Fraudulent Transaction - Security Flaw in Disposable Cards?

Hi all,

Although I haven’t been very active in this forum lately, my previous posts will show that I have been a great supporter of Revolut over the years, and have found both the product and service to be excellent. It has been my go-to account to use while travelling, and several of my colleagues signed up because of my feedback. However, for the first time since I started using Revolut, I feel completely let down by customer service and am considering moving to a different provider.

On Saturday night I received an app alert, informing me that my disposable virtual card had been used to make a £22.56 payment to Deliveroo (food delivery, for anyone not familiar with them) and that new disposable card details had been created. This transaction wasn’t made by me - in fact I was in the Republic of Ireland, a Euro country - so I immediately reported it to a Revolut live agent via the in-app chat. I was directed to an online chargeback form, which I filled in and submitted.

The following morning I received this email:

After careful investigation of your dispute request submitted on 23/07/2021, we have concluded the claim for the following transaction(s) is not valid:

| Transaction Date | Merchant Name | Transaction Amount |
|---|---|---|
| 23/07/2021 | Deliveroo | £22.56 |

We have found no traces of fraudulent activity on your account, and therefore, deem you liable for the above mentioned transaction(s). No refund will be credited to your account as a result of this claim.

Needless to say, I found this to be an unacceptable response. I contacted a live agent to request an explanation of how they determined that I am liable for a transaction which I didn’t make. I was told that no details could be provided. I asked how I can appeal this decision. I was told that this isn’t possible. I revisited the link which I had used to access the chargeback form, and found that the fraudulent Deliveroo transaction was no longer an option to choose from.

I also asked how it was possible that my disposable virtual card had been used, as this is supposedly a very secure method of making online transactions. Is there a security flaw in the algorithm which is used to generate new card details following each transaction? The agent declined to comment on this.

Apologies for the wordy post, but I am hoping that someone reading this will be able to offer some advice.

8 Likes

Sorry to hear about your fraudulent transaction.
What is your assessment about how this may have been possible for a fraudster to achieve?
Going forward, is your assessment that after a disposable card has been used, not to create a new card until one is actually required?

1 Like

I would

  • change app passcode
  • deactivate disposable cards for now
  • file a police report

The most obvious reason why Revolut would deny a claim is when the authorisation of the payment used 2FA. Filing the incident with the local police also usually helps with chargeback claims.

1 Like

That doesn’t look good for Revolut… Technicalities aside, the support agent was absolutely wrong to say you can’t appeal. Revolut is not (yet) a bank in the UK, but as a regulated e-money business they were obliged to inform you about the complaints procedure and not block it off. I would add that to my complaint and try formalcomplaints@revolut.com (there is also a form linked in their complaints procedure if you don’t want to email). They say they will resolve issues within 15 business days. If this doesn’t work, the next step would be the financial ombudsman (don’t forget to mention the response from support, blocking off complaints is appalling).

2 Likes

Hello Burns,

Literally the same thing happened to me this month!
Fraudulent transactions were made from my account. I reached out to a live agent, who simply said that they’ve followed the VISA/MASTERCARD guidelines and there is nothing they can do.
I’ve asked to speak (chat) to a manager, they refused. I asked for the contact details of the financial ombudsman, they refused. I said I wanted to file a complaint, so they sent across a link where I could send an email, explaining what happened.
I did, never received feedback or response.
I now contacted Worldline, although it is not easy to get through to them, not sure if they will be able to help me.

I am very disappointed by Revolut and not happy with the service they provide at all.
If anyone knows what to do and how to get our money back, please reach out.

Have a lovely day all,
KR, Yana

3 Likes

Many thanks, everybody, for the feedback and positive words.

Had the transaction been made using a “normal” card, then I would have assumed that the details had been cloned, in which case I would have frozen the card and requested a new one. However the card which was used was a single-use virtual card, which contradicts this theory.

Probably a sensible approach given the circumstances, but surely this negates the benefit of single-use virtual cards? If I was to create and subsequently delete the single-use (pink) card each time I wanted to use it, then I might as well stop using it altogether, and instead just use this strategy for the standard virtual (blue) card.

Wise words as ever, Frank, I changed the app passcode (after I remembered what it was, since I just use biometric security these days) and have deactivated all but one of my physical Revolut cards. It’s unfortunate that there is a need to make this a police matter, but I concede that it’s a sensible approach, even if it’s just to obtain a case number for the Financial Ombudsman Service.

Thank you, I hadn’t come across this address before. I’ll send them an email (which will largely be a copy-and-paste of my forum post!) Hopefully they will send me a response, although based upon my experience with the support team in live chat, I’m not holding my breath.

I’m sorry to hear that you have had the same issue as me, it’s a stressful experience. Partly for the financial reason - nobody wants to lose money and feel vulnerable to further fraud - but also because I have recommended Revolut to my friends and family members, people that I care about. I don’t know if I’ll be doing that in future.

Not really, imo. The card creation takes nanoseconds to achieve and is then immediately ready to deploy. If it ain’t there in the first place, it can’t be (mis)used and adds another layer of security since it doesn’t even exist. Even if required for an impulse purchase, the time spent in creating it will not impact your choices/intentions.

I completely agree with that, but if you’re going to take that approach, why repeatedly create a virtual disposable (pink) card? Just create a virtual (blue) card instead, then delete it. The supposed strength of the disposable card is that it doesn’t need to be frozen or deleted, because it is theoretically secure. This clearly isn’t the case though.

1 Like

Hi all,

Thought I’d add a short note to this conversation as it helped me resolve the same issue in the end.

I also had the same happen, where £46.50 was spent with Deliveroo on my disposable virtual card. I followed all the same steps as you did with the same outcome from the in-app chat and chargeback form.

Subsequently, I then filled out and sent in the complaints form, again with effectively the same details as above and linked to this conversation.
The good news is Revolut has refunded the £46.50 to my account! So hopefully if you pursue this course the same will occur. Though I am still waiting for a response from Revolut.

Thanks for all the details within the conversation as it really helped. I now block my cards other than when I need to spend the money as that was a number of hours of my life I won’t get back!

1 Like

Hi Burns, the exact same thing happened to me. Plus other people online:

https://www.reddit.com/r/Revolut/comments/ovril6/revolut_refusing_to_refund_fraudulent_payments/

I agree that Revolut have a security flaw with their ‘secure’ disposable cards. I had to ask Deliveroo for proof that the purchase was fraudulent, only after that did anyone at Revolut listen to me.

I will be submitting a complaint to formalcomplaints@revolut.com.

That’s great news @Robbo, I’m glad that it worked out well for you :+1:

Coincidentally I was also refunded yesterday, but as yet I haven’t received any correspondence either. I’m hoping that they will address my question of how someone was able to access disposable card details which, to me, is more of a concern than the single fraudulent transaction.

I’ve thought about it quite a lot, and can only conclude that either:

  • Revolut suffered a cyber attack which has resulted in a data breach, or
  • Their system for generating and/or storing disposable card details isn’t secure enough.

Either way, I’d like to know. Of course it could be neither of these theories, and Revolut may be able to provide a logical and acceptable explanation. However their silence on the matter isn’t doing their reputation any favours in my eyes.

It’s also interesting that several of us have been the victim of this fraud, and on every occasion it has been a Deliveroo transaction:

Does anyone have a theory of why this might be the case?

:thinking: Related?

Good to hear they have refunded you also.

Agreed, I also would like to know what is going on, at least from the perspective of ensuring this doesn’t happen to me again.

1 Like

I’m very glad to hear you have both been refunded. I think the same as you @Burns, a cyber attack, or their cards are not secure and not enforcing any additional security measures on purchases.

I asked for an explanation but I don’t think the App customer service people would know what is happening. I have raised this security issue in my complaint email - I hope Revolut take it seriously and work out what the problem is.

1 Like

The cases I reported on my post were from different users, but from what I could understand, they were all made with physical card details.

1 Like

It’s really hard to pin down without knowing details like how payments were authorized, but when fraud happens in a specific region, card details were most likely obtained through a local service or merchant, like a Portuguese online shop. History of incidents shows that merchants are usually the easier target. Banking system security breaches are rare, and more often than not social engineering and phishing play an important role.

Fraud related to disposable cards is more puzzling.

2 Likes

Hello Burns,

great news that you’ve got your money back!
Tips on how I could get my money back?

Thanks a lot!

This morning I noticed a fraudulent charge of £24 on my Revolut account from Tick Tock, which I’ve never used and whose App has not appeared on my devices despite apparently buying it 3 days ago. I’ve requested a refund from Revolut who have advised me to contact Tick Tock, which is impossible. Any advice?

was this from a disposable card?

Did you read this post?