Thief still attempting to use my old card that was skimmed


Hi guys,

I’ve just had another supposedly “Clinton Cards UK” transaction, and I am writing this to warn the community and Revolut, because this is what happened to me around a year ago:

  1. A small transaction supposedly on/by “Clinton Cards UK”, which was pending/cancelled, followed shortly after by
  2. A big transaction (around 1600 pounds) on a Vietnamese online shopping website, which was declined because of insufficient funds, followed shortly after by
  3. A big transaction (around 800 pounds) on the same website, which went through

Basically, my card was skimmed somewhere while I was travelling around Central/East Europe and 800 pounds were stolen. With help from Revolut I eventually got them back. I also disabled that card and got a new one.

The (attempted) transaction that surprised me today was using the old card again. It was declined because the card is inactive now.

But this means that whoever stole my card details not only still has them, but is still trying to use them to steal funds! And doing it in the same manner. Can this not somehow be used to catch them?

Two points:

  1. @the community: if you see a transaction on “Clinton Cards UK”, immediately freeze your card, because it seems like a test of the card only for a bigger transaction to follow later
  2. @Revolut: please investigate


A lot of people do genuine shopping at Clinton Cards. They’re probably the largest UK retailer of greetings cards (birthday cards, Christmas cards etc) and have lots of physical shops. It’s a plausible place for very small transactions - ideal for test transactions by a fraudster. But their greetings cards are expensive compared to the Card Factory.


Yes indeed – it’s a legit company that the fraudster/thief seems to be consistently using to test the cloned card(s). In my case it’s been a year since the first attempt. I didn’t know that they have physical shops too. In that case it could perhaps be easier to catch the perpetrators.

I am still quite baffled how my card was skimmed. I’m one of the careful types, even hiding the keyboard while typing my PIN on ATMs when there is no one nearby. Must have been in a pub. I am dying to know :slight_smile:


It happened to me after using a Santander Zero MasterCard credit card in Rio around 20 times. I didn’t even use it to withdraw cash, which is the usual Brazilian method of skimming. It was a mystery how it happened. Next time in Rio, I shall insist on using Apple Pay at every merchant, which they all support but don’t know how to use.


It’s hard to catch the people who perpetrate card fraud as it spans multiple countries. If your information was stolen from Central / Eastern Europe and they’re using it on a Vietnam website, they could be located in a different country somewhere in Asia, with you in your home country, which would be a fourth.

Even if you reported it to your local police department, they would need to involve the local police in 3 other countries, which is prohibitive. All you can do is report it to your local police, who would investigate it if necessary; Revolut or Mastercard aren’t in the business of finding those that engage in credit card fraud.


But who then bears the costs of the fraud?


It’s in the best interests of Revolut to make sure you’re well looked after but I’m not sure who you want to take liability for this? Revolut won’t exist if they refund a customer each time their card gets skimmed.

Why should Revolut reimburse you for going abroad (which is your conscious decision and a risk you choose to take) and having your card skimmed? Why should MasterCard do the same? It’s your problem to keep your card out of the hands of those that would abuse it.

If you don’t want your card to be skimmed, turn off the magstripe after you use it. May be inconvenient but at least you don’t have to wait for 800£ to be recalled through MasterCard’s charge back scheme.


@Recchan - the card industry covers the liability for fraudulent transactions. Unless a card holder has been negligent, then there’s no liability for the card holder.

> Why should Revolut reimburse you for going abroad (which is your conscious decision and a risk you choose to take) and having your card skimmed. Why should MasterCard do the same? It’s your problem to keep your card out of the hands of those that would abuse it.

Nobody is suggesting that Revolut should reimburse a customer for going abroad. But if fraud occurs on a card through no fault of the customer, then the customer is not liable. The liability is a contractual matter between Revolut and Visa/MasterCard.

Revolut’s liability is governed by Regulation 76 of the Payment Services Regulations 2017. The customer’s liability is governed by Regulation 77 of the Payment Services Regulations 2017. Which? (Consumers’ Association) also publishes a guide about this.

> If you don’t want your card to be skimmed, turn off the magstripe after you use it. May be inconvenient but at least you don’t have to wait for 800£ to be recalled through MasterCard’s charge back scheme.

Very good advice. Although I disagree that it’s inconvenient to turn off the magnetic stripe. There are very few occasions, except in the United States, that one needs to use this archaic method.


I asked a completely non-loaded technical question and you give me a sermon.

BTW I used the term “skimmed” loosely and not to mean only magstripe copying. In fact I mostly keep magstripe off and pay via NFC. I can’t remember the last time anyone wanted to swipe my card. It only comes in handy on some toll roads, and I was travelling without a car. So I am pretty sure it was off and the card data was “skimmed” in a different manner.


It depends what is negligent though. Is it negligence if you don’t disable your card after use while you’re in a country where card skimming is common? I’d argue if you lived in the country, no, because the bank should expect this. But in the case of going abroad, it’s not permanent so why not take a little bit of care? Especially when you’ll need your card and Revolut will make you withdraw your right to charge back when you don’t have it cancelled.

I don’t personally think it’s inconvenient to turn the magstripe off myself to be honest, but I understand in some countries outside of Europe it may be so when you have to either get a SIM or pay stupid amounts per day.


Skimmed is a term that specifically refers to magstripes.

This sounds pretty hard to believe. To extract card data by NFC you would need an extremely close connection to the card itself as this is how NFC works. It’s called Near Field Communication for a reason. As for any other way of doing it, there’s none that I could think of immediately since there’s only NFC/Magstripe and Chip. Businesses aren’t usually in the business of stealing your card information because they’d be finished.


The business itself might not be skimming (copying card numbers and expiry dates and watching PINs being entered), but its employees might be doing so. This is what happens in many cases. It’s often possible for employees to access records of every card number and expiry date used at the merchant, and where they have also observed a PIN being entered, they can pass the details to their external accomplices, who can create a working card which can be used to withdraw cash.


I think in this case it should be a mix of the employee and the card machine company that’s liable. The card machine I commonly see in the UK presents a price and then you tap it or insert your card. Normally they have a shield around the pad, but it’s common sense to cover your hand manually also.

This was the case on my work’s old card machine. It would print the full number and expiry on the business copy. Luckily my employer opted to switch to a different unit not by Lloyd’s.

Yeah I imagine this is probably easier for businesses without online payments where things are done over the phone especially. You could take the CVC and use it to buy things to an address of a mule etc.

I’m still trying to get my work to add online payments :sob:


Your imagination doesn’t go far. Here is another possibility (and I am sure there are others): a camera records both sides of the card. This gives the “skimmer” both the credit card number and the CVV code – enough data to spend money.


My imagination is probably not the best as I’m likely lacking in such areas. However my brain is quite reasonable when it comes to logic. For instance, it can see how likely something is to be and work out if it’s an actual issue.

If you’re not checking the ATMs in a foreign country then I’m not sure if I should be blaming anyone but you, to be perfectly honest. Even in your home country you should be giving it a glance to double check.

These devices aren’t non-existent to the point you can’t notice that they’re there. They’re just positioned in places that you often can’t see. I’d say it’s more common for a device that stops your card from being sent back out being equipped to the machine than two cameras also, tbh.


You could just put some tape on the CVV number so no camera or anybody can see it (you can always check the CVV in the App yourself).


As I understand the initial post, it was an online transaction, not a cash withdrawal at an ATM. A card was therefore not required and a picture of both sides of the card would be enough, as already pointed out.

I only use my virtual card online, and that one is deactivated if I’m not shopping online. For my physical cards I always disable online transactions plus mag stripe plus ATM. Except toll roads I lately never required the mag stripe here in Europe.

From the schemas, they push EMV project for chip cards forward and even start to disable the fallback to mag stripe if the chip or NFC did not work properly. For us consumers this is a security benefit to limit fraud even more.