5

If someone steals your wallet, takes the money and uses it to buy something that is theft against you. If someone steals your wallet, takes the bank card and uses that to buy something what crime are they committing, against whom?

This is prompted by the story in the news about this happening:

A woman has described how criminals raided her gym locker, stole her wallet and went on an £8,000 shopping spree while she was exercising.

Charlotte said she was told her card had been used to make about £8,000 worth of purchases from her current account, with goods bought from the Apple store at Westfield shopping centre in Shepherd's Bush, the Apple store in Regent Street, and Selfridges on Oxford Street - all within 90 minutes.

While Santander had managed to stop some of the purchases, she would still be £5,000 out of pocket.

"I was very rudely and bluntly told 'you will not be getting your money back. It's your fault because they've used your PIN'," she said.

...

Santander apologised for initially "incorrectly declining her refund request and for the customer service she received", and it has paid her £750 in compensation [after the story went viral and attracted press attention].

If the crime was theft against the account holder this would make sense, as the money was taken from the account holder. If the crime was fraud against the bank, it seems like this would not directly affect the account holder. What actually is happening here, what crime is being committed against whom?

The case and myself are in the UK but any jurisdiction would be interesting.

ScottishTapWater
  • 1,078
  • 11
  • 22
User65535
  • 6,608
  • 5
  • 24
  • 52
  • do you have a jurisdiction in mind? This might range from conversion to fraud, depending on the exact type of card used and there might be a specific law like "Bank account misuse". OR do you try to understand who all was damaged? – Trish Sep 05 '22 at 10:56
  • Thanks, I have added a line. I am just trying to understand the legal principle here, what the crime is and what the legal responsibilities are. – User65535 Sep 05 '22 at 11:06
  • 7
    It's worth noting that "I was very rudely and bluntly told 'you will not be getting your money back. It's your fault because they've used your PIN'" doesn't imply that there's no crime. It only means that the bank is disclaiming liability because the person spending the money had the PIN. – phoog Sep 05 '22 at 12:44
  • 3
    You have to wonder how did the thieves get the PIN? – DJClayworth Sep 05 '22 at 19:57
  • @DJClayworth - Typically by shoulder-surfing the individual as they enter their PIN legitimately into either an ATM or device reader, then stealing their card from a bag or pocket. A more modern variant has a two-man team taking the card from the ATM while the user is distracted, then claiming that the machine ate it. If timed right (typically late at night at the start of a weekend), the card holder may fail to stop the card for several days, thinking that nothing is untoward other than the annoyance of the machine taking their card and that they can collect it from the shop when it opens. – Richard Sep 05 '22 at 20:00
  • @DJClayworth according to the posts I read on Twitter, the woman's banking app has a 'feature' that shows your current PIN !!! Yeah, amazing huh!. So, the thieves stole the bank card, and the phone and the phone tells them the PIN, therefore, the bank say you told the thieves the PIN. – Neil Sep 05 '22 at 21:25
  • 1
    "If the crime was fraud against the bank, it seems like this would not directly affect the account holder." How do you figure? As a trivial counter-example, imagine you defraud the bank into thinking that you are the account holder and withdraw some money. You lied to the bank to obtain a thing of value that was in the bank's custody and control. But you also stole from the account holder since the thing of value you got belonged to them. Any insurance coverage or possible recourse they might have isn't legally relevant to what you did. – David Schwartz Sep 06 '22 at 06:49
  • 1
    @Neil While it's true that the Santander mobile app can show you the PIN - you need to log in to the app first and the app will ask for a re-authorisation of fingerprint/passcode before displaying it. Basically "just" taking the phone would be insufficient. – motosubatsu Sep 06 '22 at 08:31
  • @DavidSchwartz Actually that is the question I meant to ask. In the scenario you outline, is there theft from the account holder or from the bank? When someone gets money from the bank by persuading them they are someone else are they taking money that belongs to the account holder or the bank? If it is fraud against the bank then one would assume it is the banks money, if it is theft against the AH then it is the AH's money. Surely it cannot be both? – User65535 Sep 06 '22 at 09:03
  • @motosubatsu The banking app allows any fingerprint registered with the phone to be used as MFA (I've just tried it). Once the thieves gained access to the phone, they could just register a new fingerprint, and then get into the app/PIN. – Neil Sep 06 '22 at 10:21
  • 1
    @Neil sure.. but on most phones doesn't registering a new fingerprint itself require you to enter the phone's PIN? (mine does, I just checked) i.e. you can't just grab an unlocked phone and add your own finger print. – motosubatsu Sep 06 '22 at 10:39
  • 1
    @Neil Showing the PIN requires fingerprint/app pin to display... if this bank made an app that doesn't require authentication before looking at the PIN but solely relies on the lockscreen, then they are the completely at fault. – GACy20 Sep 06 '22 at 14:16
  • 1
    @motosubatsu During a related BBC radio programme, https://www.bbc.co.uk/sounds/play/m001brf0 (skip to 22mins) a presenter outlined her theory about how this was done and claimed that she tested her theory and it worked. The thief would have another phone with banking apps pre-installed on it. They try to set up access to the victim's account from that phone. They have the victim's bank cards because they stole them with her phone. They ask Santander to SMS the victim's phone with a one-time authorisation code, which is displayed on the lock screen. They enter that in their phone. – Lag Sep 06 '22 at 15:48
  • @Lag Yeah I can see that would work - assuming that victim has their phone set to display full notification content on the lock screen. – motosubatsu Sep 06 '22 at 16:35
  • @motosubatsu: Which is the default configuration. Or they could rip the SMS message out of the air. – Joshua Sep 06 '22 at 18:37
  • @User65535 Why do you say it can't be both? What law is there that must be one and only one victim to a crime? You are lying to the bank to obtain a thing of value in the bank's custody and control. Why isn't that fraud against the bank? You are lying to obtain property that rightfully belongs to the account holder. Why isn't that fraud against the account holder? Where does this "cannot be both" rule come from? – David Schwartz Sep 09 '22 at 22:44
  • @DavidSchwartz I had assumed that to defraud someone you would have to get something of theirs, but this makes it clear I was wrong. – User65535 Sep 10 '22 at 07:17
  • motosubatsu, on an iPhone you definitely need the phone's passcode to add a new finger print. And applications can decide to only give you access to data for the passcodes that were present when the data is stored (so a new finger print might not give you access, only an old one), or even refuse access altogether if some fingerprint information is changed. – gnasher729 Sep 21 '22 at 11:10
  • Barclays would require you to enter the Barclays specific passcode as well. – gnasher729 Sep 21 '22 at 11:11

3 Answers3

11

Burglary, theft and fraud(s)

The burglary and theft are trivial and unlikely to be prosecuted - it’s the breaking in (burglary) and taking (theft) of the possessions including the physical card itself. Using someone else’s credit card without permission is fraud - in this case it appears there were several frauds.

All are crimes against the Queen. While crimes may have victims, they are perpetrated against the state, which, in the UK is the Sovereign. The gym was a victim of burglary, the cardholder was a victim of theft, the cardholder and the bank are victims of frauds.

Any of these aggrieved people may seek damages from the perpetrator(s) (who appear to be unknown at this time) for whatever their losses are. Their most likely causes of action are the torts of conversion (the civil equivalent of theft) and fraud (the civil equivalent of, well, fraud).

The allocation of the loss between the bank and the cardholder is a matter of the contract between them and financial regulations.

Dale M
  • 208,266
  • 17
  • 237
  • 460
  • in California there's also "Misuse of a banking card", might there be something similar? – Trish Sep 05 '22 at 11:29
  • 1
    Probably the vendor(s) that the card was spent at can also consider themselves victims of fraud. – bdsl Sep 06 '22 at 14:15
  • @bdsl why? They got paid. – Dale M Sep 06 '22 at 20:28
  • 1
    @DaleM Someone entered into a transaction with them and relied on a lie to obtain their goods or services. I'm not sure if it's guaranteed that they get to keep the money, or even receive it at all from the payment processor. If they do receive it and it happens enough it could put at risk their relationship with the financial institutions. – bdsl Sep 06 '22 at 20:59
7

In the US, there are more answers because there are more jurisdictions, also a distinction between "credit card" and "debit card" (banks issue both but there are separate laws). "What happens" is largely unknowable to the card-holder past a certain point. Credit cards in the US usually do not have PINs associated with them, though it is possible, so I will assume a credit card, with PIN, the card was physically stolen and used – presented – in-state, in Washington state. Federal or state law could be relevant. We start with federal law, 15 USC 1644 which says

(a) Whoever knowingly in a transaction affecting interstate or foreign commerce, uses or attempts or conspires to use any counterfeit, fictitious, altered, forged, lost, stolen, or fraudulently obtained credit card to obtain money, goods, services, or anything else of value which within any one-year period has a value aggregating $1,000 or more...

(is a criminal and shall be punished). In your story (transplanted) they crossed the dollar amount, but this is not clearly a case involving interstate commerce, so the federal law may not be applicable. The reason for the hedge is that the expression "a transaction affecting interstate or foreign commerce" is a quasi-magic expression that justifies federal intervention, since Congress does not exactly have unbounded powers to meddle in local affairs. If the federal prosecutor can devise an good reason to think that little Billy stealing a card and buying $1,000 worth of bubblegum at the local dime-store "affects interstate commerce", then you have the legal possibility of federal prosecution. It is then a discretionary matter: does the US attorney want to prosecute little Billy? (Is little Billy a cog in a vast interstate criminal enterprise). Anyhow, if they find Billy and can prove that he did the deed, he can be fined and imprisoned (10 years). This is highly unlikely, though. Also note that this law pertains to credit cards, not debit cards (there is a special law pertaining to credit transactions).

State law, RCW 9a.56.290, similarly criminalizes the act, broader language that covers more bases and which lumps all cards together, be they debit, credit or any other kind of payment card (gift card for example). Under state law, there is no minimum amount for prosecution, therefore you can be state-prosecuted for a $1 usage.

In both of these cases, the act of fraudulently using a card is a crime, even if the person initially suffering the loss is fully compensated.

There is no federal provision for breaking into a gym locker and stealing an item: it is a state-level crime. It Washington, it is theft. A credit card is an "access device", as distinct from a wallet photo. Theft of an access device is a class C felony (theft in the second degree) under RCW 9A.56.040 (even if it is not used).

Burglary is precluded as a charge if the thief is authorized to be in the gym. Washington law draws the line at the premise, and not the box.

Finally, with attention to the card-holder's loss, 15 USC 1643 limits cardholder liability for unauthorized use of a credit card (credit card, not debit card). The wording of the law is a bit confusing since it says that the card-holder is not liable unless... and then states conditions that have to be true in order to make the card-holder liable. The limit on liability is $50, the issuer must adequately warn of potential liability, also say how to alert the issuer, and the card-holder is only liable (up to $50) for charges before the issuer was notified.

user6726
  • 214,947
  • 11
  • 343
  • 576
  • 3
    I believe that you will find that since the major credit card payment networks all operate on an interstate basis, any transactions on those networks are considered to "affect interstate commerce" even if all parties are in the same state, and so the federal law applies to all such transaction. The state law will generally also apply. – David Siegel Sep 05 '22 at 19:01
  • 2
    We know from Wickard v. Filburn that a business doesn't even have to be "interstate" to fall within the imaginable scope of a commerce-clause invoking law. My non-major state-internal credit card can be used in a neighboring state, so state-internal fraud ultimately affects interstate commerce. – user6726 Sep 05 '22 at 19:08
4

The answer by @DaleM covers part of the answer, but not all of it. The complication is that it depends whether the card in question is a credit card or a debit card.

If the card is a credit card, there is no actual transfer of money. The bank pays the vendor, and if the purchase was not authorised by the cardholder then the bank and the vendor are victims of fraud. The bank and vendor then go through their agreed procedure for dividing the loss, in the first instance, and perhaps in future (if anyone is caught) get to sue the culprit. The cardholder is not a victim, because one of the key benefits of credit cards is that the cardholder cannot be held responsible for unauthorised payments.

(Aside: This is why all purchases not made in person should always be made by credit card wherever possible. It's also why some vendors will impose charges for using credit cards, because the bank typically charges fees to vendors which will cover those losses.)

If the card is a debit card, payments made on it represent direct transfers of money out of your account. In this case the victim is the cardholder, and the crime is theft from the cardholder. The bank may optionally reimburse you, but there is no legal requirement for them to do so until you've cancelled the card. As this case shows, it's good PR for the bank to cover this (and bad PR for them to refuse to), but strictly they have no responsibility for it.

Graham
  • 2,711
  • 10
  • 14
  • This is answering the question I really wanted to ask. To clarify, in the case of a debit card, the thief is taking your money from the bank and giving it to the merchant. In taking it from the bank they intend to permanently deprive you, so it is theft from you. – User65535 Sep 06 '22 at 18:53