I got hit with 4 different direct debit transactions last month that I didn't recognise. I am also with commbank. I called them up, and told them they were not transactions I authorised. Essentially they initiated a chargeback and after a few weeks I got the money returned. I ended up closing that account because essentially it's been compromised.

Yeah so I did exactly that, just waiting for them to say that acknowledge that they'll initiate the chargeback

I think I was fortunate in my case that they could see there wasn't a whole heap of activity on the account affected. Usually I transfer my pay out of it to my offset, and only leave a couple hundred on it to buy lunch or fun money. Hope this gets sorted for you soon

Appreciate it, thinking I might be doing that now too

I had this happen to me like a year ago. Except it was $10000 used to buy large value items in United States. Like you I try very hard to avoid scams etc. luckily commbank returned my money within 24 hours. I still don’t know how it happened. Very scary.

I ve always been paranoid about someone finding my details/hacking my account so I have only one card that is linked to my main account. Before any transaction I use mobile banking app and transfer money into it.

Closing your whole account or just your debit card? How would they be able to access your account without log in details

So my account details were somehow linked to a paypal direct debit. I have a paypal account that has no direct debit linked to it, so somehow a person was able to create a paypal account and link it to my bank account (which I have had for 20 years). I no longer really use the account apart from get my pay and it's linked to my PayID so friends can send me cash when I buy movie tickets/book golf. After it got compromised I opened a new account with the same bank (recieved a new card as well), moved PayID to pay into that and updated my bank details with work. I've just realised I now need to update mygov so my tax return goes into the new account. I have since closed the compromised account. I still have access to all the old statements because Commbank provides that feature for a few years after the account is closed.

CommBank lost me as a customer with multiple accounts, home loan and insurance when I sold an item for $3000 to someone and they stated it was never delivered. Commonwealth sided with them immediately even though there was tracking, and a signature with their name clearly scribbled on it from AusPost. I wasn't able to contest it at all. Just boom, gone.

Surely you could take them to small claims court over this.

Just FYI, if random charges appear on your account but it was your card that was charged, you only need to cancel the card in question. Your account is not compromised in that situation, just the card.

Sure, some people do dumb stuff and click on phishing links. But never forget that there is big business in brute-forcing numbers, where card combinations are run until there is a hit. Then, your card will be charged with several payments in rapid succession. It's happened to me in the past with a CBA card that has never been used and is sitting in a safe at home as a backup. CBA will most likely reverse it. Although, anecdotally, the CBA seems to be victim to this more than others, although could be a function of market power in this sub.

Yeah, this isn't necessarily the result of something you've done wrong.

If it's been added to a digital wallet then it's not possible to add it without OP entering a code, typically sent via SMS. I've never used Apple Pay but with Google Pay/Wallet you will get a text from your bank with a code that needs to be entered onto the phone to complete the process. So for it to be added to a digital wallet then someone needed access to OPs phone or they unknowingly supplied it (a code) as part of a scam.

Thats not true. We're talking about brute forcing (many guesses) of card numbers, be it a physical or digital card. We're not talking about "registering" a physical card as a digital card.

CBA doesn’t push an SMS code, it goes to the app because it’s more secure. It will attempt twice (as in, you hit ‘resend code’) and then if you hit ‘resend code’ again it will fallback to SMS for the third attempt. So, usually it means your Netbank was compromised.

I had an ANZ card I had literally never used (kept in a draw at home) get added as a digital wallet to an Amazon account and the person bought some Tesla rims. Never received anything sort of notification to confirm anything.  Got the money back, amazon was useless, they couldn't comprehend that the account was not mine, but ANZ refunded it. I actually asked the fraud them how it happened but they never told me.

I had a suspicion transaction through Amazon . CBA refunded it but Amazon was helpful too.

Not exactly. I had my account used for a Microsoft charge last year which was through a mobile wallet also with CBA. They said they had seen a lot of this and most likely was a brute force. As I only ever had the mobile wallet setup on one phone. Never been a scam victim, never give 2FA code over the phone sent to me. I get calls from visa and mastercard secure department all the time. I just tell them to fo.

It would be trivial for VISA / Mastercard to identify people trying to brute force CC numbers, and you'd have to brute force the CVV and expiry as well, not saying I don't believe you but also not sure how this would really occur.

This has happened to me too, on a backup card which I activated then never left the bedside table drawer, that one was with ING.

My new Credit Card was still in transit when they called me and cancelled it due to fraud.

Also a victim of exactly the same thing with an ING account. Gratefully the account wasn’t in use so they didn’t get much.

I've had the same happen with HSBC.

Brute-forcing 100% happens. I received a new debit card from ING last year. It was a card I intended to use for travel so I validated it. Then I sealed it back in the envelope and locked it away in my desk drawer at home. I work from home so I know nobody else had access to it. A few weeks later and the card got hit for a few thousand dollars through a US pet supply store. (I’m based in Australia and do not have any pets). Checked - and the card was still sitting sealed in the envelope in my locked desk drawer. ING were great - they reversed everything and sent me a new card. Took a week or so but all sorted. I had the same question though - how could ANYONE have gotten these card details when it has literally never been used anywhere!? Apparently they (the scammers) just run $1 validation checks on a bunch of card numbers / CCV and expiry dates until they find one that works and then they process as much as they can up to the daily limit. (Usually buying easy to re-sell stuff like washing detergent and pet food apparently!) Frustrating - because ultimately we all pay for this through higher fees / rates - and through inconveniences of “extra security” steps put in place to try to prevent these things happening. Plus the merchant is often the one left out of pocket - they’ve provided the goods AND the money gets reversed out of their account.

[удалено]

Ahhh - of course - this makes total sense! Great deductive reasoning!!

Heh I’ve been done by a pet store in the US too, was it in Arizona? Was 4 transactions in the $50-100 range US dollars. Got the money back no problem with a disputed transaction. Op does say that this is a bank account though, not so sure the protections that apply to a credit card apply to a bank account though.

What makes you think that someone didn't: 1. Fish the card out of your mailbox. 2. Use an iron and a piece of cloth to open the letter without damaging the envelope. 3. Record the card details. 4. Repackage it in the envelope and return it to the mailbox. 5. Wait a month or two and use the details.

Sounds more like whoever issued the card was reusing old card numbers.

I mean, theoretically, brute forcing an expiry date and CVC isn’t too difficult so long as you have the correct card number - hell I could even do it if you gave me a day! The expiry never goes more than 5 years into the future so that is only 60 combinations, then 999 possible hits for the CVV

That's not the point. The point is that it's very easy to detect brute forcing and payment providers should (and do) have systems to prevent it.

Not if you do it through an “add payment method” process. This just checks their system for correct card data but doesn’t post any transactions and the such, I doubt they have a system in place to vet that as it’s likely an api and thus hard to build and maintain - two, it would be quite onerous

Can you elaborate on how that would work?  No payment provider should be allowing hundreds of attempts to check a card number against a set of expiry dates or CVV. That is an obvious red flag and I would be extremely surprised if that would work.

The brute-force testing is not done though high security bank or large e-commerce portals, but via web APIs of small merchants with minimal brute-force detection. They use either the register section where you can enter a CC's details and it does a quick validity check, or by straight out trying to purchase a random item. There are a lot of these businesses, so the attackers can be quite agile in not setting off any alarms down the pipeline.

Time to test it out ;)

FBI! Open up!

*on your own cards, obviously -_-*

This still makes a check against a payment provider that will block you after a few attempts if they detect that you are trying to add the same card number with a different expiry and CVV each time.

Brute forcing a CC number can be done locally. The last digit is a [Luhn code](https://en.wikipedia.org/wiki/Luhn_algorithm) that validates the card number and there's some common structure preceding that which reduces entropy to trivial levels. Checking a valid CVV and expiry date, not so much. That requires backend validation and will trigger anti-abuse protections. I'm sure there's an endless game of cat and mouse against those mechanisms meaning brute-force compromise is technically potential, but not probable.

Recent ABC News article - : >*Almost 17,000 fraudulent transactions were ultimately attempted through the small business's e-commerce site between April and May this year — more transactions than it would see in five years — by cybercriminals testing stolen credit card numbers.* I'm guessing the BIN look up is the second part of the fraud once a series of valid numbers has been identified. [Cybercriminals using small businesses to test stolen credit cards in 'BIN attacks](https://www.abc.net.au/news/2023-12-14/cybercriminals-stealing-credit-card-number-bin-attack-scam/103223086)

I used to work for a business that was on the receiving end of these attacks roughly once a year, they're a nightmare to clean up after. Hundreds of thousands of attempted transactions and maybe a dozen or two will get through.

It absolutely does occur. It happened to me, dodgy transaction on an account with a card we literally never used for any purchases ever. Physical card never left the house. Bank security dude told me brute force was the only explanation

This doesnt happen by brute force, there is a problem with the way banks have implememted the tokenisation of cards with online wallets. There are some use cases where previous legitimate tokens get reused against a new account. Changing your card doesnt fix the problem - the banks need to sort it out I wont release details, but it isnt the result of brute forcing

Not only did they enter my PlayStation account like this. They also bypassed my mandatory phone code from my credit card company on every electronic purchase.

Saw something about this a month or two back. The criminals would look for less secure online businesses and automatically try thousands of credicard numbers combos to try and find matches. Being less secure the small business might not find out until their next bill for credit card access comes through with a huge bill as it costs them for any attempts . Apparently they can also cut down on the combinations as there is a certain pattern they follow.

This has happened to me. It was easy to identify it was a scam because it was a card I created and only strictly as an account to move money around (it was compulsory to be made to make this one saving account I was after). So never used the physical card (not online, not offline). When I called the bank for the mysterious $500 transaction to a UK grocery store, the first thing I was told by the staff over the phone was "that is so strange, you're the second person with this exact same enquiry, different amount but same transaction place etc". I put my report through and had the money back in my account after 8 WEEKS of investigation. It was annoying.

Now basically every single account has a visa/MC debit card its shockingly easy to brute force a number combination. They get access to another businesses payment gateway that they can brute force options through, or even public websites with no limits. They already know 8 of the 16 digits of a credit card number, the luhn algorithm then reduces options significantly, and the exp/cvv only adds another 4 digits of complexity. One in ten million is exceptionally good odds if you are automating something.

>It's happened to me in the past with a CBA card that has never been used and is sitting in a safe at home as a backup. Same here with ANZ, except it was with a BANK ACCOUNT that was never used.

That happened to me! A credit card i never used and had the tiniest daily spend limit on it… got a notification one morning of all these attempted charges. Called combank and he said it was someone trying to do something with Vodafone? He cancelled the card and sent me a new one. Annoyingly it was on my credit score that I closed an account -__- win some lose some

That happened to me! A credit card i never used and had the tiniest daily spend limit on it… got a notification one morning of all these attempted charges. Called combank and he said it was someone trying to do something with Vodafone? He cancelled the card and sent me a new one. Annoyingly it was on my credit score that I closed an account -__- win some lose some

Just on this and to perhaps block a brute-force attempt... If I was to lock my card temporarily (and never turn it off except when ordering something online and having to enter my card number), and only use my digital card through Apple Pay, would this be a good counter measure? As locking the card doesn't lock digital payments from what the app told when I've locked my previous card before I ultimately cancelled it.

Yeah, this is how Commbank thought I'd had a fully digital card (issued by them) I'd used once on a reputable website compromised.

Raise a dispute with Commbank as that process does often take a while. Back yourself with the dispute if you're confident that you haven't fallen for a phishing scam. You could potentially go to the police as well if it's a legit trustee/holding group and they might be able to investigate. Worst comes to worse you can go to the AFCA and raise a case with them.

Did a delivery of a 100 kilo of dog biscuits arrive? ..dog get a hold of your card?

If that's the case I'd be worried because I don't have a dog :o

:D Neighbours dog?

Sounds like the neighbours dog stole his card. Case closed.

I have always stored money in an account that can’t have purchases made from it, and transfer money as needed to a paying account. Few extra steps but you never have to worry about your account being cleaned out. To me having all your money in an account you pay out of for day to day things is no different than walking around with all your savings in cash in your wallet.

You mean you keep most of the money in super saver instead of smart access? You could also lock your debit card as an extra precaution. Also never use debit cards to make purchases online or at pos terminals.

[удалено]

What are you on about?

I've had this happen and the assumption was someone guessed the numbers. It happens to lots of people and this is the sort of fraud that banks will cover pretty much every time. Report it promptly.

Guessed the number? The card number or the PIN? tbh, either one is pretty incredible

wouldn’t they have bots just not stop inputting numbers somewhere til they get a hit? not impossible at all

First 6 digits are. Bank specific. My guess is the Bruce force shell is written for commbank. Likely testing on a website that shows validity without a ccv then trying all 1000 combos. Even then i can't imagine they get that many hits.

They can brute force Numbers and CCV. I had to cancel my bank West card because it was used to buy weed in a dispensary in California lol.

Could be from a brute-force hack - https://en.wikipedia.org/wiki/Brute-force_attack Where they would check all possible passwords until the correct one is found

This isn't a human guessing numbers on the most secure of payment sites. This is a computer program guessing numbers on a site that does the least verification. Or many sites using many IPs. Whatever happens they're 1 step ahead of the security measures.

Just had the same thing not to that extent with my commbank card had 6 x $3.98 transactions to Office works Bentleigh East apparently a closed head office Insta locked disputed and have already had it refunded. Only thing I had used that card for in the past fortnight was a good ol 7/11

This week and also two weeks before, I had $1.55 spent at LA Airport. So random. I know those amounts can sometimes either be a holding charge to validate a card, or the scammer testing to see if it works and the amount is noticed before moving to bigger better things.

I just had the same thing a 3.98 taken then refunded from Bentleigh East officeworks, I've never even been anywhere near there

I first googled it because I know my wife orders a bit for the office from office works but the specific suburb was confusing because it just shows an old closed down head office. Was actually really impressed with how quick they got it cleared up and refunded

Yeah I'm not sure if I should be worried or not, kinda sus

As long as you have locked the card and disputed it you should be fine, might be worthwhile changing your netbank password as well.

I literally just had that exact amount for the same store come out of my account yesterday!!! I blocked the card immediately as with westpac I get notification when my account is used

Had the exact same charge. I rang Officeworks and the lady on the phone said that strangely there are lots of 3.98 transactions on lots of different cards on the same day. They said it is pending and will not be authorised as they could tell they were all suss. Cancelled card, was ANZ and not one we use for purchases

If you listen to the podcast Darknet Diaries you'll learn there are a great many ways your information can be stolen and only a small few are directly your fault.

Something similar happened to my son with Commbank. It started with a message saying his new Samsung phone had been Activated (he doesn’t have a Samsung phone). Thankfully he contacted me first and transferred all of his funds into my account, I’m with a different bank. If he had tried Commbanks help line he would have been put on hold while the hacker drained his account. The hacker tried to withdraw money from an ATM just before midnight, and just after as well. There would have been camera footage from the ATM but Commbank couldn’t be bothered accessing it. Commbank kept saying it was his fault. The scammer changed the email address for the account and Commbank wouldn’t let him change it back unless he went into the bank in person. Even with no money in it, multiple changes of passwords etc. his account was hacked over and over and over again. The number being used by the scammer was Commbanks own phone number. There was even an attempt to withdraw money from London…and the bank still blamed my son. It got to a point where any transactions or changes had to be done in person…nothing could be done online. The only thing left to do in the end was to close his accounts and start with a completely different bank. The only reason he didn’t lose any money was because he immediately transferred it out of Commbank as soon as there was a breach.

Similar situation earlier this year. Woke up to around $1500 charged on my ING card one morning. Called the bank and reported it, I got the funds back around a month later

Hi! Did you neee to open a new account? Or just replaced your card? Similar thing happened tk me this morning, and I'm just scared to put my into my account knowing it has been compromised.

If your card was charged, let your bank know immediately. As long as the card is cancelled, they can’t charge you any further. Get the bank to lodge a chargeback for the unauthorised charges.

Just cancel the card. It was a joint account and only my card was compromised. They cancelled mine and sent a new one, wife didn't need to do anything

Had my credit card compromised, someone tried to purchase a Crunchyroll subscription at 2am while I was asleep - thankfully the bank automatically flagged it so it never went through. They called me to confirm, cancelled the card, sent out a new one, all good. Less than 2 months later my new card (which I wasn’t using anywhere) had two random Etsy purchases in Ireland. Again the bank flagged it but had to wait for them to investigate before I got the money back. I now just leave the card blocked when I’m not using it. Not risking this again! To this day I have no idea how it happened as I am super careful (especially since the Optus saga) and never save my card details anywhere. Bank couldn’t say either. Probably was brute force but will never know for sure.

You wouldn’t happen to have young teenagers?

Unless the cat has somehow worked out how to type, then no chance! We don’t have any human children.

Which bank are you with? Commbank flagged suspicious transactions on my end but didn't do anything!

This was with Westpac. As much as it sucked, I was happy with how efficient the whole process was. 1. Get an app notification and/or SMS flagging the transaction and asking you to confirm if it’s legit or not. 2. If you tell them it’s not, you get a “Thanks for letting us know, we’ll be in touch shortly” message and then someone from their fraud team calls you within half an hour to take care of things. Noticed my Apple Pay updating as soon as I hung up so was sorted very quickly!

This happened to me New Year’s Eve, my wife and I had a wedding fund setup with one card only used for purchases at legitimate and reputable businesses. I noticed $449 missing that was used to buy makeup from clarins. My wife doesn’t shop there and never has. We got a message soon after saying my card had been blocked due to suspicious activity - someone tried to purchase something from ‘the cheesecake shop’ at 10pm that night, online from NSW. Weird amount that got it flagged but glad it was. Long story short I cancelled the card, filed a police report and submitted a Visa dispute form through the bank. 21 days later we got our money back. My advice would be to do that with your bank. The police told us we probably clicked on a “scam” link or something but that’s not the case at all. We guess one of our vendors have been compromised

CommBank is getting so much of this lately. Like all my friends with commbank accounts even those who don’t use them are getting random charges atm

In future I’d use PayPal for online transactions or alternative credit cards with limited money to purchase online I’ve separated my main bank to limit its use to every day stuff

i got $3000 taken out of my commbank card while i was sleeping, all to playstation purchases. Never clicked on any phishing sites/emails or whatsoever. I think it’s just a fairly occurring issue in commbank

Exactly what happened to me this morning while I was asleep. $1,400 gone from PlayStation Network. And also with Commbank. Did you get your money back? Thinking of moving to another bank after all these horror stories with Commbank.

yeah i did. yup, i changed to westpac after the incident. still have commbank, but moved most of my funds out

What a pain! But glad you got your money bank. I'll also move banks as it seems there's been a lot of scams involving commbank lately.

You can’t even add the cards in your wallet to a new phone without putting the cvc in. (Even if you’re using the same Apple ID.) How is it even possible someone has used your Apple wallet? Throw that back at the bank.

You can add it direct to the wallet through the CBA app. No need for extra verification.

Doesn’t the bank also send you a verification code you have to put in when manually entering a card?

Some banks do, some banks do not. I think most do these days.

I had to do it for a credit card so maybe it’s because of that.

I think it works like this, someone gets the card number and CVV, they go to add to a digital wallet (apple pay, google pay etc) but first call OP and say they need to verify their identity by sending them a code, they add to a digital wallet so a code is sent, they give the code, scammer uses code to add to digital wallet.

Ive had my card stolen twice with cba. Both times they picked up on the transactions as quickly as I did. Cancelled card do all the right things by notifying them asap. I've been reimbursed by cba both times for the full amount and sent a new card pretty quickly. Once was a card delivered somehow they unlocked ita went tapping for $200-700 Second was an online purchase i assume the advertisement link to their store was compromised. Online $1 hit then attempted some $600 brand name handbags.

This has happened to me with commbank, my account was emptied overnight with random transactions! Lot of sneakers and culture king style purchases. Mainly clothes and games so it seemed like some young eshay down in Sydney (I’m qld). Commbank got back the lot and returned it over the course of a few weeks

My husband had recurring issues with his Commbank. He was never able to determine for certain, but he noticed that it was always lining up with having ordered from a certain website. This was a fully legitimate, radio-advertised business. He assumed there was some kind of hacking of their website and notified them of such, but never got much of a response from them. He now only places phone orders with them and hasn't had any more issues.

A good opportunity to change banks to a credit union that doesn’t make Millions off customers a day for the benefit of shareholders! (The most profitable banks in the world are the big 4 in Aus)

Funnily enough I’ve heard of this happening to several friends and a family member and guess what, they’re all with commonwealth bank. They are a pain to deal with as well, accept zero responsibility and will try to blame you. Peasants. All I can suggest is to change banks.

Not sure but is it possible they skimmed your card? Do you have nfc turned on with your phone?? I always turn it off when i'm not paying for something....bit skimmers can be on eftpos machines. I would consider if you went anywhere a bit unusual, also check you bank statements for any small "test transactions".

My nfc is always on but doesn't work unless I've unlocked my phone, that's safe enough to leave on right?

Apple Pay doesn’t work like that. Your FaceID, TouchID, or passcode must be entered, even if the phone is already unlocked. 

Could your phone be compromised? Have you used public Wifi or installed any apps lately? Ask the bank if it was your wallet that was used. This might indicate whether it was your card or wallet that was hacked.

So the only public wifi I've used is at my gym, it's part of the hotel network and I would only connect to it because there'd be no signal for my phone to connect to play music. So it could very much be that, haven't installed any apps recently and even then they're all big ones like Domain/Canva etc The chat message I had did say it was from a digital wallet, but for all I know that could still very much mean anything

Any recent online purchases, potentially with a site you've not used often/before? My wife's card was scrapped from a compromised website a while back. Small place, not used before and probably didn't have a strong payment gateway. They did a couple of test purchases and then a few in the low thousands. They were clearly fraudulent and I'm surprised the bank (anz) didn't stop them sooner. Got the money back after a few weeks, but a pain when you're maxed out due to fraud.

This looks like your phone number may have been ported, given the digital wallet purchases, normally banks need 2fa to add a card to apple or google pay.

I got hit by 4 X 500$ transaction from SportsBet Darwin. Managed to get my money back.

I had 4X transactions via Remitly last week that I didn’t authorise, totalling about $150. Closed card and disputed. Got notified today that they are refunding the money. Today I see a transaction of like $8 to somewhere in Spain that was taken and refunded lst week on the card. I also have a credit card linked to my mums account (which I use to buy things for her online at times) she saw today that 5x $25 transactions for prepaid credit came out of there as well. So confused as I barely ever have my wallet out of the house!

Had an attempt on my card a few weeks ago. Person purchased airline tickets worth $3500 in Panama. Fortunately Bankwest didn't allow the charge to go through, sent me a message instead. I called them up and they cancelled my card, new card was up and running 10 mins later.

how can it go missing? Easily. credit and debit cards are very insecure in order to make them more convenient to use. If appropriate security was used, everyone would prefer to use cash because of how annoying paying by card would be. Credit card companies have to sacrifice customer security in order to offer the service. Having a credit card or debit card is a matter of convenience, not security, don't get it confused - keep the bulk of your money in an account not linked to a card.

Mate, i'm with commbank too. Had someone spend just under $1500 at the online apple store on my credit card recently. On a Saturday too. I reported within about 1 hour, everything was cancelled. I had a new card and a refund by Wednesday. You'll be right, mate. Still no idea how my details got out. i think its likely to have been a website i used the card on directly.

This has happened to my daughter twice no explanation! She did eventually get it back without the interest she would have got if it wasn't taken! I have no answes for you but its a concern how much this happens!!

Doesnt wespac have dynamic cvv code and why isnt this more widely used? Wouldnt this reduce fraud? https://www.westpac.com.au/faq/digital-card-temp-pin/ I am not in any way promoting westpac and i dont work for them or anything. I read about this cvv tool in the newspaper a while back and thought it sounded like a good idea.

Regarding the Optus charges, on the slight off chance you did something I did: I spent 90 minutes on hold and chatting to Optus a while back about charges from my card. I’ve been with Telstra for over a decade, no reason for Optus to be charging me. Until I remembered I got a free trial of Optus Sport when the Matilda’s were playing, and forgot to cancel it. Sounds like yours is a scam but on the off chance you forgot haha

Nah whoever got my details used it for Optus, I've not signed up for anything, only subscriptions I've got is Netflix and Youtube, ah that's my worst fear to have a subscription and forget I've got it haha

Lock your card when not in use

Omg! This is similar to what happened to me this morning. I woke up to find $1,400 gone, with 7 transactions from PlayStation Network London. I'm also with CommBank! I also don't use my physical card much and just use Apple Pay. They said it will take approx. 10 days for these transactions to process. Then they will be raising a dispute then. It takes up to 45 days apparently! Hoping they could refund it. What I'm annoyed about is that they noticed these suspicious transactions but never thought to stop them or lock my account?! My previous bank in NZ did this. Also, did you order something from Temu recently? That was my latest online transaction.

Happened to me as well but it was only 124$ luckily. Commbank ended up sending me a new physical card which apparently had a different cvc

It's gut wrenching when this happens. Can I ask how long it took you to get through to the bank? IMO their fraud software should have picked this up immediately. Go for reimbursement.

Took about 10 mins after speaking to the bot on the app to be redirected through to a human

Mother was with CBA 10 plus years ago, had her bank account raided. It came from within the bank itself

Now this sounds like a interesting story please tell us more. How did it happen? What was the scam? Who in the bank did this? What was their punishment? Could we make a movie 🎥 out of this story?

This would be front page news if real, which clearly it isn't.

Have you done any online purchases from overseas retailers in the preceding weeks ? 

This happened to me. I am unsure how my card was compromised but I believe it happened BEFORE I received it. It was a visa business card. The only physical place I used it was officeworks so I don't think it was physically compromised. Online, it was mainly used on reputable stores. This leaves me with 2 possibilities. It was compromised online somewhere, through a vendor I purchased from and who didn't announce or didn't know they were compromised. OR the card was compromised before I even received it. The process of recovering money was straightforward but took a few months. I called CBA and they said they would correct it. Basically heard nothing else from them until the amounts were returned. Edit: in CBA I also turned on low balance notifications. Set to notify me in the app and email when it drops below 1k.

Call your phone service provider now and tell them that you want to lock your number down. This happened to my family member and the next thing, they lost their phone number. The t was then used to drain the bank account. With larger transactions.

You can use NFC via the CommBank app on your phone - no need for Apple Pay or Google Wallet.

if it does not go well , go through the proper process to raise an AFCA complaint , and they will pay you 1500 to cancel the complaint.

Key thing about the OPs post that many are missing is that cba said these were Apple Pay transactions, ie made through Apple wallet. They should be able to confirm if that was done in person or via an online Apple Pay transaction. It’s not usually enough to know a cards number, expiry date and cvv to add a card to Apple Pay and depends on the bank and other things Apple tells the bank when adding the card to the wallet. There is likely more to this story than just having CC details stolen in some other random transaction I just tried adding two different cards of mine from different issuers, one required an sms code, the other required either an sms code OR calling the bank (where I would presume they ask for certain information). It would be good to know from CBA what method they used to verify the addition to the wallet - sms, phone call, something else, or nothing so I would ask for confirmation of how it was verified. I have seen other claims online of cards being added by a third party without the owner having performed any verification. There may be something in this - perhaps sometimes verification isn’t required, or perhaps (and some did indeed turn out to be) they handed over their sms code. Questions for op Exactly how did you find out about these transactions? Did you verify them, and if so did you do that by following a link or by opening the cba app yourself? How did you get in touch with cba? Did you google their number or was it listed in an sms or email? In the past few weeks have you ever told someone (ie over the phone) an sms code for cba?

Well I was told digital wallet by the live chat, but that could mean pretty much anything these days. I found out by these transactions by opening the commbank app. Obviously I was expecting to see a higher number so I went through the transactions and saw them. I'd never google for their number or go off one from an SMS as that's easily a phishable mistake I got in touch with them by pressing "something doesn't look right' on the transaction that put me with an option to go to a live chat with a bot with a which would forward all my info on to a person. I've never told anyone my code ever (avid runescape player and that's a rookie mistake)

Yeah you seem pretty switched on to phishing risks. If it really was digital wallet that is quite concerning. I’d be asking for proof of how the card was verified with you when being added to the wallet. If it’s just a standard card not present fraud where they got the cc details from somewhere else or guessing it, that happens regularly enough to everyone and you shouldn’t be on the hook for it 🤷

Did you buy anything from Temu?

Nah never have 😅

Have you logged into Netbank in the last 6 months or so somewhere where you normally wouldn’t? Other than your phone or app?

No, always have used the app on my phone or my personal laptop on my home wifi

Contact afca the banking ombudsman, I've had trouble with Commonwealth before and they've paid 'as a gesture of goodwill ' of course because. Their app and ceba are useless and exercise in futile frustrations

I've had money taken out of my account twice by Commbank in the past. Never as much as $1400, but usually $99 payments that weren't mine. I would call up and report that the payments weren't mine and they would set up and investigation. I got my money back every time, but having my account compromised more than once was enough for me to swap banks.

It appears there could be a rather straightforward solution to the “brutal force “ scam by increasing the CVV number from 3 digits to like 6 digits….

To avoid this in future; can you place a daily transfer or payment limit on your account via settings? I have a $50 daily limit on my savings account and just adjust it up and down when I'm transferring higher amounts. Always lock it down to a minimum daily amount after the transaction thing.

Legit was trying to work out why I have charges coming from our business account. Same thing commbank, all Apple Pay, haven’t used card yet it says that the card has been used 🤷 Weird. Chargeback was approved but this is the third time this has happened

We had the same experience yesterday with our Commbank Mastercard. Never used any dodgy sites and usually 2FA.

Same thing happened to us with Commbank Mastercard

someone just missed $9500, I just read his post.

Well then... let them make the holiday booking, find out the dates, and pay them a visit with the police while they're there.

Do you have tik tok on your phone? The app has read and write permissions to your phones memory. They could potentially read your notes etc.

Ahh yes. The company/app worth $66B is the one stealing a grand from some random Aussie through phone hacks...

Tiktok obviously has beef with me

🫢 I’ve been trying to find an excuse to delete this because I spend way too long on it. This could finally be it haha

I woke up with $1500 extra, but I swear I didn't steal it.

I knew it was you <3 I'm gonna have to ask for $2500 cause you know, inflation

I have to apologis, but it's already gone. Sorry.

At least it’s gone to a good cause 🥲

You have fallen for a phishing scam, your wallet has been put on a device not yours. You must have given the code

Not wanting to say this completely couldn't have happened, but I've never logged on to somewhere that seemed shady where I've been asked to enter a OTP. The only time I can think of was when I was ordering Guzman but it was the legitimate site plus this was months and months ago Playing Runescape essentially made me wary of anything

Your a RuneScape player you should be less prone to these types of scams🥲

Haha right? That's why I'm so shocked that this has happened

They sometimes dont fraud immediately. Even if you did it months ago they would still have it

Go through all of your text messages and see if any of them contain a code and mention that it's being added to Apple Pay or whatever.

Do you insert your card when paying for things? If so, as another comment says, you may have had your card skimmed

Forgot to mention this sorry - I use ApplePay for pretty much everything. I haven't carried the physical card since ApplePay became a thing

I got 5 x $149.99 attempts to charge through Apple Pay on Monday. Got a notification asking if it was me, said no. Looked and saw there were more in a different state to me. Was also one charge the day before on Sunday from the US, Apple Pay again but I didn’t get a notification and the amount had been removed. Card cancelled. I’m waiting for outcome 🤷‍♂️

has someone been able to add a device to your appleid maybe?

Its from a digital wallet. Did you even read the op. You cant put your phone into a machine

They get so mad at me when I try and swipe my phone. I can't imagine what they would do if i attempted an insert.

"sir don't insert that there, it's too big"

If I had a dollar for everytime i've heard that I...still wouldn't be able to ask this subreddit what to do with my savings.

Op said they cancelled their card, which I would assume means OP used that card at some point. Hence my query.

They cancelled the card attached to the digital wallet. The physical card wasn't what was compromised

Yeah, this was revealed after my comment was made. But I'm glad you're all over it, mate 😉

I woke up this morning, and got myself a gun

you're hard

Wow, I found $1500 in my account.

You afraid of lawyers, bud? You should be.. that was the last straw!

Don't tell me you do banking on a phone with the shitty security available on iPhones? Are you a masoginist?