Bank security guru: Sue your bank for refund

Noted banking security expert Ross Anderson was forced to threaten action in the small claims court before his bank agreed to refund a disputed transaction. Anderson, professor in security engineering at the University of Cambridge Computer Laboratory, who has often appeared as an expert witness for plaintiffs in so-called " …


This topic is closed for new posts.
  1. Will 12


    Suing companies to get what you're entitled to is far too often becoming the quickest and easiest route to getting satisfaction. It shouldn't be like that but it is.

    Companies get one phone call and one letter/email from me now, then it's off to court. Some even go as far as acknowledging the claim and then don't bother entering a defence.

    I've won against Halifax, NatWest, RBS, Ikea, Virgin, and Game.

    A total waste of everyone's time and money.

    1. Anonymous Coward

      Waste of time and money?

      Sounds as if you're making a nice little earner out of it.

    2. Real Ale is Best
      Paris Hilton

      What on earth for?

      Is it just me? I've not had that many problems!

  2. Hollerith 1

    Small claims court rocks

    I use it, or the threat of it, all the time. Whenever a company screws up, they get three letters from me, first pointing out the problem and asking for whatever it is to be fixed/restitution made/etc, the second chasing it up or answering the company's delaying reply, and the third saying that if the fix doesn't happen within 30 days, either my solicitor will be writing to them (for big things) or I will be taking them to small claims court. At the end of 30 days, they hear from my solicitor or they get the small claims court papers through their door. I have usually had results right there and then. In court (2 times), I win, because my paperwork is always meticulous, and I don't waste the court's time.

    Those who spend a year fruitlessly on the phone or writing dozens of letters and getting nowhere but to a nervous breakdown are only allowing themselves to be puppets of companies who want to drag things out until the 'little guy' cracks. As consumer law is so strong in the UK, why not use its power?

    1. Danny 14

      Be careful though

      Small claims are getting more and more bogged down. Mediation is often enforced on cases where ombudsmen haven't been used. This doesn't always go in your favour.

  3. Anonymous Coward

    they don't do anything until court action

    It's a well-known fact that banks won't do anything until you send them court papers; the whole bank charge fiasco proved this. Complaining to the bank itself or even the Financial Ombudsman is a complete waste of time.

    Mine's the one with the summons in the pocket

  4. Efros
    Thumb Up

    Contrast this

    I was contacted by my bank, a small rural bank in the US, when one of the tellers noticed a Debit card payment actioned in Florida (about 2000 miles away) to a racecourse bookies. This teller happened to know us and also that neither of us were in Florida or frequented bookies. Bank put an immediate investigation into the debit, money that had already been disbursed from my account was returned by the bank pending the result of the investigation. The investigation resulted in new debit cards for my wife and I, no cost to us, and an explanation that the debit card had been compromised by a security issue at one of our local supermarkets. All done with no intervention on our part.

    1. Charlie Clark Silver badge

      Not all cats are grey

      The banks do sometimes get it right. I was called by my bank regarding some suspicious credit card transactions a few months ago. Card immediately stopped and everything sorted in due course.

      Of course, the bank's willingness to act may have had something to do with the fact that several million German credit card details had been stolen in Spain a couple of months earlier. Whatever the reason it was nice to experience that level of vigilance.

      The UK has pretty poor consumer protection legislation - the infamous "light touch" of the FSA was all the banks had to worry about for a while. So sometimes the small claims court is the only recourse. It's not what the courts are for, though. Banks and others will stall as long as possible knowing that most people won't take them to court so it's cheaper to sit things out. When they lose it's just a small payout and then business as usual.

  5. Anonymous Coward

    Surely it'd be easier...

    to agree that neither you or your missus had used your missus's card for a legit transaction with a retailer that you accept you've used?

    Maybe it's me, but I smell stale haddock.

    1. Jimmahh

      Re: possible haddock issue

      It's not spelt out in the article or the blog post itself, but in the supporting doc (PDF of letters bouncing back and forward between him and the bank) he does explain why he wasn't willing to sign the second declaration....

  6. Arclight


    "Anderson replied that had told it that the details of the NatWest card held by the Andersons were compromised when an auditor for the online hotel booking service lost a laptop."

    As interesting as the original story is, what the hell was someone doing with credit card information on a laptop?

  7. Wize

    But why...

    ...didn't he sign the second disclaimer?

    1. Anonymous Coward

      Re: But why...

      Because he couldn't be sure if he / his wife had made it or not. A disputed transaction is one that you are unsure of - particularly as several companies use 3rd parties for card processing. Effectively you say "I'm not sure if I made this or not - I'd need more information to verify the legitimacy of this transaction". The fact that it is usually only disputed in the event of being sure it wasn't your own is irrelevant.

      As he wasn't sure if it was legitimate or not he disputed it to try and get more information.

      Signing the second form would have meant that he was claiming he definitely didn't make the transaction. If it later turned out that the transaction was legitimate, and processed by a different company, then he would be legally liable for extra things.

      You really should read past this article. I've just summarized comment #10 on LightBlueTouchpaper

    2. ChrisC Silver badge

      Bit risky... sign something saying you definitely didn't do something, if you're not 100% certain you didn't. If I see a payment to a company name I don't recognise on my statements, my first thought is usually "OK, what have I recently bought for that amount from a supplier who might be using a third party to process their payments?" Which is fine if (as has always been the case so far) the amount is one you do recognise, and if another payment for said amount hasn't already been taken by the company name you were expecting to see on the statement.

      Now what happens if this is a payment for something you bought ages ago on a "buy now pay at some point in the future when you've forgotten that you hadn't already paid for it" scheme, or for something where the amount taken is variable? Can you be absolutely certain, to the point of being willing to sign something which could potentially be used against you if the bank thinks you're trying to defraud them, that you DIDN'T authorise that unknown payment?

      So no, I don't actually think it's unreasonable of him to refuse to sign that disclaimer - it's one thing to go on record as saying you genuinely don't recognise a payment that you're disputing, it's quite another thing to go on record as saying it definitely has nothing to do with you.

    3. Alistair 1
      Thumb Up

      His blog has the answer

      I quote:

      "the 2nd declaration requires you to categorically state that you did not make the transaction.

      Since Ross was unable to ascertain that neither he nor his wife definitely didn’t make the transaction (since some firms don’t appear under their own name on your CC bill,) if he signed it and it turned out that either of them had in fact made a genuine purchase, then he’d be signing a false declaration, with any repercussions associated with such an act.

      Put simply Ross didn’t have enough information to categorically sign it truthfully - indeed, he asked for paperwork to determine exactly where the transaction took place (which was not forthcoming,) to determine it."

  8. Anonymous Coward


    This is sound advice. Don't call; it's faster and less aggravating to write a (polite) letter and if you want to be really sure, fax it and send it, noting you did both on the letter (and the fax, obviously). Keep the fax receipt, it's your proof of delivery. No dice? Small claims court. Just be sure you have a leg to stand on -- which often enough isn't the case. Have you read the Ts&Cs lately?

    The sad thing is that banks have made themselves indispensable so like the proverbial at&t, they don't care, they don't have to care, they have your money already anyway.

  9. Graham Marsden
    Thumb Up

    Bravo Ross Anderson!

    Nat West's current slogan is "Helpful Banking", but what they really mean is "helping themselves to our money"!

    1. Anonymous Coward

      That's not what their slogan really means

      "helping ourselves to your money" is the current definition of the word "Banking"

    2. Anonymous Coward

      It must be getting on 20 years?

      Since Viz parodied their ad as "Gnat West: The Bank that likes to say Fuck Off". No change there then, really.

      1. LaeMing

        Or as we say here in Aust.

        "Which bank? Every bloody bank!"

        (In reference to the old "Which Bank? The Commonwealth Bank" ad campaign of decades yore.)

        1. Chemist

          Re : Or as we say here in Aust

          I didn't think you were allowed to say "bloody" in Oz anymore - at least not on the internet

  10. Anonymous Coward


    Still think the simplest solution is a change in the law to make the banks do the work.

    You dispute the transaction, the bank has to pay up within 7 days unless it can provide proof of your authorisation. Then, if you still dispute it, it moves to a 3rd party arbiter, and then on to the courts. But at all times, it is up to the bank to prove (beyond reasonable doubt) that it was you who authorised it.

  11. Michael C

    Bad business model

    Anytime a company seeks to include in their business model policies that include profits from transactions that in reality are fraudulent, incorrect, or simply based on customers not following up properly to dispute, is simply bad business. If there's a mistake, and a transaction should be refunded/reversed, there should NEVER be a case when the customer is put in a backward position, where they might "give up trying" before receiving a just and due refund under the guise the customer's failure to complete the process is a profit for the company.

    Prompt customer service earns customers which churn profit. Bad press because your customers are suing you for refunds you have to give them anyway because you've been sneaky and counted that as profit (and then shareholders who in turn also sue for misrepresentation of profit), is a money loser.

    1. Steve Roper

      I don't understand

      why companies feel the need to give bad service in the first place. Good customer service isn't rocket science.

      Occasionally we might have a glitch on our site that causes a customer to get double-billed or incorrectly billed or something similar. The customer rings up, points out the error, and the staff member on the phone can bring up the suspect transaction on the system, see straight away that something's amiss, and refund the extra money with two mouse clicks while the customer is still on the phone. 5 more seconds to apologise for the problem, log it for recurrence-prevention, job done. If we spot the problem first, we fix it, then ring up the customer to explain what has happened and what they'll see on their bank statement as a result.

      So we've had very few dissatisfied customers (admittedly there are some people you just can't please - I'm sure we all know about the customer from hell!) and quite a lot of referrals from existing customers who were impressed enough by our quality of service to put other people on to us. The little bit of extra effort pays for itself many times over. What is it about this simple principle that so many companies don't get?

  12. Anonymous Coward
    Paris Hilton

    Unfortunately ... he is right

    Most organisations seem to take the three steps approach in escalating a complaint.

    But it tends not to be good practice for the organisation or the complainant.

    Staff tend to do jolly well out of it though (why do a job once when you can do it three times and look three times more stressed and three times busier?)

  13. Andy Livingstone

    They have now closed his account??

    Wouldn't that be the usual action by Banks?

  14. Yet Another Anonymous coward Silver badge

    @But why...

    1, It's not your job to prove yourself innocent.

    2, it probably also means you accept the bank's process to resolve matters. Which could take years or mean you have to agree to whatever the bank says.

    1. Anonymous Coward

      @But why...

      "1, It's not your job to prove yourself innocent."

      Yes it is. Had a NIP for speeding recently?

  15. Anonymous Coward

    Don't worry about the terms and conditions

    Most of the terms and conditions are meaningless.

    If the term is either contradicted by law, or the term is deemed unfair, as per the unfair terms in consumer contracts 2000, then the term does not stand. Note that the unfair terms regulations don't apply to the core parts of the agreement - hence the entire argument that bank fees were part of the exchange for service and therefore a core part of your banking agreement.

    I strongly recommend that every consumer familiarise themselves with the sale of goods acts (there have been several updates with various but similar names), the distance selling act, the trade descriptions act and the unfair terms act before embarking on any complaints process - it's good to know where you stand!

  16. Anonymous Coward

    Not beyond reasonable doubt

    Just a note for the above fellow AC - banking transactions and relationships with your bank are civil matters - therefore the courts rule "on the balance of probabilities" not beyond reasonable doubt as is applied in criminal cases.

  17. RW

    Different in Canada

    My bank (Royal Bank of Canada) remains alert and takes the initiative.

    Last year I ordered a couple of pretty rare CDs via, paying online with my CC. Within hours, the bank called to verify that the transaction was valid.

    And earlier this year, they called again to tell me my debit card had been compromised, that they'd blocked a fraudulent transaction on my account, and to please come in to get a new card.

    I have no complaints.

    Sounds like British banks are run by thieves.

    [The compromise was apparently a bogus keypad that was capturing numbers and passwords. Many people were affected; the lines for new cards were long when I went in; and they had five tellers assigned to handling that job that day.]

  18. Anonymous Coward

    Been there

    Having sued my bank in the small claims court (and won) there are a few things worthy of note.

    1) You can file a claim online for small enough claims. It is really quick and simple.

    2) Changing banks in the UK is ridiculously easy. They are required by law to make it smooth. If your bank is incompetent enough that you have to sue them, punish them further by changing banks. They are required to transfer all your direct debits and direct deposits. Having felt I was stuck with the incompetence heap that is Lloyds TSB, I finally changed and have never looked back...

  19. Neoc

    Two-part confirmation

    A couple of times, when transferring some money on-line, I have been told by the system that a confirmation ID was being sent to my phone and could I please enter it to confirm I was actually the person requesting those transfers.

    Useful, in those cases, but I was never quite certain of the triggers for it.

  20. ZenCoder

    I've never had a problem with my bank.

    It must be easier to dispute charges in the US.

    However if I wanted to sue ... I believe I am contractually obligated to do so in the State of Texas and via a third party arbitrator of their choosing. I also signed away my rights to a class action lawsuit.

    We need better consumer protection laws.

  21. The Jase

    Time is money

    What about adding the time it takes you? I would need to book half a day off to book a day in court, and book a day off for my day in court. Could I add these to the court costs?

    1. kapple999

      No need to take time off work to attend court

      It's so much easier these days - apart from the time taken to wordsmith your case it's less than 5 minutes' work on the Internet, without leaving the comfort of your home - see

  22. Anonymous Coward


    If people keep on doing this sort of thing OFT will step in and put a stop to it sharpish, a la overcharging thing where everyone suddenly started winning against the banks.

  23. Richard Jukes

    Not just banks.

    It's the same with companies other than banks. It has recently come to my attention that I was sold a PC that had an evaluation copy of Windows Vista on it, by a well known and large high st retailer (who shall remain nameless) - I called their support lines to be told that 'It was impossible that I had been sold an evaluation copy, and that I had got a virus'

    I had to tell the drone on the other end of the phone that quite how I had gotten a virus on a pc that is not connected to the internet and has only had SQL server, a hire management program and nothing else was beyond me.

    In the end I resorted to taking a written copy of the 'This pre-release version of vista will expire in three days...' message to the local purveyor of cheap computer tat, asking for the manager and saying 'Hello mate, you've got a problem - read this!'

    And in all fairness to the chap, he's offered to put it right, no quibble, no hassle and no condescending attitude. So thumbs up for him! But the call centre...GRR! And what I found even worse was being told that I didn't know what I was talking about, by someone with fewer IT qualifications than myself...

  24. Anonymous Coward

    Playing devil's advocate...'s worth remembering that the fraudulent card payment wasn't the bank's fault either - the security breach was apparently by's auditors. Ideally neither the bank or the individual should have to pay the cost of this fraud, but in reality the perpetrator is unlikely to be caught and so someone is going to be out of pocket.

    Why should it be the bank? Did the bank tell you to shop at Did the bank tell to use crappy auditors? No. It's not the bank's fault.

    As for anti-fraud measures, given how warmly we all embrace biometric IDs and other identity proving systems I don't think the banks have any choice but to assume that if a card is used then it should honor the transaction in good faith - otherwise trying to use your card is just going to be unbearably invasive and inconvenient (I've given up on on bank's on-line payment facility for this reason).

    So perhaps we should remember that we are not *entitled* to this money, the fraud is more likely to stem from the individual's purchase history than from the bank itself, and any refund on offer is a courtesy only.

    And no, I don't work for a bank, I'm just sick of this culture of whiny self-entitlement...

  25. Paul Landon
    Paris Hilton

    Banks are Paris-sites

    I find that enclosing a photocopy of the filled in Small Claims Court papers with the second letter shows that you are sincere and your case will be treated as if there were a court case pending rather than just one of thousands of complaints for that day.

    I recommend adding £30 per letter and £6 per day whilst their account is "overdrawn" compared with your version. Fair's fair, they do to you.

    On changing banks: It is not always that easy, cancelling all your cards and direct debits. Many years ago, after a dispute with Royal Bank of Scotland about service, I was moving my personal and business accounts to another bank. After 3 weeks, the new manager phoned me to come into the bank. "I'm sorry sir, we don't want your accounts, how would you like the contents?". It turns out that they had just received a reference from my old bank saying "Mr Blah has banked with us satisfactorily for many years, however we would not recommend facilities such as a £500 overdraft"!!! Codified bankspeak for BAD_CUSTOMER! Even though I wasn't asking for any overdraft, and my old bank had provided a £500 overdraft limit (which was used correctly and paid off) and at the time of the move I was thousands in credit!

    This left me right in the shite at the time I had just moved down south and started a new job.

    Paris: because banks are Paris-sites.

  26. Phil 54


    When I was in the UK I got burned by a fake keyboard and camera on an ATM. I noticed three days later that my account had had the maximum withdrawn three days running. Natwest hadn't noticed the unusual pattern but when I called them they asked me to file a police report and promptly refunded the money even before I gave them the report details.

    I went to the police station near Edgware Road at about 10 on a Thursday morning and was told by the constable that I was the TENTH person to file for the same thing THAT DAY.

  27. Simon B
    Thumb Up



  28. kapple999

    No need to go to Court - the law has changed to be on your side

    As I already said as #19 on Ross's newsletter, I don’t think Ross’s experience dating back to June 2009 will recur, because since November 2009 you now have up to 13 months to query a transaction – no matter what MasterCard bylaws state.

    reproduced verbatim below :

    “If there is an unauthorised transaction on your credit card account you should dispute it without undue delay (and no later than 13 months after the transaction).

    It is for the bank, building society or credit card company to show that the transaction was made by you and there was no breakdown in procedures or technical difficulty.

    If you’ve not authorised the payment then your credit card company must immediately refund you the transaction amount unless they have some evidence suggesting you may not be entitled to a refund because of the way you have acted. In these cases the credit card company must investigate the claim, but must do so as quickly as possible.”

    Banks & Credit Card companies now have to keep all the data readily available for 13 months, just in case you make a claim a year later. They can’t claim they no longer have any records of the event. If they didn’t keep any records, then since they can’t prove their case - you win.
