Home Selected Cases Abuse and fraud Debit card fraud after registration of the card in a payment app

Debit card fraud after registration of the card in a payment app

Topic:

Case number: 2026/08

Fraudsters used a client’s debit card for two payments after registering the card in a payment app. The bank refused compensation on the grounds that activation was only possible using the card data and an SMS code, which had been sent to the client’s registered mobile phone for this purpose. The client argued that she had not been able to classify this SMS because the sender was unknown to her and therefore had not paid further attention to it. She also complained that the bank had executed the debit card payment after the fraud report. At the time of the report, it had only been designated as provisional. The bank was of the opinion that the loss had occurred due to a breach of duty of care by the client and refused to accommodate her request. The Ombudsman had to end the proceedings without a mediation solution.

The client contacted the Ombudsman after two fraudulent payments in favour of a merchant unknown to her were charged to her debit card and the bank was not willing to provide compensation. After the debit, the client lodged an objection with the bank and demanded compensation. At that time, the disputed transactions were only recorded as “provisional” on her account. Despite the fraud report, they were executed by the bank.

The client was of the opinion that she had not knowingly disclosed either her card data or a security code. She did receive a text message with a code, but it had a sender name that was unknown to her. The SMS did not contain any reference to her bank, which is why she was unable to identify it and assumed it was a spam message, which she ignored. From her point of view, she could have expected that security-related communications regarding her debit card would clearly originate from the bank or at least be clearly identifiable as such.

The bank refused to pay compensation. It stated that the debit card had been properly registered in a payment app. This process requires the use of confidential card data as well as a verification code sent by SMS. The processing of card transactions is carried out by a certified external service provider who has been carefully selected, instructed, and contractually obliged to maintain the confidentiality of client data. Since activation is only possible with the correct security features and took place immediately after the verification code was sent to the client’s mobile phone, it must be assumed that the client either disclosed the necessary data or enabled access to it. Based on the applicable contractual terms, the bank denied its liability.

The Ombudsman pointed out that he could not conduct investigations into the question of how the fraudsters had specifically obtained the card data and the security code. He also explained to the client that authorised card payments cannot be stopped after approval, even if they are initially shown as provisional. In such a case, the bank is irrevocably obliged to pay the merchant, who is normally not part of the fraud scheme.

However, he also stated to the bank that, in his view, the client’s argument regarding the sender of the SMS should be taken into account in the Ombudsman procedure. Since there was no direct contractual relationship between the client and the external service provider, it seems understandable that she did not necessarily associate an SMS from an unknown sender with her bank card, especially as the text did not establish any clear connection to the bank.

Despite this assessment, the bank was not willing to deviate from its position or make any concessions to the client. As the Ombudsman cannot make binding decisions for the parties and further mediation efforts appeared futile, the procedure was concluded without an agreement.