Tiffany told the bank she had not made the withdrawals and wanted reimbursement of the $9,500. The bank offered $2,375 (25 per cent of her loss), saying she had not taken sufficient care of her banking credentials. It said the withdrawals had been made using a mobile registered with her banking app. Tiffany said the phone was her old one, which she no longer used, and besides, it wasn’t working any more. She said her credentials might have been compromised by a data breach. The bank looked into her complaint, but came back with the same response: it would offer her only $2,375, although it did add on another $500 for taking so long to look into the matter. Still dissatisfied, Tiffany complained to us.

Our investigation

Data records showed her old phone had, indeed, been used to make the transactions. If, as Tiffany speculated, her credentials had been compromised in a data breach, the hackers would have obtained her username and password but not her device, so would have to have used another device to gain access to her account. Furthermore, it is impossible for anyone to gain access to a device that has been switched off or no longer works. This explanation didn’t seem very likely.

 Tiffany wasn’t sure what had happened to her phone: she thought she may have thrown it away or it might be still in her home. In either case, we thought it was likely that the person who made the transactions was in possession on the phone. But possession alone would not have been sufficient without Tiffany’s login credentials – unless she stored those details on the phone. If that were so, Tiffany would not have taken reasonable care to protect her banking credentials – as required by the terms and conditions of her account – and would not therefore be entitled to reimbursement of the $9,500.

 Outcome

 Tiffany accepted the bank's offer.