Uncovering Revolut fraud support beneath the marketing!
Martin Liljenberg
AI Strategist | Cloud Specialist | Business Development Pro | Cofounder of WeSafe | Board member Nonbye
UPDATE: Revolut took a look at my case again following my continued argumentation and reimbursed me fully for which they deserve credit.
Note: This is a long read, but I want to make sure the whole story is covered.
I want to start by admitting that I am ashamed and accept full responsibility for falling for the initial fraud attempt. This post is not about deflecting blame but rather about sharing what I discovered about Revolut’s security protocols, support, and fraud prevention measures.
The reason I am sharing this is because I believe that both existing and potential new customers need to be aware of these issues to make informed decisions about trusting Revolut with their financial assets.
Tagging Revolut to allow them to respond in case they have something to add.
This is how they market their security and the way they protect their customers:
"We really focus on security and we really want it to be the paramount of Revolut"
You can make up your own mind below whether the marketing message corresponds to reality...
Importance of Fairness
To ensure I am being fair when describing how Revolut supports its customers and handles fraud cases, I took several steps to give them ample opportunity to respond and address my concerns:
Given the size of an organization like Revolut, it’s possible that an issue could be mishandled or not aligned with the overall company policy. Therefore, I made efforts to reach out through multiple channels and different people to ensure that my representation of Revolut’s fraud support and policies is fair. I have documented and saved all interactions for transparency.
What happened?
I was about to go on vacation with my family and was expecting a package from PostNord, one of the largest postal services in the country. I received a text message that appeared to be from them, indicating an issue with my delivery:
Multitasking and distracted by the imminent trip, I didn't scrutinize the sender's details, especially since I was expecting a delayed package. The link led me to a legitimate-looking site that wasn’t flagged by Microsoft Defender, which usually catches such fraudulent sites. (It was likely in the first wave, as it's now blocked.)
On the site, I entered my address details and was prompted to pay a small fee of less than 1 Euro. I used my Revolut card, which I keep for traveling with a low balance to protect my main accounts from potential fraud. I received an OTP (One-Time Password) via SMS, which I entered, followed by another OTP, which I also entered.
Knowing I had only about 20 Euros in the account, I wasn't overly concerned and believed I had successfully updated my address for the package.
Two days later, as I was preparing for my vacation, I transferred about 1000 Euros to my Revolut account. The next morning, I noticed four transactions of approximately 95 Euros each, two from Apple Pay and two from Google Wallet, all made from the other side of the world while I was asleep.
Reviewing the verification codes I had provided, I realized they were used to add my card to Apple Pay and Google Wallet.
This classic phishing and fraud scenario should have been obvious to me, especially given my background in helping companies protect against and track such frauds.
That’s on me! The combination of expecting a delayed package, having a low balance, being stressed, and multitasking meant I wasn’t as vigilant as I should have been.
Initially, I was ready to accept this as a personal lesson until I dug deeper into Revolut’s security protocols, customer support, and how their current practices seem to enable fraudsters and thieves to continue their activities.
The Non-Existent Revolut Support
To summarize, Revolut has done absolutely nothing to help me as a customer, prevent future fraud, or reclaim the stolen money.
I challenged all the unauthorized transactions with Revolut support, but they were all rejected. The support team claimed it was not fraud since I had provided the OTP codes to add my card to Apple Pay and Google Wallet.
I argued that the scam involved impersonating a well-known postal carrier, setting up a fake website, collecting my card details and OTP codes under the guise of a legitimate payment. The fraudsters then added my card to their Apple Pay and Google Wallet accounts and made purchases without my authorization. This is the very definition of fraud.
Despite my arguments, Revolut support was unyielding. I escalated the issue to the complaints department, which reiterated that there was nothing they could do and rejected my claim. Additionally, I reached out to several Revolut employees directly on LinkedIn, but received no responses.
Analysing Revolut's support, security protocols and actions
I sent Revolut a series of direct questions that I, as a customer, needed answers to. Unfortunately, they have not responded, which highlights several issues regarding their security protocols, customer service, and how their actions (or lack thereof) make it easier for fraudsters to steal from their customers.
Here is the email I sent, which also underscores the deficiencies in their customer protection, security protocols, and service:
Through our communication, we agree that the following events occurred:
A phishing email was sent to me, leading me to provide two codes to add my card to Apple Pay and Google Pay. The card was added, and two days later, the scammer made two purchases with Apple Pay and Google Pay without my authorization. Do we agree on this sequence of events?
Card Addition Security:
Revolut allows its credit cards to be added to an unknown device, in a different country, with an Apple ID or Google ID not corresponding to the cardholder's name.
For example, a customer living in Sweden by the name of Martin Liljenberg had his card added to a new device under the name Ramesh Chadha in India with just a passcode. When a card is added, is no notification sent to the card owner?
My comment: I was tricked into providing my OTP for adding a device to Apple Pay and Google Wallet. This was then added to an Apple user with a different name, in a different country, and on a new device. There were no security protocols or notifications to me, the account holder. Such security protocols should flag a new country, different name, and new device.
Transaction Verification:
When the card is added, can the scammer make purchases from the scammed cardholder's account without any verification? In this case, purchases were about 100 Euros each, totaling almost 500 Euros. What is the maximum amount that could be transacted without the scammed cardholder being able to stop it? Could it be 10,000 Euros? 100,000 Euros?
My comment: How is it possible that after the card is added, no OTP or verification is sent to the account owner when making purchases of this amount? What are the limits? Could this poor protection apply to much larger sums?
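The two control gaps raised above (a card added to a wallet on the strength of an OTP alone, and unlimited spending afterwards) as an added defender-side example. This is not Revolut's code or anything from the original post; the field names, the risk rules and the thresholds are assumptions illustrating what such a check could look like.

```python
from dataclasses import dataclass, field

@dataclass
class Cardholder:
    name: str
    country: str                      # country of residence, e.g. "SE"
    known_devices: set = field(default_factory=set)

@dataclass
class WalletRequest:
    wallet: str                       # "apple_pay" or "google_wallet"
    account_name: str                 # name on the Apple ID / Google account
    device_id: str
    device_country: str
    otp_verified: bool

def _norm(name: str) -> str:
    return " ".join(name.casefold().split())

def provisioning_flags(holder: Cardholder, req: WalletRequest) -> list:
    """The three signals the article says should have been flagged
    when the card was added: new device, other country, other name."""
    flags = []
    if req.device_id not in holder.known_devices:
        flags.append("new_device")
    if req.device_country != holder.country:
        flags.append("foreign_country")
    if _norm(req.account_name) != _norm(holder.name):
        flags.append("name_mismatch")
    return flags

def provisioning_decision(holder: Cardholder, req: WalletRequest) -> tuple:
    """An OTP alone is not enough (assumed policy): two or more flags hold
    the token until the cardholder explicitly confirms in the app; a single
    flag still approves but notifies the cardholder."""
    flags = provisioning_flags(holder, req)
    if not req.otp_verified:
        return "deny", flags
    if len(flags) >= 2:
        return "hold_until_cardholder_confirms", flags
    if flags:
        return "approve_and_notify", flags
    return "approve", flags

def transaction_decision(amount: float, spent_on_token: float, token_flags: list,
                         per_tx_limit: float = 100.0, velocity_limit: float = 150.0) -> str:
    """Spend on a token that was provisioned with risk flags is capped until the
    cardholder re-authenticates: one purchase above per_tx_limit, or cumulative
    spend above velocity_limit, requires step-up instead of silent approval.
    Limits are assumed values; tokens with no flags follow the normal path."""
    if not token_flags:
        return "approve"
    if amount > per_tx_limit or spent_on_token + amount > velocity_limit:
        return "step_up_required"
    return "approve"
```

With the article's numbers (four purchases of about 95 Euros on a token added from a new device in another country under another name), the second purchase would already have required the cardholder to step in.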
Vendor Trust:
Revolut seems to trust Apple and Google on the customer's behalf once the card has been added, requiring no further authorization for purchases. Why do you trust these vendors on the customer's behalf, particularly for a customer who doesn't have an ID with Apple and may not trust them? Can you list other vendors you have decided to trust on behalf of your customers?
My comment: I do not have Apple devices or accounts. I happen to use Google, but why is Revolut trusting these vendors to spend my money without notifying me? What other vendors do they trust on behalf of their customers?
Action Taken:
Please confirm that Revolut has taken no concrete actions on behalf of the customer, excluding internal processes and communications. Specifically, has Revolut taken any actions to block the fraudulent transactions, report the scammers, or recover the funds? Please list these in detail so they can be verified.
My comment: This is very serious and makes it easy for criminals to continue scamming Revolut and other companies' customers. Revolut has not reported this to Apple, Google, VISA, the involved bank, or anyone else. This means the criminals won’t even be blocked on these platforms, nor will their bank account be investigated. They don’t even have to change their Apple ID to add cards from other victims and steal their money.
Complaint Categorization:
You state that complaints can be either about fraud or undelivered goods/services. Confirm that you categorize this incident as non-fraudulent and that you believe the fraudster received the goods and services (how do you know this? The actual person who paid for the service, me, has no way of verifying).
Does this mean you do not consider the fact that your customer did not receive any goods or services?
My comment: Revolut claims that this wasn't a case of fraudulent transactions. They also claim the customer (i.e., the thief) didn't receive the ordered goods (they don't know that, and they don’t care that I paid for it and didn't receive any goods or services).
Refund Policies:
Despite the fact that both Google and Apple often have refund policies, have you contacted them or attempted to secure a refund on behalf of your customer?
My comment: If the issue was reported to Google or Apple or the vendor that provided the goods to the scammers, I might be able to get my money back as a refund. Revolut has not tracked the transaction or asked about a refund.
Transaction and Identity Data:
You have not provided your customer with any data about the identity of the Apple ID or Google account that made the purchases, nor details about the transactions. Do you have any intention of doing so, to enable the customer to challenge the purchases with the vendors?
My comment: I do not know anything about the transactions and purchases made from my account. Revolut has not provided what kind of goods were purchased or the Google account or Apple ID of the scammer. Revolut gives me no information at all. This further protects the criminals, whereas Revolut’s interest should be in protecting me as their customer.
Reporting the Scammer:
Have you reported the scammer to any authority, such as another bank, VISA, Apple, or Google, to prevent them from continuing their fraudulent operations?
My comment: This is similar to the point above, just trying to be absolutely sure.
VISA Regulations:
You mentioned VISA's regulations preventing you from taking action. Can you confirm this position, as I plan to escalate this matter to VISA, where I have several accounts and services?
My comment: Revolut claims in their answer that my claims are invalid as per the VISA scheme. I would love to get an answer on this from Visa.
Conclusion
Your responses to these questions will provide crucial clarity on Revolut's handling of this matter and help determine the appropriate next steps. I look forward to your detailed answers.
My Issues with Revolut
Revolut has done absolutely nothing for me as a customer, nor have they taken steps to help prevent fraud and theft, thereby making it easier for criminals to operate.
While Revolut does respond to communications, their responses are limited to arguments about why the situation is solely my fault and why they cannot do anything for me. Although I have presented legal arguments demonstrating why they are wrong, they might be right that, legally, I have no claim. I can accept that; however, what I cannot accept is the utter lack of support and assistance provided to me as a customer.
Security Protocols
As someone working in IT security, I have identified several flaws in Revolut's security protocols and algorithms:
Customer Focus
It is clear that Revolut's primary response to customer issues is to blame the customer and not provide any meaningful assistance.
Conclusion
Revolut’s lack of action and support, coupled with their inadequate security protocols, significantly undermines customer trust and safety. It is crucial for them to improve their security measures and adopt a more customer-centric approach to prevent such issues in the future.
Why Publish This?
I want to inform current and potential Revolut customers about how the company handles matters like this. While your opinion might differ from mine and you might believe that Revolut manages these issues according to your expectations, I feel it is essential to share my experience.
I acknowledge that I am at fault for being tricked into providing the OTP codes. However, I strongly disagree with Revolut's security protocols and their approach to supporting me as a customer. This post aims to shed light on these concerns so that others can make informed decisions about trusting Revolut with their financial assets.
AI's point of view!
I created a GPT and a prompt for GPT-4o and gave it all the information about the issue. In the prompt, I asked for a legal assessment according to regulations and laws, with external references:
Legal Assessment of Revolut's Handling of the Fraud Case
Based on the information provided and relevant regulations, Revolut's response to your fraud case appears to be inadequate and potentially in violation of key legal standards set by the EU’s Payment Services Directive 2 (PSD2).
Key Points of PSD2:
1. Strong Customer Authentication (SCA):
- PSD2 mandates Strong Customer Authentication (SCA) for electronic payments to ensure the security of transactions. This requires multi-factor authentication involving at least two of the following: knowledge (something only the user knows), possession (something only the user has), and inherence (something the user is). (Sources: https://www.ecb.europa.eu/press/intro/mip-online/2018/html/1803_revisedpsd.en.html and "Strong customer authentication requirement of PSD2 comes into force", European Commission.)
- The SCA is designed to reduce the risk of fraud by making unauthorized transactions more difficult. In your case, once the card was added to Apple Pay and Google Pay using an OTP, subsequent transactions did not require further authentication, which contradicts the SCA requirement. (Source: "Revised rules for payment services in the EU", EUR-Lex.)
2. Liability for Unauthorized Transactions:
- According to PSD2, if a payment service provider fails to require SCA, they are liable for any unauthorized transactions. The directive reduces consumer liability for unauthorized payments from €150 to €50, provided the consumer did not act fraudulently or with gross negligence. (Source: "Revised rules for payment services in the EU", EUR-Lex.)
- Your actions, induced by phishing, do not equate to gross negligence or fraud on your part. Hence, Revolut should bear the responsibility for the unauthorized transactions that occurred without proper authentication.
3. Consumer Rights:
- PSD2 strengthens consumer rights by ensuring that they are protected in cases of unauthorized transactions. The directive stipulates that the payment service provider must refund the amount of the unauthorized transaction immediately and in full unless they have reasonable grounds to suspect fraud by the payer. (Sources: Directive 2015/2366, Payment Services Directive, EUR-Lex; "Strong customer authentication requirement of PSD2 comes into force", European Commission.)
Specific Issues in Your Case:
1. Notification and Verification:
- Revolut did not send you any notification when your card was added to Apple Pay and Google Pay, nor did it require any additional verification for the transactions made thereafter. This lack of notification and additional verification is a significant lapse in security protocols.
2. Trust in Third-Party Providers:
- Revolut's trust in Apple and Google to handle transactions without further verification from the cardholder is problematic. This trust should not override the necessity for the bank to ensure secure transactions for its customers, especially when the cardholder does not even use these services.
3. Lack of Proactive Measures:
- Revolut’s failure to take any concrete actions to report the fraud, block the fraudulent transactions, or seek refunds from Apple and Google is a neglect of their duty to protect their customers. Effective fraud prevention requires proactive measures, including cooperation with third-party vendors and relevant authorities.
4. Disclosure of Transaction Details:
- Not providing you with details about the transactions or the identities of the Apple ID or Google account involved in the fraudulent activities impedes your ability to challenge these transactions and seek recourse.
Conclusion:
Revolut's handling of your case appears to be inconsistent with the requirements of PSD2 regarding SCA, consumer protection, and liability for unauthorized transactions. You have strong grounds to escalate this matter to the relevant regulatory authorities, such as the Bank of Lithuania, and potentially to VISA, given their overarching rules on card security and fraud prevention.
For your article, highlighting these regulatory breaches and comparing them with Revolut's stated policies will provide a clear picture of the discrepancies and the need for improved security measures and customer support from financial institutions.
Recommended Actions:
- Escalate the Complaint: File a formal complaint with the Bank of Lithuania and VISA, citing the specific breaches of PSD2.
- Seek Legal Advice: Consider consulting with a legal expert specializing in financial services to explore further actions.
- Public Awareness: Use your article to raise awareness among consumers about the importance of understanding their rights under PSD2 and the need for robust security practices by financial institutions.
By taking these steps, you can not only address your own situation but also contribute to broader improvements in financial security and consumer protection.
I am not competent enough to validate the AI response, but I will certainly follow the recommendations and escalate the complaint and publish the outcome whether I am in the right or in the wrong.
UPDATE:
I have now sent the complaint to the Bank of Lithuania, and received the following acknowledgement: "Thank you for contacting us. We have received your request and forwarded it to the responsible specialists of the Bank of Lithuania."