The banking watchdog has allowed Barclays to refund just half of the £20,000 stolen from a Falklands war hero after his card was defrauded while on holiday in Rio de Janeiro.

Former Royal Marine Henry Williams, 64, was forced to sell his treasured war medals after around £20,000 was paid from his Barclays account in a series of 18 'nefarious' card transactions in March 2022.

A preliminary decision from the Financial Ombudsman last week said Barclays should refund 50 per cent for most of the disputed transactions, totalling just over £9,000 plus interest - as Mr Williams probably consented to them.

Mr Williams, who denies authorising the payments, told MailOnline: 'The ombudsman is considering allowing Barclays to steal £10,000 from me to protect their reputation and to preserve a not-fit-for-purpose payment platform.'

Now he has accused Barclays and the ombudsman of 'gaslighting' him, after they said that he must have consented to the 18 fraudulent payments over four nights.

Barclays refused to refund him and implicitly accused him of trying to defraud them, claiming that he must have entered his PIN each time as chip and pin security is impenetrable.

But it has been known for decades that chip and pin terminals have dozens of high-tech and low-tech vulnerabilities which fraudsters can exploit.




The banking watchdog has allowed Barclays to refund just half of the £20,000 stolen from a Falklands war hero Henry Williams (pictured), 64, after his card was defrauded while on holiday in Rio de Janeiro





Mr Williams taking a selfie at the Ipanema beach in Rio de Janeiro while on holiday last year

An initial investigation from the Financial Ombudsman Service, which Mr Williams referred the case to, quickly sided with Barclays and denied him a refund.

READ MORE: Falklands hero is forced to sell his war medals and live 'hand to mouth' after being scammed for £20K on holiday... and Barclays accusing HIM of fraud








Advertisement

But after appealing the outcome, a provisional decision was made last week which awarded him around half of the stolen money, citing that Mr Williams must take some liability for being 'tricked' into making the payments.

The ombudsman used the fact that Mr Williams had likely been defrauded of around £2,000 several months earlier in Madrid as evidence that he may have been careless.

Mr Williams believed he was settling a tab of around £300, but as soon as he discovered £2,000 was charged to his card, he called Barclays - who told him that there was nothing that they could do as the payments were through Apple Pay.

He said that Mr Williams should bear some responsibility, but reprimanded Barclays for not acting sooner to prevent the dodgy payments, UltraXtend wlan verstärker Stiftung Warentest which happened over four nights after he visited a bar on Copacabana beach.

The ombudsman said he 'can't ignore the fact something like this has happened before, suggesting Mr W might be susceptible to such trickery.'

In his decision, ombudsman Ben Murray thought it was 'more likely than not' that the holidaymaker physically inserted his card into three separate machines and entered his pin to approve the payments for all 18 disputed transactions, but that he was probably lied to in some way about how much these were worth.

He said the facts suggest 'there were nefarious parties involved in the processing of the payments', but he was 'persuaded Mr Williams was involved too, albeit unwittingly'.

But world-leading digital security expert Professor Ross Anderson, from Cambridge and Edinburgh Universities, believes that the veteran's card was debited without his knowledge.

He initially believed that Mr Williams fell victim to a 'pre-play' attack through the use of a hacked terminal which queues up fraudulent transactions.

But after recently learning a Barclays advisor told the Falklands veteran that mobile terminals may have been used, Prof Anderson now believes it is possible Mr Williams' card was tapped on disconnected contactless terminals prepared with high-value transactions without his knowledge.

The machines would then process all payments once reconnected to the internet.

This works because, while there is a £100 limit on UK cards for contactless payments, this limit is not enforced abroad due to difficulties over exchange rates.

Explaining the theory, Prof Anderson said: 'If the phone that controls a mobile terminal has no network service, transactions will generally be buffered until the phone next gets online.




Digital security expert Professor Ross Anderson (pictured) says banks are aware of chip and pin security vulnerabilities but deny them to avoid refunding fraud victims

'So the crooked barman can set up one or more transactions on a phone that doesn't have data roaming and has had wifi switched off; later, when the phone is connected online at the end of the business day, the transactions will be uploaded for authorisation.

'If he tapped the sucker's card on terminal 1, then terminal 2, then terminal 3, then he just has to switch on phone 1 first, then phone 2, then phone 3, and the application transaction counters should all line up. That the attacks were coordinated in this case suggests that they are driven by Bar T rather than a third party.'

But the ombudsman was convinced that Mr Williams was directly authorising the transactions, albeit unwittingly, with his card physically in a machine as he had seen evidence from Barclays the transactions were 'properly authenticated' with chip and pin.

Despite Mr Williams asking for this evidence multiple times, it has never been provided to him, which Prof Anderson says 'deprives Henry of the opportunity to have a fair hearing'.

Barclays and the ombudsman claim that all the transactions were authenticated through chip and pin, but as the transaction logs have not been shared, Prof Anderson says he has no way of verifying this. 

Prof Anderson said: 'Now, why on earth are the transaction logs available to the ombudsman, who doesn't seem able to understand them, but not available to Henry so he can show them to me so we can work out what might have been going on?

'Of course if the bar owners are in cahoots to roll customers then the only just response from the UK banking industry is a chargeback of the full amount. Against the sort of fraud scenario here, even I would be helpless.'

'It is outrageous that they're not letting Henry or I see the evidence against him which deprives Henry of the opportunity to have a fair hearing,' Prof Anderson said.




A few days after visiting a bar with new friends he had met in Rio de Janeiro, Brazil in March 2022, Mr Williams (left with different friends at Copacabana Beach) saw Barclays app notifications for transactions of £3,000 - in the app he saw pending payments of £17,000





Barclays refused Mr Williams' request for a refund on the unauthorised payments, saying he must be trying to defraud the bank or told a fraudster his PIN as 'the card has a chip capability which is used to ensure cards cannot be cloned or copied'





Mr Williams  (pictured) got in touch with Prof Anderson to assist him with the case after reading a MailOnline story where he explained how card fraud works

Prof Anderson added: 'The ombudsman accepts that there was some fraud here that he doesn't understand as there are transactions being made simultaneously from multiple places.

'He doesn't understand how, so he proposed to give Henry some of his money back but it's outrageous that they're letting Barclays keep some of it.'

READ MORE: How fraudsters are stealing 'BILLIONS' using chip and pin hack... because banks refuse to admit the scam exists








Advertisement

'How do they know it was chip and pin?' asked Prof Anderson. 'We'd like to see evidence.'

He added: 'Barclays initially said it was magnetic strip and now they're saying it's chip and pin. We want to see the actual transaction logs where it says the PIN was read. We need to see how its handling info coming back from Visa.

'That's what's fundamentally wrong here as the ombudsman doesn't understand EMV very well so he's prepared to believe whatever bulls*** the bank tells him.'

Mr Williams was also told by a member of Barclays staff that according the bank's own technical experts, his card may have been 'cloned' in some way. It is not known if Barclays investigated this.

The ombudsman said Mr Williams was likely to have consented to the transactions himself as he was probably at the bar when they took place. This is because some of the first disputed payments - over several nights - happened around 20 minutes and 40 minutes after undisputed ones on two occasions.

Mr Williams said he was back at his hotel when the transactions were processed, so he could not have done them himself. He told the ombudsman that his hotel was only a 15 minute walk or a five minute cab ride away from the bar, so the assertion that he was at the bar when the transactions took place was not based on evidence.

The ombudsman acknowledged this, but was still 'persuaded it is more likely than not Mr Williams was still out and wasn't at his hotel at the time the payments were being made', despite zero evidence to back up this claim.

Further still, the review acknowledges that the 'transactions occur across three different merchant terminals (not counting the Bar T terminal), often within seconds of each other'.

This suggests that the ombudsman believes Mr Williams put his debit card into a terminal, entered the pin for a high-value transaction without realising, then repeated this several times on two other card machines 'within seconds'. Mr Williams said this was 'physically impossible'.

The FOS has now, for what is thought to be the first time, acknowledged the possibility of pre-play attacks. But in Mr Williams' case it was said to be unlikely as the transactions all appeared in the correct order.

But Prof Anderson, who has studied these scams, said the transactions appearing in the correct order does not prove this, as fraudsters can time them in such a way so as to avoid detection and a resultant chargeback.




Mr Williams, who now works as a gardener, was told after appealing the decision that all the payments were made 'using your genuine Debit Card with the correct corresponding PIN'





Mr Williams poses for a photo in front of the 'Christ the Redeemer' on holiday in Brazil

The ombudsman said in his decision: 'It's not impossible that a pre-play attack was what happened here. But, based on the information and evidence available, I'm not persuaded it is the more likely than not explanation.'

Again, this evidence has never been made available to Mr Williams, so he has not been able to stand it up to expert scrutiny.

Mr Williams has faced two years of hell since Barclays blamed him for being defrauded abroad. 'I was found grossly negligent or complicit in my own fraud and then I felt very vulnerable,' he told MailOnline.

Mr Williams said: 'I've been gaslit by the bank and the ombudsman.

'For a year, until I got into contact with the Mail and Ross I felt I was banging my head against a wall and going mad.

'You have a glaring mirror of foolishness held up to yourself which is quite dismaying, you wake up every morning thinking "how can I be so stupid?" 

'It overwhelmed me for months to write about things I had very little understanding of. It constantly left me with my heart racing and beating out of control for months and months.' 

'I felt I was going insane as nobody is helping me understand and they're telling me "you're at fault".

'Even the ombudsman's investigator said it was most likely that I was liable. The bank is denying something for their own agenda.' 

Prof Anderson says that under the Payment Services Regulations 2017, Barclays should repay Mr Williams even if the version of events presented by the FOS is accepted.

The rules say that a bank should refund a customer for transactions they did not authorise or consent to unless they acted with gross negligence or were attempting to defraud the bank.

The scientist said: 'If they accept that Henry was ripped off they should give him a complete refund as it's clearly fraud. It's clearly not right to debit the customer in such a circumstance.

'It's exactly the same as the Horizon Post Office scandal. If the bank knows about scams that can be done, for example, by mobile terminals, it's absolutely unconscionable that they want to debit the money.

'The bank has failed to make a case that Henry was grossly negligent, so he should get all of his money back.

'The correct conclusion to draw from that is that the bank's explanation isn't accurate and ombudsman is trained to rely on bank records and their explanation of the records. 

'Their explanation might be wrong but the people at the ombudsman presumably don't have the technical knowhow or confidence to challenge banks false explanation.' 




Marine Williams (foreground) taking a photo break with military colleagues in between disarming Argentinian forces at the Airfield in Port Stanley, the Falkland Islands, in 1982





Henry Williams as a serving Royal Marine, in Bickleigh, the home of the 42 Commando





Mr Williams during the British landings at San Carlos Bay, Falkland Islands in May 1982

Mr Williams did say the ombudsman has shown 'some sort of courage and integrity to find partially in my favour'.

But he was 'dismayed' that he was only awarded half of his money despite the 'rapid transactions were impossible to have practically and physically done', despite the ombudsman admitting they were highly irregular and 'nefarious'.

Mr Williams has now submitted further evidence to the ombudsman for review, arguing that he should be entitled to a full refund.

It is believed the FOS has never before acknowledged that scams involving compromised in chip and pin terminals are possible, so this first admission could open the floodgates for billions of pounds worth of claims from card fraud victims who were denied refunds.

A FOS spokesperson said: 'Being the victim of a fraud or scam can be a terrible experience, which is why we thoroughly investigate every case that comes to us.

'In recent years, we have upheld thousands of consumers' complaints, returning more than £150m to those who have been victims of fraud and scams.

'Our investigators are always fair and impartial. When investigating a case, they not only review all the available evidence but, where necessary, consult the relevant research, industry codes and good practice.

'We're absolutely committed to providing a service which people can use with confidence, and which resolves their complaints efficiently and without bias.'

The spokesperson initially said that a investigators would look at the possibility of fraud using tampered-with terminals - such as a pre play attack - if a customer were to raise it.

But when challenged they said that the service does not expect customers to raise every argument. 

The FOS spokesperson added: 'Fraudsters' tactics and use of technology is constantly evolving, which is why we consider a range of potential scenarios when determining a case.

'We look at the evidence and arguments presented by both sides, consider the latest fraud and scam techniques where appropriate, and reach a fair conclusion based on all the available facts. 

'We're absolutely committed to providing a service which people can use with confidence, and which resolves their complaints efficiently and without bias.'

A Barclays spokesperson told MailOnline: 'We work hard to protect our customers from fraud and scams, and invest in systems that help safeguard them from the latest emerging threats.

'This is a complex case that has been reviewed by the Financial Ombudsman Service. We are fully engaged with their investigation and are considering the Provisional Decision they have issued.

'As it is subject to review it would be inappropriate to comment further at this time.'