Status of “device IDs” in fraudulent transactions
I have been talking to somebody who claims to have recently been the victim of a number of fraudulent online transactions made on their debit card totalling approximately £900. The card itself had not left their possession, and the purchases (mostly on Sainsbury’s online) only needed the name on the card as well as the number and expiry date. No CVV or postal address was asked for.
The bank has informed them that their systems showed the “device ID” was the same for the disputed transactions compared to that of previous undisputed ones. So the bank are not offering compensation.
I’ve not heard of the device ID this being used by banks in this way. To what extent are such IDs reliable proof of identification over time?
I have meanwhile told them it may be worth filing a SAR for device IDs from the bank for both the disputed and undisputed transactions as I believe they now count under GDPR PII. It seems to me that at the very least the bank should offer some evidence for their assertion!