An Ontario woman says she is out thousands of dollars after her bank blamed her for two unauthorized withdrawals from her account, despite surveillance photos that show another person taking the cash right under the noses of RBC tellers.

Cleopatra Evelyn-Clark worries the chip and PIN technology — used to secure billions of debit and credit card transactions in Canada every year — isn't as safe as banks say after losing more than $6,600 to a fraudster who, according to the bank, used her debit card and PIN to steal the money.

RBC's investigation found Evelyn-Clark was to blame, insisting she must have shared her card and PIN with someone.

"The whole thing is a little bit ridiculous. At no time did I give anyone my card or my PIN. I was in possession of my card during both transactions," Evelyn-Clark said.

"There seems to be no protection for the consumer here," she said. "It just seems they're all about their profit and not about protecting consumers at all."

An expert in consumer protection says there's a "power imbalance" between financial institutions and customers that allows banks to write their own rules, run their own investigations, and determine the results without any obligation to provide proof.


"They are flipping the burden of proof back to the customer … [chip and PIN] transactions are not foolproof," says John Lawford, executive director of the Public Interest Advocacy Centre (PIAC), which provides legal and research services on behalf of consumer interests.

In December 2018, a woman walked into an RBC branch in Montreal, where Evelyn-Clark lived at the time, and made two withdrawals from her savings account within two days, for $3,000 and $3,650.

The tellers didn't ask for identification. The bank says they didn't need to because the PIN was used.

But when Evelyn-Clark asked for proof that her PIN was used and to see the surveillance photos to try to identify the thief, she says the bank refused.

In an email to Go Public, RBC spokesperson A.J. Goodman said the bank explained its decision to Evelyn-Clark, adding that it reviews potential fraud and unauthorized transactions "on a case-by-case basis, considering all relevant facts before making a decision."

RBC told Evelyn-Clark the only way she could see the photos was through police, so she filed a report.

But it was only after Go Public got involved that police investigators requested the surveillance images from the bank, and allowed Evelyn-Clark to finally see them — more than six months after she first asked to see the images.

Cleo Evelyn-Clark says she lost more than $6,500 to a fraudster who made two withdrawals from her RBC account in December 2018. (Dave St-Amant/CBC)

The photos show a woman making the withdrawals at the teller counter, but Evelyn-Clark says she has no idea who that person is.

"I didn't withdraw the money. All I would like from the bank is for them to reimburse me the money that has been stolen from me," she said.

Police told her they're still hoping to identify the other woman. Go Public asked RBC for a copy of the photos but it refused.

'We don't steal. We don't cheat'

Similarly, a Langley, B.C., couple was held responsible for $4,360 after their Visa was stolen in Mexico in May. CIBC said Carol and Bill Pitts were on the hook for the losses because the four transactions were made with their card and correct PIN.

"They were basically badgering me and accusing me of having my PIN written down or giving it out," Carol told Go Public.

"That's totally not the case. I'm an office manager for a huge corporation. I know password security."

The couple says they reported the card stolen the same day Carol noticed it missing from her wallet, two days after the fraudulent charges started. They were at an all-inclusive resort and hadn't been using the Visa.

John Lawford of the Public Interest Advocacy Centre says the banks determine the results of their own fraud investigations without any obligation to show their evidence to anyone. (Andrew Lee/CBC)

The bank eventually offered the couple $1,000 as a goodwill gesture, but the Pitts say that's not good enough and have escalated their case to CIBC's ombudsman.

"I'm angry because [the bank] accused us of lying or being a fool. We're neither," Bill says.

"We don't steal. We don't cheat. So to have this go sideways and have the bank turn around and say it's our fault with no follow up, it gets me pretty angry."

Like Evelyn-Clark, the Pitts say they asked the bank for proof their PIN was used, but were refused. They also couldn't get any information on how the bank investigated.

CIBC said it worked with them on the matter and is now waiting for the ombudsman's decision.

While on vacation in Mexico in May, Bill Pitts and his wife Carol Pitts found out their CIBC Visa card was missing and $4,360 in charges had been racked up. (Submitted by Carol Pitts)

"We thoroughly investigate fraud claims and take all relevant factors into account," wrote CIBC spokesperson Trish Tervit in an email to Go Public.

Tervit said victims of credit card fraud at CIBC are fully reimbursed if "they've met all of their requirements in the cardholder agreement."

CIBC didn't answer Go Public's questions about the security of the chip-and-PIN system.

RBC says chip-and-PIN cards are secure and, to date, the bank "hasn't seen a case where a chip card was counterfeited and used in conjunction with a valid PIN."

'Fundamental flaw'

It's not clear what exactly happened in either case. But cybersecurity expert Claudiu Popa says there's a "fundamental flaw" in the technology that allows fraudsters to trick ATMs and point-of-sale (POS) terminals into thinking the right card and PIN were used.

"People who adequately protect their PINs are still at risk of having their transactions compromised," said Popa, who is a risk adviser at Informatica, a data protection company.

He points to research out of Cambridge University that found fraudsters are getting around chip-and-PIN security either through shimming — when a thin, card-sized circuit board is secretly inserted into the card slot in order to clone cards, while a tiny camera is used to record the PIN — or by installing malware into the terminals so the machines think the right PIN is being used.

It's not clear how often those things happen, but the authors of the 2015 study say compromised chip-and-PIN systems could "reach a massive scale."

RBC says chip-and-PIN enabled cards are secure and, to date, the bank hasn't seen a case where a chip card was counterfeited and used with a valid PIN. (Mark Blinch/Reuters)

Popa says it doesn't matter whether someone had stolen Evelyn-Clark's PIN. "They might have been able to enter just any PIN and the chip on the card would have said that it's a legitimate PIN," he said.

There is no way to know if Evelyn-Clark's card was cloned or if there is another reason for the withdrawals. RBC isn't offering details on its investigation.

In the Pitts's case, there is another possibility. A Mexican mobile payment system called Sr. Pago doesn't always require a PIN — only a signature.

Interac, the company behind debit cards, says Canadians lost $4.4 million to debit card fraud that year, a record low according to the company.

Cybersecurity expert Claudiu Popa says keeping your PIN safe is no guarantee your chip-and-PIN enabled debit or credit card won't be compromised. (Yanjun Li/CBC)

PIN rule ignored

There is some protection for customers under the Canadian Code of Practice for Consumer Debit Card Services, but it doesn't apply to credit cards.

The voluntary code addresses the power imbalance between banks and customers when it comes to fraud investigations, according to John Lawford of PIAC, and puts the onus on banks to prove customers are to blame. If they can't, financial institutions need to err on the side of the customer.

"The bank can't just say 'Oh we have the correct chip and the correct PIN therefore you're liable.' That's not the way the rules are written," he says.

"The rules say if the customer disputes the charge it's up to the bank to show that the PIN was compromised or that the customer was somehow negligent."

All the major banks have agreed to follow the code, but often ignore it in favour of cardholder agreements that give them a lot of leeway with their investigations, Lawford says.

The agreements say if someone is careless with the PIN, or chooses a PIN that's easy to guess, they are liable for losses.

RBC says it followed the code when it investigated Evelyn-Clark's case.

Promised protection falls short

Legislation that was meant to better protect bank customers passed last June, but the section of Bill C-86 related to unauthorized transactions was put on hold.

The law would have limited customer liability to $50 for unauthorized credit card transactions unless the cardholder demonstrated "gross negligence in safeguarding the credit card."

Lawford says the section wasn't put into force because banks wanted more time to negotiate terms with the government before it was implemented.

But while C-86 addresses credit card fraud, it offers no protection for debit card holders. Both the Pitts and Evelyn-Clark say better protection is what's needed.

The Pitts are waiting to hear what CIBC's ombudservice decides. "We assumed that we'd be protected," Bill said.

Carol added they "just want to bring this to the general public, because people need to know that they are not protected."

Evelyn-Clark says she has now lost faith in the system and has hired a lawyer, hoping to get at least some of her money back.
