Fraudulent misuse of debit/credit cards

Sanguine Fan

A couple of months ago I was emailed by my bank with a query about several debit transactions on my current account. It turned out that my debit card details had been used without my knowledge to make payments to a number of well-known online retailers. This happened despite the card being in my possession at all times. Everything was refunded within a week, but I have been unable to find out from my bank how the fraud was perpetrated.

This week the same type of fraud took place - this time on my credit card account, which is with the same bank. Several large online transactions were made using the card details. Once again, the card was always in my possession.

I suspect if I enquire again the bank will ignore my request for more information. They have accepted liability and presumably passed the details onto the Garda. But it leaves me anxious about the security of my bank accounts.

The bank has told me that the card details could have been stolen in one of several ways. One of the online sites to which I made a payment in the past could have been hacked. Or the card details may have been skimmed through an ATM or sales terminal in a shop. A third possibility is that the sixteen-digit card number was generated randomly. (But surely they would also have to match the correct 3-digit security code on the back of the card before a transaction would be accepted?) I gather it is also possible that my computer has been infected with spyware which captured my bank details when I used them online.

The problem is that I have no idea how these two frauds happened, and therefore I don't know how to make sure it does not happen again.

If anyone has experienced something similar, I would be grateful for any insights you can offer.

Thank you.

coylemj

Have you considered something closer to home? Maybe someone has physically taken the cards from your wallet or purse and copied down the details. Which would point to a family member, flatmate or work colleague.

Sanguine Fan

coylemj wrote: »

Have you considered something closer to home? Maybe someone has physically taken the cards from your wallet or purse and copied down the details. Which would point to a family member, flatmate or work colleague.

Thanks, but given my circumstances that is not a realistic scenario.

I suspect my card details were stolen from a web site that has been hacked, quite possibly without their knowledge. I only ever use sites that are secure so maybe I was just unfortunate.

coylemj

Sanguine Fan wrote: »

Thanks, but given my circumstances that is not a realistic scenario.

I suspect my card details were stolen from a web site that has been hacked, quite possibly without their knowledge. I only ever use sites that are secure so maybe I was just unfortunate.

So what you are saying is this: in the past and obviously on different occasions you have used your credit card and debit card to purchase from a particular online retailer and now the details of both cards and the credit card CVV number has been hacked from their website?

That is highly unlikely.

Sanguine Fan

coylemj wrote: »

So what you are saying is this: in the past and obviously on different occasions you have used your credit card and debit card to purchase from a particular online retailer and now the details of both cards and the credit card CVV number has been hacked from their website?

That is highly unlikely.

I am not an expert - clearly you are. I was simply repeating a likely scenario as suggested by the bank.

Indeed, they also suggested that both the sixteen-digit card number and the three-digit security code could have been generated randomly by the fraudsters.

coylemj

Sanguine Fan wrote: »

I am not an expert - clearly you are. I was simply repeating a likely scenario as suggested by the bank.

Indeed, they also suggested that both the sixteen-digit card number and the three-digit security code could have been generated randomly by the fraudsters.

And having defied odds of 1,000 to 1 to correctly guess the CVV number, they also correctly guessed your name and carried out 'several large online transactions'?

That is not a 'likely scenario'.

Sanguine Fan

coylemj wrote: »

And having defied odds of 1,000 to 1 to correctly guess the CVV number, they also correctly guessed your name and carried out 'several large online transactions'?

That is not a 'likely scenario'.

I made the same point when that suggestion was made (although the genuine customer's name is not necessary apparently). The response was that the sites used by the fraudsters don't require the CVV number. I have never come across a commercial web site that does not ask for this three-digit code, so I have to take their word for that.

I am still not clear how this fraud happened. I can only assume that some legitimate site I used in the past was hacked and my credit card details stolen. Either that or an ATM or terminal I used was skimmed in some way.

If you have any other ideas I would be glad to hear them.

GerardKeating

coylemj wrote: »

And having defied odds of 1,000 to 1 to correctly guess the CVV number, they also correctly guessed your name and carried out 'several large online transactions'?

That is not a 'likely scenario'.

Depends if it was Visa or MasterCard.

Visa will shut a card down after 100 failed attempts, but MC do not, so this permits brute force attacks to guess the Card number and CVV2 code.

GerardKeating

Sanguine Fan wrote: »

A couple of months ago I was emailed by my bank with a query about several debit transactions on my current account. It turned out that my debit card details had been used without my knowledge to make payments to a number of well-known online retailers. This happened despite the card being in my possession at all times. Everything was refunded within a week, but I have been unable to find out from my bank how the fraud was perpetrated.

This week the same type of fraud took place - this time on my credit card account, which is with the same bank. Several large online transactions were made using the card details. Once again, the card was always in my possession.

I suspect if I enquire again the bank will ignore my request for more information. They have accepted liability and presumably passed the details onto the Garda. But it leaves me anxious about the security of my bank accounts.

The bank has told me that the card details could have been stolen in one of several ways. One of the online sites to which I made a payment in the past could have been hacked. Or the card details may have been skimmed through an ATM or sales terminal in a shop. A third possibility is that the sixteen-digit card number was generated randomly. (But surely they would also have to match the correct 3-digit security code on the back of the card before a transaction would be accepted?) I gather it is also possible that my computer has been infected with spyware which captured my bank details when I used them online.

The problem is that I have no idea how these two frauds happened, and therefore I don't know how to make sure it does not happen again.

If anyone has experienced something similar, I would be grateful for any insights you can offer.

Thank you.

Did you get the card numbers changed after the first fraud ??

Jim2007

Well first of all the bank has no way of identifying a fraudulent transaction at the time, that is kinda the point! All we can do is monitor for suspicious activity....

When it comes to websites it is of course possible that they get hacked, but at this stage most of them use a third party who is well protected to process transactions. If they do get hacked they usually are quick to detect it and inform you.

The chance of two of your cards be hacked within a short period and in both cases have the correct security code guessed is close to zero, unless there is a common factor and most often that will be someone in your circle. Sorry to say.

To protect yourself the best you can do is have the cards changed it you have not done so. Use paypal or a similar service to make payments where possible - these days even the pizza man accepts PayPal! You can also fund PayPal via a cash transfer if you wish. And finally be less trusting of those around you.

Sanguine Fan

GerardKeating wrote: »

Depends if it was Visa or MasterCard.

Visa will shut a card down after 100 failed attempts, but MC do not, so this permits brute force attacks to guess the Card number and CVV2 code.

Thanks, that makes sense as the card affected was Mastercard.

Sanguine Fan

GerardKeating wrote: »

Did you get the card numbers changed after the first fraud ??

Yes, the card was cancelled within hours of the fraudulent transactions. In the second case, which involved a credit rather than a debit card, the fraudulent transactions were rejected immediately by the bank. So, at least in my experience, credit cards are a more secure method than debit cards for online transactions.

Sanguine Fan

Jim2007 wrote: »

Well first of all the bank has no way of identifying a fraudulent transaction at the time, that is kinda the point! All we can do is monitor for suspicious activity....

When it comes to websites it is of course possible that they get hacked, but at this stage most of them use a third party who is well protected to process transactions. If they do get hacked they usually are quick to detect it and inform you.

The chance of two of your cards be hacked within a short period and in both cases have the correct security code guessed is close to zero, unless there is a common factor and most often that will be someone in your circle. Sorry to say.

To protect yourself the best you can do is have the cards changed it you have not done so. Use paypal or a similar service to make payments where possible - these days even the pizza man accepts PayPal! You can also fund PayPal via a cash transfer if you wish. And finally be less trusting of those around you.

I use PayPal whenever I can but many retail sites don't accept it. Thankfully, Ryanair now take PayPal so I hope others follow. I agree that it is much safer.

As for 'someone in your circle' being responsible for my recent difficulties, I can safely rule that out. So, if there is a common factor, it can really only be either the numbers were generated randomly, or a site or terminal I used in the past was hacked or skimmed.

In both instances the bank has been excellent and thank to their vigilance, the thieves got very little for their trouble.

Avatar MIA

Sanguine Fan wrote: »

In both instances the bank has been excellent and thank to their vigilance, the thieves got very little for their trouble.

That's key. I don't understand how you can expect the bank to be able to tell you how you compromised their account.

It happened to me once several years back. Someone in Toronto started taking cash out of my account, leeching a few hundred dollars a day for three days.

I contacted the bank and the card was cancelled immediately. The funds were refunded very quickly.

I rarely used the particular card and only used it at two physical locations within the previous few months. These details were passed to the Gardai.

Thankfully it hasn't happened since, but If it did I would not blame the bank for permanently cancelling my cards. I certainly never thought it was their fault for not being able to identify how the fraud was carried out.

GerardKeating

Sanguine Fan wrote: »

Yes, the card was cancelled within hours of the fraudulent transactions. In the second case, which involved a credit rather than a debit card, the fraudulent transactions were rejected immediately by the bank. So, at least in my experience, credit cards are a more secure method than debit cards for online transactions.

With Visa, there is little difference between Debit and Credit cards, sometimes the website/Merchant cannot always tell the difference, if they do not keep up to date with all the card Ranges.

Often a Bank cannot tell you what they know about the case, since any communication with you might become part of any legal case to follow.

Alun

GerardKeating wrote: »

Depends if it was Visa or MasterCard.

Visa will shut a card down after 100 failed attempts, but MC do not, so this permits brute force attacks to guess the Card number and CVV2 code.

I thought it was the other way round?

From http://www.pcworld.com/article/3145621/security/distributed-guessing-attack-lets-hackers-verify-visa-card-details.html

The title of their paper asked the question: "Does The Online Card Payment Landscape Unwittingly Facilitate Fraud?"
Their answer is emphatically yes -- at least for Visa cards, for which they were able to submit sufficient requests to obtain the missing values.
MasterCard's centralized payment network, on the other hand, detected their attack on a card account after fewer than 10 authorization attempts.

OCEANIC FIZZY POP NINE

Jim2007 wrote: »

Well first of all the bank has no way of identifying a fraudulent transaction at the time, that is kinda the point! All we can do is monitor for suspicious activity....

When it comes to websites it is of course possible that they get hacked, but at this stage most of them use a third party who is well protected to process transactions. If they do get hacked they usually are quick to detect it and inform you.

The chance of two of your cards be hacked within a short period and in both cases have the correct security code guessed is close to zero, unless there is a common factor and most often that will be someone in your circle. Sorry to say.

To protect yourself the best you can do is have the cards changed it you have not done so. Use paypal or a similar service to make payments where possible - these days even the pizza man accepts PayPal! You can also fund PayPal via a cash transfer if you wish. And finally be less trusting of those around you.

My card was compromised a little while ago, the details could only have been taken from a pick of 4 very large sites, none of which have come out and said they'd been hacked. It was the only places the card was used, none of them accept paypal.

Anyway, this sneaky SOB starting taking small amounts every couple of weeks, you nearly wouldn't notice. Spotted it anyway, rang the bank, they confirmed it was fraud and gave it back that day. But this sneaky SOB also set up flipping guest accounts on Paypal (How the hell do they let that happen?) and was off buying stuff with them aswell, this money has been a pain to get back. Paypal are sending me to the bank and the bank are sending me back to paypal.

GerardKeating

Alun wrote: »

I thought it was the other way round?

From http://www.pcworld.com/article/3145621/security/distributed-guessing-attack-lets-hackers-verify-visa-card-details.html

You are correct, I mis-remembered the article.

Walter2016

The first thing you need to know is that using your card on a secure site is far far safer than using it in physical stores.

People have misplaced thinking that any card fraud must be due to malware or hacking.

Larger retailers keep all your card details on file for a minimum of six months (they have to). All you need to do is to get access to this electronic file and you have name, expiry date and card number. You don't have cvv or pin number.

The biggest recent hack was Oracle who provide the payment software to 300,000 retail locations including ikea, clarks, burger king and hundreds more.
https://krebsonsecurity.com/2016/08/data-breach-at-oracles-micros-point-of-sale-division/

Forget about the bank finding out. Its needle in haystack stuff. Just be thankful that you don't bear the cost.

Sanguine Fan

Avatar MIA wrote: »

I don't understand how you can expect the bank to be able to tell you how you compromised their account.

I don't expect the bank to tell me how the fraud took place. (And aren't you making a big assumption that it occurred because I 'compromised their account'.) I realise the bank is unlikely to spell out in detail how such crimes are committed for fear of educating potential fraudsters. But I was hoping that others with a similar experience might be able to throw some light on how their bank accounts were targeted.

If my house was burgled I would make sure it did not happen again, firstly by finding out how they got in, and then by tightening security in whatever way was necessary. In relation to my recent experience of cyber crime, I am still at the first step. I am also satisfied that currently I take every reasonable step to protect my bank account, so how the thieves managed to get their hands on my card numbers puzzles me.

Sanguine Fan

Thanks Alun for the link to that article - very insightful and informative. Here is what I learnt from it:

• Fraudsters need a valid sixteen-digit card number to begin the process. They obtain this through breaching an online site or by skimming a card at point of sale or ATM.
• There are web sites that can provide information about a valid card number, e.g. issuing bank, thus making it easier for the fraudsters to guess the other details they need to successfully complete an online transaction.
• The real danger of these attacks is not that fraudsters can buy stuff online, but that they can have money transferred from the victim's account to an account in another country where a member of the gang is standing by to withdraw the proceeds in cash. This process can take as little as 27 minutes from start to finish!
• Most sites surveyed in the article do not use 3D Secure to verify payments. The 3D Secure system makes fraud of this type virtually impossible. However, it also lengthens and complicates the payment process causing some potential purchasers to drop out at this stage thereby hitting retailer sales.
• Fraudsters exploit the lack of co-ordination and consistency of practice among both retailers and banks. There is a need for the two industries to get their act together and agree common security standards. Ordinary card-holders can push them by choosing only the most secure cards and sites.
• Mastercard came out ahead of Visa as being much more secure in the tests carried out by the authors.

The article does not go into detail about how the new contactless payment system facilitates fraud. But another article I read suggests that a criminal with the necessary equipment can obtain the card number from six inches away, even when the card is in someone's pocket or wallet!

Based on what I have read I will now be avoiding contactless terminals in shops. I will also look into how I can protect my cards when they in my wallet. Finally I will only use Mastercard online, and then only in sites that have 3D Secure.

It seems to me now that both card issuers and retailers accept cyber crime as a business cost which they presumably build into the price charged to the customer. They are facilitated by the likelihood that most victims of card fraud are so glad to get their money back that they don't bother too much about how it was stolen in the first place.

It's been an education. Many thanks again Alun.