Widespread credit card fraud or bizarre coincidence?
May 24, 2009 2:22 PM Subscribe
Both my daughter and I have fraudulent charges at the same online poker site on our credit cards. Is this happening to lots of people or is it a weird coincidence?
I checked my online account last week and discovered a $700+ charge to FullTiltPoker. I've never played online poker or even been to the site. I called Citi Mastercard and they have canceled the card and are sending me documents to sign that the charges aren't mine (there were two other pending charges; total of about $2500).
My daughter was checking her account yesterday and had two charges on her account for the same site. She also has a Citi Mastercard, but it's not shared (or even the same type - mine is a rewards card and hers isn't).
Neither of us had lost our cards. My daughter keeps her statements and I shred mine so the information is not being stolen from the garbage or recycling. They told me at Citi that someone could have hacked into a merchant's computer system where I had used my card. I doubt my daughter and I have used our cards at the same merchant recently. The odds of this happening to the two of us at virtually the same time seem pretty huge unless it's happening to tons of people. Is it widespread? Has this happened to anyone else recently?
I checked my online account last week and discovered a $700+ charge to FullTiltPoker. I've never played online poker or even been to the site. I called Citi Mastercard and they have canceled the card and are sending me documents to sign that the charges aren't mine (there were two other pending charges; total of about $2500).
My daughter was checking her account yesterday and had two charges on her account for the same site. She also has a Citi Mastercard, but it's not shared (or even the same type - mine is a rewards card and hers isn't).
Neither of us had lost our cards. My daughter keeps her statements and I shred mine so the information is not being stolen from the garbage or recycling. They told me at Citi that someone could have hacked into a merchant's computer system where I had used my card. I doubt my daughter and I have used our cards at the same merchant recently. The odds of this happening to the two of us at virtually the same time seem pretty huge unless it's happening to tons of people. Is it widespread? Has this happened to anyone else recently?
I don't think this is a matter of something widespread: Likewise I don't think it's coincidence. You should consider whether there's someone in your house who's been using the cards.
Checking the internet history and cookies on all the computers would be a first step.
posted by dunkadunc at 2:37 PM on May 24, 2009
Checking the internet history and cookies on all the computers would be a first step.
posted by dunkadunc at 2:37 PM on May 24, 2009
Response by poster: Thanks for the thoughts but that's the thing ... I don't believe it is anyone in the household. It's all family members and I have absolutely no reason to think that any of them may be the cause.
posted by nelvana at 3:04 PM on May 24, 2009
posted by nelvana at 3:04 PM on May 24, 2009
Do you share a computer? If you do, you might want to scan it for malware and viruses. Actually it's probably a good idea even if you haven't used the same computer.
posted by rdr at 3:11 PM on May 24, 2009
posted by rdr at 3:11 PM on May 24, 2009
Having been through this a couple times, and given the brief details here, it seems extremely likely that someone with access to your home, car or some place that you and your daughter think of as secure has been stealing the information. More telling than the fact that both of you were ripped off is the fact that (as far as your story suggests), there was only one suspect charge and it was to the same place. The last time mine was stolen, someone had charged a dozen things to a dozen places as quickly as possible before the company shut the card down. My wife had almost the same story ten years ago. Having one and only one charge and to one place suggests someone hoping (very wrongly, obviously) to sneak something through undetected. That it's a gambling site suggests compulsive risk-taking behavior, but now I'm telling you things you've thought, no doubt.
Having dealt with a larger fraud charge in the past, you may find the card company is more aggressive about investigating the charges that you would assume. They were in my case some time ago, and with the banks feeling the pinch lately, I suspect they won't feel like writing it off. Those charges are online, so they will have an IP address associated with them, making it relatively easy for the fraud department to track them. Don't be surprised if the IP address belongs to someone you know, or is even in your house.
posted by el_lupino at 3:12 PM on May 24, 2009
Having dealt with a larger fraud charge in the past, you may find the card company is more aggressive about investigating the charges that you would assume. They were in my case some time ago, and with the banks feeling the pinch lately, I suspect they won't feel like writing it off. Those charges are online, so they will have an IP address associated with them, making it relatively easy for the fraud department to track them. Don't be surprised if the IP address belongs to someone you know, or is even in your house.
posted by el_lupino at 3:12 PM on May 24, 2009
Response by poster: el_lupino, my card had only three fraudulent charges at two different online gambling sites. My daughter's one fraudulent charge was at one of the same gambling sites. I will be surprised (shocked even) if the investigation leads to our house, but I hope they are able to track down the person responsible using an IP address. You are right though that it doesn't seem to be what I would think of as typical credit card number theft activity.
And rdr thanks for the scanning suggestion. I've just finished scanning with Spybot and there were only some advertising cookies. We have a router (with a decent password) and my daughter's laptop connection is wireless but mine is wired. I have other credit cards and do lots of personal & business banking online so security is a concern. It seems so odd that it's only the one card - I've checked everything else - which makes me think it's not related to our computers or network.
posted by nelvana at 4:22 PM on May 24, 2009
And rdr thanks for the scanning suggestion. I've just finished scanning with Spybot and there were only some advertising cookies. We have a router (with a decent password) and my daughter's laptop connection is wireless but mine is wired. I have other credit cards and do lots of personal & business banking online so security is a concern. It seems so odd that it's only the one card - I've checked everything else - which makes me think it's not related to our computers or network.
posted by nelvana at 4:22 PM on May 24, 2009
How about this - is there some place where both you and your daughter use your credit cards that might have had a security breach? That way both of your card numbers might have been sold in the same batch by an identity thief and thus been bought by the same person, whoever is putting the fraudulent charges on.
posted by XMLicious at 5:13 PM on May 24, 2009 [1 favorite]
posted by XMLicious at 5:13 PM on May 24, 2009 [1 favorite]
You might want to look into that wireless connection a bit more. The default wireless settings are almost always totally insecure. Make sure you are using WPA2 encryption on that thing (not WEP) and change the password. Make sure the password is actually hard to guess.
posted by chairface at 6:50 PM on May 24, 2009 [1 favorite]
posted by chairface at 6:50 PM on May 24, 2009 [1 favorite]
I think XMLicious is on the right track. Sift through your statements and think it out. Where have the cards both been? A restaurant or local store? Gas station? ATM? Hotel?
Two frauds to similar accounts in the same family at the same time is too much of a coincidence.
posted by JuiceBoxHero at 7:34 PM on May 24, 2009
Two frauds to similar accounts in the same family at the same time is too much of a coincidence.
posted by JuiceBoxHero at 7:34 PM on May 24, 2009
I think XMLicious may be right as well. A few years back, I had found several bogus charges on my bank card. The source eventually led back to the employee of a restaurant that I would often receive delivery service from(I gave my CC# over the phone).
posted by zerokey at 8:13 PM on May 24, 2009
posted by zerokey at 8:13 PM on May 24, 2009
Years and years spent with accounts at various banks, and no fraudulent charges.
Then my wife and I move to a new bank, and within three months:
- My new card never comes, and is caught being used fraudulently by the Visa fraud detection people;
- My replacement card comes, but shortly after the Visa fraud detection people call to verify I'm not traveling, as they're watching the card being used simultaneously in several airports across the globe;
- My wife's card gets a bunch of fraudulent charges on it at a local retailer, one she's never been to, and the card's still in her possession.
We pull our accounts out of that bank, and nearly ten years later we haven't had any more fraud issues with any of our cards.
My point being, if it isn't obvious, that you're both using Citi cards (presumably from the same bank branch, or at least two branches that get their cards generated out of the same facility) and someone's lifting the numbers to go online gambling. That's where I'd place my bet, anyway.
posted by davejay at 8:43 PM on May 24, 2009
Then my wife and I move to a new bank, and within three months:
- My new card never comes, and is caught being used fraudulently by the Visa fraud detection people;
- My replacement card comes, but shortly after the Visa fraud detection people call to verify I'm not traveling, as they're watching the card being used simultaneously in several airports across the globe;
- My wife's card gets a bunch of fraudulent charges on it at a local retailer, one she's never been to, and the card's still in her possession.
We pull our accounts out of that bank, and nearly ten years later we haven't had any more fraud issues with any of our cards.
My point being, if it isn't obvious, that you're both using Citi cards (presumably from the same bank branch, or at least two branches that get their cards generated out of the same facility) and someone's lifting the numbers to go online gambling. That's where I'd place my bet, anyway.
posted by davejay at 8:43 PM on May 24, 2009
Response by poster: chairface yeah, I was a little leery of wireless when we got the router so made sure to set it up with WPA2 and picked a password that makes little sense. We'll change it just in case.
XMLicious I also thought of this but we generally shop at different stores (I buy groceries, books, fitness classes & household stuff; she buys clothes, fast food and makeup etc). I got her to check my last few statements and she said none of them are the same vendors. I wish it was as easy as being able to pinpoint a common store.
That's why I posted this question because everything I thought of didn't seem to lead anywhere. I was hoping to hear that lots of Citi customers were experiencing the same thing (ie. the problem was with Citi). Judging from the lack of that type of response, it doesn't seem to be the case.
I appreciate the thoughtful responses. If anyone else has any ideas, I'd be happy to hear them. Otherwise I guess I'll wait to see what Citi uncovers. I'll update the thread if I find out what happened.
On preview, davejay we both got the cards online. I'm in Canada and I don't think Citi has branches here or at least in my city. I got my card about a year ago and she had hers before then. Citi must have millions of customers which is why it would seem to be a huge coincidence for both of our numbers to be used this way at virtually the same time. Again, I was thinking there may have been a widespread problem for that to have happened.
posted by nelvana at 9:07 PM on May 24, 2009
XMLicious I also thought of this but we generally shop at different stores (I buy groceries, books, fitness classes & household stuff; she buys clothes, fast food and makeup etc). I got her to check my last few statements and she said none of them are the same vendors. I wish it was as easy as being able to pinpoint a common store.
That's why I posted this question because everything I thought of didn't seem to lead anywhere. I was hoping to hear that lots of Citi customers were experiencing the same thing (ie. the problem was with Citi). Judging from the lack of that type of response, it doesn't seem to be the case.
I appreciate the thoughtful responses. If anyone else has any ideas, I'd be happy to hear them. Otherwise I guess I'll wait to see what Citi uncovers. I'll update the thread if I find out what happened.
On preview, davejay we both got the cards online. I'm in Canada and I don't think Citi has branches here or at least in my city. I got my card about a year ago and she had hers before then. Citi must have millions of customers which is why it would seem to be a huge coincidence for both of our numbers to be used this way at virtually the same time. Again, I was thinking there may have been a widespread problem for that to have happened.
posted by nelvana at 9:07 PM on May 24, 2009
Response by poster: ha davejay, I missed the "place my bet" comment until I re-read your comment. :)
I may end up not using the replacement Citi card when I get it but I really liked the 2% reward!
posted by nelvana at 9:14 PM on May 24, 2009
I may end up not using the replacement Citi card when I get it but I really liked the 2% reward!
posted by nelvana at 9:14 PM on May 24, 2009
Do your cards have RFID chips? It's possible that you and your daughter were out together and compromised at the same place.
This video demonstrates how easy it is to hack these types of cards. If your cards do have RFID, you can either bash the chip flat with a hammer to disable it or simply request a new card from your card issuer.
posted by LuckySeven~ at 9:04 AM on May 25, 2009
This video demonstrates how easy it is to hack these types of cards. If your cards do have RFID, you can either bash the chip flat with a hammer to disable it or simply request a new card from your card issuer.
posted by LuckySeven~ at 9:04 AM on May 25, 2009
It could have been a data breach, as I heard someone call it, at Citi or one of their contractors. I've gotten 4 new credit cards in the last year because of some leak or another and the latest was from Citi.
posted by fiercekitten at 9:18 AM on May 26, 2009
posted by fiercekitten at 9:18 AM on May 26, 2009
Being an online poker player myself... These sites don't allow you to charge a credit card without having all of the info. I.E. Your account #, your CVV CODE (3 numbers on back of card), the Expiration date, and here's the kicker... The Billing address of your credit card must match the Address associated with your account.
So just to clarify, in order for the perpetrator to charge your card, he would've had to make a whole new account under your name,address, etc. Then this same account could've also been been used to be charge your daughter's card.. that is if you both have the same mailing address.
So it seems more likely to me, as people have said before, it is somebody you know.
Also on a side note.. most credit card companies do not allow business with the banks the poker sites use. Normally they can't catch it the first time but be sure, I know through a lot of experience, the next time you try to use the same credit card, DENIED. So who's credit card was used first yours or your daughter's? I bet one was used and then they tried to use it again and got denied then they were able to have access to the other card....
Just my 2 cents..
posted by cheechman85 at 11:37 AM on May 26, 2009
So just to clarify, in order for the perpetrator to charge your card, he would've had to make a whole new account under your name,address, etc. Then this same account could've also been been used to be charge your daughter's card.. that is if you both have the same mailing address.
So it seems more likely to me, as people have said before, it is somebody you know.
Also on a side note.. most credit card companies do not allow business with the banks the poker sites use. Normally they can't catch it the first time but be sure, I know through a lot of experience, the next time you try to use the same credit card, DENIED. So who's credit card was used first yours or your daughter's? I bet one was used and then they tried to use it again and got denied then they were able to have access to the other card....
Just my 2 cents..
posted by cheechman85 at 11:37 AM on May 26, 2009
Response by poster: Our cards don't have RFID chips but thanks for the link to the video - that's quite scary.
cheechman85, thanks for that information. My credit card was used first and then 6 days later they used it again - twice actually in the same day. I believe hers was used in between the charges on my card. The person at Citi said that it was likely the online poker site didn't have good security. I assumed she meant that they didn't require the CVV code or billing address but from what you say, she's wrong about that. My card definitely didn't leave my possession so it would have been difficulty for someone to get the CVV number.
I appreciate all the comments. I am certain it's not someone in the house but more likely a problem at Citi. None of my other cards have been touched and they have higher limits. If it was someone with physical access to my cards, I assume they would have used more than just this one. Citi has put through a temporary credit for all the charges on my card.
If anyone's interested, I will update the thread when and if I find out how it happened.
posted by nelvana at 7:53 PM on May 27, 2009
cheechman85, thanks for that information. My credit card was used first and then 6 days later they used it again - twice actually in the same day. I believe hers was used in between the charges on my card. The person at Citi said that it was likely the online poker site didn't have good security. I assumed she meant that they didn't require the CVV code or billing address but from what you say, she's wrong about that. My card definitely didn't leave my possession so it would have been difficulty for someone to get the CVV number.
I appreciate all the comments. I am certain it's not someone in the house but more likely a problem at Citi. None of my other cards have been touched and they have higher limits. If it was someone with physical access to my cards, I assume they would have used more than just this one. Citi has put through a temporary credit for all the charges on my card.
If anyone's interested, I will update the thread when and if I find out how it happened.
posted by nelvana at 7:53 PM on May 27, 2009
Im in for the update too please...
posted by cheechman85 at 7:31 AM on June 5, 2009
posted by cheechman85 at 7:31 AM on June 5, 2009
Response by poster: Well, there's not much to report. So far there's still temporary credits on my account for the fraudulent charges. I received a form that I had to fill out and return stating that I didn't make the charges/give my number to anyone/allow anyone else to use the card. I faxed that to Citi earlier this week. No one has contacted me other than that letter. None of my other cards have been touched.
My daughter also received her new card. The last I asked (a couple of days ago) she still hadn't seen a credit on her account although I assume it's coming.
I'm pretty convinced at this point that the problem originated at Citi. If someone had physical access to that one card, they would have had access to my other 3 or 4 non-Citi cards (I don't carry a balance on any of them but use them for different purposes/rewards). Either someone gained access to a merchant's files where I used the card (although my daughter hasn't used hers at any of the same places so that doesn't seem to make sense) or it was that someone who has access to Citi's records.
Stay tuned!
posted by nelvana at 9:16 PM on June 5, 2009
My daughter also received her new card. The last I asked (a couple of days ago) she still hadn't seen a credit on her account although I assume it's coming.
I'm pretty convinced at this point that the problem originated at Citi. If someone had physical access to that one card, they would have had access to my other 3 or 4 non-Citi cards (I don't carry a balance on any of them but use them for different purposes/rewards). Either someone gained access to a merchant's files where I used the card (although my daughter hasn't used hers at any of the same places so that doesn't seem to make sense) or it was that someone who has access to Citi's records.
Stay tuned!
posted by nelvana at 9:16 PM on June 5, 2009
Thanks for the follow up!!!
posted by cheechman85 at 11:15 AM on June 8, 2009
posted by cheechman85 at 11:15 AM on June 8, 2009
This thread is closed to new comments.
posted by Zé Pequeno at 2:30 PM on May 24, 2009 [10 favorites]