I am impressed you stole from me so efficiently
December 19, 2015 12:46 PM Subscribe
Fraudulent charges were made to my debit card. In the end my bank has taken the hit and refunded all the stolen money. However, I’d like to understand how it happened.
When a charge is made via my debit card I receive immediate email confirmation. Last night I received two messages about charges, neither of which I had made. The emails arrived within eight minutes of each other. One charge was made at a Walmart, the other at Winn-Dixie Supermarket, both in Hialeah, Florida.
I immediately got on the phone to call the bank. About a half hour later, while the bank had me on hold, two more charges were made at different retailers also in Hialeah FL, again within minutes of each other. The next two charges came very close to cleaning out the account. This makes me think that they knew how much was in there.
I’d like to understand how the crooks did this. Sadly (because I’m beginning to think that there can be good money in it) IANAC, but I am trying to work through this.
Here are my suppositions:
1- There were two of them. They each hit a local store at approximately the same time, and purchased money orders. (They guy from the bank told me that they probably purchased money orders)
2- They had my pin and my card number, and counterfeited cards which they presented to the retailers. This particular bank has not yet updated to cards with chips.
3- Then they went to the next stores, and did the same thing.
If these suppositions are not likely, or if there are other ways they could have pulled this off, I’d like to know.
Additionally:
1- How did they know how much money I had in the account? I use a very tight password to log into the bank account online (that I have since changed).
2- Do retailers not ask for identification before issuing money orders? Do the retailers who issue money orders to crooks have anything to lose?
3- Anything else I should know about how I ended up in the middle of this, or how I might be more careful moving forward?
When a charge is made via my debit card I receive immediate email confirmation. Last night I received two messages about charges, neither of which I had made. The emails arrived within eight minutes of each other. One charge was made at a Walmart, the other at Winn-Dixie Supermarket, both in Hialeah, Florida.
I immediately got on the phone to call the bank. About a half hour later, while the bank had me on hold, two more charges were made at different retailers also in Hialeah FL, again within minutes of each other. The next two charges came very close to cleaning out the account. This makes me think that they knew how much was in there.
I’d like to understand how the crooks did this. Sadly (because I’m beginning to think that there can be good money in it) IANAC, but I am trying to work through this.
Here are my suppositions:
1- There were two of them. They each hit a local store at approximately the same time, and purchased money orders. (They guy from the bank told me that they probably purchased money orders)
2- They had my pin and my card number, and counterfeited cards which they presented to the retailers. This particular bank has not yet updated to cards with chips.
3- Then they went to the next stores, and did the same thing.
If these suppositions are not likely, or if there are other ways they could have pulled this off, I’d like to know.
Additionally:
1- How did they know how much money I had in the account? I use a very tight password to log into the bank account online (that I have since changed).
2- Do retailers not ask for identification before issuing money orders? Do the retailers who issue money orders to crooks have anything to lose?
3- Anything else I should know about how I ended up in the middle of this, or how I might be more careful moving forward?
How did they know how much money I had in the account?
Two possibilities: If they stole your PIN, any ATM will tell them. If they didn't (or aren't that bright), they don't know and are just guessing.
Do retailers not ask for identification before issuing money orders?
Some do, some don't. That said, how do you know the person doing the fraud doesn't have a friend behind the counter?
Do the retailers who issue money orders to crooks have anything to lose?
Most merchants will get hit with a $25 chargeback fee and an increased possibility of losing their merchant account or have longer hold periods on deposits from credit card payments. In the case of Wal-Mart, nothing will ever shut down that merchant account. Ever.
Related to that: ...my bank has taken the hit...
Nope, your bank didn't take the hit. It charged the transaction back to the merchant account of whatever merchant was foolish enough to take the card. The merchant is out the money (or the merchant's bank, depending on agreements on that end to which you are not privy).
Anything else I should know about how I ended up in the middle of this, or how I might be more careful moving forward?
Welcome to the wonderful world of being able to move money with hardly any form of authentication or verification. Chip-and-PIN would prevent the duplicate-card fraud you experienced but banks here don't want to widely roll that out.
Don't use your card at shady-looking ATMs or point-of-sale terminals or automated gas pumps without security stickers (and even the sticker is no guarantee; guess what else crooks can steal?). Cover your hand while you enter your PIN anywhere. Do what you already do, which is monitor your transactions and have a healthy password. Do not reuse that password anywhere.
If you want to go whole hog, change financial institutions to one that issues its plastic cards with chip-and-PIN. (First Tech Federal Credit Union is one, UN Federal is another.) This won't eliminate all forms of plastic card fraud you can experience, nor will it stop it at merchants that still accept swipe-to-pay, but it can limit it. It's up to you whether you want to go that far.
posted by fireoyster at 1:04 PM on December 19, 2015
Two possibilities: If they stole your PIN, any ATM will tell them. If they didn't (or aren't that bright), they don't know and are just guessing.
Do retailers not ask for identification before issuing money orders?
Some do, some don't. That said, how do you know the person doing the fraud doesn't have a friend behind the counter?
Do the retailers who issue money orders to crooks have anything to lose?
Most merchants will get hit with a $25 chargeback fee and an increased possibility of losing their merchant account or have longer hold periods on deposits from credit card payments. In the case of Wal-Mart, nothing will ever shut down that merchant account. Ever.
Related to that: ...my bank has taken the hit...
Nope, your bank didn't take the hit. It charged the transaction back to the merchant account of whatever merchant was foolish enough to take the card. The merchant is out the money (or the merchant's bank, depending on agreements on that end to which you are not privy).
Anything else I should know about how I ended up in the middle of this, or how I might be more careful moving forward?
Welcome to the wonderful world of being able to move money with hardly any form of authentication or verification. Chip-and-PIN would prevent the duplicate-card fraud you experienced but banks here don't want to widely roll that out.
Don't use your card at shady-looking ATMs or point-of-sale terminals or automated gas pumps without security stickers (and even the sticker is no guarantee; guess what else crooks can steal?). Cover your hand while you enter your PIN anywhere. Do what you already do, which is monitor your transactions and have a healthy password. Do not reuse that password anywhere.
If you want to go whole hog, change financial institutions to one that issues its plastic cards with chip-and-PIN. (First Tech Federal Credit Union is one, UN Federal is another.) This won't eliminate all forms of plastic card fraud you can experience, nor will it stop it at merchants that still accept swipe-to-pay, but it can limit it. It's up to you whether you want to go that far.
posted by fireoyster at 1:04 PM on December 19, 2015
It's likely that they have a strategy for increasing the charges until they get denied, and that's how they got close to your balance. Likely they got your info indirectly from a card skimmer at a gas station or ATM, or from a data breach on an online merchant with poor security practices. There's a black market online for buying and selling batches of stolen credit card numbers, so your particular criminals likely bought your info from whoever skimmed it. Strangely enough, the one time this has happened to me, the end criminal was also in Florida.
3) Anything else I should know about how I ended up in the middle of this, or how I might be more careful moving forward?
Always use a credit card instead of debit whenever possible. Credit cards have stronger fraud protection. You're lucky your bank made you whole. Seriously, debit cards are a huge liability.
posted by qxntpqbbbqxl at 1:08 PM on December 19, 2015 [7 favorites]
3) Anything else I should know about how I ended up in the middle of this, or how I might be more careful moving forward?
Always use a credit card instead of debit whenever possible. Credit cards have stronger fraud protection. You're lucky your bank made you whole. Seriously, debit cards are a huge liability.
posted by qxntpqbbbqxl at 1:08 PM on December 19, 2015 [7 favorites]
Seconding what qxntpqbbbqxl wrote: Always use a credit card instead of debit whenever possible. Credit cards have stronger fraud protection. Seriously, debit cards are a huge liability.
There's really no reason to use a debit card, except to get money. Credit cards have a lot of nice built-in protection. Debit cards do not.
posted by still_wears_a_hat at 1:16 PM on December 19, 2015 [5 favorites]
There's really no reason to use a debit card, except to get money. Credit cards have a lot of nice built-in protection. Debit cards do not.
posted by still_wears_a_hat at 1:16 PM on December 19, 2015 [5 favorites]
Anything else I should know about how I ended up in the middle of this, or how I might be more careful moving forward?
Stop using a debit card and get a credit card.
Credit cards have legislatively mandated $50 maximum liability under the Fair Credit Billing Act and most credit card companies will waive that $50. Debit cards are also regulated under the Electronic Fund Transfer Act, but there is no maximum liability if you take too long to report the loss. For instance, if you take two days to notice a lost card, you could be liable for up to $500 in charges. Further, fraudulent debit transactions still come right out of your checking account, which means they can overdraw your checking account, unlike credit transactions. So, an inconveniently timed fraudulent charge could cause your rent payment or mortgage payment to bounce. In that case, you could be entirely compensated for the fraudulent charge, but still end up with significant penalties from your landlord/mortgage holder due to a bounced payment. Even worse, the EFTA does not require your bank to immediately reimburse you for fraudulent charges; they can take 10-20 days to do so, extending the window when a bounced check can happen.
Even if fraud does not occur, holds on debit accounts can cause checks to bounce if you have a tendency to keep low account balances. For instance, gas stations often hold $50 or $75 on your account whenever you make a transaction. That hold goes straight to your checking account and can cause a check to bounce if your balance is too low.
In addition, the rewards on a credit card are, in general, almost always better than debit cards. It is trivial to get 1% cash back on credit card transactions, and you can push that to 5-6% if you are creative with how you use credit cards.
There is almost never a reason to use a debit card unless there is a discount provided for using a debit card. Even then, the discount needs to exceed the cash back you'd get from a credit card to make sense.
posted by saeculorum at 1:29 PM on December 19, 2015 [8 favorites]
Stop using a debit card and get a credit card.
Credit cards have legislatively mandated $50 maximum liability under the Fair Credit Billing Act and most credit card companies will waive that $50. Debit cards are also regulated under the Electronic Fund Transfer Act, but there is no maximum liability if you take too long to report the loss. For instance, if you take two days to notice a lost card, you could be liable for up to $500 in charges. Further, fraudulent debit transactions still come right out of your checking account, which means they can overdraw your checking account, unlike credit transactions. So, an inconveniently timed fraudulent charge could cause your rent payment or mortgage payment to bounce. In that case, you could be entirely compensated for the fraudulent charge, but still end up with significant penalties from your landlord/mortgage holder due to a bounced payment. Even worse, the EFTA does not require your bank to immediately reimburse you for fraudulent charges; they can take 10-20 days to do so, extending the window when a bounced check can happen.
Even if fraud does not occur, holds on debit accounts can cause checks to bounce if you have a tendency to keep low account balances. For instance, gas stations often hold $50 or $75 on your account whenever you make a transaction. That hold goes straight to your checking account and can cause a check to bounce if your balance is too low.
In addition, the rewards on a credit card are, in general, almost always better than debit cards. It is trivial to get 1% cash back on credit card transactions, and you can push that to 5-6% if you are creative with how you use credit cards.
There is almost never a reason to use a debit card unless there is a discount provided for using a debit card. Even then, the discount needs to exceed the cash back you'd get from a credit card to make sense.
posted by saeculorum at 1:29 PM on December 19, 2015 [8 favorites]
You're also fortunate that the bank acted quickly to make you whole. It's not uncommon to have to wait months to get your money back. As you might imagine, this can cause huge problems with bouncing auropayments, rent/mortgage, etc.
After seeing a close friend go through a months-long drama with the bank after getting her account cleaned out, I don't use my debit card for anything besides withdrawing cash from a bank ATM that I'm familiar with (I hope that being familiar with the machine will help me notice if skimmers/fake keypads have been installed). If I have to get cash from a sketchy ATM, I cash advance from a credit card.
posted by quince at 1:59 PM on December 19, 2015 [1 favorite]
After seeing a close friend go through a months-long drama with the bank after getting her account cleaned out, I don't use my debit card for anything besides withdrawing cash from a bank ATM that I'm familiar with (I hope that being familiar with the machine will help me notice if skimmers/fake keypads have been installed). If I have to get cash from a sketchy ATM, I cash advance from a credit card.
posted by quince at 1:59 PM on December 19, 2015 [1 favorite]
Do you buy a lot of stuff online from many different merchants? The time my credit card got stolen, it was someone in Thailand. It happened because I gave my credit card to a record label website that had horrible security practices and was hacked. I only found out because a guy at a sporting goods store in Colorado called me to ask why a guy in Chicago was buying $900 worth of figure skates and shipping them to Phuket.
posted by deathpanels at 4:19 PM on December 19, 2015
posted by deathpanels at 4:19 PM on December 19, 2015
There's no point in trying to understand it. It can be stolen and sit on a black market for weeks and weeks before someone buys it. Any attempts at figuring out when it was breached will be futile and won't really help you prevent it in the future. I went through this a few months ago when someone somehow cloned my credit card and was using it in person in another state at literally the exact same time I was using my actual credit card in person. Through all my research, it was pretty clear it's impossible to know exactly what went wrong. (I suspect maybe a skimmer was on a public parking meter, but how can I really know?)
The lesson I learned is that Chase's fraud protection sucks and I need to take matters into my own hands. The thief made literally 20 separate $15 transactions at a Walgreens all in a row and then went and did the same thing at Jamba Juice, and then went and did the same thing at Target while I was using my real credit card at literally the same time in another state. But that apparently wasn't suspicious enough for Chase. Now, I set up my preferences so any purchases I make on my credit card trigger an email alert to a separate email address I made. If I get an email when I haven't bought anything, I know something is wrong. All you can do is be better about it in the future.
posted by AppleTurnover at 7:11 PM on December 19, 2015 [1 favorite]
The lesson I learned is that Chase's fraud protection sucks and I need to take matters into my own hands. The thief made literally 20 separate $15 transactions at a Walgreens all in a row and then went and did the same thing at Jamba Juice, and then went and did the same thing at Target while I was using my real credit card at literally the same time in another state. But that apparently wasn't suspicious enough for Chase. Now, I set up my preferences so any purchases I make on my credit card trigger an email alert to a separate email address I made. If I get an email when I haven't bought anything, I know something is wrong. All you can do is be better about it in the future.
posted by AppleTurnover at 7:11 PM on December 19, 2015 [1 favorite]
Nope, your bank didn't take the hit. It charged the transaction back to the merchant account of whatever merchant was foolish enough to take the card. The merchant is out the money (or the merchant's bank, depending on agreements on that end to which you are not privy).
That's not always true, and doesn't appear true in this case. The charges in question sound like "card present" transactions, which means the card (or in this case, a counterfeit copy of it) was swiped at the point of sale. Unless this transaction met one of the very few exceptions for card present transactions, the bank did indeed take the loss.
Chargebacks are only a course of action for transactions that meet certain criteria. I'm most familiar with MasterCard's rules - the manual is a good thousand pages of said criteria.
Also, regarding an answer above that I can't find to quote for some reason: You still need to report suspicious activity within a reasonable amount of time on credit cards, just like debit cards. Reg Z (credit) requires you to report fraudulent activity within 60 days of the statement on which the fraud charge appears, just like Reg E for debit cards. The regs are very consumer-friendly, but you do have liability as well.
Anyway, on to your question:
1- How did they know how much money I had in the account? I use a very tight password to log into the bank account online (that I have since changed).
Echoing what others have said above - if they had your PIN, they'd have been able to check your balance at any ATM.
2- Do retailers not ask for identification before issuing money orders? Do the retailers who issue money orders to crooks have anything to lose?
Nope, not typically. And besides, it's elementary for a criminal to emboss their name (or the name of an assumed identity/one that matches their license) on to the mag stripe info and/or on to the front of a counterfeit card. That way, the card matches the ID.
3- Anything else I should know about how I ended up in the middle of this, or how I might be more careful moving forward?
Sadly, there's not much you can really do - your card was probably skimmed at an ATM somewhere by a nigh-invisible reader that was custom-fit to the model of ATM that it was attached to. Unless you want to take apart the reader (pro tip: I do not recommend trying this, banks get mad), there's not much you can do.
At this point, I'd recommend using a chip/EMV card if your bank issues them. If not, go for a bank that does. That really is some of the better protection out there right now in the payments world.
source: many years working in bank card fraud
posted by Verdandi at 8:01 PM on December 19, 2015
That's not always true, and doesn't appear true in this case. The charges in question sound like "card present" transactions, which means the card (or in this case, a counterfeit copy of it) was swiped at the point of sale. Unless this transaction met one of the very few exceptions for card present transactions, the bank did indeed take the loss.
Chargebacks are only a course of action for transactions that meet certain criteria. I'm most familiar with MasterCard's rules - the manual is a good thousand pages of said criteria.
Also, regarding an answer above that I can't find to quote for some reason: You still need to report suspicious activity within a reasonable amount of time on credit cards, just like debit cards. Reg Z (credit) requires you to report fraudulent activity within 60 days of the statement on which the fraud charge appears, just like Reg E for debit cards. The regs are very consumer-friendly, but you do have liability as well.
Anyway, on to your question:
1- How did they know how much money I had in the account? I use a very tight password to log into the bank account online (that I have since changed).
Echoing what others have said above - if they had your PIN, they'd have been able to check your balance at any ATM.
2- Do retailers not ask for identification before issuing money orders? Do the retailers who issue money orders to crooks have anything to lose?
Nope, not typically. And besides, it's elementary for a criminal to emboss their name (or the name of an assumed identity/one that matches their license) on to the mag stripe info and/or on to the front of a counterfeit card. That way, the card matches the ID.
3- Anything else I should know about how I ended up in the middle of this, or how I might be more careful moving forward?
Sadly, there's not much you can really do - your card was probably skimmed at an ATM somewhere by a nigh-invisible reader that was custom-fit to the model of ATM that it was attached to. Unless you want to take apart the reader (pro tip: I do not recommend trying this, banks get mad), there's not much you can do.
At this point, I'd recommend using a chip/EMV card if your bank issues them. If not, go for a bank that does. That really is some of the better protection out there right now in the payments world.
source: many years working in bank card fraud
posted by Verdandi at 8:01 PM on December 19, 2015
When a charge is made via my debit card I receive immediate email confirmation. Last night I received two messages about charges, neither of which I had made. The emails arrived within eight minutes of each other. One charge was made at a Walmart, the other at Winn-Dixie Supermarket, both in Hialeah, Florida.
I immediately got on the phone to call the bank. About a half hour later, while the bank had me on hold, two more charges were made at different retailers also in Hialeah FL, again within minutes of each other.
This happened to me about six months ago. I am in the northeast and check bank accounts regularly. The charges were at Wal-mart, Winn-Dixie, and Popeye's chicken in New Orleans. I think also a charge at a McDonald's? They were all made within a period of a day or two.
And, I, too, was on the phone with the bank when another charge came in. They saw it before it even hit my online account. It was bizarre. I don't know if they knew how much money I had, and don't have any reason to think they did. I think they just planned on using it until it got rejected. Our bank gives us an additional thousand dollars to dip into at $35 an overcharge so they could have gone on at that rate for quite a while.
The bank happens to have a pretty shitty card -- it doesn't even have raised numbers on it. It seems pretty easy to replicate, and then 'oh the magnetic strip is broken' and the cashier enters the number manually and the signature matches the signature on the back. They ring it as credit instead of debit and there you go.
The bank asked me if I wanted to press charges and I told them the charges were too sad. $15.87 at Popeyes? The supermarket? What a crime spree. The bank paid the money back in a day or two and sent me a new card.
posted by A Terrible Llama at 8:03 AM on December 20, 2015
I immediately got on the phone to call the bank. About a half hour later, while the bank had me on hold, two more charges were made at different retailers also in Hialeah FL, again within minutes of each other.
This happened to me about six months ago. I am in the northeast and check bank accounts regularly. The charges were at Wal-mart, Winn-Dixie, and Popeye's chicken in New Orleans. I think also a charge at a McDonald's? They were all made within a period of a day or two.
And, I, too, was on the phone with the bank when another charge came in. They saw it before it even hit my online account. It was bizarre. I don't know if they knew how much money I had, and don't have any reason to think they did. I think they just planned on using it until it got rejected. Our bank gives us an additional thousand dollars to dip into at $35 an overcharge so they could have gone on at that rate for quite a while.
The bank happens to have a pretty shitty card -- it doesn't even have raised numbers on it. It seems pretty easy to replicate, and then 'oh the magnetic strip is broken' and the cashier enters the number manually and the signature matches the signature on the back. They ring it as credit instead of debit and there you go.
The bank asked me if I wanted to press charges and I told them the charges were too sad. $15.87 at Popeyes? The supermarket? What a crime spree. The bank paid the money back in a day or two and sent me a new card.
posted by A Terrible Llama at 8:03 AM on December 20, 2015
and then went and did the same thing at Jamba Juice
Okay, I get the money order part of the scam but don't understand the trips to Jamba Juice and Popeye's chicken, as happened in my case. It's not like you can get money orders at Popeye's.
I'm also unclear on debit versus credit -- I thought almost all banks gave you a card you could use either way, like mine has a Visa logo on it and because I forgot to activate the pin on my new one (yes.) I always use it as a Visa card.
posted by A Terrible Llama at 8:09 AM on December 20, 2015
Okay, I get the money order part of the scam but don't understand the trips to Jamba Juice and Popeye's chicken, as happened in my case. It's not like you can get money orders at Popeye's.
I'm also unclear on debit versus credit -- I thought almost all banks gave you a card you could use either way, like mine has a Visa logo on it and because I forgot to activate the pin on my new one (yes.) I always use it as a Visa card.
posted by A Terrible Llama at 8:09 AM on December 20, 2015
also ask for a regular, dumb ATM card
Seconding this. For whatever reason banks are eager to issue debit cards, which they imply is the only way to get cash from an ATM, but that's not true. Cut up your debit cards and request ATM cards, instead.
posted by Rash at 10:40 AM on December 20, 2015
Seconding this. For whatever reason banks are eager to issue debit cards, which they imply is the only way to get cash from an ATM, but that's not true. Cut up your debit cards and request ATM cards, instead.
posted by Rash at 10:40 AM on December 20, 2015
Agreed with folks that the best way to prevent this in the future is to use your debit card ONLY at your bank's ATM (or get an ATM-old card, as suggested above), and use a credit card for everything else. You can do this through your bank (for example, I have both a debit and a credit card through my bank -- separate cards and separate accounts), or you can shop around online for the best deals, just depending on the features that are important to you (you can find cards with very low (even 0%) introductory rates, good rewards, no foreign transaction fees if you travel internationally, etc. etc., so just prioritize what you will find most valuable).
posted by rainbowbrite at 7:48 AM on December 21, 2015
posted by rainbowbrite at 7:48 AM on December 21, 2015
This thread is closed to new comments.
- We did not check ID to purchase money orders.
- We only accepted cash or debit for money orders, although since the customer did their card payment through the keypad on their side of the counter, occasionally credit payments did happen.
- We did keep a log of money orders with respect to date, which clerk printed it, what amount it was for, and the code on the order itself.
- Although there was a "daily limit" of 1999.99 day per person and a 1000.00 limit per money order, again, we didn't log or verify names so it would be easy to come back later that night or go to a different location.
- We stopped cashing money orders almost completely because of fraud. There is a phone number you can call to check the status of a particular order before you cash it to see if it's been cashed already. Our biggest concern was cashing a fraudulent money order and ensuring money orders were printed accurately (a typo can cost you or the customer a lot of money), I never heard anything about issuing money orders to criminals.
Hope that is helpful! If you have more specific questions, I can do my best to answer.
posted by rubster at 12:57 PM on December 19, 2015 [3 favorites]