Fraud me once, shame on me. Fraud me again, you can?
October 13, 2023 1:36 AM

I've had to cancel my Visa card after discovering an unauthorized transaction. I got a new card, new PIN, new CVV, and as soon as the shiny new card arrived, I found a new unauthorized charge and had to do the whole dance again. How is it possible for fraudsters to hack my new card so quickly, when all the numbers were changed? Details below. Theories welcome.



FWIW, this is in Canada, where credit cards have PINs but tap doesn't require it. (But the fraudulent charges were not made with tap: they were online charges, which often require the 3 digit CVV).

I'm a good boy and try to take all the usual precautions to protect my credit cards and financials:
- I use 2FA, use long complex passwords, don't reuse passwords, and don't write them down.
- I have credit monitoring and get alerted when suspicious transactions are flagged (my credit report is pristine so far)
- I use a VPN to access the internet and use an extension that requires https://
- I use a Mac and scan for viruses and malware
- I check for skimmers at ATMs and cover my hands. I tend to pay using tap, which requires my physical card and avoids skimmers (unless there are wireless skimmers?)
- I don't answer emails from Nigerian princes and don't give my card details over the phone or email. I don't buy stuff on the phone from phone bank operations that call out of the blue.
- I check email senders' true addresses to avoid phishing and spam.
- I don't use my phone to pay for things

In both cases, the fraudulent charge was small (about $20 or so), and it was an online purchase. It was so small that I was tempted to chalk it to a billing typo, ignore and just pay it. But as soon as I asked what the charge was (it looked plausible at first: could I actually have bought this hideous shirt?), my bank required me to cancel the card.

Can someone charge my Visa card without knowing its basics, like the CVV? Also, after weeks, there were only two very small charges. Is making a small charge a prelude to making bigger fraudulent ones? What's the point of making a small, fraud charge?

Not to be needlessly paranoid, but in both cases the fraudulent charge was on a clothing website. One I had never used before (and which sold *godawful* clothes to boot!). They were different sites (one was an Etsy store, the other a standalone brand), but both had a .co.uk URL. Has the UK become a fraud hotspot since Brexit?

The second fraudulent charge occurred three days after I received the brand new card with new number, new PIN and new CVV. I can sort of see my *old* card being hacked (I had it for years and also had some personal info stolen in several major breaches, such as the LinkedIn one. But I changed all my passwords after these breaches, and all was fine for years). With the new card, surely, there was no time for its info to be stolen in a new major breach? So how did they do it?

My bank was great about covering these charges both times. But they were adamant about cancelling both cards and changing all the numbers, which was a major hassle as I had to be without credit for days on end both times, and had to update all my recurring billing agreements, such as my internet or mobile phone providers. Could it be that's how the new card got hacked so quickly? Could my mobile phone company, the gas company, or the electricity provider be in on it? (I'm joking of course, but I'm also getting a bit paranoid).

Basically, I count myself lucky not to have suffered too much, but I am mystified: How is my card getting breached again, and so fast without being skimmed? I'm hoping a Mefite somewhere either works for Visa, or is a white-hat hacker and has an explanation.

Help me, hive mind, you're my only hope (.....to understand what is going on)
posted by Bigbootay. Tay! Tay! Blam! Aargh... to Work & Money (15 answers total) 4 users marked this as a favorite
 
Best answer: I am in Ireland, but just as a datapoint: I once had my card compromised, replaced it, and then had another small unauthorised transaction the next week. The bank told me that someone had managed to make a charge using my old, deactivated card details. They basically told me not to worry about it, it was their fault. But it was confusing. I wondered if there were fewer checks in place for tiny charges, but even then, how could someone use a cancelled card?

Later the same thing happened to my partner. She kept getting minor charges from Portugal on a card that had been compromised and cancelled over a year earlier. Like yours, very very small charges, like someone testing the waters.

Did the bank confirm that the second fraudulent charge was actually on the new card?
posted by distorte at 2:08 AM on October 13, 2023 [11 favorites]


Response by poster: Oh, that's an interesting thought: Thanks distorte! I'll have to check with the bank tomorrow....
posted by Bigbootay. Tay! Tay! Blam! Aargh... at 2:17 AM on October 13, 2023 [1 favorite]


Best answer: This has happened to my brother on his Visa by Wells Fargo* card multiple times and there is a question every day on the personal finance subreddit asking how this happened.

Your idiot bank is allowing "you" (newsflash, it's not you) to continue to charge to your deactivated card as a courtesy. It's one of the stupidest easy-to-fix credit card problems that happens regularly.

You need to call your banks and say (paraphrased) hey dumbass idiots, when I had to get a new card number due to fraud that meant I wanted the old number closed all the way forever so stop approving charges to it! Escalate until it has actually been done.

*To add insult to injury, in my brother's case Wells Fargo kept auto-updating some database with his new card number, and so the person who had my brother's old card number continued to be able to make new purchases through a few specific online vendors for months and months. Ridiculous. This was several years ago and a documented "feature" of Wells Fargo at the time.
posted by phunniemee at 5:02 AM on October 13, 2023 [34 favorites]


Phunniemee is exactly correct; this happened to me with Chase.
posted by corb at 5:25 AM on October 13, 2023 [1 favorite]


Confirming what distorte said. Same has happened to me. My bank didn't seem too concerned when I said that a new charge had been made against the new replacement card. I still replaced it because I don't trust anyone.
posted by Peach at 5:42 AM on October 13, 2023


This happened to me in July with my credit union. I couldn't understand, and now this question has told me why.
posted by jgirl at 6:25 AM on October 13, 2023


You should get a second card if being without this one is a big hassle for a few days.
posted by soelo at 7:20 AM on October 13, 2023 [1 favorite]


Google, Samsung, or Apple Pay might actually make this less likely to keep happening. The merchant never gets your actual card number. They get a temp number that is tied to your account for just that one transaction.
posted by soelo at 7:24 AM on October 13, 2023


I was going to suggest an Apple Card but I am not sure they are available in Canada yet. I have had mine for 4+ years and have never had it compromised. The one time I thought it had been compromised it ended up that it was a real billing but it came from a different name and I changed the number to be safe. The vendor sent an email out an hour later apologizing, but by then I had already made the change. There are no numbers visible on the card and one can change their number from within the app. And all of the places I have stored my card number were automatically updated so I didn't have to go to each vendor and update my stored credentials.
posted by terrapin at 8:17 AM on October 13, 2023 [1 favorite]


Just a small note that even when an online site asks for your CVC (CVV), it may not be used as an absolute signal for rejecting payments. Processors just use it as one bit of data for their fraud prevention checks. As a merchant using Stripe, I can flip the switch to enforce it absolutely, but as I recall it defaults to off because they have done some analysis that the level of fraud that results is lower than the drop-off in legitimate orders that get abandoned because people get a decline over the mismatch.
posted by jimw at 9:01 AM on October 13, 2023 [1 favorite]


Response by poster: Thanks, everybody, that explains it so much more! I knew Mefi would come to the rescue.

I'm going to look into Apple.

But first I'm going to follow phunniemee's advice and call my idiot bank to say "Hey dumbass idiots, stop approving charges to my old number".

Oh wait: I'm in Canada: I'm going to call my friendly bank and say: "I'm terribly sorry to bother you, but would you mind making a slight change to your charging procedure? Thank you kindly...."
posted by Bigbootay. Tay! Tay! Blam! Aargh... at 9:15 AM on October 13, 2023 [19 favorites]


If you want more detail about what happened behind the scenes, this article talks about issuer tokens and how they persist even through card number changes, etc.
posted by Superilla at 10:12 AM on October 13, 2023 [2 favorites]


Just chiming in to nth confirm this is also a thing in Canada. I had to get a new card number (RBC if you're curious) because I'm an idiot, not for fraud reasons, but the outcome would be the same. This was a year ago and there is still at least one of my subscriptions successfully being charged against the old number, which should have been completely cancelled. Yeah, cancelled is apparently not what you or I think it should be.
posted by cgg at 11:26 AM on October 13, 2023


Can someone charge my Visa card without knowing its basics, like the CVV?

My partner just dealt with this - exact same scenario, pretty much the second he activated the new card another fraudulent charge posted to it. The rep he spoke to told him that the card number still works in online wallets (services like PayPal) and asked if he wanted to deactivate all online wallets because apparently they don’t automatically do this when a card is canceled for fraud(?!). He said um yes please deactivate my stolen card everywhere and hasn’t had any issues since (knock wood), so try that language with your issuing bank.
posted by Fish, fish, are you doing your duty? at 10:21 AM on October 15, 2023 [1 favorite]


Just an FYI, at least in the States, merchants that subscribe can get your updated credit card info before you do. It's called an updater service and it should be criminal IMO.

Visa: (PDF)
https://usa.visa.com/dam/VCOM/download/merchants/visa-account-updater-product-information-fact-sheet-for-merchants.pdf

Mastercard: (WEB)
https://developer.mastercard.com/product/automatic-billing-updater-abu/

American Express: (WEB)
https://www.americanexpress.com/us/merchant/cardrefresher.html

and Discover: (PDF)
https://www.discoverglobalnetwork.com/content/dam/discover/en_us/dgn/docs/account-updater.pdf
posted by couchdive at 11:27 AM on October 16, 2023 [1 favorite]

