Identity Theft 101
August 26, 2008 3:28 PM   Subscribe

Identity Theft filter: long story short, my email, debit card #, first and last name, and home address were used fraudulently to open an account with ccbill.com. How does this happen?

No, I don't play Texas Hold'em, but apparently somebody who does managed to get my info and use it to buy chips for a gambling site. In doing so, they cleaned out my bank account down to the last dollar.

The only parties besides myself who would have access to the four pieces of information used to open the ccbill.com account would be online retailers of a reputable nature.

I'm just trying to understand how something like this happens, because it really feels like a violation and I'd like to protect myself in the future.
posted by chez shoes to Computers & Internet (18 answers total) 5 users marked this as a favorite
 
I had someone buy a very expensive camera from Dell and ship it to Florida using my debit card. The thief managed to buy $200 worth of services from Ancestry.com. Thieving Scoundrel even knew the security code on the back of the card! Bank of America ultimately gave me my money back (and sent me a new debit card), but I suspect that my details were swiped from (as you say) reputable online retailers. (Think Amazon, GoDaddy, 1-800-Flowers, etc.)

If you're going to use your debit card to make purchases online, the best defense is to monitor your banking activity online on a regular basis. Like, every other day.

Sorry about your (financial) loss -- I hope it gets sorted out quickly. It's a major pain in the ass.
posted by potsmokinghippieoverlord at 3:47 PM on August 26, 2008


Best answer: I don't have a good answer for you (there are so many articles that discuss protecting personal data) - but the same thing happened to me, and I was lucky in the fact that they made a small ($3) test purchase on a porn site (maybe a day pass?) - that I caught online, and closed the account right away.

After that, though, I always follow the practice of having one account for online purchases/debit card use etc... I transfer money into it from my main account when I need to use it, and that way, even if they get all my info, only the account with a small amount of money in it is cleaned out.

And it DOES feel like a violation. Sorry this happened to you.
posted by Liosliath at 3:48 PM on August 26, 2008 [1 favorite]


I very much sympathize with chez shoes loss.
I try to use PayPal and not a credit card when making online purchases and wonder if this is a good idea? Also, Amazon holds my card details, is this not safe?
I hope I am not derailing this thread by asking.
posted by lungtaworld at 4:01 PM on August 26, 2008


The only parties besides myself who would have access to the four pieces of information used to open the ccbill.com account would be online retailers of a reputable nature.

If you're not careful with your bank statements and receipts, anyone with access to your garbage or recycling could get these. Name, address and email are trivial this way, and even reputable online retailers sometimes (stupidly) have card info in the receipt you receive in your parcel.
Along similar lines, a crime of growing popularity is breaking into cars, and copying the info on cards inside without taking them. Victim assumes a simpler crime has taken place and doesn't necessarily connect the dots even after the identity theft.

It's likely that your details were snatched online, but it's easier to figure out what went wrong if you can rule out as many scenarios as possible, which in future may require a change in habits. (Eg unsolicited credit card applications get ripped half with one half dropped in the garbage, the other in the recycling. It takes 2 seconds longer than just dropping it in the recycling)
posted by -harlequin- at 4:01 PM on August 26, 2008


I trust Amazon.com with my actual number but for every other online purchase I use one time use credit cards numbers that can be generated with a dollar limit and time expiration. Citibank offers them with their cards (they call them virtual account numbers). The entire credit card is online only (I have a separate one for gas/ groceries/ etc) so it makes it easier to scan for purchases I didn't make.
posted by sharkfu at 4:03 PM on August 26, 2008


Response by poster: Thanks for the replies so far. Liosliath, I like your idea of having a second account for this purpose - I'm opening one tomorrow. Or whenever my bank refunds my money :)

To clarify: I do paperless bank statements, and shred just about everything that I toss.

The thing that gets me is that they had my email addy: it's one that I reserve solely for online shopping and close friends. Since I'm pretty sure I can rule out the latter, I'm now questioning the safety of online shopping - particularly WRT Amazon and others that hold my card details.
posted by chez shoes at 4:07 PM on August 26, 2008


Do you keep your PC fully updated? There have been vulnerabilities in Flash that allow a rogue advertisement to install software on your home PC. That software then monitors your PC for useful information and sends it back home for further nefariousness.
posted by nomisxid at 4:07 PM on August 26, 2008


A large percentage of computers that are online have been infected with keyloggers or other trojans. It's possible to get infected just by surfing to the wrong site; you need not choose to download, view or install anything. You can even get infected if your machine is running a firewall, realtime spyware scanner and realtime virus scanner. None of those systems work 100% of the time. And they may work 0% of the time against new threats that haven't been identified yet.

So the online retailers may not have been hacked. It's possible that someone can see every word you type. Your machine sends them a logfile every couple of days and they run a script to find credit card numbers. Tra-la, you're compromised.

You're in the same boat as tens of millions of people. Bring your machine into the shop and have them do a through scan and update of your security software.
posted by ten pounds of inedita at 4:11 PM on August 26, 2008


Response by poster: nomisxid, I do update regularly. And, I'm on a Mac, so I think I'm pretty safe.
posted by chez shoes at 4:12 PM on August 26, 2008


Best answer: Safe(R) on a Mac,but not entirely so. This site looks useful for making even more sure that you're secure.
posted by Liosliath at 4:17 PM on August 26, 2008


Response by poster: Liosliath, thanks for the info - I know nobody is 100% safe, but this is good to know.
posted by chez shoes at 4:18 PM on August 26, 2008


Liosliath beat me to it. Was about to link exactly the same thing.
posted by ten pounds of inedita at 4:19 PM on August 26, 2008


Best answer:
There are often leaks you wouldn't even think of. For example: the housing manager at my friend's apartment (having a mail key) would steal mail during the day when it arrived. He ended up setting up credit card accounts in tenants' names and ordering Dell computers. Since he also signed for all UPS and Fedex packages he was able to do this for a while before people got suspicious.

Other potential leaks:

-Cashiers/ waiters sliding your cards into portable readers for later use.

-Surfing at a wifi hotspot without using a VPN. (session jacking can be used to get into someone's email by copying their cookies mid-session)

-Already mentioned keyloggers

-Sites that use cross-site scripting (I have a Mac too and caught a site trying use XSS to go to some of my HTTPS bookmarks. If I'd been logged into them they would've had access. Use NoScript plugin for firefox.)

-Compromised ATM network vulernabilities

I urge you to switch to a credit card for online purchases for this reason: when a debit card is compromised online the thief is stealing your money, when a credit card is compromised they're stealing the bank's money. Banks work harder to protect their money.
posted by sharkfu at 4:40 PM on August 26, 2008


Response by poster: sharkfu, you raise some excellent points. Thanks for the NoScript plugin suggestion - I wasn't aware of that one.

Cashiers/waiters/ATMs wouldn't have access to my email addy, though. And I don't use wifi hot spots, or have an apartment manager. So, I'm still pointing the finger at one of the online vendors I use.
posted by chez shoes at 4:46 PM on August 26, 2008


Ever stay at a Best Western?
posted by meta_eli at 4:51 PM on August 26, 2008


Response by poster: meta_eli, never. And not planning to now!
posted by chez shoes at 4:59 PM on August 26, 2008


or shop at SweetBay?
posted by patnok at 7:03 PM on August 26, 2008


Response by poster: never even heard of SweetBay, so, no.
posted by chez shoes at 7:43 PM on August 26, 2008


« Older Hacking the corporate sofa.   |   Post-poop dog won't move on walks, help! Newer »
This thread is closed to new comments.