Credit card number stolen! How do I protect others?
January 14, 2009 9:33 AM

My credit card number was stolen! How do I determine the most likely culprit (or at least how they did it) and try to ensure it doesn't happen again either to me or to someone else?

I have a relatively new credit card. It lives in my pocket, I have never handed it to anyone else or given out the number except as described below. I've used it twice at the grocery store, swiped it myself. On 10 January I placed an order through a website, on 12 January they ran my card, and early this morning (14 January) I got a call from the fraud department of my credit card company. Someone had made three small (>$10) purchases with my card. The purchases were dated today, 14 January. (Capital One was right on top of it!) Classic fraud flag, the thief checking the card works with small purchases before using it for something big. I confirmed I did not make those purchases, I won't be liable, that number is cancelled and they're sending a new card. No problem there. The question is, how did someone get my card number? The only answers that make sense to me are (in order of likelihood):

1) The website I ordered through has been hacked;
2) Someone at the company I ordered from stole it;
3) Someone in my building, no more than two apartments away, has been sniffing my as-yet-unsecured wireless router (dumb, I know) and got it.

I rate #3 as pretty unlikely given my neighbors. I'm on the third floor, far from the street and parking lot, and it's cold here - a random wardriver/walker is even more unlikely.

I let the company I ordered from know about this. Of course I was speaking to a lowest-level CS rep, and she seemed pretty sure that couldn't ever happen - "We've never had a problem with that before." Then again, she seemed to think I was implying a #2 scenario, that an employee there was responsible.

Am I reasonable in thinking this was a failure of security either with the company website, or within the company? Should I call back and ask to speak to someone as high up as I can get? How likely is it that their website is compromised, and that they don't know, or haven't told the majority of their employees?
posted by attercoppe to Computers & Internet (13 answers total) 2 users marked this as a favorite
Best answer: Similar thing happened to me a couple of months ago. Bank of America security rep told me that it was probably just a random number that worked (sadly, a random number that you already owned). They've apparently been getting hit with this a lot more lately.

Also, I'm not an expert, but I don't think #3 is likely, because I'm pretty sure your card number is sent encrypted, so even if you can sniff the packets, there's no way to see what it is. I could be wrong on that, though.
posted by General Malaise at 9:40 AM on January 14, 2009 [1 favorite]

Honestly, since you've reported it, there's not much more you can really do. Get a new credit card number and be done with it. Since you don't have to pay for the fraud, this is between the company and the credit card company. You're out of the equation. If it was a hacked website, the company will get more CC chargebacks and be notified that way.

This happened to my husband and me once; we got a new number and that was that. The good thing about using credit cards is that you often don't have to pay fraudulent charges. I consider it just the price of doing business online. Just never use a debit card online if it's hooked to an account that you can't afford to have emptied -- debit cards have different protections than credit cards.
posted by sugarfish at 9:42 AM on January 14, 2009

As a precaution, if a credit card company calls for any reason, don't give personal information by phone that they already should have. Particularly, don't provide the three-digit CVV (card verification value) on the back of your card, or any other data that could be used by thieves who might only have your credit card number, name and phone number.

Unfortunately, thieves can and do impersonate credit card companies to get this information. If you receive a call claiming that your card has been misused, be sure the company rep is giving *you* information. If you have any doubts about the veracity of the call, phone your credit card company after hanging up to re-check what you've been told, and view your account online as well.
posted by terranova at 9:54 AM on January 14, 2009 [1 favorite]

Best answer: There's a simple algorithm to generate valid credit card numbers, usually used by web developers to ensure that a credit card number entered into the order form is valid. This has been used in the past for fraud. There's a reason you're asked for the mailing address, although if the company is lazy they don't actually use it for verification, and also I imagine part of the reason why the CC companies implemented the 3 digit verification code to check that you actually have the card.
posted by hungrysquirrels at 10:01 AM on January 14, 2009 [1 favorite]
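
The checksum the answer above refers to is the Luhn (mod 10) check. As an added example that is not part of the original thread, this shows what an order form gets from it: it catches typing errors, but a number that passes says nothing about who holds the card, which is why the address and 3-digit code checks matter. `screenOrder`, `avsMatch` and `cvvMatch` are hypothetical names standing in for results a payment processor would return.

```javascript
// Added example: the Luhn checksum as an order-form sanity check.
// Returns true when the digit string passes the Luhn (mod 10) checksum.
function luhnValid(input) {
  const digits = String(input).replace(/[\s-]/g, "");
  if (!/^\d{12,19}$/.test(digits)) return false;
  let sum = 0;
  for (let i = 0; i < digits.length; i++) {
    let d = Number(digits[digits.length - 1 - i]);
    if (i % 2 === 1) {
      // Double every second digit, counting from the right.
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
  }
  return sum % 10 === 0;
}

// Counts how many single-digit typos of a valid number the checksum rejects.
function typosCaught(number) {
  let caught = 0;
  let total = 0;
  for (let pos = 0; pos < number.length; pos++) {
    for (let d = 0; d <= 9; d++) {
      if (String(d) === number[pos]) continue;
      const typo = number.slice(0, pos) + d + number.slice(pos + 1);
      total++;
      if (!luhnValid(typo)) caught++;
    }
  }
  return { caught, total };
}

// Hypothetical order screen: avsMatch and cvvMatch are assumed to be the
// address and security-code verification results from the processor.
function screenOrder({ number, avsMatch, cvvMatch }) {
  const reasons = [];
  if (!luhnValid(number)) reasons.push("checksum failed (likely typo)");
  if (!avsMatch) reasons.push("billing address not verified");
  if (!cvvMatch) reasons.push("security code not verified");
  return { accept: reasons.length === 0, reasons };
}

// Widely published test number used by payment sandboxes, not a live card.
const TEST_PAN = "4111111111111111";
```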

Here's a previous question that has some advice in it.

"Someone in my building, no more than two apartments away, has been sniffing my as-yet-unsecured wireless router (dumb, I know) and got it."

Technically someone from a significant distance away can sniff your connection if they use a more powerful antenna. I agree that this is unlikely, especially since the web site you used almost certainly used SSL encryption on top of your unsecured wireless connection.
posted by burnmp3s at 10:12 AM on January 14, 2009

This happened to me too. A hotel I stayed at years before sent me a letter months after saying they had a security break in on the computer. I am assuming mine came from that.
posted by ChloeMills at 10:13 AM on January 14, 2009

Response by poster: General Malaise, that's interesting with the random numbers. Goes along with what hungrysquirrels says too.

Sugarfish, the thief did not order from the same company I did - they're not getting a chargeback from me. The thief bought some coffee and a clock or something, and paid UPS a few bucks too. If the company I ordered from is ultimately responsible for the theft, they're not going to know about it unless someone tells them - or they happen to discover it themselves.

Terranova, that's a good point for everyone. It was early in the morning, the CC rep had a strong accent, and it was such a weird situation overall that I asked them to verify my card number - which they did. They didn't ask me for any personal information other than to verify my mailing address for the fraud paperwork.
posted by attercoppe at 10:18 AM on January 14, 2009

"It was early in the morning, the CC rep had a strong accent, and it was such a weird situation overall that I asked them to verify my card number - which they did. They didn't ask me for any personal information other than to verify my mailing address for the fraud paperwork."

Last time someone claiming to be my card issuer called me on the phone I would not even give them my billing address (which can, of course, be useful in engaging in fraud by people who already have the credit card number). I said I would call them back at the number printed on my card and the rep agreed that this was a good idea.

Don't give out information to people who call you on the phone, strange accent or not. Always call your card issuer at a number you already have for them. Do not trust the number that you are told to call.
posted by grouse at 10:32 AM on January 14, 2009 [1 favorite]

This has happened to me a few times.

Something I haven't tried is to use a "throwaway" credit card number when shopping online. It wouldn't help if (as seems likely in your situation) it was a very lucky random cc number crime, but if you're shopping at a retailer that seems even slightly shady, that would be a good way to go.

Nthing not to give info to any credit card company calling you, and calling them back at the number printed on your card.
posted by peanut_mcgillicuty at 11:28 AM on January 14, 2009

The only way to win this game is not to play. Every time you use a credit card, online or off, you're at risk from every link in the chain of the transaction. One of the biggest mass thefts of credit cards stemmed from in-person use.

So I would say it's not reasonable to assume it was the online transaction as opposed to the grocery store use (or another of the scenarios suggested above) that was at fault. (Not to say that it wasn't, of course.)

Unless you were to miraculously find out who used your number and that person told you, you're very unlikely to ever have a clue how this happened.

As burnmp3s says, you're unlikely to have lost it to a wifi sniffer, because the transaction was almost certainly encrypted.

The only way you can be entirely safe would be not to have a credit card. Next safest would be to have one but to never use one. But if you're using one, I don't think you're overall any safer to exclusively use it off-line (and I'd rate handing it over to waitstaff where it disappears from your sight and both sides can be trivially photographed as marginally riskier than online use). Just continue to scrutinize your statements, as you're obviously already doing.
posted by Zed at 12:04 PM on January 14, 2009

Best answer: I was the person on the other end of the phone today, notifying about 40 bank customers that their debit card had been "compromised". We get regular alerts from Visa's fraud department to close cards when:
1. An audit of a merchant database shows viruses or security leaks.
2. Visa is able to narrow down multiple reports of fraudulent charges to find a common denominator of merchants who were visited. Given that all cards that used that merchant may have had their numbers stolen, we'll be asked to close those cards too, even if there is no sign of fraud yet.

Some of these alerts will say that Visa knows exactly what happened, but not all of them. If they can't always find the culprit, I don't think you'll have much chance. The best advice I can give is to always have a back-up cc account so that you can still make purchases if your account has to be closed or gets maxed out. And if you have a debit card, never, ever, ever use it on the internet. It's much worse to have your checking account get emptied when you have bills to pay.

And this is the perfect place to vent about the fact that people shouldn't buy diet pills over the internet. "Free trial offer, you only pay shipping", is a lie. Read the fine print people!
posted by saffry at 3:37 PM on January 14, 2009

call me the don of being defrauded because I logged onto my internet banking yesterday only to discover that my debit account had had over eight thousand pounds (that's GBP) removed from it in three separate transactions, across two days.

I have also had my mastercard cloned and a previous debit card cloned in the last year. I was called up by the bank fraud blokes to confirm it wasn't me who'd used my credit card to buy booze at a woolworths in australia.

as for my emptied bank account, I immediately called the bank and they will investigate the issue when I sign a form they will be sending. they assured me I would get my money back ultimately, however the investigation may take up to ten weeks.

I wondered the very self same thing as the poster does, of course - how?! I've just been travelling for 5 months, NZ, Thailand, Cambodia and Vietnam. though of course I was careful not to let cards out of my sight, eyeball cash machines before I use them and keep my cards close to me when I sleep, I expect that somewhere along the line my details got pinched. certainly in the case of the mastercard. what's more interesting is that my 8 grand loss is credited to both a Tesco credit card and a Tesco platinum I'm assuming is UK based. that makes me wonder whether somewhere online I bought from before christmas (truth be told I've not used my cards much since I got back) has yoinked my details. the fellow on the phone I spoke to when reporting the whole thing said the offending transactions were done remotely (over the phone, we guess, with just the details of the card rather than a clone per se).

fortunately I am living at home at present, otherwise I'd be well and truly fucked. for ten weeks anyhow.
posted by 6am at 4:51 PM on January 14, 2009

As always, it's not "the internet", it's the endpoint. A merchant who is not being secure with the credit card numbers. Or a random number. It's way easier to just generate random numbers than it is to sniff packets for number sequences that might be credit card numbers.
posted by gjc at 7:01 PM on January 14, 2009
