How can credit card info be stolen just by visiting a website?
April 28, 2010 2:43 PM   Subscribe

How can credit card info be stolen just by visiting a website?

My sister visited some time last week and this week her bank statement showed a $300 charge for items purchased on said site.
She called the company and they confirmed the billing address was hers, but the shipping address was somewhere else (not her address). Of course she contacted the bank and had the charges stopped.

How is it possible that just by visiting a website that her credit card info be stolen? Maybe the site pulled this info right off her computer some how?
posted by chump to Computers & Internet (11 answers total) 3 users marked this as a favorite
This is highly unlikely.

Most likely someone else got her card number from some other means and used it fraudulently on the same site.
posted by bitdamaged at 2:56 PM on April 28, 2010

Somebody randomly shopping at the same website using her credit card information seems a little far-fetched to me, considering it's and not somewhere much more common like Amazon. I'd hazard a guess that the security breach happened on the business website's end, or else possible someone gained access to her website browsing history and thought she wouldn't notice if the charge came from the same place.
posted by scarykarrey at 3:00 PM on April 28, 2010

bitdamaged: "This is highly unlikely.

Most likely someone else got her card number from some other means and used it fraudulently on the same site.

This is highly unlikely, if only for the sheer coincidence.

Questions to ask your sister:
* Was she on a public, or her own or another (unencrypted) wi-fi network at the time she used the site?
* Does the site itself have secure/encrypted transmission for its shopping area? In the most basic terms, is it an HTPPS url/is there a little lock icon in the status bar of the browser?
* Has there been any other suspicious activity on her card, shortly before or since this incident? That is, could the card info have been stolen elsewhere?

Not directly for your sister:
* Are there any stories online about these sort of shenanigans happening on this site before?

That's just off the top of my head. Others will surely chime in with other possibilities/explanations.
posted by yiftach at 3:04 PM on April 28, 2010

Corollary to my first question: was she on a public computer or one that others outside her household have access to?
posted by yiftach at 3:05 PM on April 28, 2010

My top two guesses would be public computer or trojan infection - which can be picked up by visiting a website. How is her antivirus software?
posted by Billegible at 3:15 PM on April 28, 2010


I've had a CC number stolen "from a website" after having made a purchase. My personal PC, encrypted wireless, secure payment page (not third-party), no trojans. It was a smaller site, but nothing weird. The number wasn't used on that same site, though - there were three test purchases made on other sites, which my CC company caught right away. I was kind of shocked when it happened. My personal theory is still that someone at the company or with access to their website or merchant back-end grabbed the number, rather than that the actual website was somehow compromised.
posted by attercoppe at 6:37 PM on April 28, 2010

So, I should say, in answer to the original question:

Had your sister previously purchased anything on that site?
Where else, online or off, might her card number have been stolen? Perhaps it's not too much of a coincidence that someone used it on a site that she visited - particularly if the number was stolen by someone in the same community.
posted by attercoppe at 6:40 PM on April 28, 2010

Usually the mechanism behind something like this is "I bought a bunch of porn and now my card's being used fraudulently, but I'm going to claim that it was just randomly stolen off the internet from some perfectly respectable website because that makes me sound less like a perv with bad judgment."

Which isn't to accuse your sister of being a perv with bad judgment, because that would be awfully rude of me. Just, you know, adding the data point!
posted by ErikaB at 9:25 PM on April 28, 2010

Some web browsers (I'm looking at you, Firefox) store information you enter, potentially including credit cards. Has anyone else been using her computer? Has she purchased anything while using someone else's computer?
posted by Joe in Australia at 3:03 AM on April 29, 2010

Im sorry let me reiterate - it is highly unlikely that by simply visiting the site in the browser (and not making a purchase) that stole her card number from somewhere on her computer and then charged fake (or real) purchases to it.

More likely her card number was stolen by other means, perhaps by using the an unsecured computer over an unsecured connection?
posted by bitdamaged at 8:43 AM on April 29, 2010

This could have been a case in which:

(a) she already had an account with, and has made a purchase from them in the past. stored her credit card info in her account (many shady and non-shady retailers do this to "help" you purchase next time).
(b) she is set to auto-login ("Remember Me on this computer") to with her account using a stored cookie to verify that she is indeed Ms. Chump.
(c) an XSS vulnerability in allowed another user to steal your sister's cookie, which allowed access to her stored credit card number and account permissions (and thus change the shipping address).
posted by benzenedream at 10:15 AM on April 29, 2010

« Older vaulted ceilings + air purifier?   |   What are the current realistic processing times... Newer »
This thread is closed to new comments.