is this legal
March 10, 2012 8:22 PM   Subscribe

Unauthorized credit card charges, how did they get my credit card number?

About a year ago traded in some airline miles for magazines using the MagsForMiles program. Now I just got charged $250 by a company I never dealt with called for a renewal charge on one of my credit cards. I never used a credit card for travel on that airline, it is all done via purchase order. I never gave the credit card number to the magazines, MagsForMiles, or newsubmagazine. Is it legal for a company to charge a credit card in this way?

I called newsubmagazine and they said that they would refund the money. I truly do not trust the company at all. If you do a search on this company, there are many complaints.

I called the credit card company and told them to cancel the card and that the charges were unauthorized. The said they would check with the vendor.

newsubmagazine is in Columbia.

So, what kind of scam is this? How did they get my credit card number? Will they just charge another credit card? Is there an agency I can complain to? When I had unauthorized telephone charges I was able to report the company to the FCC, is there a similar agency for this kind of problem?
posted by wandering_not_lost to Law & Government (10 answers total)
You would be surprised at how many sources there are for very sensitive information. The market price for a credit card or Social Security number is a less than a dollar, sometimes way less depending on what kind of information comes with it: billing address, name on the card, CCV (the 3 or 4 digit number on the back), etc. As I understand it, usually it is legitimate merchants with sloppy data storage practices that have their computers broken into, either by outsiders or unscrupulous employees. So everyone who bought something from that merchant becomes a victim.

The company in Columbia may or may not be in cahoots with the thieves, certainly my first call would be to the credit card company, not the merchant. It's important because a refund will not count against a fraudulent merchant, but too many chargebacks and they will lose their credit card merchant account.

It's good that you reported unauthorized charges to the FCC, but there is no equivalent in this case; foreign merchants are not bound by U.S. law, and the only recourse you have is your credit card company. It would be a surprise if they had another of your card numbers available to charge.

The credit card industry is (slowly) taking steps to ensure that your information is secure. For instance, you may have noticed that only the last four digits of your card are now printed on receipts, and all the other numbers, as well as the expiration date, are blocked out. There are also new standards for merchant computer systems.
posted by wnissen at 8:59 PM on March 10, 2012

Two or three times in the last few of years, hackers have made huge raids on merchant computer systems and gotten away with millions of credit card records. For instance.

There was also the TJ Maxx break-in.

Those were a while ago, but new ones happen all the time. Like as not your card information got picked up because some store you deal with was careless and got their computer system hacked.
posted by Chocolate Pickle at 10:27 PM on March 10, 2012

Another vector to consider: because credit card numbers are assigned via set, publicly-known patterns (the first number of your Visa card is a 4), there's software available on the black market that will auto-generate lists of potentially valid numbers. Feed one of those lists into a poorly coded e-commerce site that doesn't verify against billing address or have a lockout for invalid number entries, and you can winnow down your list of potentially valid numbers into a list of numbers verified to be active, with their associated expiration dates. Probably not what happened in this case, but it's something to keep in mind.
posted by radwolf76 at 12:52 AM on March 11, 2012

A phone call to the credit card issuer is not enough. You need to send your notice of the unauthorized charge in writing, within 60 days of receiving the bill if I remember correctly. The card or the issuer's web site will have details.
posted by yclipse at 5:20 AM on March 11, 2012

I work in e-commerce and therefore literally have nightmares about card security sometimes. The methods everyone has mentioned above are how random scammers get random card numbers and then charge things with them. Usually the company whose name appears on the statement is legit (and another victim, because as soon as you do a chargeback, they'll lose the funds plus on average $25 in service charges. Also, chargebacks are like speeding tickets for a merchant - one every now and then is no big deal, but if they keep happening you can get your rates increased or lose your merchant account).

Anyway, yes, companies can buy an uncomfortable amount of info about you if they have some of your address info, but credit card numbers are not one of them. Card data is so segregated from the rest of your info it's not even funny.

The "free trial" thing on subscriptions or memberships usually works this way - you have to give them your CC to start the "free trial." It's generally "legit" in that they don't charge your card for the trial period, but they're counting on you to forget, and it's usually harder to cancel than it was to sign up. AOL made a ton on this deal back in the day, and generated a lot of hate for it too. If that is this company's business model, they're undoubtedly generating the same heat, but that doesn't mean they're totally crooked.

Are you sure you didn't give them the CC in signing up originally? And are you positive that the company that you did the trial with is the one that billed your card, for that matter?

Either way, I'd contact the company that billed your card and give them a chance to refund it, if you have a way to do so. Explain that you get a refund or you do a chargeback.

If you can't contact them or they don't make it right, call your bank and tell them you want to do a chargeback. They'll ask questions and ask you to sign an affidavit, and you'll get your money back 99% of the time.
posted by randomkeystrike at 6:05 AM on March 11, 2012

On re-read that you've already contacted the merchant and your bank - if you don't see the credit in 4-5 days, keep pressing about the chargeback. They will not have cancelled the account; they will just have deactivated it for more charges (if they even followed your instructions).
posted by randomkeystrike at 6:07 AM on March 11, 2012

You should complaint to the FTC about this, not he FCC.

Until recently, it actually used to be legal for companies to pass your credit card info between each other in the course of making a purchase. You would buy something online or on the phone from company A, and they would sneak in an upsell from company B for a different product. You might never notice the upsell, in part because you did not have to re-enter your credit card info. This is now illegal in most cases in the US.
posted by yarly at 7:53 AM on March 11, 2012 [1 favorite]

It's possible that this is an example of negative option billing. When you used the MagsForMiles program, you may have been signed up for addition services even if you didn't opt-in. It's not the most ethical of practices and it can be hard to spot, even if you read the fine print.
posted by allen.spaulding at 8:00 AM on March 11, 2012

It is more likely that they got A credit card number (along with many others), that happened to be yours. Either by buying a list of valid, active card numbers, or by generating numbers that are valid and hoping for the best.
posted by gjc at 8:53 AM on March 11, 2012

$250, out of the blue? And they answered the phone? Weird. Either the magazine deal was a negative-option situation, like allen.spaulding, or they received stolen property. The FTC would be a good agency to talk to about this.
posted by rhizome at 9:21 AM on March 11, 2012

« Older help, please   |   How do I speak to my dad when his crazy thoughts... Newer »
This thread is closed to new comments.