Have both cards been used at the same location of any store in the last month? The most common cause would be skimming, either deliberately (someone running your card for later at a restaurant or the like), or attached to a gas pump or the like.

Or, in other words, I'd recommend against thinking of it as "Two separate hacking incidents", since they could've had your card for a while and not run them until now, in sequence. Or if your cards are linked, invalidating the first card could've just had the fraudulent merchant get the second card's info from your bank and rinse/repeat.

If you're not on chip-and-pin, you should make efforts there. Otherwise, the usual caveats about debit vs. credit cards apply, and I like having a separate card for recurring/subscription items vs. the "exposed" card that ever sees public use, to limit the amount of account-swapping I have to do.
posted by CrystalDave at 3:37 PM on August 4, 2020 [2 favorites]

Well my first guess would be that a vendor got hacked, did you use the two cards at the same online or in person store? Especially if it's a smaller company?

Next most likely is browser-based malware, especially if you used the auto fill on a website. Firmware updates won't do anything about PC malware, you'll need to install something like MalwareBytes to take a look. In general, think about anything on common with how you used the two cards
posted by JZig at 3:37 PM on August 4, 2020

Check yourself and your spouse in Have I Been Pwned? and Pwned Passwords. It's possible both of you turned up in a data breach. Similarly, if either or both of you use the same password across multiple sites, one of which is your financial institution, PLEASE stop and please get a password manager.

Freeze your (plural) credit. Good idea on general principles, even more important post-hack. Free -- ignore the touts for pricey "credit-monitoring services" that the credit bureaux will shove at you.

I hate to bring this up and I hope it is not the case, but -- evaluate the chances that a family member is the root of the problem.

Any chance you and spouse use the same gas station? Check the news and the local police blotter to see if a skimmer has been reported there.
posted by humbug at 3:58 PM on August 4, 2020 [2 favorites]

I'd suspect a vendor you used the card at has a security problem (a specific chain of gas stations in my area were particularly affected recently). I've solved this security issue by *NEVER* using a debit card unless I'm withdrawing money from a bank ATM. Using debit cards as credit cards at points of sale is a high risk behavior as getting debit card info can allow a thief to clean out your entire account and banks don't always immediately return that money to your account. I've had friends struggle for months with their bank to get their money returned. Credit cards at least have protections and you're not responsible from fraudulent charges.
posted by quince at 4:54 PM on August 4, 2020 [6 favorites]

Several months ago, during a transaction with a small-time online merchant who's particular identity I haven't been able to ascertain, my personal information including my name, email, physical address, official gender, and phone number, was scraped by a 3rd party affiliate tracker I had never heard of and never had any dealings with, and stored in an unsecured AWS database, which was subsequently stolen, sold, and posted all over the web. Since then every. single. one. of my credit cards has been fraudulently used, all over the country. It has been a huge pain in the ass and I hope extremely bad things happen to the C-level executives of Straffic and the people responsible for it.

So it's quite possible you did nothing to cause this other than buy something online months ago.

What I've done is start using virtual CC numbers and/or more PayPal. Good luck.
posted by glonous keming at 5:12 PM on August 4, 2020 [1 favorite]

Something like this happened to one of my coworkers. It finally turned out that the building super was illegally entering tenants' apartments and stealing their credit card details. (!!!)

Consider whether there's anyone who might have physical access to your cards.
posted by mekily at 6:12 PM on August 4, 2020 [3 favorites]

Credit/debit card numbers are much more commonly stolen via skimming (device installed on an ATM, gas pump, other POS system where you swipe your card) or via humans who temporarily get their hands on your card (like at a restaurant) photographing, scanning, or writing down the numbers. Card numbers can also be stolen when someone hacks into an online store or other place where you paid online.

I've experienced multiple instances of me and my partner or roommate having our cards compromised around the same time, and in two cases we were able to trace it back to a single restaurant in our neighborhood that we frequented. In the 3rd case, it was because a small business website we'd both bought from was hacked.

Those things are much more likely to be the culprit than someone having hacked into your personal computer on your home network to obtain the information. So while regularly changing passwords for personal devices on your home network is always a good idea--as is never storing your credit/debit card numbers in plain text on any personal devices--this probably isn't how your cards were compromised, so you don't have to worry about other things on your personal devices and home network being compromised.

You can better shore up your financial and personal data security by:

* Making sure you're using unique, strong passwords for all your online accounts where your financial info is stored (unique is important--if you're using the same password at Amazon and your bank, someone who hacks your Amazon account can also get into your bank account--and they do try all the banks to see if you have an account with a matching password). Use a password manager to make this much easier on yourself.

* Check any plug-ins you might have installed on your browser, and check any authorizations you've granted to apps via Google, Facebook, or other sites that commonly integrate with third-party apps and trackers. Disable anything you don't recognize, or don't use anymore.

* When making purchases online, stick with established companies with secure websites. Make sure the URL is real (and you're not buying from, like, www.traget.com or homedepot.biz), and check your browser's site security indicators (usually a lock icon in the address bar)

* When making a purchase on a website you're not 100% certain is secure, either just don't do it, or use PayPal (and again, make sure you're not clicking on a link that takes you to pyapal.com)

* See if your bank and card issuers offer virtual card numbers, which are an easy way to pay online without giving your actual card number out

* Be vigilant about looking for skimmers anytime you insert your card into a reader of any sort

Getting compromised because of humans being jerky thieves and large companies getting hacked are much harder to prevent--they happen, they're just a cost of doing business with credit cards in the world and online, and bank fraud departments are set up to handle fixing it for you when you report it. As others have said, if it's at all possible, dealing with this when it happens again in the future will be much easier if you're able to use a credit card rather than a debit card.
posted by rhiannonstone at 8:11 PM on August 4, 2020 [4 favorites]

I use a debit card for online purchases, but only with well-known and reputable vendor sites (everything else is PayPal, direct deposit from my bank or GTFO) and only because my wonderful bank makes it really really easy to set up multiple internal accounts, only one of which is linked to my card for external access.

I am also quite religious about browsing only with uBlock Origin and NoScript both active, and using KeePass to generate and store all my usernames and their long, unique passwords along with the URLs of the site login pages those credentials are for, and doing all my computing on a machine that isn't running Windows.

27 years online, never been hacked. Scammed by an Amazon Marketplace vendor once, yes, but not hacked. And Amazon made me whole afterward, as they said they would before I even contemplated using a Marketplace vendor via their site.
posted by flabdablet at 11:45 PM on August 4, 2020

I've solved this security issue by *NEVER* using a debit card unless I'm withdrawing money from a bank ATM. Using debit cards as credit cards at points of sale is a high risk behavior as getting debit card info can allow a thief to clean out your entire account and banks don't always immediately return that money to your account.

Many of us struggle with debt or identity fraud or credit issues or that preclude us from having credit cards, so this advice is a bit "*NEVER* be poor!" You can conduct debit card transactions in complete safety if you have two accounts. We transfer funds from our primary bank account (which has no credit or debit cards attached to it) to our debit cards on a per-transaction basis.
posted by DarlingBri at 2:53 AM on August 5, 2020 [2 favorites]

Putting a virtual service like Apple Pay/Android Pay between you and the merchant is helpful. The last time my card got skimmed, I knew exactly where it occurred, because it was the only merchant in my recent purchase history that didn't have contactless payment options. Quick call to my credit union stopped the card as soon as we saw the first fraudulent use. (And we stopped shopping at that merchant!)

If the store offers their own standalone card, that also works. Target is the biggest local supermarket/dept. store chain, their "RedCard" has a debit option that just links it to our bank account. Payment through this card (a) uses a scanned barcode from my phone, instead of a physical card [I can use the physical card but choose not to], and (b) if the card were ever compromised, my actual everyday use debit card would remain unaffected (unlike the last time Target got breached, when my wife's card and mine were blocked by our credit union due to potential exposure; we lost all ability to pay for a few days while new cards were sent. We were not personally affected by fraudulent use in that case, but our credit union is overly cautious - which I feel is a GOOD thing!)

Last resort would be a credit card that has solid anti-fraud measures. If you're an Apple person, and if you qualify, the AppleCard has been great for times when I need to use an actual card but don't trust the situation (think "this is the only gas station and it's either risk a skimmer or start walking", or "yes it's an airport kiosk but forgoing coffee is not an option" - that sort of thing). No physical number on the card - requesting a new number takes seconds from your phone. Virtual number and pin for online purchases that can't use Apple Pay as an option.

I would not recommend "get a credit card!" as great starting advice for a number of reasons (Examples: how many people in my generation finished college with massive credit card debt because they gave them out like candy on campus? Do I actually WANT to send business to Name Of Bank? And telling someone to get a card when they may not have the credit to qualify is tone deaf.) There are perfectly good reasons to either NEED or WANT to stick with a debit card - our primary cards have been debit for decades. But if it works for you, it can be another weapon in your anti-fraud arsenal, depending on the card. I do hope that the anti-fraud features of the AppleCard bleed over into other vendors.
posted by caution live frogs at 7:06 AM on August 5, 2020

This thread is closed to new comments.