Credit Card Fraud

My wife was hit by credit card fraud last week - somehow, someone managed to get her credit card number and used it to make charges to

  • AOL - setting up an email account in my wife's name that even used our actual address, phone number etc.
  • Register.com - two charges were made here which were subsequently reimbursed before we even found out about anything. I assume register.com discovered something fishy about the order and canceled it. It would've been nice if they had contacted us about this as well though.
  • A hardware-store. We lucked out because the store owner got suspicious of why a woman in North Carolina would order hardware to be delivered in another state and called us to verify, which is how we found out about this.

After a call to the credit card company, my wife's card was quickly blocked and the illegal charges were refunded to us, but despite the fact that we did not lose any money, things like this do make you wonder how secure credit cards really are, especially when used on-line.

The main thing we wonder is how they could have gotten the card-number along with her name, address and phone number. Considering the register.com order, my initial thought was that they may have sent my wife a spoofed credit card confirmation email or something, but I get way more spam than she does, and have not seen any spoofs purporting to be from this company. Besides, my wife is pretty smart when it comes to stuff like this and does not open unknown email-attachments or click on weird links, nor does she shop at unknown, potentially untrustworthy, sites.

So without knowing the source of the leak, it's hard to figure out what other information, card numbers, etc. may have been compromised, or whether there's a chance we'll get hit by this again... You can believe we'll be checking our accounts like a hawk from now on though...

TrackBack URL for this entry: http://www.hutteman.com/scgi-bin/mt/mt-tb.cgi/146
Comments

It's highly possible that the information that was obtained was not because of information that was given online. It's very easy for anyone at a retail store, resturaunt, hotel, etc. to get all of that information, any time they want to. I used to work at a hotel, and every person that worked at the front desk had access to all of the credit card numbers, along with names and addresses of all of the guests that ever stayed there.

With the security that is in place on most of the "retail" sites on the Internet, it's a lot safer than the "real world", most of the time.

Posted by Tom S. at June 14, 2004 2:44 AM

My fiancee had a similar thing happen to her recently, where suddenly our credit card was used to purchase on-line porn.

What we narrowed it down to was some removalists that we had used a couple of days prior. We paid them with credit card, and so they obviously took a copy of the number, knew our street address, and went from there.

The worst thing is there's nothing we can do to ensure they are punished. We can't prove it was them. And if we ring their company, who's to say whoever we speak to is legit? Just as likely they could come back to our house, with their removalist truck, break in, and take everything. So we say nothing, and probably other people get done with the same scam.

Posted by Andrew at June 14, 2004 2:55 AM

Luke, rest assured that although it is a small hassle to report the credit card fraud, you and your wife are completely safe. All you have to do is say "fraud" to your credit card company and they will refund your money. The last thing they want is for credit card customers to loose faith in the use of credit cards. The merchant, however, takes it completely on the chin -- I know from lots of experience :-(

Even when it is clearly the credit card customer committing the fraud (i.e. we shipped software to the same address on the credit card), if the customer says "fraud" we the merchant loose.

FORTUNATELY in this case both AOL and Register.com are public companies so this one fraud won't cause their children not to eat, but it sure hurts a small business (like mine) when someone steals a credit card which results in a chargeback. We've seen them for well over $2000. We then loose our cost of the product we sold (~$1800 on $2000) plus they hit us with chargeback fees of $30 each and threaten to cut off our merchant privledges if the fraud rate ever exceeds 1% of transactions, all after nothing about the transaction looked suspect and the credit card company previously gave us a credit card authorization.

Ah well, it follows the Golden Rule; "He who has the Gold makes the Rules." :-)

Posted by Mike Schinkel at June 14, 2004 4:03 AM

Luke,

If you haven't already, you should also think about placing a fraud alert on your credit report with the three major credit reporting agencies. That way, if someone attempts to create new credit accounts in your wife's name, you will have an easier time cleaning up the mess.

Posted by G. Andrew Duthie at June 14, 2004 8:35 AM

Luke,

My credit card company (Citibank) offers the ability to generate a one-time use credit card number on their web site. This has provided me great peace of mind when ordering things online from companies that I don't trust to protect my card number well. Your credit card company may offer a similar service which can help prevent credit card fraud.

Another added benefit is that it protects you from companies such as domain name registrars that get over-zealous about renewing your account automatically months before it expires.

Posted by Josh Christie at June 14, 2004 10:15 AM

I had something similar happen a while ago. What is really troubling is that now someone somewhere has your information and may be spreading it to others.

There is currently an on going investigation about my case. For more info, see my weblog.

Posted by Jeff Lewis at June 14, 2004 11:00 AM

I had that happen to me where someone got my card number. Ran up a $600 charge at a computer store that I could not even find as a real business. Atleast the bank gave me the money back ASAP. I kinda even wonder if it wasn't an insider job, because it was weird that the business didn't seem to even exist.

We did have a good experience at work where someone got the company card and tried to order 512mb flash cards and have them shipped to another country. Atleast we got a confirmation call to see what the deal was. After these experiences I actually like it when a company has a pain in the ass verification system to purchase goods.

Posted by monkeyinabox at June 14, 2004 2:58 PM

It seems very likely the register.com connection that caused the problem. Every domain name registration has enough information to allow a scammer to put together a very credible spoof of a domain renewal. Given that register.com spams the heck out of you as your domains come within six months of expiring - even to the extent of calling you on the telephone - no one could be blamed for not being able to sort out the spams from the scams.

Posted by Bob Foster at June 15, 2004 11:13 PM

Luke,

It seems the answer to this problem is to rely on more than card possession and knowledge of the cardholder's home address as proof of right to use the card. Using debit cards at brick-and-mortar stores that support entering a PIN code is one valid method. I also like the one-time-use credit card number feature. Maybe conducting transactions on-line needs to go through a trusted third party that does not expose any secure or private information about the purchaser to the merchant?

It is another case of trading convenience/efficiency for security...

When making purchases with credit/debit cards, we should all be aware of the security and privacy policies of those merchants.

Hope nothing further follows from this perpetration.

Cheers,

Charlie

Posted by Charlie Little at June 18, 2004 11:38 AM

I don't believe online use of a cc should require any more security than offline use. Think of when you eat at a restaurant, and your card disappears into the back for 5-10 minutes..where's the security?

That said, the very first online purchase I ever made, about a decade ago, resulted in a bit of a scare. A few weeks after buying some books online (at a storefront site that no longer exists) I went hunting for my email address at one of the major search engines (brand-new at the time) to see what traces I had left on the web.

To my great chagrin, I found my full real name, my address, my cc# and exp date all listed! A bit more hunting turned up about 60 other records, exposing other people's cards, that were indexed to the same online storefront.

VISA immediately issued me a new card, and there was no harm. However, getting the record out of the search engine's database was a bit more difficult. The search engine people did not repond to my emails. The merchant called and was apologetic for how their business records were briefly exposed to the engine's crawler, but he had no greater luck geting the search engine people to do anything.

VISA was worst of all; their customer service had no idea what I was talking about when I said "online purchase," and had no conception of what it meant when I told them some 60 customer records were exposed. It took several calls before I reached a service rep who was aware of a newly-formed "online security" department.

I was called by the VP of online security who thanked me for the information about the exposed records. He advised me that new cards would be issued all around. He also told me that the search engine people had advised him that they had built their engine with no means to edit its content! They were working on this, and hoped to have the content removed in a month or two.

I subsequently visited the site every week or so to see how it was going. It was 3-4 months before the entries were removed.

Posted by Robt Martin at June 21, 2004 6:02 PM

My wife and I got hit by attempted identity theft several years ago. We believe the social security numbers were leaked somehow through a financial company we do business with.

Best thing is to add credit blocks to your credit reports. It is sometimes a hassle when you apply for a new credit card or when we leased a vehicle, but it is a simple matter of speaking to the fraud department of the crediting agency.

But it has been a godsend to us to have this done. I especially want to thank Dell computers who first brought it to our attention because they were double-checking the order request.

Posted by Jim Widner at June 21, 2004 10:15 PM

This same problem happened to me. For our business we use a Schwab Debit card, I saw a charge appear on it for Aol, and I called support and was told this was a fraud issue. I canceled the Schwab card, but was so curious as to why no other bogus charges appeared except for the lone AOL one.

Posted by Gary at June 23, 2004 8:19 AM

RE: Credit Card Fraud

Trackback from Jason Nadal at June 28, 2004 4:36 PM

Luke,

This might not be much but everytime I sign the receipt, I always scribble on the last four digits if the receipt contains all 16digits of my creditcard.

-ron

Posted by Raj at June 28, 2004 5:11 PM

pls send me a credit card number and all the information on the card.

Posted by sodiq afeez at January 18, 2005 7:23 AM

I don't know what is worse credit card fraud/identity theft or the legal theivery that takes place with credit cards and home mortgages.

HSBC owns me like a slave, they purchased my credit cards, my home loan and they nag the hell out of me. I had a good mortgage company and they sold my loan off. I was able to payments online for just a few dollars, now HSBC wants $10, for an online payment. I'm going to the Michigan Attorney Generals Office, but beware these bastards are nasty. Don't due business with this England based company.

Posted by Ihatehsbc at December 17, 2005 8:13 PM

I fell into a scam for which I was unknowingly charged by my credit card company, HSBC. I just discovered it today 12/31/05. And, forget HSBC's fraud department. The HSBC agent at its customer service phone number told me that the two companies were HSBC third party venders. I got a check as if a "dividend" or "rebate" from HSBC, also known as Household Finance, the credit card you get when you apply for credit at BestBuy stores.

I received two or three $2.50 checks which I endorsed and cashed at my bank. I must have signed something with very fine print from HSBC third party vender "Buyer's Advantage," that charged my HSBC account $89.99 and HSBC third party vender "Complete Home" that charged $99.99.

Tonight, the HSBC credit agent told me he couldn't do anything about it but for me to call the two venders next week to stop the membership. He couldn't assure me if I would get a refund from either "vender."

BUYER'S ADVANTAGE is at http://www.buyersadvantage.com/# It's ad says, "Join Now and enjoy a 1-month trial membership for $1 AND get a $20 Circuit City® Gift Card!" I remember getting a $25 BestBuy gift card just for making my first payment. Guess what, I didn't notice that the charge was made in early October 2005 and today is New Years 2005. "I think" the one-month trial period has passed and so I'm a member but don't ask me of what because I have no idea. When I called their 800 number, I was asked by some machine if I wanted to know about my benefits, among other things. When I said yes, "sorry, we're closed for the holidays."

COMPLETE HOME is at http://www.completehome.com/global/scripts/Content.asp?content=help%2Fmembership&SID=0E2B210526D146473bf4661934366a81 I was charged $99.99 by them on the third of December, but I can't stop "my membership" within the month because the month will have expired by January 2, 2006, and, unfortunately, their office is also closed for the holidays. I think businesses open on January 3. Too late to cancel my first-month trial, but I might get some money back for the period not used in "my year membership."

The COMPLETE HOME site is "cute:" "Members are in the know! Get the answers you need regarding your membership and the services it provides. Require further assistance? Choose from the additional "help" areas listed below." No one told me anything about a membership nor was I informed of their web site. Duhhhhhhh!

Am I stupid or what. But give me some "credit," I didn't fall for this new scam which may not be from a HSBC vender, but it happened soon after getting the HSBC card. Get this, I got a check for $3.25, dated June 2, 2005, from "Credit Card Protection Agency, Inc, Preferred Cardholder Division, New VISA® and Mastercard® Department" to be paid "To bearer or (to me, my printed name and address)."

The "protection" agency even includes a self-address stamped envelope. An accompanying slip says: "Fill in valid credit card number on enclosed check and return it in the enclosed envelope today...POSTAGE IS FREE...Processing Center." The check has four VOID stamps on it, has a bank ID 75-1131/919, FSMC, an affiliate of First State Bank, Lake Lillian, MN 56253.

See the "protection" agency's critic circle at http://www.able2know.com/forums/about47598-20.html

I searched the net for First State Bank of Lake Lillian. Guess what, another person who also got a check wrote at http://www.straightdope.com/classics/a3_167.html: "A few weeks ago I got a check for 25 cents from Illinois Bell. The check was drawn on a bank in Lake Lillian, Minnesota. Do you know how obscure Lake Lillian is? (Of course you do. You know everything. I'm just asking rhetorically.) It's so obscure it's not in the Minnesota key to my road map book, which includes such metropolises as Dundas, population 422. It's so obscure the person I talked to at the Minnesota tourism office couldn't find it on her computer (she said to call back when Jerry gets back from lunch). Why would a major corporation have its checking account in such an obscure bank when there are lots of banks right in the neighborhood? --V.M., Chicago"

DON'T SIGN ANY REWARD CHECKS!!!!!!!


Posted by Gulible at January 1, 2006 3:45 AM

Probably a bit late for posting on this particular entry, but I just found it. The fact is that the bad guys could have gotten that information from just abobut anywhere along the chain where it was used. In 2005, over 40 Million account numbers along with name, address, phone number, expire dates, and security codes were stolen or compromised by one transaction processor alone. Those accounts are not closwed unless fraudulent activity appears on the account.

Posted by Tom Mahoney at February 23, 2006 4:38 PM
This discussion has been closed. If you wish to contact me about this post, you can do so by email.