A few days ago, I was checking my Amex Blue credit card online for my recent transactions, as I tend to do maybe once a week. I noticed a charge that I couldn't remember making, from McAfee.com, referencing some kind of McAfee Clinic service. I never ordered *anything* from McAfee.

So my first reaction was to initiate some kind of fraud investigation, but they don't let you do that until your statement has closed. So then two days later, while I'm out of town, another charge posts to my account from RegSoft.com. I think I might have used RegSoft at one time in my life to buy a shareware product, but if I did, I didn't use this credit card to do it, and I never authorized any follow-up charges.

So this second charge made it clear that there was fraud going on, so I called up to have my card cancelled. Meanwhile, apparently there was another charge for for "AOL Service." I wouldn't touch AOL with a ten foot pole.

In talking with the CS rep, it appears that several more charges were attempted since I've cancelled the card. I now have a new card number, and will be disputing those charges.

So, has anyone else ever had this happen? Any interesting stories? Any horror stories? As far as I know this is the only card of mine that's been used fraudulently. The thing is, these aren't rinky-dink companies, and they should be going through some kind of verification service. So the thief obviously has my name, address, etc. in addition to just the # and expiration date. Is there ANY chance that I will learn who has obtained this info and how they obtained it? Amex will launch some kind of "fraud inquiry" and I really need to find out how this thief got access to my personal information. Any chance that'll happen? I'm no longer worried about my Amex card, I think that's safe now, but someone has gotten access to my info, and I'm starting to get worried about serious identity theft.

I have a few friends who have had this happen - on Amex, bankcards or other plastic - generally it happens due to the fact that very few of your personal details are actually checked by most organisations, although there should always be decent checks.

It's so easy for folk to get your credit card number these days. Even at some local shops, the till displays it along with expiry date and anyone can memorise a 16 digit number.

The upside, at least in the UK, and probably elsewhere, is that the onus is generally on the bank to prove you did make the transaction, so none of my friends has been hurt by this (other than indirectly through higher charges, I guess)

When Blue first came out, Amex had an employee who kept phoning us to get us to convert - to which we kept saying no. After a while, we got a phone call from a differerent employee wrt to 'our' blue card (that we had never seen). It turns out that the first employee was bent, and had signed us and a few other people up for a blue card anyway with a different address. Amex had caught on to them somehow, and were working with the FBI. They were phoning everyone who they thought may have been hit.

Never heard anything more about it beyond them changing our regular Amex card numbers to further protect us - no bills, no negative credit references etc, so they sorted it out satisfactorily.

Two years ago I got a call from my Master Card's issuing bank's credit card security office asking if a $10 online charge to a firm in Russia was legit or not. Since my HD had died three days before I knew I hadn't been charging any misc. shareware. They cancelled the card, reversed the charge, I got a new one two days later and it's been all good since. I was really impressed. USAA Federal Savings Bank, btw.

-Zeke

It's been a few years since I've dealt with credit card verification, and even then only peripherally, but the information needed to prove to the credit card clearing houses that you are you is pretty slim. Basically, they just use all the numerical information in your address slapped together. That is, if you live at 123 Elm St, Apt 54; Anywhere, NC 27587, then the only information they need is 12354 and 27587 (they keep the zip separate so that they can deal with zip and zip+4 without issue). I forget how fractions work, but, basically that's it. So all a thief needs to know is your address, and they could figure that out by looking in the phone book, once they have your name and CC number.

I wouldn't worry about the theives knowing your personal details. They just got your card number somehow and they've been making online purchases with it.

Note that all of the online purchases you listed were ones that don't require delivery to a physical address. For instance, they used your card to purchase/register some downloaded software online. So catching them is unlikely and you've probably done everything correctly to deal with the problem.

Hopefully Doug Burnside will hop in here and describe his experiences in this area (I believe the same thing happened to him once).

I'm surprised that they didn't make a bunch of charges for porn sites. That's what the script kiddies usually do.

I've had the exact same thing happen to me, and even though I could give them exact addresses of where the computer chess game (high quality crimals, I tell you) was shipped, they weren't interested. My bank credited me the $50 and wrote it off as a cost of doing business. (Now, this was an account I didn't ever use, so the $50 caused it to bounce, causing all sorts of pain and suffering on my end).

One interesting detail is that when I called up one of the discrete companites listed on my bill under some meaningless category and asked who they were, they immediatly offered to credit me my $2 back. I had to dig deeper to find out that I was cancelling my subscription to webvergins.com or whatever.

Matthew

Empeg received many dozens of fraudulent orders with matching credit card numbers and billing addresses. The delivery addresses are always substantially different - usually in the former soviet union.

Hackers get those details from poorly secured etailers. One huge (as big as a rain forest!) etailer threatened to sue me if I linked them with a major fraud attempt that we experienced, and then DIDN'T FIX THE SECURITY HOLE until The Register broke the story several months later. I had identified them as the only common link, and worked out specifically which of their sub vendors was the problem.

Despite all this I buy almost everything over the internet, from groceries to PC's. Consumers are protected by their card issuer - it is the victim retailer that loses out in every case. If it's a western country the police are sometimes interested but their investigations last months or years and you never get back your money or goods.

Rob

"One huge (as big as a rain forest!) etailer"

Like as big as the Amazon?

This happened to me on my Capitol One card. I saw 2 bogus charges - one to AOL and also to some webhosting company. I promptly called both to investigate.

AOL had a great fraud department and found that the application which used my card had random data in all of the data fields (name, address, etc) How my card passed through that one is a mystery to me. Anyway, they refunded my card the ~$30 fee.

The webhosting company was just amazed that it happened. I requested logs and info about which domain was purchased with my card, but they never followed through on anything.

Capitol One was really good about it. They refunded me and gave me a new card. I doubt they ever did much further than that though. I would have liked to have found out which bastard got my card number, etc.

Here's a completely unrelated link to a story at The Register.

Gareth

Absolutely love this quote:

At least one merchant known to us experienced "a spate of credit-card fraud starting late last year," at just the time when Bibliofind's security breach began.

Items of between $1200-$2000 in value were bought with valid US credit cards and ordered "to be shipped mostly to eastern-European destinations."

Our sources, who requested that their identity be withheld, explained that their operations manager "got suspicious and phoned the cardholders concerned, who confirmed that they'd not placed any orders."

Gee, I wonder which merchant that was.

Gee, I wonder which merchant that was

I guess sometimes it's difficult to see the wood for the trees.

Hopefully Doug Burnside will hop in here and describe his experiences in this area (I believe the same thing happened to him once).

Twice, actually.

Both times the CC information was compromised when I sent it via non-encrypted email to businesses from which I made purchases. People hacked their email servers to get the information.

The first time was a real criminal genius who used the credit card numbers to make long distance phone calls -- didn't take the police too long to track him down.

The second time the perpetrator didn't have quite enough information: He had my first initial but not the full name, so he attempted to make about $30,000 worth of purchases in two days as David, Darin, Donald, etc. and none of the purchases went through. The bank caught on pretty quick and cancelled the card.

I no longer send my credit card number through emails, but have no problems sending it to encrypted sites. If encryption is not available, then I make them give me a phone number and give them the numbers that way. If they won't do that, then I shop elsewhere.

tanstaafl.

Thanks for sharing your story, Doug. I am very sure that my credit card number has never gone through anything other than an SSL-encrypted channel from me to those I've done business with on the Internet. I write security software for a living so I'm reminded daily of how many people out there are looking to break into things and get information.

The only possibilities I can think of are:
1) The "old school" method of dumpster-crawling for a CC# on a receipt.
2) A cashier/waitress at a restaurant or other business getting my info from their copy of my receipt and then using it.
3) One of the merchants who has my CC on file (not many, I rarely select that option, but sometimes they don't give you a choice) had a database hacked, or had some inside fraud going on.

Anyway I seriously doubt I'll ever find out who did it... As long as the charges are reversed I'll be happy. My one hope is that it's an isolated incident and that I'm not headed for some kind of identity theft.

Consumers are protected by their card issuer - it is the victim retailer that loses out in every case.

Here is a tale of woe to demonstrate that.

The owner of the stereo shop where I do all my business was all excited early this summer -- he had been contacted by a retailer in Maylasia who was looking for some high-end stereo equipment that was difficult to get over there. The retailer told my stereo shop owner that the distributor for the equipment had told them that my stereo shop had this equipment, and would he be willing to sell it to them at full retail -- they needed it immediately.

Payment was made by American Express, and the Maylasian faxed him pictures of both sides of the card. American Express verified that the card was valid, and $13,000 worth of stereo equipment went off to Maylasia via Federal Express.

So far so good -- until the real owner of the credit card (somewhere in the midwest part of the US of A) declined to pay for purchases he had not made. And American Express of course wanted nothing to do with it -- since the stereo shop had not had actual possession of the physical card, but instead only pictures of it, the small print said it was the stereo shop's problem, not theirs. Turns out that the pictures of the credit card were created from scratch with Photoshop or something similar.

An expensive lesson to learn. Two lessons, actually: (1) If a deal seems too good to be true, it probably is; and (2) Credit card companies protect the cardholders, not the merchants.

tanstaafl.

I no longer send my credit card number through emails, but have no problems sending it to encrypted sites.

Even this isn't enough sometimes.

If my friend Tod happens to stumble across this thread, he can relate a situation where his credit card information was sent through clear-text email, even though he went to an encrypted site to place the order.

Here's how it worked:

The encrypted site was just a "storefront" that had no credit card processing capability. Although they didn't go to the trouble of telling their customers this fact, and it looked like it was a fully-encrypted site because the proper "secure" icon appeared on the browser window.

In fact, this site didn't even handle the merchandise. They simply forwarded their orders, and the credit card numbers, to the real processing center. The way they did this was via clear text automated e-mails to their processing center.

Normally, Tod wouldn't have known about it if it weren't for the fact that, when he placed his order, the real processing center was having mailserver trouble. And because of the way they handled the orders, the return address on the email was the customer's address, not the storefront's address.

So, Tod got an "Undeliverable mail" bounce of clear-text email that contained all of his personal data, the details of the order, and his credit card information.

Needless to say, he wasn't happy about it. Nothing bad came of it, but it makes me wonder how many other e-tailers do it the same way: lure you into a false sense of security simply by using an SSL order form page, but then they're careless with the data at the back end.

Here's a crazy one for you!

Last week, I was looking over my online credit card statement. (Conveniently, this card has a web site where you can view transactions up to the last business day.)
I noticed a charge of around $18 for a pizza. I recalled buying a pizza from this same pizza place over a month before, when I was over at a friend's house - but not since then. I double-checked, and yep - they already charged me for that pizza last month, so this was a new charge.

I filed a fraud complaint, but then I realized what really happened. When I ordered the first pizza, they updated their computer to link my card number to my friend's house address (without asking me first!). Then, when my friend ordered his own pizza last week, they charged it to my card number, on file, instead of to his own card!

Tell him he has to hand-deliver you a pizza tomorrow.

Yeah, I once had a bad experience buying some stuff from A2Zcomputers 'securely' online. Because I had ordered over $1000 of gear, they emailed me back a signature request form, including, in plaintext all of my relevant details - name, address, CC number etc.

That was bad enough, but what *really* pissed me off was the fact that they couldn't even be arsed to send one email per customer. They bundled 3 such requests up, and mailed them in one email to the 3 customers.

Amaterish. And needless to say, the last time I ever dealt with A2Z. Fortunately I haven't notice any extra charges due to this, and it was over 2 years ago. I guess that the other 2 customers are generally good and law-abiding too.