Credit Card Fraud
Quaver - 29-6-2017 at 13:33
Someone used my credit card at Tescos for £150 last week.
It is a rarely used card, and the Tesco is not my local one (but same county).
The bank has cancelled the card and is going to refund me in full.
What I don't understand is how they got my card number and PIN.
And how did the bank know it is a real fraud?
And why did the thief only use it once?
The physical card hasn't been stolen, and hasn't been used for a while.
Amazon and a few other sites may have my card details, but not PIN.
John_Little - 29-6-2017 at 13:41
Glad it turned out ok. How did you get to know about it? And if you find the answers to your questions, pass them on to us, please.
Quaver - 29-6-2017 at 13:46
I went onto my online banking and found the suspicious Tescos transaction.
It is not my usual credit card, so the transaction stood out.
JackInCT - 29-6-2017 at 14:16
It's a complete waste of time as to how the crooks got your information as it's impossible to trace that backwards.
I've had this happen to me, and MY best guess is this: some site that I used my card with was hacked, and although all sites claim to be secure
re online financial transactions, in the real world that's baloney AKA a lie. So when the site was hacked, even though they claim that credit card
stuff is NOT stored, it really was, and the crooks got hold of it when they penetrated the site. In the real world most retail sites don't have the
horsepower staffing wise to really comprehend what they are buying re setting up an online sales operation, and even if they do, setting up such an
operation is cost driven, i.e., spending as little as possible on the gear, to include monitoring its operation for bugs/holes.
Katzy - 29-6-2017 at 21:07
Our cards got hijacked, a while back. The Halifax noticed before we did. Got everything reimbursed and quickly, with it.
Apparently, they also managed to nick the tea leaf, too.
marymary100 - 1-7-2017 at 22:05
Next level CCV
dr john - 3-7-2017 at 12:23
As someone who has made several online shops for clients, I have to say your post is generally wrong!
Credit card companies will no longer support online shops which do not use a secure payment gateway.
The vast majority of online shops DO use secure servers, and most do not store card details. Almost all connect you with a secure payment gateway
which processes the card on their servers, and checks with the card issuer as well if the card has set up such a service. The card is NOT processed in
their online shop at all. So THEY don't need the manpower to make the processing secure.
Payment gateways are big financial businesses which exist to make things very secure, and as they are used by millions of companies to keep their
shops secure, they have plenty of funds available to keep things secure. They take their 1 - 4% fee from each transaction they process, and make
their millions that way.
The ones which do store your card details are very big companies which have lots of repeat sales, and as has been seen recently in the UK, once they
set up their secure system and storage, they don't always update it often enough, or miss out one bit that allows skilled hackers to get in. So most
small to medium sized online shops are actually more secure, as the payment gateways spend a lot of time improving things.
The commonest way to have a card's details stolen is for an OFFLINE shop or restaurant to swipe it through a card reader that stores all details for
later use, then swipe it in the real one that carries out the transaction - a petrol station at a town I often visit was the source of a lot of
illegal purchases, until the part-timer doing this was caught. Luckily it never happened to me.
If the card reader is not brought to you to use in a shop, or is not fixed in place on the counter, but instead the person serving takes it away to
swipe it, then there is a risk of the card being swiped in the illegal card reader before the legal one.
The other way the details could be stolen is an online shop set up to steal data, deliberately storing the data before passing you on to the payment
Or an offline shop has a card reader in their office with the "buyer not present" option and they get an email from their online shop with the card
details. This is an old-fashioned way for a shop to work (beginning of the century style), and if used now, the shop owner is probably pretending they
don't have an online shop to the card processing company. And if they have a crooked employee, they can see all the details in the email.
Most card companies get suspicious if a lot of "buyer not present" purchases are processed, and would check to make sure there is not a website
shop, and demand full security checks or the card reader is disabled - this happened to some of my clients about 10 or 12 years ago (and the checks
introduced then are so tricky to comply with) so they switched to a payment gateway, and since then all shops I've made have used the payment gateway
So in this case it could have been data lifted quite some time ago and sold on recently.
I solve the hacked card number problem by having two cards. One is exclusively for buying online and has a much lower spending limit than my regular
card. And I've refused upgrades to a higher limit several times as well. So transactions on the online card are easy to check and oddities stand out
very clearly. So far there have been no problems. I strongly suggest everyone should have two cards with a low limit one for online only. If either
card gets hacked, get it stopped, and switch to the other one while waiting for the replacement card.
dr john - 3-7-2017 at 12:32
A friend got hired when a similar device which changed the number for access to a very secure system every minute got its clock out of synch with
the remote server! So you were always entering the last number or the one before that, instead of the one on the server. There were dozens of people
locked out of the system, and the number was increasing slowly.
They set up his own special remote access on a brand new device (so it was in synch) and gave him a couple of out of synch devices to work with. It
turned out to be a fault in the devices, not the server.
LSemmens - 3-7-2017 at 12:58
Thanks for an interesting and comprehensive analysis of the state of play, John.