Author Topic: Why am I doing that's causing my credit cards to get fraudulently used?  (Read 4924 times)

0 Members and 1 Guest are viewing this topic.

Offline engineheat

  • Regular Contributor
  • *
  • Posts: 187
  • Country: us
Twice this year, I had to cancel my credit cards due to unauthorized use, usually by someone out of state. I'm trying to pinpoint the problem but I'm not an expert on technology.

I make purchases online and pay my bills online, and I only do this at my home wifi, which has a password. Could it be that unscrupulous site/vendors can use your credit card information? It seems someone with your numbers can make a fake card and use it at physical locations, because that seems to be the case.

Or is it because Chrome stores your credit card info and that gets accessible when you use a public wifi later, even if you are not doing any shopping?

Thanks
 

Offline ataradov

  • Super Contributor
  • ***
  • Posts: 6342
  • Country: us
    • Personal site
If you know the card number and expiration date, you can definitely make a physical card with a magnetic stripe. Chip cards are harder to fake, but until nobody accepts striped cards, chips are useless.

I generally, don't give the card number to small sites with unknown reputation. They either have PayPal option or don't get my business.
Alex
 

Offline wraper

  • Supporter
  • ****
  • Posts: 11057
  • Country: lv
More likely it was skimmer at ATM or point of sales.
 

Offline GerryBags

  • Frequent Contributor
  • **
  • Posts: 334
  • Country: gb
More likely it was skimmer at ATM or point of sales.

Yes, they've got very good at making them hard to spot when you're standing in front of a cash-point (ATM) in a hurry. I got caught twice in the last year I was living down South. Then you've also got to watch for fake refund phishing expeditions if you use Ebay these days. I never use links in Emails any more.
 

Offline wraper

  • Supporter
  • ****
  • Posts: 11057
  • Country: lv
I just hate those stupid "anti-skimmer" devices banks place on many ATMs. Because of that crap you never know for sure is it's really an anti-skimmer or skimmer mimicking it :palm:.
 
The following users thanked this post: janoc

Offline Bud

  • Super Contributor
  • ***
  • Posts: 3976
  • Country: ca
You just happen to live in a country which is behind everyone in the world in adopting chip and pin technology.
Facebook-free life and Rigol-free shack.
 
The following users thanked this post: hans, odessa, Bassman59, StuUK, Connoiseur

Offline wraper

  • Supporter
  • ****
  • Posts: 11057
  • Country: lv
You just happen to live in a country which is behind everyone in the world in adopting chip and pin technology.
It does not matter where you live. As long as magnetic stripe is still accepted somewhere, you still can be fucked. It does not matter if you card has a chip if it still has a magnetic stripe.
 
The following users thanked this post: Barryg41, janoc, thm_w, tooki

Offline GreyWoolfe

  • Super Contributor
  • ***
  • Posts: 3366
  • Country: us
  • NW0LF
SWMBO and I have been with Bank of America since 2004.  We have had our credit card and debit card hijacked multiple times.  BofA does an excellent job of catching it, actually catching it before us every time.  Once the claim is filed, the money is back within 24 hours.  We pretty much accepted that this is a fact of life.
"Heaven has been described as the place that once you get there all the dogs you ever loved run up to greet you."
 

Offline BillB

  • Supporter
  • ****
  • Posts: 611
  • Country: us
Mine get hacked, too. and I suspect it is small websites holding the credit card data getting breached.  Even large retailers (Target, Panera, etc) are getting breached as well.  I agree this is the new normal until they devise a new system like biometric or mutli-factor.

Some card companies implement a virtual number system (Discover used to have it, Capital One does it now) where you can generate a specific number for each website you visit. 

 

Offline rsjsouza

  • Super Contributor
  • ***
  • Posts: 3690
  • Country: us
  • Eternally curious
    • Vbe - vídeo blog eletrônico
SWMBO and I have been with Bank of America since 2004.  We have had our credit card and debit card hijacked multiple times.  BofA does an excellent job of catching it, actually catching it before us every time.  Once the claim is filed, the money is back within 24 hours.  We pretty much accepted that this is a fact of life.
Similar experience with Citi: throughout our lifetime with them (2007 and on), we had our cards cloned twice and preemptively replaced by them at least five times (due to hacking to vendors such as Home Depot or Target). This has become a fact of life.

The only annoyance is to re-enter this information on all the auto pay sites...
Vbe - vídeo blog eletrônico http://videos.vbeletronico.com

Oh, the "whys" of the datasheets... The information is there not to be an axiomatic truth, but instead each speck of data must be slowly inhaled while carefully performing a deep search inside oneself to find the true metaphysical sense...
 

Offline rhb

  • Super Contributor
  • ***
  • Posts: 2731
  • Country: us
Gas pumps of a particular brand all have a common key.  Most gas stations I visit now have stickers to warn if the pump cabinet has been opened.  I live in rural Arkansas (7500 pop) and they caught some guys trying to install a skimmer at a local gas station in the middle of the night.   I got hit about that time just as I was leaving on a trip.

The clever ones collect the data via bluetooth, so once it's installed they just go buy gas to collect the data for resale on the dark web.  The credit card companies are not yet adept at figuring out where the skimmers are and preemptively issuing new cards.
 

Offline Mr. Scram

  • Super Contributor
  • ***
  • Posts: 8741
  • Country: 00
  • Display aficionado
Gas pumps of a particular brand all have a common key.  Most gas stations I visit now have stickers to warn if the pump cabinet has been opened.  I live in rural Arkansas (7500 pop) and they caught some guys trying to install a skimmer at a local gas station in the middle of the night.   I got hit about that time just as I was leaving on a trip.

The clever ones collect the data via bluetooth, so once it's installed they just go buy gas to collect the data for resale on the dark web.  The credit card companies are not yet adept at figuring out where the skimmers are and preemptively issuing new cards.
I was thinking of this too. Hackaday did a piece on this.

https://hackaday.com/tag/card-skimmer/
 

Offline digsys

  • Supporter
  • ****
  • Posts: 2156
  • Country: au
    • DIGSYS
Only ever got done once ! It was on an unused card that I only keep for my ISP who insists on direct draw. My ONLY direct draw account !
15 mins after a deduction, the card amassed $11,000 from several European countries ! I wrote up a detailed report with questions on -
Why didn't the system realize I couldn't have been in 8 European countries when I was in OZ 15 mins earlier? -how did they go so far over my limit?
Plus I identified the source of the breach etc etc No answers ... they didn't chase it ... not worth their time ... just reimbursed it.
They didn't even want to reduce the limit to $2-3K, until I threatened to cancel my cards.
Hello <tap> <tap> .. is this thing on?
 

Offline engineheat

  • Regular Contributor
  • *
  • Posts: 187
  • Country: us
SWMBO and I have been with Bank of America since 2004.  We have had our credit card and debit card hijacked multiple times.  BofA does an excellent job of catching it, actually catching it before us every time.  Once the claim is filed, the money is back within 24 hours.  We pretty much accepted that this is a fact of life.
Similar experience with Citi: throughout our lifetime with them (2007 and on), we had our cards cloned twice and preemptively replaced by them at least five times (due to hacking to vendors such as Home Depot or Target). This has become a fact of life.

The only annoyance is to re-enter this information on all the auto pay sites...

My card does have a chip on it. So I guess from reading the answers this isn't rare and especially with the hacking going on.

I thought my wifi or the way I use computer isn't secure enough...
 

Offline ataradov

  • Super Contributor
  • ***
  • Posts: 6342
  • Country: us
    • Personal site
US version of a chip is a joke. The bit that tells the readers if your card has a chip is on the stripe, so you can just overwrite that bit and your card does not have a chip anymore.

This will continue to happen until chip is the only option with no magnetic stripe even present on the card.
Alex
 
The following users thanked this post: hans

Offline Halcyon

  • Super Contributor
  • ***
  • Posts: 3878
  • Country: au
I've never had my card details fraudulently obtained, however I guess I'm fortunate enough to know what I'm looking for in terms of skimming devices or EFTPOS machines which have tampered software.

As much as a I don't like Paypal as a company, I use them for almost every purchase I make online, particularly overseas ones. It adds an extra level of protection and if something does go wrong, you're more likely to get your money back.

I would also advise to cover up your PIN whenever you use an ATM or EFTPOS machine with both hands. ATM skimmers normally rely on a small pinhole camera to capture your PIN in addition to card data. On the subject of ATMs, give the card slot a good wiggle, skimming devices are normally just taped on.

Use alternative methods to pay bills, for example, I pay all my bills online but I manually transfer the amount using BPAY (via my internet banking) or do a once-off direct debit request. It takes no additional time and it saves me those 1-2% credit card transaction fees.

If you must use credit cards, insist on a low credit limit. If a bank refuses to lower your spending limit or apply extra security measures, I would reconsider using that bank. For example, I use Visa Debit which is linked to my normal savings account, but I can stipulate my own daily transaction limits for card transactions. The default is $1000 per day but I can decrease or increase that anywhere up to $10,000.

Finally, get into the habit of checking your statements/internet banking frequently. I check mine at least once a week.
 

Offline T3sl4co1l

  • Super Contributor
  • ***
  • Posts: 14739
  • Country: us
  • Expert, Analog Electronics, PCB Layout, EMC
    • Seven Transistor Labs
I've had two instances, I think it was, both probably in relation to data leaks from retailers.  The charges were detected immediately, and a new card issued.

Tim
Seven Transistor Labs, LLC
Electronic design, from concept to prototype.
Bringing a project to life?  Send me a message!
 

Online IanB

  • Super Contributor
  • ***
  • Posts: 9634
  • Country: us
I've had two instances, I think it was, both probably in relation to data leaks from retailers.  The charges were detected immediately, and a new card issued.

This has been my experience. It seems using my card at a "dodgy" on-line retailer has allowed my card details to be stolen and fraudulently used. I am very wary of that now.

I second the above advice to use only Paypal-equipped sites for card processing unless it is a major retailer you trust.

You can also use a service like ShopSafe: https://www.bankofamerica.com/privacy/accounts-cards/shopsafe.go

This will prevent your virtual card being accepted by anyone other than the original retailer you made the purchase from, so even if the card details are stolen the card will not work and any fraudulent transactions will be declined.
I'm not an EE--what am I doing here?
 

Offline Halcyon

  • Super Contributor
  • ***
  • Posts: 3878
  • Country: au
What I find frustrating is that the big banks clearly don't care. There are any number of methods they could employ to keep people secure. For example, for those who just use their card for online purchases, have it "disabled" by default, until you log in to your internet banking and "enable" the card for x number of minutes for x amount of dollars. So simple.
 

Online rdl

  • Super Contributor
  • ***
  • Posts: 2835
  • Country: us
Quote from: Bank of America
Please note that ShopSafe requires you to have Adobe Flash installed on your computer.

Seriously?
 
The following users thanked this post: NiHaoMike

Offline David Chamberlain

  • Regular Contributor
  • *
  • Posts: 238
You just happen to live in a country which is behind everyone in the world in adopting chip and pin technology.
It does not matter where you live. As long as magnetic stripe is still accepted somewhere, you still can be fucked. It does not matter if you card has a chip if it still has a magnetic stripe.

That is technically true, however the chip cards have a modifying effect on social behavior.

For me if feels weird if a shop assistant asks to physically handle my card because there is no reason for them to do so, I just tap it.

Second reason is chip payments are so simple and all pervasive (in Australia) that I never carry cash now and so have no reason to use an ATM - seriously the only people who carry cash are kids looking to buy drugs :)

OP - This is not relevant to you if, as you say, you only use your card online. Your WiFi password is not the issue here and by that I mean it is a very unlikely attack vector. Most likely is you have used your card on unscrupulous sites, or you have a trojan on your computer. The first issue really just takes a bit of 'internet wizdom' such as only putting your card in to sites you know and trust. Check the URL matches and that it is secure..

The second, if your running Windows you can do a free scan with this tool, it is regularly updated.
https://www.microsoft.com/en-au/download/malicious-software-removal-tool-details.aspx

Next I would look at your browser 'add-ons' some of those can be nasty.

If your worried about Chrome storing credit card information then you can delete it, but it would not have done so without asking you.
Stick this in your URL and it will take you to your autofill settings where you can delete the card number.
chrome://settings/autofill?search=Autofill

« Last Edit: May 14, 2018, 05:58:26 am by David Chamberlain »
 

Offline Jeroen3

  • Super Contributor
  • ***
  • Posts: 3404
  • Country: nl
  • Embedded Engineer
    • jeroen3.nl
Skimming is basically history here. The payment provider, Currence*, basically issued: "Starting 2012, the old magnet strip card will not work anymore".
Everyone is on chip now, or wireless, and it's the best method ever. You have to explicitly tell the bank you want the magstrip to work abroad.

Maybe you just have to form an angry mob with pitchforks and torches to tell the banks you don't want this crap anymore.

*collaboration of major banks responsible for national retail payment services, they also made iDEAL which was a huge revolution in online shopping with debit cards.
 

Online Bassman59

  • Super Contributor
  • ***
  • Posts: 1304
  • Country: us
  • Yes, I do this for a living
What I find frustrating is that the big banks clearly don't care. There are any number of methods they could employ to keep people secure.

Here in the U.S., they really don't care. That's why we still have credit cards with mag stripes. That's why we have credit cards with chips but no PINs. That's why restaurants still take credit cards back to some hidden POS terminal and run them, out of sight of the customer. All of this is completely stupid, but retailers won't upgrade their POS terminals. This is ridiculous, because the banks have said that all retailers as of October of last year must upgrade to chip-card readers or else the banks won't reimburse the retailers without upgrades for fraudulent transactions.

I'm at the point where I ask retailers, "why don't you take Apple Pay? Do you really not care about fraudulent transactions?" I usually get blank stares.

Also, never ever ever use debit cards for point-of-sale purchases. Sure, if the card is compromised, the bank will reimburse you for the losses. But what happens if the bad guy wipes out your checking account right before the mortgage payment hits your bank through the ACH system? Or, if you're like me, you pay all of your bills on payday, so they all hit the bank at the same time? NSF fees, charged by the payees, add up.
 

Offline Mr. Scram

  • Super Contributor
  • ***
  • Posts: 8741
  • Country: 00
  • Display aficionado
Here in the U.S., they really don't care. That's why we still have credit cards with mag stripes. That's why we have credit cards with chips but no PINs. That's why restaurants still take credit cards back to some hidden POS terminal and run them, out of sight of the customer. All of this is completely stupid, but retailers won't upgrade their POS terminals. This is ridiculous, because the banks have said that all retailers as of October of last year must upgrade to chip-card readers or else the banks won't reimburse the retailers without upgrades for fraudulent transactions.

I'm at the point where I ask retailers, "why don't you take Apple Pay? Do you really not care about fraudulent transactions?" I usually get blank stares.

Also, never ever ever use debit cards for point-of-sale purchases. Sure, if the card is compromised, the bank will reimburse you for the losses. But what happens if the bad guy wipes out your checking account right before the mortgage payment hits your bank through the ACH system? Or, if you're like me, you pay all of your bills on payday, so they all hit the bank at the same time? NSF fees, charged by the payees, add up.
Using Apple Pay is solving one problem and getting into another. What I pay should be between me, my bank and the retailer. I don't need Apple meddling with that.
 
The following users thanked this post: janoc

Offline Halcyon

  • Super Contributor
  • ***
  • Posts: 3878
  • Country: au
Using Apple Pay is solving one problem and getting into another. What I pay should be between me, my bank and the retailer. I don't need Apple meddling with that.

I've never understood the real point of Apple Pay, apart from giving Apple more access to your personal information. Most banks here allow you to pay for things using their own applications via NFC, even the smaller credit unions are on-board with this. Similarly, you can now make instantaneous intra-bank payments 24/7/365, where before they used to take about 12-48 hours for most transactions.
 
The following users thanked this post: janoc


Share me

Digg  Facebook  SlashDot  Delicious  Technorati  Twitter  Google  Yahoo
Smf