Any idea how a credit card that has never been used was cloned? Is this a bank data breach?

Yesterday, my partner and I received our new, more secure, chipped cards on our shared credit card account. We activated them via the attached phone number around noon. My partner used his card once, in person, at a local retailer. My card never left the house.

When we got home yesterday evening, less than 12 hours after activation, my card had been used 3 times in Canada (I’m in Maryland). These were all in-person transactions, not online. It’s not clear whether they used the magnetic “swipe” or the supposedly harder to duplicate chip.

I understand that card cloning is easy to do - skimmers just duplicate the magnetic stripe that they read when you swipe, or you can generate your own magnetic strip if you know the algorithm, name on the card, and card number. But there is literally not a single merchant in the world who had this card’s number yet. It had never been swiped, chipped, or used online.

So my question is: does this mean that there’s a data breach at the factory and/or the issuing bank? That is a much more serious problem than a merchant breach, and can compromise a lot more of my financial data. I’m particularly concerned because I’m trying to buy a house right now, and it would be seriously the worst time for identity thieves to be damaging my credit.

It doesn’t seem logical that a massive breach including your personal information is to blame, because the card was used so quickly after issue. The most likely possibility is that your card information was physically compromised on its way from the credit card company to you. This could have been from an unscrupulous credit card company employee, postal worker, neighbor, or household member. You can express this concern when you call the financial institution to have the card reissued, but don’t expect to get an answer as to the cause. Some types of fraud are, unfortunately, just impossible to trace.

http://krebsonsecurity.com/2015/01/how-was-your-credit-card-stolen/ contains a fairly thorough list of the ways in which a card can be compromised. Please know, however, that a single instance of card fraud on its own will not harm your credit. If you are worried that your personal information may have been compromised, you can place a credit freeze with all 3 bureaus. This would prevent new credit from being taken out and any hard inquiries from going through, which is what really matters when you’re trying to purchase a home.

Wouldn’t a credit freeze also block me from getting a mortgage? I have a pre-approval, so that’s set up, but I’m assuming that they will want to pull my credit again before issuing an actual loan. I could lift the freeze for them specifically, but I did want to go loan shopping when the time comes.

It’s a good idea, though.

If you are anticipating a credit check, it’s a simple matter to temporarily unfreeze your credit. This can all be done online.

Are you sure it’s a new number? I was sent a new, chipped card from BoA, but the actual numbers were the same as the old, unchipped one.

You said your partner used his/her card. His/hers and yours have the same numbers. For all practical purposes those two cards are absolute clones of one another. Legitimate clones, but clones nonetheless. Any compromise that affects one affects the other equally.

I read that people standing behind you at a checkout counter are using their cellphones to take pictures of your credit card as you stick it in the machine.

I placed black electrical tape over the numbers and expiration date on my card.

Rachellelogram, I looked through your linked article, and every mechanism the author presents involves use of the card with a merchant, either online or in person. That’s why I’m puzzled as to how this one was so quickly compromised. As for physical compromise, my partner of 20+ years and my neighbors of 8+ years have shown no tendency to steal despite many opportunities, which would suggest postal or bank workers, which is also a big deal in my mind.

Morelin, yes, it’s a new number. My partner was annoyed because he had the old number memorized.

LSLGuy, it’s entirely possible that my partner’s card was compromised in the one time he used it, although I would have thought that the retailer (Target) would have tightened up its security after past breaches. However, the card that was used had my name on it, not just our shared number. If his card was cloned or photographed as Me_Billy suggests, it still wouldn’t have given anyone my name.

Chefguy, I think that freezing my credit might make a lot of sense right now, but I want to consult with my mortgage broker and look into the costs involved before I tackle that. I’ll call the mortgage guy on Monday.

One thing to remember about this is that it will NOT prevent someone from cloning your card or stealing your information. What it will do is prevent anybody from opening a credit account in your name. FWIW, we just froze our credit at all three places. Some states require you to pay a fee to do that (Oregon was $10 for each, so $60 for the two of us). But it’s dead easy to lift the freeze by going to the three credit sites, should you need to establish a credit line somewhere.

An interesting side benefit is that Experian sent us paperwork immediately after freezing the accounts saying they had placed a five-year hold, removing us from “pre-approved credit offer mailing lists”, along with a form to permanently have our names removed from said lists. I didn’t know they were in that business.

It’s odd you didn’t get a call or a text when the card was used in Canada. I always get a text when my cards are used out of state (by me) when I’m on a trip, to the point of annoyance, so I always pick the card I’ll use, and call that company before I go to tell them where I’m going and that they should authorize purchases.

I wonder if the cloner called the company. Maybe there’s a phone number on record.

I wear a ski mask anytime I leave the house and use a digital voice distortion tool anytime I’m on the phone. Now you’re telling me I gotta buy black electrical tape?

It also comes in red or yellow if that helps?

ahahah … i salute both of you. on a serious note … it’s really not over-kill.

me_billy … i’d suggest foam-backed tape for the front … electrical-tape would be fine for the security-codes on card-back. why foam-backing for card-front? easy enough to figure out what all of the impressions stand for … even cloaked by electrical tape. foam-backing, however, reduces the impression-effect or “bas-relief”. not only that … your electrical-tape on card-front will eventually wear down to such a point … eod.

fwiw … they have an even more secure credit-card in the works … one which has numbers that change. yes … the security-code on card-back … they call it dynamic cvv-card or something.

Another possibility would be that the bank used an insecure method to generate credit card numbers. It’s happened in the past where a bank has issued a new card with a number that’s easy to guess based off of the old number (e.g. if you had a card ending in 5124, they might issue one with the same number but ending in 5125). I don’t think that a bank has ever done something quite that stupid, but it has happened that they’ve done things almost that stupid and had new numbers compromised.

Actually, I do remember an article I read recently about just this. Some credit card company used a number generator that was trivially easy to hack, so much so that as soon as a card was made, a hacker could predict its number, and the next, etc.

First, Visa, Mastercard, Amex, and Discover card numbers all contain a check digit. So consecutive card numbers will never be issued.

Second, even if you could somehow predict the new card number, it would be useless in creating a magnetic strip for the card because you wouldn’t have the CVV/CCV number that is on the strip. (This is not the same as the 3-digit code on the back of the card which is called the CVV2/CCV2 code but often referred to as the CVV/CCV code.) If you create a card with the wrong CVV/CCV code on the stripe and try to use it, the card number will get shut down in short order.

If you only have the card number and not the correct CVV/CCV, your only hope is to find a merchant to run it through as a card-not-present transaction and then only if the merchant’s processor does not require a CVV2/CCV2 for card-not-present transactions.

All good info. But minor nitpick ref the above …

Once you (any you) understand the card number is really 15 digits long with a trailing check digit it becomes very easy to create consecutive card numbers as long as you’re talking about consecutive within the 15 digits. e.g.

5123 4567 8901 234x where x is the appropriate check digit is followed by
5123 4567 8901 235y where y is the appropriate check digit.

Anyone even remotely involved in credit card management, legit or illicit, understands this idea.

Assuming for our examples that x is 7 and y is 2 (I’m too lazy to run the algorithm) only a naïve person would not recognize that
5123 4567 8901 2347 and
5123 4567 8901 2352 are in fact consecutive credit card numbers. To be sure, I bet about 98% of consumers fall into the naïve category.
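
The check digit discussed in the last few posts is the public Luhn checksum; the following is an added example, not part of any post in the thread, that runs it on the two 15-digit sample numbers quoted above. The function names are this example's own, and it shows that the digit is an error-detecting checksum anyone can compute, which is why it cannot be what protects a card number from being guessed.

```python
# Added example: Luhn check digit for the two sample numbers in the post above.

def luhn_check_digit(payload: str) -> int:
    """Check digit for a number that does not yet have one (spaces ignored)."""
    digits = [int(c) for c in payload if c.isdigit()]
    total = 0
    # Walk right to left; the digit adjacent to the check digit is doubled first.
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9  # same as adding the two digits of the product
        total += d
    return (10 - total % 10) % 10


def complete(payload: str) -> str:
    """Append the check digit to a payload and return the full digit string."""
    digits = "".join(c for c in payload if c.isdigit())
    return digits + str(luhn_check_digit(digits))


def luhn_valid(number: str) -> bool:
    """True if the last digit is the correct Luhn check digit for the rest."""
    digits = "".join(c for c in number if c.isdigit())
    return len(digits) > 1 and luhn_check_digit(digits[:-1]) == int(digits[-1])


def catches_every_single_digit_typo(number: str) -> bool:
    """True if changing any one digit to any other value fails validation."""
    digits = "".join(c for c in number if c.isdigit())
    for pos, original in enumerate(digits):
        for repl in "0123456789":
            if repl != original:
                mutated = digits[:pos] + repl + digits[pos + 1:]
                if luhn_valid(mutated):
                    return False
    return True


if __name__ == "__main__":
    # The two 15-digit payloads are the sample values quoted in the thread.
    for payload in ("5123 4567 8901 234", "5123 4567 8901 235"):
        full = complete(payload)
        print(payload, "->", full, "valid:", luhn_valid(full))
    print("single-digit typos caught:",
          catches_every_single_digit_typo(complete("5123 4567 8901 234")))
```
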