Credit card fraud, again!

For the third time in about six months, one of our credit cards has been used fraudulently. The first two times, thieves used one of my account numbers to order stuff online, so it’s possible that a waiter* just wrote down my information. This time, however, thieves actually made a copy of my card and charged $100 to a Safeway in Canada. When they tried to use it a 2nd time 18 minutes later, for $200+, CapOne declined it for suspected fraudulent activity.

I have no idea how they knew it was fraudulent because we’ve been traveling the last two weeks, including Canada. None of those purchases were flagged. But I’m grateful, because each time they managed to stop the thieves before they stole a lot. But I have to say it’s rather alarming to have one, let alone THREE credit cards (issued by three different banks, BTW), hacked in such a short time!

The good news is that I have online accounts and check activity often, but the thieves are definitely getting smarter. I just hope that it’s only my credit card, and not my identity that was stolen. I already pay for a service which will alarm me if anyone tries to apply for credit with my name. And I’ve now signed up for alerts on all of my cards, so that I’ll be immediately notified if a charge is made out of the country (2 of the 3 fraudulent purchases were made outside of the U.S.)

Has anyone else noticed a significant uptick in fraud lately? Prior to this year, I didn’t have any issues at all.

*I say waiter because they are one of the few people who actually take my card and disappear with it. Most vendors either take it and give it back within a few seconds, or have me swipe it myself.

It seems like you’ve been targeted. Is there anything about where you leave your bags or anything similar that could facilitate someone compromising more than one card? I’m not saying that you aren’t being careful, but how likely is it that three separate people gained access to your accounts independently?

My first inclination is that either it’s the same person behind all three, or whatever gave them access in the first place was shared with two other people.

It’s highly unlikely, but your card could potentially be skimmed right under your nose, as you watch. Maybe try restricting certain cards with certain vendors? There’s lots of missing info here, and only you know exactly how your cards are used, both physically and over data.

I use credit cards **a lot ** because I like to earn travel rewards.

  1. The first card that was compromised was back in January, and was a brand new card, just 9 or 10 days old. I’d only used it at 5 places, including one very large purchase (my daughter’s tuition), before someone ordered something online from an overseas “herbal” store. Because it was an online purchase, someone could have just copied the information off my card, or even gotten the card out of the mailbox and copied it, but it would have had to have been just a few days prior because I’d just gotten the card.

The herbal store purchase was flagged immediately by Citibank, and they were on it immediately. They suspended the account, emailed me, and called my home phone to alert me to the suspected fraudulent activity.

  1. The second card was used just about 2 months ago, and it’s the primary card both me and my daughters use for everyday spending. We use it a ton, for both online (Lands End, Amazon, Eddie Bauer) and local stores (restaurants, Kohls, Target, Costco, gas stations, drugstores, grocery stores), so it’s impossible for me to figure out how/when it was stolen.

I caught the fraudulent activity on this one myself when I went online to check on activity for all my cards, something I do regularly since the first incident. Honestly, I might not have caught it at all had the thief used it at a place that we frequent, such as Amazon. But it was for, where none of us shop, it was made the day prior, and it was for over $200. It stuck out like a sore thumb.

The CSR couldn’t or wouldn’t tell me anything other than the dollar amount (over $200) and the time and date of the transaction. Personally, I think that they should release this information so that I could see if the shipping address, or even what they bought, could help me narrow down who the thief was. But they don’t. The good news is that the activity was still in pending status so I hope that Chase was able to reverse it before the item(s) ever shipped.

  1. The third incident happened just last night. I was checking activity on all our cards, as I do almost daily now. Lo and behold, my CapOne card had a note that the account was restricted and to please call this 800 number. Really?

I called the fraud department, and the CSR asked me if I had just tried to make a $200 purchase at a store in Canada. No, I hadn’t. He said that 18 minutes prior, someone had used my card to make a Safeway purchase in Canada for ~$100. It was approved. The second purchase was declined.

Now, I’m totally with you in suspecting an inside job at this point, except for two things. First, is that while the CapOne account is technically in my name, neither I nor my kids ever use this credit card. My husband does. It’s HIS primary card. So if it’s someone who’s been in my house, they rifled through both my purse AND my husband’s wallet (which is always on his person or on our dresser), at various times throughout the year. This narrows it down to about 2 kids – my youngest daughter’s best friend and my older daughter’s boyfriend.

However, this latest purchase wasn’t an online purchase, but a brick and mortar one. Since the card was still in my husband’s possession, the thief made a duplicate card. No way is either of these kids sophisticated or wily enough to make a duplicate credit card. Nor is either of them in Canada at the moment.

P.S. To add to the mystery, my credit card procurement card at work has been compromised twice in 2 years. That card is never on my person, and it’s always locked in my drawer at work. The only times I’ve gotten it out of the drawer were the two times I created profiles at the only two vendors that I use, Amazon and Staples.

I’d theorize that the thief could be someone at work, and they found where I hide my key and rifled through my work drawer (where both my procurement card and purse is kept)…EXCEPT for the CapOne card. How did they get my husband’s credit card?

It’s a mystery.

Are all your cards mailed to you?
Have you used all your cards online? I wonder if information captured online is enough to forge a card.

All have been mailed to me and all have been used to make legitimate online purchases.

I have no idea if someone can use basic info to duplicate a card.

Just some suggestions for prevention:

Have you at least had all your cards canceled and re-issued with new numbers? Card monitoring is a good thing, but you shouldn’t continue using a number after it’s been compromised.

It’s possible that there’s a skimmer at a local place you shop at frequently. Gas station pay-at-the-pump card-swipers have been known to have skimmers on them, as well as self-checkout lanes at grocery stores. It’s inconvenient, of course, but if you can go in to the gas station and pay at the register, and use regular cashiers instead of self-checkouts, that could help.

It’s also possible, if all the cards have been used online, that someone is getting your card information via a MITM (man-in-the-middle) attack on your computer. Is your computer *totally *clean of any infection? Are you running a firewall and active virus scanner? Do you have a password on your network (including wifi security, if you have a wifi router)? You should also password-protect all of your computers and get into the habit of locking the desktop when you walk away from it, so nobody can break in and surf that way.

And, of course, never leave your cards unattended around the house. It could be something as simple as an apartment maintenance man scamming on you (if you live in an apartment).

I feel your pain.

I had my credit card number compromised just two weeks ago. Second time this has happened in about a years time.

First time, someone tried to get cash a couple of times from an ATM in Chicago. Since I am in Central Texas, and don’t travel, the card company thought this odd and promptly closed the card out. Unfortunately, I didn’t realize this until my card was declined at a diner after purchasing a meal for myself and a friend.

The second time, I looked at my bank statements and noticed my balance was short $541. Seems that WesternUnion had charged my card for something. I went to my bank and explained the situation and everything was taken care of.

The problem with both situations is that I use the card for all my online shipping purchases, payment of utility bills, and most inventory buying. The bank automatically issues me a new card number and expiration date, but can’t give me a Security Code to go with it. Consequently, I have to notify everybody that they can no longer use my old card number, but I can’t give them a working number because they require the security code as well. For a week, until my new card comes in the mail, I am unable to use my card for its usual purposes and have to work around everything, many things which cost more to do the “long” way than by online.

I guess it’s just something I have to expect occasionally when doing business by card and internet.

If someone gets a hold of your card they can make a clone of it. It’s not likely, as it would take a dedicated scammer to do it, but it’s possible. Any info gathered can easily be put into a magnetic card encoder and be put on a semi-realistic looking card, or they could even wipe a real card and recode the strip.

If they have the full card #, the expiration date, and the CVV code off the back, they essentially have your card for online purchase purposes.

Information such as the AVS info (cardholder billing zip code, and billing street number) do NOT have to match in order for a sale to go though. Smart merchants make the matches a requirement, but a merchant that has lax standards can just pay a bit more per transaction when they’re downgraded due to an AVS mismatch.

I used to think that an exp date had to match a CC# in order to process, but that’s not always the case. Merchants can choose what level of risk they take, but they often default to what was set by their merchant service provider.

There’s a situation that I don’t really want to elaborate on here, for obvious reasons, but a blatantly stolen (and reported and shut down) card can be used to make a purchase. At the merchant’s expense, they carry all the risk at that point.

My advice to you would be, get a P.O. box and have the cards that are never swiped delivered there. Secure your PC, and only use that info online, put the card in a block of ice if you have to.

If you have been skimmed at a retailer, don’t hand them your card. Make them manually enter the number and exp date. When it asks for the CVV, tell them to press enter to bypass it, maybe select that it can’t be read. Deny that request whenever possible. With all that info, you’re open to all sorts of fraud.

I don’t think you’ve been lax on security, but as many compromises as you’ve had warrant extra attention for sure.