For the Second Time in Less Than Three Months, My Debit Card Has Been Hacked

Just to be clear, because the word “chip” is being used in this thread for both the RFID chip, and the 1/2 inch square chip with the gold contacts.

The RFID chip is used for “tap-and-go” and has a limit set by your bank for those types of transactions: typically $50 or so. That way if someone does manage to get close enough to you with a reader they can’t clean out your account.

The other gold chip requires that you insert your card into the card reader and complete the transaction with a four digit PIN. This method is extremely secure since the reader needs both sets of information to complete the transaction. As far as I’m aware all bank cards in Canada are chip-and-pin and have been for over 10 years, at least. Fraud is almost unheard of.

What bank are you with? Every card I’ve ever received was through the mail. (Scotia, Tangerine, RBC, etc…)

Not to mention that credit cards frequently offer “rewards”: discounts, cash back, airline miles, etc.

Debit cards typically give back jack shit.

I’ve “earned” hundreds of dollars every year by using my CC rather than the debit card. I pay it off every month so it’s not costing me anything, and I’m essentially getting 2% off everything I buy.

Seconded.

I NEVER use my debit card anywhere besides my bank’s ATM. I use a credit card anywhere else.
Even though my debit card says VISA on it and is supposed to carry the same protection, there is a big difference between finding a fraudulent charge on a credit card and having somebody clean out your bank account.

While it is certainly possible to scan an RFID-enabled chip “remotely” (i.e. within 3 feet) it is unlikely that this is how information was extracted. As Leaffan noted, the tap-and-charge payment method is limited to $50 and is also only good as a one time payment to an authorized vendor. While anyone can create credentials to be an authorized vendor, doing so every time for a $50 hit is unwieldy at best. On the other hand, every time you give your card to a server to take in the back to swipe or read out the number on the phone, you are opening yourself up to potential fraud, which is again why debit cards associated with a bank account should not be used for general transactions. Unless you have absolutely terrible credit it is trivial to get a credit card and then have the company set the by-purchase and total limits low enough that any fraud that occurs is manageable. Although as a consumer you have specified fraud protections (albeit ones that vary by state) the onus is ultimately on the cardholder to demonstrate that a particular charge is actually fraudulent, so a large fraudulent charge can tie up your money or credit for an extended period of time if a card issuer doesn’t accept the fraud claim (although there are limits on liabilities for contested charges).

The ENV chip is a secure point-of-sale transaction that generates unique keys that cannot be used for another transaction (hence, why chip card transactions often take longer and require a working Internet connection; they’re actually communicating with a central server). However, ENV transactions do not generally require a PIN, although most bank cards will require a PIN to complete a transaction.

For online and over-the-phone (so-called “card not present”) transactions, many card companies offer one time virtual accounts, and there are trusted third party services that offer this as well so that you can limit the number or duration of transactions (e.g. for a subscription) so as to avoid online/phone fraud.

Stranger

I would try to connect the dots and see where you have used your card both 3 months ago and recently. It could even be a local diner, I’ve heard accounts of employees being approached by bad guys and offered $20 per card to swipe them through their scanner.

It could also be something online, probably not somewhere big like Amazon or Netflix, but some smaller business could more likely be compromised without it being noticed.

Years ago my Scotiabank card had worn out. I went into the bank, with ID of course, and got a replacement card on the spot.

Last year I lost my Scotiabank card, and again, I received a replacement instantly.

Also last year I set up an account at TD and they gave me a card at the bank.

Is this really worthwhile? If I report something like this to the police, I have to tell them all the places I’ve used the card and then someone has to either do that data entry or manually figure out the merchant in common.

The credit card processor and bank, on the other hand, already have all that data in neat database form, and presumably have fraud departments that filter through it regularly. Surely they are already looking for this kind of stuff and will just call the local police if they notice such a glaring indicator of the fraud.

Basically: I can’t imagine that an individual reporting this would meaningfully make a difference here. Unless the credit/debit card fraud departments are incredibly inept.

I get what you’re saying but it’s 6 of one half dozen of the other. If you want to be pro-active and not wait for a bunch of other people who use the same debit card from the same bank that you do to get their bank accounts drained before maybe something is noticed and action is taken, then call the cops. If you want to wait and let the same thing happen THREE TIMES IN A ROW then just do nothing, I guess.

I’m actually making a stronger statement.

I’m saying that if the information exists for the cops to figure out where the breach is from me reporting things, then it will be trivially discoverable by the card fraud department, which will report it to the cops.

I think you’re saying that calling the cops will help. I’m saying: it won’t. The local cops simply aren’t capable of finding a signal in the data faster than the bank’s fraud department, and the bank’s fraud department already has all the information you could tell the cops.

I’m fairly sure that you do not have to wait for other people to use the same debit card and get defrauded, because information about fraudulent use is shared more widely than that.

This happened to my husband and the card wasn’t used anywhere out of the ordinary. We live on the east coast and fraudulent charges were posted from the west coast.

It sucks. You’re unlikely to figure out how it happened. As mentioned, credit cards offer some extra protection if they’re an option. Most banks are able to fix things pretty quickly. If your bank makes it difficult, it may be worth the hassle of making a change there.

But your card wasn’t “hacked”.

I use my bank debit card all the time for POS purchases, but I never give it to a server. They bring the little machine to me, I insert the chip, enter my PIN, and done. No chance for fraud.

Maybe I’m not following what an ENV is, but every bank debit card I’ve had with a chip requires a PIN.

I’ve always got new debit and credit cards through the mail. If I’ve lost my card, my bank (RBC) gives me a temporary chipless one. The chipped one comes in the mail a week later.

I believe you live in a technologically advanced country. This is not common in the United States.

“EMV” not “ENV.” EMV (Europay, Mastercard, Visa) is the name of the chip standard.

Well, I hate to tell you, but that’s exactly true.
Plus we replaced the one dollar and two dollar bills with coins, eliminated the penny, and switched to polymer bills.

It baffles me how the US is so ridiculously behind.

Interesting article, thanks.

Chip cards without a PIN option, just signature? Never heard of such a thing before.

I believe that in the Great North you have things called “Paywave” cards that require neither PIN nor signature. I have heard people brag about them and express shock that they are very rare down south.

The signature thing is pretty much a joke. Yes, you have to make a scribble on a piece of paper or a terminal, but absolutely nobody checks it.

I don’t know how often this actually has happened, despite all the hype. Other forms of theft are more common at the moment.

“There’s probably hundreds of millions of financial crimes being done every year and so far zero, real life RFID crime,”

This thread caught my eye because we were just nailed by a scammer.

About a week back, I was finally getting all my cc transactions downloaded into Quicken and reviewed - it’s been far too long. I spotted a bunch for one merchant that weren’t clear - several times a month for a year or more.

So if I live in MyTown, there are lots of merchants around like MyTown Safeway, MyTown Gardening and so on… but these were just for “MyTown”.

I looked at the online transaction listing, and that said “MyTown Kennels”… which is an actual business nearby. I was wondering if some dog-loving thief was making frequent small purchases… so I called the card issuer - and it’s actually “MyTown Cleaners”. So, no fraud, just an inaccurate business name shown on the bill.

Then Monday, I spotted a charge from that day, from what appeared to be a restaurant in NYC. I went to the issuer’s website and that actually concurred that the purchase was made in NYC in person.

Didn’t have time to check into it Monday… but Tuesday I discovered that I’d evidently paid for metered parking in New York, to the tune of 25 cents. I got on the phone with the bank immediately.

Not only did “I” have a nice meal 240 miles away from here Monday, “I” bought a couple tanks of gasoline across the border in New Jersey - guess I needed the fuel after driving in Manhattan gridlock. Of course I couldn’t dine at Red Lobster (evidently someone tried to use the card there and it was declined), so naturally I had to have that nicer meal in NYC (Anejo Tribeca, if anyone knows the place). Must have been a quick meal though, if I only paid a quarter for parking! I also got thirsty at some point and hit a vending machine for a drink.

My theory is that someone tried the fake card in a meter in NYC, found that it worked, tried it in gas stations, and had some dinner then. I’m just lucky they didn’t go crazy and buy a lot of really spendy stuff. I guess my thieves weren’t trying to live too high on the hog. The funny part is that the parking meter charge was dated after the others vs before them.

So - on the phone with the bank, and when I explained I questioned the 25 cent charge I got booted right over to their fraud department. They wanted to be very sure nobody in the household had made those purchases. Erm, no… when I visit NYC I am not insane enough to have a car… and nobody’s been there for 4+ months.

So we had to go back through all my recent transactions to verify them. Sunoco, yeah that’s us. A restaurant nearby, that’s us too. Etc. etc.

Interestingly, the two gasoline purchases were moved from my online transaction listing immediately. The restaurant and the parking meter are still there at the moment.

I’m assuming that these purchases have been made at places that do not yet have chip-enabled readers.

Anyway… this is the second time in 2ish years that this same card has been compromised. The last time, the bank caught the charge and notified me. An attempted purchase at Target.com was thwarted somehow and it triggered their alerts.

I’m just thankful this happened at a time when I was paying pretty close attention (due to getting ready for our tax return); otherwise it could have gotten pretty unpleasant.

I’m assuming it happened either via a gas station skimmer, or perhaps when I used it at a restaurant. I wish US restaurants would get the handheld readers like I saw everywhere in Canada in 2017. The only place I’ve seen that here in the US is those tabletop gadgets at Applebee’s.

I stopped by the bank today to drop off some stuff in the safety deposit box and chat with the lady about my card issues. She confirmed I did everything right online and that a new card is coming my way and that the UPCOMINGEVENTS.COM was purchased in New Jersey.