How did they get my credit card?

I just got a call from the Fraud department of one of my credit cards. They said there was ‘unusual activity’ in the form of a $1000 online purchase at a college in Berkeley. I only use this card for gas (alternating months) and when I fly a particular airline. AFAIK I don’t have it registered for any online billing (eBay, PayPal, etc.) I was informed that I would not be held responsible for any bills that are not mine, I would receive a form so that I can indicate charges that are not mine, and that my account would be closed immediately and a new one opened. I should get a new card in a week or ten days. I pulled my credit report, and there is no unusual activity on it. No alerts, balances look fine. (In fact, I owe less on my house than I thought I did.)

So how did they get my number? I’ve just noticed that the card expires at the end of this month. Is the most likely explanation that someone intercepted the new card before it got to me?

Another question: How likely is it that the fraudulent user will be caught?

In the UK, card skimming at gas stations is rife. A device is used to copy the card when it is handed over the employee. Copy of card then sold on.

Every card I’ve had in the post for the last few years I’ve had to phone up and answer security questions to activate it, so I’m not sure if your new card getting intercepted is likely.

Likelihood of the fraudulent user getting caught? About zero. All the banks are interested in is cancelling the card.

A lot of credit card information is stolen by the millions from large merchants and credit card processors with insecure servers. Then the hacker who stole those numbers can sell them to people who want to commit fraud. That’s probably what happened to you.

Scougs, is it still that bad with Chip-and-PIN? I thought that Chip-and-PIN essentially eliminated the possibility of using a mag-stripe skimmer on a card because it disallowed domestic mag-stripe transactions.

We’re switching to Chip-and-PIN here in Canada, but mag-stripe transactions will still be accepted at ATMs untul the end of 2012, I believe, and at the merchant until the end of 2015. I would assume that foreign magstripe transactions will still be accepted after that date, but I haven’t seen anything explicitly statiing that.

I (virtually) always use one of two pumps that face the entrance to the store, and I never go inside to pay for my gas. It’s possible that someone put a surreptitious reader on a pump, but if I were a fraudster I’d choose a less visible pump to tamper with.

When I lived in L.A. I received a similar call from the local police. In that case, someone had stolen a renewed card before it reached my apartment (which has locking mailboxes).

Good point - my anecdotal point about gas stations may be out of date. It’s just kind of common wisdom to pay by cash if possible at gas stations - especially in the middle of the night when there’s a single, low-paid, unsupervised employee. Perhaps it’s no longer warranted.

Not the gas station then, by the sounds of it. But re the stolen card in the mail - do you not have to activate cards?

Yes. New cards must be activated from the telephone number on record. However, new cards are sent out before the current card expires. They tend to have the same expiry date, but with a later year. So if someone intercepted the new card it would be a simple matter to use the expiry date on the card, plus the current year.

Skimming of cards in gas stations is so rife in the UK that I never use one, always pay cash.

I know of several people who have been done through skimming.One way that it is done, the card is read, but then the PIN number input is observed using the in store security camaras.

Have heard of this in restaurants too, where you ahnd over your card, and its taken out of sight, the details on it are written down, and the card PIN is skimmed with a memebrane pad that has been inserted under the real kepad.

Once they have these details, they can use it in ‘absent card purchases’

Apparently this took off dramatically with organised Tamil gangs, some of the money was alleged to have funded the Tamil Tigers, but I have often heard anecdotally that other scams were used to fund the Irish terrorists - the IRA.

I tend to go for the more parsaic old fashioned idea that its prompted by greed and laziness.

I’ve heard of skimmers here, but only at ATMs. PINs are not required for credit cards, and I only use my ATM/Debit card to withdraw money. I don’t make purchases with them.

I have two credit cards and have been preemptively issued a new number for one card twice and the other once in the past 18 months for that reason.

Do a google search for ‘credit card number generator’.

No need for them to have the card in hand.

It’s more likely low paid clerks that are doing it. If you have a clerk or someone in accounting that’s a clerk making a dollar more than minimum wage, they have access to all the credit card info.

They just sell it to others for like a buck a number. Let’s say you’re in a hotel and it has 300 rooms. That’s a potential of $300 a day. Then depending on how long they stay, it can be more or less.

It’s really easy to do. I’ve actually caught clerks doing this when I did auditing.

It’s a lot easier than trying to capture a credit card number with a skimmer and it works as you are not using the numbers. You’re selling them to others who can use them.

Since nobody ever sees or handles this card except for me, does that mean that someone in the gas station’s corporate office might be stealing card numbers?

I have a Canadian chip and pin bank card and it was swiped a few months ago with a fake debit machine.

Sorry, did you miss my post?

There are credit card generators available online, and there is no need for anyone to have ever encountered you or your card…

Johnny, I had my CC defrauded several years ago, used in Brooklyn (I live in Pittsburgh). Cancelled card, got a new one.

Discover called me months later, saying that many users had the same problem and the gas station owner actually found a camera had been mounted in a corner, used to spy DOWN on users; it took several zoomed-in photographs of the numbers, complete with expiration dates.

It could have been that. Honestly, they’re so insecure it’s unbelievable.

Assuming it was a magstripe, and not a chip, transaction, that worked because we are still accepting domestic (i. e. Canadian) magstripe transactions. Prersumably, after the two deadlines I mentioned earlier, a thief wouldn’t be able to use a cloned Canadian magstripe card in a Canadian transaction. (Now, taking it to the States and using it there, or using it online, would be a different thing.)

Son of a gun! I’d never heard of these before. And I’d never thought of them either. (Although there’s no reason not to have.)

For those sharing my ignorance, part of the security of credit cards were that it has always been unlikely that someone could guess at a valid number. But if you have a computer and a program that will generate possible numbers and then test them to see if they’re valid you can come up with as many numbers as you want.

But I thought that there was a level of security that would match a credit card number to a name or address or something. Am I being naive?

ETA: from Wikipedia

I think there are varying levels of security available to the merchant for varying prices. Pay so much, it checks the validation date and number. Pay more, it checks the name and address and postal code. And so on. If so, this gives a monetary incentive to the merchants to be as insecure as possible.

I 've read reports of Canadian tourists being unable to use their cards at US gas pumps because the US pumps were requiring the entry of a US postal code. Which, of course, the tourists didn’t have. There would always have to be exceptions for handling foreign cards, if the merchants wanted foreign business. And it would seem to me that a foreign card is more easily spoofed, if only because the authorization and checking–and billing–would take longer?

Many gas stations in the US require a postal code, and of course the number pad is numeric. I’ve noticed that some gas stations that do require it have signs saying something to the effect of “If your zip code contains letters, please come in.” (here, US postal codes are called “Zip” codes, ostensibly because using them helps mail “zip” along to its destination quicker), so it looks like Canadian cards would still be acceptable, they would just have to be processed by the attendant rather than automatically by the customer at the pump. (source: personal experience)