My wife’s credit card was compromised last week. We don’t know how. The first clue was a call from the CC company’s fraud department; my wife called back, and was asked about a suspicious charge. Her card has been cancelled, and a new one is on its way.
The charge was for about $950. My understanding is that fraudsters typically make a small charge or two (to test the card’s validity) before using it to rack up big charges, but in this case that’s not what happened; they went straight for a big-money charge.
So how did the CC company know to suspect this was a fraudulent charge, and that they needed to talk to us about it?
A few years ago my son treated my wife and me to a trip to Hawaii. He paid our airline tickets, hotel bill, and a rental car. So when I took him and his family (wife + 4 kids) out to dinner in a fairly fancy restaurant and charged $400, the CC company got suspicious and I got an email asking me to call the 800 number on the back of the CC. Note that they didn’t ask me to go to a web site or to call a number on the email. I decided that that had to be legitimate and called the number. Sure enough they were suspicious. After I explained they were satisfied. They did ask me for my mother’s maiden name, which is a fairly weak identifier, but the only one they had.
Someone told me that when you are going on a trip, it is not a bad idea to warn the CC company ahead of time. On the other hand, if you have charged an airline ticket to Seattle and then charges start coming in from Seattle, they will not be suspicious.
They pay attention to patterns. If you live in New York and suddenly your buying an HDTV from a bricks and mortar store in San Francisco, a flag will be raised.
Of course, the models are more sophisticated that just that. I doubt they publicize them, so fraudsters can’t find out what they’re looking for. But the company knows how you use your card and deviations from that pattern makes them look into it. They might decide it’s nothing (if it’s obviously a vacation out of town, for instance), or they might contact you.
I had this happen to me once. We had a corporate credit card that was being used primarily for small items like postage and office supplies. Then we had our big event, in a different city, which charged thousands of dollars for a banquet and hotel rooms. You can bet I got a call from the credit card company.
I think they have a variety of algorithms that try to detect “unusual” behavior, based on their regular customer base and possibly tailored to you over time.
My Bank of America credit card has a very annoying fraud detection thing that I keep triggering every month or so. These things have triggered it:
Traveling too far too quickly (like on a road trip, buying things at gas stations along the way) will usually cause an alert the next morning
Buying things online from international vendors (like digital games from a UK vendor). In fact this happens every time I purchase with this vendor, despite me telling my bank to fix it and threatening cancellation.
Buying an unusually expensive item (one time it was $800, another it was $400) from vendors who I usually spend small amounts with
Things that did NOT trigger fraud alerts even though I thought they might:
Having the car rung up twice at the same establishment in a matter of minutes. I think if it’s the same amount they’ll just deny it, if it’s different they’ll let it through.
Buying things from adult stores or websites
Suddenly buying an item in another state or even country, even though my credit card company should not have known that I was traveling
Upon detecting these attempts, I will get a phone call from some random number telling me to call some other number, which I refuse to do. I will also get notified online via their app and via email telling me to go to some sketchy-looking website and answer questions about myself. They’ll ask, for example, “Which of these street names are you affiliated with?” and “Which of these cities have you lived in?” and “Which of these zip codes did you reside in?”. The first few times were sketchy – the identification website, lacking their domain name, could very well have been a phishing site itself, but my bank doesn’t seem to care.
Exactly; They most likely have pretty sophisticated computing resources dedicated to flagging anything fraudulent.
For me, they know that I’m a 40 year old man living in Dallas, who doesn’t charge much on my card, except for the occasional dinner here or there, and large purchases like appliances. If for some reason, they saw some transactions that don’t fit my pattern, or those of a 40 year old guy who doesn’t use his card much, that would be a red flag.
Yeah, I flew into an airport several years ago and the pickup from the car rental company wan’t there. I had no change, so I used a credit card phone. Then when I tried to pay for the rental car, the card was declined. (“Call the card company”). The computer flagged a suspicious transaction, they saked about the $1 charge and said many times someone does a small transaction to see if card works before doing a big transaction - plus the car company’s reserve was an eve amount - about $400 IIRC. Very suspicious.
A few years later, I got a phone call after a vacation to Amsterdam and NYC. They wanted to know if I had charged anything to a phone company in Columbia (!!). Then they completely cancelled my card and issued a new one.
From what I’ve heard, there’s a list of the sorts of things that set off alarm bells. Transactions out of your area, transactions involving services, restaurants, liquor, electronics - high value, easily resold items, certain merhant areas and types where it’s easy to get cash, etc. All this is computerized now and the computer will automatically flag “out of character” behaviour.
I tried paying for a trip recently, and had forgotten my Verified by Visa password. I figured it out by the third try, but next time nothing worked until I phoned the credit card company. As soon as I had messed up, they flagged the account. When more charges overseas were attempted, they disabled the VbV access. One phone call cleared it up.
Very good idea to tell the company if you are travelling outside the country, somewhere you don’t habitually go. That way they can check transactions and still block any that likely are nowhere near the travel area.
Back around 1990 I was taking a graduate AI course and it was mentioned that American Express had one of the most advanced Expert Systems in the world at the time for just this purpose. I don’t have a cite given how long ago it was, but even back then banks were spending a great amount of money and effort on a technological solution to this problem.
Yes, this is pretty much what my bank told me several months ago when my Visa debit card was compromised. I got a call on a Saturday afternoon that my card had been frozen. Whoever had gotten my card info had opened four Netflix accounts in the early morning hours. Apparently, Netflix dings your credit card or bank account for $1.00 just to verify that the account is good when you sign up for membership. Once the low-life thieving bastard knew my card was good, he charged over $1,000 worth of goods at an electronics store in Paris and another $2,000 worth of goods at a variety of stores in London. As I’m in the US, and use my card mostly for gas and groceries, this raised an enormous red flag.
I love the fraud detection people at my bank.
The same way Amazon, Google, Acxiom and the others do it: by closely tracking your every purchase. As others have noted, if you go outside your established pattern, it triggers a fraud alert. Aren’t you glad they’re watching over you so, so carefully? And all for your benefit, of course.
I’m sort of puzzled how things would work out for me if I was away from home and tripped their fraud detection checking. I do have a cell phone, but one that I only use for emergencies, and I am reasonably certain not even my bank knows it (since it spends 99% of the time off, I never fill in “cell phone number” on any forms). Since they would be unable to reach me I assume they would lock the card, but is there typically any indication when the card is declined that a fraud check failed as opposed to some other problem? I know now that one is supposed to warn credit card companies of travel plans just in case, but I can see serious problems could be caused by a false positive!
I’m glad they are watching over me… I just wish they would get it through their thick heads that when I tell them a charge is authorized then everything is ok. I have had my bank insist on cancelling cars and reissuing on more than one occasion even though nothing had been compromised.
My experience from the early days was terrible. I would fill the tank on my car, and when I tried to fill the wife’s my debit card was frozen.
Now I can fill two vehicles, but if I forget the gas can for the mower I will have to go inside so the clerk can swipe it.
It is a lot better now I Think.
It can be a good idea, especially if you don’t travel often, to call your card company and advise them you will be traveling to NYC or LA or whatever, and to please not have too quick a finger on the fraud button for obvious things in that time frame.
Any benefits to you are purely trivial, coincidental and of their convenience. The usual result of their benign oversight is finding your card doesn’t work.
This happens to me with my B of A card all the time too. It’s very frustrating, actually. The most recent one happened last week, and the charges they asked me about showed just how absurd it is:
About $10 from iTunes. I buy music and apps on iTunes at least once a week, and have for years. No way this is out of character.
A tank of gas from the gas station I use almost every time I need gas - 2-5 transactions per month for the last year plus.
Dinner at a restaurant in my town that I’ve eaten at a half a dozen times or more in the past year.
And that was it - that was all they asked about. At the same time, about six months ago, it took ME calling THEM to tell them that I hadn’t made several purchases as a Kroger and Wal-Mart in a state on the other side of the country where I’ve never been in my entire life.
I know this stuff ain’t trivial, but I don’t get the impression that B of A is doing an especially good job at it. The manage to inconvenience their legitimate customers repeatedly, while (at least in my case) missing real fraud…
Their fraud detection is pretty good but not always consistent. A friend of mine has bought the same ~$400 worth of items (not electronics either) from a company several times in the past, roughly 8 months apart. But for some reason the last time the charge didn’t go through. He called the bank and they allowed the charge.
A customer from Belgium has bought the same items from us 3 times and every time his credit card charge will not go through. He called his bank and they said the charge should be allowed. We try to run the charge and it says “Decline.” We called our credit card processor and they say it’s the customer’s bank that is refusing the charge. So where does that leave him? The last 2 times we split the order into 2 charges and it worked. This time we just had him pay with PayPal.
Really the credit card companies had a gravy train for many years, but with all this fraud stuff I feel bad for them. Well not too bad.
Why? It’s certainly making more work for them, but they don’t actually incur any direct financial loss, do they? I thought that fraudulent charges ended up getting reversed, i.e. any merchant who accepted a stolen CC for a transaction would end up with the transaction reversed, and would be uncompensated for whatever goods or services they provided to the fraudster.
I’ve had the exact same experience with Bank of America. They flag the most mundane charges and freeze the card until I call to confirm them, but never bat an eye when I order expensive things from obscure websites I’ve never used before.
You hope they use sophisticated algorithms and such, but a couple weeks ago, Chase left me wondering whether they had any clue how to deal with this regarding my debit card.
They sent me a text on the afternoon of the 14th asking if a $60 payment “at a video arcade” on the 10th was legit.
Gee, let me figure out the problems with that. First, maybe they could question that in less than 4 days’ time from when the payment was made? And then, perhaps, they could get the payment location right. It wasn’t “at a video game arcade” - which is why I had to quick log in and confirm whether there was indeed a second charge for that amount on that day. It was a payment made over the Internet to a video game company. I confirmed that it was OK, and thought well, at least they’re trying to monitor things.
I arrived home to find an E-mail questioning three more charges from that day/the night before - the $10 automatic payment to refill my mass transit account card, a purchase at the Chipotle near the train station (where I’ve bought food maybe every other or every third month for a couple years), and an ATM withdrawal at a Chase ATM at my workplace, where I’ve worked for years and done tons of transactions.
So if those fit any kind of “suspicious” filter, then I have no damned idea what “normal” is.
One thing that will trip the fraud detection is buying small amounts of gasoline several times in the same day. Long distance motorcycle riders resort to carrying several CCs for this reason.
The credit card company still has to pay people to take fraud claims from clients, process them, investigate claims, comunicate with the merchants, reissue the actual credit cards, etc. They also have to deal with a loss of confidence (& potential loss of business) from clients and familiar fraud (ie the client is actively trying to defraud the bank, or a client’s family member is commiting fraud). Also the bank can’t always get the funds back from a merchant. I know banks usually have to eat fraudulent cash advances.