How was my Credit Card Compromised?

(I see there is a thread with the same title from '04. Some things never change.)

My credit card is payable on the 12th. On February 11, I noticed large charges I did not authorize. I called the bank at once and cancelled the account. Oddly, it took the bank four weeks to send me a new card.

I got the new card about 13 March, Monday of this week. I went to Amazon and change my payment information. I went the the gym for the same purpose. Nothing else.

Last night I got a suspicious call from someone claiming to be my bank. They asked the sort of questions my bank would already know. They did not seem to know my new credit card number.

(By the way, although caller ID did show my bank’s number, the call disconnected several times and the customer service lady apologized when she called back. “Our system is having trouble.” Is this a clue?)

Today I went to the bank. They said they had not called me. I have now cancelled my second card.

Any thoughts?

Perhaps having frauded the first card, they called me to try to do it again. Perhaps Amazon or the gym compromised my card. Could my laptop be hacked somehow? My computer does auto-fill my credit card number when I buy stuff. I am not paying for any additional security software. I do not use my credit card on my phone.

Frankly I admire the entrepreneurial spirit of these people.

New card from a different bank.

I’m genuinely puzzled, why did it take them that long to get you a new card? Are you not physically near your bank? I can’t actually remember the last time a bank didn’t just print and issue a card for me before I walked out the door, credit or debit.

I’ve never had anyone do that for a credit card, only for a debit card. Last time I had to get a new card, it took me about two weeks to receive it. However, it was just a new credit card number for the same account. However, my bank is a credit union and they outsource the credit card accounts.

When you say you “canceled the account” do you mean you canceled the card and asked for a new credit card number (or the bank did), or did you actually cancel the account and then make a new account? If the latter, that might explain why it took longer than usual for you to get your new card.

Receiving that phone call does not mean your second card was compromised, especially since they didn’t know the number. It could have been the same people making a try or someone completely different.

I discovered the first fraud and called the bank at once. Then the next day I printed out the statement. IZ discovered more odd transactions and called again. Somehow that confused them. As for your question, I cannot really recall.

I presume they may have decided to try to use your old card and realized it was cancelled. The presumption would be you got a new card, so it can’t hurt for them to try to scam the details of the new card. Maybe they’ve hacked Amazon and they can tell there is a new card, but since your computer, not Amazon, autofills(?) all they know is that there’s a new card. Or maybe someone can tell from the gym you got a new card, but can’t access your card details. Maybe timing is coincidence, they just wait a month to lull your suspicions.

Quite often records like receipts only list last 4 digits of the card, so if someone quotes just that, it may also indicate a scam.

AFAIK autopay places can store your card details, but not that CCV 3-digit code. (BIIIIG penalties for that) So there’s a limit to what a hack can get and what they can do without some additional input from you.

So we can agree that my laptop has not been hacked? Seems to me that the phone call was an attempt, but in truth the second card was not compromised.

We had 3 cards compromised in as many years before we figured out it always happened after we’d made the drive to Florida and back to visit my husband’s family. We’re pretty sure our cards were skimmed or something at one of the gas stations along the way.

BUT I don’t save my credit card info on my computer or on any accounts where I shop on line. I use it enough that I have the number, date, and CVV memorized and I’d rather enter them every time than trusting various businesses to keep them secure. I also don’t order from my phone - OK, maybe pizza on the way home - nor do I do business on any wifi other than mine or family’s.

Plus we now have a card with a very small credit limit that we use for gas and food on the road. So far, so good.

Apparently the continuing chip shortage is seriously delaying new credit cards.

I don’t think the new card was compromised. I think the people who stole your first card realized you had cancelled it (quite possibly just because the number no longer worked) and called you in the hopes of getting your new number. So long as you didn’t give them any information over the phone, the new card is probably stop fine. I wouldn’t bother to cancel it.

(Unless you’re afraid you have them important info. In which case, cancel ASAP.)

If you are in the US, this is unnecessary for a credit card. Federal law limits your liability to $50, so long as you report the fraud when you learn of it. That limit was set agrees ago, and is now absurdly low.

Debit cards don’t have that limit. Which is why i use a credit card in preference to a debit card.

In theory, either way you generally get your money back.

The difference is, on a credit card, you don’t owe the money unless your fraud claim is denied. On a debit card, you don’t get your money back until the fraud claim is approved.

Except that a number of our bills are paid automatically via VISA so when the card is compromised, I have to change our payment info on every one of those accounts. And we do it that way because we get cash back on all transactions.

Having a second credit card for riskier transactions may make sense for you. You don’t need it to have a low limit, that’s all i meant to say.

My credit card seems to get invalidated for no obvious reason about once a year.
I’m sort of resigned to it (have to reset various autopay arrangements etc).

But yes, there seems to be an upswing in calls claiming to be from the bank about fraud.
They are getting much better at this: no obvious foreign accents any more, for example.

The advice remains the same: don’t give out any details on an unsolicited phone call.
And check your account daily online.

Our credit union offers an alert service. I have ours set to notify me of any charge over $25 as well as any charges made on line. It’s great for my peace of mind - especially when I get the “Order shipped. Your card has been charged” spam emails. They claim to have charged me $782.47, but since VISA hasn’t texted me, I know it’s BS.

I got a call from Amex many years ago telling me they were invalidating my card due to possible fraud attempts (trying to make charges to a telephone company in South America!). They told me they’d send another card different number. However, checking my statement, someone used the allegedly cancelled card to book a ticket (never used) from Manila to Hong Kong, complete with someone’s name. (Back in the days of travel agents). So I had to call Amex customer service and ask how someone could put a charge on my card the day after it was cancelled. They removed the charge.

I’m guessing my card was compromised during a trip to New York, where it was used for assorted expenses - restaurants, hotels, etc. Good on Amex for catching the first suspicious transactions.

I do wonder if their fraud department has a program that notes where fraudulent cards have a common nexus. I recall one store in Toronto caught making fake ATM withdrawals - They were early adopters with a pinhole video camera in the ceiling to record PIN numbers and skimmer to read cards. But I assume it didn’t take long to figure out that the common point when people complained about wrong withdrawals, was a small coffee shop in downtown Toronto.

OTOH we arrived at an airport once, tried to make a call fo the car rental agency, but the credit card phone did not work. When we finally got to the rental, our card was declined, we had to talk to the card hotline. Apparently their automated fraud detection decided that when we had spent a dollar on a (failed) phone call that was seen as testing if the card worked before presenting it for a large transaction. After a few questions to check us, they took off the hold on the card.

When my card was used to buy plane tickets in India, my CC company said my card probably hadn’t been compromised but that the number had been randomly generated and tried.

More recently, I was told that a hotel was probably the weak point in last year’s compromise and that I might want to pre-pay on Booking when I’m close to the date of stay to reduce vulnerability.

This is my assumption. Today I got two messages asking me if I authorized $900, please reply yes or n. I replied no. When I got home I called the bank. The lady who talked to me said the bank had not tried to contact me.

I am not sure if I believe her or not. In any case, I am not happy about this situation.

I assume the follow-up if you reply is “can you verify the card details so we can verify?” to get the card number etc. - unless they specifically showed that they knew the card number already. If it’s not the bank looking for confirmation, it’s part of the phishing I assume. It may be pure coincidence and not even related to the previous attempt or it may be the “let’s see if we can get the replacement card details” scam.