How was my credit card number stolen?

Factual Questions
1

To start with, everything seems fine now—my bank caught the fraud immediately, refunded the small amt. of the illegal charge, and has since replaced the card. But I want to know more about the whole process of how my credit card was stolen…

Last weekend, my bank called me and said that it noticed some suspicious activity on my card and had frozen it. I was traveling, so I assumed they saw me in the new city and panicked unnecessarily. Nope. It turns out the charge was in a third city, near my mom’s place in PA—which I had visited back in April.

So, here are the three charges I made in April, and the new illegal charge:
Apr 20, 2017TARGET 00012914 PHOENIXVILLE PA

Retail Stores

($23.16)
Apr 20, 2017

Apr 20, 2017

SURF N TURF INN JOHNSTOWN PA

Miscellaneous Stores

($89.09)

Apr 19, 2017

Apr 19, 2017

PF CHANGS #9864 COLLEGEVILLE PA

Miscellaneous Stores

($87.81)

2

One of the wait staff at the restaurants stole your number?

3

[Sorry for the post mess; I was hitting TAB to space out the chart of charges, and my browser toggled me around the page until it hit SUBMIT.]

To start with, everything seems fine now—my bank caught the fraud immediately, refunded the small amt. of the illegal charge, and has since replaced the card. But I want to know more about the whole process of how my credit card was stolen…

Last weekend, my bank called me and said that it noticed some suspicious activity on my card and had frozen it. I was traveling, so I assumed they saw me in the new city and panicked unnecessarily. Nope. It turns out the charge was in a third city, near my mom’s place in PA—which I had visited back in April.

So, here are the three charges I made in April:

**Apr 20, 2017 TARGET 00012914 PHOENIXVILLE PA ($23.16)

Apr 20, 2017 SURF N TURF INN JOHNSTOWN PA ($89.09)

Apr 19, 2017 PF CHANGS #9864 COLLEGEVILLE PA ($87.81)
**

Here’s the illegal charge:

Jun 4, 2017 WAWA 57 00000570 PAOLI PA ($81.85)
(Wawa is a convenience store/gas station chain.)

My card has a chip. How was it stolen?

My money is on the waitress at PF Chang’s—that she or a colleague wrote down/cloned the card info. But then how does she use it? I don’t know enough about CC fraud. Can they just load the info onto a dummy card and then use it in a swipe (non-chip) terminal—like a gas pump’s?

It could also be random coincidence that the card was used fraudulently in PA—it could have been stolen anywhere in the country/world, and then just happened to have been used there… but I’m disinclined to believe in that level of coincidence.

Thoughts?

4

You can write the credit card info onto any mag stripe card if you have the right equipment. Then, yes you’re right, use it in a place that has a terminal that doesn’t take advantage of the chip. If it’s a gas pump or something where the card does not need to be checked by a human, even better.

So odds are some waiter perhaps watched you type your PIN if necessary, and then copied the data from your card.

IIRC, the incentive to move to chip authentication is that the merchant will eat any cancelled charges if they haven’t upgraded to chip terminals or did not use the chip.

5

Does that WAWA use chip reading terminals? Some fast-food places don’t, since they don’t want it to slow down the line. If that was the case, then they could just clone the info in your magnetic stripe and use the card. They would need a card reader and card writer that clones the stripe.

What is SurfNTurf? Did they have a chip reader?

6

I’ve never met a credit card machine that you couldn’t just punch the numbers into the terminal with.
It’s entirely possible someone physically wrote down your card number, then took it to Wawa (several months later) and keyed it in.

If you wanted to, you could try to get the highest manager/supervisor you can at that location and have them pull the security footage from the time the card was used. It’ll be very clear if a random customer swipes ‘your’ card or if an employee pulls a piece of paper out of their pocket, types the number in, then takes $87 from the register (or uses the money in some other way).

However, if it’s a c-store/gas station chain you might not get very far with that approach, but a charge was generated with your number at that location, someone did it and it’s probably on camera.

7

It wouldn’t have been a PIN purchase—she took the card away, ran it, then brought the card and print-out back for me to sign.

That’s interesting. I wonder if the folks at Wawa ate the amt. of that charge.

8

Wawa is a convenience store chain (like 7-Eleven) in the greater Philadelphia area. Some of them now have gas pumps, too. Though I just checked the store in question (#57, in Paoli), and it appears to be one of the older kind, sans gas pumps.

SurfNTurf is a very old-school restaurant in Johnstown, PA, which is a good 200+ miles from this particular Wawa. Possible that it happened there (again, it was a waitress-takes-card-away, brings-back-receipt-to-sign situation), but the distance from the scene of the crime would make it less likely than PF Chang’s (best opportunity) or Target (which has chip readers).

9

Interesting. Hadn’t though of that.

I wonder, in particular, if it was a customer, or if it was an employee who typed it in. Definitely might get less cooperation if it was the latter.

Also just looked back at the details of the transaction, and my bank doesn’t give time of transaction—just date. So couldn’t narrow it down closer than that.

I wonder how curious the companies (my bank, Wawa) are about finding the perps in these situations. Is it worth it to them to pursue evidence like this, or do they just write it off as a loss that isn’t worth the time it would take to investigate/prosecute?

10

I once watched as a McDonald’s drive thru worker fumbled around with my card and her phone. The next day fraudulent charges from another state started appearing and was caught by my bank. They can take a video of the card quickly and forward it on to an accomplish immediately. Crooks these days don’t have time for writing stuff down.

11

Hackers stole millions of credit cards from Target , so maybe it happen there ?

12

Besides these ways of managing credit card fraud you’re seeing here, the whole thing can be done digitally. Your credit card number and personal information can be stolen from a retailer database and run through a credit card clearing house from a computer anywhere in the world.

There are myriad ways to defraud banks both sophisticated and not so much. It happens way more than you would imagine.

13

Yes, I admitted that possibility in my earlier post. It could be pure coincidence that the fraudulent purchase was within a few miles of places I had used the card legitimately, on a rare trip 3500 miles from home. It may just have happened that way. Odd, though, that it be used there, and at a convenience store, no less.

14

The EMV liability shift is only for a very specific set of circumstances and this probably wasn’t one of them.

You can’t, but they (Wawa) can. A customer can call me and ask me about a charge and, from my end, I can (with some minimal information from the card holder) pull a copy of their receipt, their signature (if they signed), the time stamp and if it’s not far enough out, the security footage.
And none of this takes me very long either.

Your bank won’t do anything about $87. It’s gone they’ve already moved on. At best, it’s probably a foot note in Wawa’s file and some how tagged with some location data so they can keep an eye out for trends.
If it happened at a small store someone could pull some information that could be turned over to the police, but as I said earlier, I’d be surprised if a chain store is going to bother with that. They’ve still got their money…maybe they’ll poke around to see if an employee was involved, but I don’t know if you’d ever hear back about it.

15

So generally at what dollar value will a bank or business take action on a one-time theft or fraud? It sounds as though while the act is illegal and it’s trivial to figure out further details on who did it when, that never the less if a person manages to -in whatever form- grab a small amount of someone else’s money or property and have it remain undetected for more than a few minutes, that it won’t be pursued and that person gets to keep whatever they stole (as long as they don’t make a habit of it).

16

I suggest you call PF Changs, however.

17

I go through this same situation about twice a year on average with my business bank card. There are no consumer protections on business accounts so I usually have to eat the charges myself. Because of that I would keep my limit set very low the majority of the time and call for it to be increased on the days I do purchasing.
I have only found out where the number got jacked once, and that was only because the store (Macy’s) got hacked and contacted me about it. I have a few guesses though and change my behavior based on those hunches. I figure it’s usually a gas pump card skimmer, hacked store or e-commerce site, or someone in hospitality staff. Depending on the situation I lose about $100-$1000 each time it happens. The bank, processing company, stores, police and customer service people don’t care and its up to me to fight to get my money back and it rarely happens. I would say over the passed six years I’ve lost about $3500 and I’ve managed to recover about $1200 of that money. The last time this happened was actually yesterday ($250) and I still have a case open in Georgia with Victoria’s Secret ($550) from the time before that which was about nine months ago.
Its a real problem and because very little is ever done its going to continue. For the average person, its not too big of a deal because the bank or card company will refund the money and the banks insurance will cover their loss because that’s what they’re paid to do. But It sucks for me.
After the incident nine months ago I switched to using a consumer credit card instead of my bank card most of the time but that’s a huge hassle. Purchasing usually takes me five or six hours but now takes all day at least. I also have to spend a lot of time transferring money around to keep from getting charged interest on credit cards. The only good thing is that I use rewards cards and get a little back from that. I used my southwest card for the last two months and now the wife and I are going to fly to Vegas for for free on our anniversary.

18

Wawa is a 700+ store chain. As a sometimes customer I know hey run a good operation. I have no clue about the specifics of their operation but are ‘tapes’ held locally or saved to some central server? This means the manager needs to call corporate security to have them look at the footage. Central security does whatever’s necessary to get the appropriate footage, but now what? Assuming it’s a customer & not an employee, they know what the customer looks like but not a name or address for this person. At most, it might end up on PPD’s facebook page - “Do you know this person?” Unless they get a break, they don’t know who they’re looking for, & for a relatively small dollar, non-violent crime my guess is they don’t bother.

Now if someone walks in with a knife & demands the clerk open the cash register but only makes off with $50, that’s a wholly different crime because of weapons & violence.

19

I live in southern California.

On the same day, someone tried to use my CC number to pay for a dinner in San Francisco and pay for a parking ticket in Chicago.

It wasn’t too much of a problem. My CC company just over nighted a new card to me and refunded the fraudulent charges.

20

I ad a credit card used for $999.99 online. Perhaps $1,000 trips a trigger. I was able to have the charge removed.
Do the credit card companies eat this?