So for the first time in my life (to my knowledge), someone managed to steal my credit card number and attempted (but failed, thankfully) to use it at a couple of major retailers. I have no idea whether I screwed up somewhere, or if I was a victim of one of the major retailer database thefts, but that’s not really important for this thread.
What I’m curious about is exactly how my info was used. In this case, I got info from my credit card company about the amounts that were attempting to be charged, the retailers (Macy’s and Best Buy) and the location of the retailers (both in Washington State). But what I don’t know is, do these people who steal the numbers (or some third party who buys the stolen info) print new credit cards with the info and attempt to use them in person? Or are they trying to buy things online and have them shipped…somewhere? It seems like you’re risking quite a bit using either method, but I admit to not knowing much about how any of this works.
I’d love to get theories or precise information about my situation, but feel free to share your own experiences in the thread as well.
If I print a new card with your number and go to an out of state Best Buy (so no one recognizes me), I don’t think I’m taking that big of a risk. Especially if I, say, take the plates off my car a few miles before I get there, spend a few grand on your card, go to another store, spend a few grand on another card, lather rinse repeat, drive away, put the plates back on my car and drive home.
On the other hand, I think it’s common to just use them on the internet and have the items shipped somewhere that they can pick them up. I know of two empty houses off the top of my head (houses getting flipped, they’ll be unoccupied until spring if I had to guess). It would be trivial to send something there and watch for it to show up.
Since they were both in the same state, I’d guess that someone encoded a mag stripe with your CC info and bought some stuff at those stores. The only way the store is going to notice is if the cashier happens to catch that the number on the front of the card doesn’t match the number that comes up when they swipe it. But I think you can buy something to emboss cards now, so that fixes that.
The risk I’m thinking of with regard to the in-person purchases relates to what actually happened in my case, which is that the purchase was declined in both instances. I had more than enough credit to cover both purchases, so the only reason the card was declined is because the attempted purchases triggered a fraud alert. Given that the credit card company knows exactly where AND when the attempts were made, I’d think retailers could provide security video of the crook if authorities wanted to go after them.
Is this not a risk because credit card fraud is so common these days that no one would bother going after a single offender?
Is very rare for the banks to pursue it. When they’ve got hundreds of millions of dollars of transactions moving through their systems every few hours, they’re not going to spend their time worrying about a declined transaction on a stolen card. Their computers did their job (declined it, turned the card off and called you) and that’s the end of it. If any transactions went thought, they’d repay you and move on. I assume there’s some threshold after which they do call the local authorities or FBI, but I’d assume that’s it’s something over 10 or 20 thousand dollars or if they can pin point many stolen cards to one person/location.
But, FTW, I always thought it was odd that they don’t just call the local police give them the info and let them decide if they want to deal with it. In cases like these, they’ve got camera footage. My assumption is that since it may involve interstate commerce, sworn statements from the cardholder and the bank, cooperating store owners etc, it may just not be worth it.
I’ve had two cards compromised (the physical cards stayed with me but the info was stolen). In both instances, they must have made physical cards because my account showed the store locations such as “Target #5512, Chicago”. So they were being used in person.
The first time was incredibly obvious to the bank and the card was shut down immediately. While I was paying for breakfast in the Chicago suburbs at the same place I do every Sunday morning, someone in Atlanta was trying to buy gas and shop at Marshalls. Bank figured that one out in a hurry.
Second time, was more local. Two Targets in the general area. The good news was that the account compromised as sort of a hold-over account from my single days and had maybe $24 in it. I don’t know what it costs to buy a fake credit card but I hope it’s more than $25
The weird thing was the charges though – they nailed it right on the button. Say I had $24.41 in there, the charges were:
Target #0001, Chicago - $19.17
Target #0002, Highland Park - $5.24
…bringing the balance exactly to zero. How does one manage that?
They had your PIN. When I swipe a PIN based debit card for too much money it’ll just take what’s on it and ask me to collect the rest. So, for the second transaction they may have swiped if for $15.73 and the machine said “$5.24 available, collect $10.49?”. The cashier then asks the person if they can cover the rest of the amount due, if the person says yes, they tell the CC terminal to continue with the sale and collect the rest of the balance with another form of payment, if the person doesn’t want to they cancel the sale and it reverses the charge.
So, I’d work on the assumption that someone has your PIN, but I probably wouldn’t worry about since you have a new card number and that old card number was probably the ONLY piece of info they had about you.
The the best of my knowledge, if they had just swiped the card like a credit card, it would have declined if the sale was for more than you had in your account (or it would have over drawn you). I’ve never seen the situation as I described above happen without using a PIN.
OTOH, maybe he just got lucky with the two charges.
AFAIK, as a merchant “decline” just means decline. I assume the presenter is just over their limit, but I don’t think my terminal says anything other than “decline” if the card is stolen.
First, for the guy with 24.41 or whatever, your pin is not required, per se, if the retailer has a quality POS it can recognize a prepaid/reloadable/whatever card and figure out how much is left on a credit transaction as well. Kroger, for example has a POS like this where it almost always can figure it out and I don’t have to tell them to do a split tender manually. (I get a lot of prepaid cards from rebates).
Second, for your stolen card, it depends where they stole it. The number itself is not enough to buy anything at most retailers unless they hand punch it in. To encode a physical card you need the CVV1 (found only on the mag stripe). To pay online you generally need the CVV2 (printed on the card itself, NOT found on the mag stripe). Some less smart merchants online don’t require the CVV2 but the fraud that generates generally brings them in line.
So if they stole the card from one of the merchant breaches recently, they have CVV1, but not CVV2 - so they cannot use it online easily but can make a physical card. If they stole it from a breach on some website, the reverse is true.
It is very rare for me to hand a debit or credit card to a live clerk to make a purchase. I swipe it through the card reader, answer “debit or credt?”, enter PIN if debit, and the purchase is approved.
If you have someone’s debit card and don’t know the PIN you can run the same card as a credit card and you don’t need the PIN.
And when you sign for a credit card purchase on the screen of the card reader it isn’t actually verifying your signature at all. Sure it pauses and says it is verifying but you can just make a scribble, XXX, or sign Mickey Mouse and the purchase will be approved. Try it next time with your own card. Sign anything and get approved.
Yeah, those digital signature pads are a joke. I don’t even know what the purpose of them is supposed to be since even your own signature winds up looking like a ridiculous scrawl on them.
As a merchant I have to keep all those signatures on file for quite a while (18 months?). I have thousands and thousands and thousands of little peices of paper in boxes just so that if someone disputes a charge I can pull up their signature. The electronic version eliminates the paper and reduces it to a hard drive stored somewhere.
The scrawl is probably still close enough for you to recognize it as yours and a lot of people aren’t trying to get out of paying their bill they just honestly don’t think they were at the store. Seeing their scrawl vs someone else scrawl may be enough to say ‘yeah, that’s me’. Hell, half my disputes are people that just don’t remember coming here and the majority of the people that come stomping in here with the credit card bill in hand, before they even start talking I can say 'wait, wait…it’s the gas station up the hill, did you go there?" and they say ‘oooooooh, that makes sense’. (They used to have a similar name to us, but still have it on their merchant account).
depends, many terminals are set against something so that left handers like me can’t sign. So swivel but many don’t . If I can’t get my left hand in I just make a short line with my right hand. Don’t know about recognizing that.
My card infos were stolen once, and were used in Cyprus. What I fail to understand is that the crooks made 2 or 3 small purchases in the €10- €30 range. Why didn’t they just buy nice stuff worth in the thousands?
In my case, they attempted a nearly $1100 purchase at Best Buy, and then, almost exactly an hour later, they tried a much smaller purchase (a little over $100) at Macy’s. I assume they thought that the first purchase was over my limit.
