
VISA card compromised - why, how, when, who

  • 30-09-2015 8:20am
    #1
    Registered Users Posts: 357 ✭✭


    Hello,

    Never thought it would happen to me, but here I am... my card / my account has been emptied and over a few days, well, apparently I did lots of shopping.

    What are the options here, how does the system work from the end user's perspective, the bank's, the shop's and from the "fcuker" that stole the card details?

    Thanks.


Comments

  • Registered Users Posts: 81,297 ✭✭✭✭Atlantic Dawn


    Probably emptied in the US where they don't use chip and pin for point of sale transactions if I was to guess?


  • Registered Users Posts: 357 ✭✭Ctrl Alt Del


    Probably emptied in the US where they don't use chip and pin for point of sale transactions if I was to guess?

    Yes.

    I would love to find out how they managed to get my card details...
    How is it possible? I didn't do any ATM transactions, just PoS and online.
    How can I run back the track to see where it originated from?

    Which supplier got hacked, can I afford to have my suspicions, can I be right or wrong?


  • Closed Accounts Posts: 720 ✭✭✭anvilfour


    Yes.

    I would love to find out how they managed to get my card details...
    How is it possible? I didn't do any ATM transactions, just PoS and online.
    How can I run back the track to see where it originated from?

    Which supplier got hacked, can I afford to have my suspicions, can I be right or wrong?

    Hi Ctrl, I am so sorry to hear you've been defrauded - I take it you've already been in touch with your bank?

    Last time this happened to me around 8 years ago they asked me some questions and the money was put back in my account.* It's probably just a question of using the wrong website, but there's no harm checking your computer over, making sure you don't have any third party extensions installed in your web browser or any programs you don't remember installing to make sure there are no key loggers on your machine.

    *this took several weeks though from speaking to other users on here this process is much faster nowadays.


  • Registered Users Posts: 81,297 ✭✭✭✭Atlantic Dawn


    Yes.

    I would love to find out how they managed to get my card details...
    How is it possible? I didn't do any ATM transactions, just PoS and online.
    How can I run back the track to see where it originated from?

    Which supplier got hacked, can I afford to have my suspicions, can I be right or wrong?

    Very hard to say. I am not sure if the scammer needs a full skim of the card to obtain all the data from it or do they just need the actual details printed on the card in order to make a dummy card they then use for POS transactions. Happened to me once but the bank wouldn't confirm any details as to how it was done, they just got me to sign a document saying it wasn't me who withdrew the money and I was refunded.

    Did any shop ask you recently to put your card through the old method like this machine below...

    type-or-swipe-4.jpg


  • Registered Users Posts: 1,931 ✭✭✭PrzemoF


    I did shopping online in a bicycle shop, but the parcel wasn't coming for ~2 weeks. Called the shop - they told me that the webpage was compromised. In the meantime my card was blocked, I got contacted by my bank and they told me that someone was trying to do some shopping that didn't match my normal activity (I don't remember the details, but buying 2 iPhones somewhere far away from Ireland is not something that I'd normally do ;-) ). The shop owner claimed that they lost control over the server and that's why the page was compromised, but stayed online. No money was lost and the card was replaced.


  • Closed Accounts Posts: 720 ✭✭✭anvilfour


    Very hard to say. I am not sure if the scammer needs a full skim of the card to obtain all the data from it or do they just need the actual details printed on the card in order to make a dummy card they then use for POS transactions. Happened to me once but the bank wouldn't confirm any details as to how it was done, they just got me to sign a document saying it wasn't me who withdrew the money and I was refunded.

    Did any shop ask you recently to put your card through the old method like this machine below...

    type-or-swipe-4.jpg

    See also:

    http://mashable.com/2014/06/13/p-f-changs-credit-card-hack/#_24Otw1njmqr


  • Registered Users Posts: 81,297 ✭✭✭✭Atlantic Dawn


    anvilfour wrote: »

    Shocking the risks that this opens up, such a backward country that they can't just implement chip & pin.


  • Closed Accounts Posts: 720 ✭✭✭anvilfour


    Shocking the risks that this opens up, such a backward country that they can't just implement chip & pin.

    From their perspective too there is no way to check that a card has insufficient funds or has been stolen - also if anyone gets their hands on the stack of carbon copies of cards then it's good night Vienna...


  • Closed Accounts Posts: 1,322 ✭✭✭dbit


    A whole multitude of methods could have been used to obtain the card info. Also possible but not mentioned here yet is that the POS of a store could have been compromised with a card-scraping, memory-resident malware app. A dirt bird in a restaurant could have used a skimmer that looks like a wrist watch (never let them walk back to the till with your card). Most likely, as mentioned already, is the DB of a dodgy or compromised website. As a rule I only use PayPal; if they don't accept it I find a store that does (full reversal of up to 30 days or purchase protection also; not happy - then all funds returned).

    Simply put, even if the site has an encrypted symbol for the connection, it's still better never to give out card details to anyone, as the DB they store this info in is usually the first thing a hack team goes after. (You would not believe the ease with which some are taken.)

    The bank will replace your funds, don't worry about that. I just hope you didn't buy into any one of those silly recurring-charge small-print doohickeys.


  • Closed Accounts Posts: 720 ✭✭✭anvilfour


    dbit wrote: »
    A whole multitude of methods could have been used to obtain the card info. Also possible but not mentioned here yet is that the POS of a store could have been compromised with a card-scraping, memory-resident malware app. A dirt bird in a restaurant could have used a skimmer that looks like a wrist watch (never let them walk back to the till with your card). Most likely, as mentioned already, is the DB of a dodgy or compromised website. As a rule I only use PayPal; if they don't accept it I find a store that does (full reversal of up to 30 days or purchase protection also; not happy - then all funds returned).

    Simply put, even if the site has an encrypted symbol for the connection, it's still better never to give out card details to anyone, as the DB they store this info in is usually the first thing a hack team goes after. (You would not believe the ease with which some are taken.)

    The bank will replace your funds, don't worry about that. I just hope you didn't buy into any one of those silly recurring-charge small-print doohickeys.

    Some excellent advice dbit thanks.

    When it comes to placing orders, I believe HSBC used to offer a service with online banking where you could generate virtual credit card orders on a one time use basis which I thought would be an excellent way to prevent fraud - naturally though you couldn't use these in a restaurant, maybe if you called ahead?

    Wished the banks over here offered this service.


  • Registered Users Posts: 68,317 ✭✭✭✭seamus


    I would love to find out how they managed to get my card details...
    How is it possible? I didn't do any ATM transactions, just PoS and online.
    How can I run back the track to see where it originated from?

    Which supplier got hacked, can I afford to have my suspicions, can I be right or wrong?

    Very difficult overall to track it, even for the card people. At a higher level they can group fraudulent transactions together and see if there's any link between stolen cards and recent purchases made by those cards. But even then it's not straightforward.

    A terrifying number of online sites get compromised or have data stolen without ever being aware of it.

    So from your point of view there's little to be gained except personal curiosity in trying to track this back.

    The reason that the US hasn't switched over to this is that credit is king in the US. If one card issuer or payment processor tells shops and customers that they're moving to chip & PIN and will stop accepting payments without, then people will move to another provider who will.
    The credit market is enormous in the US, with a lot of competition, so providers have been willing to take the hit on fraud in order to maintain their customer base.
    In Europe, the market is far smaller and consumer protections far higher (and therefore more costly), so the transition was much more straightforward. EU retailers are by and large also much less resistant to enforced change than US ones.

    The US will have it implemented in the next couple of years which should see a rather dramatic drop in card fraud for European customers. Russia and China are still potentially huge hives of fraud activity, but far easier for card issuers to block and detect.


  • Closed Accounts Posts: 1,322 ✭✭✭dbit


    anvilfour wrote: »
    Some excellent advice dbit thanks.

    When it comes to placing orders, I believe HSBC used to offer a service with online banking where you could generate virtual credit card orders on a one time use basis which I thought would be an excellent way to prevent fraud - naturally though you couldn't use these in a restaurant, maybe if you called ahead?

    Wished the banks over here offered this service.

    We do have disposable credit cards available in this country; they are not really in line with the ease of use of a credit card and quick online purchases, so yes, I agree with you. If my credit card is in the hands of another then I never let them leave my side - I have stopped some clerks/sales people a few times from this practice (esp. when abroad).

    PayPal really is the dog's nuts when it comes to being protected, and my CC number or details never go anywhere beyond PayPal. You cannot trust any website to retain your information securely, simple as that - why - because you don't know the loose or lack of control they have over this info.

    A great book to read on this would be "The Art of Deception" - in this book you see so many ways that a human can be tricked into giving away personal details for intended targets.

    I even tried it on a buddy (with his permission) with a local video store (national chain) after reading this book, and just as easily the information I was after was given - all it takes is a few friendly phone calls and a false placement of the notion that you too work for that same chain but in another store and, as "our own" computer systems are on the blink, could you do a quick lookup for an address and card number - hey presto, info freely given out.


  • Closed Accounts Posts: 1,322 ✭✭✭dbit


    A little bit of light reading on the card techs and some of the standards we are all supposed to have adopted:

    Yes, it's branded by work but fairly informative and brief.

    http://blog.trendmicro.rsvp1.com/trendlabs-security-intelligence/moving-forward-with-emv-and-other-payment-technologies/?mgh=http%3A%2F%2Fblog.trendmicro.com&mgf=1


  • Registered Users Posts: 1,667 ✭✭✭Impetus


    Under EU law, if the retailer (eg in the US) who debited your account did not participate in the PIN process, the liability for proving their right to debit your account is on their shoulders.

    You should demand that the card issuer refund you in full for the amount stolen.

    To process the transaction with a PIN they would have had to have the card present at the point of sale. I am assuming that you are still in possession of the card.


  • Registered Users Posts: 1,667 ✭✭✭Impetus


    seamus wrote: »

    The reason that the US hasn't switched over to this is that credit is king in the US. If one card issuer or payment processor tells shops and customers that they're moving to chip & PIN and will stop accepting payments without, then people will move to another provider who will.
    The credit market is enormous in the US, with a lot of competition, so providers have been willing to take the hit on fraud in order to maintain their customer base.

    The US is moving to chip and sign, rather than proper EMV processing which requires a PIN at point of sale. They are spending all the money on issuing chip cards and retailer card reading equipment, and leaving the system open to signature fraud. They are spending 95% of the cost of installing a proper EMV system and leaving a gaping hole where fraud will continue to fit through.

    In the EMV system, if a card is stolen, the thief has 3 chances to guess your PIN. After 3 failed attempts, the card locks up, and has to be unlocked at an ATM (after contacting the issuing bank).

    Chip and signature only makes it more difficult to clone a card. A "pickpocketed" chip and signature card is as secure as an old fashioned mag stripe card.


  • Registered Users Posts: 9,253 ✭✭✭markpb


    anvilfour wrote: »
    Some excellent advice dbit thanks.

    When it comes to placing orders, I believe HSBC used to offer a service with online banking where you could generate virtual credit card orders on a one time use basis which I thought would be an excellent way to prevent fraud - naturally though you couldn't use these in a restaurant, maybe if you called ahead?

    Wished the banks over here offered this service.

    Why bother? If your credit card is compromised, ring the bank, dispute the transactions, get the items removed from your bill and get a new card. It's all painless and shouldn't affect the amount you pay them at all. It's happened me twice and a quick phone call (from the bank to me) sorted it out.

    If it's a debit card, it's a slightly different story because the delay getting your money back is (very) inconvenient.


  • Closed Accounts Posts: 720 ✭✭✭anvilfour


    markpb wrote: »
    Why bother?

    Simply because as the old adage goes, prevention is better than cure... :-)

    I don't have oodles of money to do without for 24/48 or however many hours or days it takes for the bank to recognise the transaction as fraudulent and refund the money, I also don't want to have to wait several working days for a new card to be issued each time I am a victim of fraud.

    My last experience actually dragged out for nearly 6 weeks and I vowed never again to use my main debit card for online transactions. Now I have a separate account into which I only move just enough for whatever I am ordering but this is a bit fiddly compared to using a virtual visa.


  • Closed Accounts Posts: 1,322 ✭✭✭dbit


    Reducing the surface area and the chance for something to happen is always the best way to go.


  • Closed Accounts Posts: 3,006 ✭✭✭_Tombstone_


    I've malware on my main machine (I use another auld machine for buying and banking only, 'tis the only way). It's called Level 3 search and the few AV lads I've tried - Malwarebytes, Avast, MSE - can't see it. I wouldn't even know it's there except that it hijacks searches; it's rare it actually does this, hasn't done it in two days. Reading about it, it can record all inputs into all browsers as well. I used to use different browsers for different things thinking it added a security layer... anyway, it'd fairly own ya.

    I got it off Google or, more precisely, one of their dodgy ads that I foolishly let through Adblock on a few sites lately that I'd use a lot. They're all blocked again now. It's my first dose of malware ever.

    I'll format the machine over the weekend, it needed a cleaning anyway.


  • Registered Users Posts: 335 ✭✭Mick55


    Rather than start up a new thread I'll jump in on this one!

    Same happened me today. Woke up this morning to a text message from BOI saying to contact Bank Of Ireland's 'Visa Debit Card Security 24 Number' ( Google'd the number before I was satisfied the text was legit! ).

    Checked my account and there were three transactions that maxed out the account (there was only €45 in the account anyway haha!)
    • BOYLESPORTS EC €10 (x2)
    • FACEBOOK VIRTU €23

    Rang the bank and they cancelled the card, new card coming in the post and form on the way to claim back money so that's all good and well.

    Like the OP I am very careful how I use my card. Any online transactions are well known sites and ATM transactions I'll always check the machine and cover the keypad. But from reading above I can see there are other ways of obtaining details which I may have fallen afoul of.

    Any ideas what the above transactions could be? The Boylesport transaction means the card was used in Ireland and not exported to the US (may be wrong though).

    The Facebook one is confusing, what can you buy from Facebook? In order to purchase anything from Facebook don't you have to have an account?

    The guy in the bank was helpful and courteous but didn't seem too interested in solving the issue, just reissue the card and that's that. Anyone any ideas about the spends?


  • Registered Users Posts: 9,253 ✭✭✭markpb


    Mick55 wrote: »
    Like the OP I am very careful how I use my card. Any online transactions are well known sites and ATM transactions I'll always check the machine and cover the keypad. But from reading above I can see there are other ways of obtaining details which I may have fallen afoul of.

    There are too many people involved in a credit/debit card transaction for even the most security conscious person to protect themselves. By all means, use common sense but between you and your bank lies:
    * merchant / merchant terminal supplier / merchant terminal manufacturer (for retail)
    * browser / OS / PC / telco / merchant website / gateway website
    * telco
    * gateway
    * acquirer
    * V/MC network
    * issuer

    A problem with any point at almost any stage could lead to your card being compromised. You have no control over most of them. Neither do Visa or Mastercard.
    Any ideas what the above transactions could be? The Boylesport transaction means the card was used in Ireland and not exported to the US (may be wrong though).

    It could have been used online.

    The Facebook one is confusing, what can you buy from Facebook? In order to purchase anything from Facebook don't you have to have an account?

    You can buy Facebook credits for paying for rubbish.

    The guy in the bank was helpful and courteous but didn't seem too interested in solving the issue, just reissue the card and that's that. Anyone any ideas about the spends?

    He probably didn't know why your card was flagged and, even if he did, there's no way he's going to share fraud detection measures with a punter. Why would he? The bank have already spotted the problem, cancelled the transactions, cancelled the card and flagged the transaction for a broader investigation (i.e. of all the fraudulent transactions performed by those merchants, what other merchants or networks do they have in common)
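
The cross-referencing that seamus and markpb describe above (take the cards that later saw fraud and look for a merchant they have in common) is sketched here as an added example; it is not part of any post in this thread and not any bank's actual method. The card tokens, merchant names, dates, the 60-day lookback and the smoothed lift score are all constructed assumptions.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample data: (card_token, merchant, purchase_date, reported_as_fraud).
# Cards A, B and C later reported fraud; D, E, F and G did not.
TRANSACTIONS = [
    ("card-A", "BigGrocer",      date(2015, 9, 1),  False),
    ("card-A", "BikeShopOnline", date(2015, 9, 5),  False),
    ("card-A", "OverseasPhones", date(2015, 9, 20), True),
    ("card-B", "BigGrocer",      date(2015, 9, 3),  False),
    ("card-B", "BikeShopOnline", date(2015, 9, 8),  False),
    ("card-B", "CoffeeCorner",   date(2015, 9, 10), False),
    ("card-B", "OverseasPhones", date(2015, 9, 22), True),
    ("card-C", "BigGrocer",      date(2015, 6, 1),  False),  # older than the lookback
    ("card-C", "BikeShopOnline", date(2015, 9, 10), False),
    ("card-C", "CoffeeCorner",   date(2015, 9, 12), False),
    ("card-C", "GiftCardHub",    date(2015, 9, 25), True),
    ("card-D", "BigGrocer",      date(2015, 9, 2),  False),
    ("card-D", "CoffeeCorner",   date(2015, 9, 4),  False),
    ("card-E", "BigGrocer",      date(2015, 9, 6),  False),
    ("card-F", "BigGrocer",      date(2015, 9, 7),  False),
    ("card-F", "BikeShopOnline", date(2015, 9, 9),  False),
    ("card-G", "CoffeeCorner",   date(2015, 9, 11), False),
    ("card-G", "BigGrocer",      date(2015, 9, 12), False),
]


def first_fraud_dates(txns):
    """Map each compromised card to the date of its earliest fraudulent charge."""
    first = {}
    for card, _merchant, day, fraud in txns:
        if fraud and (card not in first or day < first[card]):
            first[card] = day
    return first


def common_points_of_purchase(txns, lookback_days=60, min_cards=2):
    """Rank merchants by how over-represented they are among compromised cards.

    Only genuine purchases made in the lookback window *before* a card's first
    fraud count as exposure; cards with no fraud form the comparison group.
    """
    first_fraud = first_fraud_dates(txns)
    exposed = defaultdict(set)  # merchant -> compromised cards that shopped there
    clean = defaultdict(set)    # merchant -> never-defrauded cards that shopped there
    for card, merchant, day, fraud in txns:
        if fraud:
            continue  # where the card was abused is not where it leaked
        if card in first_fraud:
            window_start = first_fraud[card] - timedelta(days=lookback_days)
            if window_start <= day < first_fraud[card]:
                exposed[merchant].add(card)
        else:
            clean[merchant].add(card)

    n_bad = len(first_fraud)
    n_clean = len({t[0] for t in txns}) - n_bad
    ranked = []
    for merchant, cards in exposed.items():
        if len(cards) < min_cards:
            continue
        n_clean_here = len(clean.get(merchant, ()))
        # Add-one smoothing keeps the ratio finite when no clean card shopped there.
        lift = ((len(cards) + 1) / (n_bad + 2)) / ((n_clean_here + 1) / (n_clean + 2))
        ranked.append({
            "merchant": merchant,
            "compromised_cards": len(cards),
            "clean_cards": n_clean_here,
            "coverage": round(len(cards) / n_bad, 2),
            "lift": round(lift, 2),
        })
    return sorted(ranked, key=lambda r: (-r["lift"], -r["coverage"]))


if __name__ == "__main__":
    for row in common_points_of_purchase(TRANSACTIONS):
        print(row)
```

A merchant that nearly everyone uses scores a lift below 1 even though most defrauded cards shopped there, which is why raw overlap alone is not enough to name a source.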


  • Registered Users Posts: 335 ✭✭Mick55


    markpb wrote: »
    He probably didn't know why your card was flagged and, even if he did, there's no way he's going to share fraud detection measures with a punter. Why would he? The bank have already spotted the problem, cancelled the transactions, cancelled the card and flagged the transaction for a broader investigation (i.e. of all the fraudulent transactions performed by those merchants, what other merchants or networks do they have in common)

    Cool, didn't know what the process was. Do you think they would look into it in depth so as to ascertain what profiles the transactions were used for? Seems like an easy one: the person who owns the Facebook profile or Boylesport profile who bought the credits is responsible for the fraud? I'm guessing it's not that easy though!


  • Registered Users Posts: 9,253 ✭✭✭markpb


    Mick55 wrote: »
    Cool, didn't know what the process was. Do you think they would look into it in depth so as to ascertain what profiles the transactions were used for? Seems like an easy one: the person who owns the Facebook profile or Boylesport profile who bought the credits is responsible for the fraud? I'm guessing it's not that easy though!

    I'm not sure but I'd expect:

    * Issuing bank looks after the customer
    * Merchant can try to chase the offender for fraudulent purchases
    * V/Mc Networks may try to trace the card to see where it might have been stolen from

    Visa/Mastercard won't care about chasing the individual who used the card because it's not worth their time for a few euro and the person who used the card probably bought it on the black market anyway. The person they're really interested in is the merchant or gateway who leaked the card and the person who stole it.

    Of course, for small amounts of money, it's quite likely that no-one cares because loss like that is factored into everyone's profit already.


  • Registered Users Posts: 335 ✭✭Mick55


    markpb wrote: »
    I'm not sure but I'd expect:

    * Issuing bank looks after the customer
    * Merchant can try to chase the offender for fraudulent purchases
    * V/Mc Networks may try to trace the card to see where it might have been stolen from

    Visa/Mastercard won't care about chasing the individual who used the card because it's not worth their time for a few euro and the person who used the card probably bought it on the black market anyway. The person they're really interested in is the merchant or gateway who leaked the card and the person who stole it.

    Of course, for small amounts of money, it's quite likely that no-one cares because loss like that is factored into everyone's profit already.

    Thanks for the answer, very informative. Interesting to know the ins and outs, thanks!


  • Registered Users Posts: 36,166 ✭✭✭✭ED E


    Shocking the risks that this opens up, such a backward country that they can't just implement chip & pin.

    Germany still has prevalent signature verification...


  • Registered Users Posts: 367 ✭✭900913


    Here's a good informative video explaining Chip & Pin fraud.

    Link: https://www.youtube.com/watch?v=Ks0SOn8hjG8


  • Registered Users Posts: 357 ✭✭Ctrl Alt Del


    A quick update, thanks for all the info above...

    The bank refunded all the money (I guess), as even today I haven't received a phone call, email or letter! I had to go through the statements and check one by one, trying to make totals of ins and outs.

    Not sure how that works for them but I'm asking myself now: how do they know whether a purchase is valid or not?
    I'm lost at the complete silence from their side...


  • Closed Accounts Posts: 1,322 ✭✭✭dbit


    A quick update, thanks for all the info above...

    The bank refunded all the money (I guess), as even today I haven't received a phone call, email or letter! I had to go through the statements and check one by one, trying to make totals of ins and outs.

    Not sure how that works for them but I'm asking myself now: how do they know whether a purchase is valid or not?
    I'm lost at the complete silence from their side...

    They will look at your purchase behavior and the location of the rogue purchases, and they can track with a certain level of accuracy the purchases that were made by you. The rogue purchases usually take place out of territory, once details have been sold on.

