Credit Cards "stolen"

Martyr

The Irish Payment Services Organisation claims that credit cards, believed to be stolen, were used in the last couple of days to purchase $1 and $2 items..
they believe the cards were stolen months ago..

http://www.rte.ie/business/2008/0808/credit.html

smells like BS to me, "months ago" ? can somebody tell me why they would say that if they don't know how the cards were "stolen" in the first place???

sounds more like the cards were lost and the IPSO were waiting for unusual purchases to occur before raising any alarms..sounds more like they probably knew for some time.

yes, thats crazy idea, of course :P

whiskeyman

Average Joe wrote: »

can somebody tell me why they would say that if they don't know how the cards were "stolen" in the first place???

http://www.breakingnews.ie/ireland/mhqlcwidojid/

breakingnews wrote:

Reports this morning say fraudsters are believed to have hacked into the database of one the country's leading retailers to steal the credit card details of its customers.

I've heard that on the radio as well... don't know why the RTE aren't reporting it?

spurious

A couple of months ago, I got a call from the bank saying someone had just tried to fraudulently use my card, which was sitting in front of me.

The agent explained my details may have been retrieved from any instance of using the card, online or otherwise. They may have been retrieved up to 18 months ago, so there is no way to know where my details were taken from. I only use 'big' Internet sites for online stuff - amazon, paypal etc.

They said they were investigating it. When I asked would they let me know if they found out which site/shop/restaurant took my details they told me they couldn't.

Martyr

whoever the retailer is should be named and shamed..if they were aware of a breach in security and warned the IPSO but not their own customers, how could you trust them to protect your data? i wouldn't.

just speculating.

probe

There is no reason why a retailer needs to store your card details. Under EU law therefore, retailers should not store personal information not essential to the customer relationship. If retailers did not store these data, they would not be available for criminals to misuse.

In France, even large retailers such as Carrefour have no access to your card number. They have to use a bank provided terminal, which transmits the card data in encrypted format to the carte bancaire centre – bypassing the retailer’s computer system. The bank provided card processing terminal can communicate with the retailers’ POS system to receive transaction details (eg amount, currency and reference information) and can communicate in the return direction with details of the amount paid, payment status (approved, declined etc), authorization code, and other transaction reference information. They have a complete audit trail without storing personal information. Some Irish retailers appear to operate on this basis too – eg Dunnes Stores. Other retailers (usually British based) don’t – eg Marks & Spencer, B&Q, etc and flout the law by needlessly capturing your personal information on their computer systems.

The same goes for online transactions. In this case the purchaser is sent to a web page provided by the card processing bank to enter their personal information, and the bank website passes the customer back to the retailer’s website when the payment cycle has been completed.

The Irish Data Protection Commissioner is allowing certain retailers operating in Ireland to break the law by needlessly storing cardholder details. It seems to me that he should be put in jail for not carrying out his duties properly, thus facilitating fraud, and not protecting people’s personal information. That is his job!

.probe

wayne040576

I just got two calls in the space of an hour from my credit card company telling me that small fraudulent transactions had appeared on both of my cards in the last few days. Had to cancel both.

probe

wayne040576 wrote: »

I just got two calls in the space of an hour from my credit card company telling me that small fraudulent transactions had appeared on both of my cards in the last few days. Had to cancel both.

Just $2 a month charged to each card on a million stolen numbers (they stole between 40 and 90 million card numbers in TJX depending on which report you read) would yield the best part of $2 million a month, less fees and the odd chargeback. "A nice little earner"! Most people wouldn't notice them on their statements, and if they did probably wouldn't complain given the small amount.

Every card issuer should provide cardholders with enhanced security options- eg:

1) Access to their account website using multi-factor encryption, which shows not only processed account entries but also up to the minute authorization request traffic. It often takes several days for the amount to be debited - even though your bank knows of the transaction in real time.

2) The ability to generate one-time-use EMV card numbers for CNP transactions, so you could create a Visa or MC/Maestro number for a specific transaction amount limit which would only work once to give to an online merchant. You could then use your card online with confidence, aside from the risk that the merchant you deal with doesn't deliver the goods you ordered.

3) A texto-alert option, where you could register a mobile phone number to receive an SMS notification in real time of each authorization attempt on your card over a specified figure - to enable you to put a cap on your exposure by giving you the option of taking timely action against a fraudulent transaction. I wouldn't mind paying for the cost of an incoming text message for transactions over a threshold that I was uncomfortable with.

4) A random variation of card expiry dates. If I am a crook, and I buy a million oldish card numbers for a cheap price, I will probably get a good "hit rate" by adding 2 years to the expiry date of expired cards - eg if a card expired at end 03/08, a fraudster would probably try the same card number with an 03/10 expiry date and get away with it. The 03/08 card should be replaced by a card expiring in 01/10 or 05/10 or whatever. Card issuers should stop card numbers that have the wrong expiry date presented on an authorization request for a CNP transaction. While the CVV number changes with each new card, not all service establishments are forced to enter a CVV number to get a transaction approved.

They only need to stop the card for CNP (customer not present to enter the PIN) transactions. The card could continue to be usable where it is authenticated with the PIN and EMV chip. The cardholder should get a message from the website after entering a wrong expiry date to contact their bank to get a replacement card with a different number after this alert event.

One of the biggest inconveniences of having your card compromised is the switching off of the card without notice - when you are dependent on it. The ability to go to the card issuers website with MFA security could be extended to allow you to pre-approve transactions on your stolen card number for specific amounts at service establishments you specify (eg the hotel you are staying in) to enable you to complete your trip en toute tranquilité. AmEx provide a similar service to cardholders who are victims of card theft, in a lower tech way. You talk to them, they confirm your identity, and then speak to the hotel or other service establishment and authorize the payment.

.probe

wayne040576

Average Joe wrote: »

whoever the retailer is should be named and shamed..if they were aware of a breach in security and warned the IPSO but not their own customers, how could you trust them to protect your data? i wouldn't.

just speculating.

I'm fairly sure I know who it is. There is only 1 irish retailer that has my details stored due to online transactions.
Unless they store them every time you buy something in the shop itself?

miju

Visa and AIB have an extra online security feature called Verified by Visa. As well as putting in your card details you have to enter a seperate pin number (which is not your normal card pin) on their website.

very handy

probe

wayne040576 wrote: »

I'm fairly sure I know who it is. There is only 1 irish retailer that has my details stored due to online transactions.
Unless they store them every time you buy something in the shop itself?

You should dump your bank. If you still have your cards, and they have EMV chips, they only need to stop non-EMV transactions - ie online stuff and transactions where your card's magnetic stripe has been swiped rather than the chip being authenticated.

If some retailer has stored your card details, and they have got into the wild, card transactions from this source will have a different transaction type code to transactions where you are present with your card and enter your PIN.

Sure they will have to issue you with new cards, but they don't need to stop EMV transactions on your old cards until the new cards reach you. The security plods working for this bank haven't a clue.

You are better off moving to another bank. If people put up with this second rate backstreet bank service, they only have themselves to blame for having their cards switched off without notice needlessly! You could be in Hong Kong or Paris or wherever unable to pay a hotel bill as a result.

Why stay silent on the retailer you suspect? Companies like this should be exposed to public scrutiny. Boards.ie is an open forum - they can present their case here, if they have a case. No point in sweeping things like this under the carpet!

While EU law makes retailers liable for non PIN transactions, it does not make them liable for the consequences of publishing your card details - eg over wireless networks or dumping computer printouts or CDs/DVDs with these data in a skip, or facilitating staff taking data home on USB storage devices containing this stuff and selling it on the net for extra pocket money.

.probe

wayne040576

miju wrote: »

Visa and AIB have an extra online security feature called Verified by Visa. As well as putting in your card details you have to enter a seperate pin number (which is not your normal card pin) on their website.

very handy

Yeah I use that. The problem is that a lot of sites don't implement it and it doesn't help when it's the retailer that gets you details stolen from their database.

probe

miju wrote: »

Visa and AIB have an extra online security feature called Verified by Visa. As well as putting in your card details you have to enter a seperate pin number (which is not your normal card pin) on their website.

very handy

Verified by Visa (or MasterCard's equivalent) does not stop a fraudulent "retailer" charging $2 a month to your card and a million others. These "verified" programs seem to me to be a means of pushing liability on the cardholder.

Service establishments don't have to participate in these programs. Your card is still wide open to abuse even if you sign up for this so called verification process. Bongo Services in XYZ land can still charge anything they like to your card number, if they get their hands on the card details. And the cost per thousand card numbers is falling rapidly if one is to believe the news items on the net - as security breaches proliferate.

In any event, the verification process simply verifies that you know a code - which code can in any event be stored by the retailer, and fall into the wrong hands. They might as well add another 4 digits to a 16 digit card number and call it "super-secure"!

.probe

probe

Not that wayne040576 is doing much to prevent ID theft :-)

Let me guess, your star sign is Taurus..... and your birthday is the 4th of May.

Taurus Traits ( according to http://www.astrology-online.com/taurus.htm ) include "Placid and security loving" - security loving people don't give out their DOB!

Of course I might be completely wrong and 040576 might be part of your PPSN... :-)

.probe