PDA

View Full Version : Credit Card Fraud


ORAC
10th Jan 2009, 09:42
ORAC got done this week. :suspect::suspect:

Went to get some dosh out on Friday lunchtime - "You have insufficient funds for this transaction".

What the f**k, thinks I, I have about a grand in the account.

Toddle across to the bank machine and do balance check - 1400 overdrawn!

Went inside and had staff check and, over the last week, there have been big purchases on GetYouIn, a ticket agency, 3 lots of easyJet tickets at around 600-700 quid each, online purchases from TescoDirect and Argos for in store pick up. Nearly 2.5 grand in total. All hit the account between last Monday the 5th and Friday the 9th.

Bank were good about it, cancelled the card and said that they would send me a form to sign and that the money would be credited back to my account in 5-10 working days. But they couldn't explain why their anti-fraud software didn't pick it and stop the payments or why the didn't phone me to check.

So I have the cash in my wallet until my new card arrives and no more money until my pay goes in next Friday and/or the refund the deductions.

No idea how they got the card details, as I explained to the bank I am single, no one lives with me and the card lives in my wallet. Haven't used it in a bar, shop or restaurant where I let it out of my sight and used chip & pin; all online purchases were through HTTPS sites.

Barstewards...... :suspect::suspect:

SpringHeeledJack
10th Jan 2009, 09:57
That has got to sting ORAC, hopefully you can get a subby from family or friends until next friday. It makes you wonder what rights the customer has to know HOW the fraud was committed so as to avoid it in the future.

The police can apprehend the passengers booked on EasyJet, because even if they are not the fraudsters, they know them very well. Also the delivery addresses for the TescoDirect etc should provide plod with some info.

Stay in and have a cheap weekend, it's not looking too inviting outside, unless you like hiking that is :}


regards


SHJ

Mallan
10th Jan 2009, 10:02
I also got hit last month Luckily it was only for £25. The bank fraud department we very good, Stoped the card and after signing the form had the money refunded and a new card arrived within a couble of days. I also very rarely use my card for online shopping.
The £25 was by phone for O2 air time in Slough, so somehow they got hold of my 3 digit security number, which is very disconcerting.

Yak97
10th Jan 2009, 10:02
I likewise got stuffed recently by fraud, which also included 2 sets of airline tickets.

Now perhaps someone could explain the reason why fraudsters go for airline ticket especially Loco's? Mine were with Easyjet & Vuelling. Virtually the same name on the 2 bookings but wildly different routings on consecutive days (looking at that again that was booking days rather than travel days).

Seeing as Loco's don't refund bookings and you need a passport under the same name to travel, what do the fraudsters get out of it?

Do they have a pool of people who are just waiting for fraud to occur to book tickets?:confused:

ORAC
10th Jan 2009, 10:12
It was the easyJet that made my eyes boggle. If the bank software didn't get triggered by that what the hell would? At the cost of the last one they must have been sending a brass band on holiday....

5th easyJet: 187.29
6th easyJet: 657.20
6th GetmeIn: 380.29
6th TescoDirect: 158.63
6th ArgosDirect: 144.25
9th easyJet: 754.40

Total of 2282 pounds. easyJet transactions had overseas transaction fees as well. No idea where the other transactions were actually made from, but obviously they arranged for an instore pick up in the UK. :(:(

corsair
10th Jan 2009, 11:11
That's annoying, have you swept your computer for a key logger? That's a strong possibility. Maybe someone then sold your details on for a price.

It would never happen to me, I have to say. Both my cards are up to limit. I didn't need any help from fraudsters on that.:ugh:

ORAC
10th Jan 2009, 11:17
I use a Macbook with OS X, a key logger or other malware would need to ask to install itself.

WorkingHard
10th Jan 2009, 11:31
Last year my card was charged on 3 separate occasions by a company with whom I have had no dealings and could not find any reference to on the internet. In order to charge the card they would of course need a merchant number. This is a UK company and so I (eventually) had the money refunded by my card provider BUT, despite even the threat of legal action from me they absolutely refused to tell me who the company is. So we have a situation where an unauthorised transaction takes place against my money and I have no right to know who took it!!! Is this really Britain at it's best?

Scumbag O'Riley
10th Jan 2009, 11:46
Excluding the interest rates charges levied by the card issuer, I have only ever had money removed fraudulently from a credit card of mine the once. I'd only had the card a few days and the only time I had used it was when I handed it over to the cabin crew on a UK based airline to buy some duty free. They took it away 'to be authorised' (for twenty pounds) and several days later the naughty charges showed up.

When I recently lost the card in the house and needed it replacing quickly instead of turning the place upside down I just called up and asked for a replacement. Naturally, phone person tried to sell me the fraudulent, expensive and worthless protection policy to be used if I ever lost my cards again. He wouldn't take no for an answer, and his last concescending remark was that I needed it as I had fraudulent charges on the card in the past, like fifteen years ago.

So if somebody else uses your card they remember and hold it against you!

1DC
10th Jan 2009, 11:48
Youngest daughter was stung in Oz last year, the money was taken out in Thailand whilst she was at work in Melbourne. It was a few thousand dollars and was spotted on the day it happened on the second use of the card. The bank said she had to do the form filling and would get the money back, unfortunately it was right at the time all of her standing orders went out to pay her bills and the bank flatly refused to give her a fast payment so that she didn't go into the red, they told her to move money from her savings accounts instead...It took nearly a month for her to get her cash.

Flap 5
10th Jan 2009, 12:31
I have been done twice. A year ago one of my debit cards (a clone) was used at an ATM in Sydney, Australia on the same day I used the original card in Tescos, Stevenage. I was told they check the card, the pin number and that you have sufficient funds in your account - and that is all. The fact that the same card was appparently used in two places 12,000 miles apart at the same time did not seem to throw up any sort of error!

The second time was with a credit card where insurance was purchased. In both cases the money was refunded. With the debit card the money was gone for three weeks or so but with the credit card I did not lose out because you don't pay the account until the next month and by then the account had been corrected.

It is now not an offence that you report to the police. You tell your bank and they decide whether to report it to the police or not. Most times it is not reported to the police - so that keeps the governments crime statistics nice and healthy.

I now have cards with two banks. Two years ago I had just one card and it was stopped when I was in Italy because of suspected fraud because I was taking money out abroad. How come the criminals get around these checks so easily when the genuine person is often stopped? Clearly they know the system very well and are able to get around it.

L'aviateur
10th Jan 2009, 13:37
Some banks seem to have a good system of second guessing fraud, in the last 12 months i've had my card stopped at least 10 times. I travel a lot, and tend to use the credit card for the protection it affords me.
For cash I have an prepaid international currency card which works in ATM's all over the world at rates beating any bank fees and using a preset Euro or Dollar exchange rate, and the Mastercard exchange rate elsewhere. I feel much safer knowing that I can transfer a few hundred pounds across online and if anything happens, I lose that maximum that is on the card.

Scumbag O'Riley
10th Jan 2009, 13:46
I now have cards with two banks. Two years ago I had just one card and it was stopped when I was in Italy because of suspected fraud because I was taking money out abroad.Ah, very wise, you think you have got them fecker banks beat, but you are wrong.

I had my second card stopped in Italy the day after my first one was stopped. And that is after I had called my bank, at great expense on mobile, to tell them I was in Italy and not to stop my second card.

So they stopped my second card on a Sunday. Could I get hold of my bank. Could I ****. Day of rest for banks, but they will stop your fecking cards.

They didn't manage to unlock my first card until I got home. Took until Tuesday to unlock my other one. Cost me over £150 in mobile charges, was terrified my mobile company was going to cut me off, then I would be completely fecked.

And then they have the gall to tell you it is for MY protection. Is it ****. Their oversensitive fraud programs are there purely for THEIR protection and for my inconvenience.

I tell you, banks are absolute Rubbish.

Rubbish

Complete Rubbish

Did I say they are Rubbish? Well they are.

A A Gruntpuddock
10th Jan 2009, 14:05
Visa called one night to say that my credit card had been used on a dodgy website and they thought it was probably fraud.

Not only did they spot it but they issued a new card straight away at no cost and without any paperwork. Excellent work!

I expressed surprise that someone had got the number since the card had never been out of the house and I only used it on secure websites.

It was explained that the crooks generate numbers then try them on websites just to see if it is a 'live' card. If it is not rejected they know they have a legitimate number and can then try using it.

Since there are only 999 possible security numbers on the back of the card they can quickly find out what works then go on a shopping spree.

Thanks to the wonders of computing they never have to see your card.

lexxity
10th Jan 2009, 15:00
For all HSBC are a bunch of gits, they did spot and stop Mr L's CC immediately a year or so ago.

We had just paid for some airline tickets, walked to a coffee shop and joined the queue when his mobile went.

Couple of quick questions regarding purchases that day and they said right we're stopping the card as there has just been an attempted use in Malaysia.

Very pleased with that service.

Only time ever with HSBC mind you.

Hyph
10th Jan 2009, 16:22
Card Fraud and Card Processing 101

Having worked in this business, I have a few thoughts I'd like to share.

Get comfortable...

The banks never do anything for your benefit. They might do something that benefits you in some way, but there will be some bigger benefit for the bank behind it - whatever they say.

The reason the banks (in the UK, at least) don't always report the fraud to the police is that they have to pay to have the police investigate it.

This "fee" is not small, so the banks have to consider the relationship between the fee and the value of the fraud. Given the likelihood is that Dibble will fail to catch the perpetrator of the fraud, who could be thousands of miles away, the fraud needs to be many multiples of the fee before the banks will bother to report it.

This has two benefits for the Government. The crime stats are kept artificially low and the police receive funding from the supposed victim of the crime (the bank) in order to investigate it.

Card fraud is rife. It is many times higher than the banks will publicly admit.

There are two reasons they don't admit the real figures.

The first is public confidence - it does not look good for a bank to reveal that they are being fleeced and are powerless to stop it. It could devalue their share price (see later), hurt their business and discourage the public from using plastic with the risk that they might switch back to "expensive" (for the bank) cash.

The second and possibly more surprising reason is that the banks don't really care that much about fraud.

To you or me, the fraud is a significant amount of money. To the bank, it is just a cost of doing business. They factor losses due to fraud into their merchant charges and interest rates. So they don't really pay for it, you and I do either through interest charges or simply higher prices on everything we buy.

This attitude might be about to change. With the economic downturn in full swing and bank share prices already on the floor, the focus will shift to actively seeking to save money at every opportunity - up to now their interest has primarily been making new money, rather than finding ways to save it. They were making more money than they would have saved, but that could well be changing.

The way the card processing systems work varies between banks and merchants. The crooks know this already... in most cases, and as you found out, the bank systems check to see if the PIN matches the card and if there are funds in the account.

In some cases, the check is just to see if the PIN matches with the chip/card number. In others it's the full anti-fraud system where transaction patterns are checked and if something out of the ordinary pops up the transaction may be queried or (occasionally) declined. Ultimately, all cards are 'swept' through the fraud detection routines, though perhaps less frequently than you might hope.

The key differentiator between what happens when the card is presented for processing is down to the fees that the merchant has to pay to the bank. The more sophisticated the check, the higher the fee, but the lower the risk is for the merchant. The merchant decides how much risk he is prepared to take and pays for the service he feels is most appropriate. A cheap service might land the merchant with all the risk of a fraudulent transaction, but if the merchant pays more, the bank will take on more of the risk.

This is one of the reasons for the introduction of Chip & PIN.

The crucial difference between Chip & PIN and the "old" signature cards is where the risk lies.

With Chip & PIN, once the correct PIN is used, technically the responsibility for fraud lies with the card holder... YOU.

Under the old system, the risk lies primarily with the bank, though they will often sting the merchant, depending on how much he/she is paying in processing fees.

In the event of fraud, if the bank didn't want to refund your money you could ask for a copy of the signature used to verify the transaction and unless the crooks had forged your signature well enough, it would be obvious that you didn't effect the transaction yourself. In this case the bank would simply hold the merchant liable for the fraunt on account of their carelessness. Case closed.

With Chip & PIN it is very difficult to prove you didn't enter the PIN number. The bank can suggest that it was you yourself or that you compromised the security of your PIN either willingly or through negligence. The onus is on YOU to prove your innocence.

Chip & PIN is relatively new in the UK and the banks are still playing nicely when it comes to dealing with fraud. Eventually this will end and they will start pushing back.

Chip & PIN is very good for the banks, but not good for the consumer. This is why the Association of Payment And Clearing Services (APACS) are regularly to be found in the press and media harping on about the "high security" of Chip & PIN and how it's impossible to "break". APACS are owned by and are a mouthpiece for the major banks. They won't ever admit there are holes in Chip & PIN, in the same way that they won't admit the real amount of fraud that goes on.

And as for finding valid card numbers and CVVs... it is trivially easy to generate valid card numbers and only a matter of trial and error to find the CVV (the number on the back).

There is a simple formula, which is in the public domain and widely known by those of nefarious intent, that can be used to generate a valid card number.

Essentially the card number breaks down into four groups: Card Type (VISA, MC, Amex...)
Issuing Bank (HSBC, Citibank...)
Account No
Check digit

The formula can be easily used to generate the 'random' parts of a card number. The check digit will confirm to anyone who cares to look if the whole card number is valid or not. The crooks can then use the internet to check if the card is 'live'.

As you can probably tell, this is a very simple but global system. It was created in a time when things were easy for the banks and criminals were less sophisticated. It is no wonder it is being abused on a massive scale. And these are the same banks that have been bailed out with our money. I'm just a shade annoyed by that. :mad:

Oilandgasman
10th Jan 2009, 17:40
Excellent piece Hype which sums up the present position. Ditto happened to me of course and the fraudsters were kind enough to create a Paypal account with my card and a false Yahoo e-mail account. Having phoned Paypal I asked the obvious question "To what address were the goods sent?" " The same address sir" " Yes, I had already managed to deduce that probability myself, but what IS the address please?" "Sorry Sir as the address is on our computer, the fraudster's details are protected by the Data Protection Act!!!!" To cut a longer story short, ended up taking to the Data Commissioner's Office in Westminister. " " I am afraid Paypal have given you the correct answer Sir but you will be glad to hear that the Police can access the data if they are approached by the Bank and Paypal" " But they never do approach the Police unless £millions involved in each case" " Brrrrrrrrrrrrr":ugh:

frostbite
10th Jan 2009, 17:49
Thanks for that, Hyph! Most interesting.

Flap 5
10th Jan 2009, 18:47
Thanks for that Hyph. I was aware of most of it but it helps to have my knowledge confirmed and expanded.

The real concern from what you say is that fraudsters will continue to do this and the fraud will increase. They know that the banks do not want to admit to it and that the police do not have the expertise. I am sure that in both of my cases the fraudsters could have been caught if the police had the expertise and the banks had the technology and could be bothered.

The one in Australia would have been stopped at source before any money was given out. They can do it as I was prevented from withdrawing money with my own genuine card in Italy, and with my own genuine pin. It is quite likely for me to be in Italy on holiday when my card is not in use in the UK but very unlikely that I would be in Australia on the same day that my card is in use in the UK.

In the other case the purchaser of the insurance could easily be traced if the banks and the police had the technology and the expertise.

The fact that the banks and the police are not bothered, or have the technology, means that this fraud will increase with little being done about it.

blue up
10th Jan 2009, 21:10
When you receive a new card you need to BURN the piece of headed notepaper it arrives on. The ink runs into the paper and the glue-stuff can hold several digits of your credit card serial number. One bank statement is all they then need to copy your details. The last 3 cards we have had sent to us had the full 4+3 digits inprinted onto the paper.

Next time you receive a new card, have a look. Particularly if it is a Barclaycard.

Riskman
11th Jan 2009, 01:06
I got this by e-mail from my sister-in-law yesterday; she works in an accountancy firm. I've just copy/pasted the text. It sounds plausible but a fraudster has to have your credit card number and your address which is possible, but your phone number as well? Maybe I'm naive but isn't that starting to strain credibility? Perhaps this is spam - e-mail all your friends and clog up the web etc but perhaps worth noting.

R
The scam works like this: Person calling says, "This is (name), and I'm calling from the Security and Fraud Department at VISA. My badge number is 12460. Your card has been flagged for an unusual purchase pattern, and I'm calling to verify. This would be on your VISA card which was issued by (name of bank) did you purchase an Anti-Telemarketing Device for £497.99 from a Marketing company based in London?" When you say "No", the caller continues with, "Then we will be issuing a credit to your account. This is a company we have been watching and the charges range from £297 to £497, just under the £500 purchase pattern that flags most cards. Before your next statement, the credit will be sent to (gives you your address), is that correct?"

You say "yes". The caller continues - "I will be starting a fraud investigation. If you have any questions, you should call the 0800 number listed on the back of your card (0800-VISA) and ask for Security.

You will need to refer to this Control Number. The caller then gives you a 6 digit number. "Do you need me to read it again?"

Here's the IMPORTANT part on how the scam works the caller then says, "I need to verify you are in possession of your card." He'll ask you to "turn your card over and look for some numbers." There are 7 numbers; the first 4 are part of your card number, the next 3 are the security numbers that verify you are the possessor of the card. These are the numbers you sometimes use to make Internet purchases to prove you have the card. The caller will ask you to read the 3 numbers to him. After you tell the caller the 3 numbers, he'll say, "That is correct, I just needed to verify that the card has not been lost or stolen, and that you still have your card. Do you have any other questions?" After you say, "No," the caller then thanks you and states, "Don't hesitate to call back if you do", and hangs up.

You actually say very little, and they never ask for or tell you the Card number. But after we were called on Wednesday, we called back within 20 minutes to ask a question. Are we glad we did! The REAL VISA Security Department told us it was a scam and in the last 15 minutes a new purchase of £497.99 was charged to our card.

Long story - short - we made a real fraud report and closed the VISA account. VISA is reissuing us a new number. What the scammers want is the 3-digit PIN number on the back of the card. Don't give it to them. Instead, tell them you'll call VISA or MasterCard directly for verification of their conversation. The real VISA told us that they will never ask for anything on the card as they already know the information since they issued the card! If you give the scammers your 3 Digit PIN Number, you think you're receiving a credit. However, by the time you get your statement you'll see charges for purchases you didn't make, and by then it's almost too late and/or more difficult to actually file a fraud report.

What makes this more remarkable is that on Thursday, I got a call from a "Jason Richardson of MasterCard" with a word-for-word repeat of the VISA scam. This time I didn't let him finish. I hung up! We filed a police report, as instructed by VISA. The police said they are taking several of these reports daily! They also urged us to tell everybody we know that this scam is happening .

Lon More
11th Jan 2009, 13:01
I've recently received a new card and this thread prompted me to check the numbers of the old cards. going back several years the first eight numbers have remained the same, leaving only eight to identify the actual account.

Seems it would be pretty easy to crack, especially if the hackers had an old statement, which normally carries the last 4 digits, in their possession

Hyph
11th Jan 2009, 18:03
Cheers for the appreciation. :ok:
It is a sad state of affairs that this situation is tolerated.

I would echo what Riskman says about being careful about handing over your CVV (those three digits on the back of your card - or four on the front of an Amex).

In fact, you should be careful with all your personal details these days, including your phone number and date of birth. It's a pain to have to be so paranoid, but as many of you have experienced, this is a growing problem.

If someone calls you, they already know who you are - the onus is not on you to prove your identity. You need to be absolutely certain you know who they are, no matter how convincing they sound. Call them back on a number you already have/know - not one they give you, for obvious reasons.

Ten West
11th Jan 2009, 20:48
I've had mine done twice. Both times the bank spotted it (Lloyds TSB. Highly recommended).

Both times the money was spent in Pakistan on mobile phone accessories, and both times it happened 1-3 days after buying petrol in LTN, once at the Shell garage by the airport and once on Dunstable Road by the Chiltern Hotel. The bank didn't seem surprised to learn of my suspicions when they asked. This was some time ago now, so maybe things are different now, but I don't risk it any more.

I still buy petrol there, as it's the cheapest place around and it's right next to my office, but I ALWAYS pay cash now.

The word is that Sri Lankans get set up in the UK to open a petrol station by the Tamil Tigers, and in return they "Harvest" all the credit card details and send them back home.

How much truth there is in that I have no idea, but it sounds plausible given my experience.

I've learned my lesson.

Gertrude the Wombat
11th Jan 2009, 21:45
The onus is on YOU to prove your innocence.
Well, not quite.

If the bank prosecute you (for lying and trying to defraud them) then they have to prove your guilt beyond reasonable doubt, as for any other criminal charge.

If you sue the bank, or they sue you, then you only have to demonstrate your innocence to "balance of probabilities" criteria, you don't have to "prove" it "beyond reasonable doubt".

(In the UK this is.)

Pontius Navigator
11th Jan 2009, 21:59
When you receive a new card you need to BURN the piece of headed notepaper it arrives on. The ink runs into the paper and the glue-stuff can hold several digits of your credit card serial number. One bank statement is all they then need to copy your details. The last 3 cards we have had sent to us had the full 4+3 digits inprinted onto the paper.

Next time you receive a new card, have a look. Particularly if it is a Barclaycard.

Nice one. Got my new Barclaycard yesterday. The letter has my name, address, card number and, as you said, a mirror CVV number where the card was stuck.

Now shredded the letter. Thanks.

Pontius Navigator
11th Jan 2009, 22:05
You need to be absolutely certain you know who they are, no matter how convincing they sound. Call them back on a number you already have/know - not one they give you, for obvious reasons.

I had a flight booking with Airmiles. At one point they wrote to me changing the details slightly. Later they rang me and asked for my password. Now I didn't have it and asked why. They said they needed to give me some information about my flight and needed to confirm who I was. I said write; they insisted on speaking with me - impass.

They sent me a new password which I acknowledge and sent then an authentication password too as it was they who cold called me and then asked me to identify myself.

I spoke with Trading Standards and they said this was not a problem. Anyway it turned out genuine and simply another flight time change, so why the secrecy?

But don't you just love non-UK call centres :)

chiglet
12th Jan 2009, 13:52
Talking of recipts, the last time that I was in Amsterdam, I paid for a train ticket with my cc.....ALL the numbers on the cc were printed.....
Happened on a debit card too.

Hyph
12th Jan 2009, 15:50
You are correct in your statement on the balance of probabilities. For a moment, consider this:


Your debit card has been cloned and someone has used it to buy £100 worth of goods - let's assume this happens online or by phone in the UK.
This money is immediately withdrawn from your account.
You spot the money missing from your account and report it to the bank.
The bank plays hardball and doesn't want to give you the money bank because they say that you must have compromised your card and PIN.

Now what are you going to do? :eek:

The bank have taken your money and refuse to give it back. You can try to sue them to get your money back, but how do you ever prove, even on balance of probabilities, that your PIN was not compromised by something you did or neglected to do.

The bank won't co-operate with you. The police won't be interested because the amount of money is relatively low - they will take your report and give you a CRN, but won't investigate it.

You go to court and the bank will say that someone could have shoulder surfed you in a shop or some dishonest staff members (or business owners!) may have a CCTV camera trained on the Chip & PIN machine keypad and you failed to safeguard your PIN. You can't possibly prove that you could never have been at fault. In these cases the you will be deemed to have been negligent and therefore you must bear the loss - read your T&C's very carefully.

This hasn't happened yet, but this is why Chip & PIN was introduced. Once the Chip & PIN honeymoon period is over, the banks will start playing tough.

This is one of several areas where the presumption of innocence has been lost with little or no public scrutiny.

Who's next for the soap-box?

Scumbag O'Riley
12th Jan 2009, 17:06
Consumer Credit legislation, European Directives, and The Banking Code all apply.

The effect of these is that the bank has to demonstrate the consumer acted fraudulently or without reasonable care. In practice this probably means gross negligence.

So the "burden of proof" is on the bank, not the consumer, if there is any dispute. The Financial Ombudsman is there to sort it all out, not the courts, neccessarily.

G-CPTN
12th Jan 2009, 18:09
buying petrol in LTN, once at the Shell garage by the airport and once on Dunstable Road by the Chiltern Hotel.That makes me feel 'better' - having refuelled in Luton on Christmas Eve (and deciding at the last minute to use all my remaining cash instead of credit card). :ok:

flash8
12th Jan 2009, 18:52
My main accounts are both in Moscow and Vienna, MC and Visa, none have chip and pin on them - which is a problem in the UK as some places then refuse to accept them (or maybe I just look dodgy).

My Moscow bank sends me an SMS after each transaction with its details free of charge - thats a REALLY useful way to see if your card has been compromised.

Unfortunately they don't offer that in the UK? They should!!

Rgds
Flash

Gertrude the Wombat
12th Jan 2009, 20:47
Now what are you going to do?
Personally I'd sue.

It takes only a couple of minutes to fill out the online form, and in my limited experience judges are very sensible people.