Credit Card security - I've been done!


Mac the Knife
7th Nov 2013, 17:47
This afternoon I went with my son to a grungy little sport warehouse to get him a new judo-gi (it's the only one in Cape Town that has good ones) and I paid by credit card.

This is a chip-and-pin card and I was slightly surprised not to be asked to enter my PIN in the machine but didn't really think about it. In our system you get an SMS instantly as soon as a transaction is processed and up it popped - 500 rand correct, no surprises there.

Then, within half-an-hour I got SMSes about a blizzard of transactions, none of which I had authorised or recognised. First a couple of small ones and then three or four fat ones!

I called my provider chop-chop and they were very efficient, reversing all the subsequent transactions and blocking the card.

I guess either the merchant cloned the card (supposedly impossible with chip-n-pin and a bit unlikely - only one elderly salesman in the place) or there was card-number-harvesting malware on his system.

My question is, how come these transactions went through with no PIN, no card security code and no expiration-date provided?

Mac

:eek:

First time it's ever happened to me in zillions of transactions and no great harm done because of the SMS alerts (apart from the chore of having to get a new card).

anotherthing
7th Nov 2013, 17:53
Never heard of SMS alerts before... sounds like a great idea.

localflighteast
7th Nov 2013, 18:23
Occasionally my bank will call you there and then on your cell phone if they think a transaction is dodgy. It is completely automated, you just press a key to confirm.

Actually a good idea in my opinion

racedo
7th Nov 2013, 18:55
Mac

I would go back in and ask why he is allowing his shop to be used for fraud, you are reporting to police and talking to newspaper...............could get chased out or bought off

OFSO
7th Nov 2013, 19:32
Never heard of SMS alerts before

Yeah, Spain has been doing them for some years. But unusual transactions are blocked so fast here (and you can't pre-warn a bank either, as it's all computers and *anti-fraud stuff*) that it is not really necessary.

Mac's experience was typical: a few small transactions to check the card out and then the big ones. In Europe you often get a card blocked if it is used for one or two euro transactions since these are recognised as the "testers".

axefurabz
7th Nov 2013, 19:38
a bit unlikely - only one elderly salesman in the place

Ha! Serves you right for underestimating us !!

Capetonian
7th Nov 2013, 19:42
Mac - is it near Kenilworth Centre, because I've been asked to go there to get something for a friend there to take overseas. If so, thanks for the warning!

Turbine D
7th Nov 2013, 19:44
The way it works for my credit card is this: On the credit card web site for the account, you set whatever monetary limit you want and when the card is used for a purchase above that limit, you are notified of the merchant and amount charge by email immediately.

rgbrock1
7th Nov 2013, 20:35
Turbine D wrote

you are notified of the merchant and amount charge by email immediately.


Which is reactive instead of proactive. A proactive mechanism for fraudulent credit card use would be like this. You set the limit for the card to the maximum allowed per transaction. If a transaction is started which exceeds this set amount then a Predator drone is sent to the location of the apparent thief who is then hit with a small APND (Anti-Personnel Nuclear Device.)

Thus, the prospective thief is obliterated from the earth and your card is saved!

If this proactive mechanism was enacted a few dozen times I'd wager credit card fraud would cease to exist. Sort of like the practitioners.

er340790
7th Nov 2013, 20:41
That's nothing.

Last year I bought an on-line ticket with a Canadian Regional Carrier. I don't believe in ridiculing cr*p service, so I would never tell you that it was Bearskin Airlines.

The $453.60 fare was charged to my credit card on-line.

The following day, my card stopped working while on a trip to the US. It transpired that Bearskin had charged me $45,360.00, a mere hundredfold increase !!!

The thing was, this was WAY above the card limit. The credit card company stated (classic) that the charge was accepted 'for my convenience'. Gee thanks, you winkers!

Again, I would never tell you the name of the card company. But it was RBC.

Wunch of bankers!

racedo
7th Nov 2013, 23:12
Yeah, Spain has been doing them for some years. But unusual transactions are blocked so fast here (and you can't pre-warn a bank either, as it's all computers and *anti-fraud stuff*) that it is not really necessary.

A boss of mine who lived in Barcelona was out with some friends at a very decent and expensive restaurant............he moved in those quarters.

At end of meal he handed across card for payment...............5 minutes later his phone rang and he was asked was he buying games software, music DVDs etc etc as someone was seeking to put a 500 transaction through right then. Realising which card it was he called the manager and asked where waiter was with his card.
Manager tracked guy upstairs with boss and he was in front of computer ordering more stuff with card right beside him.

Manager handed the card back and said as cancelled card the restaurant would be paying and please go downstairs shutting door.

10 mins later a face beaten waiter came to table to apologise with manager by his side, he still worked in restaurant but was never allowed take payments again and cost of meal came from his pay.

racedo
7th Nov 2013, 23:13
Mac - is it near Kenilworth Centre, because I've been asked to go there to get something for a friend there to take overseas. If so, thanks for the warning!

Cash is king in places like that......

Metro man
8th Nov 2013, 00:09
In Singapore I get asked to enter a code number which is SMSed to me when making online purchases. Also I get an SMS if a large transaction is made on my card.

A while back I got a call from the card company asking about a transaction which flagged up and they had stopped. I couldn't have made it as I was in the air at the time, transaction was cancelled and a new card issued.

Dushan
8th Nov 2013, 01:42
The way it works for my credit card is this: On the credit card web site for the account, you set whatever monetary limit you want and when the card is used for a purchase above that limit, you are notified of the merchant and amount charge by email immediately.


Same here. You can pick SMS or email, or both.

Dushan
8th Nov 2013, 01:44
If this proactive mechanism was enacted a few dozen times I'd wager credit card fraud would cease to exist. Sort of like the practitioners.

Ah, but then, RGB, the credit card companies wouldn't be able to charge usury interest fees in the name of "fraudulent activity".

BDiONU
8th Nov 2013, 04:04
In the UAE you get SMS for all credit card transactions, no PIN used just signature. But debit cards you use your PIN for so no SMS.

Flap 5
8th Nov 2013, 05:54
At end of meal he handed across card for payment .......

Rule number 1 of paying by credit card: Always stay with the card. Never let it be taken away for payment of a bill. Normally the waiter brings a card machine to the table. If not take the card to the till and watch the transaction on their card machine.

In fact with chip and pin that has to happen anyway as you have to enter your pin.

Capetonian
8th Nov 2013, 06:42
Also, as I've said before, scratch off the CVV number. It doesn't prevent fraud if your card is stolen or cloned, but it does limit the types of transaction that can be done with it.

arcniz
8th Nov 2013, 12:01
scratch off the CVV number

Sound advice, Cape.

mixture
8th Nov 2013, 16:19
Also, as I've said before, scratch off the CVV number. It doesn't prevent fraud if your card is stolen or cloned, but it does limit the types of transaction that can be done with it.

And as I've said before.... waste of time defacing your card like that.

For each merchant that requires CVV, there's another that doesn't require CVV. The unscrupulous know which merchants accept what and tailor their use of cards accordingly.

racedo
8th Nov 2013, 17:42
Rule number 1 of paying by credit card: Always stay with the card. Never let it be taken away for payment of a bill. Normally the waiter brings a card machine to the table. If not take the card to the till and watch the transaction on their card machine.

In fact with chip and pin that has to happen anyway as you have to enter your pin.

I agree

But also depends on establishment.

ehwatezedoing
8th Nov 2013, 18:12
Rule number 1 of paying by credit card: Always stay with the card. Never let it be taken away for payment of a bill. Normally the waiter brings a card machine to the table. If not take the card to the till and watch the transaction on their card machine.

In fact with chip and pin that has to happen anyway as you have to enter your pin.

While it certainly reduces your chance of having it cloned, technically it doesn't matter anymore that you stay with your card or not during a transaction.
Even one with a pin number attached to it.

I had mine cloned a couple of years ago with its pin number!
Bank manager explained to me that some robbers would get a job only to stay a few days or weeks there to clone cards.
On top of that, they have a system to also copy your pin numbers by having the transaction machine connected to another one out of view.
So you can be as careful as you want when typing your pin, it can still get stolen.
Bank knew where the original card theft happened (as I wasn't the only one) but would never let me know where as it wasn't the merchant's fault but a "rogue" employee. And that they didn't want to ruin the merchant's reputation...Anyway :*

It is still cheaper for the banks/credit card companies to reimburse their clients than to create an advanced clone proof system.

radeng
8th Nov 2013, 22:31
I wanted some spare parts. The importer said he didn't have them in stock, importing them as a small order was prohibitively expensive, but if I waited, they could get 'bulked in' to an order. OK, and as the weeks passed, figured he'd forgotten. Then get an email, he had them. I could order by email but he didn't have an https, but he had an 0800 number. Telephoned, and he said that even https wasn't secure enough and GCHQ and NSA could steal the numbers. So we did the transaction by telephone......goods arrived next day.

Admittedly the dealer and I know each other, but we are both equally suspicious - paranoid, maybe?!

Trust the government and the security services?

As Mrs Ramsbottom said "Not me!"

G-CPTN
8th Nov 2013, 22:39
I wanted some spare parts.
They weren't batteries by any chance? :E

VP959
9th Nov 2013, 08:03
Not sure if it's still technically possible (would guess that it is) but when my card was cloned it was via a card machine that had been tampered with internally. It was a filling station on the south coast and apparently hundreds of other cards were cloned the same way.

There have been various rumours circulating that accessing card details via a doctored chip-and-pin machine is pretty straightforward, all that the crooks need to do is substitute a doctored unit for a kosher one. Apparently the vendor doesn't even have to be involved, as the data from the cards and the pin numbers can be stored inside the doctored unit, then a while later the crooks swap it back out and have a stack of valid chip-and-pin card data to do with as they wish.

The time my card was cloned hit the news locally as the filling station (or maybe stations) involved were caught some time later, probably because they over-played things by cloning too many cards from a single location, causing the card company fraud detection systems to see a pattern.