Credit card fraud - 'leaky' finance company?

[RogerS]

I have had an emergency credit card for nearly three years. It has never been used and apart from ringing the finance company to enable the card, it has remained securely locked in the safe and never seen the light of day.

So you can imagine my surprise when yesterday I was called up by the fraud department of the company to check some transactions that had been spent using this card. All of these were fraudulent.

So full marks for their fraud systems but then I got to thinking as to how this could happen.

The fraudsters had skimmed the card. Impossible - see para 1.
I'd used it in one of those dodgy add-ons on a cash dispenser. No - see para 1.
I'd used it for an internet purchase and the supplier had leaked my details. No - see para 1

So how? If they walked into a shop then (a) how could they have cloned my card (b) how would they know my PIN (it is the default as supplied by the card company)?

If they used it over the internet or telephoning in an order then don't they need the 3-digit security number on the back?

Had a renewal card got intercepted? Not really as the expiry date isn't until July this year.

So as Holmes would say ...'consider the impossible'....ie the credit card company has a leak. Their internal systems are weak and allow an insider to gather all the information.

Am I missing any other explanation?

 

[NickWelford]

I used to work for a large credit card company. Whilst their control systems were OK, they were by no means perfect and staff could, if they had a mind, access the kind of data needed to make fraudulent transactions. Maybe not use it themselves, but there is a market for this kind of information. Like all companies, a certain amount of trust has to be placed in employees.

Pins are pretty secure, but all the other information, such as the 3 digit 'security number' is available somewhere - for example, when new plastics are produced, someone could note down these details along withthe relevant name and address from time to time.

You should report your misgivings to the Inspection Dept. of the company concerned - they will take it seriously.

 

[The Bear]

Hi

I hope you have more luck than I did when I fell victim. I too was very impressed when the fraud department identified fraudulent use on my card, originating in Sweden (where I have never been).
However this turned to dismay when I got my statement. When I looked they did not stop the card for another 5 days, incurring another 30 fraudulent transactions. They then forgot to send the paperwork for me to sign declaring it fraudulent. They then took 2 months to sort it out. To cap it all they then said it would be best for me to pay the interest on the fraudulent transactions which they would later refund as it made sorting it out easier!! unbelievable. Unfortunately i don't share the confidence that the companies take these seriously as to how the customer is affected.
And yes they are a large company with the backing of a High Street bank.
Now having said all that I still use a credit card regularly as it offers far more protection than a debit card. With a debit card, it is your money lost, with a credit card it is theirs.

Good luck with getting this sorted quickly

Mark

 

[White House Workshop]

In 1997/98 I led a team of consultants that did a complete transformation of a particular bank's credit card division. We achieved quite a lot of improvements and showed them how to cut their costs by up to 35% over time. One of the biggest things they did get, though, was that the new procedures showed up that the head of their fraud division had been milking cards for years. He's now serving time. I'm pretty sure that's an exceptional case, but with more and more information being transferred offshore the temptation and opportunity for fraud increases dramatically.

It pays to keep an eye on your statement(s), even if you're not using the cards. Most cards are now accessible online and a few minutes every week or so can avoid a lot of heartache later.

 

[Maia28]

I have had a Nationwide Gold Card that we use for Sainsbury's internet shopping and a few random transactions. Just before Christmas I got a 'phone call from their investigations division at about 4PM on a Saturday afternoon. After ringing them back, just to be sure the call wasn't a scam, they told me that someone had been trying to make a small purchase on iTunes as this can be used to illucidate the available credit limit. They cancelled the card just as the Sainbury's delivery man turned up and guess what, there was a problem with my payment. This would not have been so bad had I not left my bank card in a machine a couple of days earlier and had to cancel that card. The emergency credit card had not be authourised so that failed as well. Fortunately, my wife turned up and she had a working bank card to pay with.

This week I ordered a Makita drill from ITSLondon with the replacement gold card and they rang me up to say that there was a problem that it had failed as my address didn't match that registered to the card. Stange, but even stranger was that I didn't show up on the electoral role that they use (from a company called 192?). I opt out of the public register, so that might have caused the problem. ITSLondon where very helpful and I'm expecting delivery today. Seems odd that they can still process the order and deliver even though the card has failed their system though.

 

[RogerS]

This week I ordered a Makita drill from ITSLondon with the replacement gold card and they rang me up to say that there was a problem that it had failed as my address didn't match that registered to the card. .

Interesting that as I'm not convinced that address checking is all that common. Two reasons for saying this. Firstly I've been deliberately using a different address and not had any problems so far. Secondly, address checking is very difficult unless they use some clever fuzzy logic to match the address. All very well if you live at The Elms, High Street but if you live at an address such as Flat 17 Barness Court 6-8 Westbourne Terrace London which is where I lived for a long time, you find that the address databases have a wide variety of address combinations such as....

17 Barness Court, 6-8 Westbourne.....
17 Barness Court, 6 Westbourne...
Flat 17, 6 Westbourne ....

you get my drift. Even with a human trying to address match you still get problems due to the intellectually challenged troglodytes that many suppliers employ.

I am also fairly cautious with the data I give out and have an 'internet' birthday, for example. I use this on sites that ask for my DoB but without any real justification. You do have to take a view sometimes though. Booked a hotel near Heathrow via Airmiles and they throw up your DoB from their system (which was my internet birthday) and then went on to say that the name and DoB must match ones' passport. So I did amend it but in hindsight would have got away with it...after all an assumption on their part that I'm staying at the hotel because I'm flying and so would have my passport.

Ain't life complicated.

 

[NickWelford]

There isn't much address checking done - generally just the numeric part of the post code and the house number if any. Too many transactions would be rejected if they did too much checking, and we wouldn't like that now, would we!

 

[Maia28]

My house doesn't have a number, only a name. Once before I had a query about the address. Perhaps there may be some random low-volume sample at verification.

The ITS one was a secondary check after the card issuer had raised a query. It used a third-party database and they did give me the name of the previous occupants in 2002. After I posted above, I made four separate transactions on the card and all >£200. Three have confirmed shipping already (Aria, Screwfix and Printerland). Odd how a £30 transaction gets flagged but not bigger ones.

Like you Roger, I like to apply a bit of mis-information when I don't think the data is really required. I too have be caught out

 

[Russell]

Every time we process a credit card from a mail order transaction the system checks the house number, numbers in the post code and the security number on the card. The system then tells us which of these numbers match as a retailer we then make a decision to accept the transaction if it has been authorised. We are advised by the credit card companies not to accept those that don't have a full match because we would not be covered for any loss if the card is being used fraudulently. All retailers should have systems set up to check this data with their banks if they are accepting customer not present transactions. The system has now started to work for some overseas transactions as well for address info as well as the security number.

Note for houses that have no number we have to enter 0 this gives a full match for a house with a name.

 

[RogerS]

Every time we process a credit card from a mail order transaction the system checks the house number, numbers in the post code and the security number on the card. The system then tells us which of these numbers match as a retailer we then make a decision to accept the transaction if it has been authorised.

How would you handle the scenario given by me above...re the flat? In this instance, the post code W2 3UW covers 100 flats. Ok - a ****-up by the Post Office but in that 100 flats there will be several Flat 14's. Or how about 14 Barness Court??

 

[Russell]

You use the street number and that should match the card if it didn't we would try the flat number but usually the street number works don't forget all 3 numbers must match so you may get 2 or 3 people with same postcode and flat number but the security code is most likely different.

 

[parlapa]

I have had an emergency credit card for nearly three years. It has never been used and apart from ringing the finance company to enable the card, it has remained securely locked in the safe and never seen the light of day.

So you can imagine my surprise when yesterday I was called up by the fraud department of the company to check some transactions that had been spent using this card. All of these were fraudulent.

So full marks for their fraud systems but then I got to thinking as to how this could happen.

The fraudsters had skimmed the card. Impossible - see para 1.
I'd used it in one of those dodgy add-ons on a cash dispenser. No - see para 1.
I'd used it for an internet purchase and the supplier had leaked my details. No - see para 1

So how? If they walked into a shop then (a) how could they have cloned my card (b) how would they know my PIN (it is the default as supplied by the card company)?

If they used it over the internet or telephoning in an order then don't they need the 3-digit security number on the back?

Had a renewal card got intercepted? Not really as the expiry date isn't until July this year.

So as Holmes would say ...'consider the impossible'....ie the credit card company has a leak. Their internal systems are weak and allow an insider to gather all the information.

Am I missing any other explanation?

I have cloned credit card, the first levy was the payment of an airline ticket did in france, then many levies and payments from romania.
Fortunately I was able to demonstrate my extraneousness' because one of the same levies was making a payment in italy, so 'after 3 months, the bank has returned me the money

 

[frugal]

Interesting that as I'm not convinced that address checking is all that common. Two reasons for saying this. Firstly I've been deliberately using a different address and not had any problems so far. Secondly, address checking is very difficult unless they use some clever fuzzy logic to match the address. All very well if you live at The Elms, High Street but if you live at an address such as Flat 17 Barness Court 6-8 Westbourne Terrace London which is where I lived for a long time, you find that the address databases have a wide variety of address combinations such as....

17 Barness Court, 6-8 Westbourne.....
17 Barness Court, 6 Westbourne...
Flat 17, 6 Westbourne ....

The way that the banks do AVS (Adress Verification Service) is that you enter the digits from the street line as AVS1 and the digits from the post code as AVS2. So in your examples the AVS1 digits would be 1768, 176 and 176 respectively. If your postcode was SW12 4GL then your AVS2 would be 124. They will also enter the 3 digit security code on the back of the card as the CVV. (You only enter the digits so that it can be done on a standard numeric keypad)

Depending on whether the numbers entered exactly match the AVS1, AVS2 and CVV that the bank holds will determine the response that the bank gives back to the merchant. It is up to the merchant to then decide if they are going to process the transaction or not. Depending on the size of the merchant the bank may well charge different fees depending on the AVS/CVV response.

 

[devonwoody]

Roger did you also know that if you have had a credit card fraud committed your local police are no longer interested, they wont even take the details.

They now only will get involved with a credit card fraud transaction if instigated by the credit card company.

So you most probably will never receive justice.

Something wrong with the law?

PS have you turned your safe upside down to make sure it hasn't been opened (tin opener) and plundered.

 

[The Bear]

To clarify the victim in a credit card fraud is the credit card company and the business where the card was fraudulently used. Technically the card holder has lost none of their own money, it is the credit card companies money. Obviously the card holder is put to a lot of stress and inconvenience (see my post above ) but they are not the victim. The credit card companies fraud department is far better placed to investigate this than the police as they have access to the credit card databases and network which the police do not. If the police took the lead in the investigation then it would all still get done through the company just adding time and complication to the matter. Obviously the companies prefer to do it themselves and get themselves justice.

I reiterate my previous point, a credit card is far safer than a debit card where the card holder would be the victim.

Mark

 

[Losos]

I am also fairly cautious with the data I give out and have an 'internet' birthday, for example. I use this on sites that ask for my DoB but without any real justification............................................Ain't life complicated.

I did that only yesterday with photobucket, on their drop down menu they gave me the option of being born in 1880 :lol:

Being somewhat surprised I clicked on this year and it accepted me

So I'm now 128 years old...... :roll: .....................mind you I feel like I am some days :lol:

And yes life does get complicated, I now have to check anywhere I've put my correct birth date