Merry Christmas to whoever stole my CC card info

[ICspots]

Had to close out a credit card yesterday, got a call from their fraud dept. They said someone charged $327 in Singapore on Christmas day and $1727.00 yesterday in Illinois. Merry Christmas to whoever stole my info and may God bless your soul. Too bad you can't use it anymore though, sorry for that.
My new card will be here in a week or so and I am not responsible for the charges they made.
I always make sure I use secure sites before using my credit card so I am not sure how they got it. Was thinking maybe a site I used it on got hacked and thats how they got it, not sure. Anyway be careful folks, there are untrustworthy people out there. I am just hoping it wasn't any of the sites I recently bought flashlights and LED dropins from, that would be a shame.

EDIT: I am not saying someone here did this, I am just posting it here for everyone to be aware.

 

[mechBgon]

Keystroke loggers are also a possibility. If you're running a Windows OS, you might want to get a "second opinion" with one or two online virus scanners. I like F-Secure's, which uses a couple of antivirus engines and also checks for spyware, potentially-unwanted software and rootkits. http://www.f-secure.com/security_center/ This scanner uses ActiveX to do its work, so use Internet Explorer.

Assuming you're using Windows, you also might want to check your system for known vulnerabilities at http://secunia.com/software_inspector; most systems can use some updates.

Sorry about your CC woes Been there myself, it's quite frustrating.

 

[FRANKVZ]

This happened to me earlier this year. I now use virtual CC #s for online purchases. Its a real pain in the butt getting everything straightened around. Some vendors shipped products to my house and I had to ship everything back. It sucks.
Frank

 

[ICspots]

No infections here of any kind, I use Symantec Corporate edition and Spysweeper. I occasionally check with Trend Micro and Panda's online scanners but nothing ever finds anything other than some harmless cookies.
I am not real worried about it, someone stole my identity years ago and got issued credit cards using my name. Need to make sure my credit blocks are still in effect.

 

[geepondy]

Do you think any of those protect your identity and fraud alert companies such as freecreditreport.com are worthwhile?

A few years ago I got a call from my CC company saying a website had been compromised and my card number may have been one of the ones stolen but he wouldn't divulge the name of the site. The CC company canceled my card and issued a new one.

 

[da.gee]

A lot of times restaurants and other B&M stores are prime suspects. Employees are generally not high paid and somewhat transient. Online is really pretty safe. YMMV.

 

[Manzerick]

That's horrible!!! I'm glad you are not on the hook for the $$!!!

 

[bitslammer]

Eat at Wendy's lately????


December 27, CBS 2 Chicago – (Illinois) Wendy's worker charged in credit card scam. A woman who worked at a suburban Illinois Wendy's fast food restaurant has been charged in a credit card scam and now faces seven counts of identity theft. A spokesman for the Plainfield Police Department says it was a "sophisticated theft operation the likes of which he's never seen in his 17 years on the force." The woman kept a credit card reader in her pocket and swiped customer credit cards through it so that she could hook the reader up to her laptop and create fake credit cards. Credit card readers are "available on the Internet for less than $100 in many cases." Police say the woman would take orders and swipe cards through the restaurant's credit card reader. Then she would swipe it through her own credit card reader. The woman has admitted to swiping and stealing the numbers of between 40 and 50 Wendy's customers. Source: http://cbs2chicago.com/westsuburbanbureau/wendys.credit.card.2.619062.html

 

[TOOCOOL]

A lot of times restaurants and other B&M stores are prime suspects. Employees are generally not high paid and somewhat transient. Online is really pretty safe. YMMV.

+1

 

[powernoodle]

My debit card got zapped last month at a Greek travel agency for $2300. Thats worse than a cc problem, because money actually left my checking account.

It was all resolved in a couple of weeks and the funds were restored, but I won't use a debit card anymore for that reason.

 

[mechBgon]

No infections here of any kind, I use Symantec Corporate edition and Spysweeper. I occasionally check with Trend Micro and Panda's online scanners but nothing ever finds anything other than some harmless cookies.

That's good news. Be aware that the "right-now" detection rate on in-the-wild malware can be lower than you might expect, though. In this test I did earlier this year, Symantec Corporate only detected about half of the malware samples I'd collected from the wild (43 of 95 in this batch). SpySweeper got 24 of 95. The thread is actually not intended to steer the reader towards any particular security software, but to illustrate why it's a good idea to add other layers of defense besides antivirus, starting with the built-in capabilities of one's operating system itself and the elimination of known vulnerabilities.

Back on topic, I got a snail-mail from Capital One earlier this year, indicating that there'd been suspicious activity on my account, and would I please call them. So I did, and asked them how anyone could charge anything to my account since I'd never activated my current Capital One card. I mean heck, if *I* can't charge stuff, how did anyone else charge stuff? The CSR said she had no idea. She said they'd send me some paperwork to fill out, which they didn't. After waiting a couple months for the non-existent paperwork, I called and cancelled the account, over the objections of the CSR who tried to explain the unauthorized charge as some sort of recurring thing I must've authorized in the past without realizing it (in which case, why did they snail-mail me about it being suspicious?).

 

[jzmtl]

Man, you guys are making me nervous. Lost my wallet two days ago, cancelled everything, hope nothing like this will happen. Running around getting all the cards replaced is a major pain in the ***, especially that those unionized gouverment drones doesn't get back to work till the 4th.

 

[Diesel_Bomber]

Glad you got it taken care of and got your money back.

I had my debit card info stolen at a restaurant. Discovered what'd happened and was able to head the thief off at the pass before any $$ was stolen, but it was a PITA. Not too long ago a gas station attendant stole my debit card info and drained the account. I don't keep enough money in my general-use checking account for me to care if it gets drained, but it was still a hassle getting everything sorted out and I wasn't about to let a thief get away inconvenienced.

Caution: Minor rant ahead.

The part that annoys me the most is that I'm a fairly nice guy. I started out in the world at rock bottom, living in my car and eating dry top ramen. The occasional package of bologna and some crackers was a treat. I'm successful now and willing to help out those who honestly need it. The key word is honestly. Even at the lowest I was when getting started, thievery never once crossed my mind. Someone could have put a thousand dollars in my glove box and gotten every penny of it back whenever they came for it. If these people needed money to feed their kids or pay rent, and could convince me that it wasn't their own stupidity or laziness that caused the lack of $$, I'd happily have bought them a truckload of groceries or wrote a check to their landlord. I have no patience for greed; the gas station attendant bought a plasma TV and some stereo equipment and my lawyer made sure the police threw the book at him. There's a lot of wisdom in chopping thief's hands off.

:buddies:

 

[gadget_lover]

Unfortunately, they don't really have to grab your credit card info. They can guess it, and the system is set up to help them.

The credit card format is fixed. The first part identifies the bank. There is a formula used to generate some of the characters so that the credit card processing sites can recognize bad input. This is known as a checksum. That means the bad guys only need to guess the middle part of the number,generate the checksum and guess the expiration.

To guess the expiration, they only need to have a way to test 60 combinations. That's 10 - 12 for the next 5 years, since most credit cards expire within 5 years. In reality, they are more likely to expire in the next 24 months. But how do they test the expiration dates?

That's where the internet charities come in. The bad guys have recently been using the online charities to test the expiration dates. They make small donations and let the charity clear it with the credit card company. The keep doing it with different dates until the donation is accepted. Bingo!

At that point they have the card number and date, and that's good enough for many merchants.

If they do this with a stolen dial-up account or anonymous wi-fi access, it's very, very hard to trace. They don't use your numbers themselves, but sell them online to others who live in areas where law enforcement is not a problem.

The moral is that you have to keep an eye on all your accounts every month now. Sad, but that's life.

Daniel.

P.S. We had a card that was used fraudulently. It was activated, but had never been used anywhere, online or real store.

 

[Trashman]

Unfortunately, they don't really have to grab your credit card info. They can guess it, and the system is set up to help them.

The credit card format is fixed. The first part identifies the bank. There is a formula used to generate some of the characters so that the credit card processing sites can recognize bad input. This is known as a checksum. That means the bad guys only need to guess the middle part of the number,generate the checksum and guess the expiration.

To guess the expiration, they only need to have a way to test 60 combinations. That's 10 - 12 for the next 5 years, since most credit cards expire within 5 years. In reality, they are more likely to expire in the next 24 months. But how do they test the expiration dates?

That's where the internet charities come in. The bad guys have recently been using the online charities to test the expiration dates. They make small donations and let the charity clear it with the credit card company. The keep doing it with different dates until the donation is accepted. Bingo!

At that point they have the card number and date, and that's good enough for many merchants.

If they do this with a stolen dial-up account or anonymous wi-fi access, it's very, very hard to trace. They don't use your numbers themselves, but sell them online to others who live in areas where law enforcement is not a problem.

You've just given support to my suspicions. I had to close out a credit card earlier this month. Fortunately, my credit card company called me immediately after detecting suspicious activity. Within 12 hours of the fraudulent purchase, they gave me a call to clear things up. They wanted to know if I had bought something in India the night before. "Nope," I told them, I'd never been to India and don't know anybody there (except for Viren....hmmm...heh, heh....J/K!). The people charged a mere $2.73 to my account. I didn't know how they got my #, but I had thoughts that they might have just guessed it and made the small purchase to confirm that they had "caught something," after which they'd go on and sell it. Now, after reading the above quoted post, I think, I may have been right. The bank confirmed that the purchase was made online, also. Payment was received by a bunch of Indian names (like the first names of a bunch of friend's). I guess, I should really consider myself lucky and thankful that my bank is really doing a fantastic job.

My bank is a credit union, BTW, and their service is fantastic: 9-7 during the week, 9-5 on Saturdays, and 10-4pm on Sundays (yep, they're even open on Sundays!). You know those Coinstar machines they've got in the supermarkets that charge like 9% to turn your change into cash? Well, my bank has one inside and it's absolutely free for members. (free meaning, they cash your change and take nothing!) Lots of other great perks at my bank, too. Yep, credit unions are the best!

 

[ICspots]

That's good news. Be aware that the "right-now" detection rate on in-the-wild malware can be lower than you might expect, though. In this test I did earlier this year, Symantec Corporate only detected about half of the malware samples I'd collected from the wild (43 of 95 in this batch). SpySweeper got 24 of 95. The thread is actually not intended to steer the reader towards any particular security software, but to illustrate why it's a good idea to add other layers of defense besides antivirus, starting with the built-in capabilities of one's operating system itself and the elimination of known vulnerabilities.

Thanks for the info, I am already aware of this. I test antivirus and antispyware software all the time, in a virtual environment of course. I can't risk my PC getting infected as I am in the computer business myself. Almost hate to say it but I am pretty sure it came from the internet as I don't use the card locally much at all, I use the debit card for that. I need to check my wifes PC as she uses the card too, but she pretty good at not going to undesirable sites that typically get you infected.

 

[turbodog]

Powernoodle's post was the most relavant here. Go back and read it if you didn't.

Debit cards simply do NOT offer the same legal protection as a credit card.

 

[nutz_about_lights]

Well I bet you that guy is going to spend his next Merry Christmas in a 6 X 4 cell...

 

[xevious]

Thanks for the link to Secunia. It's a free service they provide and they're a trusted/established company. I ran their check and they found some vulnerabilities (nothing critical really). They do a good job of checking for outdated software, although in some cases they go overboard. For example, my Quicktime was reportedly out of date and Secunia warned me that it's a security risk. I used the "update" function in Quicktime and it told me I'm up to date.

One tip I can give, though: COOKIES.

These are bits of information that websites store in your browser. However, they are accessible to ANY website that chooses to look at your stored cookies. Sometimes sensitive information is stored there that could be potentially abused. Even something like remembered data fields where you've typed in a credit card.

What I do is update the browser to prompt to accept SESSION cookies for 1st party websites and BLOCK cookies from all 3rd party websites. This way you can choose whether or not the website you are currently on is OK to store a cookie (such as your bank, Amazon, eBay, etc.). If you block a website from storing a cookie (as would be the case for all 3rd party websites--ones which are covertly linked to from the web page you are on, like AD websites), it cannot retrieve cookies from your browser.

Also, I recommend periodically examining the cookies on your browser and deleting those you don't recognize... sometimes AD websites are able to deposit something there, piggybacking on a 1st party accepted cookie (not sure how they do it)... I prefer to keep them in the dark and clear out their garbage.
Just a little security tip for the New Year. Cheers.

 

[gadget_lover]

One tip I can give, though: COOKIES.

These are bits of information that websites store in your browser. However, they are accessible to ANY website that chooses to look at your stored cookies. Sometimes sensitive information is stored there that could be potentially abused. Even something like remembered data fields where you've typed in a credit card.

According to the RFC, the cookie is only supposed to be visible to web sites in the same domain that originated it. There are, of course, security holes that can be exploited, but that usually requires that you be coaxed into executing some javascript that exposes the cookies. If your browser allows cookies to be viewed from 'everywhere' then it's time to change browsers.

Daniel