Suffice to say that I am having really bad luck, or something:
- In early December there was fraud on my Chase Sapphire Reserve; I was alerted to this because Chase sent me a message saying they received a call from an unknown number, and when I looked at my statement there were purchases at a Hampton Inn and Lowe’s in Florida
- In late December there was fraud on my Amex Platinum; I only found out about this because I was alerted that I had used an Amex Offer that I hadn’t actually used, and then looked at my statement and saw purchases all over the place in Florida as well
Well, I’m currently in Sri Lanka and received an email from Chase asking me to verify a purchase on my Sapphire Reserve.
That didn’t look familiar, but it’s also not a huge purchase, so I figured that maybe I had bought something online and that’s how it appeared. But then I looked at my statement and saw it said “DING EZETOP TOPUP,” and based on that, it looked like this is an online recharge for prepaid cellphones.
Then I looked at my statement in more detail, and saw that this was only the tip of the iceberg. There were over $6,500 in fraudulent airfare charges as well, including:
- A $3,004.49 purchase from TAP Air Portugal
- A $2,262.29 purchase from Qantas
- A $1,339.47 purchase from Iberia
I had three initial thoughts based on that:
- Airfare seems like a dumb thing to purchase fraudulently, unless you’re traveling same day
- How do you even spend $3,000+ on TAP Air Portugal, as their fares are usually super cheap?
- Maybe it’s a coincidence, but I also feel like card issuers track spend patterns and obviously I purchase a ton of airfare, so did the person who stole my card know that, and act accordingly?
The crazy part here is that I just got my new card a few weeks ago, as the previous one was closed down due to fraud. I really haven’t made that many transactions since then, so I’m surprised my information was compromised that quickly.
I’ve long said “oh, I’m not worried about credit card fraud, because consumers aren’t at risk when it happens.” While that’s true, if I keep having to change my card numbers every few weeks, it sure takes the ease out of the process of paying by credit card!
Does anyone have a theory of what’s going on here? Am I just having really bad luck the past few weeks? I thought my previous two hacks may have been related to the Starwood data breach, but the card that was just compromised is a new card number that I’ve only had for a few weeks.
Are the airfare purchases a coincidence, or what exactly is going on here?
I’m now carefully checking out the pending purchases on my credit cards daily, because I sure am suspicious.
Has there been any new developments? I ask because I’m also in the point and mike game, but it becomes harder to rack up points once your a victim of account takeover/identity theft. End of 2016 Capital One called me asking about some charges that were not mine (oddly they were the only ones to reach out to me). Later that day my @icloud email password was changed, and I have two factor authentication (which...
Has there been any new developments? I ask because I’m also in the point and mike game, but it becomes harder to rack up points once your a victim of account takeover/identity theft. End of 2016 Capital One called me asking about some charges that were not mine (oddly they were the only ones to reach out to me). Later that day my @icloud email password was changed, and I have two factor authentication (which is useless in my case), long story short the next day It was taken over, all security info changed, a year and a half later I was able to regain access. I still get alerts that it’s on the dark web. I also lost my gmail account which I still can’t not regain access and is being used once again (the fraudsters were arrested but started using it again or their friends are). After investigation I learned all my emails from banks and reward sites were being forwarded to this email “[email protected]”. My story is the extreme case. To keep this from being an essay I will just include mention some of the damage done and some that I’m still fixing. People like us with so many accounts makes the clean up a true nightmare. So, they rented a car from hertz as me, they actually stole the car since never returning it. My Chase sapphire card was used for a bill for over$3000.00. Chase fixed it immediately. Hertz still put me on the DNR list. Later the car was found with the suspects yet I’m still on the DNR list even after proven innocence. Why? Hertz email me an affidavit twice to the wrong email, the one the thieves had access to. They would not send a third one to my correct email. I use to store Amex Plat number, Chase Private Client number and many others in my contacts.With access to my iCloud they changed they were able to route the calls to themselves. I discovered this after speaking to a who I thought was Verizon fraud department where I spoke to a man who eventually made mistakes and became obvious he did not know how to answer my questions. At the time I had 28 credit cards and not all of them were routed. They even called the police station in Texas where my tip led to the first arrest in the case. They pretended to be my father and told the detective not to listen to me because I was crazy and so on. Not to bright since if I was crazy how did they get arrested. It goes on and on. Now to what was taken over, 8 bank accounts, 25 credit cards, 6 fraudulently opened in my name. Even my fiancé, mother and father were victims. My reward points were all sold to Flipmymiles.com and cashformiles.com. It’s shocking when you log into your southwest account and there’s 15 flights booked. Plus all those little accounts we have like prepaid cards, or those we have tried to use for MS. All gone and emptied. They had full control over everything until May 31st 2017, when the big arrest came. In Ardmore, OK using my Hyatt account they were caught checking in. Most of the fraud took place in Texas and Oklahoma. The police told me all their victims were in 5 different states. They must have been released because I’m dealing with it yet again but much smaller scale. I’m sorry this is long please keep in mind this is 10% of my story. One last thing, because I tell my story to help others. These people were so void of mortality that they learned my dad and I bank at some of the same banks. They transferred my dads money to my account then stole it. Chase fixed it all while Union Bank thought I was stealing from my father. If done on purpose then it works because instead of fixing all my problems right away I had to prove it wasn’t me. They sent the money to my PayPal account also which didn’t help. I spoke to PayPal where on speaker phone my family was told it was not me. To bad Union Bank wasn’t in on that call because they have been horrible to work with. Even convincing my dad it was probably me. Proving my innocence is what helped them do more damage. Lesson learned. My points and miles were all returned, I’m still dealing with some credit cards and banks. USAA is the absolute worst for these situations, I also do not have a branch in California. I offered to fly there to help prove it was me they said it wouldn’t help because my account was locked up. Chase on the other hand were amazing with my accounts and my dads. Amex wasn’t bad but not great. I have ideas on how it was done but can’t say for sure. Happy to discuss this with anyone in further detail, I had to leave details out so my apologies if parts don’t make sense. My last comment is the kicker. After I had access to my iCloud and my pictures I noticed two pictures taken in Oklahoma. They were accidents because it’s of a woman’s leg in a car and another of the windshield and part of the dash, in the stolen car. Oh and AT&T didn’t think it was odd that 9 accounts were opened for a month. If I didn’t call questioning a phone number I never would have known. Between me and my family over $200,000 was stolen from mainly credit cards and banks. They must have become cocky because my Walmart money card and PayPal accounts have them sending money to their real names. Crazy.
When I read this my first thought was that someone bought the ticket as part to defraud a third party for cash. Now I read this article which supports that thought, if I buy a ticket and receive a ticket number and reference code I would not be suspicious of the 'agent', only differedce I avoid third party booking sites and would never pay cash. However, I know many people who are at risk and...
When I read this my first thought was that someone bought the ticket as part to defraud a third party for cash. Now I read this article which supports that thought, if I buy a ticket and receive a ticket number and reference code I would not be suspicious of the 'agent', only differedce I avoid third party booking sites and would never pay cash. However, I know many people who are at risk and are too trusting: https://www.thisismoney.co.uk/money/beatthescammers/article-6705859/New-scam-flight-holiday-warning-heres-stay-safe.html
I had two cards hit within 48 hours. I'm not sure which account was hit to find the card info ... but it happened. Luckily both card issuers were very helpful when it came to removing the fraudulent charges.
@Marc
This article is also worth a read
https://www.wired.com/2017/03/russian-hacker-spy-botnet/
@Marc
Like another post above wrote to you, the Russian government doesn't go after local cyber criminals that don't target Russia.
https://www.nytimes.com/2017/04/21/technology/russian-hacker-sentenced.html
https://nakedsecurity.sophos.com/2017/04/25/russian-pioneer-of-identity-theft-and-card-fraud-jailed-for-27-years/
This bunch was stupid enough to travel too AMS.
https://www.theregister.co.uk/2018/02/16/two_russians_jailed_credit_card_hacks/
And finally a bit old, but why this is happening. Aka how the money is made.
https://www.zdnet.com/article/how-credit-card-fraud-in-the-us-supports-russias-underground-economy/
@Marc
Like another post above wrote to you, the Russian government doesn't go after local cyber criminals that don't target Russia.
https://www.nytimes.com/2017/04/21/technology/russian-hacker-sentenced.html
https://nakedsecurity.sophos.com/2017/04/25/russian-pioneer-of-identity-theft-and-card-fraud-jailed-for-27-years/
This bunch was stupid enough to travel too AMS.
https://www.theregister.co.uk/2018/02/16/two_russians_jailed_credit_card_hacks/
And finally a bit old, but why this is happening. Aka how the money is made.
https://www.zdnet.com/article/how-credit-card-fraud-in-the-us-supports-russias-underground-economy/
I doubt Lucky is being target individually, if that’s what’s happening here, his life would be around upside-down as those criminals would try to shake his professional work and perspnal life.
Still doen’t hurt to check, but I doubt it very much.
If we knew more about how you used the cards during the relevant period, we could probably provide better guidance on how your cards were compromised. That being said, online theft is very rare. Most popular merchants have secure transmission protocols. If you think about the major data breaches they mostly occurred through theft of point-of-sale transactions (i.e. swipes) and not through online transactions. So - unless you used the cards at sketch websites, I...
If we knew more about how you used the cards during the relevant period, we could probably provide better guidance on how your cards were compromised. That being said, online theft is very rare. Most popular merchants have secure transmission protocols. If you think about the major data breaches they mostly occurred through theft of point-of-sale transactions (i.e. swipes) and not through online transactions. So - unless you used the cards at sketch websites, I think it unlikely that was the cause of your problems. Ditto for MRC charges for cable, phone, Starbucks reloads, etc.
The more likely scenario is that one of your regular merchants was the source of your problem. This could be a gas station swipe (where my info was recently stolen) a restaurant (very common) or any other point-of-sale merchant. What you need to do is examine the common charges (if there are any) and then by process of elimination you may be able to determine where the breach occurred.
This also highlights why you should always designate a single card for your monthly recurring payments and the put it in the sock drawer and use that card NOWHERE ELSE. Because it is a royal PITA to change all of your MRCs every time a card is compromised.
Finally I note the fraudulent charges rarely provide a clue as to how your card was compromised. Usually the info is sold on the darkweb and the card info is then cloned and used at home improvement stores, etc until a fraud alert is set off. The online ticket airline purchases are a bit odd because it would be easy to catch someone who tries to use a fraudulent ticket. Maybe they were resold to morons
As others have said, It's probably your computer.
Not sure if this is a AMEX thing or applies to all companies, but when my AMEX was compromised I had to specifically ask them to allow no charges from my old card number. They pushed back and asked if I was sure due to reoccurring charges and I finally said I would cancel the card for good if they allowed charges from the old card. All has been good since then.
I don't know why everyone doesn't have their credit card notifications set up to send a push notification for any transaction over $1, so when that $750 charge from Forever 21 pings your phone you know you've got a problem.
Similar situation happened to me with my bank. I noticed pending charges on my debit card that I hadn't made and alerted the bank. (Thankfully I log into my accounts daily and watch my accounts to the penny, so I caught that quickly.) Within a week of getting my replacement debit card, more fraudulent charges popped up. I had signed up for alerts and I was receiving alerts saying my card was being used for...
Similar situation happened to me with my bank. I noticed pending charges on my debit card that I hadn't made and alerted the bank. (Thankfully I log into my accounts daily and watch my accounts to the penny, so I caught that quickly.) Within a week of getting my replacement debit card, more fraudulent charges popped up. I had signed up for alerts and I was receiving alerts saying my card was being used for a $1900 dollar purchase on the opposite coast...while I was at working! Went into the bank again and finally went high up enough to find out what was going on.
The manager told me that my checking ACCOUNT had been hacked and that the fraud would keep occurring until I changed ALL my passwords, account numbers, etc. It turned out that my account was getting hacked by an employee INTERNALLY. I suspect the same issue is going on with your account. Major inconvenience to change everything, but that's what I had to do. I changed all my usernames, passwords, and all account numbers. Thankfully, that did the trick and I (knock on wood) haven't had to deal with the issue again. If I were you, I would:
-Change ALL ACCOUNT numbers and associated numbers with said accounts.
-Change your USER ID and PASSWORD for your accounts. ALL of them! Most likely your current one is compromised.
-Reconsider who is storing your credit information for auto bill pay, etc. I now usually just pay manually from my bank whereas before I had companies store my credit card number for auto-billing. Every time a company stores your credit card info, it's another chance for this type of hassle when there is a security breach. (See Marriott!)
-Sign up for free account alerts. Seriously, they really do help. I particularly like American Express Alerts because they are really quick, but I have alerts on all accounts.
-Commit to checking your accounts at least once every day to protect yourself, catch fraud, etc.
-I agree with the other comments about gas station skimmers...last issue I had was for just that reason, but of course the fraud was stopped before it got to my account and the bank issued a new card immediately. (Mastercard in that case, but they were really on the ball...they caught the fraud before I even did!)
-Totally sucks that you're dealing with this. I know I was super annoyed at having to change all my account numbers, bill pay, etc. It happened to me years ago and it still sort of irritates me, to say nothing of the fact that the bank I was trusting actually had an employee committing the theft!
Opps, CSR app (not CSV).
The reference to Russia and China fraud is not from merchants there, but the organized crime / state sponsored hacking outfits.
It's hard to believe that an airline purchase would appear on the statement without an additional description, or is this not being displayed in the posting.
Perhaps this is an MCO (Miscellaneous Charge Order) being used to "hide" the real ticket purchase, as someone mentioned.
Lucky, the CSV app has a "lock-Unlock" feature. Why aren't you using that? Keep the card locked until you need to use it then immediately lock it back up after. Even is someone gets the card information, they won't be able to use it unless they try to run a charge at the exact same time that you're using it as well.
@andre
Exactly, credit card fraud is big in the US as the credit card companies have been exceedingly slow at adapting things like chip cards, pin codes, and second layer verification on online purchases. Maybe it is easier to make the transactions the old fashioned way, but it also leaves the door wide open for fraud.
If the US credit card companies fully embraced the modern technologies this would be reduced to a fraction....
@andre
Exactly, credit card fraud is big in the US as the credit card companies have been exceedingly slow at adapting things like chip cards, pin codes, and second layer verification on online purchases. Maybe it is easier to make the transactions the old fashioned way, but it also leaves the door wide open for fraud.
If the US credit card companies fully embraced the modern technologies this would be reduced to a fraction.
I have had one case of credit card fraud in all of my life, which was after using my card in Miami Florida. And I travel pretty extensively
would it not all be much simpler if the US CC's applied the EU rules - i.e. use a PIN and a chip with every card for real life transactions and a security with an extra pin check via your mobile on any online transaction. No fraud anymore and you feel comfortable and safe
Azamaraal ....how do you block and unblock a card? I thought only the bank can do that for you?
Set all cards credit and banks...to text you when any charge is made on them .. set to lowest $amount they allow..even $1.00..if they allow it that low
They will text within a few moments of a charge. Then you will know if it was you or not!
Maybe it's just how backward US banks are but all my cards have Verified by Visa which requires an OTP sent by SMS to complete online purchases. In-store purchases generally require a PIN (in some countries they can still swipe without a PIN)
You should set up Apple Pay for all your cards. Then you at least get push notifications when there are any transactions the second they happen.
Just to throw out a more “out there” possibility – it could be an inside job. The best way to combat it may be to set up automatic alerts on your account and to contact Chase the moment you receive one.
I have a credit card that I only use for international travel, but for a while, I wasn’t traveling internationally very often. In 2016, I visited Montreal, Canada and used my international travel credit...
Just to throw out a more “out there” possibility – it could be an inside job. The best way to combat it may be to set up automatic alerts on your account and to contact Chase the moment you receive one.
I have a credit card that I only use for international travel, but for a while, I wasn’t traveling internationally very often. In 2016, I visited Montreal, Canada and used my international travel credit card while I was on that trip. A few months after the trip, the credit card company contacted me and asked me to review a (Australian?) transaction that looked suspicious.
I told the credit card company that the transaction was not mine, so they reissued that card and also sent me a form for me to use to attest that the transaction was not mine.
I did not have any international travel again until spring 2018, so my new, pristine international travel credit card just remained at home, literally under lock and key. I didn’t even use it for online transactions.
In fall 2017, I got “password religion” and instituted the use of a password manager, plus the use of strong random passwords. I stayed up very late hardening and entering the first batch of passwords, which included the password for my international travel credit card account.
Just before I was about to go to sleep, I received either a text or email alert – which I’d set up previously – from that account. I called the credit card company within minutes of receiving the alert.
Once again, the credit card company reissued the card and said they’d send me the usual form. The reissued credit card came, but the usual form never came.
So that left me wondering. Had someone inside the company been sitting on my old password (which was admittedly somewhat weak), and had my hardening of that password somehow prompted them to take one last stab at my credit card account?
And, given the "pristine card" circumstances that I’d explained to the fraud representative, did the credit card company figure out that it was an inside job?
I should add that my travel credit card is more of a ”premium” credit card, somewhat like the Chase Sapphire Reserve card.
My international travel credit card did get hit again in fall 2018, but I’d taken it on two international trips in spring 2018. I don’t think that I received the fraudulent transaction form to fill out for the 2018 occurrence.
In any case, I’d suggest setting up automatic text/email alerts.
My credit card issuer (at least one) allows me to block the card and unblock it when I want to use it. With the issues Lucky has just identified and the fact that the BA leak cost me one hacking I am beginning to think of using this blocking feature.
A funny alert about fraud for me, I love this story. We fly often and have many charges on hotels and Airlines and car leases all over Europe, but what caught Chase's "eye" was a small charge to Avon! They know me so well! Have never charged any kind of make up ever! But I guess the culprit thought since I was a woman it was a safe bet! This always makes me laugh!
Perhaps someone will know your details and make a $20,000 Cathay Pacific First Class purchase. You’ll earn 60,000 UR points. How good is that?
I am also facing the same issues. I had used my Citibank AA card to purchase British Airways tickets online. A few days later someone attempted to buy luxury watches in Luxemburg for an amount of 30000 USD!!!! Luckily the bank denied the transaction and called me. I am wondering if it is related to the breach of security with BA...wodner if any more attempts would still occur. Some time earlier, my supplementary AX SPG...
I am also facing the same issues. I had used my Citibank AA card to purchase British Airways tickets online. A few days later someone attempted to buy luxury watches in Luxemburg for an amount of 30000 USD!!!! Luckily the bank denied the transaction and called me. I am wondering if it is related to the breach of security with BA...wodner if any more attempts would still occur. Some time earlier, my supplementary AX SPG card was used to buy 2 air tickets on Delta and again for inflight wifi. I even got the names of the passengers and notified AX. Would the fraud department track them down and arrest them??
Why can't we lock our credit cards with an app and then unlock it when we need to make a charge? Some banks do this with debit cards. It would surely cut down on the fraud.
i mean you do have a blog where you display to the world all the credit cards you have...but it might be so many other things like living in Florida, or a virus on your computer, or not using VPN when youre banking on ur phone in ur travels....
im sorry this happened to you bro =/
Credit cards are a scam. In China everyone uses mobile pay. Much less transaction cost, more secure, easier. But hey, we like making Visa and MasterCard rich.
As someone earlier mentioned the cc numbers do partially follow a pattern. I had a Hyatt card a while ago that was cancelled due to fraud. I got a replacement and had NEVER used it but someone still attemped to use my number. It didn’t go through because they didn’t know my zip code and the security code.
Of course having a popular blog may make you an intentional target and I would not rule that out.
FLORIDA. That's it. Particularly Tampa/Miami. I've never had so much credit card fraud until I lived there for over 6 years combined. It's mostly gone since I left that state and have new cards.
I turn off WiFi, whether supposedly secure or not, while traveling whenever I need to access personal data on my devices or spend money . And use a VPN. Can’t always prevent a live person from stealing numbers, though. That’s usually the weakest link.
I had the same event several times. If you use your credit card to pay at the pump- stop. Your transaction information is sent wirelessly from the pump to the office. It’s easy to skim. Since I stopped paying at the pump there have been no more problems. Just my experience.
Those happened over 3 days - I would set up Chase Alerts for texts & emails at levels appropriate for you so you can at least shut it down quicker. Especially foreign transactions as you are away so frequently. Make sure you have VPN on your cell or wherever you conduct banking business on the road.
Same for me in last few weeks. First INK Preferred, then Freedom, then Freedom Unlimited.
I'm beginning to feel like it'd be less inconvenient to track the fraudsters down myself and get the police involved than to keep going over charges and having to get new cards.
The banks are seriously not losing enough to make it worthwhile to prosecute?
@Lucky. I had a string of them with Amex Platinum a few years ago. One after the other. It turned out to be an internal issue as revealed to me (not saying how). Imagine the number of American Express employees (and other cards) that can access information, patterns, and card numbers.
Too many evil people in the world preying on the rest of us. Hacking, digital fraud, identity theft, etc. should be capital offenses! Off with their heads!
This is sort of an obvious point, but you run a public-facing blog that largely revolves around your credit card usage. It seems plausible that you might be a specific target for fraud, rather than the sort of wholesale identify theft that most victims experience.
If you ever charge someone at a restaurant and the waiter takes the credit card away - you risk the number and pin being copied down and used.
Oddly enough I travel every summer to Siberia and have used my Sapphire card everywhere that accepts it including small grocery stores in small towns. One charge was approved for 6 cents - I had failed to tell the cashier I needed a bag so she just grabbed my card and swiped it. In three years I have yet to have a fraudulent charge in Russia. In China I use the card as well but...
Oddly enough I travel every summer to Siberia and have used my Sapphire card everywhere that accepts it including small grocery stores in small towns. One charge was approved for 6 cents - I had failed to tell the cashier I needed a bag so she just grabbed my card and swiped it. In three years I have yet to have a fraudulent charge in Russia. In China I use the card as well but there are very few places that accept an international card. Again zero fraud. In the US there have been fraudulent charges more than once so I'm not sure why a reader suggests most of the fraud comes out of Russia and China. If it does, it is definitely not because one uses their card routinely in those countries.
@Jacques, I do exactly the same thing. Plus, I check my statements at least once a day, every single day of my life.
Just had several Fraud purchases on a Chase Credit Card. Only noticed it when paying the bill. I wondered why it was so high!
2 roundtrip tickets Emirates DXB to BRU
1 hotel charge in Milan
and one 2 weeks earlier for only $20 to Vayama.com which looks like an airline booking site.
Set up alerts! I still can't understand why everybody doesn't do this.
I m also with Rob, it got compromised at the hotel level.
I've heard from a friend of a friend who worked at a Sheraton how easy and how often its done.
I would imagine googling your (unique) name - and reading your numerous credit card pitches... errr... posts, a hotel clerk would know exactly how you spend your money.
As other mentioned, I think your computer as been compromised.
11pm last night someone used my Amex Biz Platinum card in the netherlands, so amex caught it right away, froze it and alerted me. New card overnighted, should be here friday.
A month or so ago my wifes Sapphire Reserve had a airline ticket charged to it; sfo to shanghai, about $10,000. AA called just to make sure it was legit, which of course it wasnt, so it didnt even make it to the credit...
11pm last night someone used my Amex Biz Platinum card in the netherlands, so amex caught it right away, froze it and alerted me. New card overnighted, should be here friday.
A month or so ago my wifes Sapphire Reserve had a airline ticket charged to it; sfo to shanghai, about $10,000. AA called just to make sure it was legit, which of course it wasnt, so it didnt even make it to the credit card company.
But where do they get the info to do this? i NEVER use my platinum card except to get into lounges, and once in a while on line for a big purchase from legit companies. Nothing else. But they still managed to get the info.
A few years ago I made a trip to Asia with a few other side trips purchased while I was there. Our company was small at the time and my boss checked AMEX statements daily. He messaged me to go over some charges and then he got to 5 flights from the UK to various places in mainland Europe. It was crazy because the passenger names seemed almost fake to match where they were going....
A few years ago I made a trip to Asia with a few other side trips purchased while I was there. Our company was small at the time and my boss checked AMEX statements daily. He messaged me to go over some charges and then he got to 5 flights from the UK to various places in mainland Europe. It was crazy because the passenger names seemed almost fake to match where they were going. A pair of tickets to Russia for Boris and Ivanka, Guillermo flew to Spain, Pierre flew to France, a poor guy with no vowels in his name flew to Prague. We had no issues disputing the charges. Some of the flights had already happened and others were pending.
This continued for a few months with other cards. One coworker was charged $50 for a necklace from QVC. We disputed it and AMEX actually declined it. They sent the order form and it had my coworker's name but identified as Mrs. It had his work address but his home ZIP. The package was delivered to his name (as Mrs.) to a home in Palo Alto despite him living in LA. I googled the house and found it was owned by two Stanford grads. One worked for the CDC and the other owned a bio company. Their house payment was estimated at $7k a month. Why would they commit credit card fraud for $50? That is when I found they had an inlaw home in the back they rented out. I sent them a message and warned them about what was going on.
After a few more months and compromised cards (I think AMEX had a threshold of 10) they cancelled all of our cards and issued a brand new set with a different numbering sequence.
My dad had a BoA card reported for fraud. Before even getting his hands on the new one, there was fraudulent activity on that one as well. Go figure!
Does it make it easier to hack that the whole world knows your name and what credit cards you have?
The interesting thing with airfare is that the name of the pax shows up on your statement, with ticket numbers and dates of travel, so if they are booking for themselves it should be easy to track. If it appears to be an individual based in the US, Canada, Australia, NZ, or Europe, I would recommend making a criminal referral to the local police.
With regard to your card access, it sounds like someone has...
The interesting thing with airfare is that the name of the pax shows up on your statement, with ticket numbers and dates of travel, so if they are booking for themselves it should be easy to track. If it appears to be an individual based in the US, Canada, Australia, NZ, or Europe, I would recommend making a criminal referral to the local police.
With regard to your card access, it sounds like someone has access to your computer or accounts through malware (especially if Chase confirms this was done with your new card). I would recommend changing ALL of your passwords to unique passwords (I highly recommend LastPass to assist). Finally, I would bring your computer and phones into a computer technician to see if any malware or key tracker exisits on your computer.
Also agree about adding a text/email notification for every transaction over 0.01.
I see everything that happens on my account.
Only scary part is sometimes the charge doesn't post instantly but rather a batch (usually overnight). Waking up to a text from a hotel/restaurant you ate at previously can sometimes catch you offguard.
Like @ Rob suggested, you should consider that your card may have been compromised at the vendor level. It's something to think about considering your notoriety as travel blogger who probably has high credit limits on every account, the fact there were large airline purchases that went unflagged by the bank, and also that you often write about exactly which cards you're going for and/or getting. Not much you can do about the latter since...
Like @ Rob suggested, you should consider that your card may have been compromised at the vendor level. It's something to think about considering your notoriety as travel blogger who probably has high credit limits on every account, the fact there were large airline purchases that went unflagged by the bank, and also that you often write about exactly which cards you're going for and/or getting. Not much you can do about the latter since its part and parcel of travel blogging but perhaps avoid writing in too much detail about the cards that will be sent to you especially around the time they're being mailed.
Although there is some good advice here, some of it is absolutely rubbish:
1. Using a VPN protects only the path from your device to the egress point of the VPN provider. There is zero additional protection between that egress point and the actual service you're connecting to. If TLS isn't being used to protect the connection, interception is still possible and if TLS is being used to protect the connection, a VPN will protect...
Although there is some good advice here, some of it is absolutely rubbish:
1. Using a VPN protects only the path from your device to the egress point of the VPN provider. There is zero additional protection between that egress point and the actual service you're connecting to. If TLS isn't being used to protect the connection, interception is still possible and if TLS is being used to protect the connection, a VPN will protect you from DNS leakage at most unless you're stupid enough to bypass security warnings from apps and/or your web browser.
2. Recurring payments will only continue to be honoured upon a card number change if the biller has marked the transaction recurring and they should only be doing so if they've validated the initial transaction with the CVV2/CSC2 value that is physically on the card (and this is the only place on the planet that the value should be stored after the card is manufactured). If an issuer is not enforcing this, they're inept (and I highly doubt Chase or American Express fall into this category).
3. A WiFi network not featuring encryption does not present any obstacle to sniffing traffic to a sophisticated attacker, just as a wired network is no more secure unless configured properly (the vast majority are not). Again, the details in point 1 above apply - unless the site/service you're connecting to have a solid security posture, a VPN service is of minimal help (and actually presents a man-in-the-middle opportunity).
4. The idea that someone gaining access to an online account for a merchant that has stored your card details meaning that the attacker can get access to the card itself is ludicrous. Any merchant of this nature that displays the full PAN to authenticated users is in violation of the rules involved in accepting scheme cards and should be cut off by their acquiring bank/payment processor.
Depending on where a scheme card transaction is processed, there are plenty of opportunities to get around validation. Due to poor customer experience, Verified By Visa, MasterCard SecureCode and American Express SafeKey are rarely used by merchants and AVS (the system that confirms that you've entered the correct ZIP code) is often poorly implemented or not at all for non-US merchants.
Beyond that, some merchants do not submit the CVV2/CSC2 information at all - there have been mandates by all of the schemes to try and stamp this out but they've not succeeded (Amazon is a terrible offender in this instance).
If issuers were to properly mandate VbV/SecureCode/etc, this problem would be massively minimised.
@ben have your ACCOUNT numbers changed.
Get NEW laptops and phones to get rid of malware, some is not removable.
Buy a privacy filter for your screens to stop people seeing details.
STOP posting when you are going away, post AFTER you've done it.
@marija - amazon now do this, they don't take money until despatch, which is wrong, they should take at time of order so as not to put people in a position where they may not be able to pay
Once i got a card compromized BEFORE i got to use it for any purchase... I applied for one card from new bank (never dealt with it before), got it in mail, activated over the phone and forgot about it for 2 weeks. Then I made a small purchase in staples (brick and mortar one). Went online to check how long the bank needs to move it from “pending” to posted. Lo and behold, there...
Once i got a card compromized BEFORE i got to use it for any purchase... I applied for one card from new bank (never dealt with it before), got it in mail, activated over the phone and forgot about it for 2 weeks. Then I made a small purchase in staples (brick and mortar one). Went online to check how long the bank needs to move it from “pending” to posted. Lo and behold, there was 4500 worth of automotive purchases on the card already! In another province that I never set foot into. Eye opening, for sure.
What I found extremely useful is how Amex operates when you add it to GooglePay (Apple pay is likely the same) - you get small notification for ANY purchase made by card, by any method (not just through Gpay). It was freaking my husband in the beginning, as I would congratulate him from home on good business lunch as he was paying for it (we had both added same card to both phones, to help with minimum spend). It also left us scratching our heads when amazon would post some charge a week after order was placed... that we have forgotten about in meantime. Yes, it requires data connection, but it is very real-time and any charges piling up while you are relaxing on the beach will be quite noticeable.
I agree with GuruJanitor, this seems like it might be related to your computer having key logger software.
That or Ford is living a second secret life.
Good luck!
GuruJanitor says:
January 30, 2019 at 2:39 pm
Lucky, have your computer checked for key-logger malware. Seriously.
Agree with all the other posters regarding key-logger malware. The other option is that your router is infected. Have you used the new card for any on-line purchases?
I had fraudulent transactions charged from Virgin Australia and Qantas and was also wondering why fraudsters would book flights. The reason given to me was that often they will refund the flights to a voucher and then sell that voucher to an unwitting buyer online. Because it takes the airlines a few weeks to catch up with the fraud, the voucher will look ‘legit’ to the purchaser until it is eventually cancelled.
I've had a card hacked twice- first time was a gas station skimmer (not uncommon in Florida, so these days I frequently try to use Publix's regular '$50 gas card for $40' promotion to pay for fuel) and the second time was when the third party processing service my county used to handle water-sewer credit and debit card payments got hacked and those card numbers got sold all over the internet.
I remain somewhat...
I've had a card hacked twice- first time was a gas station skimmer (not uncommon in Florida, so these days I frequently try to use Publix's regular '$50 gas card for $40' promotion to pay for fuel) and the second time was when the third party processing service my county used to handle water-sewer credit and debit card payments got hacked and those card numbers got sold all over the internet.
I remain somewhat amused by the second one because the cloned card ended up in Canada, and resulted in AmEx sending me a text message asking me if I had made a purchase at a Tim Horton's in Toronto that morning. Because apparently the first thing a Canadian does after buying a stolen card is get their Timmie's fix.
I canceled a card a few years ago when the card was lost and had a new card sent. The person who stole my old card continued to make purchases that the bank simply transferred to my new card number. It was really strange that they would do that but they said the charges fit my spending pattern so they let them go through. Hell, I can’t even make real purchases sometimes because they banks...
I canceled a card a few years ago when the card was lost and had a new card sent. The person who stole my old card continued to make purchases that the bank simply transferred to my new card number. It was really strange that they would do that but they said the charges fit my spending pattern so they let them go through. Hell, I can’t even make real purchases sometimes because they banks are worried about theft but the thieves somehow get theirs approved.
If that isn’t the case here, as others above have stated I’d check for malware.
Currently, my parents are going through tax fraud, as some woman is using our address to tell the government where she lives instead of where she actually lives and apparently doesn't want to pay her land taxes so now my parents are facing getting their house auctioned off unless this woman is dealt with, (Does anyone know a Lucille Weed?)
My bet is on your computer.
In 20 years of using a dozen credit cards all over the world, I've only had one instance of fraud. I don't do anything special to protect my cards, but I'm extremely careful about the security of my computers.
1. TAP Portugal prices are not cheap. At least from Boston, because they fly direct, they are pretty pricey.
2. The tickets were most likely used the same day and people who flew on them probably were just buying a “cheap” ticket using cash from people who stole your credit card info. Airlines are notorious for saving your info and you may find that your previous card was used. In my case, it was...
1. TAP Portugal prices are not cheap. At least from Boston, because they fly direct, they are pretty pricey.
2. The tickets were most likely used the same day and people who flew on them probably were just buying a “cheap” ticket using cash from people who stole your credit card info. Airlines are notorious for saving your info and you may find that your previous card was used. In my case, it was an Amex two cards back with a different last 4 digits. And still, someone bought JetBlue tickets to Pierto RICO. I caught it the same day after the plane took off but before it landed. Neither Amex nor JetBlue were willing to do anything, they just took my report and Amex credited the money back (taking it from the JetBlue). They could have easily gotten the suckers....
3. My experience with Chase (cards) has been excellent up until last week when they tempted me to open their bank account offering $600. What a nightmare....They botched this promotion big time....
Ugh if someone got my Platinum card I'd be so sad...that's the one I have memorized :( I use it kind of a lot too for non-bonus spend (don't @ me I know I can do better).
Too bad your statement didn't mention anything in detail with the airfare purchase.
Both Citi and Chase will provide the flight origin / destination, date and ticket number.
I can't be for sure, but the fraudulent charges on your new card may have been charged to your old cancelled number and Chase system basically sent the charges to the new account. I hope they did not do this, but my previous experience with AMEX a couple of year ago taught me something about how AMEX deals with a "closed "account.
I had a personal AMEX Platinum card for a few years before I...
I can't be for sure, but the fraudulent charges on your new card may have been charged to your old cancelled number and Chase system basically sent the charges to the new account. I hope they did not do this, but my previous experience with AMEX a couple of year ago taught me something about how AMEX deals with a "closed "account.
I had a personal AMEX Platinum card for a few years before I closed it (not because of fraud). A few years later, a fraudulent charge went through on that same card, and I received a paper bill in mail for the charges. I called AMEX and talked to someone in the fraud department, who told me (at least at that time), the account number associated with a closed credit card was still somehow active (WTF???) and that's how this fraudulent charge went through.
The freaking Taxi drivers are one of the worst I must say, a group of criminals working in that field, one time I paid by visa from airport to home so they have my full name, address and card number, they called the bank many times and got a bit more info by pretending it's me with the above info already obtained by my ride home, and created a bank account and made a transfer...
The freaking Taxi drivers are one of the worst I must say, a group of criminals working in that field, one time I paid by visa from airport to home so they have my full name, address and card number, they called the bank many times and got a bit more info by pretending it's me with the above info already obtained by my ride home, and created a bank account and made a transfer from the cc to the new bank account, luckily they called so many times and raised a flag by the security system that is in place y the bank.
Another possibility is one of the apps you have installed on your phone, often these apps require permission to your folders, photos, contact list etc. so if you stored the card number in like apple/Android/Samsung pay etc they have your info I think but I could be wrong.
I had someone buy an airfare fraudulently on my card. The wheels of the bank's anti-fraud process move slowly, and the flight they booked (I eventually got sent a copy of the booking including their name and address!) was departing and returning within 2 weeks of when they bought it. So they got their free flight and the travel agent lost out.
Sounds like an issue with your computer, unless you can identify a specific merchant used with both cards. With chase the fraud emails/texts can be set at $0.01.
As an amateur in this game of miles/points (almost two years now), I've had around 30 cards (credit cards/charge cards) or more and no fraudulent (knock on wood!).
Although about 10-12 years when I only carried one credit card, I had an unusual charge that was traced to Sprouts groceries. My guess, on a trip to Sprouts, the cashier got gold of my credit card number and used it?
The Amex Plat was weird, given how little exposure that card has, but I agree with the others that the CSR fraud is likely because of where you're using it.
Whether it's a restaurant/coffee shop that you frequent, a series of sketchy hotel clerks, or an unnoticed skimmer on a taxi, parking structure, gas station, etc.
It's also definitely possible that there's malware on your (very old and well-traveled) laptop, but then it seems...
The Amex Plat was weird, given how little exposure that card has, but I agree with the others that the CSR fraud is likely because of where you're using it.
Whether it's a restaurant/coffee shop that you frequent, a series of sketchy hotel clerks, or an unnoticed skimmer on a taxi, parking structure, gas station, etc.
It's also definitely possible that there's malware on your (very old and well-traveled) laptop, but then it seems like you might be having issues with other cards you use for online purchases.
I'd say you need to run spyware on your laptop to check for any malware. Other than that maybe change your account passwords if you haven't done so recently.
> Lucky, have your computer checked for key-logger malware. Seriously.
What GuruJanitor said. Good chance your computer is compromised.
I have had fraud on my AMEX Everyday Preferred card twice in past year and they replaced the card and refunded the money. I think skimmed at 2 different Valero stations in Texas
Last one 2 weeks ago for diesel purchase in city 300 miles away.
Lucky, have you ever had an issue when you are flying and they ask to see the credit card you booked the ticket with? Certainly a problem if you no longer have the card.
While it's true that credit card fraud is a problem everywhere, it seems like Florida (for whatever reason) is a hotbed of this type of activity. The two most obvious fraud scams that I had to deal with started with my overnight stays in Miami and (on another trip) Tampa.
In Miami, I'm sure that the desk clerk at the Marriott I stayed at was involved because the scammers had all my information and...
While it's true that credit card fraud is a problem everywhere, it seems like Florida (for whatever reason) is a hotbed of this type of activity. The two most obvious fraud scams that I had to deal with started with my overnight stays in Miami and (on another trip) Tampa.
In Miami, I'm sure that the desk clerk at the Marriott I stayed at was involved because the scammers had all my information and it was a quick overnight stop where I only used my AmEx card once. These idiots tried to buy $3000 worth of audio equipment from a retailer in L.A. and have it shipped to Miami (on me, of course) - the retailer was suspicious and called me. I let AmEx handle the rest!
Sounds like they've hacked a payment processor, which you can't really do anything about.
However, if you are not currently, I would certainly be using VPN everywhere (including the US) all the time, make sure all of your accounts that support it, have two factor enabled, and finally, I would factory reset your phones, tablets and other devices you routinely use to access said services. Freeze your credit reports as well.
You have to...
Sounds like they've hacked a payment processor, which you can't really do anything about.
However, if you are not currently, I would certainly be using VPN everywhere (including the US) all the time, make sure all of your accounts that support it, have two factor enabled, and finally, I would factory reset your phones, tablets and other devices you routinely use to access said services. Freeze your credit reports as well.
You have to operate as if everything has already been breached (because it has) and do what you can to limit the damage - you may think that the end users aren't responsible and you'd be correct, but the companies are going to get tired of overnighting credit cards to far flung places in the world - when it starts to cost them money, they'll drop you in a second.
Hopefully, the will remember their business class ticket entitles them to using the lounge before departure!
Lucky, have your computer checked for key-logger malware. Seriously.
Agree with @Bgriff. I had fraud on a Chase card and payments were still processed with the old number after I had canceled it. I think Chase does a poor job of handling fraud compared to some of my other cards. Definitely add alerts to your account so you are informed sooner.
Any chance the airline purchases are miles? Fraudsters tend to buy gift cards, so miles could be a way to launder what they've stolen.
I recently got nailed on my Amex Platinum too for a fraudulent iPhone X purchase. Also had a debit card get nailed too for a Sears.com purchase (Bankrupt Sears? Really?).
As someone with banking experience, it's incredibly easy to guess/decode a valid credit card number. The first four digits indicate the bank that issued it, so everyone's numbers are the same (for everyone with a CSR for example). The next four numbers are basically an...
I recently got nailed on my Amex Platinum too for a fraudulent iPhone X purchase. Also had a debit card get nailed too for a Sears.com purchase (Bankrupt Sears? Really?).
As someone with banking experience, it's incredibly easy to guess/decode a valid credit card number. The first four digits indicate the bank that issued it, so everyone's numbers are the same (for everyone with a CSR for example). The next four numbers are basically an "account number" that almost always indicates how many cards you've had issued by that bank. So, a 0001 indicates your first account with the bank, or 2022 usually indicates it is your second card, etc.
So now, any scammer can easily guess the first 8 of the 16 digits of a valid card number. Then you have six or seven digits that represent your personal account number with the issuer. However, these are only issued according to an algorithm which is easy and readily available.
The last digit or two is a "check digit" which is basically a number 0 to 9 which validates that you have a valid card.
It is insanely easy for scammers to generate thousands of "valid" card numbers. What is difficult is getting the 3 or four digit security code printed directly on the card, but a lot of online merchants don't even require that for a purchase. Many merchants also do not match ZIP codes before putting through a transaction.
Almost all of this fraud is coming out of China and Russia for the most part.
Banks know all of this and can fix it, but it would involve a big investment in chip-and-PIN technology, or disposable, one-time use technology. Until the amount of fraud becomes bigger than that required investment, the banks will continue to look the other way. It stinks for consumers.
I would check all online accounts too anyone where they may have stored credit card numbers(credit card accounts, Amazon, subscription services, online shopping sites you frequent, FF accounts) and change out all old passwords. Not sure on your current setup but especially with how public lots of your information is(part of the nature of running blogs) I would start using a password app that’s gives random hard to hash passwords and switching those every few...
I would check all online accounts too anyone where they may have stored credit card numbers(credit card accounts, Amazon, subscription services, online shopping sites you frequent, FF accounts) and change out all old passwords. Not sure on your current setup but especially with how public lots of your information is(part of the nature of running blogs) I would start using a password app that’s gives random hard to hash passwords and switching those every few months. And use 2FA wherever possible.
Where have you used the cards physically? You might have some spyware or virus watching your online transactions.
Do you use a VPN when traveling?
My guess is that this is a professional fraud outfit that probably found a way to get people's card numbers through a chase vendor, like the mailing company or printer or something. With the airfare, they are probably selling cheap tickets to legitimate consumers so if it ever gets traced to the name/person on the ticket, they won't know anything about the fraud, just that they bought a ticket through a travel agent that seemed like a really good deal.
Someone at your hotel copied your card info and sold that off. Usually I never use credit cards to buy anything abroad using hotel wi-fis, a couple of times that I've done that the card has inevitable been fraudulently used. It can also happen when the hotel(or any establishment) swipes your card, it happened to me at a restaurant in Florence once.
Are there ticket numbers or could this be for miles purchases?
I don’t think this is a coincidence. In November I signed up for the Fidelity Visa Cash Back card. A few weeks after normal use i noticed a $700 fraudulent charge from a moving company in...Florida. This is strange because I live on opposite coast and did not move or travel during this time period. So I don’t think this is a coincidence
Do you enter your cards somewhere on this site or maybe the "hackers" have your advertising account info or something and can find it that way?
American Express card replacement numbers are predicable.
https://www.wired.com/2015/11/samy-kamkar-10-dollar-tool-can-guess-and-steal-your-next-credit-card-number/
If you've only had the new card number for a few weeks, the question in my mind is where have you used it? Unfortunately, credit card fraud can happen anywhere that you use your credit card number. Even if it isn't part of some massive breach, someone with access to the card numbers at a hotel, for example, could make a side business of selling them.
However, airfare seems a really strange thing to do...
If you've only had the new card number for a few weeks, the question in my mind is where have you used it? Unfortunately, credit card fraud can happen anywhere that you use your credit card number. Even if it isn't part of some massive breach, someone with access to the card numbers at a hotel, for example, could make a side business of selling them.
However, airfare seems a really strange thing to do fraud on. Names must be attached to a reservation, and are often passed through to the credit card company (along with origin/destination info). Refunds can only be to the original payment method, so it'd have to be same-day travel for someone who has a fake passport.
The only way I can see a TAP fare that much is if they're flying 2 people or 3 people on the same reservation.
Sorry about this as it feels like a hassle when it does happen. I setup alerts for large purchases so a purchase like that from Qantas or TAP would certainly get my attention asap.
Sometimes Amex still lets certain charges through on an old card number, like if you have recurring monthly bills -- although that might be more commonly allowed if it's a card that was cancelled because the card was damaged or something, rather than the card was compromised. But still, maybe Chase is just still letting charges through on your old card number because lots of airfare looked like your usual spend pattern? I have no...
Sometimes Amex still lets certain charges through on an old card number, like if you have recurring monthly bills -- although that might be more commonly allowed if it's a card that was cancelled because the card was damaged or something, rather than the card was compromised. But still, maybe Chase is just still letting charges through on your old card number because lots of airfare looked like your usual spend pattern? I have no idea if Chase customer service would disclose to you what card number was used for these transactions.
If it is the new card number, obviously worth scrutinizing the places you've used the new card so far...did you update any online profiles with the new card (like your Marriott account or AA account or something) where someone else might have compromised your password and is extracting your card number that way? Granted usually you can't just see your card number if you log into such a website though.
Oooof!!!
@Lucky,
It happened to me as well with my amex. Got a new card and with in days it was compromised.
Most likely its not your fault but a service you might be using for that card which has their database hacked.
A good thing to do is check transactions just before the second compromise and see if it matches and purchases just before the first compromise.
@david - Of course not.
Credit card fraud is on the rise. One of my cards (whether I use it a lot or not) gets replaced every few months. It's getting worse.
@Lucky
Will you still get 5x MR for the fraudulent airfare purchases? Cool if you do and get the money back as well HAHA
I set up alerts to get a text AND an email for every credit card transaction over $1. I know it's a pia but I feel like I'm a little more in control.