UGH: My Third Case Of Credit Card Fraud In Weeks

Suffice to say that I am having really bad luck, or something:

  • In early December there was fraud on my Chase Sapphire Reserve; I was alerted to this because Chase sent me a message saying they received a call from an unknown number, and when I looked at my statement there were purchases at a Hampton Inn and Lowe’s in Florida
  • In late December there was fraud on my Amex Platinum; I only found out about this because I was alerted that I had used an Amex Offer that I hadn’t actually used, and then looked at my statement and saw purchases all over the place in Florida as well

Well, I’m currently in Sri Lanka and received an email from Chase asking me to verify a purchase on my Sapphire Reserve.

That didn’t look familiar, but it’s also not a huge purchase, so I figured that maybe I had bought something online and that’s how it appeared. But then I looked at my statement and saw it said “DING EZETOP TOPUP,” and based on that, it looked like this is an online recharge for prepaid cellphones.

Then I looked at my statement in more detail, and saw that this was only the tip of the iceberg. There were over $6,500 in fraudulent airfare charges as well, including:

  • A $3,004.49 purchase from TAP Air Portugal
  • A $2,262.29 purchase from Qantas
  • A $1,339.47 purchase from Iberia

I had three initial thoughts based on that:

  • Airfare seems like a dumb thing to purchase fraudulently, unless you’re traveling same day
  • How do you even spend $3,000+ on TAP Air Portugal, as their fares are usually super cheap?
  • Maybe it’s a coincidence, but I also feel like card issuers track spend patterns and obviously I purchase a ton of airfare, so did the person who stole my card know that, and act accordingly?

The crazy part here is that I just got my new card a few weeks ago, as the previous one was closed down due to fraud. I really haven’t made that many transactions since then, so I’m surprised my information was compromised that quickly.

I’ve long said “oh, I’m not worried about credit card fraud, because consumers aren’t at risk when it happens.” While that’s true, if I keep having to change my card numbers every few weeks, it sure takes the ease out of the process of paying by credit card!

Does anyone have a theory of what’s going on here? Am I just having really bad luck the past few weeks? I thought my previous two hacks may have been related to the Starwood data breach, but the card that was just compromised is a new card number that I’ve only had for a few weeks.

Are the airfare purchases a coincidence, or what exactly is going on here?

I’m now carefully checking out the pending purchases on my credit cards daily, because I sure am suspicious.

Comments

  1. I set up alerts to get a text AND an email for every credit card transaction over $1. I know it’s a pia but I feel like I’m a little more in control.

  2. @Lucky

    Will you still get 5x MR for the fraudulent airfare purchases? Cool if you do and get the money back as well HAHA

  3. @david – Of course not.

    Credit card fraud is on the rise. One of my cards (whether I use it a lot or not) gets replaced every few months. It’s getting worse.

  4. @Lucky,
    It happened to me as well with my amex. Got a new card and with in days it was compromised.
    Most likely its not your fault but a service you might be using for that card which has their database hacked.
    A good thing to do is check transactions just before the second compromise and see if it matches and purchases just before the first compromise.

  5. Sometimes Amex still lets certain charges through on an old card number, like if you have recurring monthly bills — although that might be more commonly allowed if it’s a card that was cancelled because the card was damaged or something, rather than the card was compromised. But still, maybe Chase is just still letting charges through on your old card number because lots of airfare looked like your usual spend pattern? I have no idea if Chase customer service would disclose to you what card number was used for these transactions.

    If it is the new card number, obviously worth scrutinizing the places you’ve used the new card so far…did you update any online profiles with the new card (like your Marriott account or AA account or something) where someone else might have compromised your password and is extracting your card number that way? Granted usually you can’t just see your card number if you log into such a website though.

  6. The only way I can see a TAP fare that much is if they’re flying 2 people or 3 people on the same reservation.
    Sorry about this as it feels like a hassle when it does happen. I setup alerts for large purchases so a purchase like that from Qantas or TAP would certainly get my attention asap.

  7. If you’ve only had the new card number for a few weeks, the question in my mind is where have you used it? Unfortunately, credit card fraud can happen anywhere that you use your credit card number. Even if it isn’t part of some massive breach, someone with access to the card numbers at a hotel, for example, could make a side business of selling them.

    However, airfare seems a really strange thing to do fraud on. Names must be attached to a reservation, and are often passed through to the credit card company (along with origin/destination info). Refunds can only be to the original payment method, so it’d have to be same-day travel for someone who has a fake passport.

  8. Do you enter your cards somewhere on this site or maybe the “hackers” have your advertising account info or something and can find it that way?

  9. I don’t think this is a coincidence. In November I signed up for the Fidelity Visa Cash Back card. A few weeks after normal use i noticed a $700 fraudulent charge from a moving company in…Florida. This is strange because I live on opposite coast and did not move or travel during this time period. So I don’t think this is a coincidence

  10. Someone at your hotel copied your card info and sold that off. Usually I never use credit cards to buy anything abroad using hotel wi-fis, a couple of times that I’ve done that the card has inevitable been fraudulently used. It can also happen when the hotel(or any establishment) swipes your card, it happened to me at a restaurant in Florence once.

  11. My guess is that this is a professional fraud outfit that probably found a way to get people’s card numbers through a chase vendor, like the mailing company or printer or something. With the airfare, they are probably selling cheap tickets to legitimate consumers so if it ever gets traced to the name/person on the ticket, they won’t know anything about the fraud, just that they bought a ticket through a travel agent that seemed like a really good deal.

  12. Where have you used the cards physically? You might have some spyware or virus watching your online transactions.

    Do you use a VPN when traveling?

  13. I would check all online accounts too anyone where they may have stored credit card numbers(credit card accounts, Amazon, subscription services, online shopping sites you frequent, FF accounts) and change out all old passwords. Not sure on your current setup but especially with how public lots of your information is(part of the nature of running blogs) I would start using a password app that’s gives random hard to hash passwords and switching those every few months. And use 2FA wherever possible.

  14. I recently got nailed on my Amex Platinum too for a fraudulent iPhone X purchase. Also had a debit card get nailed too for a Sears.com purchase (Bankrupt Sears? Really?).

    As someone with banking experience, it’s incredibly easy to guess/decode a valid credit card number. The first four digits indicate the bank that issued it, so everyone’s numbers are the same (for everyone with a CSR for example). The next four numbers are basically an “account number” that almost always indicates how many cards you’ve had issued by that bank. So, a 0001 indicates your first account with the bank, or 2022 usually indicates it is your second card, etc.

    So now, any scammer can easily guess the first 8 of the 16 digits of a valid card number. Then you have six or seven digits that represent your personal account number with the issuer. However, these are only issued according to an algorithm which is easy and readily available.

    The last digit or two is a “check digit” which is basically a number 0 to 9 which validates that you have a valid card.

    It is insanely easy for scammers to generate thousands of “valid” card numbers. What is difficult is getting the 3 or four digit security code printed directly on the card, but a lot of online merchants don’t even require that for a purchase. Many merchants also do not match ZIP codes before putting through a transaction.

    Almost all of this fraud is coming out of China and Russia for the most part.

    Banks know all of this and can fix it, but it would involve a big investment in chip-and-PIN technology, or disposable, one-time use technology. Until the amount of fraud becomes bigger than that required investment, the banks will continue to look the other way. It stinks for consumers.

  15. Agree with @Bgriff. I had fraud on a Chase card and payments were still processed with the old number after I had canceled it. I think Chase does a poor job of handling fraud compared to some of my other cards. Definitely add alerts to your account so you are informed sooner.

    Any chance the airline purchases are miles? Fraudsters tend to buy gift cards, so miles could be a way to launder what they’ve stolen.

  16. Sounds like they’ve hacked a payment processor, which you can’t really do anything about.

    However, if you are not currently, I would certainly be using VPN everywhere (including the US) all the time, make sure all of your accounts that support it, have two factor enabled, and finally, I would factory reset your phones, tablets and other devices you routinely use to access said services. Freeze your credit reports as well.

    You have to operate as if everything has already been breached (because it has) and do what you can to limit the damage – you may think that the end users aren’t responsible and you’d be correct, but the companies are going to get tired of overnighting credit cards to far flung places in the world – when it starts to cost them money, they’ll drop you in a second.

  17. While it’s true that credit card fraud is a problem everywhere, it seems like Florida (for whatever reason) is a hotbed of this type of activity. The two most obvious fraud scams that I had to deal with started with my overnight stays in Miami and (on another trip) Tampa.

    In Miami, I’m sure that the desk clerk at the Marriott I stayed at was involved because the scammers had all my information and it was a quick overnight stop where I only used my AmEx card once. These idiots tried to buy $3000 worth of audio equipment from a retailer in L.A. and have it shipped to Miami (on me, of course) – the retailer was suspicious and called me. I let AmEx handle the rest!

  18. Lucky, have you ever had an issue when you are flying and they ask to see the credit card you booked the ticket with? Certainly a problem if you no longer have the card.

  19. I have had fraud on my AMEX Everyday Preferred card twice in past year and they replaced the card and refunded the money. I think skimmed at 2 different Valero stations in Texas

    Last one 2 weeks ago for diesel purchase in city 300 miles away.

  20. > Lucky, have your computer checked for key-logger malware. Seriously.

    What GuruJanitor said. Good chance your computer is compromised.

  21. I’d say you need to run spyware on your laptop to check for any malware. Other than that maybe change your account passwords if you haven’t done so recently.

  22. The Amex Plat was weird, given how little exposure that card has, but I agree with the others that the CSR fraud is likely because of where you’re using it.

    Whether it’s a restaurant/coffee shop that you frequent, a series of sketchy hotel clerks, or an unnoticed skimmer on a taxi, parking structure, gas station, etc.

    It’s also definitely possible that there’s malware on your (very old and well-traveled) laptop, but then it seems like you might be having issues with other cards you use for online purchases.

  23. As an amateur in this game of miles/points (almost two years now), I’ve had around 30 cards (credit cards/charge cards) or more and no fraudulent (knock on wood!).

    Although about 10-12 years when I only carried one credit card, I had an unusual charge that was traced to Sprouts groceries. My guess, on a trip to Sprouts, the cashier got gold of my credit card number and used it?

  24. Sounds like an issue with your computer, unless you can identify a specific merchant used with both cards. With chase the fraud emails/texts can be set at $0.01.

  25. I had someone buy an airfare fraudulently on my card. The wheels of the bank’s anti-fraud process move slowly, and the flight they booked (I eventually got sent a copy of the booking including their name and address!) was departing and returning within 2 weeks of when they bought it. So they got their free flight and the travel agent lost out.

  26. The freaking Taxi drivers are one of the worst I must say, a group of criminals working in that field, one time I paid by visa from airport to home so they have my full name, address and card number, they called the bank many times and got a bit more info by pretending it’s me with the above info already obtained by my ride home, and created a bank account and made a transfer from the cc to the new bank account, luckily they called so many times and raised a flag by the security system that is in place y the bank.

    Another possibility is one of the apps you have installed on your phone, often these apps require permission to your folders, photos, contact list etc. so if you stored the card number in like apple/Android/Samsung pay etc they have your info I think but I could be wrong.

  27. I can’t be for sure, but the fraudulent charges on your new card may have been charged to your old cancelled number and Chase system basically sent the charges to the new account. I hope they did not do this, but my previous experience with AMEX a couple of year ago taught me something about how AMEX deals with a “closed “account.

    I had a personal AMEX Platinum card for a few years before I closed it (not because of fraud). A few years later, a fraudulent charge went through on that same card, and I received a paper bill in mail for the charges. I called AMEX and talked to someone in the fraud department, who told me (at least at that time), the account number associated with a closed credit card was still somehow active (WTF???) and that’s how this fraudulent charge went through.

  28. Too bad your statement didn’t mention anything in detail with the airfare purchase.
    Both Citi and Chase will provide the flight origin / destination, date and ticket number.

  29. Ugh if someone got my Platinum card I’d be so sad…that’s the one I have memorized 🙁 I use it kind of a lot too for non-bonus spend (don’t @ me I know I can do better).

  30. 1. TAP Portugal prices are not cheap. At least from Boston, because they fly direct, they are pretty pricey.
    2. The tickets were most likely used the same day and people who flew on them probably were just buying a “cheap” ticket using cash from people who stole your credit card info. Airlines are notorious for saving your info and you may find that your previous card was used. In my case, it was an Amex two cards back with a different last 4 digits. And still, someone bought JetBlue tickets to Pierto RICO. I caught it the same day after the plane took off but before it landed. Neither Amex nor JetBlue were willing to do anything, they just took my report and Amex credited the money back (taking it from the JetBlue). They could have easily gotten the suckers….
    3. My experience with Chase (cards) has been excellent up until last week when they tempted me to open their bank account offering $600. What a nightmare….They botched this promotion big time….

  31. My bet is on your computer.

    In 20 years of using a dozen credit cards all over the world, I’ve only had one instance of fraud. I don’t do anything special to protect my cards, but I’m extremely careful about the security of my computers.

  32. Currently, my parents are going through tax fraud, as some woman is using our address to tell the government where she lives instead of where she actually lives and apparently doesn’t want to pay her land taxes so now my parents are facing getting their house auctioned off unless this woman is dealt with, (Does anyone know a Lucille Weed?)

  33. I canceled a card a few years ago when the card was lost and had a new card sent. The person who stole my old card continued to make purchases that the bank simply transferred to my new card number. It was really strange that they would do that but they said the charges fit my spending pattern so they let them go through. Hell, I can’t even make real purchases sometimes because they banks are worried about theft but the thieves somehow get theirs approved.

    If that isn’t the case here, as others above have stated I’d check for malware.

  34. I’ve had a card hacked twice- first time was a gas station skimmer (not uncommon in Florida, so these days I frequently try to use Publix’s regular ‘$50 gas card for $40’ promotion to pay for fuel) and the second time was when the third party processing service my county used to handle water-sewer credit and debit card payments got hacked and those card numbers got sold all over the internet.

    I remain somewhat amused by the second one because the cloned card ended up in Canada, and resulted in AmEx sending me a text message asking me if I had made a purchase at a Tim Horton’s in Toronto that morning. Because apparently the first thing a Canadian does after buying a stolen card is get their Timmie’s fix.

  35. I had fraudulent transactions charged from Virgin Australia and Qantas and was also wondering why fraudsters would book flights. The reason given to me was that often they will refund the flights to a voucher and then sell that voucher to an unwitting buyer online. Because it takes the airlines a few weeks to catch up with the fraud, the voucher will look ‘legit’ to the purchaser until it is eventually cancelled.

  36. GuruJanitor says:
    January 30, 2019 at 2:39 pm
    Lucky, have your computer checked for key-logger malware. Seriously.

    Agree with all the other posters regarding key-logger malware. The other option is that your router is infected. Have you used the new card for any on-line purchases?

  37. I agree with GuruJanitor, this seems like it might be related to your computer having key logger software.

    That or Ford is living a second secret life.

    Good luck!

  38. Once i got a card compromized BEFORE i got to use it for any purchase… I applied for one card from new bank (never dealt with it before), got it in mail, activated over the phone and forgot about it for 2 weeks. Then I made a small purchase in staples (brick and mortar one). Went online to check how long the bank needs to move it from “pending” to posted. Lo and behold, there was 4500 worth of automotive purchases on the card already! In another province that I never set foot into. Eye opening, for sure.

    What I found extremely useful is how Amex operates when you add it to GooglePay (Apple pay is likely the same) – you get small notification for ANY purchase made by card, by any method (not just through Gpay). It was freaking my husband in the beginning, as I would congratulate him from home on good business lunch as he was paying for it (we had both added same card to both phones, to help with minimum spend). It also left us scratching our heads when amazon would post some charge a week after order was placed… that we have forgotten about in meantime. Yes, it requires data connection, but it is very real-time and any charges piling up while you are relaxing on the beach will be quite noticeable.

  39. @ben have your ACCOUNT numbers changed.
    Get NEW laptops and phones to get rid of malware, some is not removable.
    Buy a privacy filter for your screens to stop people seeing details.
    STOP posting when you are going away, post AFTER you’ve done it.

    @marija – amazon now do this, they don’t take money until despatch, which is wrong, they should take at time of order so as not to put people in a position where they may not be able to pay

  40. Although there is some good advice here, some of it is absolutely rubbish:

    1. Using a VPN protects only the path from your device to the egress point of the VPN provider. There is zero additional protection between that egress point and the actual service you’re connecting to. If TLS isn’t being used to protect the connection, interception is still possible and if TLS is being used to protect the connection, a VPN will protect you from DNS leakage at most unless you’re stupid enough to bypass security warnings from apps and/or your web browser.
    2. Recurring payments will only continue to be honoured upon a card number change if the biller has marked the transaction recurring and they should only be doing so if they’ve validated the initial transaction with the CVV2/CSC2 value that is physically on the card (and this is the only place on the planet that the value should be stored after the card is manufactured). If an issuer is not enforcing this, they’re inept (and I highly doubt Chase or American Express fall into this category).
    3. A WiFi network not featuring encryption does not present any obstacle to sniffing traffic to a sophisticated attacker, just as a wired network is no more secure unless configured properly (the vast majority are not). Again, the details in point 1 above apply – unless the site/service you’re connecting to have a solid security posture, a VPN service is of minimal help (and actually presents a man-in-the-middle opportunity).
    4. The idea that someone gaining access to an online account for a merchant that has stored your card details meaning that the attacker can get access to the card itself is ludicrous. Any merchant of this nature that displays the full PAN to authenticated users is in violation of the rules involved in accepting scheme cards and should be cut off by their acquiring bank/payment processor.

    Depending on where a scheme card transaction is processed, there are plenty of opportunities to get around validation. Due to poor customer experience, Verified By Visa, MasterCard SecureCode and American Express SafeKey are rarely used by merchants and AVS (the system that confirms that you’ve entered the correct ZIP code) is often poorly implemented or not at all for non-US merchants.

    Beyond that, some merchants do not submit the CVV2/CSC2 information at all – there have been mandates by all of the schemes to try and stamp this out but they’ve not succeeded (Amazon is a terrible offender in this instance).

    If issuers were to properly mandate VbV/SecureCode/etc, this problem would be massively minimised.

  41. Like @ Rob suggested, you should consider that your card may have been compromised at the vendor level. It’s something to think about considering your notoriety as travel blogger who probably has high credit limits on every account, the fact there were large airline purchases that went unflagged by the bank, and also that you often write about exactly which cards you’re going for and/or getting. Not much you can do about the latter since its part and parcel of travel blogging but perhaps avoid writing in too much detail about the cards that will be sent to you especially around the time they’re being mailed.

  42. Also agree about adding a text/email notification for every transaction over 0.01.

    I see everything that happens on my account.

    Only scary part is sometimes the charge doesn’t post instantly but rather a batch (usually overnight). Waking up to a text from a hotel/restaurant you ate at previously can sometimes catch you offguard.

  43. The interesting thing with airfare is that the name of the pax shows up on your statement, with ticket numbers and dates of travel, so if they are booking for themselves it should be easy to track. If it appears to be an individual based in the US, Canada, Australia, NZ, or Europe, I would recommend making a criminal referral to the local police.

    With regard to your card access, it sounds like someone has access to your computer or accounts through malware (especially if Chase confirms this was done with your new card). I would recommend changing ALL of your passwords to unique passwords (I highly recommend LastPass to assist). Finally, I would bring your computer and phones into a computer technician to see if any malware or key tracker exisits on your computer.

  44. My dad had a BoA card reported for fraud. Before even getting his hands on the new one, there was fraudulent activity on that one as well. Go figure!

  45. A few years ago I made a trip to Asia with a few other side trips purchased while I was there. Our company was small at the time and my boss checked AMEX statements daily. He messaged me to go over some charges and then he got to 5 flights from the UK to various places in mainland Europe. It was crazy because the passenger names seemed almost fake to match where they were going. A pair of tickets to Russia for Boris and Ivanka, Guillermo flew to Spain, Pierre flew to France, a poor guy with no vowels in his name flew to Prague. We had no issues disputing the charges. Some of the flights had already happened and others were pending.

    This continued for a few months with other cards. One coworker was charged $50 for a necklace from QVC. We disputed it and AMEX actually declined it. They sent the order form and it had my coworker’s name but identified as Mrs. It had his work address but his home ZIP. The package was delivered to his name (as Mrs.) to a home in Palo Alto despite him living in LA. I googled the house and found it was owned by two Stanford grads. One worked for the CDC and the other owned a bio company. Their house payment was estimated at $7k a month. Why would they commit credit card fraud for $50? That is when I found they had an inlaw home in the back they rented out. I sent them a message and warned them about what was going on.

    After a few more months and compromised cards (I think AMEX had a threshold of 10) they cancelled all of our cards and issued a brand new set with a different numbering sequence.

  46. 11pm last night someone used my Amex Biz Platinum card in the netherlands, so amex caught it right away, froze it and alerted me. New card overnighted, should be here friday.

    A month or so ago my wifes Sapphire Reserve had a airline ticket charged to it; sfo to shanghai, about $10,000. AA called just to make sure it was legit, which of course it wasnt, so it didnt even make it to the credit card company.

    But where do they get the info to do this? i NEVER use my platinum card except to get into lounges, and once in a while on line for a big purchase from legit companies. Nothing else. But they still managed to get the info.

  47. I m also with Rob, it got compromised at the hotel level.
    I’ve heard from a friend of a friend who worked at a Sheraton how easy and how often its done.

    I would imagine googling your (unique) name – and reading your numerous credit card pitches… errr… posts, a hotel clerk would know exactly how you spend your money.

  48. Just had several Fraud purchases on a Chase Credit Card. Only noticed it when paying the bill. I wondered why it was so high!
    2 roundtrip tickets Emirates DXB to BRU
    1 hotel charge in Milan
    and one 2 weeks earlier for only $20 to Vayama.com which looks like an airline booking site.

  49. @Jacques, I do exactly the same thing. Plus, I check my statements at least once a day, every single day of my life.

  50. Oddly enough I travel every summer to Siberia and have used my Sapphire card everywhere that accepts it including small grocery stores in small towns. One charge was approved for 6 cents – I had failed to tell the cashier I needed a bag so she just grabbed my card and swiped it. In three years I have yet to have a fraudulent charge in Russia. In China I use the card as well but there are very few places that accept an international card. Again zero fraud. In the US there have been fraudulent charges more than once so I’m not sure why a reader suggests most of the fraud comes out of Russia and China. If it does, it is definitely not because one uses their card routinely in those countries.

  51. If you ever charge someone at a restaurant and the waiter takes the credit card away – you risk the number and pin being copied down and used.

  52. This is sort of an obvious point, but you run a public-facing blog that largely revolves around your credit card usage. It seems plausible that you might be a specific target for fraud, rather than the sort of wholesale identify theft that most victims experience.

  53. Too many evil people in the world preying on the rest of us. Hacking, digital fraud, identity theft, etc. should be capital offenses! Off with their heads!

  54. @Lucky. I had a string of them with Amex Platinum a few years ago. One after the other. It turned out to be an internal issue as revealed to me (not saying how). Imagine the number of American Express employees (and other cards) that can access information, patterns, and card numbers.

  55. Same for me in last few weeks. First INK Preferred, then Freedom, then Freedom Unlimited.
    I’m beginning to feel like it’d be less inconvenient to track the fraudsters down myself and get the police involved than to keep going over charges and having to get new cards.
    The banks are seriously not losing enough to make it worthwhile to prosecute?

  56. Those happened over 3 days – I would set up Chase Alerts for texts & emails at levels appropriate for you so you can at least shut it down quicker. Especially foreign transactions as you are away so frequently. Make sure you have VPN on your cell or wherever you conduct banking business on the road.

  57. I had the same event several times. If you use your credit card to pay at the pump- stop. Your transaction information is sent wirelessly from the pump to the office. It’s easy to skim. Since I stopped paying at the pump there have been no more problems. Just my experience.

  58. I turn off WiFi, whether supposedly secure or not, while traveling whenever I need to access personal data on my devices or spend money . And use a VPN. Can’t always prevent a live person from stealing numbers, though. That’s usually the weakest link.

  59. FLORIDA. That’s it. Particularly Tampa/Miami. I’ve never had so much credit card fraud until I lived there for over 6 years combined. It’s mostly gone since I left that state and have new cards.

  60. As someone earlier mentioned the cc numbers do partially follow a pattern. I had a Hyatt card a while ago that was cancelled due to fraud. I got a replacement and had NEVER used it but someone still attemped to use my number. It didn’t go through because they didn’t know my zip code and the security code.

    Of course having a popular blog may make you an intentional target and I would not rule that out.

  61. Credit cards are a scam. In China everyone uses mobile pay. Much less transaction cost, more secure, easier. But hey, we like making Visa and MasterCard rich.

  62. i mean you do have a blog where you display to the world all the credit cards you have…but it might be so many other things like living in Florida, or a virus on your computer, or not using VPN when youre banking on ur phone in ur travels….

    im sorry this happened to you bro =/

  63. Why can’t we lock our credit cards with an app and then unlock it when we need to make a charge? Some banks do this with debit cards. It would surely cut down on the fraud.

  64. I am also facing the same issues. I had used my Citibank AA card to purchase British Airways tickets online. A few days later someone attempted to buy luxury watches in Luxemburg for an amount of 30000 USD!!!! Luckily the bank denied the transaction and called me. I am wondering if it is related to the breach of security with BA…wodner if any more attempts would still occur. Some time earlier, my supplementary AX SPG card was used to buy 2 air tickets on Delta and again for inflight wifi. I even got the names of the passengers and notified AX. Would the fraud department track them down and arrest them??

  65. Perhaps someone will know your details and make a $20,000 Cathay Pacific First Class purchase. You’ll earn 60,000 UR points. How good is that?

  66. A funny alert about fraud for me, I love this story. We fly often and have many charges on hotels and Airlines and car leases all over Europe, but what caught Chase’s “eye” was a small charge to Avon! They know me so well! Have never charged any kind of make up ever! But I guess the culprit thought since I was a woman it was a safe bet! This always makes me laugh!

  67. My credit card issuer (at least one) allows me to block the card and unblock it when I want to use it. With the issues Lucky has just identified and the fact that the BA leak cost me one hacking I am beginning to think of using this blocking feature.

  68. Just to throw out a more “out there” possibility – it could be an inside job. The best way to combat it may be to set up automatic alerts on your account and to contact Chase the moment you receive one.

    I have a credit card that I only use for international travel, but for a while, I wasn’t traveling internationally very often. In 2016, I visited Montreal, Canada and used my international travel credit card while I was on that trip. A few months after the trip, the credit card company contacted me and asked me to review a (Australian?) transaction that looked suspicious.

    I told the credit card company that the transaction was not mine, so they reissued that card and also sent me a form for me to use to attest that the transaction was not mine.

    I did not have any international travel again until spring 2018, so my new, pristine international travel credit card just remained at home, literally under lock and key. I didn’t even use it for online transactions.

    In fall 2017, I got “password religion” and instituted the use of a password manager, plus the use of strong random passwords. I stayed up very late hardening and entering the first batch of passwords, which included the password for my international travel credit card account.

    Just before I was about to go to sleep, I received either a text or email alert – which I’d set up previously – from that account. I called the credit card company within minutes of receiving the alert.

    Once again, the credit card company reissued the card and said they’d send me the usual form. The reissued credit card came, but the usual form never came.

    So that left me wondering. Had someone inside the company been sitting on my old password (which was admittedly somewhat weak), and had my hardening of that password somehow prompted them to take one last stab at my credit card account?

    And, given the “pristine card” circumstances that I’d explained to the fraud representative, did the credit card company figure out that it was an inside job?

    I should add that my travel credit card is more of a ”premium” credit card, somewhat like the Chase Sapphire Reserve card.

    My international travel credit card did get hit again in fall 2018, but I’d taken it on two international trips in spring 2018. I don’t think that I received the fraudulent transaction form to fill out for the 2018 occurrence.

    In any case, I’d suggest setting up automatic text/email alerts.

  69. You should set up Apple Pay for all your cards. Then you at least get push notifications when there are any transactions the second they happen.

  70. Maybe it’s just how backward US banks are but all my cards have Verified by Visa which requires an OTP sent by SMS to complete online purchases. In-store purchases generally require a PIN (in some countries they can still swipe without a PIN)

  71. Set all cards credit and banks…to text you when any charge is made on them .. set to lowest $amount they allow..even $1.00..if they allow it that low
    They will text within a few moments of a charge. Then you will know if it was you or not!

  72. would it not all be much simpler if the US CC’s applied the EU rules – i.e. use a PIN and a chip with every card for real life transactions and a security with an extra pin check via your mobile on any online transaction. No fraud anymore and you feel comfortable and safe

  73. @andre

    Exactly, credit card fraud is big in the US as the credit card companies have been exceedingly slow at adapting things like chip cards, pin codes, and second layer verification on online purchases. Maybe it is easier to make the transactions the old fashioned way, but it also leaves the door wide open for fraud.
    If the US credit card companies fully embraced the modern technologies this would be reduced to a fraction.

    I have had one case of credit card fraud in all of my life, which was after using my card in Miami Florida. And I travel pretty extensively

  74. Lucky, the CSV app has a “lock-Unlock” feature. Why aren’t you using that? Keep the card locked until you need to use it then immediately lock it back up after. Even is someone gets the card information, they won’t be able to use it unless they try to run a charge at the exact same time that you’re using it as well.

  75. The reference to Russia and China fraud is not from merchants there, but the organized crime / state sponsored hacking outfits.

    It’s hard to believe that an airline purchase would appear on the statement without an additional description, or is this not being displayed in the posting.

    Perhaps this is an MCO (Miscellaneous Charge Order) being used to “hide” the real ticket purchase, as someone mentioned.

  76. Similar situation happened to me with my bank. I noticed pending charges on my debit card that I hadn’t made and alerted the bank. (Thankfully I log into my accounts daily and watch my accounts to the penny, so I caught that quickly.) Within a week of getting my replacement debit card, more fraudulent charges popped up. I had signed up for alerts and I was receiving alerts saying my card was being used for a $1900 dollar purchase on the opposite coast…while I was at working! Went into the bank again and finally went high up enough to find out what was going on.

    The manager told me that my checking ACCOUNT had been hacked and that the fraud would keep occurring until I changed ALL my passwords, account numbers, etc. It turned out that my account was getting hacked by an employee INTERNALLY. I suspect the same issue is going on with your account. Major inconvenience to change everything, but that’s what I had to do. I changed all my usernames, passwords, and all account numbers. Thankfully, that did the trick and I (knock on wood) haven’t had to deal with the issue again. If I were you, I would:

    -Change ALL ACCOUNT numbers and associated numbers with said accounts.

    -Change your USER ID and PASSWORD for your accounts. ALL of them! Most likely your current one is compromised.

    -Reconsider who is storing your credit information for auto bill pay, etc. I now usually just pay manually from my bank whereas before I had companies store my credit card number for auto-billing. Every time a company stores your credit card info, it’s another chance for this type of hassle when there is a security breach. (See Marriott!)

    -Sign up for free account alerts. Seriously, they really do help. I particularly like American Express Alerts because they are really quick, but I have alerts on all accounts.

    -Commit to checking your accounts at least once every day to protect yourself, catch fraud, etc.

    -I agree with the other comments about gas station skimmers…last issue I had was for just that reason, but of course the fraud was stopped before it got to my account and the bank issued a new card immediately. (Mastercard in that case, but they were really on the ball…they caught the fraud before I even did!)

    -Totally sucks that you’re dealing with this. I know I was super annoyed at having to change all my account numbers, bill pay, etc. It happened to me years ago and it still sort of irritates me, to say nothing of the fact that the bank I was trusting actually had an employee committing the theft!

  77. I don’t know why everyone doesn’t have their credit card notifications set up to send a push notification for any transaction over $1, so when that $750 charge from Forever 21 pings your phone you know you’ve got a problem.

  78. As others have said, It’s probably your computer.

    Not sure if this is a AMEX thing or applies to all companies, but when my AMEX was compromised I had to specifically ask them to allow no charges from my old card number. They pushed back and asked if I was sure due to reoccurring charges and I finally said I would cancel the card for good if they allowed charges from the old card. All has been good since then.

  79. If we knew more about how you used the cards during the relevant period, we could probably provide better guidance on how your cards were compromised. That being said, online theft is very rare. Most popular merchants have secure transmission protocols. If you think about the major data breaches they mostly occurred through theft of point-of-sale transactions (i.e. swipes) and not through online transactions. So – unless you used the cards at sketch websites, I think it unlikely that was the cause of your problems. Ditto for MRC charges for cable, phone, Starbucks reloads, etc.
    The more likely scenario is that one of your regular merchants was the source of your problem. This could be a gas station swipe (where my info was recently stolen) a restaurant (very common) or any other point-of-sale merchant. What you need to do is examine the common charges (if there are any) and then by process of elimination you may be able to determine where the breach occurred.
    This also highlights why you should always designate a single card for your monthly recurring payments and the put it in the sock drawer and use that card NOWHERE ELSE. Because it is a royal PITA to change all of your MRCs every time a card is compromised.
    Finally I note the fraudulent charges rarely provide a clue as to how your card was compromised. Usually the info is sold on the darkweb and the card info is then cloned and used at home improvement stores, etc until a fraud alert is set off. The online ticket airline purchases are a bit odd because it would be easy to catch someone who tries to use a fraudulent ticket. Maybe they were resold to morons

  80. I doubt Lucky is being target individually, if that’s what’s happening here, his life would be around upside-down as those criminals would try to shake his professional work and perspnal life.
    Still doen’t hurt to check, but I doubt it very much.

  81. @Marc

    Like another post above wrote to you, the Russian government doesn’t go after local cyber criminals that don’t target Russia.

    https://www.nytimes.com/2017/04/21/technology/russian-hacker-sentenced.html
    https://nakedsecurity.sophos.com/2017/04/25/russian-pioneer-of-identity-theft-and-card-fraud-jailed-for-27-years/

    This bunch was stupid enough to travel too AMS.
    https://www.theregister.co.uk/2018/02/16/two_russians_jailed_credit_card_hacks/

    And finally a bit old, but why this is happening. Aka how the money is made.
    https://www.zdnet.com/article/how-credit-card-fraud-in-the-us-supports-russias-underground-economy/

  82. I had two cards hit within 48 hours. I’m not sure which account was hit to find the card info … but it happened. Luckily both card issuers were very helpful when it came to removing the fraudulent charges.

  83. When I read this my first thought was that someone bought the ticket as part to defraud a third party for cash. Now I read this article which supports that thought, if I buy a ticket and receive a ticket number and reference code I would not be suspicious of the ‘agent’, only differedce I avoid third party booking sites and would never pay cash. However, I know many people who are at risk and are too trusting: https://www.thisismoney.co.uk/money/beatthescammers/article-6705859/New-scam-flight-holiday-warning-heres-stay-safe.html

Leave a Reply

Your email address will not be published. Required fields are marked *