Credit card fraud

asterix

Comrade Member
Location
Limoges or York
My card has been stopped because a dodgy transaction turned up today.

The transaction was spending with 'UK2' but only for £0.01. However the card fraud team say this is an attempt to register the card online somewhere and has been common lately. (UK2 turn up as a web host).

Since my first talk with them another transaction turned up with Amazon Market place although not shown on my Amazon account nor did I get the usual email confirmation. Hopefully whatever was ordered won't be sent but in any case the card co. say they have cancelled it as far as I am concerned.

The card provider say it is nothing that I have been careless about and there is no action I need to take now the card has been stopped. I suspect they have a good idea how the problem arose but don't feel it necessary to tell me.
 

ttcycle

Cycling Excusiast
Call me cynical and suspicious but they might not want to tell you what happened cause it might have been the bank/company at fault ie loss of data etc.

Still, good that they were onto it straight away.
 
A lot of these are "tests" to see if a cloned card is still valid and has credit on it before going to use it or pass iy on.
 

PBancroft

Senior Member
Location
Winchester
I'm not sure that they CAN tell you. If its a credit card, although you are the customer the money is theirs. I wonder if they are legally able to tell a third party about a potential fraud (which you may or may not have been involved in from their point of view) before the case has been dealt with by the relevant authorities.

Just a hunch, no sources to back it up.
 

TVC

Guest
When my card details were taken a year ago, Barclaycard spotted it immediatly when a test transaction of $1 was made in the USA and attempted purchase of a TV in France an hour later was refused. Like you, Barclaycard fraud dept wouldn't discuss the details with me, but it was easy to work out because I had only used the card once and that was to book a hotel in Paris. When I got to Paris a couple of months later, the hotel had my card details printed out on the e-mail Hotels.com had sent them
 
OP
OP
asterix

asterix

Comrade Member
Location
Limoges or York
Looking back on my transactions suggestions that it was most likely to have been Waterstones site.

The only online transaction I made in the period was with them, and there was a problem when I tried to login - first try was a page of techspeak, 2nd try was successful but the buying process (of an e-book) did not work properly (although they took the money) and I had already emailed Waterstones to complain before the fraud was detected.
 

byegad

Legendary Member
Location
NE England
I've had this a few of times over the years.

Capital One have always spotted the suspicions transaction and cancelled the card. When it first happened they told where (and for how much) the rogue transaction took place, recently they have refused claiming DATA protection.

After the first couple of times I immediately worked out which firm had leaked my details. I suppose these firms have pressured Capital One to not release details in order to save their businesses. I know I used to spend several hundred pounds a year with the firm I identified and have not spent a penny with them since.
 
Location
Rammy
My card has been stopped because a dodgy transaction turned up today.

The transaction was spending with 'UK2' but only for £0.01. However the card fraud team say this is an attempt to register the card online somewhere and has been common lately. (UK2 turn up as a web host).

they are indeed a web host, I've had my site hosted with them for over a year now and have little reason to believe them to be anything but your average online hosting company.

My assumption with card companies refusing to give details, and hiding behind data protection, is because it often is not a company's specific fault, more an unscrupilous employee

although I agree that hotel.com or whatever the company was, shouldn't have just e-mailed card details to a hotel!
 
OP
OP
asterix

asterix

Comrade Member
Location
Limoges or York
I used to spend several hundred pounds a year with the firm I identified and have not spent a penny with them since.

It's very irritating as Mrs A. was planning to buy books from Waterstones for her e-reader we just bought! First one we buy and this happens.

I've now sent several emails to W'stones, each of which gets an automated response. Their only reply ignores the issue I raised and just repeats the web page instructions.

On the plus side, not having a credit card for a few days must be a bonus!
 
Location
Gatley
Looking back on my transactions suggestions that it was most likely to have been Waterstones site.

The only online transaction I made in the period was with them, and there was a problem when I tried to login - first try was a page of techspeak, 2nd try was successful but the buying process (of an e-book) did not work properly (although they took the money) and I had already emailed Waterstones to complain before the fraud was detected.

I wouldn't limit your suspicions to online places (in fact large retailers online services are usually less likely) - restaurants and hotels used to be big sources (as the staff take the card away to process it in many places) and petrol stations have been a pretty large source recently too...
 
My bank is very good, I have used my card for two "atypical" transactions this year....

One was my student fees, and the other for a Bike.

In both cases they were on the phone within hurs to check they were legitimate transactions
 

Bman

Veteran
Location
Herts.
But how do they get your address??


Some sites dont require the billing address. Thats how they done me out of ~£500 a few years ago.

A spa day for two
Womens and mens clothing
Mens designer beauty products

I researched and called up the companies shown on my statement, found out what was ordered and to what name and address. Most of the companies I spoke to were very helpful. I managed to get through to the MD of one company, who was helpful and technical enough to even give me their IP address.


In the end I just reported it to the bank and let them deal with it. At the end of the day, it wasn't *my* money.
 
OP
OP
asterix

asterix

Comrade Member
Location
Limoges or York
I wouldn't limit your suspicions to online places (in fact large retailers online services are usually less likely) - restaurants and hotels used to be big sources (as the staff take the card away to process it in many places) and petrol stations have been a pretty large source recently too...

Agreed that these are more likely, however in this case

a) the card provider said it was an online provider
b) Waterstones are the only online seller I'd used shortly before the problem
c) the other transactions that day were also large retailers who never handled the card I'd put it into their readers myself

I asked the card provider if I could have done anything to prevent the problem and they said no, there was not!

To be fair, Waterstones have now replied, including the following information:

We use the strongest and most secure, commercially available version of 128-bit Secure Socket Layers (SSL) encryption. This is the industry standard for e-commerce and the best solution currently available for secure, online commerce transactions.

SSL encrypts all of your personal information, including your credit card number, name and address. This ensures that your details cannot be read as they travel over the Internet.


So, although it is a mystery, what is to stop hackers from cloning a sellers 'shop window', adding their own processing in place of the secure stuff to interecept the details they want? After all, Waterstones site did not work properly: I had to log on twice (the first time didn't work) and then when Waterstones site should have passed my logon id and password to Adobe, it failed to do so. I told Waterstones about this before I knew of the fraud but they have not explained the faults.

At the end of the day, it wasn't *my* money.

If these tea-leafs are robbing card providers and shops you can be sure that they will pass the cost on to their honest customers at the end of the day.
 
Location
Gatley
To be fair, Waterstones have now replied, including the following information:

....

So, although it is a mystery, what is to stop hackers from cloning a sellers 'shop window', adding their own processing in place of the secure stuff to interecept the details they want? After all, Waterstones site did not work properly: I had to log on twice (the first time didn't work) and then when Waterstones site should have passed my logon id and password to Adobe, it failed to do so. I told Waterstones about this before I knew of the fraud but they have not explained the faults.

Well, cloning the 'shop window' should be obvious from the address bar in your browser i.e. it should be https://www.waterstones.co.uk/... and web browsers will alert you if the certificate presented doesn't match the site name; in theory certificate issuers check that the certificate is issued to a bona-fide organisation. There are occasionally fakes sites, but generally they get taken down very, very quickly as most ISP/hosting providers will have nothing to do with them.

The response from Waterstone's suggests that either they have a badly written customer services' script or the organisation has no idea about e-commerce security; SSL does protect the card details while going from your computer to theirs, but the majority of attacks (that I know of) are either by unauthorised users gaining access to their servers (once the card data is on there) or from staff within the organisation.

What I'd expect to see from an organisation that actually knows what they are doing is something like:

"Your card information is protected by SSL encryption whenever it is transmitted over public networks to/from our systems. When it arrives on our systems it is encrypted before storage and securely discarded as soon as we no longer need it to process your order. Once on our system no individual user can retrieve the card number. All our web applications are written to industry best practice (Open Web Application Security Project - OWASP) and all our systems are kept up to date and regularly tested by independent penetration testing companies.

Additionally, we are fully compliant with all parts of the Payment Card Industry Data Security Standard (PCI DSS)."

In practice, I'd guess there are a large number of organisations who can't say most/all of the above - thankfully the credit card industry has to pick up the costs and as such Visa and Mastercard are starting to prevent merchants from trading who are not working towards the above.
 
Top Bottom