Penfed fraud detection, or lack of it

[Alan]

We are traveling in Europe and Penfed has a pretty neat on-site method of reporting when you are going to be away. For international travel it asks that you list the countries you will be visiting as well as the dates that you will be out of the USA. This I did, and have not been checking my Penfed CC account very often as I'm not using it, using my UK bank card instead.

I checked today to find a balance of over $19k (my typical balance at month end when in the USA is ~$2k). Looking at the details I see that it has been used extensively this last 4 days at brick and mortar stores in New York and Georgia, most purchases being many hundreds of $. In talking with Penfed they say it sounds like the card was swiped some months ago and duplicate(s) made. I now have 33 disputed charges to deal with, affidavits to sign etc while traveling abroad. (off to France in 3 days where I won't even have easy access to internet for 3 weeks).

My biggest gripe however is why their fraud detection systems didn't notice either an unusual pattern of buying, or the fact that my account is flagged as us being out of the country during the period when $19k worth of purchases are run up in 4 days in physical locations where I have said I will not be.

I wonder if the USA will ever switch to CHIP and PIN for their cards like Europe or if the cost is just too high for the industry. With CHIP and PIN, not only do you have to enter a PIN for every purchase, your card never leaves your possession because even at a restaurant the server brings a device to your table.

When we get back to the USA I think I am going to try and carry enough cash at restaurants so that the card never leaves my possession. More fool me, I should have started doing this after my card was electronically stolen the last time....

 

[Meadbh]

I wonder if the USA will ever switch to CHIP and PIN for their cards like Europe or if the cost is just too high for the industry. With CHIP and PIN, not only do you have to enter a PIN for every purchase, your card never leaves your possession because even at a restaurant the server brings a device to your table.

Alan, I am so sorry to hear about this fraud. It's stressful at any time, but particularly when you are out of the country. I hope it is quickly resolved.

We have had CHIP and PIN cards in Canada for several years and most restaurants have the point of sale devices. Recently I had an interesting problem: I went to fill up the tank at an unfamiliar gas station and punched in the wrong PIN three times....and you're out! I was able to pay by taking my credit card to the cashier. The following day I flew to the US. I bought breakfast at the airport, only to discover that my credit card was frozen. When I called the toll free number I was informed that I would have to visit a branch of the bank to reset it. It was too late to do that, but since I was going to the US, I was able to use the card over the next two weeks and reset the PIN when I came home. It's lucky I wasn't a thief!

With regard to notifying the financial institution that you will be away, I think this is mostly CYA and unfortunately they do not always act on the information they receive. I have had my card frozen in Paris for unusual activity (!) and later in Saudi Arabia, even though I notified them exactly when and where I was going.

 

[JoeWras]

We are traveling in Europe and Penfed has a pretty neat on-site method of reporting when you are going to be away. For international travel it asks that you list the countries you will be visiting as well as the dates that you will be out of the USA. This I did, and have not been checking my Penfed CC account very often as I'm not using it, using my UK bank card instead.

So... One has to wonder if your indication of being away is the actual cause of the fraud. I know that sounds sinister. But consider if there is an insider who sells the info. Perhaps the scammers think it might be easier to get away with it while you are away because they know you won't check as much?

Just wondering. I'm probably wrong.

 

[REWahoo]

The fact PenFed did such a poor job detecting the fraud (as in entirely missed it) is disconcerting. I thought they were better than that.

When we get back to the USA I think I am going to try and carry enough cash at restaurants so that the card never leaves my possession.

I doubt that will help all that much. I've been the victim of CC fraud three times in recent years (twice at PenFed, once at USAA) and each appeared to be a case of electronic theft.

 

[Alan]

So... One has to wonder if your indication of being away is the actual cause of the fraud. I know that sounds sinister. But consider if there is an insider who sells the info. Perhaps the scammers think it might be easier to get away with it while you are away because they know you won't check as much?

Just wondering. I'm probably wrong.

Possibly, but in looking at the transactions the first group were in stores in Brookland, NYC and another city or area in NYC. The next group were in Atlanta, Georgia.

We stayed overnight in New York at the end of March before we flew out so I'm thinking the card was swiped at the airport or the details noted by the take-out restaurant we ordered our food from. (they didn't have the card in their possession but had all the info from my phoned-in order)

 

[Alan]

Mead,

I noticed that when we were in Canada a couple of years ago that when we used our Penfed card in a restaurant that they brought the device to the table and were able to swipe the card. The devices in the UK also support swipe as well as PIN so the cost to US businesses is actually quite small to provide POS payment without taking your card away.

It also amazes me to think that stores like Target were accepting the fake card for purchases over $1,000. I guess then that the thieves had fake id to show, unless they know that Target never ask for id for big purchases.

 

[gauss]

Sorry to hear about your experience.

FWIW my experience (the opposite is described below)

I recently traveled in Canada with a PenFed Chip enabled card. I went to an automated gas pump to verify that the PIN was what I thought it was. It did not prompt me for a PIN so I cancelled the transaction.

Later when I tried to check into the Hotel, the PenFed card was declined. When I spoke to PenFed, it appeared that the gas transaction may have triggered the fraud system. I may have forgotten to put the travel alert on the account in that it was only a two day trip and we live in a US-Canada border town.

-gauss

 

[haha]

When we get back to the USA I think I am going to try and carry enough cash at restaurants so that the card never leaves my possession. More fool me, I should have started doing this after my card was electronically stolen the last time....

Sorry about your bad luck Alan. I also have begun doing what you now do, even though I have not had any bad charges. Using cash can be entertaining sometimes- a few days ago I put down a $20 for a $12 check; the cheeky waitress said -You want any change?

Cute as you are Lollipop, I think I must have some change.

Ha

 

[gauss]

I think EMV cards (ie Chip enabled) will become the norm in 2016 or so in the USA with VISA's change in policy that merchants would be liable for fraud on transactions that are accepted without EMV equipment.

-gauss

 

[Alan]

I also had the opposite experience with Penfed back in 2009. They called me one afternoon and asked if I had just made a purchase for electronic equipment on-line at a cost of ~$300. I said no, confirmed the 2 purchases I had made that day and they cancelled the card.

That is why this time it is so frustrating. How can they be so on the ball then, and fail to spot it this time?

 

[Alan]

I think EMV cards (ie Chip enabled) will become the norm in 2016 or so in the USA with VISA's change in policy that merchants would be liable for fraud on transactions that are accepted without EMV equipment.

-gauss

Excellent - I had not heard that.


However, aren't merchants liable now? Target are going to be out over $10k on this fraud alone, with $9k spread over several other merchants who accepted a fake card.

 

[MichaelB]

Excellent - I had not heard that.


However, aren't merchants liable now? Target are going to be out over $10k on this fraud alone, with $9k spread over several other merchants who accepted a fake card.

Merchants are liable. Are they going to ship you a new card?

 

[Alan]

Merchants are liable. Are they going to ship you a new card?

They will ship a new card to my address in the US, which our son will collect for us, but we don't need it as we always travel with a spare for occasions like this. We also have a card that never leaves the house which is used for all the automated payments.

 

[MichaelB]

They will ship a new card to my address in the US, which our son will collect for us, but we don't need it as we always travel with a spare for occasions like this. We also have a card that never leaves the house which is used for all the automated payments.

Smart idea to have a card just for the monthly bill pay.

 

[Alan]

Smart idea to have a card just for the monthly bill pay.

Yeah I got that idea 2 fraud's ago

 

[Sarah in SC]

Bummer, in a big way. That has got to be nerve-wracking. And good thing you carry a few backups. Us too.

Thanks for the reminder--I went through that endless online dealie at PenFed to register our new card (we just had the last one cancelled a few months ago--fraud that they detected) for travel. They only allow something like 10 countries, so I had to improvise.

Now that I think about it...I have a fair number of cards, say 10 atm. And I've gotten chip and pin for about 4 of them in prep for our trip, using them some to make sure they work. It is only the Penfed that I've experienced fraud with, this last being the 4th time in the 5 years or so I've been with them. Hmmm, why don't my Chase and Citi cards have the same problems?

Oh, and just checking--did this happen with the new Penfed that has the chip and pin?

 

[Chuckanut]

I am sorry to hear about your problems. Thankfully with a real credit card you have plenty of legal protection.

The lack of pin and chip is beginning to be annoying when overseas. Recently, I had my card identified as being from France and the payment device insisted I go through the authorization process in French. Thankfully, the clerk was there to help me. But, I did find myself trying to get a train ticket from an overseas automated machine where there where was no human ticket window. My card would not work though the cards of others did. No Chippy, No Ticky! Fortunately, I had enough cash and found a machine that would take native currency. How quaint.

 

[gauss]

EMV Liability Shift - USA Visa

Here is one reference to the upcoming "liability shift" in the USA to encourage EMV adoption. Visa Announces Plans to Accelerate Chip Migration and Adoption of Mobile Payments

Establish a Counterfeit Fraud Liability Shift
Visa intends to institute a U.S. liability shift for domestic and cross-border counterfeit card-present point-of-sale (POS) transactions, effective October 1, 2015. Fuel-selling merchants will have an additional two years, until October 1, 2017 before a liability shift takes effect for transactions generated from automated fuel dispensers. Currently, POS counterfeit fraud is largely absorbed by card issuers. With the liability shift, if a contact chip card is presented to a merchant that has not adopted, at minimum, contact chip terminals, liability for counterfeit fraud may shift to the merchant's acquirer. The liability shift encourages chip adoption since any chip-on-chip transaction (chip card read by a chip terminal) provides the dynamic authentication data that helps to better protect all parties. The U.S. is the only country in the world that has not committed to either a domestic or cross-border liability shift associated with chip payments.

 

[Alan]

Oh, and just checking--did this happen with the new Penfed that has the chip and pin?

I didn't even know that Penfed offer a CHIP and PIN card. Is this the new deal, or do you have to request one, even if it didn't work as CHIP and CHIP in the USA I wonder if it is harder to copy with a scanner as it apparently has with mine.

 

[Alan]

Gauss, thanks for that link, very interesting.

Chuckanut, I've had similar issues to those you describe, but these days I have my UK CHIP and PIN card that I can use in Europe.

 

[gauss]

PenFed chip enabled cards are available by request.

I requested one via the web site,after logged in, where there is a link to this.

Mine had snafu's in that the PIN I selected during the request was different than the PIN that was sent to me in the mail. I hope they have this straightened out by now. Had no obvious way in the USA to verify which PIN was encoded into the chip when manufactured.

-gauss

 

[Sarah in SC]

You have to request it, but I saw the offer on their website. I've been scanning for these i in my "fleet" whenever possible, just because I knew they'd be easier to use overseas.
When they canceled and reissued the last time, I made sure when I talked to them that the replacement would also be chip and pin.
My new Marriott rewards from Chase and my Sapphire are chip and pin as well.

 

[martyb]

My federal credit union has been really good about this issue. In fact, they called me this morning concerning what they thought might be a questionable charge for $29.99 from a company in Germany. It turned out to be a computer anti-virus company that was attempting to auto-renew because I purchased the software a year ago & it's time to renew. I don't remember giving them permission to auto-renew, but maybe I did. The company is Avira. Anyhow, my FCU has alerted on several occasions over the years. I feel like they're on the job for me.

 

[Alan]

Thanks for the tip on the CHIP and PIN from Penfed, I've ordered my new card to be that.

 

[comicbookgujy]

For the past 6 years, my BOFA Debit card has been "hacked" by someone in Asia at least once a year and they usually purchase Apple Product in Taiwan.

I try to keep my BOFA balance as low as possible since BOFA seem to have a bad security system. Only reason why I haven't closed the account is because BOFA ATM is everywhere