Unexpected fraud on card

Just yesterday, AMEX sent me an email stating they are sending my replacement Blue Cash card to my alternate address.

1. I have not used this card in the last 12 months (not travelling anymore).

2. I don't have an alternate address.

3. My card was not lost.

So I called and stopped the replacement and closed my account as I don't need it anymore.

Go figure!!
 
Guilty of both Paranoia and the use of Schwab Debit Cards for ATMs in Europe.

Our solution - we set the Debit card limit to $0.01 and use only the ATMs.

Agree that Schwab would reimburse us for any fraudulent transactions, but since we prefer the credit card fraud handling, we converted the Schwab card to ATM only.

I have a Schwab debit card, which is GREAT for getting cash out of ATMs when travelling.

I limit my exposure by only keeping $2,000 in that account, until we travel and then I add an extra $2,000 for the trip time. Later I pull the remaining extra out once the trip is over.

Mostly I use CC when traveling, but access to cash is still needed.

I will look into the limit setting.
 
The last time we had a US card cloned was in 2013, 4 months into a European trip and the fraud person then told us it was common to wait several months before using a cloned card. 15 months since we last used this card but still likely to have been that last time we used it as it has only ever been used at an ATM. Since the only financial institution that has the card details is our bank then it is not beyond the realms of possibility that it is an inside job.

Possibly it was stolen from you recently in the UK, using an RFID scanner, if you keep the card in your wallet when in the UK
 
Just yesterday, AMEX sent me an email stating they are sending my replacement Blue Cash card to my alternate address.



1. I have not used this card in the last 12 months (not travelling anymore).



2. I don't have an alternate address.



3. My card was not lost.



So I called and stopped the replacement and closed my account as I don't need it anymore.



Go figure!!
You may be concerned if you are a victim of identity theft. Obviously someone had enough knowledge of your personal information to pass the verification process at AMEX in order for them to have made the request. You should do a free credit check to be sure there isn't any new credit in your name and being sent to your alternative address. I had this happen many years ago with Discover, their investigation determined there were internal irregularities, e.g. an inside job.
 
Possibly it was stolen from you recently in the UK, using an RFID scanner, if you keep the card in your wallet when in the UK

My US debit card NEVER leaves the house except when I travel to the USA where I only ever use it to withdraw cash from an ATM. The last time it was used was in September 2017 in Texas. As I said in my OP the unexpected part of the fraud to me is that it has taken about 16 months since the card was last exposed to the outside world for it to be cloned and used.
 
My US debit card NEVER leaves the house except when I travel to the USA where I only ever use it to withdraw cash from an ATM. The last time it was used was in September 2017 in Texas. As I said in my OP the unexpected part of the fraud to me is that it has taken about 16 months since the card was last exposed to the outside world for it to be cloned and used.

Have you always only used it at ATMs, or did you use it for payment at some point, even years ago?
 
Possibly it was stolen from you recently in the UK, using an RFID scanner, if you keep the card in your wallet when in the UK



At AAA store I purchased RFID blocker envelopes for my credit and debit cards. Also for my passport. DH and DS got RFID blocking wallets for Christmas. That’s a solvable problem.
 
Have you always only used it at ATMs, or did you use it for payment at some point, even years ago?

Nope, we opened our US HSBC account from the UK in 2016 and at that time got a US credit card and this debit card from them. The US credit card is useful as there are no foreign transaction fees and we use it when traveling in Europe as well as traveling in the USA. Incidentally it is also contactless and I do carry it around with me in the UK as well, as a backup in case my UK credit card is ever blocked. I also have a UK debit card which only leaves the house, like today, when I want to get £s from an ATM.

We will be traveling to the USA end of February which will be the next time I use it, to get cash in $s.

I’ve had credit cards compromised 4 times, including one that was cloned, while living in the USA so am more than familiar with the process on getting the charges reversed but this latest incident is just plain weird. I’ve also had a credit freeze in place for many years now.
 
Nope, we opened our US HSBC account from the UK in 2016 and at that time got a US credit card and this debit card from them. The US credit card is useful as there are no foreign transaction fees and we use it when traveling in Europe as well as traveling in the USA. Incidentally it is also contactless and I do carry it around with me in the UK as well, as a backup in case my UK credit card is ever blocked. I also have a UK debit card which only leaves the house, like today, when I want to get £s from an ATM.

We will be traveling to the USA end of February which will be the next time I use it, to get cash in $s.

I’ve had credit cards compromised 4 times, including one that was cloned, while living in the USA so am more than familiar with the process on getting the charges reversed but this latest incident is just plain weird. I’ve also had a credit freeze in place for many years now.
So, your debit card was compromised, and you only use it at ATMs? Yikes. Those transactions are managed directly by the bank, not through third party processors, right? If so, that sure narrows the list of possibilities. Either an ATM was compromised, the bank is compromised, or there are some shenanigans going on with the bank. Hard to see identity theft as a possibility when your credit is frozen.
 
So, your debit card was compromised, and you only use it at ATMs? Yikes. Those transactions are managed directly by the bank, not through third party processors, right? If so, that sure narrows the list of possibilities. Either an ATM was compromised, the bank is compromised, or there are some shenanigans going on with the bank. Hard to see identity theft as a possibility when your credit is frozen.

Yeah - this makes me queasy if it was never used to buy gas or some other point of sale type transaction. Compromised ATM or compromised bank.....
 
So, your debit card was compromised, and you only use it at ATMs? Yikes. Those transactions are managed directly by the bank, not through third party processors, right? If so, that sure narrows the list of possibilities. Either an ATM was compromised, the bank is compromised, or there are some shenanigans going on with the bank. Hard to see identity theft as a possibility when your credit is frozen.

I thought there was a way for bad actors to generate credit/debit card numbers without actually stealing someone's card data from the actual card.
 
My US debit card NEVER leaves the house except when I travel to the USA where I only ever use it to withdraw cash from an ATM. The last time it was used was in September 2017 in Texas. As I said in my OP the unexpected part of the fraud to me is that it has taken about 16 months since the card was last exposed to the outside world for it to be cloned and used.

I guess you have higher standards about thieves than I.
To me they are not the hardest working individuals, some are pretty lazy, looking for the easy way, so to be slack at the timing is not much of a surprise.

Maybe they had to do some time in jail before getting back to their bank fraud work :LOL:

I have certainly heard of compromised ATMs, they use a tiny camera to record the PIN.
I only use ATMs inside banks (here in USA) as it's harder but not impossible for an ATM to be compromised inside the bank.
When traveling I try to use an inside one, or at least a busy outside one (Barcelona).
 
With a contactless card you don't need a PIN to do transactions up to $50 so the small camera must have seen my card before I inserted it into the slot or there was a bar code scanner on top of the ATM keyboard that I hadn't seen. (I assume that in the USA the cards are not 100% PIN and still have an easily readable magnetic strip)

I always cover the keypad with my hand when entering my PIN at an ATM.

I don't know how contactless cards for buying stuff work in the USA but they are very common in the UK, both debit and credit. The limit in the UK is £30 and if you buy 10 items using contactless (for our bank) it won't let you buy any more without using your PIN. (All credit cards are CHIP and PIN here). This limits the bank's exposure to no more than £300 of fraudulent transactions as contactless payments have the same protections as other purchases.

Pay by phone is everywhere that pay by contactless card is offered so I always pay by phone as I prefer the more secure protocol and fingerprint or face recognition when paying. If my card is stolen anyone can use it for contactless payments but if my phone is stolen they would need my fingerprint or 8 character PIN to access the phone.
 
I thought there was a way for bad actors to generate credit/debit card numbers without actually stealing someone's card data from the actual card.

There probably is, but the fraud alert I received was for the number on my debit card, which is unique and different to my bank account number.
 
With a contactless card you don't need a PIN to do transactions up to $50 so the small camera must have seen my card before I inserted it into the slot or there was a bar code scanner on top of the ATM keyboard that I hadn't seen. (I assume that in the USA the cards are not 100% PIN and still have an easily readable magnetic strip)

I always cover the keypad with my hand when entering my PIN at an ATM.

I don't know how contactless cards for buying stuff work in the USA but they are very common in the UK, both debit and credit. The limit in the UK is £30 and if you buy 10 items using contactless (for our bank) it won't let you buy any more without using your PIN. (All credit cards are CHIP and PIN here). This limits the bank's exposure to no more than £300 of fraudulent transactions as contactless payments have the same protections as other purchases.

Pay by phone is everywhere that pay by contactless card is offered so I always pay by phone as I prefer the more secure protocol and fingerprint or face recognition when paying. If my card is stolen anyone can use it for contactless payments but if my phone is stolen they would need my fingerprint or 8 character PIN to access the phone.
I think a camera is used by thieves to try to capture the entering of the PIN, in conjunction with a skimmer to grab the card info.

I used to turn off or severely limit my debit/ATM card use from point-of-sale terminals.
 
There probably is, but the fraud alert I received was for the number on my debit card, which is unique and different to my bank account number.

Please re-read what I wrote.

I said that I think there are ways for scammers to generate the number on your debit card, not your bank account number.

I think it is less common than the other forms of debit card number theft, but I thought it existed.

In other words, you may have done nothing wrong and may have never had your debit card number taken from your card. They just generated numbers that passed the validity checks, and tried them until they hit one that worked, and it happened to be yours.
 
Please re-read what I wrote.

I said that I think there are ways for scammers to generate the number on your debit card, not your bank account number.

I think it is less common than the other forms of debit card number theft, but I thought it existed.

In other words, you may have done nothing wrong and may have never had your debit card number taken from your card. They just generated numbers that passed the validity checks, and tried them until they hit one that worked, and it happened to be yours.

Wow.
Pretty impressive to get an exact match of that very long number on my debit card. I certainly didn’t realize such mechanisms existed.
 
Alan,

You are correct your situation is a weird one - and I agree with the posters that there may be some shenanigans at the bank. SecondCor is right, too, in that someone could just set up a program to run through a series of numbers and hit the jackpot, so to speak.

With regard to contact-less, I have not been a big proponent of that, however, I know that in many places overseas, you don't have much choice but to use the technology deployed. I had lived in Europe before the US had the chip/pin cards and had all my banking cards converted over to chip/pin early. However, unfortunately in the USA, most vendors and banks have not opted for the PIN portion of that technology, so it is not as safe as it could be.

I like how in Europe the merchant brings the card reader to you (especially in a restaurant), you watch them key in the amount, they hand it to you, you type in the PIN and then the receipt is printed. It's all fairly transparent and the card is not out of your possession and/or sight.

With regard to ATMs, I am like the poster here who uses it when traveling overseas for cash. I find that more convenient than using a credit card all the time. I only use the debit card to take out cash (US and foreign) and not for anything else.

In any case, I hope you are able to find out what happened and an early welcome back on your trip to America!!!
 
Alan,

You are correct your situation is a weird one - and I agree with the posters that there may be some shenanigans at the bank. SecondCor is right, too, in that someone could just set up a program to run through a series of numbers and hit the jackpot, so to speak.

With regard to contact-less, I have not been a big proponent of that, however, I know that in many places overseas, you don't have much choice but to use the technology deployed. I had lived in Europe before the US had the chip/pin cards and had all my banking cards converted over to chip/pin early. However, unfortunately in the USA, most vendors and banks have not opted for the PIN portion of that technology, so it is not as safe as it could be.

I like how in Europe the merchant brings the card reader to you (especially in a restaurant), you watch them key in the amount, they hand it to you, you type in the PIN and then the receipt is printed. It's all fairly transparent and the card is not out of your possession and/or sight.

With regard to ATMs, I am like the poster here who uses it when traveling overseas for cash. I find that more convenient than using a credit card all the time. I only use the debit card to take out cash (US and foreign) and not for anything else.

In any case, I hope you are able to find out what happened and an early welcome back on your trip to America!!!

Thank you. We are looking forward to our trip.
 
Make sure to put a Lock (Freeze if possible) on all 3 credit bureaus just in case someone tries to open a new account under your name.
 
So the thing I wonder about with a fraudulently cloned debit card is whether that allowed them to bypass the PIN.

When I use Apple Pay abroad, I don’t have to key in any PIN but if it’s above a certain amount, I will have to sign for the transaction.

Otherwise, the merchant isn’t even getting my true credit card number.

I haven’t tried using a debit card with Apple Pay, just credit cards.

So if they stole the debit card number, maybe they didn’t necessarily have the PIN for that card but with a low enough transaction, they wouldn’t have to provide a PIN?
 
Make sure to put a Lock (Freeze if possible) on all 3 credit bureaus just in case someone tries to open a new account under your name.

Thanks. I did that years ago.
 
So the thing I wonder about with a fraudulently cloned debit card is whether that allowed them to bypass the PIN.

When I use Apple Pay abroad, I don’t have to key in any PIN but if it’s above a certain amount, I will have to sign for the transaction.

Otherwise, the merchant isn’t even getting my true credit card number.

I haven’t tried using a debit card with Apple Pay, just credit cards.

So if they stole the debit card number, maybe they didn’t necessarily have the PIN for that card but with a low enough transaction, they wouldn’t have to provide a PIN?

Contactless cards don’t require use of the PIN, that is why they are limited to $50 max per contactless transaction. More than that requires the PIN. I use Apple Pay and never use any card as contactless. My credit card is set up with my Apple Pay.
 
I worked in banking years ago and while I can't remember the specifics now, the first four digits of a *credit card* signified Visa/MC/Discover, etc, the second four signified something else that escapes me at the moment, the third four signified your banking institution (each institution had its own number), and the final four ARE completely random. At least, that's how it was done about 15 years ago. Also, I may have confused the second and third set, but all four numbers were not random (back then). I do think that when I left the industry, they had moved to the last six being random, so the institution's number may have changed somewhat to accommodate that. Also, we didn't have the 3-digit code on the back at that point in time, either.

Debit card numbers were somewhat similar in structure, but back then, they were only ATM cards.

As for how OP's number was compromised, it could be a program, as others have suggested, or the place where the revolving charge (a charity, I think it was?) could have been hacked, releasing those numbers.

I remember a story out of Canada a couple of years ago where one guy kept getting his number stolen and the bank didn't understand what was going on. They sent his card overnight and there were charges on it before he even got it. Then, the bank manager hand delivered it to him "hot off the press" so to speak, and there were charges on it. Turns out, an investigation revealed some hacker had discovered that institution's number-generating code and got the numbers randomly. Something like that. I was floored.

All in all, there is just no telling how these crooks get our numbers anymore. :(


Edited to add link:
Here is the link on the story I mentioned above. It's called "sequencing fraud" and is from 2015.

"Sequencing Fraud on 9 CIBC Visa Cards Like 'Groundhog Day' for Ottawa Man"

Fraudsters have technology to compromise both card numbers and 3-digit security codes, expert says. https://www.cbc.ca/news/canada/sequ...s-like-groundhog-day-for-ottawa-man-1.2989611

I've not posted a link before so let me know if I need to make changes to this post. I tried to give some info but I'm not sure if I did it right.
 
I worked in banking years ago and while I can't remember the specifics now, the first four digits of a *credit card* signified Visa/MC/Discover, etc, the second four signified something else that escapes me at the moment, the third four signified your banking institution (each institution had its own number), and the final four ARE completely random. At least, that's how it was done about 15 years ago. Also, I may have confused the second and third set, but all four numbers were not random (back then). I do think that when I left the industry, they had moved to the last six being random, so the institution's number may have changed somewhat to accommodate that. Also, we didn't have the 3-digit code on the back at that point in time, either.

Debit card numbers were somewhat similar in structure, but back then, they were only ATM cards.

As for how OP's number was compromised, it could be a program, as others have suggested, or the place where the revolving charge (a charity, I think it was?) could have been hacked, releasing those numbers.

I remember a story out of Canada a couple of years ago where one guy kept getting his number stolen and the bank didn't understand what was going on. They sent his card overnight and there were charges on it before he even got it. Then, the bank manager hand delivered it to him "hot off the press" so to speak, and there were charges on it. Turns out, an investigation revealed some hacker had discovered that institution's number-generating code and got the numbers randomly. Something like that. I was floored.

All in all, there is just no telling how these crooks get our numbers anymore. :(


Edited to add link:
Here is the link on the story I mentioned above. It's called "sequencing fraud" and is from 2015.

"Sequencing Fraud on 9 CIBC Visa Cards Like 'Groundhog Day' for Ottawa Man"

Fraudsters have technology to compromise both card numbers and 3-digit security codes, expert says. https://www.cbc.ca/news/canada/sequ...s-like-groundhog-day-for-ottawa-man-1.2989611

I've not posted a link before so let me know if I need to make changes to this post. I tried to give some info but I'm not sure if I did it right.

Really interesting story... link worked fine
 