Identity theft-anyone else been hit? Anyone know what the "facts" really are? (1 Viewer)

[Chris Bardon]

So I checked my credit card transactions online this morning (as I often do just to keep track of what I'm spending), I noticed three transactions that definitely weren't mine. Long story short-someone got ahold of both my credit card number, expiry date, and home address and phone number. the $800 or so in transactions don't really worry me-the company will charge them back, and I'll get credited, but it's how the guy got my card number that I want to know.

Now I delete any email that looks suspicious, don't open unsolicited attachments, and keep norton and windows up to date. I use my cards online, but any of those transactions have been through a secure connection, and I find it hard to believe that someone has broken RSA. I can't think of what (or how) something could have made it onto my computer without my knowledge. Norton hasn't picked up anything, and it's been a while since I ran ad-aware or anything-could there be something more malicious out there? Any suggestions on how to find it?

It's probably something like one of the businesses I've bought something from online either selling or having their database stolen (i.e. no fault of mine), but it raises some interesting questions. I've seen a lot of paranoia about what people can get from your computer, and am wondering how much of it is really justified. From what I understood, the worst any of this "adware" or "spyware" could do is to track web activity-not actually capture anything that's sent to an encrypted source. I also know that there are scams out there that will put out fake links to sites that ask for CC info (and look legit), but I can't think of any time when I've clicked on one of those either. Anyone have any thoughts as to how my infomation might have gotten out there?

 

[Vince Maskeeper]

Likely internal fraud- most cases are employees getting access to data inside. Also, do you use your cards anywhere offline? I have heard of kids at dept stores or restaurants nicking people's info from the point of purchase. Obvioulsy stolen mail, credit card statements, other records are potential sources.

As far as digital stuff- there are viruses (and hardware) that will steal keystrokes (even if sending to encrypted location, if an app is running on your machine, the keystrokes can be logged).

But I had my stuff stolen a while back, in the Ken Crane's fiasco of a few years ago-- nothing charged, but they gave me new account numbers. In that case it was a database hacked from the outside- but from what I've read the biggest vunerability is on the inside.

-V

 

[Chris Bardon]

I know that key snoopers do exist, but I'm wondering what it actually takes to install some of this stuff. First it was infected exe files, then word and excel macros could deliver viruses, now? What other delivery systems should I be watching out for?

As for offline transactions, I'd expect that in a second except for the fact that they had my shipping address as well as the number. Either someone offline stole the number and did a lot of research, or it was an online database theft. Either way it's a hassle, but like I said, I'm glad I'm not liable for any of it...

 

[Vince Maskeeper]

You mean 513 Fallingbrook Dr?


I assume you have a PO box you use for deliveries & billing aside from your home address?

 

[Chris Bardon]

No PO box, but I suppose that it would be as simple as using a phone directory... Still, I'm assuming laziest common denominator. Had there been more identical entries, it would have been more ambiguous.

Anyhow, you've proven your point, but I still suspect that it's one of the online retailers (probably the ones I bought my mp3 player from) that either got their database stolen, or have someone less than honest working there.

 

[Vince Maskeeper]

Well if Fallingbrook is really your address, it took me 9 second to find it.

 

[Scott L]

Vince, you're scaring me. Now what's mine?

 

[Aaron_*P]

Most identity theft in stores is internal. In theory sending credit card info online is actually safer then over the phone or in the store, as when you send it online its encrypted, over the phone you can tap the line and in the store or a resturant a clerk can just write it down.

However, on a computer there a few main ways to steal credit cards (I am Microsoft Certified, and use my knowledge for SYSTEMS ADMINISTRATION AND SECURITY ONLY, I would NEVER use it for any illegal purpose), the easiest is finding an insecure website and sniffing out packets until you find a credit card, keyloggers are also very popular, easy, and are widely availible to script kiddies and newbies who usually have no idea what there doing.

If you do traditional business over the phone or in a store or even if you call your credit card company and an employee takes down a number, inside jobs are very common, however online many times the other party never sees the credit card company only the payment processor (not always true, but many times).

Also it is highly unrecommended storing this data on your computer if it gives you the option to save it for easy form fill in next time as it is stored in the registry with very weak or no encryption.

Lastly, this is a common issue I deal with so I will address it here, don't get spooked by emails sent to you from your address, it is easy and legal to do and you do not have any identity theft, in fact a nice website for sending emails from any address you want (has many great legitimate uses) is mail.titocell.de.vu.

 

[Francois Caron]

You don't need a computer to steal credit card numbers.

http://www.discount-pos-pricing.com/magnetic/TA48.htm



It's self-contained, fits in your pocket, and can store plenty of credit card numbers including the name and expiration date.

Ever wondered what happens to your credit card in a restaurant when the waiter walks away with it?

As strange as it may seem, on-line transaction processing is much more secure than transactions processed by hand.

 

[Dean Martin]

There is a big article worth reading in this month's Wired magazine regarding Identity theft. Insane as it sounds, there are people that put/copy their driver's licsence on the Internet and that's how a lot of ID theft is done.

The article said that it generally takes an average of 60-70 hours of work by the victim to sort it all out.

 

[Michael*K]

Had my credit card number (actually a bankcard tied to my checking account) lifted twice within two weeks a few years ago. The bank called me the first time and asked why I continued trying to make unauthorized purchases at a mall after I'd drained my bank account. Turns out the bastards went on a spending spree and tried store after store, even after they were rejected. I didn't know who could have gotten the card number, but I was suspicious about a gas purchase I made about five miles from the mall. The next time I got gas, I started watching my bank account and sure enough, within two days, unauthorized charges started showing up again...at the same mall. Turns out that even though I never handed my card to anyone at the gas station (I pay at the pump), the employees can make a printout of all the cardmember names, the account numbers and the expiration dates. Then they can create replacement cards complete with the magnetic strip on the back. The bank insisted that I don't try to take matters into my own hands. They said their fraud department would look into it and let me know what happens. I never heard back from them and they refused to divulge any information on follow-up calls.

 

[Brett DiMichele]

You pick up the phone to call in an order.. Someone is
listening in on your conversation.. BOOM they have the CC
Number and Name..

You go to the store and buy something with the CC and a
person standing behind you memorises your name and pin...
BOOM they have the CC Number and Name..

You go to the store and after checkout the clerk makes a
copy of your name and CC Pin. BOOM they have it...

You go to the store and buy something and the clerk throws
the duplicate receipt in the trash. When the trash goes out
a dumpster diver gets the receipts.. Boom they got it..

You sit at home doing your online shopping over a WIFI...
Someone outside your home is also tapped in.. BOOM they got
it..

You do a transaction over the internet and someone has a
key logging trojan on your PC... Boom they got it..


There are so many ways thieves can get you.. There isn't a
way to be 100% safe aside from not owning plastic at all.

 

[JustinCleveland]

Vince,

What was the Ken Crane's Fiasco?

 

[Vince Maskeeper]

Someone hacked their DB and compromised the numbers. No details were ever really released, but many members of this forum got the same letter from their card issuer, so a process of elimination made it obvious what we all had in common.

-V

 

[Ted Lee]

a lot of this stuff is "inside jobs". there was a big story here about some business that handled a ton of credit card transactions. some employee had whatever code was necessary to pull all the info and was selling the stuff.

i also remember one time, when i was working in my previous job. we were running reports on the as400 system and decided to do a little "poking around". long story short, we came up with a database containing all the customer purchase info, credit card numbers, etc. all we literally had to do was export the file and print - it would have been that easy. the file wasn't even password protected.

also, when i was younger, some friends and i did have a scam going. we had somebody who worked in the restaurant at our local country club. let's just say he tried to be the cashier as often as possible.

so, it was easy back then...i can only imagine it's even easier now.

oh ... did i mention one day i received a sears credit card in the mail. since i know i didn't request one, i knew something was up. before i even had a chance to cancel it, someone had bought some miscellaneous items. luckily sears didn't hold me accountable.

 

[David Norman]

I had a somewhat stranger one recently. I had a an old card which had changed banks a couple years ago and they reissued the card with new numbers, etc. I never called the 800 number to activate the new card and assumed (apparently incorrectly) that the account was either dormant or cancelled. I never received another statement or correspondance from the BankCC since I had a zero balance at the transfer.

A few months ago I get a call at work about 3 charges from the same day -- $500 Amazon, $10 American Diabetes Donation, and some other $10 charge all done online (I'm guessin the smaller charges were just to see if they had access to the card number first before they made the big charge) . Since the account hadn't been used in 18 months, the BankCC Dept. was correctly suspicious and called to check. Of course they cancelled the card and charges, but it was still a scary event. The only place that had access to that number and exp date was the Bank CC Dept and their computer since the new account number had never been used online or offline and I still had the cards stored in a locked safe so it definately was the ultimate inside job.

 

[Chris Bardon]

Well, I can tell you from having worked in a bank that there are a lot of people that can access client data. I spent 8 months as a CSO for Mastercard, and at that point had access to every credit card number and other relevant piece of client data that we had. It would have been pretty easy to steal a few numbers here and there, and I heard of more than one occasion where this happened. Let's face it-a lot of people are dishonest by nature, and will take advantage of things like this. Fortunately however, a lot of them are stupid as well. One example I've heard of was someone using a stolen card number to order magazine subscriptions...to their own address.

 

[Cees Alons]

My bank now has a new service they call e-Wallet. It consists of a tiny program on your PC, that contacts the bank and generates a unique creditcardnumber and safetycode for each transaction (and that amount only). Of course, the bank maps the transaction to my real cc.

To your on-line retailer service it will test OK, but it cannot be stolen, because it will refuse the transaction the next time (and if the parameters don't match, e.g. another amount). I don't know more details, but it seems a terribly safe system to me.

Note that illegal use of the number also points to the retailer for this transaction (let's say: who it was stolen from)!

Familiar to anyone?


Cees

 

[David Norman]

MBNA has a program for its CC called ShopSafe that's pretty neat for on-line or phone purchases. You can generate a unique number linked to the master account for a onetime purchase, monthly drafts, or up to a year with it's own Credit Limit, but each number is only good for One Store -- I use it for Sat TV account, my normal DVD store, Paypal, Amazon, LandsEnd, etc -- I think at one time I had up to 14 different active numbers. I guess you could use it at a B&M store, but I bet they would balk if you just read them an account number/exp date in person though the stores do it over the phone all the time.

 

[JonSpice]

One thing I would like to add, only the DVDs I buy online, all the rest I use a corded phone. I look for their W.A.T.S. (Wide Area Telephone Service) a free call for you but a collect call from whom your ordering. A safe way as long as you don't use a cell or a home wireless phone that hackers listen to, while your changing channels to get a line that isn't being used!