19
Jan 15

How Was Your Credit Card Stolen?

Almost once a week, I receive an email from a reader who has suffered credit card fraud and is seeking help figuring out which hacked merchant was responsible. I generally reply that this is a fruitless pursuit, and instead encourage readers to keep a close eye on their card statements and report any fraud. But it occurred to me recently that I’ve never published a primer on the types of card fraud and the likelihood with each of the cardholder ever learning how their account was compromised. This post is an effort to remedy that.

The card associations (Visa, MasterCard, et al.) very often know which merchant was compromised before even the banks or the merchant itself does. But they rarely tell banks which merchant got hacked. Rather, in response to a breach, the card associations will send each affected bank a list of card numbers that were compromised.

The bank may be able to work backwards from that list to the breached merchant if the merchant in question is not one that a majority of their cardholders shop at in a given month anyway. However, in the cases where banks do know which merchant caused a card to be compromised and/or replaced, the banks rarely share that information with their customers.

Here’s a look at some of the most common forms of credit card fraud:

Hacked main street merchant, restaurant:
Most often powered by malicious software installed on point-of-sale devices remotely.

Distinguishing characteristic: Most common and costly source of card fraud. Losses are high because crooks can take the information and produce counterfeit cards that can be used in big box stores to buy gift cards and/or expensive goods that can be easily resold for cash.

Chances of consumer learning source of fraud: Low, depending on customer card usage.

Processor breach:
A network compromise at a company that processes transactions between credit card issuing banks and merchant banks.

Distinguishing characteristic: High volume of card accounts can be stolen in a very short time.

Chances of consumer learning source of fraud: Virtually nil. Processor breaches are rare compared to retail break-ins, but it’s also difficult for banks to trace back fraud on a card to a processor. Card associations/banks generally don’t tell consumers when they do know.

Hacked point-of-sale service company/vendor:

Distinguishing characteristic: Can be time-consuming for banks and card associations to determine vendor responsible. Fraud is generally localized to a specific town or geographic region served by vendor.

Chances of consumer learning source of fraud: Low, given that compromised point-of-sale service company or vendor does not have a direct relationship with the card holder or issuing bank.

Hacked E-commerce Merchant:
A database or Web site compromise at an online merchant.

Distinguishing characteristic: Results in online fraud. Consumer likely to learn about fraud from monthly statement, incorrectly attribute fraud to merchant where unauthorized transaction occurred. Bank customer service representatives are trained not to give out information about the breached online merchant, or address information associated with the fraudulent order.

Chances of consumer learning source of fraud: Nil to low.

A Bluetooth enabled gas pump skimmer lets thieves retrieve stolen card and PIN data wirelessly while they gas up.

ATM or Gas Pump Skimmer:
Thieves attach physical fraud devices to ATMs and pumps to steal card numbers and PINs. For more on skimmers, see my All About Skimmers series.

Distinguishing characteristic: Fraud can take many months to figure out. Often tied to gang activity.

Chances of consumer learning source of fraud: High. Bank should disclose to cardholder the source of the fraud and replace stolen funds.

Crooked employee:
Uses hidden or handheld device to copy card for later counterfeiting.

Distinguishing characteristic: Most frequently committed by restaurant workers. Often tied to local crime rings, or seasonal and transient workers.

Chances of consumer learning source of fraud: Nil to low.

Lost/Stolen card:

Distinguishing characteristic: The smallest source of fraud on cards. Consumer generally knows immediately or is alerted by bank to suspicious transactions, which often involve small test transactions to see if the card is still active — such as at automated gas station pumps.

Chances of consumer learning source of fraud: High.

Malware on Consumer PC:

Distinguishing characteristic: Malicious software that hooks into the victim’s browser, and records all data submitted into Web site forms, including credit card information. Leads to authorized online charges.

Chances of consumer learning source of fraud: Discovering the infection? Fairly good. Definitively tying card-not-present card fraud to a malware infection? Very low.

Physical record theft:
Merchant, government agency or some other entity charged with storing and protecting card data improperly disposes of card account records.

Distinguishing characteristic: Usually not high-volume. Less common form of fraud than it used to be.

Chances of consumer learning source of fraud: Nil to low.

I hope it’s clear from the above that most consumers are unlikely to discover the true source or reason for any card fraud. It’s far more important for cardholders to keep a close eye on their statements for unauthorized charges, and to report that activity as quickly as possible.

92 comments

  1. I had been told that AMEX will in fact tell you the name of the merchant who had compromised the data – perhaps because these are directly issued by AMEX and not a local bank.

    My “solution” is simpler. If EMV or NFC is not available, use cash. This won’t work 100% of the time (i.e. paying for fuel), but each cash transaction is one less opportunity for the bad guys to get my card number.

    • @Eric… You are correct. Using cash absolutely eliminates that opportunity. However, I am old enough to remember the days when banks, police departments, merchants, restaurants, etc… all encouraged the use of plastic money to prevent one from being mugged, robbed, rolled, whatever you want to call it.

      I once calculated how many convenience stores one would need to rob to equal the amount of money Rupert Murdoch stole from his investors. At an average take of $125.00 per store I think it was 117 million stores had to be robbed.

      The point is people have lost far more money dealing with plastic but your personal risk of assault goes up with the amount of cash one carries. Odds vary dependent on one’s immediate environment of course. Behave accordingly and be safe.

    • My solution is to have one “primary” credit card that I use for “relatively” secure transactions for monthly charges and the like and then have 2 or more “disposable” credit cards to use around town. I don’t use those credit cards for anything other than “risky” transactions. If one of those cards gets compromised, I just switch to another card while the compromised card gets replaced.

      This way, I don’t have the headache of having regularly scheduled transactions having to be updated over and over while still being able to use a credit card everywhere.

      This has seemed to work well lately. I just got a notice that one of my “disposable” cards was being replaced due to some sort of breach. My reaction was “meh, check transactions on that account and start using the other card. No big deal.”

      • @JeffG… this is exactly the method that I have settled on.

        It is the best, most rational approach, in my opinion and after the previous round of card replacements (from the Target breach in late 2013), I switched everything up to this approach and it is much less hassle to deal with.

        When I had a card compromised by the Home Depot breach, I ended up having to use an alternate card for about 48 hours until a replacement was overnighted to me from the bank issuing my primary card.

        Recurring, automatic billing transactions – which is where the real hassle of card replacement comes from – were unaffected.

  2. Many credit card accounts can be set to send email or text message alerts in real time whenever a transaction above a certain amount of your choice takes place. Or, you may be able to get daily text messages with your balance and transaction history. A little late but I find this very helpful after being a victim of the Target breach.

    • Yes, I use that now too. We only have debit cards, no credit cards. But we use them like credit cards. I have mine set to $0. So all outgoing transactions generate an email. It is a bit of a pain at the beginning of month when monthly bills come in, but if something occurs that neither my wife or I recognize, I can be on it pretty quickly.

      • “We only have debit cards, no credit cards. ” Debit cards are “keys” to your checking account. A stolen debit can result in a drained checking account.
        Source: http://krebsonsecurity.com/2014/09/in-wake-of-confirmed-breach-at-home-depot-banks-see-spike-in-pin-debit-card-fraud/
        “But if the crooks who buy stolen debit cards also are able to change the PIN on those accounts, the fabricated debit cards can then be used to withdraw cash from ATMs.” “KrebsOnSecurity also heard from an employee at a much larger bank on the West Coast that lost more than $300,000 in two hours today to PIN fraud on multiple debit cards that had all been used recently at Home Depot. ”
        Source: http://krebsonsecurity.com/2013/12/sources-target-investigating-data-breach
        There are 620 comments in this story. Search on “debit card” for the horror stories.

        A credit card has no access to your checking account. The only way the bank controlling your credit card gets your money is if you send a payment to the bank. You can contest illegal transactions in your credit card account without any loss of cash from your checking account.

    • I also have set “alerts” on my Chase cards for any transaction above $3. For some reason, purchases at gas stations never show up, but all others, including automated, recurring monthly charges, do. Nice to have as an early warning system to help detect fraud and keep track of my wife’s vacation binges. :)

  3. Hi Brian, Thanks for this explanation.

    One additional thought:

    You said: “It’s far more important for cardholders to keep a close eye on their statements for unauthorized charges, and to report that activity as quickly as possible.”

    What I do is have my credit cards and financial institution accounts set to alert me on every transaction. It is real time monitoring…and it costs nothing!

    • Was doing the same for years.

      Now I’m using Pay on my iPhone 6, and it sends the notifications for all charges direct to my lock screen. Because of this, I’ve been able to discontinue the email notifications.

      Also because of Pay I think my risk of credit card data being captured has dramatically reduced to those situations where Pay is not supported (in which case I’m modifying my merchants of choice), or NFC is not yet present; and this should decline over time too.

  4. Great article. There is a common misconception that card fraud and other forms of identity fraud can be easily attributable to a source. That’s why it is frustrating when I see organizations that launch a data breach response include contingencies that the fraud must be “connected” to the data breach incident, or in the case of a card breach, like Target, to require that the consumer have a credit monitoring alert before they are given access to resources to help with the fraud problem. In the latter the criminals were using existing credit accounts, which do not trigger a credit monitoring alert. These tactics are designed to keep costs low by discouraging consumers from stepping forward because there is no evidence that their identity fraud was caused by the breach incident at hand. But there never is!

  5. If one frequently monitors card use via alerts as above or otherwise, and discovers a breach, it’s actually fairly easy to discover (guess) as to the breach’s origination: “Where did I last use this card? Did the waiter take it? ATM? Gas station?, etc.” The real question is what to do about it? Obviously report it to the card company. Then what? The gas station or restaurant will likely do nothing but, if you’re lucky, apologize. Knowing where the breach occurred won’t get you much.

    • Unfortunately, this isn’t true. Your card can be compromised months in advance of the time it is used. Sophisticated criminals (unlike the idiot with the notebook mentioned in these comments!) often like to remove any equipment and/or malware to cover their tracks so that there is no evidence of the compromise. This increases the chances of the compromise being repeatable.

      I work for a large acquirer – one of the other reasons that cardholders are not given any information on where the compromise occurred is because investigators do not want people showing up saying “you hacked my card!” – it puts cardholders in danger AND totally blows any investigation that may be occurring.

      • I agree with these reasons as being most plausible.

        I also wonder if there are agreements between merchants and issuers not to publicize such events because it is not good for either party consumer confidence wise; better to just do the investigation, replace the card, and hope the Feds can bring the perps to justice.

      • You’re correct in which a card can be compromised months ahead of fraud. Normally this is the case with the larger breaches. It is too easy to find the common point of purchase if they do it sooner, plus it goes to fraudulent supply chain from hacker, to broker (dump site), and then to the card shop that purchased the cards. I have seen with smaller mom and pop breaches, the turn around time could be as quick as 48 hours. However, we have learned that these cards were not for sale on a dump site and the individuals using the cards were the same group that placed the malware. The reason why we do not tell what merchant/processor has the breach is that it comes down to possible litigation. As we have seen with Michaels, PF Changs, and Sallys…the breach happened almost 1 year before the press release was issued despite being informed by an array of issuers, LEO, and the brand owners. If you name the merchant beforehand they have a tendency of throwing down a lawsuit despite the information being true. Case in point, there is a horrible POS processor which has been breached at least a couple of times in different areas of the country. Their lawyers will C&D you if you mention their name as being a breach and/or directly reach out to their POS clients.

  6. Thanks Brian,
    I agree with you. I have been contacted by my issuer’s Credit card sending me a big document describing all the real scenario in which the fraudster bought goods from Internet stores (3 purchases, from AppleStore, eBay and local web site Alcohol depot). They asked me to validate and to sign the attached forms.

    Mika

  7. In September Capital One notified me of fraudulent charges on my cc account. They also notified me that someone had attempted to take over my credit card account by changing the statement mailing address. I assured them I was the legitimate account holder but had to jump through many hoops with Capital One before they would restore access to my cc account.

    But, like Brian stated, the bank would not tell me whether or not my cc number got hacked during the Home Depot Breach.

    Due to this event and my own paranoia, I filed an affidavit with the IRS to make sure no one tries to file a fraudulent tax return involving a big refund check. Just sayin.

  8. Banks only have access to their customer’s transactions, which includes merchant info (Merchant ID, Terminal ID, Location etc…). When the breach is at the processor level, banks will see multiple merchants that are possibly the source of the compromise. The Global Payments breach is a good example as before it was identified that Global Payments was the source for cards associated with a spike in fraud, many in the industry thought NY Parking Garages and Taxi Cab firms were the source because when common point of purchase analysis was performed New York Parking and Taxi companies were at the top of the list. The payment processing system is very fragmented making identifying the single point of failure difficult when the source is not at the end point (e.g. merchant) but rather further up in the transaction flow like the payment processor.

    Interesting to note is when multiple merchants that are the same type (e.g. Pizza restaurant) are targeted. That is usually an indicator that a systems integrator is implementing the same payments solution to multiple merchants and the solution contains a vulnerability (e.g. default password or no password). After the attacker identifies how to exploit and exfil card data for the victim merchant, the attacker will replay the attack by searching for similar merchants that have the same implementation (e.g. vulnerability).

  9. I had a card that was “stolen” but not by electronic means. As you mentioned above Brian, it was indeed a restaurant worker, but in my case, the person did it the old fashioned way–when going to ring up my dinner they copied my name, card number, expiration, and CID all in to a notebook. This was a low-level crook who wasn’t interested in selling my information but rather used my card to call in to some restaurants for delivery orders, the kind that take your card over the phone and punch it in at the store. Lucky for me my credit union sends me an email for each purchase, so when I saw that I had ordered food from two different restaurants just 10 minutes apart while I was sitting in the first period of a hockey game, I knew something was up and reported the card stolen. The police ended up contacting me because they had found the person and the book.

  10. Don’t forget that when your identity is stolen a crook can take out a credit card in your name. You won’t know until it’s too late. Most people only check their credit when it’s time to make a big purchase: new car, house, etc.

  11. I travel a lot with my RV and do not find cash practical. My primary credit card notifies me via email of EVERY transaction against the card. I compare this to my receipts. Any credit card I have that does not do this gets used a lot less and in more controlled environments. All credit cards should offer this service.

    • The thought comes to mind that one could revert to using the cards for individual merchants. For example, carry a “Shell” card that you use to purchase Shell gasoline. If that card gets stolen, it is of far less use to the crooks than a Visa that could be used for virtually anything.

      And I get it – it would be a pain in the neck to do this in that you would have a lot more bookkeeping to do at the end of the month to make sure everyone gets paid on time.

      I suppose another possibility is to use a speedpass like device (which are better than a magnetic stripe, but still pretty weak from a cryptographic point of view (cloneable)).

      True story: Only once in my life have I ever had my wallet stolen, and it was while I was a student and the only card I had was for Texaco. They went and charged 40$ worth of something or another (this was back when gas was 2$ a gallon). All I had to do was notify them and the charge went away. But given that it was a Texaco card, there wasn’t much they could buy other than top off their fuel tank.

  12. I too signed up for card monitoring on several of my accounts but that requires “cookies” being attached to your account.

    Then after my first use my top end (eliminates everything) anti-virus program goes through and deletes those same cookies. That ends the monitoring.

    In order for card monitoring to work effectively the card issuer needs to tell you the name of each cookie that will be attached to your account so that the user can add those cookies to the program’s “exclude list” so that it will not delete them.

    None of the card issuers have ever done that.

    • This. Also, they use flash cookies and third-party cookies from trust/fingerprinting sites as well as opt-out cookies.

      And then some sites you *want* cookies for advertising, just not tracked across the internet.

      Don’t even think about having any control over any of this on your phone browser with mitm apps phoning home with every interaction along with geolocation info and your contacts info.

      Truly sad that your identity is raped at every chance a website or app gets, and yet none offer any help when they are part of continuing to rape your identity after it really does get stolen.

      • Eh? What do cookies of ANY kind stored on your local machine have to do with SMS and/or email alerts sent to you from your bank’s data processing center?

        When you activate monitoring alerts using your bank’s website, your request is attached to the account records that your bank keeps in its internal database. Once activated, the bank sends the monitoring alerts to your phone and/or your email acct whether your local machine is on, off, or in the scrap heap. The ENTIRE process is handled automagically by the BANK, as part of their regular transaction processing workflow; it has nothing to do with anything stored on your local machine.

        I’ve got half-a-dozen credit cards, as well as several checking and savings accts. ALL of them have had email and SMS monitoring enabled for several years, and I have NEVER had any cookies of ANY kind attached to my accounts (whatever that means).

        I clear browser cookies routinely at least once a day. I clear Flash cookies, too, but not as often. I’ve blocked several of the “fingerprinting” sites from setting ANY cookies, due to privacy concerns. And I generally do NOT accept ANY third-party cookies, unless the site fails to work correctly without them. (Citibank, I’m looking at you).

        So if there had been any issues relating to cookies on my local machine, I think I would have noticed something long ago (I haven’t).

  13. Alice LaChapelle

    Wonderful, much-needed practical info, Brian. What a great service you provide to us who falsely depend on banks and other financial institutions — and our government – to tell us what is REALLY going on out there and how to protect ourselves. The cyber and other felons seem to be running the show at times.

    The old adage ‘forewarned is forearmed.’

    I ordered your book. Am awaiting its delivery with anticipation.

    Thank you.

  14. Not only do I get email alerts of every transaction of my credit cards and bank accounts I also get message alerts on my cell phone.
    If my card gets compromised I generally know which shop or website it was compromised. There is a timestamp when the credit card company gets a payment request and I know where I have been that day and approximate time.
    Pay attention where you are, and my credit card companies are also monitoring “our habits” of shopping.
    I also let the companies know if I travel overseas and what country and cities I will be at.
    Be aware of when and where you use your cards.

    Thank you Brian for all the work you do.. I love your book.

    • So, just because your information is compromised on Monday doesn’t mean that a criminal will use it on a credit card on Tuesday.

      One of the things to note from Brian’s reporting is that there’s effectively a surplus of available purloined credit card credentials out there. It’s waiting for a potential criminal consortium to select and acquire them.

      I’m not sure what the average latency between compromised credentials and use of the same is, but it seems like it can be months. With that much of a lag time, unless you only use your card for one transaction of each type each month, you should have at least some difficulty determining the source of the compromise.

  15. Great article, but haven’t you ignored the flip side? i.e., what about client compromise?

    Malware infection on computing devices (laptops, phones) are also known to scrape or otherwise capture credit card details (along with banking passwords of course) and add up to a sizable proportion of the total risk.

  16. What is the motivation for the card associations not sharing information with banks or card holders? Is there a liability concern if they are wrong? I have been notified by my bank about suspicious transactions. If the card associations know that your neighborhood grocery store has been hacked before anyone else don’t they have an obligation to stop this activity? How do they know?

  17. I thought there were data breach laws in many states requiring notification to persons whose data is stolen. Do those laws not require notice about which merchant the breach occurred at?

  18. You say:

    “The card associations (Visa, MasterCard, et. al) very often know which merchant was compromised before even the banks or the merchant itself does. But they rarely tell banks which merchant got hacked.”

    On the surface this looks like collusion with criminals. What is the reasoning behind not pro-actively attacking the fraud.

    • One word “Liability”
      Associations can determine the most likely point of compromise on data breaches based on statistical analysis. If I was an attorney and I’m not, I wouldn’t allow the association to mention who they feel is the point of compromise based on statistical analysis but I can provide the compromised cards to the issuing banks and they can perform their own statistical analysis (commonly referred to as common point of purchase) to derive the compromised. It’s a pain in the ass but it is the way things get done.

      The problem is if the compromise is not at the end point (ie Merchant) and the compromise is up stream at the payment processor or elsewhere in the payment transaction stream. Issuing banks don’t have full visibility into the card transactions to determine if the breach is somewhere upstream. The other problem is a numbers game or sample size. If the association alert does not contain a large enough sample size, banks may not have confidence to call merchant actually compromised and will apply various fraud strategies to monitor. So for smaller banks with a smaller portfolio, they may not obtain a large enough sample size from the association alerts to perform a CPP analysis.

  19. Earlier this month (January 2015), President Obama called for Federal Legislation intended to force American companies to be more forthcoming when card data is involved in a breach. It’s called the ‘Personal Data Notification and Protection Act’. It would be a national standard requiring companies to inform their customers within 30 days of discovering their data has been hacked.

  20. Thanks… Another good one.

  21. Good stuff – thanks for the info.

    It is worth reminding folks thinking that carrying cash is “a better option” that generally speaking credit card losses are not their liability. As long as they are diligent in reviewing charges, it is a much better option than cash. It also has time-value-of-money benefits.

    Nobody is there to reimburse you for losing a $20 bill from your pocket.

  22. BrJust for your own informal research/tracking on credit card fraud from the

  23. I’ve had a new CC issued about every 12 months for the last three years. Once it was patently clear where the issue was – the fraudulent user did a $1.00 authorization at a Toyota dealer which never turned into an actual charge, then a week later used the same card at a local Lexus dealer and authorized a bit over $3k. Because I do monitor my card activity, I caught both of these authorizations before they completed and informed my bank and the merchant the charges were fraudulent. And of course, who knows I own both a Toyota and a Lexus? Nationwide, my insurer who receives payment via my credit card. Imagine my lack of surprise when their compromise was announced. Also, imagine my inability to believe only card information was compromised in their breach.

    In the end, I was just being a nice guy. I would not have been liable for any of the charges, but certainly Nationwide didn’t compensate me for having to call all the recurring charge accounts I have and providing them the new payment information when my card was replaced. It took me quite some time the first time my card was compromised, now I have it down to about 2 hours. Still a PITA, and at my billable hourly, not cheap.

  24. Great info…but what is the best way to stop credit card fraud or is it just the price of doing business? In the old days you could just swipe an item for a few bucks now you swipe a cc and get many more bucks. Perhaps this is the price of progress

  25. Unfortunately most of the merchants are either not very helpful or don’t have the means to offer much assistance. Case in point is Chick-fil-A, I had to replace my card simply because I was in a state where a store was affected earlier this month. Without knowing the location I had to assume I was at risk. To this day I have no idea if the location I frequent was affected or if it was a location 200 miles away.

    Total count, I’m on my fourth card in 13 months. Surely there has to be a better way outside of sticking to cash?

  26. Two months ago my credit card provider called to question me about activity they believed might be fraudulent on my card. Sure enough, someone had attempted in one day to use the cloned card at two restaurants and with a utility company located some 2000 miles away from my home. It was frustrating and inconvenient to replace the card, but ultimately the merchants ate the charges and I was held harmless. The most unsettling part of the experience for me, however, was that I had all sorts of alerts in place to show activity of more than $1.00 on my card, but didn’t receive any alerts on those fraudulent charges since my card provider only sends notifications for *actual* charges, not pending transactions. The fraudulent charges were still listed as “pending” when the system flagged the transactions for investigation. Fortunately the fraud was picked up before the pending transactions became actual charges and more damage was done, but card users should be aware that there is a fundamental flaw in the alert system, and my experience demonstrates that damage can be done before the actual alerts ever start arriving in one’s inbox.

    • Interesting. Chase sends out the alert as soon as the authorization is made, pending or not. Those emails show up in my inbox only a few seconds after I click “pay” or present the card for payment at a terminal.

  27. Thank you for the timely information Brian. The payment processor merchant accounts also deserve some future coverage because the failure to identify these links in the online transaction leaves consumers unaware of their involvement. The U.S. Congress should pass legislation to make transparent the payment processors on each credit and debit card statement. At this point, these financial organizations are getting a free pass based on the frequency of hosting / rehosting some of these merchant accounts that involve criminal revenue streams. Based on personal experiences and patterns developed during investigation.

  28. Another casualty of all this nonsense are companies whose customers cards are denied because the purchases are outside their usual pattern of use. It means start up businesses or businesses in minority neighborhoods are at an automatic disadvantage against the big chain stores in wealthy suburbs.

    • Is it really that granular that a card would be denied if a purchase is made in another neighborhood? I thought I had problems when using my cards in different countries, but after talking with the people at Chase’s fraud department, we got that ironed out. I think it’s worthwhile talking with your issuing bank’s fraud department if you find cards being denied through “normal” use. Still, I did have a card frozen last week when my wife took hers on a visit to Miami and I forgot to enter a travel notification on the web site. But that was easy to fix and the card worked again after that.

  29. My credit card number (but not my physical card) was recently used to make several large fraudulent purchases, in person, at a local department store which I’ve never shopped at. Does that make it more likely that my number was stolen locally?

  30. The government needs to expand the Uniform Crime Report Act (UCR) to include cyber thief, so that the industry can look at facts and see what mitigations work and what ones don’t.