How can a credit card be hacked on the day it was dispatched ?

[glenn.im]

I am having a nightmare with my credit cards. 3 Credit cards compromised in the last 3 weeks.
1: Compromised online via a site with broken SSL.
2: Another one got stolen from my post box and used for small transactions locally.

However, this 3rd scenario is pretty scary or may be just unfortunate.

So fed up with ANZ cards, I decided to order an Amex Platinum Business Card. So my Credit Card was approved on 2nd June and Dispatched from New South Wales on 3rd June 2016.

I received my card on 8th and activated it yesterday and to my surprise, I saw a couple of transactions worth 900$ already on my card and both of them dated 3rd June.

I quickly rang up Amex and spoke to their fraud team and even they could not explain it. I mean how can a card be used for transactions on the same day it was dispatched from Amex Office and not to forget without activating the card.


How on earth is it even possible? First, I thought maybe someone used my ID and booked the transactions via a concierge. But the customer service guys told me, both the transactions were performed by keying in the credit card numbers.


I have never had such scenario in the past. I can understand someone stealing my credit card and using it and another one getting compromised online. But getting your card compromised before it's delivered to you and on the same day it was dispatched is very scary and stressful.




What are the possible scenarios or situations you think would have happened ?


Here is the screenshot of the transactions
Screenshot by Lightshot

I activated the card yesterday i.e 10th June.

 

[MEL_Traveller]

I know what you're going through. I've had three ANZ cards compromised this year. Some of the transactions ANZ was aware of (some on-line gaming thing that apparently hit lots of accounts, not just mine), but others - 'travel services Sydney' - can't be explained and ANZ has never provided details. With the latter, the card was new, only used once by me for a legitimate transaction.

I wonder if the hackers somehow randomly generate numbers?

 

[Quickstatus]

someone in the bank diverting the info?

 

[robtemt]

I agree. A friend of mine who worked for a credit card fraud team said up to 80% of credit card fraud involves an employee of the card company/bank or its contractors. I think that sound a little high, but I believe there are plenty of employees who help. I had a bad year in 2015. My PayPal got compromised, and my CBA Gold card associated with it was cancelled. This was discovered when I woke up to go catch a flight to USA, and CBA refused to get me a card sent to my family home in USA. I was going to be gone for over a month. Then later in the year, 3 cards all compromised. I narrowed it down to Alamo Car Rental in Kauai. It was the only place I used all three cards (One card for deposit, QF Cash to pay the balance, and another to pay for something else with them for some reason). A month later, "I" attempted to buy $5,000 at Best Buy on the deposit card, charge $500 on the other, and tried to buy with QF card with no funds on it......

Point is, a lot of scum bags will take your card details and wait a while. I typically cancel a card as lost after using a rental car company now when I get home. It keeps them from using my card (there just seems to be a certain type of person at car rental places), and then they can't charge me for tolls, tickets, etc. after the fact.

Also my Amex Plat Charge welcome package was open when it arrived at my house. That wasn't suspicious or anything!

 

[Tremere]

But the customer service guys told me, both the transactions were performed by keying in the credit card numbers.

Keyed in via a physical EFTPOS terminal? I think they require just the number for a 'Card not present' transaction?

There is an algorithm used to determine if a number represents a valid card (Luhn Algorithm), given a bunch of random numbers you can determine which ones could work. The bank/country/card type parts of the card number are well known, I believe.

Some have figured out how new cards are sequenced in as well :shock:
Example: Hacker predicts AMEX card numbers, bypasses chip and PIN • The Register

 

[glenn.im]

Wow!
But without activation ? Would it be possible to do that?

 

[theblank]

So fed up with ANZ cards,

Dont get me started on ANZ, IMO their customer service has really dropped the ball over last 4 years or so. I have eventually migrated everything away from them, but, those two circumstances of your cards being compromised is not their fault, and if it wasn't for the legislation and/or regulations they could have held you responsible for both. Fortunaly we consumers have much protection from credit card fraud.

I have never had such scenario in the past. I can understand someone stealing my credit card and using it and another one getting compromised online. But getting your card compromised before it's delivered to you and on the same day it was dispatched is very scary and stressful. .

I can understand that its stressful, and its an inconvenience, but you are 100% risk free in this situation, the loss will always be worn by the credit card provider (and sometimes the merchant). Amex security will know exactly how this happened and they will never admit it, and likely the Amex customer service staff dont even know. Its too much of a security risk and bad publicity to make such information public.

You are never going to get an answer I am afraid.

Its interesting that the scammers paid for airline tickets. GIven that tickets have a persons name on it, you would think it would be fairly easy for AMEX to track them down.

 

[Haplo]

It has to be someone internally as generally speaking, a card that is not activated cannot be processed for transaction via the traditional means.

 

[MEL_Traveller]

It has to be someone internally as generally speaking, a card that is not activated cannot be processed for transaction via the traditional means.

I read a thread just the other day where this is entirely possible! (use of the card without formal activation.) Apparently for some card issuers and for small transactions, the card is good to go from time of issuing.

 

[MEL_Traveller]

... and if it wasn't for the legislation and/or regulations they could have held you responsible for both. Fortunaly we consumers have much protection from credit card fraud.

Yes - but it's also highly commercial from the banks' perspective. If they didn't cover us for fraud, how many people would stop using credit cards? Without credit cards, banks wouldn't earn interest or merchant fees.

 

[Franky]

Point is, a lot of scum bags will take your card details and wait a while.

We were in Phoenix June 2010, and they waited until the week before Xmas before hitting up the account at various locations around that fair city..

 

[nonscenic]

I have found over the years that some banks are far more "on the ball" in detecting possible fraud than others, but that scammers are finding ways of getting around the fraud security measures.
My first being hacked occurred in 2005 when I was on a work conference in Beijing. The CBA rang home to check if I had bought dog food from a convenience store in the US. It turned out that a hotel employee was skimming the credit cards used at check in of over a third of the conference attendees (about 60 victims). In 2006 while on a holiday in the UK (and having told the CBA of my holiday plans), I was rung up (at 3am!) to verify that I had purchased petrol on my card in a location probably not on the tourist beat. I had, so all was ok. In 2011 when paying online for a Russian river cruise, I received a call almost immediately from the CBA asking me a lot of questions to verify that it was not fraud.
In recent years I have discovered the cheaper option when overseas or buying from overseas online of the 28degrees Mastercard, but have often wondered that it does not seem to challenge what could well be spurious transactions. To date, all has been ok but I sometimes wonder how long, given that when using the card in some countries the merchants terminals still use signatures rather than PINS

Paywave seems to be the next utopia for hackers and my daughter has already had to dispute resolutions with the CBA bank. I would have thought that multiple gift cards and phone recharges of $20 or $50 (small transactions below the Paywave limit) on the same day would have triggered an alert, but the banks seem to be making the cardholder be more alert.

 

[ozjuice]

Got back from the USA on 13th June and found out on Monday that my card had been skimmed and i was just robbed of a payment to AT&T for $2500. My cards have been stopped now.
Also found out my brothers cards were also skimmed. It seems to be rife these days.

 

[Jo145]

In recent years I have discovered the cheaper option when overseas or buying from overseas online of the 28degrees Mastercard, but have often wondered that it does not seem to challenge what could well be spurious transactions. To date, all has been ok but I sometimes wonder how long, given that when using the card in some countries the merchants terminals still use signatures rather than PINS

I use a 28degrees Mastercard when travelling and last year in London was texted a message saying their had been suspicious activity and to contact them (I'd used the card the evening prior to book a car transfer and a hotel). Unfortunately the number the free call number they provide can not be dialled outside Australia (pretty useless). I resorted to contacting them via Facebook and when I finally received a response hours later it was rude and told me nothing. Essentially they said everything was OK and would not provide any more information. I called them when I returned home and they were no more helpful.

 

[yohy?!]

Wow!
But without activation ? Would it be possible to do that?

if they pick the right industry they can put offline transactions through without approval from the bank meaning there's no check for activation

 

[ramboflyer]

I've had credit cards since 1998 and never had any fraud until the last 2 months when there have been 2. My Jetstar MasterCard was used for 2 transactions in Russia totalling over $4000 including fees, I received a text about 2 days later to say the account had been suspended. After some phone calls and form filling the transactions were reversed but they have still yet to confirm that I will not have to wear the transactions.

My ANZ Amex was hacked earlier this week. I received a call from the ANZ Falcon people to confirm I had not made 2 Japan Airline bookings which I had not. Credit to them for picking the transactions up so quickly and nothing showed up on my account. The card was cancelled and a new one issued.

I don't know for certain how this has happened but I dont think it is my PC as I have plenty of security. The cards may have been skimmed as they both happened after interstate trips but its only a guess. I have now put all my cards in RFID jackets just in case.

 

[clifford]

This prompted me to just now check my cards' status online. Looks OK for now, even though I've recently personally used them in UK, IT, MY and TH, to name but a few.

But, I have had a lot of CC fraud in the last couple of years, mainly from online purchases in CN, TK, VN, RU, and several other places. I pretty much know who is doing this, but what's the alternative? At least CBA allows you to specify transaction limits and deny foreign transactions.

 

[serfty]

Two years ago I used my 28° in Japan - 2 minutes later I had a call from them verifying the purchase.

 

[MCM]

Does anybody know if these aluminium card cases really work against your card being scammed?

 

[Isochronous]

This prompted me to just now check my cards' status online. Looks OK for now, even though I've recently personally used them in UK, IT, MY and TH, to name but a few.

But, I have had a lot of CC fraud in the last couple of years, mainly from online purchases in CN, TK, VN, RU, and several other places. I pretty much know who is doing this, but what's the alternative? At least CBA allows you to specify transaction limits and deny foreign transactions.

As in you know the individual fraudster? Then why not report them?