My credit card information might have been stolen from a popular woodworking supplier



Matt Meiser
09-15-2011, 10:28 AM
I placed an order for some supplies from a popular woodworking supplier on Saturday. Monday a bunch of fraudulent charges showed up and/or were attempted on my Amex. Some are in the general vicinity of this vendor, while others were online charges. I'm not going to name the company unless I find out beyond a reasonable doubt that that's what happened, but I would suggest if you've ordered supplies recently, that you keep an eye on your account.

Amex mistakenly blocked a bunch of legitimate charges due to them not understanding English (see the English thread), including the one for this company. I've received the order, but I'm considering not unblocking their payment until they have a member of their upper management call to discuss and provide me some reasonable evidence that they've ensured the security of their systems.

John Aspinall
09-15-2011, 10:51 AM
I agree with you that the vendor is the most likely and obvious source of the security leak. I support your effort to get some assurance from the vendor that they've taken the right security measures. Unfortunately, most vendors are likely to see data security as a problem to be handled by someone else; smart consumers need to push back on that.

Other ways that credit card numbers can be compromised include submitting it online over an unsecured web connection. One should ALWAYS look for "https://..." and NEVER "http://..." on the actual page where you enter the payment info.

Using a credit card in person, watch out for "shoulder surfing" - when the next person in line gets a little too good a line of sight onto your card, and the "double swipe" - when the cashier passes your card through two different mag-stripe readers.

Mike Henderson
09-15-2011, 12:44 PM
Most likely it was a rogue employee. It's very easy for credit card companies to zero in on where the breach occurred - all you need is a few reports of stolen credit cards. You take the lists of places where purchases were made and compare the lists. There will likely be only one or two places that show up on all the lists - and if you have enough reports there will only be one.

The credit card company calls the company and tells them that if there's another report, they'll cut them off from being able to take credit cards, which is death to a web company. The company will take it VERY seriously.

Mike

[And, of course, the credit card company has a financial incentive to quickly crack down on fraudulent activity. They're pretty good at it.]

Chuck Wintle
09-15-2011, 12:51 PM
I would suspect an unscrupulous employee for fraudulent charges also.

Tom Walz
09-15-2011, 12:56 PM
In-person purchase or online?

I will second Mr. Aspinall's opinion.

There is almost certainly a person involved.

We use a heavily encrypted third party processor (authorize.net) for the web site and we never see the credit card number. No one ever sees it. It is all done on the computer under encryption. This is standard for the Internet.

We never keep any credit card information. If you order at noon and call back at 12:02, we need your number again.

Even a little outfit, such as ours, spends a couple thousand dollars each month on security.

This is not at all unusual. All the major woodworking sites are also extremely well protected.

In addition, we have security measures in place to monitor the staff that take credit cards over the phone.

This is for their protection as much as yours. One of the jobs I had working my way through college was as a manager at McDonald's. One day one of the nice little girls was cleaning the dining area and found a lost purse. She turned it in and we called the owner. When she picked it up it had the cash in it but the owner said the diamond earrings were missing. Fortunately the owner came back later and told us she had found the earrings at home. This incident made me realize that my accounting teacher was really right. Good, tight financial security measures protect everyone.

Neil Brooks
09-15-2011, 1:24 PM
First, I'm sorry. This can be a nightmare.

Second, I'm with Tom.

As a former database guy (among other things), with an e-commerce company, it is RARELY easy for most employees to access credit card data, in anything approaching a reputable e-commerce company. In many cases, it's almost impossible for all but a few key IT people to access it, and ... I would venture to say ... that MOST could tie particular numbers back to the customer service representatives who TOOK the order, if it was placed by phone.

If their site were hacked, or if the site of one of their transaction hosts/facilitators (payment center) was hacked, that could easily spell trouble.

Either way ... a good reminder for all of us, and sound advice. ALWAYS review your credit card statements, either before they come or ... more frequently than that.

Dan Rude
09-15-2011, 5:53 PM
Did you call or did you do it online? A friend of mine had their card stolen when the site they were trying to enter their card into was hijacked. This happened when it asked them to reenter their card again. The site looked the same but wasn't. This happened about 9 years ago, but I always do a login again if it happens to me just to make sure I'm on the legit site.
Dan

Chris Barnett
09-15-2011, 9:36 PM
Well, shucks, that kinda puts any order in question now, doesn't it? Guess it's sometimes tough to choose to protect the seller. Wonder if Paypal is a safer option, although CC misfortunes are protected.

Bruce Wrenn
09-15-2011, 10:12 PM
Several years ago, I went to the doctor. An employee didn't return after lunch, and several CC numbers were compromised. About a week later I bought a couple items at a local farm supply store, and a pair of sneakers in Australia a couple minutes later. My CC company caught both transactions. My neighbor went to races at Charlotte. Paid for his lodging with a CC he hadn't used in over a year, and nothing else. By the time he got home, over $10,000 had been charged to his CC.

Bill ThompsonNM
09-16-2011, 12:35 AM
Report it to the cc company, ask for a new card. They should tell you they are sending one without asking. Dispute any charges in error. Let the credit card company deal with the merchant. It's their problem, and as noted, they have the clout to get to the bottom of it. If your credit card company isn't responding appropriately, get a card from someone else. A good company will want to minimize their losses and minimize your frustration!

Mark Kelly 92040
09-16-2011, 12:42 AM
Unfortunately, Matt's experience is a daily occurrence. There is little incentive for the credit card issuers to fix the system since, for the most part, they are not on the hook for the fraudulent charges. In all but a very few cases, the charge gets reversed to the vendor who is the one who eats the charges. And with Internet transactions, the burden falls even less on the credit card issuer since the card itself was not physically present during the transaction. I spent a number of years at the end of a Law Enforcement career investigating these kinds of cases. I can't tell you the number of times I called banks trying to get information on fraudulent transactions in order to be able to continue an investigation only to basically be told the bank wasn't interested in helping. Whatever transactions the banks can't put back on the vendor they just write off as a loss and take the tax deduction.

If all that is compromised is a credit card number, then cancelling the card and getting a new number usually takes care of the issue for the victim. If for some reason the company also collected other personal identifying information that was compromised as well, then that's when you'd need to become more proactive at monitoring your credit history on a regular basis for at least a year. Depending on the state where the data breach occurs, there may be a requirement for the vendor to notify their customer of the breach.

One recommendation I always made (and follow myself) is to have one credit card that you use for Internet transactions only. If that card is compromised, then replacing it isn't too difficult and you will have a general idea when and where the crooks got hold of the card number.

Mark

Carl Beckett
09-16-2011, 8:02 AM
OK - I am no doubt naive - so enlighten me (and I will check my own policy). On the credit card terms that I have I am only responsible for the first $50 (or something like this) of fraudulent charges. I feel fortunate that I have never had to contest this.

I have had some erroneous charges - but it's rare and each time I called the vendor and they corrected the charges (they really were erroneous, and one at least had someone else's signature and just a data entry issue on the numbers - some time ago).

During international travel I have been contacted a few times where the cc company detects 'unusual' activity, and wants to be sure the charges are legit. I like that they are monitoring usage this way.

It's my understanding that most cc fraud is done by employees, and some restaurants/bars/etc have caught employees with 'scanners' where they swipe your cc info before running it through the register. A black market for fresh cc numbers - $50 each, more for high end cards.

Matt - sorry it happened to you. I wouldn't unblock ANYTHING, but just end that account and issue a new card (and let the vendor transfer the legitimate charges to another card #).

Also, I tend to cancel and reissue a cc number every year or two. There are a lot of 'subscription' based automatic payments that get cleaned up this way (even if they haven't been charging, doesn't mean they don't have an active # on file). Also, I keep a different card for certain types of purchases (but only want one card, with one backup for two total - more cards just means more risks). Definitely check your bill each month but this isn't enough.

Pull your credit report. You might be surprised what accounts are on there for long past credit that you didn't know about (like a 15 yr old Sears/JCPenney cc account that is still technically 'active').

Matt Meiser
09-16-2011, 8:22 AM
I placed the order that I think might have started this on Saturday morning using their web site on my cell phone. I'm sure I was on the legitimate site. Their site had my card number stored from a previous transaction. I only had to update my expiration date. So my number was never entered on my cell phone, not that I think that's a likely device to be hacked anyway.

Amex did an amazing job detecting illegitimate charges. I went to a wedding in Cleveland on Saturday, then was supposed to fly from Cleveland to Kansas City for work. I got to Chicago Midway and then KC's Southwest terminal got shut down due to an incident with a fake bomb, so I ended up flying to St. Louis and driving to Kansas City. So despite a winding pattern of charges (hot dog in Chicago, rental car in St. Louis, cell phone charger at Walmart in Wentzville, MO, coffee in Concordia, MO, hotel check-in and dinner in Independence, MO) they managed in the end to automatically put through all legit charges (at least that I can remember) and block all the illegitimate ones. And by block, I mean all were put on hold pending verification with me or just downright declined.

Amex has done a really poor job of getting me a replacement card. They promised me one next day at my hotel and said they'd call my cell if there were going to be any problems, but it didn't show and I didn't get a call. When I called back, they said it would be there yesterday or today--only I was leaving before then. So now they have to cancel that card and issue yet another new one that won't get to me until Monday. The issue, apparently, is that Amex doesn't keep the info for Costco customers in their system so every time they generate a new Costco Amex, they first have to re-download the data from Costco which takes an extra day. Had they told me that the first day they could have just sent the card home and I'd have had it yesterday when I got home. Now due to the manual process of canceling and re-issuing it will be Monday. Luckily I have another card to use so I could get home. They did have a couple other options including their travel dept. taking care of any arrangements on my hotel, rental car, etc. And apparently I could have gone to an office somewhere in KC and had a temporary card printed on the spot. IMHO, it all goes back to that English thread...

I've seen the fraud detection thwart my own actions twice before with other financial institutions. Once I returned from another business trip and went straight to Best Buy to buy my wife a laptop for her birthday. They allowed the charge, but called our house and asked my wife about the $500-something charge. She of course called me right away and asked if I did it and then of course the next question was "what the heck did you buy?" And a few weeks ago I used our debit card to buy a few hundred dollars worth of Lowes gift cards at Kroger (for the gas points), left Kroger and went to the Kroger gas station to fill up, went across the street to O'Reilly to buy my wife a new headlight bulb, and drove across the parking lot to Home Depot to pick up some stuff Lowes didn't have. When I went to check out, my card was declined. My wife used hers and by the time I got to the car I had an email from the bank to call the number on the back of my card for a fraud alert.

Trent Shirley
09-16-2011, 8:27 AM
Unless the web site has a very poor system, PayPal is not going to be any safer.
My PayPal account got hacked some years back. PayPal tried to tell me that it was probably someone who had guessed my password and accessed my account, but I use large alpha-numeric passwords with non-dictionary based text.
And my password changes between sites so there is no chance someone hacked my password. They broke in through PayPal's security to get access to the account. Sometime later I read a lot of reports of others who had the same issue.
PayPal was good about reversing the charges and getting my money back, though I did lose a small amount due to currency exchange rates between Pounds and Dollars when it was refunded back to me. But PayPal is as susceptible as anyone else to 0-day hacks.
You can get an extra measure of security by always using a credit card rather than direct debit, as most credit cards have some level of protection against fraudulent purchases and give you better tools for disputing charges. Some even give you better warranties by buying with the card. You just have to worry about the extra cost for the interest charges.

Well, shucks, that kinda puts any order in question now, doesn't it? Guess it's sometimes tough to choose to protect the seller. Wonder if Paypal is a safer option, although CC misfortunes are protected.

Jeff Monson
09-16-2011, 9:34 AM
Matt, that's a major bummer to go through. I had that happen with an order from a snowmobile performance center 2 winters ago. I had my card company call me within 2 hours of my order, fraud charges were coming in by the handful. I called the business, which was located in Mpls. and spoke with the owner, he could have cared less about my problem. Needless to say I won't do business with them again!

Harry Hagan
09-16-2011, 9:40 AM
We discussed this issue last October. See my post in the thread. It works. I use it all the time.

http://www.sawmillcreek.org/showthread.php?151307-Your-Card-number-on-file.

Matt Meiser
09-17-2011, 4:02 PM
This company seemed interested when I called them yesterday. When I explained what was going on, I was transferred to their credit department. When I explained to that person, she immediately said "let me get a supervisor involved right away." The supervisor didn't dispute anything I said and took down my contact info and said I'd be hearing from someone soon. Kinda makes me wonder if it wasn't the only call they got.

Harvey Pascoe
09-18-2011, 5:23 PM
I had this happen and while we were blaming everyone we did business with, I read in the paper that my bank was hacked and the numbers stolen from their computer.

And now for the kicker: this bank denied this when I called them, none other than the most honorable Bank of America. They backed down rather quickly after I gave them the FBI case number. You see, the bank had reported the hack to the feebs and I called them and got the case number.

The moral of the story is that you don't know how your info was obtained until you know.

Bill White
09-19-2011, 2:47 PM
Matt, you travel too much. And........those coffee expenses are gettin' totally out of hand.
Guess that we all have to be extra secure these days.
If all these bums would apply their "talents" we as a nation would not be suckin'.
Bill

Matt Meiser
09-19-2011, 3:24 PM
Matt, you travel too much. And........those coffee expenses are gettin' totally out of hand.

On the first part, nowhere near as much as some in my industry. Remote access has done wonders for that. On the latter...probably true.

Karl Card
09-20-2011, 12:30 AM
I had this happen to me locally. I went and bought a vitamin supplement at GNC and the next day went to use my bank card and no funds. Luckily the bank called me and asked me if I had placed quite a few orders online for sporting goods items.. I replied NO... they said ok.. and got me my money back within 1.5 days. The guy had spent 400 dollars or tried to, but the only thing that kept the sales from going thru was that the shipping address was different than on my account and then the bank stepping in and clarifying everything. I wanted to pursue charges but no one, bank nor authorities, would intervene.

Phil Thien
09-20-2011, 8:52 AM
I had this happen to me locally. I went and bought a vitamin supplement at GNC and the next day went to use my bank card and no funds. Luckily the bank called me and asked me if I had placed quite a few orders online for sporting goods items.. I replied NO... they said ok.. and got me my money back within 1.5 days. The guy had spent 400 dollars or tried to, but the only thing that kept the sales from going thru was that the shipping address was different than on my account and then the bank stepping in and clarifying everything. I wanted to pursue charges but no one, bank nor authorities, would intervene.

I suspect that the fraud systems in place at the major CC outfits work so well that they find it less expensive to simply "detect and protect" than to prosecute criminals.

John Aspinall
09-20-2011, 9:56 AM
Credit card numbers serve two different purposes.
1. It's an account number; it identifies you, the payer.
2. It's an authorization-to-charge; if a vendor has it in hand, the credit card company assumes you, the payer, have given permission for the vendor to ask for your money.
The problem is that 1 wants to be permanent, or at least long-lasting, and 2 wants to be as short-lived as possible.
Sooner or later, the entire system of using the same number to serve both purposes is going to collapse under its own weight.
I think some banks have already started to experiment with "single-use" credit card numbers; these look like a credit card number, but only function once for purpose #2.
I suspect, however, that the 14-digit (roughly *) space of credit card numbers isn't quite big enough to accommodate the long-term use and expandability of a single-use system.
But that's the way I'd like to see things headed.

(*) Yeah, I know credit card numbers have 16 digits. But the first digit is reserved for card company (4 = Visa, 5 = Mastercard,...) and there's a checksum digit.

Dan Hintz
09-20-2011, 1:04 PM
Actually, the first six digits specify the issuer (Amex, Visa, etc.), and the last digit is the checksum. The number of digits varies from issuer to issuer (from 13 to 16)... for example, Visa has 6- and 9-digit account numbers (the remaining digits are sub-accounts, like your wife's card), Amex uses 7 digits for the account number, etc.

And I agree with your final assessment. Just like we're running out of IP numbers for net addresses, single-use CC numbers would require a serious rework of the system.

Phil Thien
09-20-2011, 9:50 PM
Actually, the first six digits specify the issuer (Amex, Visa, etc.), and the last digit is the checksum. The number of digits varies from issuer to issuer (from 13 to 16)... for example, Visa has 6- and 9-digit account numbers (the remaining digits are sub-accounts, like your wife's card), Amex uses 7 digits for the account number, etc.

And I agree with your final assessment. Just like we're running out of IP numbers for net addresses, single-use CC numbers would require a serious rework of the system.

The first digit is actually the MII [industry or category, as in banking (4 and 5) or petroleum (7)].
The first six digits (including the MII) form the issuer identifier (including syndicate). So 4XXXXX is Visa, 51XXXX-55XXXX are MC (syndicates). The XX's are the syndicate member (Bank of America, Chase, etc.).

The remaining digits up to the last (the Luhn check) are the account number. Syndicate members determine how they format their account numbers on their own.
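The card number layout described in the three posts above (MII as the first digit, six-digit issuer identifier, account number in the middle, Luhn check digit at the end), worked through as an added example that is not code from the thread. The industry names beyond banking and petroleum follow ISO/IEC 7812; the sample numbers are publicly published test numbers, not real accounts, and the 13-to-19-digit bound is the ISO range (the thread cites 13 to 16).

```python
"""Parse the structure of a payment card number and verify its Luhn check digit.

Added example, not code from the thread. Field layout follows the posts above:
first digit = Major Industry Identifier (MII), first six digits = issuer
identifier (IIN), middle digits = account number, last digit = Luhn check.
"""

# MII meanings per ISO/IEC 7812; the thread itself mentions 4/5 (banking) and 7 (petroleum).
MII_INDUSTRY = {
    "1": "airlines",
    "2": "airlines, financial and other future industry assignments",
    "3": "travel and entertainment",
    "4": "banking and financial",
    "5": "banking and financial",
    "6": "merchandising and banking",
    "7": "petroleum",
    "8": "healthcare and telecommunications",
    "9": "national assignment",
}


def _digits_only(number: str) -> str:
    """Drop the spaces and dashes people type between digit groups."""
    return "".join(c for c in number if c.isdigit())


def luhn_ok(number: str) -> bool:
    """Return True if the number passes the Luhn (mod 10) check.

    Working from the right, every second digit (starting with the one left of
    the check digit) is doubled and 9 is subtracted from any double above 9;
    the sum of all resulting digits must be divisible by 10.
    """
    digits = [int(c) for c in _digits_only(number)]
    if len(digits) < 2:
        return False
    total = 0
    for position, d in enumerate(reversed(digits)):
        if position % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def luhn_check_digit(partial: str) -> int:
    """Compute the check digit that makes `partial` pass the Luhn test."""
    for candidate in range(10):
        if luhn_ok(_digits_only(partial) + str(candidate)):
            return candidate
    # The check digit is never doubled, so one of the ten candidates always works.
    raise AssertionError("unreachable")


def describe_card_number(number: str) -> dict:
    """Split a card number into the fields the thread describes.

    Accepts 13 to 19 digits (ISO/IEC 7812 range; the thread cites 13 to 16).
    """
    digits = _digits_only(number)
    if not 13 <= len(digits) <= 19:
        raise ValueError(f"expected 13-19 digits, got {len(digits)}")
    return {
        "mii": digits[0],
        "industry": MII_INDUSTRY.get(digits[0], "unknown"),
        "iin": digits[:6],
        "account": digits[6:-1],
        "check_digit": digits[-1],
        "luhn_ok": luhn_ok(digits),
    }


def mask_pan(number: str) -> str:
    """Mask a number for logs or receipts, keeping only the IIN and last four digits.

    Keeping first six and last four is enough to identify the issuer and the
    card in a dispute without writing the full number anywhere it could leak.
    """
    digits = _digits_only(number)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


if __name__ == "__main__":
    # Publicly published test numbers (constructed inputs), not real accounts.
    # The third one has a single-digit typo and should fail the Luhn check.
    for sample in ("4111 1111 1111 1111", "3782 822463 10005", "4111 1111 1111 1112"):
        info = describe_card_number(sample)
        print(mask_pan(sample), info["industry"], "iin=" + info["iin"],
              "luhn_ok=" + str(info["luhn_ok"]))
```

Note that the Luhn digit only catches transcription errors (a mistyped or transposed digit); it is not a secret and offers no protection against a number that was copied correctly, which is why the posts above treat the number itself as the thing to keep short-lived or replace.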

Jamie Schmitz
09-20-2011, 10:58 PM
I think a secured card with a limited balance is key for online purchases.

Chris Barnett
09-21-2011, 8:28 AM
Not knowing if the issue had been quelled (identified via a logical process), I refrained from placing an order yesterday from that well known woodworking product supplier :(. Searching for this thread yielded nothing, expecting that it had been deleted due to the subject matter (some forums have no compunction to just delete subjects having threads addressing problems with suppliers. That was not the case here...happy to say...I just did not find this thread before time ran out :o.) Shame affected companies do not pursue with great prejudice...such can adversely affect sales. I too have no desire to argue such financial matters with folks who generally do not understand the English I speak....no prejudice implied. Will need to find a temporary alternate source for peppermills and the like, for Christmas gifts. The plan to give bowls has hit a huge snag :D.

Matt Meiser
09-21-2011, 9:06 AM
Nothing has been deleted as far as I know. I purposely didn't identify them because I still don't know for sure, and probably never will. It could just as easily have been the hot dog vendor at the airport the next day or the waitress at the restaurant I ate at Sunday night. Or even the Starbucks, or the Taco Bell I went to on Monday based on the speed others have seen it happen. It's just that there's a few other things that make me believe it's the first. I am still waiting for the return call I was promised on Friday.

I'm really getting peeved at Amex. I STILL don't have a replacement card. The one promised last Wednesday was delivered Monday to the hotel I left last Thursday. They never canceled that card so technically someone could activate it. And the one they said they ordered for me Thursday to be delivered Monday wasn't ordered as of last night. Now they say I'll have one this Thursday by 10:30AM. They are blaming Costco for delays so I called Costco and the Customer Service rep I spoke to emailed the credit card people to give me a call today to see if there is anything they can do.

Gary Herrmann
09-21-2011, 10:46 AM
Folks, don't use your smart phones for online purchases. Transactions via cell phone are nowhere near as secure as using a laptop or pc. It's not the interface or the site, it's the way the data is transmitted. Cell transmissions are wide open, comparatively.

Sorry you got hacked, Matt.

Dan Hintz
09-21-2011, 11:47 AM
To add to Gary's post... just read an article about two researchers who hacked SSL 1.0 (the certificate security method that allows secure https e-commerce). No current browsers support v1.1 or above, so with that hack your info can be snagged with a man-in-the-middle attack. Still takes a bit of work to get your info, but it's infinitely more doable now.

Mike Davis NC
09-21-2011, 1:35 PM
Same thing happened to me this week. Wonder if it is the same ww company I placed an order with?

Anyway the guy charged over $500 of classified ads selling a pick-up truck in papers all over the country. Secret Service said he is running a check scam where he sends you a check and you send part of it back.

Canceled the card, working with Law Enforcement to try to pin the guy, working with VISA to get money returned to my account. What a hassle!

Jim Neeley
09-21-2011, 9:59 PM
I use a different approach that may cost me a few more $$$, but gives me peace of mind.

My Safeway sells reloadable (prepaid) Visa cards that receive the Visa protection but aren't tied in any way to your other financial accounts or transactions. It costs you $3.95 to pre-pay from $20-$500 and you can buy more than one re-load at a time. It also costs $4.95/month and I use it solely for online purchases. I choose to leave <$50 in it after a purchase, which covers several months' charges and then, when I'm ready to place an order, go to Safeway and pre-pay enough to get what I want and return the account to about $50. I then apply the pre-pay to the card immediately before placing the order.

Jim

That way a thief only has a very short window of time to get more than the $50 (from when I deposit until the legit vendor withdraws) and it isn't linked to my regular checking and savings accounts.

Matt Meiser
09-22-2011, 7:40 AM
Mike and I communicated privately and we didn't order from the same company.

If Amex could do a card replacement as promised, this wouldn't have cost me more than an hour of my time. We'll see by 10:30 if they managed to get it right this time.

I use my phone all the time, but usually I guess it's 1-click purchases on Amazon. But for example I use Southwest Airlines' mobile site to make flight changes when my return trip gets changed. I'm curious about the cell phone security thing. How does that work? I believe the Android browser supports 128 bit ssl encryption, so once the data leaves my phone, it's encrypted, isn't it? In addition, I was in a car on the highway (riding, not driving) and probably went through several cell sites.

Dan Hintz
09-22-2011, 9:31 AM
I believe the Android browser supports 128 bit ssl encryption...
See my previous post... SSL is not as secure as once thought (though to be fair it still requires some major work on the part of a hacker to get access to the data stream, so take it all with a large grain of salt). Traffic from your phone is encrypted while traveling over the air, but once it hits the base station it's decrypted again for transfer to POTS lines. Even so, that's a different layer of encryption from your browser data, so irrelevant.

Matt Meiser
09-22-2011, 10:07 AM
Right, so given that, it would seem to me that the cell phone is actually more secure given that:
1) I haven't heard anything about things like spyware for mobile phones yet.
2) The data is encrypted in the browser, then transmitted through the air encrypted again. Then it's back to the standard level of encryption once on their internet backbone.
So am I missing something?

Anyway, probably not worth worrying about in my case as ALL my internet use is cellular anyway. Our home internet connection is a Verizon 3G device because it's that or satellite. Someday maybe we'll get LTE--it's available 5 miles to the south and 10 miles to the north, or maybe even DSL.