Credit Card Fraud


ambientech

Super Member
ECF Veteran
Verified Member
Sep 27, 2011
948
967
somewhere
I really think a lot of this nonsense can be stopped by people being more careful about their computer security in general. Things like keeping anti-virus software updated and current as well as performing regular spyware and adware scans.

I used to do computer repair as a way to make a little extra money. Almost 100% of the machines I repaired had no antivirus software on them, outdated definitions, or expired antivirus software. Blaming the ecig market is ridiculous, in my opinion. It's the other garbage you download on your machine that will get ya'!

Yes, by all means pay attention to the website's security features. But every vendor I deal with has enough security in place to make me comfortable.

I've also noticed that people will get on public machines and order things online. Then they walk away and leave their info right there for the next person to see as they do not log out of the system before walking away from it.

While I agree many don't take computer security seriously, some like me do, and yet I have had my card hacked twice since I started vaping.

I run Norton Internet Security along with weekly Malwarebytes scans. I also use Trusteer Rapport on any site I use a cc. I am behind both a software and hardware firewall. I don't download anything from suspicious sites, let alone visit them. So if anyone wants to get my info they would have to work really hard to get it. My bet is anyone smart enough to break through my security isn't wasting their time on my computer but applying their time more efficiently on banks of cc numbers on servers...
 

six

Vaping Master
ECF Veteran
Verified Member
Feb 17, 2011
3,706
4,504
under the blue sky
Is it against forum rules to post which vendors we've used to see whose website needs a security update?

If the vendor is PCI compliant, they have no access to your CC info. It is the CC processor at fault. There are not that many CC processors in the world. It seems like there are, but it washes down to just a handful of actual companies, and most of those are majority owned by one or more of the big banks like Wells Fargo and Citi. Two of the biggest CC processors have admitted to being hacked recently. One said they lost information belonging to up to 250k - 1.5 million users. A few articles I've read have authors that believe that 1.5 million should not be the upper number, but the lower one. One author stated he believed it was probably closer to 15 million than 1.5 million.
 

Mookie

Ultra Member
ECF Veteran
Verified Member
Dec 18, 2011
1,872
4,491
Rochester, NY
Just happened to me too. First charge at a South African airlines, and then a money order in South Africa. This is a Mastercard that is kept in my desk drawer and has only been used for vaping purchases. I use a Mac, have up-to-date anti-virus software, and make sure the sites I buy from have a secure form.

One of my cards was hit with South African airlines also! That is odd!
 

Mookie

Ultra Member
ECF Veteran
Verified Member
Dec 18, 2011
1,872
4,491
Rochester, NY
My Mastercard was also hacked last week. I had to cancel my card. First time for me, although I did have my new checks from the bank stolen out of my mailbox and that was far worse! It was amazing how many merchants cashed checks without an ID. It took me about six months to get my account straight.

Wow, that really sucks!!! Must have been a nightmare getting that sorted out.

It also always amazes me how cashiers rarely check the signature on cc. I've let my kids and husband use my cards several times and no one ever noticed. They obviously don't even look at the name, let alone check the signature.

I also heard a radio report a couple days ago saying that something like (don't quote me exactly on the number) 60% of people use unprotected wireless at home or coffee shops, etc. And that it only takes 5 seconds for a hacker to get all your personal info including cc#'s, SS#, passwords, even your pictures.

I got a prepaid Visa at the drug store the other day. It cost $5 and you could put up to around $500 on it. Be careful though and read the fine print. There is one called Green Dot (or something like that) that is free and you can keep adding money to it. Sounded good until I got out my little ole granny glasses and read the fine print. You would have to provide your SS# and/or bank account to transfer the funds to the card. How in the world is that going to protect you? I figured I'd rather spend $5 on security.
 

NicLiq

Ultra Member
ECF Veteran
Verified Member
Apr 11, 2011
1,087
932
Twin Cities, MN
nicliq.blogspot.com
One of my cards was hit with South African airlines also! That is odd!

The fraud department person told me it was most likely a sold list without expiration dates. They guess at dates by making a charge under $1, and as soon as it hits, they try to make a big cash purchase.
 

trepalium

I'm a Panda
Supporting Member
ECF Veteran
Verified Member
Mar 8, 2012
560
181
Indianapolis, IN
hoosiervapers.com
I just wanted to make sure that everyone should know that just because a site has an HTTPS in front of it doesn't make it reputable or secure. I can make my own SSL certificates without an issue and have the HTTPS. You want to make sure you verify the SSL certificate itself and make sure it is from a reputable certificate vendor. Even then it may not be secure. Keep in mind that this only encrypts traffic to and from your computer during the transaction. It has no bearing on the website's security or your own machine. Doesn't matter how secure the connection is. If either the client or server is compromised it doesn't make a difference. Your best bet is to order from a reputable vendor, keep your antivirus up to date and scanning regularly, and monitor your bank and credit card accounts regularly. Also it's a good idea to have two checking accounts. One you keep the majority of your money and one that you transfer to, to make online and other shady credit card purchases. Banks nowadays, at least in the US, have pretty good refund policies on fraud, but just to be safe it's good to not give the cyber criminal access to the whole kit and caboodle.

That's my two cents on the topic.
 

nanovapr

Ultra Member
ECF Veteran
Jun 15, 2011
1,013
727
Catatonic State, USA
127.0.0.1
I work with online security, and have been online since 1981. I would wager that I am at least as paranoid as anyone here. For 6 years I maintained 100 servers across the world with CC and POS. I know about zero-day, and my name is mentioned in O'Reilly books about security.

Yet? My debit/Visa got nicked recently. I can pretty much guarantee that my personal networks cannot be hit, without something amiss in the logs. I had a $3 'test charge' at a hotel in Ohio, and then a $1400 hit at a clothing store in the UK. I am not nearly that well-dressed....

Even if there is an HTTPS connection present, that is no assurance that their upstream SQL password files are not plain-text.

There is a good probability that it was mom/pop vaping places. I point no fingers, all of the vendors I know are top-notch. The problem is probably beyond them. This is a boom industry, and it will have growing pains.
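The pattern reported in the posts above (a charge under $1 or a $3 "test charge", then a large purchase) is something a card issuer can look for in its transaction stream. The sketch below is an added example, not part of the original thread and not any bank's actual logic; the thresholds, field names and sample charges are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Thresholds are assumptions, loosely based on the amounts reported in the
# thread (charges under $1 and $3, followed by $1400).
PROBE_MAX = 5.00             # ceiling for a "test" charge
BIG_MIN = 500.00             # floor for the follow-up purchase
WINDOW = timedelta(days=7)   # longest gap between probe and follow-up

def find_card_testing(transactions):
    """Return (probe, follow_up) pairs: a tiny charge at a merchant the card
    has never used, followed within WINDOW by a large charge at a different
    merchant the card has also never used."""
    alerts = []
    seen = {}     # card -> merchants already used by that card
    probes = {}   # card -> tiny first-time charges seen so far
    for t in sorted(transactions, key=lambda t: t["time"]):
        known = seen.setdefault(t["card"], set())
        first_time = t["merchant"] not in known
        if first_time and t["amount"] >= BIG_MIN:
            for probe in probes.get(t["card"], []):
                recent = t["time"] - probe["time"] <= WINDOW
                if recent and probe["merchant"] != t["merchant"]:
                    alerts.append((probe, t))
                    break
        elif first_time and t["amount"] <= PROBE_MAX:
            probes.setdefault(t["card"], []).append(t)
        known.add(t["merchant"])
    return alerts

def charge(card, day, amount, merchant):
    """Build one constructed sample transaction (April 2012 is arbitrary)."""
    return {"card": card, "time": datetime(2012, 4, day),
            "amount": amount, "merchant": merchant}

# Constructed sample data, not real transactions.
SAMPLE = [
    charge("card-A", 1, 21.23, "grocery store"),      # ordinary spending
    charge("card-A", 2, 6.21, "fast food"),           # small, but above PROBE_MAX
    charge("card-A", 9, 3.00, "hotel"),               # probe
    charge("card-A", 10, 1400.00, "clothing store"),  # follow-up -> alert
    charge("card-B", 1, 0.99, "app store"),           # tiny first-time charge
    charge("card-B", 20, 650.00, "furniture store"),  # outside WINDOW -> no alert
]

if __name__ == "__main__":
    for probe, hit in find_card_testing(SAMPLE):
        print(f'{probe["card"]}: ${probe["amount"]:.2f} at {probe["merchant"]} '
              f'then ${hit["amount"]:.2f} at {hit["merchant"]}')
```

A rule this simple also fires on an honest small purchase followed by a big one at two new shops, which is why a flag like this leads to a phone call to the cardholder rather than an automatic decline.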
 

AttyPops

Vaping Master
ECF Veteran
Jul 8, 2010
8,708
134,404
Hc Svnt Dracones - USA EST
Thanks nano. Good points!

Yeah, my computer is constantly scanned (FWIW) and HTTPS or not, the problem is most likely either another use of the card (not online) or downstream from my system (or even downstream from the e-cig vendor). The worst part is there's no way for me to tell. Payment processors have been hacked recently too.

Well, off to call the bank now, dispute the charges that were still pending yesterday. PITA.

Even if I get a different card for online use (that I fund as needed)... hackers could still hit my "main account" card if it comes from a payment processor, or with the "guess my #" stuff. Still, I think I'll get one... so it isn't funded when not used.
 

trepalium

I'm a Panda
Supporting Member
ECF Veteran
Verified Member
Mar 8, 2012
560
181
Indianapolis, IN
hoosiervapers.com
Thanks nano. Good points!

Yeah, my computer is constantly scanned (FWIW) and HTTPS or not, the problem is most likely either another use of the card (not online) or downstream from my system (or even downstream from the e-cig vendor). The worst part is there's no way for me to tell. Payment processors have been hacked recently too.

Well, off to call the bank now, dispute the charges that were still pending yesterday. PITA.

Even if I get a different card for online use (that I fund as needed)... hackers could still hit my "main account" card if it comes from a payment processor, or with the "guess my #" stuff. Still, I think I'll get one... so it isn't funded when not used.

For the most part, anyone who regularly orders items online regardless of their precautions will have at least one stolen credit card number in their lifetime. Luckily the bank shouldn't hassle too much when you dispute a transaction. I bank through PNC and when you dispute they automatically refund the disputed items until they finish their dispute investigation. I had to change my CC due to it being compromised once. Had some guy ordering pizza from it in Poland. They refunded all of my charges without so much as a gripe. Of course change your debit/credit card whenever this happens. I like to still place alerts on the old cards when they get declined. To this day I still see people trying to use my old debit card around the world for everything from online pornography to McDonald's. It's quite funny when I get an alert. I just laugh (cue Nelson from the Simpsons laugh).
 

Mookie

Ultra Member
ECF Veteran
Verified Member
Dec 18, 2011
1,872
4,491
Rochester, NY
@Trepalium: "Also it's a good idea to have two checking accounts. One you keep the majority of your money and one that you transfer to, to make online and other shady credit card purchases."

@AttyPops: "Even if I get a different card for online use (that I fund as needed)... hackers could still hit my "main account" card if it comes from a payment processor, or with the "guess my #" stuff. Still, I think I'll get one... so it isn't funded when not used."

Wouldn't that be just as dangerous because if you transfer between accounts they would then have access to both?

Which also now makes me wonder about the one time use card I bought at the drug store. Say I put $300 in it and use $100. That could probably be hacked and I would lose the $200 because it's not through a bank therefore no fraud protection?

Now I'm wondering is PayPal even safe? I have my debit card attached to that. Maybe I should take that off?

Good to know about the HTTPS. I was always told that was safe. How do you verify the SSL certificate?
 

trepalium

I'm a Panda
Supporting Member
ECF Veteran
Verified Member
Mar 8, 2012
560
181
Indianapolis, IN
hoosiervapers.com
@Trepalium: "Also it's a good idea to have two checking accounts. One you keep the majority of your money and one that you transfer to, to make online and other shady credit card purchases."

@AttyPops: "Even if I get a different card for online use (that I fund as needed)... hackers could still hit my "main account" card if it comes from a payment processor, or with the "guess my #" stuff. Still, I think I'll get one... so it isn't funded when not used."

Wouldn't that be just as dangerous because if you transfer between accounts they would then have access to both?

Which also now makes me wonder about the one time use card I bought at the drug store. Say I put $300 in it and use $100. That could probably be hacked and I would lose the $200 because it's not through a bank therefore no fraud protection?

Now I'm wondering is PayPal even safe? I have my debit card attached to that. Maybe I should take that off?

Good to know about the HTTPS. I was always told that was safe. How do you verify the SSL certificate?


It wouldn't compromise because the user has access to your credit/debit card, not your actual bank account. They have no control over transfers and withdrawals. Only withdrawals using the card.

Also. This might be a little old, but here's some guide to checking SSL validity.
Check validity of SSL Certificate
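As an illustration of what such a check involves (an added example, not part of the original thread or of the linked guide): Python's standard `ssl` module performs the same verification a browser does, rejecting a certificate that does not chain to a trusted CA or does not match the host name, and then exposes the issuer, covered names and expiry that a person would inspect by eye. The host `shop.example`, the CA name and the sample certificate are constructed placeholders.

```python
import socket
import ssl
import time

def flatten(name):
    """getpeercert() gives names as nested tuples; turn one into a dict."""
    return {key: value for rdn in name for key, value in rdn}

def describe(cert, now):
    """Pull out what a person checks by eye: who the certificate was issued
    to, which CA issued it, which host names it covers, and days left."""
    subject, issuer = flatten(cert["subject"]), flatten(cert["issuer"])
    seconds_left = ssl.cert_time_to_seconds(cert["notAfter"]) - now
    return {
        "issued_to": subject.get("commonName"),
        "issued_by": issuer.get("organizationName", issuer.get("commonName")),
        "covers": [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"],
        "days_left": int(seconds_left // 86400),
    }

def check_site(host, port=443, timeout=5.0):
    """Connect with default verification: the chain must end at a CA in the
    system trust store and the certificate must match `host`."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                info = describe(tls.getpeercert(), time.time())
                return {"trusted": True, "protocol": tls.version(), **info}
    except ssl.SSLCertVerificationError as exc:
        # A home-made (self-signed) certificate ends up here.
        return {"trusted": False, "reason": exc.verify_message}

# Constructed certificate in the format getpeercert() returns; not a real site.
SAMPLE_CERT = {
    "subject": ((("commonName", "shop.example"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Example Trust CA"),),
               (("commonName", "Example Trust CA R1"),)),
    "notBefore": "Jan  1 00:00:00 2012 GMT",
    "notAfter": "Jan  1 00:00:00 2013 GMT",
    "subjectAltName": (("DNS", "shop.example"), ("DNS", "www.shop.example")),
}

if __name__ == "__main__":
    print(describe(SAMPLE_CERT, ssl.cert_time_to_seconds("Dec  2 00:00:00 2012 GMT")))
```

A result of `trusted: True` only says the connection reached the named site over an encrypted channel; as noted earlier in the thread, it says nothing about how the site stores card data afterwards.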
 

nanovapr

Ultra Member
ECF Veteran
Jun 15, 2011
1,013
727
Catatonic State, USA
127.0.0.1
If you get a call from 800.327.8622 don't ignore it. That is a 3rd party fraud contact company that is hired by many banks and credit unions. I ignore unknown calls, and usually look them up later. I found many people discussing this number online. It is a valid thing, I called my bank, they verified. I called it back, they only asked for my name and the number they originally called me on. As always, your bank will never ask for SS number if they call you.

It was an overseas operator that spoke poor English, which made me suspicious initially.

Them: "Did you spend $6.21 at McDonalds on <time/date> at <location near me>?"
Me: "Probably"
Them: "Did you spend $21.23 at <grocery store near me> on <time/date>?"
Me: "Probably"
Them: "Did you spend $1400 at <some clothing store in England>?"
Me: "! ! ! !"

They froze my account right then. The bank was gracious, got the charges disputed, new number in a week.
 

priorities

Resting in Peace
ECF Veteran
Apr 10, 2012
25,467
62,648
wherever my daydreams take me
Thank you for starting this thread...great info that everyone should be aware of..so sorry it happened to you...take care..Lee
 

AttyPops

Vaping Master
ECF Veteran
Jul 8, 2010
8,708
134,404
Hc Svnt Dracones - USA EST
...<snip>
Wouldn't that be just as dangerous because if you transfer between accounts they would then have access to both?

Which also now makes me wonder about the one time use card I bought at the drug store. Say I put $300 in it and use $100. That could probably be hacked and I would lose the $200 because it's not through a bank therefore no fraud protection?

No... assuming the 2nd account is not auto-funded. It's just a 2nd checking account that you have. You can transfer between them, but THE CARD WOULD BE SETUP TO ONLY BE TIED TO THE 2ND ACCOUNT...(not both). The 2nd account would normally have a zero, or very low balance. That's the rub. Card only on 2nd account/not auto funded.

Just a note to those above: auto-funding any of these solutions from your main account is a BAD IDEA. You don't want it to automatically give the crooks extra cash available! That's why I'm trying for a "fund as you go" approach. Limits my exposure (on that particular card anyway). I figure out what it will cost, but don't "checkout" yet.... go to bank, transfer enough to cover it into on-line-card-account. Then "checkout" at vendor.

I asked my bank about other options. I can get free gift cards, but they are not reloadable and I'd have to get one each month for vaping supplies. The 2nd account idea would cost me $7.00 ish a month unless a certain #/amount of deposits and checks go through it. Bummer. IDK. Still thinking.
 

Jackiej5407

Super Member
ECF Veteran
Verified Member
Jun 27, 2011
360
185
Houston, TX
Mookie ... I would also like to thank you from the bottom of my heart for starting this thread! I had never (stupidly) thought about cc/debit card fraud, even though I've been using both MANY times online since I began vaping. I shudder to think how catastrophic it would've been to hack any of my online purchases.

Thanks to you, I've just signed up for an AmEx prepaid card, and will ONLY use it for online purchases going forward.

Bless you for thinking of protecting this wonderful Vaping Community!!!
 

AttyPops

Vaping Master
ECF Veteran
Jul 8, 2010
8,708
134,404
Hc Svnt Dracones - USA EST
Good Idea Jackiej5407! If you have used your card a lot online, you may wish to have them deactivate the old one (that you have used online) and issue you a new one just to be safe... even though you are changing over to the pre-paid for the future. I think that the pro scammers wait a while (and also try random hits for expiration date and ccv) and then eventually "hit" you. So, it can be that something you've already used is compromised, but not "hit" yet.... can happen months later.
 

Mookie

Ultra Member
ECF Veteran
Verified Member
Dec 18, 2011
1,872
4,491
Rochester, NY
@Jackie - Thank you for your kind words.

After thinking this all through this is what I'm thinking of doing from now on. I did buy a prepaid card but then realized that isn't protected from fraud like a bank issued cc is. So I'm using that one up and ditching it. Both my cc's that were hacked are from my bank so they are being replaced. I'm only going to use cc's for my regular shopping. From now on I'm only going to use my debit card at the bank. I have another cc that isn't from my bank and I reported it lost and requested a new number. I'm going to use that for on-line purchases only because it isn't connected to my bank. So now I will have all new cards that won't be connected to the recent massive hacking problems. I don't know if that really matters or makes sense but it feels right for now. The truth is credit is never really safe anywhere. We're just talking about it here because we have this vaping forum to support each other.

But, like you, I hadn't really been paying enough attention. I went in to all of my accounts online (PayPal, Amazon, Netflix, etc.) and deleted all of my cards yesterday. I was so stupid I even had my debit card listed at a couple of places!
 

Shining Wit

Unregistered Supplier
ECF Veteran
Oct 11, 2008
1,242
187
North of England UK
www.flavourart.co.uk
Forgive me if I missed it when I read through this thread quickly, but if everyone used 3D Secure, Verified by Visa, or the equivalent, it would prevent a lot of fraudulent use. For those who are not signed up for it: it is a service from your Credit or Debit Card provider that interrupts any online transaction by requesting 3 random characters from an 8 character password which is set by you when registering for the service. This offers two way protection as it also prevents chargeback claims of 'unauthorised use' - the card requires a password only known by the owner, so if the password is used it is either the owner or an extremely lucky guess.
The drawback at the moment is that although it was mooted that all online merchants (in fact any seller without a chip and pin facility) would have to register for this system by the end of 2011, it wasn't made compulsory. If all automated non-chip + pin transactions on Credit or Debit Cards required three randomly generated characters from your password it would greatly reduce fraud. Vendors who might oppose the idea now would be registered in a flash if it looked like they might lose sales by ignoring it.
This thing about trusting your card details to someone you have never met and are only dealing with online or over the phone is a key issue, as once those details have left your possession they could be used by anyone anywhere. Adding a layer of unique personal verification is one good step toward closing the loophole.
You wouldn't stash your cash in a field somewhere and hope no-one found it, would you? :)

John
 