Credit Card Fraud

[familiarstranger]

When it comes to protecting your self online (if you feel unsure about the merchant) the best solution has been mentioned a few times. The virtual, temporary, or online card number is king. I set the expiration date for month and do any risky business on this card. A changing card number can be a hassle, so for large merchants I still store my normal card number (ie Amazon, utility companies, paypal, etc)

If you don't have a credit card that offers this feature then the best tools you have are judgement and reputation. Know who you do business with. It is also not a bad idea to have your card reissued once every 18-24 months. Try to do it in a month other than the one your current card expires on to further protect yourself. Every time you change your exp. date your CVV changes as well.

Keep in mind that unfortunately online is just one of the many ways fraudsters obtain information, so finding out how your card issuer handles fraud is very important. Find out if you have fraud monitoring on your card, find out if they hold you liable for any amount, and for debit cards find out if they offer provisional credit.

How about telling us how you personally handle your credit cards to lower risk?

 

[spider362]

I use a ShopSafe (virtual) CC number on every online purchase. The amount of time it takes to get a new number is MUCH less than the amount of time it takes to straighten out a mess on your real number.

ShopSafe rocks!!!!!

 

[Hondo69]

Ironically, the credit card companies charged merchants $80 a pop at the first of the year for “security improvements”. Within a few months, they had been hacked. As a merchant, I’ve prepared a little love note for our beloved credit card companies . . .

Look, it’s your job to provide security. That’s why we pay you billions of dollars a year.

Don’t sluff off on your job, then all of sudden decide to do it correctly and then bill me $80 for the trouble. You’re not the government so don’t think you can screw me to the wall then send me a bill for the screwing. If I want to get screwed I have better options.

Now go do your job!

 

[TheBlueAdept]

Ummm... no 'puter whiz here, but I have read that the o-s method can still be 'captured'. Any 'xperts out dere?

No matter how you enter text on a windows machine, at a low level they still get translated into keypress or other events that can also be intercepted. There is no defense except avoiding the malware in the first place via good software kept up to date and safe browsing/email habits.

Finally, the internet stack is vulnerable too, so they can peek at all data posted to a webpage.

Sent from my phone; Please excuse typos / autocorrections.

 

[gordong11]

This just happened to me, I don't want to single out possible vendors but I am so ....... $200 plus in fraud charges in the last 3 days . DO NOT USE BANK CARDS, unless you at very trusted website. Obviously large companies is less chance than a mom and pop type store.

Phone charges, video game charges etc are the major culprits. A few jerks have spoil it for everyone.

 

[PONKAW]

Yup got stung today too.
I have only used this card at a couple of vaping sites.
I saw a $350 carge to a national box store.
Cancled the card and called the companys fraud division.
Someone had all my info and ordered a large item that was supposed to be shipped to a state i haven't been to in 20 years.

The throw away cards sounds like the way to go now. Ugh.

Don

 

[Big Screen D]

I can personally attest that a hacked CC is a complete PIA. I actually was notified of suspicious activity while on vacation! Good thing I had funds available through my debit card, or I would have been in a real fix. To make matters worse, my AMEX card had expired at the end of May, and since I hadn't used it in a long time, I hadn't noticed.

This was last Thursday, and I still haven't received the new card. I have five different bills that are on auto pilot with this card, and I can not reauthorize these bills until I receive the new card. Sigh.

In light of this, I had my bank issue me a separate card today that will only be used for online purchases. At least when the new card is compromised, I'll still have a good one in place.

Good news is, while a hassle, we should keep in mind that cardholders are not responsible for any fraudulent charges due to online purchases, and is limited to $50 (if memory serves) to cards presented in person so long as notice of fraud is given to the lender promptly.

3 big credit card data breach secrets- MSN Money

Under the Fair Credit Billing Act, which protects consumers in the case of credit card fraud, federal law limits liability for fraudulent charges to $50 in most cases. But if the card is not presented in the actual transaction -- i.e., the card number is stolen and used online -- then cardholders aren't responsible for any fraudulent charges.



Debit cards are covered by a different law, the Electronic Funds Transfer Act (.pdf file). Under the EFTA, consumers have no liability for unauthorized access when the card (or "access device") was not lost or stolen.



I am not implying that card issuers would try to hold consumers liable for fraudulent transactions as the result of a data breach. But cardholders who do run into any problems as the result of one should realize that federal law is on their side.

 

[gordong11]

Keep in mind that even if the website has a secure website, some sites may have a relay system. This is when you put the cc info in the secure website but instead of it being processed online, the store gets the info and manually enters it into a credit card machine in store, or online via quickbooks or similar. This opens up things to bad employees or bad secondary processing. Most vapor shops will have this type of system in place to process cards. I know this because my durable goods store i work at, does it this way, and know most especially small shops do as well. I have access to every order & cc info and im usually the one doing the processing through quickbooks. This is a federal offense to steal CC info and most people aren't that stupid and are honest.

Added: it can be easy to tell if a secondary system is in place. there will be no processing delay just after placing the order (usually lasts around 10 seconds after pressing submit), and/or you will get a confirmation email just after the order (no delay after pressing submit, thank you page loads instanly), and then another processed email at a later time, before the shipped email.

 

[RayN]

Keep in mind that even if the website has a secure website, some sites may have a relay system. This is when you put the cc info in the secure website but instead of it being processed online, the store gets the info and manually enters it into a credit card machine in store, or online via quickbooks or similar. This opens up things to bad employees or bad secondary processing. Most vapor shops will have this type of system in place to process cards. I know this because my durable goods store i work at, does it this way, and know most especially small shops do as well. I have access to every order & cc info and im usually the one doing the processing through quickbooks. This is a federal offense to steal CC info and most people aren't that stupid and are honest.

Added: it can be easy to tell if a secondary system is in place. there will be no processing delay just after placing the order (usually lasts around 10 seconds after pressing submit), and/or you will get a confirmation email just after the order (no delay after pressing submit, thank you page loads instanly), and then another processed email at a later time, before the shipped email.

A "Processing" e-mail doesn't mean the person has access to your data. I send out processed notices all the time. It's a built in function of the shopping cart software. I update an order to processing status once I've pulled the paperwork, then update to shipped when it's shipped.

 

[Stinknugget]

I believe the biggest risk for personal data (financial) is in the collections industry. Most credit card companies utilize 3rd party collection agencies if you default long enough and furnish them with all of your personal information. Ofcourse they are audited but it is usually VERY lax and the 3rd party agency knows well in advance to prep.

Me, i stick with paypal. Never had a problem.

 

[jamie]

Hit again here too. Over 16 years of purchasing online with ZERO problems, then I start buying ecigs and now 3 times have to cancel cards for fraud - ONLY cards that have been used for ecig purchases.

 

[Rick_H]

There seems to be several active threads on this and it seems to be a real issue in the e-cig community. Sure would be nice if they were grouped together some how.

I too was just hit. I do agree that there are other options to protect one's self but we do put trust in our e-cig vendors, especially the ones represented here at the forum. Fortunately for me (or us), I only purchased from one e-cig vendor with this card prior to getting hit. I am trying to verify this vendor against other people's suspected vendors so we have more conclusive information to provide. I'm hoping it's not so much the vendor as a bad employee or the CC processing company they are using. I have called and emailed the one from my card but have not received a response as of yet.

Will definitely keep you all apprised.

Rick

 

[Vego]

I was hit for the first time last month for $100. Credit card co. is doing an investigation and I hope to be relieved of those charges. Only use that card for e-cig stuff. I'm going to get a SmartAccess pre-paid card and use only that from now on for all my e-cig purchases. Beware folks, there's preditors lurking about.

 

[supergerbil]

A while back I opened an e-checking (the free one at most major US banks) account at different bank than the one I normally use. No overdraft protection so if the charge is over the amount in the account it is rejected. I physically deposit the $$$ in the account everytime I know I will need to make a purchase so there is no link online to any of my other accounts. Yes it is a pain to have to make a deposit every time I want to order vaping gear but on the plus side if the account number gets jacked there is nothing to steal.

 

[yoSouth]

A while back I opened an e-checking (the free one at most major US banks) account at different bank than the one I normally use. No overdraft protection so if the charge is over the amount in the account it is rejected. I physically deposit the $$$ in the account everytime I know I will need to make a purchase so there is no link online to any of my other accounts. Yes it is a pain to have to make a deposit every time I want to order vaping gear but on the plus side if the account number gets jacked there is nothing to steal.

This is a really, really good idea. One that I think I am going to do! This hasn't happened to me yet, but since my checking account is my "credit card" (bank-attached card) I don't have to worry about spending money I don't have on a traditional credit card. But I would rather not have to close up my main bank account in the event that my cc# gets stolen or re-routed to some far-flung thug group.

 

[gtrthang]

I haven't had my CC number stolen, but I think I will get a new card number from my bask just to be safe. I have noticed one big issue with several of the e-cig vendors I've bought from and that is passwords.. I have had many of them email me my password after I create my account. This shows me right away that they are storing my password in their database. This should not be done. They should only store a hash of your password, which allows them to validate your password (by hashing the value you provided then comparing the hashes). If they are not storing your password, there is one less thing for a hacker to steal. Hopefully you all use unique passwords on each site you visit. You can also wrap extra characters around your password to make it longer to increase the strength (Instead of password VapingDude1, use 123123123VapingDude1123123123). It is still as easy to remember but a brute force attach would be next to impossible. I also recommend a tool like LastPass to help manage your passwords. Their security is rock solid, just choose a good, long, unique password for the service.

 

[thinkingaboutit]

Secure sites...passwords...etc etc. I work in security. If I wanted your CC number I would get a a job serving tables. FAR easier.

BUT...a hole can get hundreds or thousands of cards from a single merchant. A hole in a processing company would net far more.

I set a spending threshold of $1 with my banks notification system. At the end of each day I get an email summary of all charges over $1. Makes it easy to watch. Throwaway numbers are great also.

 

[Sdh]

A while back I opened an e-checking (the free one at most major US banks) account at different bank than the one I normally use. No overdraft protection so if the charge is over the amount in the account it is rejected. I physically deposit the $$$ in the account everytime I know I will need to make a purchase so there is no link online to any of my other accounts. Yes it is a pain to have to make a deposit every time I want to order vaping gear but on the plus side if the account number gets jacked there is nothing to steal.

Exactly! I have a internet only account. No overdraft protection...I keep nothing in it. I know how to transfer funds so it is the easiest option for me. I recently obtained a letter from a non ecig establishment describing how they were hacked. I was very frustrated that they would not disclose any facts on why my number would be in the database. I still have the same card. The hackers are not going to get a dime. I keep track of everything.

With that being said me & DH had our cards compromized. It was related to the bank itself. Someone hacked into their database. This is part of life. I can get bent out of shape or deal with it rationaly. Things will happen. It is how the event is played out is what matters.

 

[nanovapr]

Think I mentioned it earlier in the thread, a good password is your phone number, while you hold the shift key down. Or your mom's, or any phone number you can remember easily. It's a big string of garbage that certainly won't fall to a dictionary attack, and it's not important enough for the bad guy to take the time of a brute force attack, or use rainbow tables.

 

[Big Screen D]

Secure sites...passwords...etc etc. I work in security. If I wanted your CC number I would get a a job serving tables. FAR easier.

BUT...a hole can get hundreds or thousands of cards from a single merchant. A hole in a processing company would net far more.

I set a spending threshold of $1 with my banks notification system. At the end of each day I get an email summary of all charges over $1. Makes it easy to watch. Throwaway numbers are great also.

Keep in mind though, often a stolen CC# is first tested by charging only $1 first. Then the big purchase/purchases are made.

Good news is so long as one is aware of the fraudulent charge, and promptly notifies the bank, there is no or limited liability for the card holder. So email notification is a good tool.