Thief ordered a takeaway using my current account details, card kept in a safe since it was issued.

greekpig

Hello Yorkshire_Pud and all.
On Sunday 14th March I was contacted via my mobile by Lloyds (defo a legit Lloyds call - I gave no personal info and phoned them back using the number on the back of the card via my landline) to inform me that there had been payments from a card in my name, with one transaction from Deliveroo. I'm in a similar situation to yours. I have a Lloyds account that I opened in February 2020 to be used with a will trust (the intention is to hardly ever use it), so although the card was used fraudulently the physical card was still gummed to the Lloyds paper it came with (so the 3 digits had never been read from the rear of the card), the PIN notification remains unopened, and the card had never been activated. The card and the PIN letter were carefully filed away.
I am mystified to think how on earth this card was used fraudulently, but Lloyds reported that it was, and so I got a replacement card in the post.
On the few days leading to this incident, I received a suspicious call on my mobile which I think was saying that I was at risk from fraud and I was put through to an "officer", but there was no organisation name given so I put the phone down immediately. The call appeared to come from a mobile number, which also made me think it was 100% a scam. I received a similar call to my landline where a message was left, and have not received such calls before or since. I'm left thinking - was this part of the scam? Whatever, apart from answering the mobile, not giving any personal details and terminating the call rapidly, there is nothing they got from me at all to identify me or the account.
How can this happen? If an unactivated and never-used card can be used fraudulently, then this presumably means that all cards are at risk and we are all at risk, whatever their status or however careful we are.
I've called the FCA to see if they would like to investigate, but they have no interest.
All payments were removed from the account so I've lost nothing apart from my faith in the banking system.
What do you think?
Thanks.

colsten

p00hsticks said:

They should NEVER be storing the CVV - that's strictly against the the card issuer rules.

They must be storing it as you don't need to enter it after the initial purchase.

BTW, Amazon are not on their own. I just deposited £20K into my iWeb account, using the stored debit card details. I wasn't asked for a CVV, so I assume they stored it when I originally set up the payment method.

General_Grant

greekpig said:

Hello Yorkshire_Pud and all.
On Sunday 14th March I was contacted via my mobile by Lloyds (defo a legit Lloyds call - I gave no personal info and phoned them back using the number on the back of the card via my landline) to inform me that there had been payments from a card in my name, with one transaction from Deliveroo. I'm in a similar situation to yours. I have a Lloyds account that I opened in February 2020 to be used with a will trust (the intention is to hardly ever use it), so although the card was used fraudulently the physical card was still gummed to the Lloyds paper it came with (so the 3 digits had never been read from the rear of the card), the PIN notification remains unopened, and the card had never been activated. The card and the PIN letter were carefully filed away.
I am mystified to think how on earth this card was used fraudulently, but Lloyds reported that it was, and so I got a replacement card in the post.
On the few days leading to this incident, I received a suspicious call on my mobile which I think was saying that I was at risk from fraud and I was put through to an "officer", but there was no organisation name given so I put the phone down immediately. The call appeared to come from a mobile number, which also made me think it was 100% a scam. I received a similar call to my landline where a message was left, and have not received such calls before or since. I'm left thinking - was this part of the scam? Whatever, apart from answering the mobile, not giving any personal details and terminating the call rapidly, there is nothing they got from me at all to identify me or the account.
How can this happen? If an unactivated and never-used card can be used fraudulently, then this presumably means that all cards are at risk and we are all at risk, whatever their status or however careful we are.
I've called the FCA to see if they would like to investigate, but they have no interest.
All payments were removed from the account so I've lost nothing apart from my faith in the banking system.
What do you think?
Thanks.

So a burglar gaining access to wherever you stored these physical items would have the card and PIN and could activate the card for their use.

nick74

colsten said:

p00hsticks said:

They should NEVER be storing the CVV - that's strictly against the the card issuer rules.

They must be storing it as you don't need to enter it after the initial purchase.

BTW, Amazon are not on their own. I just deposited £20K into my iWeb account, using the stored debit card details. I wasn't asked for a CVV, so I assume they stored it when I originally set up the payment method.

They don't store the CVV, some retailers have an agreement with their payment processor that once a cardholder has successfully entered the correct CVV for the first purchase on the card any subsequent purchases with that card at the same retailer don't require a CVV at all.
Giffgaff for example do this. I have put it to the test, in that the first topup with Giffgaff requires the correct CVV to be entered, but then with any subsequent topups you can enter any random 3 digits you like in the CVV box and the payment will still go through!

greekpig

Hi General_Grant.
A possible theory, but the PIN letter remains unopened, the card and pin remain filed away effectively hidden, and we haven't been burgled. 

onthebench

Chino said:

Yorkshire_Pud said:

During my searching for facts it’s surprising how many just eat and deliveroo fraud orders are made! Alan Davies the Jonathan Creek actor was scammed about a week ago firstly the Royal Mail pay £2.99 type delivery scam where he gave his card details to pay the ‘fee’ and then a further scam on the back of the first scam where an order to just eat was made for circa £30. Story in the express.

In your search for facts, you misread the amount of the claimed "fee" - it was £1.99, not £2.99. There's also no mention that the actor provided his card details. There's also no claim that an order of "circa £30" was placed; that was merely the actor's speculation about what might have happened next.
https://www.express.co.uk/celebrity-news/1413547/Jonathan-Creek-Alan-Davies-twitter-royal-mail-scam-warning-news-latest-update

In the version of this scam I heard, the scammers phone the victim pretending to be their bank, asking whether they have recently responded to a message pretending to be from Royal Mail.
When the victim says yes, the "bank" tells them that their account has been compromised and the bank will provide them with a new account number and sort code. So in order to activate this change, the victim must transfer all the funds from their account into their "new" account number. (And three guesses who that account number really belongs to...)

General_Grant

greekpig said:

Hi General_Grant.
A possible theory, but the PIN letter remains unopened, the card and pin remain filed away effectively hidden, and we haven't been burgled. 

I wasn't suggesting that that is what happened but rather questioning whether it was a good idea to provide such a route for fraud to be committed.

robatwork

greekpig said:

Hello Yorkshire_Pud and all.
On Sunday 14th March I was contacted via my mobile by Lloyds (defo a legit Lloyds call - I gave no personal info and phoned them back using the number on the back of the card via my landline) to inform me that there had been payments from a card in my name, with one transaction from Deliveroo. I'm in a similar situation to yours. I have a Lloyds account that I opened in February 2020 to be used with a will trust (the intention is to hardly ever use it), so although the card was used fraudulently the physical card was still gummed to the Lloyds paper it came with (so the 3 digits had never been read from the rear of the card), the PIN notification remains unopened, and the card had never been activated. The card and the PIN letter were carefully filed away.
I am mystified to think how on earth this card was used fraudulently, but Lloyds reported that it was, and so I got a replacement card in the post.
On the few days leading to this incident, I received a suspicious call on my mobile which I think was saying that I was at risk from fraud and I was put through to an "officer", but there was no organisation name given so I put the phone down immediately. The call appeared to come from a mobile number, which also made me think it was 100% a scam. I received a similar call to my landline where a message was left, and have not received such calls before or since. I'm left thinking - was this part of the scam? Whatever, apart from answering the mobile, not giving any personal details and terminating the call rapidly, there is nothing they got from me at all to identify me or the account.
How can this happen? If an unactivated and never-used card can be used fraudulently, then this presumably means that all cards are at risk and we are all at risk, whatever their status or however careful we are.
I've called the FCA to see if they would like to investigate, but they have no interest.
All payments were removed from the account so I've lost nothing apart from my faith in the banking system.
What do you think?
Thanks.

If your post is taken at face value, and no real reason to think you're making it up or deluded (but just for info, people on this forum are rightly sceptical about newcomers so would prefer if you had a few years of posting behind you), then this once again would point to an inside job. Someone at the bank has inadvertently or deliberately leaked your details. 

Also possible is that someone in your household has the details. 

Nothing else makes much sense. 

eskbanker

robatwork said:
If your post is taken at face value, and no real reason to think you're making it up or deluded (but just for info, people on this forum are rightly sceptical about newcomers so would prefer if you had a few years of posting behind you), then this once again would point to an inside job. Someone at the bank has inadvertently or deliberately leaked your details. 

Also possible is that someone in your household has the details. 

Nothing else makes much sense. 

An alternative (and more likely IMHO) explanation is fraudsters generating valid card numbers (from longer lists of potential numbers) via brute force modelling - I can't recall if it was on this thread but I pointed out recently that if there really was an inside job, it would be exploited in a far more productive way than ordering low-value takeaway food from Deliveroo....

Edit: yes, it was this thread: https://forums.moneysavingexpert.com/discussion/comment/78200098/#Comment_78200098

robatwork

eskbanker said:

robatwork said:
If your post is taken at face value, and no real reason to think you're making it up or deluded (but just for info, people on this forum are rightly sceptical about newcomers so would prefer if you had a few years of posting behind you), then this once again would point to an inside job. Someone at the bank has inadvertently or deliberately leaked your details. 

Also possible is that someone in your household has the details. 

Nothing else makes much sense. 

An alternative (and more likely IMHO) explanation is fraudsters generating valid card numbers (from longer lists of potential numbers) via brute force modelling - I can't recall if it was on this thread but I pointed out recently that if there really was an inside job, it would be exploited in a far more productive way than ordering low-value takeaway food from Deliveroo....

Edit: yes, it was this thread: https://forums.moneysavingexpert.com/discussion/comment/78200098/#Comment_78200098

Interesting but can you explain the mechanism for this?  So anyone can generate a valid number, but once I have that, I don't have any related info that I would need even for a low value transaction like Deliveroo. I don't have the expiry dates - albeit not hard to brute force, and I don't have the name, address or CVV. I can't order on Deliveroo without CVV.