Highly unusual RBS credit card fraud

pcbbc · 22 April 2021 at 2:56PM

In early 2018 I received a replacement credit card, which was issued by RBS who took over the Mint business. This new card was immediately cut up and returned to RBS, never having being used anywhere. In fact even I did not take note of the new card number (although I know it was different from the Mint one), let alone expiry date or CVV2.

No purchases were made with the card for 3 years. Then suddenly in January 2021 a fraudulent Amazon purchase for £28.86 appears on my statement. Upon querying this RBS hinted that they knew exactly what had happened, and immediately refunded the transaction.

Ignoring the fact that I should have cancelled the card in the first instance...

How can it be possible for a card that was never used "in the wild", and without known expiry or CVV2, to be compromised? RBS are remaining very tight lipped on the matter stating only "ongoing investigations".

[Deleted User] · 22 April 2021 at 3:00PM

It's not uncommon. Thousands of combinations of numbers are tried until one gets through.

RBS won't tell you any more.

TVAS · 22 April 2021 at 4:05PM

Inside job? Unlikely to have waited for 3 years to commit the fraud. Weird.

pcbbc · 22 April 2021 at 4:10PM

The card issuers got wise to that game a long time ago. They not longer issue sequentially incrementing card numbers to successive accounts. So given a valid card number you can't "guess" a set of other valid cards simply by adding 1 and calculating the Luhn. The search space to hit on a valid card by chance is vast, and then you have to factor in "guessing" of other checks made for online purchases (expiry, CVV2, etc).

They may try many transactions as you say, but those will all be with known card numbers from some data breach of card numbers (from your local petrol station used to be a favourite). The interesting thing about this is that only myself and RBS should have had access to the details.

pcbbc · 23 April 2021 at 10:23AM

TVAS said:

Inside job? Unlikely to have waited for 3 years to commit the fraud. Weird.

Yes, my guess is that some inside information must have been provided as the card details should have been known only to myself and RBS.

So I don't think that this was in any way related to me cutting up and returning the original card 3 years previously. But the fact that I did raises some very grave concerns about the source of the account details necessary to conduct this fraud.

Regrettably it seems neither Action Fraud not the ISO are interested in pursuing this further.

eskbanker · 23 April 2021 at 11:59AM

Contrary to the thread title, this really isn't "highly unusual" at all - just search the forum for all the similar reports of otherwise-unused cards being used in similar ways (low-value online purchases), Deliveroo being a popular choice and a suitable candidate for a search.

These threads do usually feature cardholders who remain convinced that the only explanation is some sort of 'inside job', despite the odds of this being vanishingly infinitesimal, and the fundamental question remains: why would anyone with inside information participate in a scheme with such high risks but tiny rewards?

It's obviously difficult to prove one way or the other but zx81's explanation has to be favourite, i.e. brute force guessing of card numbers (and associated expiry/CVV data), which doesn't have to have any correlation with known numbers in the way implied above....

mustiuc · 23 April 2021 at 2:24PM

I have the exact problem. CC been used last time 2 months ago, prior to that unused for more than 6 mths. Found after 4 days from the "transaction" date a payment to "amazon * random numbers and letters". Got in touch with CC customer service, froze my account, issued another card, on going investigation. No one contacted me since - apparently they have 21 days to respond.
Very weird as the only card to be vulnerable for me would be the debit card/account... Which looks like a war zone, payments after payments everywhere and to anyone (online and/or retail).
£25.50 been spent, my amazon account/services been used in feb-mar last time. Customer services were still insisting maybe I've done an order and i forgot about it despite telling them multiple times I'm not a fan of amazon shopping and I know exactly what I do in my life and where my money goes each time.
I won't be surprised to be refunded but no explanation to be given.

born_again · 23 April 2021 at 7:24PM

mustiuc said:

I have the exact problem. CC been used last time 2 months ago, prior to that unused for more than 6 mths. Found after 4 days from the "transaction" date a payment to "amazon * random numbers and letters". Got in touch with CC customer service, froze my account, issued another card, on going investigation.

Most card compromises happen a long time ago. If someone takes a lot of card details, they then sell them on (dark Web) in batches. So in many cases it can be years before a lot surface.
If they have expired, they just change the exp date, as they are pretty easy to guess. Replacement cards mostly have the same card no. CVV is not used for most fraud.
Think back to the BA compromise in 2018. We had to cancel Thousands of cards, not one with fraud on it. Started to see in in the security system about a year later. Of course all declined as stopped cards.

phillw · 23 April 2021 at 10:47PM

pcbbc said:

and then you have to factor in "guessing" of other checks made for online purchases (expiry, CVV2, etc).

Has Amazon started requiring CVV yet?

If you control a large bot net then running random card numbers and expiry dates through amazon should be pretty simple.