Credit Card Fraud - my card was used fraudulently, how might it have happened?

Tunstallstoven

Hi all

I was recently the victim of credit card fraud.  I live in a no-mobile-signal area, but I was visiting family last Thursday and received a text from Halifax saying a transaction had been declined, etc.  Lucky I was in signal!  I wasn't sure if it was spam, so I logged in and - lo and behold - the transaction in question was sitting in pending.  But then to my shock, I noticed 6 payments that had gone through successfully, one of which was 6 weeks old!  

Halifax were very helpful and refunded the money.  However, they did say that at their end they could see 4 pages worth of declined payments spanning back to the beginning of April.  I am quite shocked that they did not try to contact me in all this time. 

It has left me feeling a little stressed and vulnerable.  Most of all I'd like to know how the fraudsters might have managed to get my details.  I don't use the card often.  In the last 18 months, I have only used it to pay 7 different companies.  Aside from Paypal. I don't have my card details registered/saved on any websites.  I don't use it at cash machines, nor in physical stores.  What are the usual ways in which people can get enough card details to be able to use it fraudulently? 

Many thanks 

[Deleted User]

Physical breach, insecure devices, malware, hacking, data breaches, brute force, etc. The cause is often close to home, more often than not.

Tunstallstoven

Thanks for the quick reply.  

I'm quite a recluse at the best of times, so since covid I barely leave the home (except for work which is totally safe).  I think that therefore rules some of those out.  

Seeing as I haven't used the card physically for 2+ years (maybe more), does that narrow it down to:  

- My PC has been hacked / has malware that is able to steal my details when I put them in to a website
- A website that holds my details has had a data breach.  I'm not sure how companies keep one's details, but as far as I know Paypal are the only ones where I have the card details saved.  

Is that a logical conclusion?  Is it almost certain that I'll never get tot he bottom of it, or will enough digging get me somewhere so I at least know through which route the details were stolen?  

Ta

[Deleted User]

It doesn't really rule out any of the routes. Your details could have been stolen either physically or remotely sometime ago and only recently been put up for sale.

Unless you find specific malware, a company tells you that your data was breached or a family member or work colleague owns up, you won't find out.

FaceHead

When the BA data breech happended it was through a malicious advert which was on their website and exploiting a vulnerability in their website.  It harvested payment details and the point of use, rather than by stealing stored details. 

Just because the websites don't store the details doesn't mean the website can't be compromised and the details stolen in real time. 

Given the loads of declined transactions, it's likely the fraudster had only partial information and, for example, needed to guess the address or CVV. I had fraud against my Amex once, and I'm convinced the source of it was someone taking a photo of it, as the CVV on an amex is on the front. 

Tunstallstoven

Hi

Thanks again for the replies and help.

Deleted_User said:

It doesn't really rule out any of the routes. Your details could have been stolen either physically or remotely sometime ago and only recently been put up for sale.

Do fraudsters sometimes hold onto details for several years?  Is that common practise?  I guess not or else the card might have expired by then!  I presume they sometimes wait so that the theft is more difficult to track back?  Or are there other reasons too?

Deleted_User said:

Unless you find specific malware, a company tells you that your data was breached or a family member or work colleague owns up, you won't find out.

I regularly check my PC for malware etc and have not found any.  So unless it is well hidden...  Family members I barely see, and I have no work colleagues.  

FaceHead said:

When the BA data breech happended it was through a malicious advert which was on their website and exploiting a vulnerability in their website.  It harvested payment details and the point of use, rather than by stealing stored details. 

Actually, you've just reminded me...  I did buy BA tickets using the card!  But that was in June 2019.  From what I can see the breach was in 2018 so I guess not related.  

FaceHead said:

Just because the websites don't store the details doesn't mean the website can't be compromised and the details stolen in real time. 

That makes sense that details can be taken in real time.  If that happened due to a website being hacked, are the company likely to know about it by now?  Seeing as I only used it for a handful of companies in the last 18 months, I have contacted them all to ask if they know of any data breaches.  I could do the same for companies used more than 18 months ago?? 

Is there any chance the details could have been taken from PayPal?  Should I contact them about it?

FaceHead said:

Given the loads of declined transactions, it's likely the fraudster had only partial information and, for example, needed to guess the address or CVV. I had fraud against my Amex once, and I'm convinced the source of it was someone taking a photo of it, as the CVV on an amex is on the front. 

That makes sense, expect that if they were purely guessing the CVV it seems unlikely they would have got it right 6 times.  Also, what's strange is that the first successful use was at the beginning of April and the others last week.... 

Cheers 

[Deleted User]

Seagull27 said:

Hi

Thanks again for the replies and help.

Deleted_User said:

It doesn't really rule out any of the routes. Your details could have been stolen either physically or remotely sometime ago and only recently been put up for sale.

Do fraudsters sometimes hold onto details for several years?  Is that common practise?  

Yes. The people who steal card details are not usually the ones who use them. They're different specialisms.

They'll be sold in large batches, some are used, sold on again and so on.

datostar

I had fraud on a Santander Debit Card which I had never used since issue over a year previously and which was securely stored at home, never having left there.  They did notify me of a suspicious transaction, blocked several other attempts and refunded the first one.  Now even the banks supposedly don't know PIN numbers but somebody did!  Who prepares the cards and prints off the PIN numbers for despatch to the cardholder?

ThisnotThat

datostar said:

I had fraud on a Santander Debit Card which I had never used since issue over a year previously and which was securely stored at home, never having left there.  They did notify me of a suspicious transaction, blocked several other attempts and refunded the first one.  Now even the banks supposedly don't know PIN numbers but somebody did!  Who prepares the cards and prints off the PIN numbers for despatch to the cardholder?

Third parties produce the cards, but even if a third party company produced both the card and the PIN slip it would almost certainly not be the same one.

How was the card used?  Unless it was in-person a PIN would not have been used and I'm certain that those third parties who produce the cards don't have enough access to "reproduce" an already produced card, which would be the only way for someone working there to knock out a working Chip & Pin card.