Debit Card Fraud

RG2015

I recently saw debit card transaction for Amazon on my bank account that I did not recognise. I reported it online and got the following email response.

Your claim is successful
I am pleased to let you know that we will refund you.

When you will get your money
One or more of the fraudulent payments are pending. This means they need to clear your account before we can refund you.

The process was very quick, but my bank balance had been reduced by the payment amount. This was not corrected until the initial payment cleared and the refund was posted four days later.

What does concern me is how this has happened. The transaction was online so how did the fraudster know my name? Surely the 16 digit number that they randomly guessed is not enough on its own to generate a payment.

p00hsticks

RG2015 said:

What does concern me is how this has happened. The transaction was online so how did the fraudster know my name? Surely the 16 digit number that they randomly guessed is not enough on its own to generate a payment.

Why would they need to know your name ? It's not information that's needed for a debit card transaction, online or otherwise.

For an online card transaction there is additional protection for the retailer if they ask for and check with the card issuer the CVV number on the card (to show that the purchaser physically has the card in their possession) and the house number and postcode of the billing address (some retailers will insists that goods are only despatched to the billing address, at least for the first time).

However I don;t think Amazon request either - presumably a market decision that they are prepared to take an increased hit on fraud in order to not force their customers throguh additional hoops - and so for the fraudster the 16 digit number, however obtained, was probably adequate (they may have needed to input the expiry date of the card as well)

Editted to add - if you use your debit card at all I think it's far more likely that somewhere that you've used it has been hacked to provide card number & expiry date or that your card has been skimmed than that the fraudsters have just randomly generated a number

TadleyBaggie

Have you ever given out your card details? If so you might be part of a data beach somewhere.

Happened to me once, someone tried to buy insurance from Direct Line and a computer from HP. Noticed the problem when my available balance was around £600 less than expected and not major transactions had been made. Called the back and was told nothing could be done until the amounts were actually taken. The Direct Line one was take a day or so later, so I reported it as fraudulent and a temporary amount was added to my balance. Some weeks later Direct Line refunded the payment, the bank took back the temporary deposit and I was back to where I should have been. The HP transaction was never taken and dropped off at 7 days or so.

All in all a fairly painless process.

RG2015

p00hsticks said:

RG2015 said:

What does concern me is how this has happened. The transaction was online so how did the fraudster know my name? Surely the 16 digit number that they randomly guessed is not enough on its own to generate a payment.

Why would they need to know your name ? It's not information that's needed for a debit card transaction, online or otherwise.

For an online card transaction there is additional protection for the retailer if they ask for and check with the card issuer the CVV number on the card (to show that the purchaser physically has the card in their possession) and the house number and postcode of the billing address (some retailers will insists that goods are only despatched to the billing address, at least for the first time).

However I don;t think Amazon request either - presumably a market decision that they are prepared to take an increased hit on fraud in order to not force their customers throguh additional hoops - and so for the fraudster the 16 digit number, however obtained, was probably adequate (they may have needed to input the expiry date of the card as well)

Editted to add - if you use your debit card at all I think it's far more likely that somewhere that you've used it has been hacked to provide card number & expiry date or that your card has been skimmed than that the fraudsters have just randomly generated a number

It would be surprising if Amazon did not check the buyer’s name with the card holder’s name.

I suppose that the expiry date was trial and error.

As to being hacked, the debit card has never been used and never even been out of a drawer in my house.

born_again

> Surely the 16 digit number that they randomly guessed is not enough on its own to generate a payment.<

They are not randomly guessed. They are compromised at some point where the card has been used. Amazon do not require CVV or name/address to process any payments.

Was it a purchase or was it a subscription at amazon?

As if card has been previously used there, and the main card has expired. Any subscriptions default to the next listed card. Now that can be for any account the card may have been used on.
It's amazing how many claim fraud on amazon subscriptions & it turns out to be a family member who has the card details in their account.
Not saying that is the case, but worth checking 👍

robatwork

RG2015 said:

p00hsticks said:

RG2015 said:

What does concern me is how this has happened. The transaction was online so how did the fraudster know my name? Surely the 16 digit number that they randomly guessed is not enough on its own to generate a payment.

Why would they need to know your name ? It's not information that's needed for a debit card transaction, online or otherwise.

For an online card transaction there is additional protection for the retailer if they ask for and check with the card issuer the CVV number on the card (to show that the purchaser physically has the card in their possession) and the house number and postcode of the billing address (some retailers will insists that goods are only despatched to the billing address, at least for the first time).

However I don;t think Amazon request either - presumably a market decision that they are prepared to take an increased hit on fraud in order to not force their customers throguh additional hoops - and so for the fraudster the 16 digit number, however obtained, was probably adequate (they may have needed to input the expiry date of the card as well)

Editted to add - if you use your debit card at all I think it's far more likely that somewhere that you've used it has been hacked to provide card number & expiry date or that your card has been skimmed than that the fraudsters have just randomly generated a number

It would be surprising if Amazon did not check the buyer’s name with the card holder’s name.

I suppose that the expiry date was trial and error.

As to being hacked, the debit card has never been used and never even been out of a drawer in my house.

Do you really mean the card had NEVER been used - not even by yourself online with Amazon or any other vendor?

eskbanker

born_again said:

They are not randomly guessed. They are compromised at some point where the card has been used.

OP clarified that:

RG2015 said:
the debit card has never been used and never even been out of a drawer in my house.

My understanding is that numbers are (sometimes) effectively guessed randomly by brute force number-generating attacks....

k_man

Similar discussion here:

https://forums.moneysavingexpert.com/discussion/comment/79633980/#Comment_79633980

While the details may have been compromised elsewhere, the use of Amazon, a retailer that doesn't require CVV, and a card that has never been used online or in person, suggests otherwise.

ETA: so more likely a number generator was used, against a week retailer system to brute force the expiry.

@RG2015, which bank was this with?
My instance was TSB, as was one of the banks in the linked thread, albeit that may just be coincidence.

k_man

Forgot to add, in my instance, card had never been used, including on Amazon. The purchase was on someone else's Amazon account.

I found it on the bank account, as @RG2015 did.

RG2015

born_again said:

> Surely the 16 digit number that they randomly guessed is not enough on its own to generate a payment.<

They are not randomly guessed. They are compromised at some point where the card has been used. Amazon do not require CVV or name/address to process any payments.

1) Was it a purchase or was it a subscription at amazon?

2) As if card has been previously used there, and the main card has expired. Any subscriptions default to the next listed card. Now that can be for any account the card may have been used on.

3) It's amazing how many claim fraud on amazon subscriptions & it turns out to be a family member who has the card details in their account.

4) Not saying that is the case, but worth checking 👍

1) Purchase or subscription? I have no idea. All it has is K*M42MS47N5 , AMAZON.CO.UK GB .

2) and 3) The card has never been used so could not have been compromised

4) Nothing worth checking as the card has never been out of a drawer in my house. 

RG2015

robatwork said:

RG2015 said:

p00hsticks said:

RG2015 said:

What does concern me is how this has happened. The transaction was online so how did the fraudster know my name? Surely the 16 digit number that they randomly guessed is not enough on its own to generate a payment.

Why would they need to know your name ? It's not information that's needed for a debit card transaction, online or otherwise.

For an online card transaction there is additional protection for the retailer if they ask for and check with the card issuer the CVV number on the card (to show that the purchaser physically has the card in their possession) and the house number and postcode of the billing address (some retailers will insists that goods are only despatched to the billing address, at least for the first time).

However I don;t think Amazon request either - presumably a market decision that they are prepared to take an increased hit on fraud in order to not force their customers throguh additional hoops - and so for the fraudster the 16 digit number, however obtained, was probably adequate (they may have needed to input the expiry date of the card as well)

Editted to add - if you use your debit card at all I think it's far more likely that somewhere that you've used it has been hacked to provide card number & expiry date or that your card has been skimmed than that the fraudsters have just randomly generated a number

It would be surprising if Amazon did not check the buyer’s name with the card holder’s name.

I suppose that the expiry date was trial and error.

As to being hacked, the debit card has never been used and never even been out of a drawer in my house.

Do you really mean the card had NEVER been used - not even by yourself online with Amazon or any other vendor?

Yes. I REALLY mean the card has never been used.