Credit card fraud - Weak online retailer security?

booneruk

Hi all,

I was flicking through my various credit card transactions this morning and spotted a pending transaction that I did not recognise at all on a card that I don't use any more (zero balance for months). The vendor was END. Clothing, which appears to be a funky youth clothing and trainers store.

I phoned Halifax fraud immediately and was taken through a number of attempted transactions (various Hotels, Justeat, Cinemas etc) across the last week. These were all online transaction transactions.

Aside from my disappointment that the Halifax app didn't notify me of any of this (I need to check if there are some alerts I can turn on), I find myself wondering how an order was successfully placed at END Clothing. Is it a case of their online store not being sufficiently secure and not using tech such as Verified By Visa, and perhaps not asking for the CVV number or even expiry date? I'd assume an online store would do the sensible thing of checking delivery address against registered card address too.

I know credit card numbers can be generated, with mathematics that can verify the number as potentially valid, but to guess my card number and expiry date/CVV would be a bit of a long shot surely?

I'm not out of pocket, this transaction has been refunded, card cancelled with a replacement being dispatched. I just find it a bit baffling.

Thumbs up to Halifax, the call was relatively painless.

Over and out.

born_again

As you have found out it is a painless process, just frustrating when it happens.

Odds on another retailer you have used has been compromised & your card details retrieved. 

VbV or 2FA as it is now only kicks in at certain transactions, not all. 

blue.peter

Yes, it ought to be a painless process. Sadly, it isn't always so.

Some years ago (about 2008, I think it was) I had a Halifax Amazon card. One morning, I logged in and found five fraudulent transactions of £100 each. Halifax were OK about refunding the original £500, but I got mired in a related issue. Because these transactions were online gambling, they were treated as cash advances, and I got stiffed for the associated fees and interest. I was also given information about this that later turned out to be incorrect. This all developed into a formal complaint. I did eventually win, but it was a lot of hassle.

DullGreyGuy

Its been a few years since I did any work on payments systems but certainly back then large retailers had choices, they could go all in on the security and get the lowest transaction fee or choose not to use certain features and pay a higher transaction fee. Rumour had it that some could even argue their own systems provided security and not be as heavily penalised for not having the standard options (Amazon was one in this camp). 

Clearly if they sell to fraudulent transactions then in the first instance they'll lose the goods, have to pay a chargeback fee and could see fees increase if the level of chargebacks are beyond the acceptable range. 

PRAISETHESUN

I had something similar happen last year with an unused Lloyds card. I had transaction alerts turned on so I got a notification about it, but Lloyds told me they couldn't actually act on it until the transaction had actually cleared. It got sorted eventually, but like you I ultimately wondered how they got the card details given I'd only ever used that card for a one-off BT deal years prior.

Smartest thing to do in mind my mind to help avoid these sort of problems is to freeze unused cards and turn on transaction alerts - most banks let you do this through online banking or in their app. The extra few minutes it takes to unfreeze card if you have to use it legitimately is nothing compared to the hassle of getting fraudulent transactions reversed.