Card fraud attempts - is it me?



Comments
-
That is quite a lot of fraud attempts. You're not unique in that, but most people don't experience that many.
Where are you using your cards?
-
Hmm a window into my life.

Before the 1st attempt, every internet purchase was on my credit card. Also my subscriptions to Apple, Amazon and 2 US newspapers. Finally used the credit card for my Just Eat account. One newspaper bills yearly and the other newspaper bills every 4 weeks.

After the 1st attempt I moved all transactions, accounts and subscriptions to my debit card.

Edited to add: after the 2nd fraud attempt, again everything was moved to the debit card until the 3rd credit card arrived.

When the 2nd card arrived, I moved the internet purchases, my Amazon account and my Just Eat account to the new credit card. Apple and the newspaper subscriptions stayed on my debit card. Annoyingly I subscribed for the monthly Ad-free shows on Amazon Prime. This was initially taken from my credit card, then my debit card when I changed the card details. However after receiving the 2nd credit card and changing the card details on my account, the Ad-free service is still taken from my debit card. This may be because I still have the debit card listed as a potential card to use by Amazon but it is not my default card.

Then when the 3rd card arrived, everything that was on the prior credit card moved to the new credit card. The items on my debit card stayed put.

The attempted fraud on my debit card was in dollars and the bank said the attempt was to put a transaction through a restaurant with a Japanese name. Also there was an attempt to add my card to Google Pay. The attempted frauds were at 11:41 UK time. Which means, because of the range of time zones in the US, it could have been happening between 6:41am and 00:41am.

I have no idea if this is related but I also received a text message today about a parcel needing picking up or some such nonsense. But the text message called me Catherine which is definitely not my name.

2nd edit: I may have confused myself and you with talk of 2nd and 3rd credit cards.
Let's say the 1st card was the one before any hacking.
The 2nd card was the one received after the 1st hacking attempt.
The 3rd card was the one received after the 2nd hacking attempt.
-
Each time you called your bank, were they (their fraud department) able to see the transaction attempts? If they block a transaction due to suspected fraud, they should have detailed logs with related information (including IP addresses).
Do you know the merchant where the attempted fraudulent transactions took place? Amazon doesn't (or didn't) require CSC verification to add a new card, so it's a common target for generated card numbers.
When a card is successfully saved by a merchant, a tokenised version of the card is stored (instead of the actual card details), and that token can be used for future transactions. Tokens are both merchant-specific and context-bound, so a stolen token is useless elsewhere, a token for a Continuous Payment Authority (CPA) cannot be used for manual transactions, and tokens can also be restricted by transaction limits.
Crucially, when a replacement card is issued, tokens are not automatically deleted. For the sake of convenience, tokens persist through to replacement cards, and it's via this mechanism that merchants can automatically receive updated card details, with the payment networks (Visa etc.) mapping replacement cards to existing tokens. You can (and should) specifically request the deletion of all active tokens associated with a card in cases of suspected fraud.
Your bank has access to your card's full token history, when each token was created, where they were created, and when they were deleted (or if they're still active). It's likely many of our cards have tokens we're not even aware of (or forgot about) because we're never actually notified when our card details are tokenised (except in digital wallets like Apple Pay).
lr1277 said:
And in the 1st attempted fraud, they had all my details like name, address etc and I think my email address, which I had not given to my bank.
You'll need to provide more details. What exactly happened when you received this phone call? Persisting tokens from generated card numbers may be one aspect involved in your chain of events, but they wouldn't explain whatever seems to have initially occurred here.
-
That is a lot of fraud of varying types to be occurring in such a short space of time. If I were in your position, I would immediately review/reset access to all important accounts. If the service allows, forcibly log out of all sessions everywhere and remove all associated devices. Change your passwords and enable 2FA via authenticators or hardware keys if possible. I would also recommend using multiple email addresses (via an aliasing service if convenient), each one for a specific purpose, so the email address you provide to your bank(s) is never given out anywhere else.
-
@AmityNeon Thanks for replying. This might be long.

The 1st attempt was against my credit card (card1). A woman with an English accent called me saying there had been attempted transactions against my card in Manchester and Croydon. She read my address back to me but mispronounced my town's name. I didn't think you could mispronounce my town's name especially if you have lived in England but that is what happened. She wanted to take me through security but I stopped her and told her I would call the bank and if she gave me her name, then I would get the front-line staff to transfer the call to her. I can't remember if she gave me her name but I ended that call and called the bank. They confirmed nobody from the bank had called me. Also they had no record of a fraudulent transaction on my credit card account. The caller made the mistake of calling me from a phone number that my phone showed me, so I gave that number to the bank.

Then a few minutes later I got a call from a man on a withheld number. I told him I had called my bank and they had not called me. He then read my details back to me including my email address, which I have not given to my bank. He said he would send me a link so I ended the call.

I called the bank again and this time spoke to the fraud department. They again confirmed nobody had called me and I confirmed to them I had not clicked on any link sent to me.

2 days later I got a text message from the bank asking if I had made a particular transaction. Unfortunately I saw that message 2.5 hours after it was sent, but I replied N. This transaction was for £0.00.

I called the bank to confirm I had not made that transaction. Unfortunately I did not write down the merchant's name against the transaction. For the bank's satisfaction I listed all my recent transactions against this card. But the bank was worried that somebody had got hold of my card details so cancelled card1 and sent me a new card (card2).

Then a couple of months later I got another call. I don't have as many details about this call as I did not write them down. The caller had the last 4 digits of card2. When I said I was going to call my bank he gave me some nonsense about not getting through to him but they would write to me and I could reply to the letter. This time the suspicious transactions were somewhere in the North West of England, though I don't remember where.

I called the bank and they confirmed NO transactions had been attempted on my credit card. But they closed the card and sent me a new card (card3).

Then today's shenanigans was getting 2 texts about a fraudulent transaction for $0.00. I phoned the bank and they gave me the details of the suspect transaction. I think the restaurant's name was Santoshi (not sure about that) and as I said above an attempt to add my card to Google Pay. So there is my debit card till now (dcard1) and I will get the new debit card (dcard2). The bank may have the details you mentioned but they did not tell me anything. Also they said they would cancel all places where my debit card was used for subscriptions so that means my Apple/iTunes account and my Ad-free Amazon Prime. I didn't know they had that kind of control but there you go. I asked about reporting to ActionFraud and they said as there had been no fraud, that was not necessary.

Is that the kind of detail you were looking for?
-
AmityNeon said:
That is a lot of fraud of varying types to be occurring in such a short space of time. If I were in your position, I would immediately review/reset access to all important accounts. If the service allows, forcibly log out of all sessions everywhere and remove all associated devices. Change your passwords and enable 2FA via authenticators or hardware keys if possible. I would also recommend using multiple email addresses (via an aliasing service if convenient), each one for a specific purpose, so the email address you provide to your bank(s) is never given out anywhere else.
Thanks for your suggestions, but I am not sure I understand all of them.
Please would you give me more details on each action you suggested?
Many thanks.
-
The previous attempts (prior to today/yesterday) seem like spearphishing based on compromised personal details, potentially from a data breach. As you say, the bank had no record of those supposed transaction attempts, and the cards weren't frozen by you.
The truncated card number (last four digits) is stored in plain text for convenient reference, so that alone is insufficient to prove the identity of a caller (not that any real bank would attempt this), but knowledge of it in addition to your phone number and earlier email address does suggest a compromise elsewhere in your information security, especially considering it was a recent replacement card.
Nil transactions are often used to test the validity of a card (for both legitimate as well as fraudulent purposes). It's useful to ask your bank whether the transaction attempts had the correct CSC provided, as that can indicate whether your actual card details have been compromised in full, or if it's just a brute-force attempt from a generated number.
-
Thanks @AmityNeon will call the bank during the day.
-
lr1277 said:AmityNeon said:
That is a lot of fraud of varying types to be occurring in such a short space of time. If I were in your position, I would immediately review/reset access to all important accounts. If the service allows, forcibly log out of all sessions everywhere and remove all associated devices. Change your passwords and enable 2FA via authenticators or hardware keys if possible. I would also recommend using multiple email addresses (via an aliasing service if convenient), each one for a specific purpose, so the email address you provide to your bank(s) is never given out anywhere else.
Thanks for your suggestions, but I am not sure I understand all of them.
Please would you give me more details on each action you suggested?
Many thanks.
Essentially, you want to review the security settings of all your important accounts to ensure only you have access to them. This is likely to involve changing your passwords, especially for your email account. Also:
- Check your Apple Account device list to find where you’re signed in
- Amazon > Your account > Login & Security
  You'll see options for 2-step verification and what steps to take if you think your account has been compromised.
- Use a password manager to generate strong and unique passwords for all your login credentials.
  Bitwarden is free (and also supports passkeys).
- Use an app, such as Microsoft Authenticator or 2FAS, to generate one-time passcodes. If a service doesn't support this, you can fall back to receiving SMS to your mobile number as a last resort.
  (You can read more about hardware security keys if you really want to.)
- An email alias hides your real email address, and multiple aliases can all point to the same inbox. You can selectively create and provide different aliases depending on their purpose, e.g. one for banks, one for social media, one for newsletter subscriptions etc. This also makes it more difficult for hackers to gain access to your email account, as they don't know your real email address. Your password manager stores your login credentials so you don't have to remember your aliases either.
  Firefox Relay is an alias provider.
- If your mobile phone supports dual SIMs, you can use a second number (cheap to maintain with a PAYG SIM) specifically for banking and receiving sensitive one-time passcodes. Whilst you cannot control what others do with your phone number (e.g. uploading their contact list to anything and everything), you can control which number your contacts have for you, ensuring it's not the same number your bank would use to contact you.
  (There are non-SIM alternatives to obtaining additional numbers, but those numbers may not be accepted by all services.)
-
I once had fraud twice. The first a payment for £50 for some kind of subscription service. I called the bank and said it wasn’t me, they gave the money back, and sent a new card. Within two weeks of the new card another fraud occurred with a £1500 TV from a company up north. Again I called the bank and they gave the money back.
It is therefore possible either it is an inside job, or someone has taken your card for a short time to make these purchases. Another alternative is that the card details have been randomly generated and they happen to get it right, but this is unlikely three times.
I never got to the bottom of mine but it didn’t occur after I moved to the third card. I came to the conclusion someone at work perhaps took my card from my wallet or it was an inside job. As the second card was brand new and not even saved anywhere.