How do fraudsters get your bank details these days

friolento

pseudodox said:

   First 8 digits of the card number are not personal so a computer only has to compute the last 8 to get a number that works. 

The card number is not sufficient to make a purchase; at a minimum, they also need the expiry date and the CVV, perhaps also the name. Many purchases also need authorisation through the card provider's app. I can't imagine that the potential for organised crime by fraudulent credit card is very high.

boingy

Having never previously experienced any form of credit card fraud I've had 4 instances of it in the last six months, all blocked by the respective banks. Three were on the same card so I scrapped that card and account completely. One was on a card that I have only ever used on Amazon UK. Two of the attempts were payments to local govt authorities outside of my area. Amounts ranged from £50 to £200.

No idea how the attempts were made but it made me wonder whether someone has figured out a new technique for this type of fraud.

lr1277

I had an attempted fraud transaction on my debit card last night but thankfully the bank rejected it.

The first I knew was a notificiation from the bank's app saying 0.01 transaction by Stripe.

As I said the bank rejected it.

A f ew hours later when I saw the notification I contacted the bank who said the attempt had been made against my debit card. The attempt was apparently made from America.

What puzzles me is that as well as guessing the card number, the whoever/whatever would also have to guess the CVV for which there are 999 possibilities. Or as it is a computer system, does it generate a card number and then try 999 times for a transaction? No idea but I suppose it is possible.

The previous attempted fraud on my debit card was in June or July of 2024. Since then I only use the card for cash withdrawals. I don't buy anything with it nor is it in my Apple wallet. So to me it is plausible this is a computer generated card number and CVV.

bobblebob

boingy said:

Having never previously experienced any form of credit card fraud I've had 4 instances of it in the last six months, all blocked by the respective banks. Three were on the same card so I scrapped that card and account completely. One was on a card that I have only ever used on Amazon UK. Two of the attempts were payments to local govt authorities outside of my area. Amounts ranged from £50 to £200.

No idea how the attempts were made but it made me wonder whether someone has figured out a new technique for this type or fraud.

You sometimes get a notification when buying to authorise the transaction with the online banking app. Its great as it stops online fraud in its tracks as someone needs access to your online banking app to authorise payments.

Trouble is this seems to be hit and miss and optional for retailers. It should be made mandatory on all transactions over a certain amount

bobblebob

lr1277 said:

I had an attempted fraud transaction on my debit card last night but thankfully the bank rejected it.

The first I knew was a notificiation from the bank's app saying 0.01 transaction by Stripe.

As I said the bank rejected it.

A f ew hours later when I saw the notification I contacted the bank who said the attempt had been made against my debit card. The attempt was apparently made from America.

What puzzles me is that as well as guessing the card number, the whoever/whatever would also have to guess the CVV for which there are 999 possibilities. Or as it is a computer system, does it generate a card number and then try 999 times for a transaction? No idea but I suppose it is possible.

The previous attempted fraud on my debit card was in June or July of 2024. Since then I only use the card for cash withdrawals. I don't buy anything with it nor is it in my Apple wallet. So to me it is plausible this is a computer generated card number and CVV.

I suspect their is some form of automation involved so people with enough knowledge can do it. I know its hard to guess fraudsters motives, but buying fake details on say the dark web to use them on a pizza delivery that would have been linked to an address seems daft

AmityNeon

For the sake of convenience, when you order a replacement card, the card's existing tokens aren't deleted and will carry over to the replacement card, so card details don't have to be manually updated everywhere where they've been saved; incomprehensibly, this remains the case even if you 'cancel' a card due to fraud (provider dependent, but this was Lloyds).

I discovered this when my replacement card, still in its sealed envelope, suffered a fraud attempt from the same retailer (Amazon), and my bank's fraud department confirmed that all tokens remained active, including the fraudulent tokens from Amazon. The advisor was incredibly helpful, chronicling the entire token history of the card account (not just a singular card), allowing me to identify the full extent of the fraudulent tokens, e.g. when and where they were created, how long they were active, when they were deleted, and which remained active — it's a shame we can't see these details for ourselves, or receive notifications when our card details have been tokenised (other than for digital wallets). I then explicitly requested for every single active token to be deleted, the card to be cancelled, and another replacement card sent.

Expiry dates and CVVs aren't strictly required when adding/saving card details; it's entirely dependent on the platform. I tested this by adding the new, untouched (fresh out of the envelope) credit card to Amazon, and the 16-digit number alone was sufficient. I was on the phone to my bank's fraud department as I did this, and they confirmed that an Amazon token had just been newly created for the card. I then informed Amazon, and the advisor flagged it as a security flaw in their systems as he was adamant at least the CVV was required (which was not the case, and likely had not been the case for months).

Freezing cards does not prevent tokenisation. This entire debacle occurred on an unused 0% credit card which had been app-frozen for at least six months, and was frozen when it was fraudulently added to Amazon (as per token history). The crux of my investigation lay with my additional card holder, whose physical card had never been used, yet a fraudulent Amazon token (created in a similar timeframe) was also identified for that particular card, which had an almost identical 16-digit number except the last three digits, but obviously a different CVV.

bobblebob

AmityNeon said:

For the sake of convenience, when you order a replacement card, the card's existing tokens aren't deleted and will carry over to the replacement card, so card details don't have to be manually updated everywhere where they've been saved; incomprehensibly, this remains the case even if you 'cancel' a card due to fraud (provider dependent, but this was Lloyds).

I discovered this when my replacement card, still in its sealed envelope, suffered a fraud attempt from the same retailer (Amazon), and my bank's fraud department confirmed that all tokens remained active, including the fraudulent tokens from Amazon. The advisor was incredibly helpful, chronicling the entire token history of the card account (not just a singular card), allowing me to identify the full extent of the fraudulent tokens, e.g. when and where they were created, how long they were active, when they were deleted, and which remained active — it's a shame we can't see these details for ourselves, or receive notifications when our card details have been tokenised (other than for digital wallets). I then explicitly requested for every single active token to be deleted, the card to be cancelled, and another replacement card sent.

Expiry dates and CVVs aren't strictly required when adding/saving card details; it's entirely dependent on the platform. I tested this by adding the new, untouched (fresh out of the envelope) credit card to Amazon, and the 16-digit number alone was sufficient. I was on the phone to my bank's fraud department as I did this, and they confirmed that an Amazon token had just been newly created for the card. I then informed Amazon, and the advisor flagged it as a security flaw in their systems as he was adamant at least the CVV was required (which was not the case, and likely had not been the case for months).

Freezing cards does not prevent tokenisation. This entire debacle occurred on an unused 0% credit card which had been app-frozen for at least six months, and was frozen when it was fraudulently added to Amazon (as per token history). The crux of my investigation lay with my additional card holder, whose physical card had never been used, yet a fraudulent Amazon token (created in a similar timeframe) was also identified for that particular card, which had an almost identical 16-digit number except the last three digits, but obviously a different CVV.

So say you have your card stored on Uber, you get it frozen/cancelled by the bank and a new card issued. That old card can stilk be used to book a taxi?

SacredStephan

A few years ago, I spotted dodgy transactions on my Capital 1 credit card account.

They were all Uber and Uber Eats transactions - I don't use either of those services.

Further investigation by Cap1 revealed one Uber journey was from London to Leicester and the Uber Eats orders were for high-value alcohol bought from a Costcutter shop and delivered to a nearby community centre in a part of London that I never visit. I filled in a form declaring that I had no knowledge of the 20+ transactions and the charges of about £500 were refunded. I recall that, at the time, neither Uber nor Uber Eats required a CVV when processing a CC transaction.

AmityNeon

bobblebob said:

AmityNeon said:

For the sake of convenience, when you order a replacement card, the card's existing tokens aren't deleted and will carry over to the replacement card, so card details don't have to be manually updated everywhere where they've been saved; incomprehensibly, this remains the case even if you 'cancel' a card due to fraud (provider dependent, but this was Lloyds).

I discovered this when my replacement card, still in its sealed envelope, suffered a fraud attempt from the same retailer (Amazon), and my bank's fraud department confirmed that all tokens remained active, including the fraudulent tokens from Amazon. The advisor was incredibly helpful, chronicling the entire token history of the card account (not just a singular card), allowing me to identify the full extent of the fraudulent tokens, e.g. when and where they were created, how long they were active, when they were deleted, and which remained active — it's a shame we can't see these details for ourselves, or receive notifications when our card details have been tokenised (other than for digital wallets). I then explicitly requested for every single active token to be deleted, the card to be cancelled, and another replacement card sent.

Expiry dates and CVVs aren't strictly required when adding/saving card details; it's entirely dependent on the platform. I tested this by adding the new, untouched (fresh out of the envelope) credit card to Amazon, and the 16-digit number alone was sufficient. I was on the phone to my bank's fraud department as I did this, and they confirmed that an Amazon token had just been newly created for the card. I then informed Amazon, and the advisor flagged it as a security flaw in their systems as he was adamant at least the CVV was required (which was not the case, and likely had not been the case for months).

Freezing cards does not prevent tokenisation. This entire debacle occurred on an unused 0% credit card which had been app-frozen for at least six months, and was frozen when it was fraudulently added to Amazon (as per token history). The crux of my investigation lay with my additional card holder, whose physical card had never been used, yet a fraudulent Amazon token (created in a similar timeframe) was also identified for that particular card, which had an almost identical 16-digit number except the last three digits, but obviously a different CVV.

So say you have your card stored on Uber, you get it frozen/cancelled by the bank and a new card issued. That old card can stilk be used to book a taxi?

No, the old card details (card number, expiry date, CVV) will no longer function, but the Uber token will likely remain active on your card account and your card network will automatically point the token to the new card details. If the replacement card is appropriately frozen, then no, the card details (and its corresponding tokens) cannot be used to authorise transactions because freezing blocks transactions at the account level, although the card details themselves could potentially still be tokenised, and you probably won't be notified if this happens (unless it's added to a digital wallet).

bobblebob

AmityNeon said:

bobblebob said:

AmityNeon said:

For the sake of convenience, when you order a replacement card, the card's existing tokens aren't deleted and will carry over to the replacement card, so card details don't have to be manually updated everywhere where they've been saved; incomprehensibly, this remains the case even if you 'cancel' a card due to fraud (provider dependent, but this was Lloyds).

I discovered this when my replacement card, still in its sealed envelope, suffered a fraud attempt from the same retailer (Amazon), and my bank's fraud department confirmed that all tokens remained active, including the fraudulent tokens from Amazon. The advisor was incredibly helpful, chronicling the entire token history of the card account (not just a singular card), allowing me to identify the full extent of the fraudulent tokens, e.g. when and where they were created, how long they were active, when they were deleted, and which remained active — it's a shame we can't see these details for ourselves, or receive notifications when our card details have been tokenised (other than for digital wallets). I then explicitly requested for every single active token to be deleted, the card to be cancelled, and another replacement card sent.

Expiry dates and CVVs aren't strictly required when adding/saving card details; it's entirely dependent on the platform. I tested this by adding the new, untouched (fresh out of the envelope) credit card to Amazon, and the 16-digit number alone was sufficient. I was on the phone to my bank's fraud department as I did this, and they confirmed that an Amazon token had just been newly created for the card. I then informed Amazon, and the advisor flagged it as a security flaw in their systems as he was adamant at least the CVV was required (which was not the case, and likely had not been the case for months).

Freezing cards does not prevent tokenisation. This entire debacle occurred on an unused 0% credit card which had been app-frozen for at least six months, and was frozen when it was fraudulently added to Amazon (as per token history). The crux of my investigation lay with my additional card holder, whose physical card had never been used, yet a fraudulent Amazon token (created in a similar timeframe) was also identified for that particular card, which had an almost identical 16-digit number except the last three digits, but obviously a different CVV.

So say you have your card stored on Uber, you get it frozen/cancelled by the bank and a new card issued. That old card can stilk be used to book a taxi?

No, the old card details (card number, expiry date, CVV) will no longer function, but the Uber token will likely remain active on your card account and your card network will automatically point the token to the new card details. If the replacement card is appropriately frozen, then no, the card details (and its corresponding tokens) cannot be used to authorise transactions because freezing blocks transactions at the account level, although the card details themselves could potentially still be tokenised, and you probably won't be notified if this happens (unless it's added to a digital wallet).

Thank you. Its more frustrating as i do suffer with anxiety, so things like this make my brain go in overdrive