Debit card fraud (OT, a bit long)

OK I have had something similar and it highlights a dirty little secret about credit card transactions that they would really rather you didn't know. The transaction I had go spectacularly wrong was a rerun of a final payment for an entire fitted kitchen fully *three* years later!

Not surprisingly this stuck out like a sore thumb.

Once a company has your details and full verification the credit card transaction can be run more than once and unlike a cheque it *never* times out. They will unwind it quickly once you point it out.

They would wouldn't they. I would get your bank fraud department to check again. My strong suspicion is that that vendor inadvertently reran an old batch of transactions somehow and that you are not alone.

It is a good one to ask one of the money pages. I doubt if your card has really been compromised. My suspicion is that human error has resulted in a rerun of the exact same batch of transactions verbatim.

That DOB and/or mothers maiden name have been changed is more worrying. Perhaps you should be worried. Time to do a deep AV scan...

I reckon that means it was a rerun phantom transaction.

It could also mean that your home computer is compromised by a keylogger and the miscreants now have enough info to fake being you. The puzzle is that they should buy another Dyson rather than something more easily traded secondhand.

It is better to be safe than sorry but apply a bit of pressure about the curious numerical coincidence that the transaction was for the exact same amount and demand to know the delivery address.

Genuine malicious attacks on cards tend to be along the lines of a small donation to a charity followed by a top of the range iPhone.

Thank you for the prompt response, much to think about there. By good fortune (I think) my wife does all her shopping on a Chromebook which I'd like to believe is much less vulnerable to keyloggers etc than a Windows PC.

OK, this is not directly related to what has happened to you, but does fall into the category of 'how credit cards work in ways you didn't realise'.

One day, I go to te village shop, and my credit card is rejected. I leave te shopping there and go home and get on te phone.

'Your credit card was rejcetd because its out of date' 'No, its valid till the end of the next month' 'It was unti8l you used your new one' 'I haven't even recieved my new one yet' 'Yes you have, because there's a transaction of £6.50 on it' 'Not by me there ain't. Who is the payee?' 'The Financial Times' 'I do have an online subscription with them, but how would they know to use my new card that I haven't received yet?' 'Oh they would get notified *automatically*' 'Right, so basically you can not send me a new card, and before I receive it let alone activate it, someone without my knowledge or consent can cause my old card to be cancelled, and you think that's OK?' 'Yes, basically'.

In fact I found the card. My (soon to be ex-) wife had thrown it in a pile of junk mail ..

newshound scribbled

Ask the bank for a new debit card number.

Might not help.

Colleague of mine is still unwinding the fraud from his corporate card.

They stopped his card, cancelled the transactions, and sent a new card.

With the same number, which undid the cancellation. Fraud restarted.

So they sent him another card, this time with another number.

Timeout was hit on the cancellation, so the fraud restarted - and the fraudulent transactions were automatically transferred to the new card number.

This time they cancelled his new card. But not the old one...

He's now on his 4th card since Christmas. Luckily he hasn't had to go anywhere!

Andy

Vir Campestris scribbled

Time to cancel the bank account.

I once had fraud on a new debit card. I'd only used it once - at an indoor machine in the bank. I suspected internal fraud - the bank was very cagey.

I had the same on a company account some years ago. There were two cards, one was used on a regular basis. The other was never used.

Both had substantial debits made against them to overseas accounts. Abbey were quick to return the money without any ado.

Sounds like the crooks are now wise to the way banks look for unusual transactions and thus can slip under the radar. I don't think a payment method has ever been foolproof, and the more we use cashless systems the more the crooks desert the real world and inhabit the virtual one. The challenge as it has always been is to find ways to stay ahead of the pack. I'm expecting some issues when Apple Pay and the new 30 quid limit come to pass in the contactless world Come September. Brian

I wonder what strings the FT can pull to have that happen?

A continuing payment authorisation seems to persist across cards with the same number but I have had to put the new expiry date *manually* into my online payment details for the likes of Amazon, Tesco etc.

It is clearly a major breach of security if they give out the CVV number and expiry date of your new card to third parties! I suspect what they mean is a week or two after they send out your new card they process any long term continuing payments against it.

There is a common scam at the moment being perpetrated against rural customers like farmers who have mailboxes at the gate end of long drives. Essentially ordering a new credit card bound to that address, following the postie on his rounds and stealing it without the addressee ever knowing it existed.

The first they find out is when bills start arriving on the mat. A couple of local friends have had identity theft problems like this.

There was a spate of that some years ago - it was an internal fraud. Banks were telling people to cut up their cards when it was reported, which very conveniently destroyed the transaction sequence number in the card chip which was the only proof that the fraudulant transaction which was verified by PIN had not been done using the customer's card at all.

Agreed, plenty of banks out there. But this is a coporate card, OPs colleague may not have control of who the company banks with. But it certainly seems like time for a email to the MD/CEO, MD Finance of the company cc'd to the CEO/MD MD Customer Service of the card co/bank. Expressing ones "disappointment".

BTDTGTTS, except this time the cards fraud protection had been tripped. I don't carry cash apart from a few quid in coins. Bit bloomin' embarassing when your card gets rejected and you can't pay for seven quids worth of groceries. The second reason why I have two cards on different card systems and different banks, the first being business/private.

What tripped the fraud protection? The way a large computer related online store validated my card for a couple of hundred quid transaction the night before. They asked for validation of a £1 transaction but didn't follow through and take it when they got "yep that's OK". This request orginated in the US, seconds later they bang in the validation and a payment request for the goods, same co ID etc, but from the UK.

None at all, when the card issuer changes a cards number that change is passed up the chain to subscriptions etc.

They are only needed to "prove" the card is in the possession of the person entering the data into an online transaction.

I should imagine subscriptions to cards are handled like DD's to a bank account. The account has to have a record that company A will ask for a fixed/variable amount with this reference to enable the transaction to happen. All the card co is sending to company A is "you know that sub you have to card X ref Y, please use card Z from now on".

Even so if the card needs activation *any* attempted transaction to the new card before activation should be rejected. Otherwise what's the point of activation? With subs card co says "oh sorry, new number we told you about is not valid yet, please use old number" note that old number is not sent, to prevent a hacker spoofing this reject message with a different "old number".

Or a bent postie, it's perfectly obvious that a bit of post contains a card. The return address will indicate what the card is. I wonder how long it would take to be noticed that a card is "lost in the post" once every 3 to 6 weeks on a particular walk? Remember postie can select which bank and card issuer from the return address so the "loss" is spread across banks/issuer. The downfall of many is getting greedy...

Could it be that her email account has been hacked and someone is reading h er emails? Then they'd see the notifications of purchase amounts and would use those same amounts so as to conceal them.

Robert

When these cards first appeared, I had to go into my bank branch and sign for mine. That's security.

Our last four trips abroad have suffered from card protection measures. Often for trivial amounts---

Nowadays that would depend on the postman also identifying the mail with the pin number sent separately, and being on duty when both items are out for delivery. Since the last changes at Royal Mail my post seems to be delivered by one of three postmen.

I'd wondered that, she is not particularly security savvy, but this seems to be a one-off, and the transaction (which was only pending) has not actually gone through. I'm inclined to think it might well be, as Martin suggested, a retailer or bank issue with a re-run transaction batch.

Thanks to all for the comments and suggestions!

That must date back to when banks had branches.

Only one in town now, Barclays, and thats' on weird hours and they can't actually do anything without refering upwards, other than counter cash/cheque things.

HSBC have just slammed the door shut, boarded up the windows and taken away the ATM, all in the space of about 3 months with no warning to the staff either. Damn shame as they could actually do things without refering upwards.

Next nearest branches are 20+ miles away.