Complain about a product or service

Credit Card Theft Takes Many Forms

Merchants often the big losers; consumer vigilance essential

By Mark Huffman
ConsumerAffairs.com

September 23, 2007

“It was a service they offered when I signed up for the card,” she told ConsumerAffairs.com. “I checked a box that requested them to notify me by email anytime more than $200 was charged to my account.”

Because that was the only unusual charge, Betsy said she concluded the purchase was just a mistake in the system. GM Mastercard removed the charge but Betsy did not cancel her card.

Ten days later, she received another email from the credit card company, informing her that a big screen TV, valued at more than $1,000, had been purchased from an online site and charged to her account.

Now realizing that she was indeed a victim of credit card fraud, Betsy immediately called the credit card company’s fraud division and reported the charges as unauthorized. The company instantly closed out the account and began the process of issuing her a new card.

Informed that the TV set had been purchased from a merchant called Just FTA.com, based in Glendale, California, Betsy called the store and reported the purchase as fraudulent.

“We were very lucky that she called,” said David, the store’s owner. “We had shipped the merchandise the day before and it was one day away from being delivered. We called Federal Express and put a stop on the order and had it returned.”

Merchants take the hit

In this case, JustFTA.com was spared the loss of a big screen TV, but in the world of credit card fraud, it is merchants like David who usually take the real hit. The consumer’s liability is limited to $50 and the credit card company withholds payment in cases of fraudulent purchases, so it doesn’t lose money.

But if a merchant ships merchandise in what turns out to be a fraudulent purchase, he’s stuck with the loss. David says that in 2006, JustFTA.com lost over $20,000 to credit card fraud.

There are systems in place designed to prevent fraudulent purchases like this from taking place, but clever thieves have found ways around them. When a credit card purchase comes in, the merchant can link up with the bank to verify that the billing address and the shipping address match the information in the bank’s file. But in this case, it wasn’t much help to JustFTA.com.

“In the case of this consumer, the system worked,” David said. “When we verified her billing address with the shipping address, it came back from the bank 100 percent verified.”

That’s because Betsy’s case was a much more serious instance of credit card fraud. Not only had a thief stolen her account information, he had somehow gained access to her personal, identifying information so that he could change her billing address.

By calling the credit card company and providing her mother’s maiden name or her Social Security number, the thief was able to change Betsy’s real address to one in Louisville, Kentucky, most likely a “safe house” or drop point.

So how, Betsy wanted to know, could this have happened?

Personal information

“In most cases of credit card fraud, a criminal has hacked into an e-commerce site and stolen the credit card information,” said Dan Clement, president of CardCops.com, a Malibu, California-based security firm. “It’s becoming so common that we see a couple of hacks each week now.”

Clement said accounts are also compromised in some retail locations where security cameras are in use. Unscrupulous employees, he said, sometimes direct the cameras at credit card data entry points and later review the tapes to capture account numbers and PINs.

But in Betsy’s case, Clement says that scenario is highly unlikely.

“Someone hacking into an e-commerce site could have gotten the information they needed to use her credit card, but not to change her billing address. That information could have been acquired only by two methods,” he said.

The first is some type of “phishing” scam. The thief might have sent her an email, made to look like it was from her credit card company, asking her to click on a link and enter personal information. Did she respond to such an email in the days before the theft?

“Absolutely not,” Betsy said.

The only other way, said Clement, is that someone learned some personal information about her and physically gained access to her credit card. An unsettling prospect, but in this case, concludes Clement, the likely scenario.

Clement took Betsy’s old account number and, using his sophisticated software, conducted a sweep of Internet chat rooms to see if it showed up. Often, he says, he can find where a particular account has been sold, in sort of an eBay for credit card thieves.

In Betsy’s case, there was no match, indicating that the thief either did not sell the stolen card or else sold it in a face-to-face transaction on the street. If her account was in fact sold, it in all likelihood brought a higher price than a typical pilfered account, because of the “change of billing” -- “cob” in the vernacular of the street.

Longer shelf life

If a thief can change the billing information associated with the card, the stolen account has a longer shelf life. It may be weeks before the consumer learns the account has been compromised. It also allows the thief to more easily have shipments sent to the new address.

Though there’s no conclusive proof to establish exactly how Betsy’s account was stolen, the anti-fraud feature of her credit card account and her prompt action combined to minimize losses. By asking to be notified in the event of a large credit card purchase, Betsy was able to head off the thief. And her quick response was greatly appreciated at JustFTA.com.

“Most consumers don’t bother to call,” David noted. “They have three months to contest an authorized change, and most take their time. Because she acted so quickly it saved us big time.”

Fraud alert

Clement says more banks should offer these kinds of fraud alert services and consumers should take advantage of them. He also says consumers can take other steps to protect themselves from the growing threat of credit card fraud.

“When credit card companies issue you a new card each year, ask them to assign you a new account number as well,” he said. “Your credit card information is sitting in databases maintained by banks, hotels, rental car companies and other places, year after year, and could be the source of compromise.”

Debit cards, he says, are especially dangerous, since a thief can take all the money in a compromised account. Clement suggests consumers change their debit card PIN every six months.

“It’s a hassle, but it provides another layer of protection,” he said.

Check your bill

Consumers should also closely review their bill each month. Clement says often a thief will “ping” a compromised account by entering a $1 charge to a charity. If the charge goes through uncontested, the thief then orders up a big-screen TV or other expensive item.

“The consumer is the best line of defense, Clement said. “I’ve seen statistics showing that consumers find 52 percent of all credit card fraud.”

And there’s plenty of it. The U.S. Federal Trade Commission estimates that 10 million consumers have their personal information stolen or misused each year, costing businesses like JustFTA.com as much as $48 billion.

Report Your Experience
If you've had a bad experience -- or a good one -- with a consumer product or service, we'd like to hear about it. All complaints are reviewed by class action attorneys and are considered for publication on our site. Knowledge is power! Help spread the word. File your consumer report now.

Back to the top |