Betsy, from England, was visiting family in the southern U.S. in early August when GM Mastercard, her credit card company, contacted her. There was, she was informed, suspicious activity on her account, a $333 charge for an EZPass New York toll pass.
It was a service they offered when I signed up for the card, she told ConsumerAffairs.com. I checked a box that requested them to notify me by email anytime more than $200 was charged to my account.
Because that was the only unusual charge, Betsy said she concluded the purchase was just a mistake in the system. GM Mastercard removed the charge but Betsy did not cancel her card.
Ten days later, she received another email from the credit card company, informing her that a big screen TV, valued at more than $1,000, had been purchased from an online site and charged to her account.
Now realizing that she was indeed a victim of credit card fraud, Betsy immediately called the credit card companys fraud division and reported the charges as unauthorized. The company instantly closed out the account and began the process of issuing her a new card.
Informed that the TV set had been purchased from a merchant called Just FTA.com, based in Glendale, California, Betsy called the store and reported the purchase as fraudulent.
We were very lucky that she called, said David, the stores owner. We had shipped the merchandise the day before and it was one day away from being delivered. We called Federal Express and put a stop on the order and had it returned.
Merchants take the hit
In this case, JustFTA.com was spared the loss of a big screen TV, but in the world of credit card fraud, it is merchants like David who usually take the real hit. The consumers liability is limited to $50 and the credit card company withholds payment in cases of fraudulent purchases, so it doesnt lose money.
But if a merchant ships merchandise in what turns out to be a fraudulent purchase, hes stuck with the loss. David says that in 2006, JustFTA.com lost over $20,000 to credit card fraud.
There are systems in place designed to prevent fraudulent purchases like this from taking place, but clever thieves have found ways around them. When a credit card purchase comes in, the merchant can link up with the bank to verify that the billing address and the shipping address match the information in the banks file. But in this case, it wasnt much help to JustFTA.com.
In the case of this consumer, the system worked, David said. When we verified her billing address with the shipping address, it came back from the bank 100 percent verified.
Thats because Betsys case was a much more serious instance of credit card fraud. Not only had a thief stolen her account information, he had somehow gained access to her personal, identifying information so that he could change her billing address.
By calling the credit card company and providing her mothers maiden name or her Social Security number, the thief was able to change Betsys real address to one in Louisville, Kentucky, most likely a safe house or drop point.
So how, Betsy wanted to know, could this have happened?
In most cases of credit card fraud, a criminal has hacked into an e-commerce site and stolen the credit card information, said Dan Clement, president of CardCops.com, a Malibu, California-based security firm. Its becoming so common that we see a couple of hacks each week now.
Clement said accounts are also compromised in some retail locations where security cameras are in use. Unscrupulous employees, he said, sometimes direct the cameras at credit card data entry points and later review the tapes to capture account numbers and PINs.
But in Betsys case, Clement says that scenario is highly unlikely.
Someone hacking into an e-commerce site could have gotten the information they needed to use her credit card, but not to change her billing address. That information could have been acquired only by two methods, he said.
The first is some type of phishing scam. The thief might have sent her an email, made to look like it was from her credit card company, asking her to click on a link and enter personal information. Did she respond to such an email in the days before the theft?
Absolutely not, Betsy said.
The only other way, said Clement, is that someone learned some personal information about her and physically gained access to her credit card. An unsettling prospect, but in this case, concludes Clement, the likely scenario.
Clement took Betsys old account number and, using his sophisticated software, conducted a sweep of Internet chat rooms to see if it showed up. Often, he says, he can find where a particular account has been sold, in sort of an eBay for credit card thieves.
In Betsys case, there was no match, indicating that the thief either did not sell the stolen card or else sold it in a face-to-face transaction on the street. If her account was in fact sold, it in all likelihood brought a higher price than a typical pilfered account, because of the change of billing -- cob in the vernacular of the street.
Longer shelf life
If a thief can change the billing information associated with the card, the stolen account has a longer shelf life. It may be weeks before the consumer learns the account has been compromised. It also allows the thief to more easily have shipments sent to the new address.
Though theres no conclusive proof to establish exactly how Betsys account was stolen, the anti-fraud feature of her credit card account and her prompt action combined to minimize losses. By asking to be notified in the event of a large credit card purchase, Betsy was able to head off the thief. And her quick response was greatly appreciated at JustFTA.com.
Most consumers dont bother to call, David noted. They have three months to contest an authorized change, and most take their time. Because she acted so quickly it saved us big time.
Clement says more banks should offer these kinds of fraud alert services and consumers should take advantage of them. He also says consumers can take other steps to protect themselves from the growing threat of credit card fraud.
When credit card companies issue you a new card each year, ask them to assign you a new account number as well, he said. Your credit card information is sitting in databases maintained by banks, hotels, rental car companies and other places, year after year, and could be the source of compromise.
Debit cards, he says, are especially dangerous, since a thief can take all the money in a compromised account. Clement suggests consumers change their debit card PIN every six months.
Its a hassle, but it provides another layer of protection, he said.
Check your bill
Consumers should also closely review their bill each month. Clement says often a thief will ping a compromised account by entering a $1 charge to a charity. If the charge goes through uncontested, the thief then orders up a big-screen TV or other expensive item.
The consumer is the best line of defense, Clement said. Ive seen statistics showing that consumers find 52 percent of all credit card fraud.
And theres plenty of it. The U.S. Federal Trade Commission estimates that 10 million consumers have their personal information stolen or misused each year, costing businesses like JustFTA.com as much as $48 billion.