So. Last Friday afternoon I got frantic calls from both my Falcon office and my bank. Some jerk stole my credit card information and tried to buy $1,300 worth of jewelry1 with it on Wednesday. Nice try. It set off the fraud alert.
It helped that on Thursday, I tried to renew my cell phone’s air time without actually getting the card out of my pocket and mis-remembered my CVV the first time. Then the crook made a $1 pre-authorization at Apple on Friday, which was enough suspicious activity for the card company to call me.
After I confirmed that yes, I bought the Net10 air time, no, I didn’t try to buy $1,300 of jewelry or visit Apple, they shut down the card. I won’t get another for about a week. Joy. Meanwhile, next thing on my agenda is to find out what happened to the charge for the air time I bought on the day in between fraud attempts. I don’t want Net10 to kill my account because of a chargeback, but it should be OK because I did tell the Falcon office that, of the suspicious transactions, that one was legitimate.
The list of possible “mea culpa” breaches is very short: My credit card information was stored in only a few places online. Many more brick-and-mortar merchants’ employees have had access to it since the card was activated last June. From Internet research, I see that I’m not alone in having this happen. I also see that there are myriad ways the crook(s) could have gotten my information.
Random guessing is pretty high on the list. Algorithms exist to generate valid card numbers for testing, and mine might have just randomly come up. I use library computers a lot, so one of them could have had spyware on it that was monitoring the information flow. Maybe Net10’s website isn’t as secure as I thought. Perhaps an employee at one company or another abused data access privileges and stole card information from customers. Could be that a company I bought from was hacked, or the payment processor was. Google Checkout might not be as secure as it claims to be. Maybe funds transferred from bank to credit card company are sent unencrypted and the crook grabbed info that way. (These are getting less and less likely, to the point of pointless speculation.)
Thing is, I don’t believe the CVV was stored anywhere except the back of the card and my memory. Armed with only a name, billing address, and an account number, what are the possible ways an attacker could use the stolen information? I don’t believe a billing address or CVV are required for telephone purchases, but then how to explain the Apple pre-authorization?
Whatever happened, I’ve placed a 90-day fraud alert on my credit report (as recommended by the FTC), changed several passwords and removed the deactivated card from all online accounts. Apparently this happens to some people every few months, but that just makes me curious about how lax such individuals are with their information security. I intend to be even more careful than before.
- Way over my limit. [↩]