At 5:48 PM -0800 3/28/05, TidBITS Editors wrote:
Stolen Credit Card Numbers and Companies with a Clue ---------------------------------------------------- by Adam C. Engst <ace@tidbits.com>
Credit card number theft is one of those events that seems to happen only to other people... until it hits you. That just happened to me, and the repercussions proved a bit more instructive and far-reaching that I would have initially anticipated.
**Awkward Dating** -- The first hint that something was wrong came when Tonya was reviewing the charges on the MasterCard we use solely for business purchases. There was a $19.95 charge to something related to Yahoo, but it wasn't possible to tell exactly what service from the limited information on the credit card statement. Tonya knew she hadn't ordered anything online that could have generated such a charge, and when she asked me, I couldn't remember anything either. To verify that I wasn't simply losing my memory, I searched all my received email around the date in question, and even went so far as to search my OmniWeb history for Yahoo URLs around the date.
The situation was becoming more curious, so Tonya called the phone number on the credit card statement, and waited on hold for a while. As she waited, she realized that what she had called was Yahoo Personals - Yahoo's online dating service. She immediately yelled for me to get on the phone, figuring that the whole situation was just going to generate snickers for the customer service people if they heard a wife calling to find out about a dating service charge on her husband's credit card. I was good and refrained from making jokes about how I didn't even get any dates from Yahoo Personals once the customer service people came on the line.
It took a little back and forth with Yahoo's customer service people, since we weren't willing to give them much more personal information, some of which they claimed they needed to look up the account that had made the charges. Eventually we got them to tell us that the Yahoo Personals account did indeed have the same user name as my My Yahoo account (I immediately changed that account's password, just for good measure), but that the birth date listed with the Yahoo Personals account did not match either of our birth dates. That was sufficient for them to cancel the account and refund our money.
**Cleaning Up from Cancellation** -- The Yahoo Personals customer service rep recommended that we cancel the credit card used, which we were already planning as the next call. Our credit card issuer was totally on top of it, cancelling the card and issuing us another one before we'd even had a chance to explain the full situation. Tonya keeps records of merchants that are automatically withdrawing from that credit card, so next she reset all of those accounts. The morning was shot, but it seemed that we were out of the woods. Unfortunately, it wasn't to be.
A few days later, Tristan and I were out driving when I remembered that our other car likely had a flat tire due to a slow leak I'd been monitoring. That normally wouldn't have been an issue, but Tonya had an appointment before we would be home, and I wanted to alert her to blow up the tire and to remember her cell phone in case she needed me to come change the tire while she was out. In New York State, it's illegal to drive while talking on a cell phone unless you're using a hands-free system, so I pressed the speed-dial number for home and handed Tristan the phone so he could give her the message. A few seconds later he gave me back the phone, saying "It's being weird." I pulled over and listened, and indeed, I'd somehow ended up with Verizon Wireless customer service. I hung up and tried again, and got them again. This time I waited until I could talk to a person, who promptly informed me that they had disabled our service because the monthly bill had been rejected by our credit card - apparently one auto-withdrawal had slipped past Tonya's record keeping. Luckily, I was able to use another phone later to walk Tonya through inflating the tire, but the credit card fraud was increasing in annoyance.
The next week Tonya managed to get the account reinstated, and protested sufficiently vehemently when Verizon Wireless tried to charge a $15 fee for doing so that they waived the charge. She pointed out that it would have been trivial for them to notify us via voicemail or text messaging that our auto-withdrawal had failed, but needless to say, the customer service drone couldn't do anything but forward the feedback (if even that).
That wasn't the end of the bother, though the next one was purely my fault. I'd set up a Google AdWords account for Take Control that also withdrew money from that MasterCard, and I'd forgotten to inform Tonya that it needed to be added to the list of auto- withdrawal services. As you'd expect, the next time Google tried to charge money to the card, it was rejected, too.
But here's the difference between Verizon Wireless and Google. Where Verizon Wireless didn't bother to inform us that they'd disabled our service and thus caused us unnecessary trouble, Google sent me a nice email message, informing me of the problem, telling me that they'd temporarily disabled our ads, and giving me a link to my account so I could enter a new credit card number. The entire process took only a couple of minutes, and most of that was exclaiming to Tonya about how Google had a clue in comparison to Verizon Wireless.
**Following Up on the Credit Report** -- We were relating this story to a friend over dinner the other day, who said she'd had a similar thing happen. In her case, though, the fraud had included the perpetrator changing the billing address related to the card, so she hadn't even received a tip-off statement. She recommended that we run a credit report as well, just to make sure any additional hanky-panky wasn't going on with our finances.
A bit of investigation revealed that recent U.S. legislation requires the three major credit reporting companies - Equifax, Experian, and TransUnion - to provide anyone who asked with a free credit report once every 12 months (so you can get one credit report from each company all at once, or you can request a report from one of the companies every four months to be on the lookout for problems). Unfortunately, the credit reporting companies were given quite some time to roll out the service to the entire country, so although people in western and midwest states can request their free credit reports right now, people in the south must wait until 01-Jun-05, and those of us in the eastern states must wait until 01-Sep-05. (Some states - Colorado, Georgia, Maine, Maryland, Massachusetts, New Jersey, and Vermont - also require that residents be allowed to request one or two free credit reports each year.)
<https://www.annualcreditreport.com/> <http://www.epic.org/privacy/fcra/> <http://www.epic.org/privacy/preemption/>
Our friend said she'd used another service called FreeCreditReport.com, which gives you a free credit report, but requires that you sign up for a slew of fee-based credit reporting and monitoring services that could be useful, particularly if you wanted to be informed about changes to your credit report over time. You can (and I did) cancel the membership without paying anything - hence the "free" aspect of the credit report, and of course, you can pay about $10 for a credit report if you don't want to play the "cancel my membership" game. Luckily, my credit report showed nothing of significant concern, though they apparently think I'm a year younger than I am. I'll have to fix that at some point. It's entirely likely that other problems haven't shown up yet, and I plan to start running regular credit reports in September.
<http://www.freecreditreport.com/>
**Lessons Learned** -- In this day and age, shopping on the Internet is simply a fact of life for many people. I don't believe that using a credit card on the Internet is any more or less likely to result in credit card number theft than using it over the phone or in person, but the more you use credit cards, the more likely it is some miscreant will obtain your number and abuse it. It's mostly an annoyance with credit cards (though not necessarily with debit cards!), since your liability is limited to $50 in the United States, and I've never heard of anyone ever being charged even that. But the hassle factor can be large, as our experience proved, and credit card fraud could be the first step in a more complete identity theft. So, I recommend the following precautions.
* Review your credit card statements every month, and make sure you made every purchase. Thieves often charge a small amount, like our $19.95 fee for Yahoo Personals, to see if you're paying attention (and if you're not, the purchases will increase).
* Always keep email receipts for online purchases for reference purposes, and if you anticipate wanting to look back to what you've done in the past on the Web, use a browser like OmniWeb or a utility like St. Clair Software's HistoryHound to record your tracks.
<http://www.omnigroup.com/applications/omniweb/> <http://www.stclairsw.com/HistoryHound/>
* Although we still have no idea how our credit card number was stolen, wallet thefts are a common way for this to happen. To simplify canceling credit cards and other accounts in the event of such a theft, photocopy the contents of your wallet and store those pages in a safe location.
* Keep a list of all automatic withdrawals from your credit card in the event you have to cancel the card. Also remember to write down merchants (like the iTunes Music Store) that might have your credit card number stored for sporadic use.
* If you're in the U.S. (other countries may have similar practices), be sure to take advantage of the free credit reports to make sure all the information is correct, and if you find incorrect information, make sure to fix it promptly. Visit the Federal Trade Commission Web site for additional suggestions and links to useful resources:
<http://www.consumer.gov/idtheft/>
Many instances of credit card number theft may not be within your sphere of influence. The Register has an article listing a number of stories of large businesses, educational institutions, and other organizations losing control of sensitive personal information in this month alone. There's nothing you can do about such situations (apart from checking data security practices when possible), but some common sense and effort on your part can reduce the impact of credit card number theft if it does happen to you. I got off easy this time, and I hope this is the end of the story (for a much more exciting story of credit card number theft, read the page at the second link below).
<http://www.theregister.com/2005/03/23/id_theft_cannot_be_escaped/> <http://www.livejournal.com/users/publius_ovidius/111672.html>
-- ----------------- R. A. Hettinga <mailto: rah@ibuc.com> The Internet Bearer Underwriting Corporation <http://www.ibuc.com/> 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'