Stolen Credit Card Numbers and Companies with a Clue (was Re: TidBITS#772/28-Mar-05)

R.A. Hettinga rah at
Mon Mar 28 21:20:13 PST 2005

At 5:48 PM -0800 3/28/05, TidBITS Editors wrote:
>Stolen Credit Card Numbers and Companies with a Clue
>  by Adam C. Engst <ace at>
>  Credit card number theft is one of those events that seems
>  to happen only to other people... until it hits you. That
>  just happened to me, and the repercussions proved a bit more
>  instructive and far-reaching that I would have initially
>  anticipated.
>**Awkward Dating** -- The first hint that something was wrong
>  came when Tonya was reviewing the charges on the MasterCard we
>  use solely for business purchases. There was a $19.95 charge to
>  something related to Yahoo, but it wasn't possible to tell exactly
>  what service from the limited information on the credit card
>  statement. Tonya knew she hadn't ordered anything online that
>  could have generated such a charge, and when she asked me, I
>  couldn't remember anything either. To verify that I wasn't simply
>  losing my memory, I searched all my received email around the
>  date in question, and even went so far as to search my OmniWeb
>  history for Yahoo URLs around the date.
>  The situation was becoming more curious, so Tonya called the
>  phone number on the credit card statement, and waited on hold
>  for a while. As she waited, she realized that what she had
>  called was Yahoo Personals - Yahoo's online dating service.
>  She immediately yelled for me to get on the phone, figuring
>  that the whole situation was just going to generate snickers
>  for the customer service people if they heard a wife calling
>  to find out about a dating service charge on her husband's credit
>  card. I was good and refrained from making jokes about how I
>  didn't even get any dates from Yahoo Personals once the customer
>  service people came on the line.
>  It took a little back and forth with Yahoo's customer service
>  people, since we weren't willing to give them much more personal
>  information, some of which they claimed they needed to look up the
>  account that had made the charges. Eventually we got them to tell
>  us that the Yahoo Personals account did indeed have the same user
>  name as my My Yahoo account (I immediately changed that account's
>  password, just for good measure), but that the birth date listed
>  with the Yahoo Personals account did not match either of our birth
>  dates. That was sufficient for them to cancel the account and
>  refund our money.
>**Cleaning Up from Cancellation** -- The Yahoo Personals customer
>  service rep recommended that we cancel the credit card used, which
>  we were already planning as the next call. Our credit card issuer
>  was totally on top of it, cancelling the card and issuing us
>  another one before we'd even had a chance to explain the full
>  situation. Tonya keeps records of merchants that are automatically
>  withdrawing from that credit card, so next she reset all of those
>  accounts. The morning was shot, but it seemed that we were out
>  of the woods. Unfortunately, it wasn't to be.
>  A few days later, Tristan and I were out driving when I remembered
>  that our other car likely had a flat tire due to a slow leak I'd
>  been monitoring. That normally wouldn't have been an issue, but
>  Tonya had an appointment before we would be home, and I wanted
>  to alert her to blow up the tire and to remember her cell phone
>  in case she needed me to come change the tire while she was out.
>  In New York State, it's illegal to drive while talking on a cell
>  phone unless you're using a hands-free system, so I pressed the
>  speed-dial number for home and handed Tristan the phone so he
>  could give her the message. A few seconds later he gave me back
>  the phone, saying "It's being weird." I pulled over and listened,
>  and indeed, I'd somehow ended up with Verizon Wireless customer
>  service. I hung up and tried again, and got them again. This time
>  I waited until I could talk to a person, who promptly informed me
>  that they had disabled our service because the monthly bill had
>  been rejected by our credit card - apparently one auto-withdrawal
>  had slipped past Tonya's record keeping. Luckily, I was able to
>  use another phone later to walk Tonya through inflating the tire,
>  but the credit card fraud was increasing in annoyance.
>  The next week Tonya managed to get the account reinstated, and
>  protested sufficiently vehemently when Verizon Wireless tried
>  to charge a $15 fee for doing so that they waived the charge.
>  She pointed out that it would have been trivial for them to notify
>  us via voicemail or text messaging that our auto-withdrawal had
>  failed, but needless to say, the customer service drone couldn't
>  do anything but forward the feedback (if even that).
>  That wasn't the end of the bother, though the next one was purely
>  my fault. I'd set up a Google AdWords account for Take Control
>  that also withdrew money from that MasterCard, and I'd forgotten
>  to inform Tonya that it needed to be added to the list of auto-
>  withdrawal services. As you'd expect, the next time Google tried
>  to charge money to the card, it was rejected, too.
>  But here's the difference between Verizon Wireless and Google.
>  Where Verizon Wireless didn't bother to inform us that they'd
>  disabled our service and thus caused us unnecessary trouble,
>  Google sent me a nice email message, informing me of the problem,
>  telling me that they'd temporarily disabled our ads, and giving
>  me a link to my account so I could enter a new credit card number.
>  The entire process took only a couple of minutes, and most of that
>  was exclaiming to Tonya about how Google had a clue in comparison
>  to Verizon Wireless.
>**Following Up on the Credit Report** -- We were relating this
>  story to a friend over dinner the other day, who said she'd had a
>  similar thing happen. In her case, though, the fraud had included
>  the perpetrator changing the billing address related to the card,
>  so she hadn't even received a tip-off statement. She recommended
>  that we run a credit report as well, just to make sure any
>  additional hanky-panky wasn't going on with our finances.
>  A bit of investigation revealed that recent U.S. legislation
>  requires the three major credit reporting companies - Equifax,
>  Experian, and TransUnion - to provide anyone who asked with a
>  free credit report once every 12 months (so you can get one credit
>  report from each company all at once, or you can request a report
>  from one of the companies every four months to be on the lookout
>  for problems). Unfortunately, the credit reporting companies
>  were given quite some time to roll out the service to the entire
>  country, so although people in western and midwest states can
>  request their free credit reports right now, people in the south
>  must wait until 01-Jun-05, and those of us in the eastern states
>  must wait until 01-Sep-05. (Some states - Colorado, Georgia,
>  Maine, Maryland, Massachusetts, New Jersey, and Vermont - also
>  require that residents be allowed to request one or two free
>  credit reports each year.)
>  Our friend said she'd used another service called
>, which gives you a free credit report,
>  but requires that you sign up for a slew of fee-based credit
>  reporting and monitoring services that could be useful,
>  particularly if you wanted to be informed about changes to
>  your credit report over time. You can (and I did) cancel the
>  membership without paying anything - hence the "free" aspect
>  of the credit report, and of course, you can pay about $10
>  for a credit report if you don't want to play the "cancel my
>  membership" game. Luckily, my credit report showed nothing of
>  significant concern, though they apparently think I'm a year
>  younger than I am. I'll have to fix that at some point. It's
>  entirely likely that other problems haven't shown up yet, and
>  I plan to start running regular credit reports in September.
>**Lessons Learned** -- In this day and age, shopping on the
>  Internet is simply a fact of life for many people. I don't
>  believe that using a credit card on the Internet is any more
>  or less likely to result in credit card number theft than using
>  it over the phone or in person, but the more you use credit cards,
>  the more likely it is some miscreant will obtain your number and
>  abuse it. It's mostly an annoyance with credit cards (though not
>  necessarily with debit cards!), since your liability is limited
>  to $50 in the United States, and I've never heard of anyone ever
>  being charged even that. But the hassle factor can be large, as
>  our experience proved, and credit card fraud could be the first
>  step in a more complete identity theft. So, I recommend the
>  following precautions.
>* Review your credit card statements every month, and make sure
>  you made every purchase. Thieves often charge a small amount,
>  like our $19.95 fee for Yahoo Personals, to see if you're paying
>  attention (and if you're not, the purchases will increase).
>* Always keep email receipts for online purchases for reference
>  purposes, and if you anticipate wanting to look back to what
>  you've done in the past on the Web, use a browser like OmniWeb
>  or a utility like St. Clair Software's HistoryHound to record
>  your tracks.
>* Although we still have no idea how our credit card number was
>  stolen, wallet thefts are a common way for this to happen. To
>  simplify canceling credit cards and other accounts in the event
>  of such a theft, photocopy the contents of your wallet and store
>  those pages in a safe location.
>* Keep a list of all automatic withdrawals from your credit card
>  in the event you have to cancel the card. Also remember to write
>  down merchants (like the iTunes Music Store) that might have
>  your credit card number stored for sporadic use.
>* If you're in the U.S. (other countries may have similar
>  practices), be sure to take advantage of the free credit reports
>  to make sure all the information is correct, and if you find
>  incorrect information, make sure to fix it promptly. Visit the
>  Federal Trade Commission Web site for additional suggestions
>  and links to useful resources:
>  Many instances of credit card number theft may not be within
>  your sphere of influence. The Register has an article listing
>  a number of stories of large businesses, educational institutions,
>  and other organizations losing control of sensitive personal
>  information in this month alone. There's nothing you can do
>  about such situations (apart from checking data security practices
>  when possible), but some common sense and effort on your part can
>  reduce the impact of credit card number theft if it does happen
>  to you. I got off easy this time, and I hope this is the end of
>  the story (for a much more exciting story of credit card number
>  theft, read the page at the second link below).

R. A. Hettinga <mailto: rah at>
The Internet Bearer Underwriting Corporation <>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

More information about the cypherpunks-legacy mailing list