Stolen Credit Card Numbers and Companies with a Clue (was Re: TidBITS#772/28-Mar-05)
rah at shipwright.com
Mon Mar 28 21:20:13 PST 2005
At 5:48 PM -0800 3/28/05, TidBITS Editors wrote:
>Stolen Credit Card Numbers and Companies with a Clue
> by Adam C. Engst <ace at tidbits.com>
> Credit card number theft is one of those events that seems
> to happen only to other people... until it hits you. That
> just happened to me, and the repercussions proved a bit more
> instructive and far-reaching that I would have initially
>**Awkward Dating** -- The first hint that something was wrong
> came when Tonya was reviewing the charges on the MasterCard we
> use solely for business purchases. There was a $19.95 charge to
> something related to Yahoo, but it wasn't possible to tell exactly
> what service from the limited information on the credit card
> statement. Tonya knew she hadn't ordered anything online that
> could have generated such a charge, and when she asked me, I
> couldn't remember anything either. To verify that I wasn't simply
> losing my memory, I searched all my received email around the
> date in question, and even went so far as to search my OmniWeb
> history for Yahoo URLs around the date.
> The situation was becoming more curious, so Tonya called the
> phone number on the credit card statement, and waited on hold
> for a while. As she waited, she realized that what she had
> called was Yahoo Personals - Yahoo's online dating service.
> She immediately yelled for me to get on the phone, figuring
> that the whole situation was just going to generate snickers
> for the customer service people if they heard a wife calling
> to find out about a dating service charge on her husband's credit
> card. I was good and refrained from making jokes about how I
> didn't even get any dates from Yahoo Personals once the customer
> service people came on the line.
> It took a little back and forth with Yahoo's customer service
> people, since we weren't willing to give them much more personal
> information, some of which they claimed they needed to look up the
> account that had made the charges. Eventually we got them to tell
> us that the Yahoo Personals account did indeed have the same user
> name as my My Yahoo account (I immediately changed that account's
> password, just for good measure), but that the birth date listed
> with the Yahoo Personals account did not match either of our birth
> dates. That was sufficient for them to cancel the account and
> refund our money.
>**Cleaning Up from Cancellation** -- The Yahoo Personals customer
> service rep recommended that we cancel the credit card used, which
> we were already planning as the next call. Our credit card issuer
> was totally on top of it, cancelling the card and issuing us
> another one before we'd even had a chance to explain the full
> situation. Tonya keeps records of merchants that are automatically
> withdrawing from that credit card, so next she reset all of those
> accounts. The morning was shot, but it seemed that we were out
> of the woods. Unfortunately, it wasn't to be.
> A few days later, Tristan and I were out driving when I remembered
> that our other car likely had a flat tire due to a slow leak I'd
> been monitoring. That normally wouldn't have been an issue, but
> Tonya had an appointment before we would be home, and I wanted
> to alert her to blow up the tire and to remember her cell phone
> in case she needed me to come change the tire while she was out.
> In New York State, it's illegal to drive while talking on a cell
> phone unless you're using a hands-free system, so I pressed the
> speed-dial number for home and handed Tristan the phone so he
> could give her the message. A few seconds later he gave me back
> the phone, saying "It's being weird." I pulled over and listened,
> and indeed, I'd somehow ended up with Verizon Wireless customer
> service. I hung up and tried again, and got them again. This time
> I waited until I could talk to a person, who promptly informed me
> that they had disabled our service because the monthly bill had
> been rejected by our credit card - apparently one auto-withdrawal
> had slipped past Tonya's record keeping. Luckily, I was able to
> use another phone later to walk Tonya through inflating the tire,
> but the credit card fraud was increasing in annoyance.
> The next week Tonya managed to get the account reinstated, and
> protested sufficiently vehemently when Verizon Wireless tried
> to charge a $15 fee for doing so that they waived the charge.
> She pointed out that it would have been trivial for them to notify
> us via voicemail or text messaging that our auto-withdrawal had
> failed, but needless to say, the customer service drone couldn't
> do anything but forward the feedback (if even that).
> That wasn't the end of the bother, though the next one was purely
> my fault. I'd set up a Google AdWords account for Take Control
> that also withdrew money from that MasterCard, and I'd forgotten
> to inform Tonya that it needed to be added to the list of auto-
> withdrawal services. As you'd expect, the next time Google tried
> to charge money to the card, it was rejected, too.
> But here's the difference between Verizon Wireless and Google.
> Where Verizon Wireless didn't bother to inform us that they'd
> disabled our service and thus caused us unnecessary trouble,
> Google sent me a nice email message, informing me of the problem,
> telling me that they'd temporarily disabled our ads, and giving
> me a link to my account so I could enter a new credit card number.
> The entire process took only a couple of minutes, and most of that
> was exclaiming to Tonya about how Google had a clue in comparison
> to Verizon Wireless.
>**Following Up on the Credit Report** -- We were relating this
> story to a friend over dinner the other day, who said she'd had a
> similar thing happen. In her case, though, the fraud had included
> the perpetrator changing the billing address related to the card,
> so she hadn't even received a tip-off statement. She recommended
> that we run a credit report as well, just to make sure any
> additional hanky-panky wasn't going on with our finances.
> A bit of investigation revealed that recent U.S. legislation
> requires the three major credit reporting companies - Equifax,
> Experian, and TransUnion - to provide anyone who asked with a
> free credit report once every 12 months (so you can get one credit
> report from each company all at once, or you can request a report
> from one of the companies every four months to be on the lookout
> for problems). Unfortunately, the credit reporting companies
> were given quite some time to roll out the service to the entire
> country, so although people in western and midwest states can
> request their free credit reports right now, people in the south
> must wait until 01-Jun-05, and those of us in the eastern states
> must wait until 01-Sep-05. (Some states - Colorado, Georgia,
> Maine, Maryland, Massachusetts, New Jersey, and Vermont - also
> require that residents be allowed to request one or two free
> credit reports each year.)
> Our friend said she'd used another service called
> FreeCreditReport.com, which gives you a free credit report,
> but requires that you sign up for a slew of fee-based credit
> reporting and monitoring services that could be useful,
> particularly if you wanted to be informed about changes to
> your credit report over time. You can (and I did) cancel the
> membership without paying anything - hence the "free" aspect
> of the credit report, and of course, you can pay about $10
> for a credit report if you don't want to play the "cancel my
> membership" game. Luckily, my credit report showed nothing of
> significant concern, though they apparently think I'm a year
> younger than I am. I'll have to fix that at some point. It's
> entirely likely that other problems haven't shown up yet, and
> I plan to start running regular credit reports in September.
>**Lessons Learned** -- In this day and age, shopping on the
> Internet is simply a fact of life for many people. I don't
> believe that using a credit card on the Internet is any more
> or less likely to result in credit card number theft than using
> it over the phone or in person, but the more you use credit cards,
> the more likely it is some miscreant will obtain your number and
> abuse it. It's mostly an annoyance with credit cards (though not
> necessarily with debit cards!), since your liability is limited
> to $50 in the United States, and I've never heard of anyone ever
> being charged even that. But the hassle factor can be large, as
> our experience proved, and credit card fraud could be the first
> step in a more complete identity theft. So, I recommend the
> following precautions.
>* Review your credit card statements every month, and make sure
> you made every purchase. Thieves often charge a small amount,
> like our $19.95 fee for Yahoo Personals, to see if you're paying
> attention (and if you're not, the purchases will increase).
>* Always keep email receipts for online purchases for reference
> purposes, and if you anticipate wanting to look back to what
> you've done in the past on the Web, use a browser like OmniWeb
> or a utility like St. Clair Software's HistoryHound to record
> your tracks.
>* Although we still have no idea how our credit card number was
> stolen, wallet thefts are a common way for this to happen. To
> simplify canceling credit cards and other accounts in the event
> of such a theft, photocopy the contents of your wallet and store
> those pages in a safe location.
>* Keep a list of all automatic withdrawals from your credit card
> in the event you have to cancel the card. Also remember to write
> down merchants (like the iTunes Music Store) that might have
> your credit card number stored for sporadic use.
>* If you're in the U.S. (other countries may have similar
> practices), be sure to take advantage of the free credit reports
> to make sure all the information is correct, and if you find
> incorrect information, make sure to fix it promptly. Visit the
> Federal Trade Commission Web site for additional suggestions
> and links to useful resources:
> Many instances of credit card number theft may not be within
> your sphere of influence. The Register has an article listing
> a number of stories of large businesses, educational institutions,
> and other organizations losing control of sensitive personal
> information in this month alone. There's nothing you can do
> about such situations (apart from checking data security practices
> when possible), but some common sense and effort on your part can
> reduce the impact of credit card number theft if it does happen
> to you. I got off easy this time, and I hope this is the end of
> the story (for a much more exciting story of credit card number
> theft, read the page at the second link below).
R. A. Hettinga <mailto: rah at ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
More information about the cypherpunks-legacy