Slashdot Mirror
Dealing with Internet Credit Card Fraud?
Where's My CreditCard asks: "Recently There has been a large increase in the amount of press relating to identity theft and the related crimes. I have recently been subject to several fraudulent transactions on my credit card and debit card through the internet. It has been over a month and my bank is still stringing me along saying it will take up to 10 weeks to get my money back. What have other on Slashdot done in this type of situation. What is the best way to keep things moving forward?"
My answer has been to never use my debit card on the internet. Why give out something that provides instant access to your bank account, when a credit card should always be sufficient? Credit cards put the primary risk on the credit issuer, not on your bank account.
I use a technology credit union.
http://www.1sttech.com/
If I have a problem I call them and fax in a chargeback form. The money is returned the next day. I've only had to do it twice but it was very easy.
--Chris
Your debt card should never be used for anything other than cash withdrawal at the ATM. I pay my credit cards off each month, so I treat it as a convenient version of my checkbook. As a credit card, I am protected from fraudulent use - a maximum $50 liability without any special 'identity protection' program. Your debt card has none of this... In practice, my wife had her credit card number nicked. She audits our account each statement and caught it right away. (One of the advantages of on-line statements, btw) The credit card company canceled the card, issued a new one, and reversed all the charges. The longer delay between the time you figure out the theft and report it, the more you will pay out of your own pocket.
+++ UGUCAUCGUAUUUCU
change cards to someone.
Vote with you feet. If they don't provice a decent service move.
Also you say what country you're from so we can't give any legal advice.
Several Credit Card companies, including CitiCard, will allow you to generate a one time use only virtual credit card number. CitiCard's is especially nice, because you can set a limit to how much can be charged to that number.
In the case of unauthorized use of your card, you should report the fraud to one of the major credit bureaus:
TransUnion: 800-888-4213
Equifax: 800-525-6285
Experian: 800-397-3742
While you're at it check out http://www.ftc.gov/ for more information about your rights in resolving credit card problems.
In the uk, you can threaten them with going to the ombudsman if you think that things are taking too long. http://www.adviceguide.org.uk/n6m/index/your_right s/civil_rights/how_to_use_an_ombudsman/index/your_ rights/civil_rights/how_to_use_an_ombudsman.htm Shows you how they are used in the UK. Looks like an ombudsman is a lawyer, so if you cannot find one, maybe a Lawyer will do.
I'm just here to regulate Funkyness
I have a MasterCard type debit card. Late last year, someone got ahold of it's info (including the 3-digit code form the back). I suspect that it may have been related to an insecure form I submitted for an online purchase. I noticed 2 charges that I didn't recall making on my (online) statement; they totaled a bit over $200. After contacting my bank, they suggested I first try to contact the businesses that charged the card, then come back to them if I had any difficulty. They assured me my maximum liability was $50, and issued me a new card with a new number. So, armed with a pair of phone numbers, I called the two businesses: one was a phone-card seller, and the other issued prepaid debit cards. In two weeks, all my funds had been returned. A few weeks later, my bank's investigations unit contacted me to ask if I knew anyone in Lansing, MI, where the charges had originated. I answered "no," as I'm not sure I've ever known a Michigander (or whatever). And that was the last I've heard of it. Scary, but not as awful as it might have been.
Ceci n'est pas un post.
I had this happen to me. My debit card is also a some-time credit card. I used it for a web purchase in 2000. I found out that charges (for "male enhancement pills", no less!) had been made to my card.
My bank was USELESS. The same 10 weeks, no protection, we don't really care, and are actually rather annoyed that we have to find these forms for you to fill out.
The online company got wind of it (I presume through the bank), CALLED me, said "hey, where you ever in Khazakstan? No? Okay, this is obviously fraud. We'll credit you back right now."
Weeks later I received a letter from my bank saying "we are dismissing your claim because the money has been returned." Yeah, thanks for nothing!
Contrast that with my credit card*:
A week after I rented a Budget rental truck (in MD) I notice a $5 charge from Budget in Colorado. Total red flag. I call the credit card company and they said "we'll take care of it." They did.
*-note, this could have been dumpster diving or internal Budget fraud; not necessarily online fraud. However I did book the truck online which is why I assume its internet fraud.
In the future, I would want to not be isolated from my friends in the Space Station.
This happened to me about 4 years ago...
I had a bogus $400 charge show up on my checking account debit card. I saw the charge almost immediately (about two days after it happened) because I routinely monitor my checking account from online daily. I contacted the bank and the police. The police told me that they couldn't take the report unless the bank initiated it. The bank said they would start an investigation, which they did. In the meantime, they put $400 back in my account.
My statement to the bank was as follows:
My debit card has never been missing
My debit card has never been used by anyone other than myself
No one else knows my pin number (not even my wife)
I had never used the ATM where the charge was recorded (the bank sent me a statement from some third party bank showing the address of the ATM and the transactions that had been attempted. There were 8 tries late at night for different amounts, starting at $1100 and going down until the $400 transaction worked).
About 4 months later (after bugging them about once a week to find out what was going on), the bank came back and said the transaction was valid because a debit card had been used to make the transaction and so they were taking their $400 back. This is actually what they said, even after I had told them that I had not used my card for the transaction and the pattern of transactions obviously showed that someone was fishing for an amount that would be accepted.
As far as the bank was concerned, case closed. Fortunately for me, I had the foresight to marry a lawyer. Being a personal injury attorney, my wife was somewhat familiar with the rules the bank had to follow in a situation like this and luckily for us one of their duties was to perform a timely investigation, which had been defined in our area of the world as within 45 days. So, only because they took so long we were able to make them hand us back the $400.
However, in the course of our investigation, we learned a number of things I found quite fascinating. First, we found out many (if not most) ATM cameras are no longer maintained. So, a lot of the time there is no visual record of who is using the ATM machine. Second, the bank didn't consider the pattern of tries to be significant, as they felt it was only an attempt by me to fool them into thinking it was someone else(and obviously ignoring the fact that by the same logic if I was trying to defraud them, I would have also said my card had been stolen or lost). Third, the only place I had EVER used my pin prior to this transaction was at the local grocery store. I mean EVER. I am very careful about where I use my pin and up to that point I had only ever used it at the local grocery store (I had never even used it at the bank's ATMs). This probably means someone at the store saw me enter the pin (probably using the store's surveillance cameras) and had enough access to my bank's debit card information to create a new card using my account number and pin. This last part is speculation but I don't know of any other way they could have used a real debit card to make the withdrawal. Unless, of course the bank was lying to us and their computers had been hacked (but in that case, why the multiple tries?). In any case, we concluded something out of our control was wrong at the grocery store and/or the bank, so we stopped using the store and changed banks.
Since then, we keep two checking accounts at our current bank: One for the money and one for the debit card. We keep a minimum balance for day-to-day purchases (gas, food, etc.) in the debit card account and we plan big purchases and ALL online purchases in advance by transferring the money from the money account to cover the purchase right before we make it. At least that way the debit card has a lowered risk because the balance is always very low and the other account is only accessed through the bank's computer. Yes, I know it isn't perfect, but it is better than having all of our cash exposed.
The NSA: The only part of the US government that actually listens.
I have had a paypal account for a long time, I know almost instantly what's happening on it just by hitting the website. They do have credit and debit cards as well. If I don't like a charge I am on the phone to them and they deal with it. Also a lot of online sellers are taking paypal directly.
- Disclaimer, I don't work for Paypal.
Sorry about the writing. Robot fingers, you know? Cliff Steele in DOOM PATROL #23
Your financial institution is required by law (in the U.S.) to either resolve any EFT (debit or credit) dispute within 10 business days or, if it has not been able to resolve the dispute, provisionally credit your account with the amount in question until it is able to do so.
IAAB.
Marxist evolution is just N generations away!
I'd never get a debit card! A Visa hose for a clerk at a store to steal? Jeez, you asked for it.
"This mission is too important to allow you to jeopardize it." -- HAL
Put yourself in their shoes. Suppose somebody called you up and said, "You owe me $1000 because ..." Never mind the "because", it's a reason that might or might not be valid. Are you immediately going to write them a check? No, you're going to carefully examine their claim, check the facts, maybe talk to a lawyer. Why should your bank be any less careful? Because they have lots of money? They soon won't have any money at all if they give it away to anybody who claims they deserve it.
I believe for real banks there is a federally imposed time limit for adressing fraudelent use of your account, and it certainly isn't 10 weeks.
I had my credit card attached to my paypal account, and someone broke into my paypal account and emptied it (thereby cleaning out my credit card and bank account). I called paypal who wanted me to fill out tons of forms, get them notorized, snail mail them in, and wait 90 days for a judgement. And this AFTER they admitted it was due to their lowsy security.
So I called my bank and said "paypal ripped me off." The bank had my money back in my account the same day, and they went after paypal to get paid back.
If you're bank is really going to make you wait 10 weeks, you need a new bank. You can always deal with Visa or Mastercard or whoever directly and they're pretty good about getting your money back.
or else!
I know this is getting a little off topic but I don't have a credit card, and yet purchasing books saves you a TON of money (30-70%) if you buy online. So how do I do it? Of course I could get someone to buy it and I would pay them back - OR - I could go into a store and put money on the gift card, and then I could go home and use that gift card's # to purchase my books, and I end up saving a lot of money. So if you're so paranoid that you don't even want to use a credit card or a bank card, try to look for other ways to pay for stuff, because it's possible you can do it with gift certificates.
(I work for a major credit card processor, First National Merchant Solutions. We represent businesses on the other side of these kinds of disputes -- we process cards for merchants, and we must *answer* chargebacks like this one.)
I'm a little confused by whether this is a Visa/Mastercard issue or a debit network issue. Debit networks (Interlink, Maestro, AFFN, Shazam, Cash Station, Tyme, Star, Mac, NYCE, Pulse, Accel, Honor, etc.) require both the card and the pin number be present at the point of sale, so if these were Internet merchants then these are not debit sales.
(If someone else has more information about debit cards, please reply. We are trained to believe that these debit networks are only available card-present with pin. If that's wrong -- if people can take debit network account numbers over the Internet -- cards which are not also Visa/Mastercard/Discover/AMEX/JCB/International Diners/Novus etc. -- please let me know.)
So in the absence of more information, I would say because the transaction is over the Internet, and the original poster seemed to indicate it was also a debit card, it's probably been processed either as a Visa or a Mastercard.
If that's true, here's the flow of events:
1) Customer notices a fraudulent charge. They notify their bank, and their bank issues a chargeback with a reason code of something like M85 (Fraudulent Transaction - No Cardholder Authorization)
2) Along with the chargeback, the bank who issued the customer's card sends a debit to the merchant's processor (a company like us). So in accordance with the rules, the bank now has the customer's money back in their hands.
3) The bank provisionally credits those funds to the customer. This isn't risky (in case the customer was lying) because if regulations say the bank must pay the merchant back, the bank is responsible for collecting those funds from the customer. (So if the customer closes their account and flees to Mexico or something, the bank still has to pay.)
4) The merchant's processor (again, a company like us) usually then bills the merchant the amount of the chargeback, and notifies them that a chargeback has been filed against them. The merchant then has some time (30 days? 45 days?) to prepare their case, and submit documentation defending their charge.
5a) If the merchant doesn't respond, or the documentation they provide is obviously faulty ("But this gentleman from Nigeria sounded so honest!"), no response is sent. The time to respond to the chargeback case expires, and the bank (and customer) get to keep the money. STOP
5b) If the merchant does respond, with documentation which proves the charge really was authorized, the merchants processor (a company like us) sends the documentation back to the bank, along with a debit which takes money back from the bank and gives it back to the merchant.
6) The customer's bank now has documentation which explains both sides of the story. I don't know what really goes on here, but I assume the bank consults with the customer and tries to get more information from them. The bank is then given some time (30 days? 45 days?) to respond back.
7a) If the customer sees the documentation and says "oops, sorry, I guess I did authorize that one, never mind" then the bank just doesn't respond, and the chargeback drops. STOP
7b) If the bank talks to the customer and finds out the charge really *is* unauthorized, the bank debits money *again*, and things go back to the merchant for the last time.
8) The merchant's processor consults with the merchant, and they decide what they want to do. If the merchant wants to dispute the bank's second decision:
9a) If the charge is a Visa, that second chargeback is actually a "pre-arbitration notice", where the bank is stating that they're prepared to go to Visa for a (costly) independent arbitration. They're *sure* they're right. If the merchant (and their processor) are also *sure* they're right, and no agreement can be reached, the case goes to arbitrati
My debit number was stolen and $600+ of vitamins and other drugs were charged to my account. I tracked down the company, though they were in another country. Before I could call my bank, they called me first, saying they suspected fradulent activity. I called them back, launched an investigation, and the funds were returned to my account almost immediately. That's how a bank should work: to protect its clients and resolve all problems immediately. This is the reason I am nervous about smaller banks and credit unions, because I'm unsure whether they could provide the same level of service.
:)
As for using cards online, I now make sure that the website is absolutely secure and reputable. I still don't know how my number was stolen, but that's history now!
A blog like any other.
If you have a Visa/MasterCard debit card (or check card) you are protected from fraudulent charges as long as your report them within 60 days. In fact, money should be back in your account within 2 business days.
There are a few ways to use a debit card.
Straight debit cards don't have MC/Visa logos. They are basically ATM cards. They have 2 uses...
1) ATM - withdraw cash, use to access account for deposit, check balance, etc.
2) Point of Sale - Stores with those PIN Pads where you swipe the card yourself, you can usually use them there.
Either way, card and pin must be used. The network being used in the case of a point of sale is going to be something like NYCE, Star, Honor, MAC, Maestro, or Interlink.
With the check card, or Visa/MC branded debit card, things are different. The ATM method is still useable, but the POS option divides:
1) Debit / PIN Based - you swipe the card yourself, and enter a pin on the pad. No signature. This is through the network like like NYCE, Star, Honor, MAC, Maestro, or Interlink. Funds are withdrawn immediatly (like that second).
2) Credit / Signature Based - like a credit card, the card is swiped or keyed in (by you or the clerk), and then you sign the reciept / sign the signature box with a stylus. Now, the network here is Visa or Mastercard. The funds are "held" by the bank, and appear withdrawn, but are actually taken out a couple days later (usually).
Either way, you are paying for what you bought.
The only difference is that the Visa/MC option means you can use your card at more places (places without PIN pads, restaraunts, online, etc.) It also means you don't have to know your PIN (there are people with check cards who don't know their pin, but use them since you can just sign... kind of dumb because you won't be able to use an ATM without a PIN, but hey...)
Now, the real difference between credit and debit choice is protection.
Yes - debit is faster in some cases (no signing), and you can get cash back... but you lose protections you get with the Visa/MC transaction
1) *ZERO* Liability for fraudulent charges: This includes lost/stolen card, card number stolen, if the clerk skimmed the card, etc. You do not have to pay $50 under the current Visa/MC regulations. You pay 0.
2) Fund replacement - you get the money back within 2 business days. Some banks do it in 1 business day.
Now you may have to agree to sign something stating that you are not lying about your card stolen, and that you'll help the bank prosecute whoever stole / used the card fraudulently if they are caught. That's not a big deal (besides, wouldn't you want to help get the person who stole your card punished?)
Personally, I am confident in using my Visa Check Card, online and offline, because of the zero-liability policy.
Offline, though, I always use credit (unless it is a place like Walgreens, Supermarket, etc, where you can get cash back with debit and I actually need to do this. Using credit is just safter to do.
The problem here is that using credit, a fraudster can easily use the card.
SIGN YOUR CARD[S] - this means if it is stolen the thief can't just sign it. Writing "see id" is not acceptable (they can REFUSE your card... don't believe me, check the Visa website.)
First of the month, I received a BoA credit card statement. Problem is, I don't HAVE a BoA card! I immediatly called their customer service phone number. Woman on the line wanted to know all of my personal info - SSN, mother's maiden name, etc. Which I refused to give out; I've never had one of their cards, never applied - there is NO WAY they could verify this information. The woman refused to help, refused to allow me to speak to a supervisor, refused to give me contact info for their legal dept., and refused to identify herself. Immediatl upon hanging up on this useless individual, I wrote a letter to BoA and contacted my lawyer. This was over two weeks ago and I haven't heard anything yet. Tuesday, certified letter documenting all this go out to the Better Buisiness Bureaus and the State attorney generals of the related states, the credit bureaus, as well as one to BoA demanding followup.
Chaos maximizes locally around me.
Why not use a virtual account number from Citi? With this you do not have to give your card details when you shop online - they let you generate a virtual credit card number to make purchases online - you can also set a limit for the transaction if you want to reduce your exposure further. I think MBNA and Discover have something similar.
My company has a merchant account, which allows us to process credit cards. The number one thing we get fraudulent orders for is Linux based Virtual Private Servers (VPS). Last week we got orders for two VPSs. The orders claimed to be from different people, but used the same root password and were from the same IP address in Russia. The orders were also both placed twice.
I decided to try tracking this down on our end to see where we could lead it. I called our merchant processor with what they call a "code 10", but the result of that call was basically just that they would tell me what bank had issued the cards and what the phone number to that bank was. Both cards were issued by Citibank.
After spend around 30 minutes on the phone with Citibank, all they would do is verify if I had the correct information for the account, and tell me that they wouldn't do anything unless the card-holder called in.
The interesting thing was that on one card the expiration date was wrong. I don't know how my merchant processor authorized the charge with the wrong expiration date. Also, the phone number on both was wrong, but it was correct in the first 6 digits, it was just the last 4 that were different. I wondered if the person making the charge was using VoIP to make it appear that they were in that area when actually they were in Russia.
We ended up reaching one of the actual people by phone that afternoon, and they confirmed that they had not made this charge, the phone number was incorrect, and they also said that they weren't using that card actively at the moment. The other person I couldn't track down by other means, so we sent them a letter.
I find it extremely odd that, as a merchant there is relatively little I can do when I get a fraudulent charge. I guess maybe I should report it to the police and see if there's anything they want to do with it. Citibank couldn't have cared less, no requests for the IP addresses the charges were made from, etc.
If I were to get screwed by a credit card company for charges I didn't make, I'd probably start looking at things like this that make it clear they don't really follow up on this fraud, which could be seen as negligence. Particularly if they had authorized a charge on a card with the wrong expiration date and/or billing phone number, I'd wonder what they're doing to earn their cut in the first place.
Sean