Dealing with Internet Credit Card Fraud?

Where's My CreditCard asks: "Recently There has been a large increase in the amount of press relating to identity theft and the related crimes. I have recently been subject to several fraudulent transactions on my credit card and debit card through the internet. It has been over a month and my bank is still stringing me along saying it will take up to 10 weeks to get my money back. What have other on Slashdot done in this type of situation. What is the best way to keep things moving forward?"

Why use debit on the internet?

[Asgard]

My answer has been to never use my debit card on the internet. Why give out something that provides instant access to your bank account, when a credit card should always be sufficient? Credit cards put the primary risk on the credit issuer, not on your bank account.

Re:Why use debit on the internet?

[1967mustangman]

Amen to that. Debit cards are so much more dangerous then a credit card. ON a credit card at least you can cancel the card and dispute the charges. The only thing I ever use my debit card is for getting cash from an ATM machine (and shopping at the one major grocery store I know of that does take credit).

Re:Why use debit on the internet?

[Old+Uncle+Bill]

Who do you bank with? My bank provides instant rollbacks on unauthorized transactions on my debit card, just as the credit card companies. I get all the benefits, they take all the risk. And yes, I have had to test this. Some clown in Texas used my debit card to charge $400 in DSL fees. Called the bank and had the money back in my account in 15 minutes.

Re:Why use debit on the internet?

[ebrandsberg]

Uh... Maybe because not everybody HAS credit cards. If you have ever had issues with credit as a result of say... a tech stock downturn, or divorce, you would realize that credit cards are not given to everybody instantly. Many of use are forced to use debit cards. Just like many people will want to use CASH (you know that old paper stuff) for their transactions, don't assume everybody uses credit cards or even checks.

Re:Why use debit on the internet?

[Tricot]

Reg E limits the liabilty that you have when using your debit card

Ahh.. but the fundamental difference between a debit and a credit card is that on a debit while the fraudulent charge is being contested, the money isn't in your account. He said the bank told him it will be up to 10 weeks before he gets his money back. I've heard of horror stories where it takes over 6 months and (cumelatively) 20 or 30 hours on hold before the money is put back in your account. I remember protesting strongly that I didn't want that Visa/MC symbol on my ATM card for that very reason, but pretty much no bank offers an ATM card without it any more. (It's too big a profit center.)

Re:Why use debit on the internet?

[MarkGriz]

"Uh... Maybe because not everybody HAS credit cards."

While that is certainly true for some, I know several people that have credit cards, yet actually prefer to use a debit card.
I can't for the life of me understand why, particularly because with a credit card
1) I keep my money for an extra 25 days or so
2) I actually EARN money using it
3) I don't have to keep track of my usage to make sure I have enough money in the bank
4) I don't have to worry about any problems giving people direct access to my bank account

It's true that many banks have gotten better about providing protection of your account when fraud occurs, but I'd rather not worry about it. Besides, #1 and #2 are certainly enough incentive to use credit over debit if you have the choice.

Don't use a debt card on the net...

[(H)elix1]

Your debt card should never be used for anything other than cash withdrawal at the ATM. I pay my credit cards off each month, so I treat it as a convenient version of my checkbook. As a credit card, I am protected from fraudulent use - a maximum $50 liability without any special 'identity protection' program. Your debt card has none of this... In practice, my wife had her credit card number nicked. She audits our account each statement and caught it right away. (One of the advantages of on-line statements, btw) The credit card company canceled the card, issued a new one, and reversed all the charges. The longer delay between the time you figure out the theft and report it, the more you will pay out of your own pocket.

Re:Don't use a debt card on the net...

[TykeClone]

Check out your bank's Reg E disclosure - if you catch fraudulent activity in a timely manner, your liability is also limited to $50 for the debit card.

Virtual Credit Card Numbers

[bofh31337]

Several Credit Card companies, including CitiCard, will allow you to generate a one time use only virtual credit card number. CitiCard's is especially nice, because you can set a limit to how much can be charged to that number.

In the case of unauthorized use of your card, you should report the fraud to one of the major credit bureaus:

TransUnion: 800-888-4213
Equifax: 800-525-6285
Experian: 800-397-3742

While you're at it check out http://www.ftc.gov/ for more information about your rights in resolving credit card problems.

Is there some sort of Ombudsman you can use?

[the_xaqster]

In the uk, you can threaten them with going to the ombudsman if you think that things are taking too long. http://www.adviceguide.org.uk/n6m/index/your_right s/civil_rights/how_to_use_an_ombudsman/index/your_ rights/civil_rights/how_to_use_an_ombudsman.htm Shows you how they are used in the UK. Looks like an ombudsman is a lawyer, so if you cannot find one, maybe a Lawyer will do.

My Own Experience

[the+darn]

I have a MasterCard type debit card. Late last year, someone got ahold of it's info (including the 3-digit code form the back). I suspect that it may have been related to an insecure form I submitted for an online purchase. I noticed 2 charges that I didn't recall making on my (online) statement; they totaled a bit over $200. After contacting my bank, they suggested I first try to contact the businesses that charged the card, then come back to them if I had any difficulty. They assured me my maximum liability was $50, and issued me a new card with a new number. So, armed with a pair of phone numbers, I called the two businesses: one was a phone-card seller, and the other issued prepaid debit cards. In two weeks, all my funds had been returned. A few weeks later, my bank's investigations unit contacted me to ask if I knew anyone in Lansing, MI, where the charges had originated. I answered "no," as I'm not sure I've ever known a Michigander (or whatever). And that was the last I've heard of it. Scary, but not as awful as it might have been.

Banks SUCK

[mekkab]

I had this happen to me. My debit card is also a some-time credit card. I used it for a web purchase in 2000. I found out that charges (for "male enhancement pills", no less!) had been made to my card.

My bank was USELESS. The same 10 weeks, no protection, we don't really care, and are actually rather annoyed that we have to find these forms for you to fill out.

The online company got wind of it (I presume through the bank), CALLED me, said "hey, where you ever in Khazakstan? No? Okay, this is obviously fraud. We'll credit you back right now."

Weeks later I received a letter from my bank saying "we are dismissing your claim because the money has been returned." Yeah, thanks for nothing!

Contrast that with my credit card*:
A week after I rented a Budget rental truck (in MD) I notice a $5 charge from Budget in Colorado. Total red flag. I call the credit card company and they said "we'll take care of it." They did.

*-note, this could have been dumpster diving or internal Budget fraud; not necessarily online fraud. However I did book the truck online which is why I assume its internet fraud.

My story

[It+doesn't+come+easy]

This happened to me about 4 years ago...

I had a bogus $400 charge show up on my checking account debit card. I saw the charge almost immediately (about two days after it happened) because I routinely monitor my checking account from online daily. I contacted the bank and the police. The police told me that they couldn't take the report unless the bank initiated it. The bank said they would start an investigation, which they did. In the meantime, they put $400 back in my account.

My statement to the bank was as follows:
My debit card has never been missing
My debit card has never been used by anyone other than myself
No one else knows my pin number (not even my wife)
I had never used the ATM where the charge was recorded (the bank sent me a statement from some third party bank showing the address of the ATM and the transactions that had been attempted. There were 8 tries late at night for different amounts, starting at $1100 and going down until the $400 transaction worked).

About 4 months later (after bugging them about once a week to find out what was going on), the bank came back and said the transaction was valid because a debit card had been used to make the transaction and so they were taking their $400 back. This is actually what they said, even after I had told them that I had not used my card for the transaction and the pattern of transactions obviously showed that someone was fishing for an amount that would be accepted.

As far as the bank was concerned, case closed. Fortunately for me, I had the foresight to marry a lawyer. Being a personal injury attorney, my wife was somewhat familiar with the rules the bank had to follow in a situation like this and luckily for us one of their duties was to perform a timely investigation, which had been defined in our area of the world as within 45 days. So, only because they took so long we were able to make them hand us back the $400.

However, in the course of our investigation, we learned a number of things I found quite fascinating. First, we found out many (if not most) ATM cameras are no longer maintained. So, a lot of the time there is no visual record of who is using the ATM machine. Second, the bank didn't consider the pattern of tries to be significant, as they felt it was only an attempt by me to fool them into thinking it was someone else(and obviously ignoring the fact that by the same logic if I was trying to defraud them, I would have also said my card had been stolen or lost). Third, the only place I had EVER used my pin prior to this transaction was at the local grocery store. I mean EVER. I am very careful about where I use my pin and up to that point I had only ever used it at the local grocery store (I had never even used it at the bank's ATMs). This probably means someone at the store saw me enter the pin (probably using the store's surveillance cameras) and had enough access to my bank's debit card information to create a new card using my account number and pin. This last part is speculation but I don't know of any other way they could have used a real debit card to make the withdrawal. Unless, of course the bank was lying to us and their computers had been hacked (but in that case, why the multiple tries?). In any case, we concluded something out of our control was wrong at the grocery store and/or the bank, so we stopped using the store and changed banks.

Since then, we keep two checking accounts at our current bank: One for the money and one for the debit card. We keep a minimum balance for day-to-day purchases (gas, food, etc.) in the debit card account and we plan big purchases and ALL online purchases in advance by transferring the money from the money account to cover the purchase right before we make it. At least that way the debit card has a lowered risk because the balance is always very low and the other account is only accessed through the bank's computer. Yes, I know it isn't perfect, but it is better than having all of our cash exposed.

Report them

[E_elven]

Your financial institution is required by law (in the U.S.) to either resolve any EFT (debit or credit) dispute within 10 business days or, if it has not been able to resolve the dispute, provisionally credit your account with the amount in question until it is able to do so.

IAAB.

Get real!

[fm6]

It has been over a month and my bank is still stringing me along saying it will take up to 10 weeks to get my money back.

Like so many Ask Slashdots, this one revolves around somebody's misperception that the world revolves around them. Ten weeks is not "stringing along". It's a reasonable period to investigate a serious fraud. You don't mention how much money is at stake, but I assume it's a substantial amount, or you wouldn't be so pissed off. In effect, they're handing that money over to you, money they're probably never recover. Do you really expect anybody to do that without checking everything out carefully?

Put yourself in their shoes. Suppose somebody called you up and said, "You owe me $1000 because ..." Never mind the "because", it's a reason that might or might not be valid. Are you immediately going to write them a check? No, you're going to carefully examine their claim, check the facts, maybe talk to a lawyer. Why should your bank be any less careful? Because they have lots of money? They soon won't have any money at all if they give it away to anybody who claims they deserve it.

Need clarification

[Michael+Spencer+Jr.]

(I work for a major credit card processor, First National Merchant Solutions. We represent businesses on the other side of these kinds of disputes -- we process cards for merchants, and we must *answer* chargebacks like this one.)

I'm a little confused by whether this is a Visa/Mastercard issue or a debit network issue. Debit networks (Interlink, Maestro, AFFN, Shazam, Cash Station, Tyme, Star, Mac, NYCE, Pulse, Accel, Honor, etc.) require both the card and the pin number be present at the point of sale, so if these were Internet merchants then these are not debit sales.

(If someone else has more information about debit cards, please reply. We are trained to believe that these debit networks are only available card-present with pin. If that's wrong -- if people can take debit network account numbers over the Internet -- cards which are not also Visa/Mastercard/Discover/AMEX/JCB/International Diners/Novus etc. -- please let me know.)

So in the absence of more information, I would say because the transaction is over the Internet, and the original poster seemed to indicate it was also a debit card, it's probably been processed either as a Visa or a Mastercard.

If that's true, here's the flow of events:

1) Customer notices a fraudulent charge. They notify their bank, and their bank issues a chargeback with a reason code of something like M85 (Fraudulent Transaction - No Cardholder Authorization)
2) Along with the chargeback, the bank who issued the customer's card sends a debit to the merchant's processor (a company like us). So in accordance with the rules, the bank now has the customer's money back in their hands.
3) The bank provisionally credits those funds to the customer. This isn't risky (in case the customer was lying) because if regulations say the bank must pay the merchant back, the bank is responsible for collecting those funds from the customer. (So if the customer closes their account and flees to Mexico or something, the bank still has to pay.)
4) The merchant's processor (again, a company like us) usually then bills the merchant the amount of the chargeback, and notifies them that a chargeback has been filed against them. The merchant then has some time (30 days? 45 days?) to prepare their case, and submit documentation defending their charge.
5a) If the merchant doesn't respond, or the documentation they provide is obviously faulty ("But this gentleman from Nigeria sounded so honest!"), no response is sent. The time to respond to the chargeback case expires, and the bank (and customer) get to keep the money. STOP
5b) If the merchant does respond, with documentation which proves the charge really was authorized, the merchants processor (a company like us) sends the documentation back to the bank, along with a debit which takes money back from the bank and gives it back to the merchant.
6) The customer's bank now has documentation which explains both sides of the story. I don't know what really goes on here, but I assume the bank consults with the customer and tries to get more information from them. The bank is then given some time (30 days? 45 days?) to respond back.
7a) If the customer sees the documentation and says "oops, sorry, I guess I did authorize that one, never mind" then the bank just doesn't respond, and the chargeback drops. STOP
7b) If the bank talks to the customer and finds out the charge really *is* unauthorized, the bank debits money *again*, and things go back to the merchant for the last time.
8) The merchant's processor consults with the merchant, and they decide what they want to do. If the merchant wants to dispute the bank's second decision:
9a) If the charge is a Visa, that second chargeback is actually a "pre-arbitration notice", where the bank is stating that they're prepared to go to Visa for a (costly) independent arbitration. They're *sure* they're right. If the merchant (and their processor) are also *sure* they're right, and no agreement can be reached, the case goes to arbitrati

The other side of this...

[jafo]

My company has a merchant account, which allows us to process credit cards. The number one thing we get fraudulent orders for is Linux based Virtual Private Servers (VPS). Last week we got orders for two VPSs. The orders claimed to be from different people, but used the same root password and were from the same IP address in Russia. The orders were also both placed twice.

I decided to try tracking this down on our end to see where we could lead it. I called our merchant processor with what they call a "code 10", but the result of that call was basically just that they would tell me what bank had issued the cards and what the phone number to that bank was. Both cards were issued by Citibank.

After spend around 30 minutes on the phone with Citibank, all they would do is verify if I had the correct information for the account, and tell me that they wouldn't do anything unless the card-holder called in.

The interesting thing was that on one card the expiration date was wrong. I don't know how my merchant processor authorized the charge with the wrong expiration date. Also, the phone number on both was wrong, but it was correct in the first 6 digits, it was just the last 4 that were different. I wondered if the person making the charge was using VoIP to make it appear that they were in that area when actually they were in Russia.

We ended up reaching one of the actual people by phone that afternoon, and they confirmed that they had not made this charge, the phone number was incorrect, and they also said that they weren't using that card actively at the moment. The other person I couldn't track down by other means, so we sent them a letter.

I find it extremely odd that, as a merchant there is relatively little I can do when I get a fraudulent charge. I guess maybe I should report it to the police and see if there's anything they want to do with it. Citibank couldn't have cared less, no requests for the IP addresses the charges were made from, etc.

If I were to get screwed by a credit card company for charges I didn't make, I'd probably start looking at things like this that make it clear they don't really follow up on this fraud, which could be seen as negligence. Particularly if they had authorized a charge on a card with the wrong expiration date and/or billing phone number, I'd wonder what they're doing to earn their cut in the first place.

Sean

Re:Bank of America SUCKS

[Katrina48]

I agree with you - I have had experience with this bank and they are not very user-friendly. I have continued my relationship with them but I constantly monitor my accounts online and when there are issues, I contact customer service immediately, jump through all their hoops to get the problems resolved, etc. One particular issue to watch for is if you lose a BOA credit card or it's stolen and the account has to be closed and they set up a new account, they will charge you a balance transfer fee in the process of setting up the new account. I have never run into that with any other bank.