Hard at work

Why I love, love, love Discover Card

This morning did not start well. My alarm didn't go off, I ripped up a toenail trimming it and later, when shaking the creamer for my coffee, discovered that whoever used it last -- hi _sister_madly_! :) -- failed to close it. I usually don't care to spend my mornings mopping the kitchen, but such is life.

So while sitting at the table, drinking my coffee and noting that Whitney Houston was back in rehab and scientists are finally seeing the light of distant planets, my phone rings. It wasn't my cell phone. It was my home phone. It was my home phone whose ringer I was trying to figure out how to disable a couple of days ago. I couldn't, so I put it on low. I only use that line for DSL. Only foul, corrupt creatures bent on luring me away from dinner with fantastic tales of this glorious timeshare I might like are calling that number (though not much since the Do Not Call list was put in place.) So I ignore the phone, not wanting to further ruin my morning by yelling at a salesman.

Then I realized it wasn't dinnertime. Salespeople never call me during the day, so I went ahead and answered the phone. And someone asked if it was I on the phone and I, like usual, refused to confirm it until I knew who they were and what they wanted.

They were the Discover Card fraud unit and had I been purchasing stuff at Costco? And at Vetsmart? And at a variety of other places? In the past two days?

Someone managed to steal my card number and rack up $2100.00 in charges in two days. I haven't used the card since November, so this was pretty obviously some suspicious behavior. After confirming that I had not made those purchases, Discover closed the account, marked it as "lost or stolen" on the credit report, transferred over the undisputed balance to a new account and I should have my new card in 7 to 10 business days. They expect to mail me a report of their investigation in a couple of weeks.

I am very, very impressed with Discover. I suspect they could have sat quietly on this and stiffed me for thousands in extra bills. As it stands, they're potentially eating a couple of grand. This makes me very happy they would do that.

So here's what I want to know: the purchases were all local. I haven't used my card since November and that was at a local Fred Meyer. How the hell did someone make a bunch of local purchases on my card? There are two options that I can see. Option one is dumpster diving for receipts. They could use this info and know I was local. Many companies still use credit card machines that print your number on the receipt. However, they usually don't get the expiration date. That, generally, if I recall correctly, requires someone to be standing there to collect that info when the card is swiped, either visually, running it through a separate reader or by altering the software (none of which is really hard.) Still, waiting four months to use my card? That seems odd, but I can't say I know the "credit card fraud" business.

The second, more likely option, is that someone managed to attack an online resource to steal credit information about me. I rarely, if ever, use my cards online, but it's not impossible for this to occur. Unfortunately, we need action at a national level to force companies to report security breaches immediately (or at least immediately report compromised personal information), and we desperately need for software manufacturers to be liable for malpractice. I see so many examples of bad code out there that I know how serious this problem is. Programmers are really, really ignorant about software security.

I also want to know how they're using the card in the local area. Did someone remotely sell my information to locals? Was it a local, inside job? Did someone spend a few bucks to purchase a magstripe writer? Hell, software to read magstripes is available as open-source and the author intends to add "write" capabilities soon. Pop on over to eBay, buy a magnetic stripe writer (and many of those come with the writing software) and you're good to go in the credit fraud business.

Card fraud is not as difficult as people think. Even without the aforementioned tactics, criminals used to covertly film customers entering their PINs at bank machines and then throwing their receipts away. By comparing the camera timestamp to the timestamp on the receipt (which frequently had the full bank account number), the thieves could write the numbers out to new cards and figure out the PIN by watching what people typed in the video. Today, sometimes they'll just watch you type in your number somewhere and mug you. It's much easier to rip people off when you have the card in your hand.

Your card numbers aren't showing up on paper as often as they used to, but if you see your full number, scratch off all but the last four digits. If the restaurant or other business asks you why, tell them. They do not have to have that number on the receipt. They may need the last four digits to match up your receipt, but that and the time is all they need. The full number is stored in the equipment they swipe the card through, and don't let them tell you different; I used to write software to process credit card info. Better yet, don't do business with companies that print out the numbers on the receipts, and tell them why.

This is bugging me. I wrote software for this, but it was so long ago that I can't remember all of the detail. I know that if the card is presented in person, no one ever checks the CVV/CVC number on the card. If you turn your card over, those are the extra numbers printed in the signature area; they can be used for extra security with online transactions, since you generally have to have physical possession of the card to know that number. Businesses that ask for that number online are not supposed to store it. Neither these numbers nor your PIN are stored in the magstripe, so that's a bit of extra security, but not much.

Hmm ... lots of stuff I should brush up on.

In any event, thank you Discover! You've made a horrible situation a happy one.
Great advice.

Once I stopped at a gas station to fill up, realized I left my ATM card at home so instead used a credit card to fill up. 15 minutes later, I kid you not, the credit card company called me to confirm that it was me using the card, since I rarely used the card and never for gas. Talk about on top of it!
Gas stations with pay-at-the-pump terminals are *very* popular as a place to test that a card is still valid, particularly if you rack up a very small amount on it.

I know a few long distance motorcyclists who've been nailed because they drive a few hundred miles, buy a few gallons of gas, then drive another few hundred miles and buy another few gallons of gas. To the card companies, this looks a lot like bad guy activity of "hey, is this card still good?" "okay, how about now?"
It always amazes me when they catch something and know that it is not likely a valid purchase. Two winters ago, Ryan's CC company contacted him about a $19.99 charge that they thought was fraudulent, and it was. How in the heck did they know that? It was impressive.

Although that same winter we went to buy a Christmas tree at Target and it was declined because they thought it was a fraud. Heh. I guess it seemed out of character for Ryan to purchase holiday decor?
Today, many companies use sophisticated artificial intelligence software to monitor people's purchasing habits and detect fraud. Inductive logic programming, neural networks and Bayesian networks are just some of the advanced techniques being used. It's the inductive logic programming aspect that really fascinates me. It's closely related to some software that I'm writing. While I still don't know much about it, it's fascinating in that it's software that learns. So, oddly enough, rampant fraud has been a huge boon to the field of artificial intelligence.
I've found that Citibank is very aggressive with their fraud checks - they contacted me a few times over the years about surprising transactions.

And I've actually *had* fraudulent transactions on both Amex and a Chase credit card and both companies were excellent about taking care of the whole issue. No hassle at all.

> I suspect they could have sat quietly on this and stiffed me for thousands in extra bills.

Well, no. You'd not be stiffed for so much. At most $50 and even then, only if you didn't report the card stolen. And even at that, I've never heard of anyone ever actually having to pay the $50.

OTOH, this is a nice cautionary tale and a reminder that credit cards are way more your friends than debit cards. If it had been a debit card that had been compromised, you *would* actually be out the $2100, potentially bouncing checks and not having cash available in your checking account, until you contacted the company and asked for your money back. And even then, they have no obligation (though it is common practice) to put the money back into your account until *after* an investigation.
Holy moly. Thanks for reporting an ethical practice. Nice to see for a change.
I think that Discover won't be out the money, actually. The store gets stuck with the bill, not them.
It scared me how easy it was. I used to work and program for a company that did gift cards and credit card processing. It scared me to see how easily the machines could be turned into credit card pumping machines, and to see how transactions were processed. Very easy to get the information. I really want to know how you caught them.

Not exactly
>> As it stands, they're potentially eating a couple of grand. This
>> makes me very...

Uh, sorry. As expert as you may be on cc processing, your facts on Discover eating a couple of grand are not correct. The reason banks & cc companies don't bother pursuing the perps is because they get a 100% write off on fraud losses. So if you knew the identity of the perps but were unable to personally intervene, no amount of asking, cajoling, begging, or otherwise attempting to get Discover or other CC companies to pursue arrests & prosecution would work unless they felt it would benefit THEM in some way, such as cracking a ring, making headlines, etc.

A 100% write off means the fraud doesn't cost them a cent in outlay, just hassle of changing entries in databases & cost of plastic & postage of sending out cards created, pressed & packaged for mailing through an automated system. The 100% write off means you & I & everyone reading pays for fraud because that couple grand in charges is a couple grand less in taxes they remit to the govt at end of their weekly tax payment period.

Want to see real action on cc fraud & identity theft? Remove the 100% write off over a 5 year period. Year 1, 80% write off instead of 100%; Year 2, 60% write off instead of 100%; Year 3, 40% write off instead of 100%, etc. Watch how fast banks & credit card companies suddenly become interested & cooperative in pursuing cc & identity fraud even on the smallest level. Watch how fast laws change to increase penalties & jail time for identity fraud & cc fraud thieves.

Want to see a perfect example? See what is happening with companies suddenly admitting their databases were hacked, like Choicepoint & Bank of America's data tapes loss? That's a direct result of California law that went into effect in January requiring disclosure to Calif residents if their data including identifying info like drivers license, ss # or cc # were compromised. News today, US banking dept, or similar agency regulating banks made it mandatory to disclose to banking customers if their info is compromised. This includes banks covered by FDIC, S & Ls & other categories of banks & financial institutions. Of course, the bank lobby worked in some exclusions that benefits them, but the new rule goes into effect immediately iirc, & will trigger many new disclosures about banking customer details being compromised. This will make big headlines in the months to come and will spur the banks to change practices & methods to more tightly control their data so they (very conservative businesses to begin with) can stay out of headlines that scream, "150,000 id theft victims at Bank X!" & similar. That's the last thing in the world a bank wants to be associated with as they are the last refuge of widows & orphans when it comes to money safety.

As to the cvv/cvc number checking in person, I had a cc processing machine myself around 98-99. I made sure it was Y2K safe (made the processing company guarantee it), but in all the cc processing I did, nowhere did I ever see, read, or get told about the number, or get given an option to manually input the number into the machine. From what I recall, the extra numbers on the back of the cards were there far earlier than 1998. So I don't know what the issue is about presenting the number in person. The number is visible to the merchant anyway when presenting the card in person because you are supposed to check the signature on the back. So the number can be read off the back by the merchant whether you want to give it to him or not, but what would he do with the number?

As to online purchases, the secure way to do it is to have the processing company validate the card; they issue a transaction number, & the transaction number is associated with the transaction in the merchant's database in real time, so the cc number, cvv/whatever number, & other cc details are never placed in the merchant's database. Only the transaction number is there for the merchant to refer to; everything else about the card is stored encrypted on the 3rd party cc processing company's computers. While not every merchant does it this way, I suspect there will be many merchants converting to this as one tactic to keep their distance from the Calif. disclosure law. Great job though!
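The flow this comment describes (the processor validates the card and hands back a transaction number; the merchant's records hold only that number), together with the earlier points that the CVV is never to be stored and receipts should show only the last four digits, as an added Python example that is not part of the original thread. The `Processor` and `Merchant` classes, the in-memory `vault` dict standing in for the processor's encrypted store, and the test card number 6011111111111117 are all constructed for illustration.

```python
"""Tokenized card handling: the merchant stores a processor-issued token and
the last four digits, never the PAN or the CVV.  All classes, names and the
test PAN used with this example are constructed, not any real system's code."""
import secrets
from dataclasses import dataclass, field


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit validation, the first thing a processor does with a PAN."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Receipt-safe rendering: everything but the last four digits hidden."""
    return "*" * (len(pan) - 4) + pan[-4:]


@dataclass
class Processor:
    """Stand-in for the third-party processor.  `vault` plays the role of its
    encrypted card store (a real one is HSM-backed); what matters here is which
    side of the boundary the card data lives on."""
    vault: dict = field(default_factory=dict)   # token -> (pan, expiry)

    def authorize(self, pan: str, expiry: str, cvv: str, amount_cents: int):
        """Validate the card, file PAN+expiry under a fresh token, discard the
        CVV.  Returns the token, or None if the card is rejected."""
        if amount_cents <= 0 or not luhn_ok(pan):
            return None
        if not (cvv.isdigit() and len(cvv) in (3, 4)):
            return None
        token = secrets.token_hex(16)        # unguessable, carries no card data
        self.vault[token] = (pan, expiry)    # the CVV is checked, never written
        return token


@dataclass
class Merchant:
    """Merchant side: its order records reference the token only."""
    orders: list = field(default_factory=list)

    def checkout(self, proc: Processor, pan: str, expiry: str, cvv: str,
                 amount_cents: int):
        token = proc.authorize(pan, expiry, cvv, amount_cents)
        if token is None:
            return None
        order = {"token": token, "last4": pan[-4:], "amount_cents": amount_cents}
        self.orders.append(order)
        return order


def card_data_leaked(orders: list, pan: str, cvv: str) -> bool:
    """True if any stored merchant order field equals the PAN or the CVV."""
    return any(pan in o.values() or cvv in o.values() for o in orders)
```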
"Programmers are really, really ignorant about software security"
> "Programmers are really, really ignorant about software security"

I was reading your story until I came across this quote of yours. Your presumptuousness shocks me. Most software developers that work on credit card processing software for e-commerce systems would make sure their work is of the highest quality. We are not ignorant when it comes to people's security, especially when it is personal information or credit card details.

However, I am not saying that this does not happen. In business these days many companies and corporations offer work to the lowest bidding developer. This shocking trend is becoming more and more apparent. At this point, I would like to point out the old cliche of "You only get what you pay for". Retailers who intentionally risk their customers' personal information just to save a few dollars on development costs should be more accountable than the developers themselves.

In the end it is most likely that the information was taken during an offline transaction or when you threw your details in the garbage without ripping them up. It is very rare (although probable) that your information was stolen through an online transaction and then used locally. So, in the end it would seem that your information was taken due to *your* ignorance and not from the ignorance of those evil software developers.
Re: "Programmers are really, really ignorant about software security"
You are correct that the information was probably obtained through some oversight of mine. That's the easiest way to obtain said information. However, I am quite willing to stand by my stance that most programmers are ignorant about software security. I've done too many code reviews on too many awful pieces of software to come to any other conclusion. Some programmers have vague notions about XSS attacks or buffer overflows. Others might know about language-specific attacks like null byte hacks or algorithmic complexity attacks, but few realize that software security is a process, not a feature. How many programmers can simultaneously discuss SQL injection attacks and social engineering? Both are frequently used to achieve similar goals.

And frankly, that's not really a slam against programmers in general. It's merely how the software culture seems to have evolved. There's very little emphasis on security. Most programmers just don't know anything about it.
Re: "Programmers are really, really ignorant about software security"
They probably got it just by playing the numbers online, then found one that worked, and after that made their own card.
Discover doesn't eat those charges...
Discover doesn't eat those charges, the retailer does.

For a huge company like Costco this is a problem but for really small retailers this is a HUGE problem.

Great huh?
Re: Discover doesn't eat those charges...
Yeah, except most of those large online purchases never ship out anyway; they call us to verify billing and shipping information. But if the store cannot prove that it was the true cardmember that made the purchase, then yes, they get charged back for it. I should know, I work for Discover Card's fraud prevention.
Re: Discover doesn't eat those charges...
If they would verify signatures - and possibly ask for ID - it wouldn't be an issue.

This is what the CC companies are trying to get ALL retailers to do... and if they don't - then consider the item a gift to the person who you didn't verify.

Don't fear, retailers have insurance as well. I would imagine for large frauds, they wouldn't lose much money. Besides - they didn't pay retail for the ill-gotten goods anyway.
> I suspect they could have sat quietly on this and stiffed me for thousands in extra bills

Nah. Your liability is limited to $50.00, unless you know about the fraud and don't report it. Even then I think it's still limited. That's why that "zero fraud liability" shit that some of the cc companies are playing up now just cracks me up.

Also, about the receipts at restaurants and such showing full cc numbers? I think that is illegal now, thanks to the FACT act. If you see it still, you should speak to management about it. I always do the same thing you do, but I really haven't seen my full number since the beginning of this year, which is when I think FACT went into effect full force.
At Discover Card, we do not make you pay a single cent of any fraud charges
Many credit card companies have zero fraud policies. Wouldn't sign up for one that didn't. And discover treated me like shite on the phone when I wanted to ask some simple questions before signing up, so I won't be using their services anyway.
CC liability
All the major credit card issuing companies that account for over 90% of all cards all have 0 liability for fraud. As vayacondia pointed out, that's only $50 less than what federal law has provided for over 20 years but most people aren't aware of.

My experience with "fraud detection" algorithms has been horrible. They once suspended my card while on vacation because I didn't return the call they left at my home. I have had numerous false alarms, and the one time I did have a fraudulent charge (a NEVER used Citibank card with a charge in Russian Rubles!) they didn't catch it.

There are many more important factors to consider when evaluating credit card companies. I for one find Discover to be the most abhorred of all.
NOT merely online transactions
> The second, more likely option, is that someone managed to attack an
> online resource to steal credit information about me. I rarely, if
> ever, use my cards online, but it's not impossible for this to occur.

It does not matter if your information was used online, it matters if the company that has your information, from a brick-and-mortar transaction, stores your information in a database that is accessible online.

Unfortunately, that is most all of them.

People feel (erroneously) safe if they don't use their cards online. It's certainly wise to avoid online transactions, but that doesn't guarantee data safety.
Guess who pokes in the "fraudulent transaction" data? The "affidavit of fraud" misrepresents a credit card company (a person, an identity) as being some sort of law enforcement authority, court appointed agent, or attorney. It uses the words perjury, penalty, police, and the phrase "law enforcement agency." Then it threatens the customer with "I am willing to cooperate in any prosecution." Sign it or be charged! I'm surprised this company is still in business. Biggest bunch of crooks in the country.
Did you check your Identity, m'man?
A LOT of people think credit monitoring will check their identity, but the sad thing is that it can barely even detect financial fraud: Experian actually admitted to the New York Times that their credit-monitoring products could not detect fraud cases in which a credit applicant used his/her own name, address and phone number with someone else's (i.e. YOU) Social Security number. Here’s the problem: 80 percent of identity fraud today is exactly what they admitted to not being able to detect. If one major Credit reporting bureau can’t, why would the others be any different? This type of Identity Theft is called synthetic ID fraud or ID cloning. What the ID thieves do is steal only your SSN and through a variety of nefarious, but quite clever methods, create a brand new person. The problem for you is that the fraud usually won’t show up on credit reports because the only identifier that matches you is the SSN. And what if the fraud is not financial in nature?

It won’t show up at all…comforting, huh?