Ovid (publius_ovidius) wrote,

Why I love, love, love Discover Card

This morning did not start well. My alarm didn't go off, I ripped up a toenail trimming it and later, when shaking the creamer for my coffee, discovered that whoever used it last -- hi _sister_madly_! :) -- failed to close it. I usually don't care to spend my mornings mopping the kitchen, but such is life.

So while sitting at the table, drinking my coffee and noting that Whitney Houston was back in rehab and scientists are finally seeing the light of distant planets, my phone rings. It wasn't my cell phone. It was my home phone. It was my home phone whose ringer I was trying to figure out how to disable a couple of days ago. I couldn't, so I put it on low. I only use that line for DSL. Only foul, corrupt creatures bent on luring me away from dinner with fantastic tales of this glorious timeshare I might like are calling that number (though not much since the Do Not Call list was put in place.) So I ignore the phone, not wanting to further ruin my morning by yelling at a salesman.

Then I realized it wasn't dinner. Salespeople never call me during the day, so I went ahead and answered the phone. And someone asked if it was I on the phone and I, like usual, refused to confirm it until I knew who they were and what they wanted.

They were the Discover Card fraud unit and had I been purchasing stuff at Costco? And at Vetsmart? And at a variety of other places? In the past two days?

Someone managed to steal my card number and rack up $2100.00 in charges in two days. I haven't used the card since November, so this was pretty obviously some suspicious behavior. After confirming that I had not made those purchases, Discover closed the account, marked it as "lost or stolen" on the credit report, transferred over the undisputed balance to a new account and I should have my new card in 7 to 10 business days. They expect to mail me a report of their investigation in a couple of weeks.

I am very, very impressed with Discover. I suspect they could have sat quietly on this and stiffed me for thousands in extra bills. As it stands, they're potentially eating a couple of grand. This makes me very happy they would do that.

So here's what I want to know: the purchases were all local. I haven't used my card since November and that was at a local Fred Meyer. How the hell did someone make a bunch of local purchases on my card? There are two options that I can see. Option one is dumpster diving for receipts. They could use this info and know I was local. Many companies still use credit card machines that print your number on the receipt. However, they usually don't get the expiration date. That, generally, if I recall correctly, requires someone to be standing there to collect that info when the card is swiped, either visually, running it through a separate reader or by altering the software (none of which is really hard.) Still, waiting four months to use my card? That seems odd, but I can't say I know the "credit card fraud" business.

The second, more likely option, is that someone managed to attack an online resource to steal credit information about me. I rarely, if ever, use my cards online, but it's not impossible for this to occur. Unfortunately, we need action at a national level to force companies to report security breaches immediately (or at least immediately report compromised personal information), and we desperately need for software manufacturers to be liable for malpractice. I see so many examples of bad code out there that I know how serious this problem is. Programmers are really, really ignorant about software security.

I also want to know how they're spending the stuff in the local area. Did someone remotely sell my information to locals? Was it a local, inside job? Did someone spend a few bucks to purchase a magstripe writer? Hell, software to read magstripes is available as open-source and the author intends to add "write" capabilities soon. Pop on over to eBay, buy a magnetic stripe writer (and many of those come with the writing software) and you're good to go in the credit fraud business.

Card fraud is not as difficult as people think. Even without the aforementioned tactics, criminals used to covertly film customers entering their PINs in bank machines and throwing their receipts away. By comparing the camera timestamp to the timestamp on the receipt (which frequently had the full bank account number), the thieves could write the numbers out to new cards and figure out the PIN by watching what people typed in the video. Today, sometimes they'll just watch you type in your number somewhere and mug you. It's much easier to rip people off when you have the card in your hand.

Your card numbers aren't showing up on paper as often as they used to, but if you see your full number, scratch off all but the last four digits. If the restaurant or other business asks you why, tell them. They do not have to have that number on the receipt. They may need the last four digits to match up your receipt, but that and the time is all they need. It's stored in the equipment they swipe the card from and don't let them tell you different. I used to write software to process credit card info. Better yet, don't do business with companies that print out the numbers on the receipts and tell them why.

This is bugging me. I wrote software for this, but it's been so long ago that I can't remember all of the detail. I know that if the card is presented in person, no one ever checks the cvv/cvc number on the card. If you turn your card over, those are extra numbers printed in the signature area and can be used for extra security with online transactions since you generally have to have physical possession of the card to know that number. Businesses that ask for that number online are not supposed to store it. Neither these numbers nor your PIN are stored in the magstripes, so that's a bit of extra security, but not much.

Hmm ... lots of stuff I should brush up on.

In any event, thank you Discover! You've made a horrible situation a happy one.