Hard at work

Why I love, love, love Discover Card

This morning did not start well. My alarm didn't go off, I ripped up a toenail trimming it and later, when shaking the creamer for my coffee, discovered that whoever used it last -- hi _sister_madly_! :) -- failed to close it. I usually don't care to spend my mornings mopping the kitchen, but such is life.

So while sitting at the table, drinking my coffee and noting that Whitney Houston was back in rehab and scientists are finally seeing the light of distant planets, my phone rings. It wasn't my cell phone. It was my home phone. It was my home phone whose ringer I was trying to figure out how to disable a couple of days ago. I couldn't, so I put it on low. I only use that line for DSL. Only foul, corrupt creatures bent on luring me away from dinner with fantastic tales of this glorious timeshare I might like are calling that number (though not much since the Do Not Call list was put in place.) So I ignore the phone, not wanting to further ruin my morning by yelling at a salesman.

Then I realized it wasn't dinner. Salespeople never call me during the day, so I went ahead and answered the phone. And someone asked if it was I on the phone and I, like usual, refused to confirm it until I knew who they were and what they wanted.

They were the Discover Card fraud unit and had I been purchasing stuff at Costco? And at Vetsmart? And at a variety of other places? In the past two days?

Someone managed to steal my card number and rack up $2100.00 in charges in two days. I haven't used the card since November, so this was pretty obviously some suspicious behavior. After confirming that I had not made those purchases, Discover closed the account, marked it as "lost or stolen" on the credit report, transferred over the undisputed balance to a new account and I should have my new card in 7 to 10 business days. They expect to mail me a report of their investigation in a couple of weeks.

I am very, very impressed with Discover. I suspect they could have sat quietly on this and stiffed me for thousands in extra bills. As it stands, they're potentially eating a couple of grand. This makes me very happy they would do that.

So here's what I want to know: the purchases were all local. I haven't used my card since November and that was at a local Fred Meyer. How the hell did someone make a bunch of local purchases on my card? There are two options that I can see. Option one is dumpster diving for receipts. They could use this info and know I was local. Many companies still use credit card machines that print your number on the receipt. However, they usually don't get the expiration date. That, generally, if I recall correctly, requires someone to be standing there to collect that info when the card is swiped, either visually, running it through a separate reader or by altering the software (none of which is really hard.) Still, waiting four months to use my card? That seems odd, but I can't say I know the "credit card fraud" business.

The second, more likely option, is that someone managed to attack an online resource to steal credit information about me. I rarely, if ever, use my cards online, but it's not impossible for this to occur. Unfortunately, we need action at a national level to force companies to report security breaches immediately (or at least immediately report compromised personal information), and we desperately need for software manufacturers to be liable for malpractice. I see so many examples of bad code out there that I know how serious this problem is. Programmers are really, really ignorant about software security.

I also want to know how they're spending the stuff in the local area. Did someone remotely sell my information to locals? Was it a local, inside job? Did someone spend a few bucks to purchase a magstripe writer? Hell, software to read magstripes is available as open-source and the author intends to add "write" capabilities soon. Pop on over to eBay, buy a magnetic stripe writer (and many of those come with the writing software) and you're good to go in the credit fraud business.

Card fraud is not as difficult as people think. Even without the aforementioned tactics, criminals used to covertly film customers entering their pins in bank machines and throwing their receipts away. By comparing the camera timestamp to the timestamp on the receipt (which frequently had the full bank account number), the thieves could write the numbers out to new cards and figure out the pin by watching what people typed in the video. Today, sometimes they'll just watch you type in your number somewhere and mug you. It's much easier to rip people off when you have the card in your hand.

Your card numbers aren't showing up on paper as often as they used to, but if you see your full number, scratch off all but the last four digits. If the restaurant or other business asks you why, tell them. They do not have to have that number on the receipt. They may need the last four digits to match up your receipt, but that and the time is all they need. It's stored in the equipment they swipe the card from and don't let them tell you different. I used to write software to process credit card info. Better yet, don't do business with companies that print out the numbers on the receipts and tell them why.

This is bugging me. I wrote software for this, but it's been so long ago that I can't remember all of the detail. I know that if the card is presented in person, no one ever checks the cvv/cvc number on the card. If you turn your card over, those are extra numbers printed in the signature area and can be used for extra security with online transactions since you generally have to have physical possession of the card to know that number. Businesses that ask for that number online are not supposed to store it. Neither these numbers nor your PIN are stored in the magstripes, so that's a bit of extra security, but not much.

Hmm ... lots of stuff I should brush up on.

In any event, thank you Discover! You've made a horrible situation a happy one.
  • Current Mood: relieved
Not exactly
>> As it stands, they're potentially eating a couple of grand. This
>> makes me very...

Uh, sorry. As expert as you may be on cc processing, your facts on Discover eating a couple of grand are not correct. The reason banks & cc companies don't bother pursuing the perps is because they get a 100% write off on fraud losses. So if you knew identity of perps but were unable to personally intervene, no amount of asking, cajoling, begging, or otherwise attempting to get Discover or other CC companies to pursue arrests & prosecution would work unless they felt it would benefit THEM in some way such as cracking a ring, making headlines, etc.

A 100% write off means the fraud doesn't cost them a cent in outlay, just hassle of changing entries in databases & cost of plastic & postage of sending out cards created, pressed & packaged for mailing through an automated system. The 100% write off means you & I & everyone reading pays for fraud because that couple grand in charges is a couple grand less in taxes they remit to the govt at end of their weekly tax payment period.

Want to see real action on cc fraud & identity theft? Remove the 100% write off over a 5 year period. Year 1, 80% write off instead of 100%. Year 2, 60% write off instead of 100%. Year 3, 40% write off instead of 100%, etc. Watch how fast banks & credit card companies suddenly become interested & cooperative in pursuing cc & identity fraud even on the smallest level. Watch how fast laws change to increase penalties & jail time for identity fraud & cc fraud thieves.

Want to see a perfect example? See what is happening with companies suddenly admitting their databases were hacked, like Choicepoint & Bank of America's data tapes loss? That's a direct result of California law that went into effect in January requiring disclosure to Calif residents if their data including identifying info like drivers license, ss # or cc # were compromised. News today, US banking dept, or similar agency regulating banks made it mandatory to disclose to banking customers if their info is compromised. This includes banks covered by FDIC, S & Ls & other categories of banks & financial institutions. Of course, the bank lobby worked in some exclusions that benefits them, but the new rule goes into effect immediately iirc, & will trigger many new disclosures about banking customer details being compromised. This will make big headlines in the months to come and will spur the banks to change practices & methods to more tightly control their data so they (very conservative businesses to begin with) can stay out of headlines that scream, "150,000 id theft victims at Bank X!" & similar. That's the last thing in the world a bank wants to be associated with as they are the last refuge of widows & orphans when it comes to money safety.

As to the cvv/cvc number checking in person, I had a cc processing machine myself around 98-99. I made sure it was Y2K safe (made the processing company guarantee it), but in all the cc processing I did, nowhere did I ever see, read, or get told about the number or given an option to manually input the number into the machine. From what I recall, the extra numbers on back of the cards were there far earlier than 1998. So I don't know what the issue is about presenting the number in person. The number is visible to the merchant anyway when presenting card in person because you are supposed to check the signature on back. So number can be read off back by merchant whether you want to give it to him or not, but what would he do with the number?

As to online purchases, secure way to do it is to have processing company validate card, they issue a transaction number, & the transaction number is associated with transaction in merchant's database in real time, so a cc number, cvv/whatever number, & other cc details are never placed on merchant's database. Only transaction number is there for merchant to refer to, everything else with card is stored on 3rd party cc processing company's computers encrypted. While not every merchant does it this way I suspect there will be many merchants converting to this as one tactic to keep their distance from Calif. disclosure law. Great job though!
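The transaction-number scheme described in the comment above, as an added Python sketch that is not part of the original post or comment. The `Processor` and `Merchant` classes, the `txn_` prefix and the in-memory vault are hypothetical stand-ins, and the card number is a constructed test value; the merchant keeps only the transaction number and the last four digits.

```python
import secrets

def luhn_ok(digits):
    """Checksum that catches mistyped card numbers (not an anti-fraud check)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

class Processor:
    """Hypothetical stand-in for the third-party processing company."""
    def __init__(self):
        self._vault = {}  # token -> card number; held encrypted in a real system

    def authorize(self, pan, cvv, amount_cents):
        digits = pan.replace(" ", "")
        if not (digits.isdigit() and luhn_ok(digits)):
            return None
        if not (cvv.isdigit() and len(cvv) in (3, 4)):
            return None  # the CVV is checked here and never written anywhere
        token = "txn_" + secrets.token_urlsafe(16)
        self._vault[token] = digits
        return {"token": token, "last4": digits[-4:]}

class Merchant:
    def __init__(self, processor):
        self.processor = processor
        self.orders = []  # the merchant's own database

    def checkout(self, order_id, pan, cvv, amount_cents):
        auth = self.processor.authorize(pan, cvv, amount_cents)
        if auth is None:
            return None
        # Only the transaction number and last four digits are kept.
        row = {"order_id": order_id, "amount_cents": amount_cents, **auth}
        self.orders.append(row)
        return row

TEST_PAN = "6011 1111 1111 1117"  # constructed test number, not a real account

if __name__ == "__main__":
    shop = Merchant(Processor())
    print(shop.checkout("A-1001", TEST_PAN, "123", 2599))
    print(shop.checkout("A-1002", "6011 1111 1111 1118", "123", 2599))  # typo
```

A copy of `shop.orders` taken from the merchant's database contains no card number or CVV, which is the property the comment is after.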