I I’m no stranger to credit card fraud: in the past I cloned my card and stole the details from a hacker at a retailer. But I figured a card I’d never used would be safe from the threat of crime. I was wrong.
Even if you lock your credit card in a safe as soon as you receive it, you could still be the target of criminal charges. But how can criminals steal your card details if you’ve never used them?
At 10pm on a quiet Thursday evening in January, I received a text message from my bank, Halifax, saying that my credit card had been used on an order worth £30.67 at Domino’s Pizza.
After 30 minutes on hold on an extremely busy Halifax line, the customer service representative asked why I was calling. “Cheating,” I said. “Domino?” he answered. Apparently I wasn’t the only one paying for someone else’s meal.
In fact, the UK seems to have been caught in a takeaway scam boom. Recently, a colleague’s card details were used to order £300 worth of takeaways in the Andover area in a single weekend.
This week, thousands of First Direct customers found their cards had been used to order chicken dinners from Nando’s. Mention to friends or family that your card has been used by scammers to buy takeaways, and they’ll soon learn you’re not alone.
In my case, Halifax froze my card to prevent further charges and the next morning the card was canceled and the charges marked for refund. A replacement card arrived on the doormat three days later. After activating it, I stowed it away safely in a drawer. The next day I checked my statement to make sure the pizzas had been refunded – only to find, to my horror, seven new fraudulent charges totaling £465 – all on my new card. These were not at Domino’s but at an unknown sportswear company in the Midlands.
Assuming I had only activated the card 16 hours earlier, hadn’t used it, entered the new number into Apple Pay or some other service, it hadn’t left the house and no one else had access to it, how on earth did anyone already have money spent on it?
I’m not the only person who’s asked this question recently – this week Guardian Money reader Phoebe Maddrell came forward to say her debit card details were used in fraudulent transactions even though she’d never used them – including online or personal.
In my case, the Halifax fraud investigation team said I was the victim of a so-called “guessing attack” in which an organized criminal gang found out the card number and expiry date. They didn’t have to have stolen the card number in a hack or physical theft and could use it once it was activated.
When you look at a bank card’s 16-digit card number and four-digit expiry date, you might think that the combination would be too complex to simply guess. Unfortunately it is very much not the case.
“The first thing to realize is that you’re not randomly guessing all 16 numbers,” says Jake Moore, a global cybersecurity consultant at Eset. “The first six digits of a credit card number identify the card network and issuing bank, while the last digit is the Luhn algorithm Checksum.”
This means they only have to guess seven numbers, while that last Luhn digit helps verify that the rest of the card number is valid. The checksum was originally developed to detect manual input errors such as typos or transposed digits, but it can also be used by criminals to verify that a number is real.
“There are websites that have Luhn verifiers that help locate these numbers in little or no time, making the chances of locating a card used relatively high,” says Moore.
Once a criminal gang has a potentially valid credit card number, they can try it to see if it’s being used. The Card Verification Value (CVV) — the three digits usually printed on the back of the card in or near the signature strip — helps prevent these types of attacks by putting an extra burden on criminals.
“However, there are many websites – often outside the UK – that accept card payments without requiring a three-digit CVV number or other proof of identity,” says Moore.
Banks and card companies have sophisticated technologies to detect and prevent these types of attacks based on specific characteristics of each transaction in real time. Post fact reports help refine the systems so they can stop more of the same.
Criminals typically target websites that handle large volumes of low-value transactions, making it harder to spot fraud based on hundreds of thousands of real purchases.
Once an attack is identified, additional checks will be implemented to block it and prevent further similar scams, but some will happen first.
In my case, Domino’s requested the CVV of the first card, but that too was guessed, allowing two of the transactions to pass before more transactions were flagged by Halifax’s systems. Takeways appear to be purposeful as they regularly process low-value purchases when the card isn’t there. Criminals use a card’s data to make a series of quick purchases until the card is blocked.
A Halifax spokesman says: “Through our multi-layered fraud detection systems, we never stop preventing fraud and block the vast majority of attempts. Unfortunately, even sophisticated criminal gangs never stop breaching our defenses, and some scammers come through.”
This case has certainly made me reconsider the number of bank cards I own and why. Every time I open an account, another card is added, which can lead to me becoming a victim of fraud even if I never use it. Credit card fraud cost the UK £574.2m in 2020, including £376.5m of e-commerce fraud, according to UK Finance. While banks have refunded 98% of customers and prevented a further £983m in fraud over the year, there’s always a risk this could happen to you.
What can you do to protect yourself?
It’s difficult to defend against a guessing attack, but there are things you can do to prevent the damage they cause.
Never approve a transaction you didn’t expect. Measures to comply with the new Strong Customer Authentication regulations will be phased in ahead of the March 2022 deadline. These usually require customers to verify some transactions via a one-time passcode sent via SMS or banking app prompt about every fourth online transaction.
Most card issuers allow you to freeze or temporarily disable all or part of card functionality. This includes blocking transactions outside of the UK, online or over the phone, in person or contactless payments. Bans stop non-recurring transactions, direct debits, or transactions where the merchants don’t ask the bank for verification, such as bank transfers. B. on public transport.
Report fraud to your bank as soon as you discover it. Moore says, “I always advise people to check their bank statements regularly, even daily, to spot any discrepancies. If card data is stolen and slips through the net a few times, those cards become very valuable and can be used multiple times, even for years, without raising suspicion.”
“I’m worried that something strange is going on”
Phoebe Maddrell, from Herefordshire, was one of thousands of First Direct customers affected by fraudulent spend at fast food chain Nando’s.
She received a message on the morning of February 17 requesting a payment of £42 from the debit card linked to her account. She saw it when she woke up and replied that she hadn’t made the payment.
“I then logged into my internet banking and saw that there were several transactions through Apple that I wasn’t aware of,” she says.
“I opened the account last June for savings. I never took the card out of the house; It has never been used at a retailer.”
Maddrell immediately contacted the bank and was told that the transaction had been blocked by Nando and that the card would be canceled and Apple payments would not be charged to her account. Later that day, however, Apple payments went through.
“I’m really worried that something strange is going on,” she says. “There is no way the scammers could have obtained the card details from anywhere. Unless they were somehow injured when the card was mailed to me.”
Maddrell’s bank would not shed any light on how the scam happened and said it couldn’t do so for security reasons, but said there had been no data breach.
It states that Maddrell will be paid back in full and will not need to speak to the scam team.
A spokesman for First Direct said: “We are aware of some unauthorized low-value retail transactions that appear on a small number of our loyalty cards.
“We would like to reassure affected customers that they will not be left out of pocket and apologize for any inconvenience caused.
“We take the safety of our customers very seriously and will be reaching out to affected customers in the coming days.
“We encourage our customers to regularly review their bank statements and report any suspicious activity.”
Maddrell has complained to the Information Commissioner’s Office about her case and to the Financial Ombudsman about First Direct’s unwillingness to explain how the fraud happened and because she was initially unable to reach the fraud team and told them they were waiting four weeks need a call back.
Hilary Osborne
Comments are closed.