Credit Card Fraud - It Happens to the Best of Us

Jon-Louis Heimerl

February 19, 2013 - Posted by Jon-Louis Heimerl to Security Insight

Yes, security geeks have security problems too.

But, the last fraudulent charge has disappeared from my credit card statement, so I will relate my own little tale of woe.

On December 23, my wife checked our credit card statement online. We do a considerable amount of online shopping, and we charge everything to a single card that is only used for online purchases. She suddenly asks me, “Did you buy something from Bloomingdale’s for $580?”

“Um… no.”

So, while I am on hold with the credit card company, she finds that the credit card has already rejected a series of charges from Amazon. I am told that my card activity was suspicious, and I replied, “I know.” But, this is where it gets interesting.

Apparently, on December 20, I had called in to my credit card company, changed my phone number, email address, and street address, which was a complete surprise to me. My credit card company then informed me that the caller had verified the changes by using the last four digits of my social security number and my mother’s maiden name.


Dealing with the credit card company has been relatively easy – they have been beyond cooperative, and took my report of the fraudulent charges over the phone. But the problem did give me cause for concern. Beyond the obvious worry that some of my identifying information was public, I was concerned about the additional controls that I thought I had set up on my account:

  1. I had set up my credit card account to notify me via SMS if any of my online account information was changed. This should have been triggered when my phone number was changed. I can only assume that they changed the phone number first and the SMS was delivered to the new phone number.
  2. I had set up my credit card account to notify me via email of any charge greater than $200. I did not get the email, so assume it was actually sent to – which is, by the way, the fraudulent email address created by the fraudster. (As a side note, Yahoo has refused to respond to my request to them to disable this email account that was only created to enable fraud, since this is NOT my account. Nothing. Nada. Nice.)

A few minutes of research also showed me that this was the same credit card and identifying information that we used for one of our service providers. It turns out that this service provider had been compromised on December 19, and my information had been used the very next day. I am guessing that there is a relationship there, though I do find it interesting that the service provider has never notified me that I was among the accounts that had been compromised.

Though this just ticked me off to no end, I tried to make my response as purposeful and deliberate as possible:

  1. I called my credit card company, disputed the fraudulent charges over the phone, cancelled my card and had them re-issue a new number.
  2. I changed my username, password, and security questions for my online credit card account. I also added additional security verification (yeah, like I am going to say what that is...)
  3. After I verified that my credit card company had all of the information that they needed, I changed my phone number, email address and street address back. I also verified that all my security alert information was still in place.
  4. I changed the passwords for all of our online card and biller accounts – every single one that we access via computer. Yeah - all of them.

It turns out, of all the things we did right, the best thing we did was probably the most simple thing: to check our holiday charges about every three days (yeah, I even have my wife paranoid now).

I was given a positive perception of my credit card company as well, since they noticed it about the same time that we did. (Though I did wonder how many of their cardholders change phone number, street address, and email address all at the same time. I am guessing that their anti-fraud algorithm factored in the recent changes when determining that the card was being used fraudulently.)

All in all, the problem did not feel so bad. It cost us nothing but some time, and some peace of mind.

And, I can only hope that the jail population increased by one in a suburb of Fort Worth, TX (the location of the “new” phone number and “new” mailing address for my card).
