Can’t shake this feeling - credit card fraud

[BalaamsAss]

Woke this morning to an email from a company we have a weekly subscription with, to say that our credit card payment had been declined.

Really odd, and while the email looked totally genuine I took all the correct precautions and logged on via the website rather than clicking a link in the email, and input the CC details again. It was once again declined.

DH then checked the CC on the app and discovered 3 transactions we hadn’t made - totalling nearly £6k.

Immediately got onto the phone to the bank who claimed they had spoken to us last night before they had blocked our account.

We hadn’t spoken to them at all. Whoever got our card details wasn’t content with shopping at our expense but also phoned our bank to impersonate us and try and get the card unblocked.

The card is now blocked but apparently we can’t do anything else until we can go into a branch in person - they are all closed until 10am on Wednesday.

I feel utterly sick to my stomach. I feel violated. I feel completely uneasy. I want to cry. I want to stamp my feet and scream. I want to know who did it.

We do shop online a lot, esp at the minute, but we are also super careful. We have no idea how someone got our details.

I hate this. I hate this. I hate this.

Rant over.

Oh, and no, my card details aren’t stored in my Argos account

Hopefully all sorted.

The guy in the Ulster Bank branch was brilliant - couldn’t fault him. He was able to get through to the fraud team on our behalf and gave a wee ID number to prove we were in branch, then authorised both sets of ID and then passed the phone on to DH.

The initial £150 transaction had gone through but it will now be refunded to us. The first Argos transaction had gone through but had already been refunded and the second Argos transaction had been declined at the time.

Apparently the fraudsters had called NatWest and added a new phone number and email address to the account. They had even gone so far as to make up a new email address which included DH’s name.

NatWest couldn’t explain how they had got through security enough to do that.

Apparently once it was flagged and because there had been a recent change to phone number, that was why DH wasn’t sent a warning text to authorise the unusual activity. It’s also why he was locked out of the app from an hour or two after he had made his original phone calls to NatWest.

Our money is coming back, our cards have been cancelled and new cards will be sent out with new numbers etc, and DH has added additional security questions onto the account. It doesn’t explain how it happened in the first place, but hopefully it will stop it from happening again. (Or at least lower the risk)

Apparently his details have also been added to some central database thing so that if there is any other new activity instigated in his name (like new cards taken out or new accounts in his name) it will also require additional checks.

It is a bit of a faff as we have a few regular payments set up which will all go through at the start of each month and we will need to contact them now to try and delay them. The old CC is no longer valid, and we won’t have the new ones with the new number before Jan 1st to update the accounts. The accounts are overseas so we don’t like using debit cards, but we’ll have to see if we can put things through on debit cards for 1 month only and then revert back to the CC once we get the new cards.

Good news. Could you not just set up a one off online transfer for your imminent bills, assuming the funds are in your account.

Late to the thread but pleased it is all sorted OP. Have they said what will happen to the person who committed the fraud or is that a matter for the police?

Yes the funds are all there - they are regular subscriptions hence why it’s a bit of a faff to change. One is a regular book subscription, the other two are regular monthly charity giving - one specifically sponsors a child in Zambia - so I definitely don’t want to halt them for a month. I am away to email all three now - time differences and the break between Christmas and New Year, as well as the cost of calling internationally, means email is probably the best option.

@louisejxxx nothing at all about the person who committed the fraud. We did log it with Action Fraud, but I don’t know if anything will be done about it. (A PP’s previous response about Action Fraud doesn’t fill me with much confidence!)

Good news OP.
I would urge you to make a complaint to NatWest about the fraudster's ability to get through their security questions. This is something that should in theory be almost impossible, so something has gone wrong somewhere in their procedures, and they really need to investigate what that is and sort it out immediately. You, and every other NatWest customer (myself included) need to have total faith that this can't happen again.
I used to work in banking Compliance and this sort of thing will have several people running around like crazy to find the problem. I suspect someone will also be getting some fairly robust 'retraining', or at least they should be.

Op both of you should sign up to Experian (or similar), check any applications or accounts in your name and sign up for their web monitoring

This happened to me many years ago and the tip-off was a random email from bus company in an entirely different country saying that a payment for a bus ticket had been declined. Whoever did it racked up thousands in Apple Store, ASOS etc. Fortunately the bank refunded everything but there didn't seem to be any interest in pursuing the perpetrators even though there must have been addresses linked to the orders. The card was in my possession all the time as well.

After some research it turns out that credit card details are very insecure. Literally any hotel, website or shop where you use your card could potentially clone it. I suspect it was a hotel I stayed at shortly before it happened, however I also did online shopping around that time and e-commerce safety wasn't as solid in the early 2010s.

Avoid inputting credit card details directly into a website unless absolutely necessary. Paypal is the safest option of all, and you can easily link your credit card with your PP account. This encrypts your actual card details making it impossible to access even if the shop's database were hacked.

@ReplacementPlasticUterus yes I don’t understand that but either. The guy on the phone today was significantly better than any of the three DH spoke to on Monday - that may have been because they thought he was the scammer trying to unblock the account!

The guy today says he had no way to see what security questions had been asked. I think DH needs to ask for the call recordings to be checked. The guy seemed to think that sometimes the only security question asked is the 3 digit security code on the back of the card and if that was the case then it was sheer luck that they got through to someone who authorised the changes without full and comprehensive security checks

I wouldn't count on them telling you anything about the call in any detail (if they can even find it), but their systems should show what questions were asked. You'll probably get a bland response possibly admitting to an individual not following procedures and all relevant staff have been reminded/retrained or something. But it's always good to keep them on their toes!

After some research it turns out that credit card details are very insecure.

Depends what details. The card number and expiry date have to be public, really. Otherwise how could you give them to somebody ?

The main problem is then corroborating those details with something that only the cardholder would know - hence "security" questions. Which if answered honestly are fairly useless.

So the CV2 was introduced. And pretty much undermined almost immediately (hence my advice upthread).

Banks are in a pretty cushy position when it comes to fraud. They can refuse to disclose anything to you ("security"), while still peddling the same old shite that they are "unhackable" which means that their default stance is to disbelieve you from the get-go.

Just to play devils advocate, it would be possible to make things much more secure. The problem with that is the 80% of people that would then be unable to use the system.

Have you run checks for malware on all your devices?

I always delete the card information and only use it as and when it's needed as if I lost my tablet or left them somewhere they would still need the card details ect or if the account itself was cracked, then they hopefully would not be able to access any other information. Although these days with hackers skills you never know for sure.(think Kevin mitnick)

This type of fraud happens when card issuers use publically available info like mothers maiden name, postcode, and date of birth to verify customers who forget their passwords or don’t pass voice biometric tests. This is 100% the company’s fault and don’t let them fob you off - their fraud system realised the transactions were fraudulent as they were at retailers and over amounts you typically spend - it’s the person over the phone who over-rode that.

[quote BalaamsAss]@ReplacementPlasticUterus yes I don’t understand that but either. The guy on the phone today was significantly better than any of the three DH spoke to on Monday - that may have been because they thought he was the scammer trying to unblock the account!

The guy today says he had no way to see what security questions had been asked. I think DH needs to ask for the call recordings to be checked. The guy seemed to think that sometimes the only security question asked is the 3 digit security code on the back of the card and if that was the case then it was sheer luck that they got through to someone who authorised the changes without full and comprehensive security checks[/quote]
No, all static data is publically available. Date of birth, mothers maiden name, postcode. Things like last transaction or last 4 digits of mobile number is available when someone fraudulently logs into your account.

Open a formal complaint to investigate the bank’s handling of this

DH had a couple of £zero items on his CC recently, emanating from the USA. the CC company seemed a bit confused as to why he wanted the card cancelled. We tried to explain that this was possibly to test security on the card, prior to putting through an actual charge.
Eventually they agreed to cancel his card a issue a new one.

The back won't release the call recording to you. Fraud teams don't generally ask for card details as fraudsters can obtain that info. They usually ask personal information & information on your credit file.

Fraudsters frequently use another delivery dress or email address containing the real account holders name as it makes it appear genuine.

The banks can check the IP address used & cross check that with your online activity,

If the bank has refunded you, they believe it's fraud but further investigation will take place with visa who will provide details of the delivery address & items ordered

@GrumpyHoonMain

This type of fraud happens when card issuers use publically available info like mothers maiden name, postcode, and date of birth to verify customers who forget their passwords or don’t pass voice biometric tests. This is 100% the company’s fault and don’t let them fob you off - their fraud system realised the transactions were fraudulent as they were at retailers and over amounts you typically spend - it’s the person over the phone who over-rode that.

The trick here is to not use your mothers maiden name, but your own unique password that can't be discovered by research.

Sadly in a poll I did a while back at work, over 60% of people did use their mothers maiden name (etc etc).

It's generally accepted good practice now to let the customer chose the question and the answer.

(My "mothers maiden name" is Fubar for example)

@Vitaminsss

Open a formal complaint to investigate the bank’s handling of this

Which will go: nowhere.

They start from the fact the OP hasn't actually suffered a loss. "No harm, no foul" sort of attitude.

BTDTGTTS ...