4

Today I had about $600US spread across 20 transactions taken from my debit card over the past three days (I notified my bank, who said they will give me a new card and will refund me).

This particular account I only use to transfer money in and out of to get bonus savings interest; I have never used it to make purchases online, and the card has always been left in a drawer and never been taken out of the house. I have never entered the card details into any form, nor stored the card details anywhere.

Given I have never entered the card details anywhere to make a transaction, and neither have the previous versions of the card ever been used, how could this have happened? I have never stored the card details anywhere.

It's unlikely the scammer could have enumerated card details (start from 0000-...-0000; 01/01 for expiry date and 000 for CVV and increment) as they would have also needed to get my billing address correct.

A G

3 Answers

4

Thieves get card numbers and expiration dates from somewhere it is stored or processed.

That could be a local with access to your home, access to the originating bank that issued the card, the post office, or any merchant processor along the line.

Tim Brigham
  • But if I have never entered or stored the card details anywhere or used it to make a payment, can I conclude the bank has been hacked? (and just haven't publicised it?) – A G Jun 30 '19 at 16:20
  • 1
    @ag that's exactly the point I'm trying to get across. Even if you have never entered it, there are a lot of other individuals who by nature of their business would have access to that data. That could be the bank, the supporting MD that services the bank, the post office, someone with access to your home, et cetera. – Tim Brigham Jun 30 '19 at 20:29
0

I can think of three options that haven't been discussed yet:

  1. Account vs card number

Are you sure it was done with the long debit card number?

In the UK, debit cards normally have details for Visa (or whoever) and an account number + sort code (which can be translated into an IBAN). The account number and sort code do not change when the card is renewed, as they're tied to the account.

While one cannot "pay" just knowing account number and sort code, they can set up a direct debit. (A celebrity experienced this after claiming that data isn't sensitive: https://www.theguardian.com/money/2008/jan/07/personalfinancenews.scamsandfraud)

  2. Sequential card numbers

At my previous bank, after the card expired, they issued a new one with the next number (that passes the Luhn check). I think you can also be pretty sure the expiry date will be consistent, so the unknown is only the short CVV, which isn't even required for all payments (How does Amazon bill me without the CVC / CVV / CVV2?)

  3. Payment links to the old card

Did you have any recurrent payments set up on the card before this one? It's apparently possible for merchants to get that info (https://www.creditcards.com/credit-card-news/recurring-charges-updater-1275.php). From personal experience, I have bought services and got refunds months later when that card was cancelled. Refunds came to the replacement card, so someone along the way made this redirection.

domen
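The Luhn check mentioned in the answer above, shown as an added example that is not part of any post on this page: the last digit of a card number is a checksum computed from the other digits, so it catches typing errors but carries no secret. The function names are this example's own, and the sample input is the widely published test number 4111 1111 1111 1111.

```python
# Added example: Luhn is an error-detecting checksum, not a secret.
# SAMPLE is a published test card number, used here as constructed input.
SAMPLE = "4111111111111111"

def luhn_sum(digits):
    """Luhn sum over a full number (check digit included)."""
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:              # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9              # same as adding the two digits of the product
        total += d
    return total

def luhn_valid(number: str) -> bool:
    digits = [int(c) for c in number if c.isdigit()]
    return len(digits) > 1 and luhn_sum(digits) % 10 == 0

def luhn_check_digit(payload: str) -> int:
    """The one digit that makes payload + digit pass the check."""
    digits = [int(c) for c in payload if c.isdigit()]
    return (10 - luhn_sum(digits + [0]) % 10) % 10

def valid_final_digits(payload: str):
    """Of the ten possible last digits, which ones pass? Always exactly one."""
    return [d for d in range(10) if luhn_valid(payload + str(d))]

def single_digit_errors_missed(number: str) -> int:
    """Count one-digit typos that would still pass (Luhn catches all of them)."""
    missed = 0
    for i, c in enumerate(number):
        for r in "0123456789":
            if r != c and luhn_valid(number[:i] + r + number[i + 1:]):
                missed += 1
    return missed

if __name__ == "__main__":
    payload = SAMPLE[:-1]
    print("valid:", luhn_valid(SAMPLE))
    print("check digit derived from payload:", luhn_check_digit(payload))
    print("final digits that pass:", valid_final_digits(payload))
    print("single-digit typos missed:", single_digit_errors_missed(SAMPLE))
```

Because the check digit is fully determined by the digits before it, issuers and merchants rely on the CVV, address verification and transaction monitoring for fraud control, not on the Luhn check.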
-2
  1. The scammer could be the first person who was between you and the payment gateway, remotely rather than internally if you are the only one who has access to your network, and he/she could have tricked the bank personnel by acting as the person on your debit card and so gained the credentials of all your credit/debit cards. (This is unlikely.)

  2. You have left traces somewhere that could lead to the perfect outcome; this can be a small note that you saved on your device, while the device was compromised.

  3. The local bank is corrupt/bankrupt and has sold your CVV to someone.

Guest