Credit Card Details Stolen

#1
Hi All,

Friday afternoon I was in the queue at Gregg's ready to stuff my face when I received a text from Natwest asking if I had made various transactions.

I responded No and my credit card was immediately blocked. Upon further investigation, it turns out 5 mins prior they had spent £25 on Deliveroo then £747 at Powerhouse which was declined.

Bank is going to refund and re-issue new cards, I have got off pretty lightly. My problem is that I try to be really careful, I shred everything, I only use my card on encrypted websites, I have a dual firewall and decent malware/anti-virus programs.

As I take the precautions above I am worried that I am missing something? Really keen to hear any thoughts or ideas as to how they got my details and also what other precautions I can take?

Thank you in advance.
 
#3
Handed over your card at a petrol station lately?
 
#4
Hi All,

Friday afternoon I was in the queue at Gregg's ready to stuff my face when I received a text from Natwest asking if I had made various transactions.

I responded No and my credit card was immediately blocked. Upon further investigation, it turns out 5 mins prior they had spent £25 on Deliveroo then £747 at Powerhouse which was declined.

Bank is going to refund and re-issue new cards, I have got off pretty lightly. My problem is that I try to be really careful, I shred everything, I only use my card on encrypted websites, I have a dual firewall and decent malware/anti-virus programs.

As I take the precautions above I am worried that I am missing something? Really keen to hear any thoughts or ideas as to how they got my details and also what other precautions I can take?

Thank you in advance.
You can’t take precautions when somebody sells your details
The Deliveroo one is interesting as they will have a delivery address
 
#6
You can’t take precautions when somebody sells your details
The Deliveroo one is interesting as they will have a delivery address
I have mentioned this to the bank, TBH they did not seem particularly interested, I guess they see this every day and for such a small sum of money it would not be worth their while however I wish they would track them down!
 
#7
Hi All,

Friday afternoon I was in the queue at Gregg's ready to stuff my face when I received a text from Natwest ............really keen to hear any thoughts or ideas as to how they got my details and also what other precautions I can take?

Thank you in advance.
Don’t go to Greggs

Could have been anything.

All they need are a name, card number, expiry date, 3 digit code and address.
This could be obtained in many ways from a hacked system to having seen your card

Any investigators if it’s actually looked into can trace the delivery addresses used on the orders, but could easily be a hotel room booked on another dodgy card or any other dodgy address.

Check any computers for viruses and spyware but otherwise continue to be careful and consider whether you have traded with anyone dodgy

A woman I worked with had some dodgy transactions and initially blamed the ethnics at the garage, as per standard Daily Mail hype. However it turned out to be internet banking which someone had set up without their knowledge, and managed to do so because she had never used internet banking herself
 
#8
I got a similar text some years ago asking if I had recently ordered custom car parts from a company in California and something else from the US which was a small amount. Needless to say the answer was no at which point my card was immediately blocked. Several days before I had bought petrol from a station that I had not used before in Rotherham which was staffed by some dusky chappies. I had not lost sight of my card but turned out that they had skimmed the details and sold them on.

I was reported in the local Sheffield Star I believe and can still be found online if your Google fu is hot as the perps were later jailed.

The other potential source is if you have ever used your card with TalkTalk or another large company with insecure IT security.

Almost certainly not your fault. Take the new card and move on.
 
#9
I like to use cash whenever out and about. I get money out of reputable cashpoint machines, I cover my PIN as I enter it. This helps in two ways, first, it keeps my statements down to manageable size, paying for all the odds and sods with contactless is going to make checking statements a daunting task and second, no chance of skimming.

I like to pay by credit card on-line (I pay off the full amount every month) where there is no premium for doing so.

When I do pay by card in the big wide world I watch it very carefully and also check exactly what I am being charged. It is amazing how many people don't check a damn thing or keep watch. Would they hand over wallet/purse in such a way? Clearly not but for some strange reason this piece of plastic that can be ripped off for all you have generates no concern at all.
 

Wordsmith

LE
Book Reviewer
#10
Bank is going to refund and re-issue new cards, I have got off pretty lightly. My problem is that I try to be really careful, I shred everything, I only use my card on encrypted websites, I have a dual firewall and decent malware/anti-virus programs.
For starters.

Cross-site scripting - Wikipedia

You might be secure - it doesn't follow the website is.

Top 10 vulnerabilities.

Top 10 2013-Top 10 - OWASP

Some major websites have a number of these top 10 flaws.

Basically:
  • Never follow a provided link to a website that's on another website. Google it and use the google link.
  • Never click on a link in an email.
  • If the website unexpectedly opens up a dialog box asking you to re-login - don't.
  • If the website suddenly looks subtly different, close your browser.
  • Always use the logout button in normal use, don't just close the website.
Wordsmith
 
#12
For starters.

Cross-site scripting - Wikipedia

You might be secure - it doesn't follow the website is.

Top 10 vulnerabilities.

Top 10 2013-Top 10 - OWASP

Some major websites have a number of these top 10 flaws.

Basically:
  • Never follow a provided link to a website that's on another website. Google it and use the google link.
  • Never click on a link in an email.
  • If the website unexpectedly opens up a dialog box asking you to re-login - don't.
  • If the website suddenly looks subtly different, close your browser.
  • Always use the logout button in normal use, don't just close the website.
Wordsmith
Thank you, every day is school day!
 
#13
I got a similar text some years ago asking if I had recently ordered custom car parts from a company in California and something else from the US which was a small amount. Needless to say the answer was no at which point my card was immediately blocked. Several days before I had bought petrol from a station that I had not used before in Rotherham which was staffed by some dusky chappies. I had not lost sight of my card but turned out that they had skimmed the details and sold them on.
They modify the pinpad and install a video camera in the roof above it thus catching your card details on the pinpad and the numbers you enter on the camera.
 

Wordsmith

LE
Book Reviewer
#14
Thank you, every day is school day!
Without going into the boring details of (for example) how a cross-site scripting vulnerability works, an attacker could embed malicious JavaScript on a website's page in the comments section for a product. When you open the page, it loads the malicious code and executes it. That could result in (for example) your login details being fired off to an attacker. And you wouldn't know it happened.

The problem is that retailers aren't fined enough for security breaches resulting from this sort of vulnerability. So there's a temptation to accept some of it as an occupational hazard rather than spend money fixing it. The worst offenders have an annual security assessment - if you look at last year's report, you can see they've done nothing to fix the issues.

Wordsmith
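
Added example, not part of the original thread: the comments-section scenario described in the post above, seen from the retailer's side, with the vulnerable rendering next to a hardened one. All function names, the sample comments and the header values are assumptions made for illustration.

```javascript
// Added example; every name below is hypothetical.
// Constructed sample comments. The inert placeholders stand in for the
// attacker-supplied JavaScript described in the post.
const comments = [
  { author: "alice", text: "Great kettle, boils fast." },
  { author: "mallory", text: "Nice <script>/* attacker code */</script> product" },
  { author: "bob", text: 'Works <img src=x onerror="/* attacker code */"> fine' },
];

// Vulnerable: comment text is pasted into the page as markup, so any tag a
// commenter types becomes part of the page every later visitor loads.
function renderCommentsUnsafe(list) {
  return list.map((c) => `<li><b>${c.author}</b>: ${c.text}</li>`).join("\n");
}

// Hardened: encode the characters that can open a tag, attribute or entity,
// so the browser displays the comment as text instead of parsing it.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

function renderCommentsSafe(list) {
  return list
    .map((c) => `<li><b>${escapeHtml(c.author)}</b>: ${escapeHtml(c.text)}</li>`)
    .join("\n");
}

// Second layer: a Content-Security-Policy response header that refuses inline
// scripts and event handlers even if an encoding step is missed somewhere.
function securityHeaders() {
  return {
    "Content-Security-Policy":
      "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'",
  };
}

// Review helper: list the element names the browser would actually parse.
function tagNames(html) {
  const names = new Set();
  for (const m of html.matchAll(/<([a-zA-Z][a-zA-Z0-9]*)/g)) names.add(m[1].toLowerCase());
  return [...names].sort();
}

console.log("unsafe:", tagNames(renderCommentsUnsafe(comments)).join(","));
console.log("safe:  ", tagNames(renderCommentsSafe(comments)).join(","));
```

The unsafe rendering contains `script` and `img` elements that came from the comments; the safe rendering contains only the page's own `li` and `b`.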
 
#15
Without going into the boring details of (for example) how a cross-site scripting vulnerability works, an attacker could embed malicious JavaScript on a website's page in the comments section for a product. When you open the page, it loads the malicious code and executes it. That could result in (for example) your login details being fired off to an attacker. And you wouldn't know it happened.
Wordsmith
...the Web is a place full of dodgy sites and nefarious types, take Arrse for instance... :)
 
#16
They modify the pinpad and install a video camera in the roof above it thus catching your card details on the pinpad and the numbers you enter on the camera.
I always cover with my hand but your post had me thinking.

The fact that I use (as most others do) contactless these days, does it mean that my card details, i.e. card number, expiry date and last 3, are somehow transmitted?
 
#17
Without going into the boring details of (for example) how a cross-site scripting vulnerability works, an attacker could embed malicious JavaScript on a website's page in the comments section for a product. When you open the page, it loads the malicious code and executes it. That could result in (for example) your login details being fired off to an attacker. And you wouldn't know it happened.

The problem is that retailers aren't fined enough for security breaches resulting from this sort of vulnerability. So there's a temptation to accept some of it as an occupational hazard rather than spend money fixing it. The worst offenders have an annual security assessment - if you look at last year's report, you can see they've done nothing to fix the issues.

Wordsmith
Right it's getting complex - I was an Infanteer! ;)

Is there an app or program I could have running that picks up on 'cross-site scripting'
 

Wordsmith

LE
Book Reviewer
#18
Right it's getting complex - I was an Infanteer! ;)

Is there an app or program I could have running that picks up on 'cross-site scripting'
Nope. You have to rely on the retailer doing due diligence on their website. Generally, a major retailer will be more secure than a minnow, but that's not an infallible guide.

It boils down to "has the retailer developed their website in a secure manner?" Bigger retailers are often placed to spend the money doing that.

But the rules I put in an earlier post are a good set to follow: they'll protect you against many threats.

Wordsmith
 
#19
Handed over your card at a petrol station lately?
Stopped at a service station on the M1 for fuel, down by Milton Keynes. Filled up went in to pay, handed over the card and the EASTERN EUROPEAN WOMAN swiped it through the POS widget and then picked up another card reader from under the counter connected to a cable and swiped it again.

Me: "Why did you swipe my cards through two different card readers"?

Her: "Is security check".

Me: "Is not security check, is you stealing my card details".

Her: "Is security check"

Me: "Really, I'll just call my wife at Barclaycard and ask her shall I"

So I did. She laughed and told me the woman was cloning the card and she would inform Barclaycard security.

Still standing in the petrol station shop: I call my constabulary HQ control room and ask them for the number of Bedfordshire CID. I call them and the bloke tells me they will get out to speak to the service station operator and interview the woman to scare her shitless. FYI technically no really worthwhile prosecutable crime is committed until they use your details to obtain goods, or services.

All the while the woman is less than ten feet from me, with me smiling at her. Phone calls made I take out my warrant card, show it to her and wish her a nice day, advising her that she should be more careful who she pisses off and that should my details be used I know what she looks like and will come and visit and have a chat with her and her husband.
 
#20
You mean your bank has. It's their problem if they lose your money.
The wife's employer in the UK had to more or less write off 100 million squids a year to fraud.

It all gets very organised. There was a team out there doing the rounds of banking call centres. When I say team I mean a gang of around 20 - 30 of them, all non-white people. At the end of the scam they would simply resign and move on to the next target.

They would apply for and then get jobs in the call centres where as individuals they had limited access to customer information. However as a team they had access to all of it. So they would spend around 4 - 6 months building up their own database of customer information so that they had: names, addresses, account numbers, passwords, transaction information...........the lot. Then they would do purchases and transfers of money from one account to third party accounts. Stinking millions from most of the major high street names, all unrecoverable.

They did the rounds of the call centres and as I remember it some of them were still at the call centre of the wife's employer when the nice people from the security services started pouncing. Being non-white people there were tentative links to Bin Wotsit and his crew.

There was another case of a major UK mail order company that became the common hub for people who had been the subject of credit card fraud. Turned out it was a couple of bints working the phones, they had scammed half a million before they were caught.
 
