Security's Everyman

Security's Everyman

Thursday, December 27, 2007

Where's the Breech?!

I was driving back home yesterday from my in-laws with my wife and kids. As usual the girls didn't sleep and they were tired from the long Christmas weekend and they were fussy and grumpy. One would do something just to irritate the other and I was the one getting really irritated.

Shortly after we got on the road my cell phone rang. I answered it to be greeted by a recorded message saying "This is Visa calling to verify some activity on your card. Please call back as soon as possible at 800-br-549". Immediately a red flag went off in my brain. I had only used this card once and that had been several months earlier. In fact I got the card because I had a gift certificate for this online shopping site and they were giving you a "bonus" if you signed up for the card and used it to purchase your items. So I did. I was able to get what I wanted and still have about a $5 credit on the card. So I never even had to enter the card number into the system. The card came in the mail a few days later and I locked it away in a safe place and never even called to activate it.

I called the number that they gave me and it was promptly answered by a IVR asking for the card number of the card I was calling about. Being the ever alert security professional that I am I was not about to actually enter the number into a unknown system (that and the fact that I didn't have the card number with me). I decided that the best and safest way to handle this was to wait until I got home and find the card and get the number off of the documentation that they had provided.

I arrived home late last night and after unloading the car I found the "official" number to call for customer service and gave them a call. Once again I was greeted by an IVR asking for the card number that I was calling about. I entered the number and answered a few security questions before I was asked to verify recent activity. I patiently listened as the recorded voice read off one transaction. A $1 fuel purchase earlier that day. Now the red lights were flashing and bells were ringing. My card had been compromised. If you know anything about stolen credit card numbers then you know that one of the things that they bad guys do when they buy a fresh bunch of numbers is to test them with small transactions usually at gas stations because it is a low visibility place where they can test several cards with small chance of being caught.

I was then transferred to the fraud department where I answered more security questions and promptly had my card canceled. I was assured that I would not be responsible for this or any other charges on the card that may have occurred since the "test". I was told that a new card would be issued and that the credit bureaus would be notified of my misfortune so that they too can be on the look out for my credit well being. All is well.

Now, I've not been notified by any company of a compromise of credit card data since receiving this card so my question is "Where's the breech?". Where along the line did my card info get compromised? Was the online shopping site compromised? Was it the issuing bank? What about the bank that is used by them to process transactions? Maybe it was the clearing house or was it my computer? Since I never entered the number on my computer I don't think that is the problem so where is the problem? Maybe someone stole a copy of the bill that they send me every month (even though I have no transactions) out of the mail. Does this place also have more credit card numbers of mine? Will I be getting more calls on this nature?

I guess I'll have to pay "extra special" attention to my credit reports and my transactions for a while. You gotta love having one more thing to add to the list of things to pay more attention to. Oh well, I guess I should be happy that it was caught and caught early. It could have been a real nightmare.

2 comments:

Unknown said...

Sobering, to say the least, no? And the best we can do as consumers right now is to be the IDS...checking our statements for fraudulent activity.

Greg said...

Hey - great post. I've been reading the blog a while now. The same thing happened to me today. I called the number on my statement and was told the account had suspicious activity on it. Fine. They closed the account, issued new cards, etc. My question to them was, where was the activity, or what merchant? The CSR wouldn't tell me. How can I feel safe using the new card if they don't tell me where the problem lies. What's to say I won't get a call from the credit card company in a couple of weeks with the same issue?

Creative Commons License
This work is licensed under a Creative Commons Attribution-NC-SA 3.0.