At 5:48 PM -0800 3/28/05, TidBITS Editors wrote: >Stolen Credit Card Numbers and Companies with a Clue >---------------------------------------------------- > by Adam C. Engst <[EMAIL PROTECTED]> > > Credit card number theft is one of those events that seems > to happen only to other people... until it hits you. That > just happened to me, and the repercussions proved a bit more > instructive and far-reaching that I would have initially > anticipated. > > >**Awkward Dating** -- The first hint that something was wrong > came when Tonya was reviewing the charges on the MasterCard we > use solely for business purchases. There was a $19.95 charge to > something related to Yahoo, but it wasn't possible to tell exactly > what service from the limited information on the credit card > statement. Tonya knew she hadn't ordered anything online that > could have generated such a charge, and when she asked me, I > couldn't remember anything either. To verify that I wasn't simply > losing my memory, I searched all my received email around the > date in question, and even went so far as to search my OmniWeb > history for Yahoo URLs around the date. > > The situation was becoming more curious, so Tonya called the > phone number on the credit card statement, and waited on hold > for a while. As she waited, she realized that what she had > called was Yahoo Personals - Yahoo's online dating service. > She immediately yelled for me to get on the phone, figuring > that the whole situation was just going to generate snickers > for the customer service people if they heard a wife calling > to find out about a dating service charge on her husband's credit > card. I was good and refrained from making jokes about how I > didn't even get any dates from Yahoo Personals once the customer > service people came on the line. > ><http://personals.yahoo.com/> > > It took a little back and forth with Yahoo's customer service > people, since we weren't willing to give them much more personal > information, some of which they claimed they needed to look up the > account that had made the charges. Eventually we got them to tell > us that the Yahoo Personals account did indeed have the same user > name as my My Yahoo account (I immediately changed that account's > password, just for good measure), but that the birth date listed > with the Yahoo Personals account did not match either of our birth > dates. That was sufficient for them to cancel the account and > refund our money. > > >**Cleaning Up from Cancellation** -- The Yahoo Personals customer > service rep recommended that we cancel the credit card used, which > we were already planning as the next call. Our credit card issuer > was totally on top of it, cancelling the card and issuing us > another one before we'd even had a chance to explain the full > situation. Tonya keeps records of merchants that are automatically > withdrawing from that credit card, so next she reset all of those > accounts. The morning was shot, but it seemed that we were out > of the woods. Unfortunately, it wasn't to be. > > A few days later, Tristan and I were out driving when I remembered > that our other car likely had a flat tire due to a slow leak I'd > been monitoring. That normally wouldn't have been an issue, but > Tonya had an appointment before we would be home, and I wanted > to alert her to blow up the tire and to remember her cell phone > in case she needed me to come change the tire while she was out. > In New York State, it's illegal to drive while talking on a cell > phone unless you're using a hands-free system, so I pressed the > speed-dial number for home and handed Tristan the phone so he > could give her the message. A few seconds later he gave me back > the phone, saying "It's being weird." I pulled over and listened, > and indeed, I'd somehow ended up with Verizon Wireless customer > service. I hung up and tried again, and got them again. This time > I waited until I could talk to a person, who promptly informed me > that they had disabled our service because the monthly bill had > been rejected by our credit card - apparently one auto-withdrawal > had slipped past Tonya's record keeping. Luckily, I was able to > use another phone later to walk Tonya through inflating the tire, > but the credit card fraud was increasing in annoyance. > > The next week Tonya managed to get the account reinstated, and > protested sufficiently vehemently when Verizon Wireless tried > to charge a $15 fee for doing so that they waived the charge. > She pointed out that it would have been trivial for them to notify > us via voicemail or text messaging that our auto-withdrawal had > failed, but needless to say, the customer service drone couldn't > do anything but forward the feedback (if even that). > > That wasn't the end of the bother, though the next one was purely > my fault. I'd set up a Google AdWords account for Take Control > that also withdrew money from that MasterCard, and I'd forgotten > to inform Tonya that it needed to be added to the list of auto- > withdrawal services. As you'd expect, the next time Google tried > to charge money to the card, it was rejected, too. > > But here's the difference between Verizon Wireless and Google. > Where Verizon Wireless didn't bother to inform us that they'd > disabled our service and thus caused us unnecessary trouble, > Google sent me a nice email message, informing me of the problem, > telling me that they'd temporarily disabled our ads, and giving > me a link to my account so I could enter a new credit card number. > The entire process took only a couple of minutes, and most of that > was exclaiming to Tonya about how Google had a clue in comparison > to Verizon Wireless. > > >**Following Up on the Credit Report** -- We were relating this > story to a friend over dinner the other day, who said she'd had a > similar thing happen. In her case, though, the fraud had included > the perpetrator changing the billing address related to the card, > so she hadn't even received a tip-off statement. She recommended > that we run a credit report as well, just to make sure any > additional hanky-panky wasn't going on with our finances. > > A bit of investigation revealed that recent U.S. legislation > requires the three major credit reporting companies - Equifax, > Experian, and TransUnion - to provide anyone who asked with a > free credit report once every 12 months (so you can get one credit > report from each company all at once, or you can request a report > from one of the companies every four months to be on the lookout > for problems). Unfortunately, the credit reporting companies > were given quite some time to roll out the service to the entire > country, so although people in western and midwest states can > request their free credit reports right now, people in the south > must wait until 01-Jun-05, and those of us in the eastern states > must wait until 01-Sep-05. (Some states - Colorado, Georgia, > Maine, Maryland, Massachusetts, New Jersey, and Vermont - also > require that residents be allowed to request one or two free > credit reports each year.) > ><https://www.annualcreditreport.com/> ><http://www.epic.org/privacy/fcra/> ><http://www.epic.org/privacy/preemption/> > > Our friend said she'd used another service called > FreeCreditReport.com, which gives you a free credit report, > but requires that you sign up for a slew of fee-based credit > reporting and monitoring services that could be useful, > particularly if you wanted to be informed about changes to > your credit report over time. You can (and I did) cancel the > membership without paying anything - hence the "free" aspect > of the credit report, and of course, you can pay about $10 > for a credit report if you don't want to play the "cancel my > membership" game. Luckily, my credit report showed nothing of > significant concern, though they apparently think I'm a year > younger than I am. I'll have to fix that at some point. It's > entirely likely that other problems haven't shown up yet, and > I plan to start running regular credit reports in September. > ><http://www.freecreditreport.com/> > > >**Lessons Learned** -- In this day and age, shopping on the > Internet is simply a fact of life for many people. I don't > believe that using a credit card on the Internet is any more > or less likely to result in credit card number theft than using > it over the phone or in person, but the more you use credit cards, > the more likely it is some miscreant will obtain your number and > abuse it. It's mostly an annoyance with credit cards (though not > necessarily with debit cards!), since your liability is limited > to $50 in the United States, and I've never heard of anyone ever > being charged even that. But the hassle factor can be large, as > our experience proved, and credit card fraud could be the first > step in a more complete identity theft. So, I recommend the > following precautions. > >* Review your credit card statements every month, and make sure > you made every purchase. Thieves often charge a small amount, > like our $19.95 fee for Yahoo Personals, to see if you're paying > attention (and if you're not, the purchases will increase). > >* Always keep email receipts for online purchases for reference > purposes, and if you anticipate wanting to look back to what > you've done in the past on the Web, use a browser like OmniWeb > or a utility like St. Clair Software's HistoryHound to record > your tracks. > ><http://www.omnigroup.com/applications/omniweb/> ><http://www.stclairsw.com/HistoryHound/> > >* Although we still have no idea how our credit card number was > stolen, wallet thefts are a common way for this to happen. To > simplify canceling credit cards and other accounts in the event > of such a theft, photocopy the contents of your wallet and store > those pages in a safe location. > >* Keep a list of all automatic withdrawals from your credit card > in the event you have to cancel the card. Also remember to write > down merchants (like the iTunes Music Store) that might have > your credit card number stored for sporadic use. > >* If you're in the U.S. (other countries may have similar > practices), be sure to take advantage of the free credit reports > to make sure all the information is correct, and if you find > incorrect information, make sure to fix it promptly. Visit the > Federal Trade Commission Web site for additional suggestions > and links to useful resources: > ><http://www.consumer.gov/idtheft/> > > Many instances of credit card number theft may not be within > your sphere of influence. The Register has an article listing > a number of stories of large businesses, educational institutions, > and other organizations losing control of sensitive personal > information in this month alone. There's nothing you can do > about such situations (apart from checking data security practices > when possible), but some common sense and effort on your part can > reduce the impact of credit card number theft if it does happen > to you. I got off easy this time, and I hope this is the end of > the story (for a much more exciting story of credit card number > theft, read the page at the second link below). > ><http://www.theregister.com/2005/03/23/id_theft_cannot_be_escaped/> ><http://www.livejournal.com/users/publius_ovidius/111672.html>
-- ----------------- R. A. Hettinga <mailto: [EMAIL PROTECTED]> The Internet Bearer Underwriting Corporation <http://www.ibuc.com/> 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'