Credit card details used to open fraudulent account!

Minxy

As most of you will know I'm pretty savvy regarding finances etc, especially when it comes to security, so this is annoying to say the least!!!

I ordered some gas stuff from 'LPG shop' on 7/1/17 using my Asda credit card and found on Monday 9/1/17 that a fictitious account had been set up with e-buyer and goods costing £409 had been purchased using it, which I hadn't done - I only found out as hubby checked our card balances.

I've just emailed LPG Shop to ask them to investigate, especially how CC details are treated/stored as I hadn't used it for a while and it seems too coincidental for this to happen just after I'd made a purchase from them.

Hubby has contacted e-buyer who have confirmed it was a fraudulent transaction and the debit will be refunded, and Asda to get new cards so the 'thief' can't use the old one anymore.

I will report back as/when I get more info.
 
Minxy

Hubby's just found out from Asda that someone has also tried to use it at Very online too which was fortunately refused as it was for over £300 and took it over the card's available remaining credit balance.
 
Minxy

Just had the below response from LPG Shop:

Hello Mel,
thank you for your email,
all credit card payments on our shop are processed by Paypal on their external terminal, so we do not have any access to customer card details,
our website is secured by GeoTrust SSL certificate and has been recently certified by Google as secure for online transactions.
We have not had any issues like this so far but we take very seriously security of our customers so I will ask Paypal to investigate your transaction and if there is something suspected.
Please also consider to scan for any malicious software on your computer.

I replied:

Thank you for your quick response ... you didn't sign your email so I don't know who I'm 'talking' to.

I have now found out that someone has tried to use it for purchases from Very online too, who I don't buy from, but fortunately as they were 'greedy' the transaction amount would have taken me over my credit limit so it didn't go through. Asda have blocked the card but it is still a concern as I hadn't used it for anything other than your shop. I would appreciate you letting me know the outcome of the Paypal investigation.

Thanks for the suggestion ref malware but I do this regularly anyway.

Regards.

Mel

 

Langtoftlad

I wonder if one of their employees used a Card Skimmer?
I know you're not meant to let a card out of your sight these days, and as you say you're very aware - but it only takes a couple of seconds if distracted.

I once had a credit card cloned in Boston [USA] but as it was one only used for duty free shopping, I could quite easily tell the bank which outlet I'd last used it & a description of the employee :)...

But - also I caught another card being used fraudulently on Amazon.com - and was actually on the phone to the bank as another transaction appeared :eek:. Although I was instantly refunded & a new card issued, I was disappointed that they seemed less than interested in pursuing the fraudster... they surely would have had an IP and presumably a delivery address for the fraudster. :(
 
Robert Clark

We had a similar issue after giving our card details over the phone to Rentguard landlord insurance.
 

Langtoftlad

Just a thought - was the Asda Card "Contactless"?
One obviously can get RFID protector card holders - but that won't protect you when actually using the card & a Skimmer is nearby.

 

GJH

The circumstances appear similar to those which a number of us suffered following the Peterborough Show a couple of years ago.
The likelihood is that no rogue employee or card skimmer was involved.
The fact that the card issuing companies allow transactions to be processed without requiring either PIN or CVV code to also be entered means that thieves can attempt such frauds merely by generating the main card number and using that.
The "security" employed by the card issuing companies is a joke. So long as the extra income generated by allowing insecure transactions exceeds the amount they have to pay out in compensation they are happy. They don't care one jot for the effect on customers, which is demonstrated by the fact that they offer no compensation for that.
 
Minxy

I wonder if one of their employees used a Card Skimmer?

Just a thought - was the Asda Card "Contactless".
One obviously can get RFID protector card holders - but that won't protect you when actually using the card & a Skimmer is nearby.
It was ordered online so no 'physical' card was presented to them, just via their website.
 

hilldweller

It was ordered online so no 'physical' card was presented to them, just via their website.

But PP has been mentioned so you should have seen a re-direct to https: paypal and the gas firm saw none of that.

 
Minxy

But PP has been mentioned so you should have seen a re-direct to https: paypal and the gas firm saw none of that.
Nope ... it was processed by Paypal, not paid via Paypal ... you get a choice of:

upload_2017-1-16_12-53-35.png


I selected credit card and this came up (example image, not actual transaction), no mention of Paypal on this.

upload_2017-1-16_12-50-18.png
 
Online fraudsters tend not to use cards straight away. For instance if they got into company bills-wellies.com they would not defraud cards immediately as everyone would quickly make the link to bills-wellies and their hacking efforts would be short lived.

What they do is wait weeks, sometimes months before using the card details they have retrieved to try to throw you off the scent.

Secondly if the LPG people are using paypal then that won't be the source of the fraud. Paypal may not be perfect but when it comes to security I believe them to be one of the best out there.
 
@Minxy Girl you posted while I was typing :p

ok. If you are typing the card details into their webpage then it is possible to get defrauded that way. However my first point above stands.

 

hilldweller

I'm lost now. Can't see the address you were logged on to, I'd assumed https: paypal. So I guessed incorrectly.

It's happened to me a few times, it's just life today, I've been inconvenienced but always got the money back.

Last time was when many FUNsters got stung at the same time after recently making a booking but of course this was shown to be total coincidence.
 
Minxy

Brian, if you go on their site and do a fictitious order you'll eventually get to the payment page so will be able to see it for yourself.
 

hilldweller

Brian, if you go on their site and do a fictitious order you'll eventually get to the payment page so will be able to see it for yourself.

George Cluney now has an account there.

Payment. I selected credit card and it stays on their site requesting details. There is no involvement with PP. Thought it was an https: connection I guess that does not count for much.
 

GJH

What I don't like is that there is no requirement to put in a CVV so now makes me question just how secure their site is.
The point is that no credit/debit card payments are secure.

As the UK Cards Association (finally) admitted in October 2014:
In the UK, the card schemes (Visa, MasterCard, American Express etc) strongly recommend that retailers always seek the CVV2 value whenever handling say, a telephone order transaction. However to avoid potentially inconveniencing a bona fide customer, who genuinely may not be able to provide the CVV2 at time of the order and with whom the merchant has perhaps an established relationship, provided goods to the same delivery address as in the past, and being prohibited from storing card holder card details including CVV data (under payment card industry data security standards), there may be good reason to enable the transaction to occur. If the merchant is comfortable to proceed, they can, on the basis that should the transaction be subsequently disputed they will take the liability. Clearly if the retailer is at any point concerned or suspicious about a transaction, they should not proceed. Ultimately it is a decision for the retailer to take on a case by case basis, as they are in the best position to do so.

i.e. in order to maximise throughput (their profits) the card issuers were perfectly happy to open a back door. Once that was done it was open to exploitation by thieves, and still is. They don't even have to have a card in their hands; all they need do is generate the 16 digit main number and enter that on-line.
 

DBK

I would doubt the lpg shop are to blame as they should have had no access to your card details. From their response the transaction was processed by PayPal which means the card details would have been run through their system and I'm fairly sure the number would have been encrypted as it passed through the lpg shop's system.
Because no CVV was entered, which I admit isn't normal these days, then if someone at the lpg shop got the card number how did they then buy something from Asda who I suspect do require it?
As already mentioned, the card details may have been stolen earlier.
:)

 

hilldweller

in order to maximise throughput (their profits) the card issuers were perfectly happy to open a back door.

Quite similar to the toxic mortgage situation that wrecked the world a few years ago. Profit profit profit greed greed greed.
 

GJH

Because no CVV was entered, which I admit isn't normal these days, then if someone at the lpg shop got the card number how did they then buy something from Asda who I suspect do require it?
As already mentioned, the card details may have been stolen earlier.
See my previous posts. It's more frequent than we realise for CVV/PIN not to be used, obviating the need to steal a card.

It was an Asda card number used, not an attempt to purchase from Asda.

 

Louis

Nope ... it was processed by Paypal, not paid via Paypal ... you get a choice of:

View attachment 142090

I selected credit card and this came up (example image, not actual transaction), no mention of Paypal on this.

View attachment 142089
If this is an accurate copy (spelling) I would suggest that it's fraudulent (Expiration Date???) never seen that word used to date, and also as mentioned - no box for CVV? Very odd
 

TJBi

If this is an accurate copy (spelling) I would suggest that it's fraudulent (Expiration Date???) never seen that word used to date, and also as mentioned - no box for CVV? Very odd
"Expiration date" = US English.
 

Louis

"Expiration date" = US English.
Didn't deny that the word existed, merely stating that I have not come across that word being used on a transaction page !!

 
I had a card cloned in some way. It was a new card and I had only used it once (Forestry Commission) and on the next statement I saw it had been used to pay for hotel accommodation in New York. I got my money back but it could be a problem as credit cards have such large credit limits (tens of thousands and they keep putting them up), it was lucky Minxygirl's card was maxed out otherwise they might have got away with it.
At one time I had a card with a credit limit of a couple of hundred, which I used exclusively online, but the card issuer kept increasing it.
 

meanders

There are many ways of integrating payments through PayPal and the other payment gateways. Some are much more secure than others. If @Minxy Girl has cut and pasted the reply from the retailer verbatim, then I'd be very worried about their understanding, and certainly grasp of punctuation and grammar!

The fact the retailer is Google approved means zilch. I can see nothing on their site that says they are PCI-DSS compliant and that's the question you need to write back and ask. Also ask when the last compliance scan was? We used to run ours every three months as things change and you can't be sure it hasn't affected anything. The compliance authority will be the company bank.

Full PCI-DSS will give reassurance that the integration to Paypal's payment gateway is a good one. There are still a lot of web-sites out there that capture the card data to their own server and then effectively 'paste' it into the payment gateway. This is a breach of PCI-DSS.
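
The difference discussed in this thread, between a checkout page that collects the card number on the retailer's own site and one that hands the customer to the payment gateway, is visible in the page's HTML. The following is an added example, not part of the thread and not the retailer's code; the host names `shop.example` and `gateway.example`, the sample pages and the field-name heuristic are all assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

CARD_FIELD = re.compile(r"(?:cc|card)[-_]?num", re.I)  # heuristic field-name match

class CheckoutScan(HTMLParser):
    """Records each form as [action, has_card_field] plus all iframe sources."""
    def __init__(self):
        super().__init__()
        self.forms, self.iframes, self._open = [], [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._open = [a.get("action") or "", False]
            self.forms.append(self._open)
        elif tag == "iframe" and a.get("src"):
            self.iframes.append(a["src"])
        elif tag == "input" and self._open is not None:
            label = " ".join(a.get(k) or "" for k in ("name", "id", "autocomplete"))
            if CARD_FIELD.search(label):
                self._open[1] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._open = None

def classify_checkout(page_url, html, gateway_hosts):
    """Say which server first receives the card number typed into this page."""
    scan = CheckoutScan()
    scan.feed(html)
    host = lambda ref: urlparse(urljoin(page_url, ref)).hostname
    for action, has_card in scan.forms:
        if has_card:  # card fields live on the merchant's own page
            return "direct-post" if host(action) in gateway_hosts else "merchant-capture"
    targets = scan.iframes + [action for action, _ in scan.forms]
    if any(host(t) in gateway_hosts for t in targets):
        return "gateway-hosted"  # card is only ever typed on the gateway's origin
    return "unknown"

# Constructed sample pages; shop.example and gateway.example are placeholders.
GATEWAYS = {"gateway.example"}
ON_SITE = '<form action="/checkout/pay" method="post"><input name="card_number"><input name="expiration_date"></form>'
DIRECT = '<form action="https://gateway.example/pay"><input autocomplete="cc-number"></form>'
HOSTED = '<iframe src="https://gateway.example/hosted-fields"></iframe>'

if __name__ == "__main__":
    for name, page in (("on-site", ON_SITE), ("direct", DIRECT), ("hosted", HOSTED)):
        print(name, classify_checkout("https://shop.example/checkout", page, GATEWAYS))
```

This reads static HTML only, so card fields injected by JavaScript after page load are not seen, and an https connection to the shop gives the same result in all three cases.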
 
