Now I swear this is entirely coincidental, but only this month I wrote a very tongue-in-cheek piece titled Good news – your credit card is fine and only your irreplaceable things were hacked! The basic premise of this piece was that when you see a company proudly asserting that your credit card is fine even though they’ve just been pwned six ways from Sunday (hi Ashley Madison!), that assurance is of little consequence to the customers of the site themselves. My reasoning was that other aspects of identity data like passwords, and deeply personal information such as bedroom rituals, are far more sensitive and of far higher value to the individual than their card info. In fact I summarised with this point:
Despite appearances, assurances of credit card sanctity are not there for the owners of the cards, they’re there for the banks.
Consumers enjoy pretty neat fraud protection offered by their banks and when things go wrong and a nasty transaction does hit the account, they simply give you your money back. You’ll probably have to cancel your card and wait a few days for a new one, but that’s about the extent of the inconvenience.
Now those who follow this blog will know that I’m very fond of actually showing what I write about; working demos or GTFO, if you like. And so fortuitously, a mere three days after writing that post, I discovered that my credit card had fraudulent transactions on it. More specifically, Kylie’s card had the nasty payments, but they all appeared on the one statement. After the obligatory “don’t-you-know-how-it-makes-me-look-as-a-security-pro-when-your-card-keeps-getting-pwned” talk (this was not her first rodeo…) and then after I apologised for having that talk, true to my word on that earlier post, the banking fairies took care of things.
Here’s what happened: firstly, I found a debit quickly followed by a credit of equal amount like this:
This is in Aussie dollars, which translates to about $1.4k in American money these days, so no small amount. The obfuscated section of that image is the last four digits of the card number, which helps you identify which cardholder’s plastic copped the charge. Incidentally, it also helps fraudsters verify your identity, yet PCI is quite happy if you store those digits in the clear (hi again Ashley Madison!), which means that once they’re pwned, attackers have a healthy leg up in the identity theft department.
So getting back to the story, on the same day as that transaction pair above, there was also this one:
Same deal, obviously for a lesser sum though. Whilst these zero out, they still serve a purpose: they provide the fraudster with verification that not only is the card valid, but that the available funds are somewhere north of either $1,986 or $2,700, depending on when those charges actually hit the account and debited the available balance. By immediately refunding the charge, as far as the card holder is concerned their balance remains the same and nothing odd is going on.
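To make the probing pattern above concrete from the defender’s side, here is an added example (my illustration for this post, not anything the bank or the card scheme runs) of a simple rule that a card holder or a fraud analyst could apply to a statement export: pair each debit with an equal and opposite credit from the same merchant on the same card within a couple of days, treat those pairs as “authorisation probes”, and then flag any later un-reversed charge on the probed card. The transaction lines, merchant names and amounts are constructed for the example and the `Txn` type, `find_probe_pairs`, `implied_minimum_balance` and `flag_followup_charges` are hypothetical helper names.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Txn:
    """One statement line. Positive amount = debit (charge), negative = credit (refund)."""
    day: date
    card_last4: str   # last four digits as printed on the statement
    merchant: str
    amount: float


# Constructed sample statement for this example: two probe pairs on the same
# day, an ordinary purchase, then a larger charge that is never reversed.
SAMPLE = [
    Txn(date(2015, 9, 3), "1234", "MERCHANT A", 1986.00),
    Txn(date(2015, 9, 3), "1234", "MERCHANT A", -1986.00),   # immediate refund
    Txn(date(2015, 9, 3), "1234", "MERCHANT B", 714.00),
    Txn(date(2015, 9, 3), "1234", "MERCHANT B", -714.00),    # immediate refund
    Txn(date(2015, 9, 4), "1234", "GROCERY", 85.20),         # normal spend
    Txn(date(2015, 9, 5), "1234", "ONLINE STORE", 1500.00),  # no refund follows
    Txn(date(2015, 9, 5), "5678", "ONLINE STORE", 120.00),   # different, unprobed card
]


def find_probe_pairs(txns, window_days=2):
    """Return (debit, credit) pairs: a charge reversed by an equal credit from the
    same merchant on the same card within window_days. Each credit is used once."""
    by_key = defaultdict(list)
    for t in txns:
        by_key[(t.card_last4, t.merchant, round(abs(t.amount), 2))].append(t)

    pairs = []
    for group in by_key.values():
        debits = sorted((t for t in group if t.amount > 0), key=lambda t: t.day)
        credits = sorted((t for t in group if t.amount < 0), key=lambda t: t.day)
        used = set()
        for d in debits:
            for i, c in enumerate(credits):
                if i in used:
                    continue
                if 0 <= (c.day - d.day).days <= window_days:
                    pairs.append((d, c))
                    used.add(i)
                    break
    return pairs


def implied_minimum_balance(pairs):
    """What the probes told the attacker: per card, the largest amount that was
    successfully authorised, i.e. a lower bound on the available balance."""
    floor = {}
    for d, _ in pairs:
        floor[d.card_last4] = max(floor.get(d.card_last4, 0.0), d.amount)
    return floor


def flag_followup_charges(txns, pairs, min_amount=500.0, lookahead_days=14):
    """Return un-reversed debits of at least min_amount on a probed card that land
    within lookahead_days of that card's first probe. These are the charges
    worth disputing before the statement is even finalised."""
    first_probe = {}
    in_pair = set()
    for d, c in pairs:
        first_probe[d.card_last4] = min(first_probe.get(d.card_last4, d.day), d.day)
        in_pair.add(d)
        in_pair.add(c)

    flagged = []
    for t in txns:
        if t.amount <= 0 or t in in_pair or t.card_last4 not in first_probe:
            continue
        delta = (t.day - first_probe[t.card_last4]).days
        if 0 <= delta <= lookahead_days and t.amount >= min_amount:
            flagged.append(t)
    return flagged


if __name__ == "__main__":
    probes = find_probe_pairs(SAMPLE)
    for d, c in probes:
        print(f"probe: card ****{d.card_last4} {d.merchant} {d.amount:.2f} reversed on {c.day}")
    print("implied balance floor per card:", implied_minimum_balance(probes))
    for t in flag_followup_charges(SAMPLE, probes):
        print(f"FLAG: {t.day} ****{t.card_last4} {t.merchant} {t.amount:.2f} (not reversed)")
```

The rule is deliberately crude: a legitimate pre-authorisation hold (hotels, fuel pumps) also shows up as a charge and a reversal, so the probe pairs alone are a signal to watch, not proof of fraud. The combination that matters is the one this post describes: probes, then a large charge on the same card with no credit behind it.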
Now there’s time for the attacker to monetise the card itself. I can only speculate here because the bank doesn’t exactly willingly hand over information about its fraud investigations, but often you’ll see valid cards being sold on the dark markets. You see, having a card that works is one thing; actually turning it into cold hard cash and laundering money out of it is quite another. Often these two disciplines will be run by different groups or individuals, so you might have one party doing the pwning of an online service somewhere or skimming cards at a terminal, while another one altogether then buys the cards and monetises them.
Inevitably, precursor transactions like those were ultimately going to result in one like this:
Except this time, there was no credit following it and we were out of pocket a grand and a half. Now there is simply no way this was Kylie’s transaction, not only because this was not the card she normally uses, but because we were away snowboarding at the time and not buying a grand and a half worth of homewares on Zoxoro. We certainly weren’t buying it from an overseas merchant either, which makes it kinda odd given that Zoxoro is an Aussie brand, although it may be that there’s an overseas merchant under the same name.
Here’s the point of all this though: I noticed the fraudulent transactions on the account on Monday the 7th. I went down to the bank that day (it’s just around the corner, but you can easily do this via phone too), lodged a dispute and cancelled the card. That same day, a credit transaction appeared on the card for the fraudulent charge; it was processed and the money was back on the account on Thursday:
A new card arrived Friday. And that is all. Job done.
I have spent more time writing this blog post than I have dealing with the actual fraud on the card. This experience has been exactly the same as multiple prior experiences when cards have been pwned, and whilst I don’t want criminals charging my card, it’s nothing personal and it’s a minor inconvenience.
When credit cards are compromised, it’s the merchants and the banks who pay the price. They’ve had to sort this all out, get the cash back, and someone is inevitably attempting to chase down the fraudster. It’s a zero-sum game for us: a mere inconvenience of no financial consequence.