Watch your credit card statements...

Old 02-09-09, 12:41 PM
  #1  
Little Darwin
The Improbable Bulk
Thread Starter
 
Join Date: Jul 2005
Location: Wilkes-Barre, PA
Posts: 8,403

Bikes: Many

Watch your credit card statements...

I am not overly paranoid, but I do keep an eye on things.

I just got a call this morning from Citibank about one of my cards that I don't use online... there were some suspicious charges on it for Napster and the New York Times and a couple of other places. Most of it for under $2. Apparently, one of the patterns is people will make small charges to validate that a card is valid, and then make a larger charge or series of charges on it.

After doing an online search, it appears that a significant breach happened at a big payment company last year that impacted some credit cards whether they are used for online purchases, or in stores... While I don't know whether this is how my credit card was compromised, it could be.

http://www.2008breach.com/

I have now closed the compromised account, cut up the card, and a new credit card is on the way with a new number.

I found out quickly thanks to the automated notification by the credit card company.

Be careful out there.
Old 02-09-09, 01:24 PM
  #2  
wahoonc
Membership Not Required
 
Join Date: Jan 2005
Location: On the road-USA
Posts: 16,849

Bikes: Giant Excursion, Raleigh Sports, Raleigh R.S.W. Compact, Motobecane? and about 20 more! OMG

I monitor our card(s) daily. So far so good, but our Credit Union did issue us a new card and PIN on one account just as a precaution...more than I can say for a lot of banks.

Aaron
__________________
Webshots is bailing out, if you find any of my posts with corrupt picture files and want to see them corrected please let me know. :(

ISO: A late 1980's Giant Iguana MTB frameset (or complete bike) 23" Red with yellow graphics.

"Cycling should be a way of life, not a hobby.
RIDE, YOU FOOL, RIDE!"
_Nicodemus

"Steel: nearly a thousand years of metallurgical development
Aluminum: barely a hundred
Which one would you rather have under your butt at 30mph?"
_krazygluon
Old 02-09-09, 01:28 PM
  #3  
iamlucky13
Footballus vita est
 
Join Date: Jun 2002
Location: Portland, OR
Posts: 2,118

Bikes: Trek 4500, Kona Dawg

I had the same thing happen as wahoonc. I got a notice about a possible account compromise on the part of a company related to Visa, and my credit union sent a new card and PIN as a precaution.

Thanks for calling out the small charges bit. Banks usually watch for unusually large charges and call to confirm, but it would be really easy for these warning signs to slip through the cracks.
__________________
"The internet is a place where absolutely nothing happens. You need to take advantage of that." ~ Strong Bad
Old 02-09-09, 02:41 PM
  #4  
HardyWeinberg
GATC
 
Join Date: Jul 2006
Location: south Puget Sound
Posts: 8,637
I had a <$2 charge (from NY Times) on one debit card, and a ~$40 and ~$80 on the other, so called the bank, got the cards closed. They were debit cards but these transactions ran as credit so my PINs were safe. -ish.

The lowest 2 charges never finalized; the 3rd did (ftd.com; apparently a lot of husbands tell their wives who don't get flowers that the ftd charges are mistakes). Anyway, ftd finalized the charge, which the other 2 didn't, and refused the bank's request to cancel it unless I told them to on a conference call. Then, once the bank got me on the line for the conference call, ftd told them they'd drop it w/o ever joining the call.

Anyway, cards closed so no more charges on them. 2 wks now and new cards have not shown up yet.
Old 02-09-09, 02:44 PM
  #5  
ehidle
T-Shirt Guy
 
Join Date: Jul 2008
Location: Lansdale, PA
Posts: 464

Bikes: 2005 Fuji Team Issue, 2007 Fuji SL-1

What they do with the small charges is attempt to fool the fraud-detection algorithms that will raise the red flag based upon location, size, and frequency of purchases. By making a bunch of small, seemingly random purchases, the fraud algorithms become a bit desensitized. Then, when they make the "big one," it is less likely to get declined.
__________________
Yellow + Blue Jerseys!

Get your Cranky T-Shirt!
Men's
and Women's designs available
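The pattern described in the posts above (a few sub-$2 "probe" charges followed by a large one) is easy to miss if a fraud rule only looks at large amounts in isolation. The following is an added example, not code from any poster or from a card issuer, showing one way a monitoring job could flag it from an authorization log. The transaction data, thresholds and merchant names are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authorization log (not real data):
# (card_id, timestamp, merchant, amount_usd)
SAMPLE_TRANSACTIONS = [
    ("card-A", "2009-02-08 09:12", "Napster",           1.49),
    ("card-A", "2009-02-08 09:40", "NY Times",          0.99),
    ("card-A", "2009-02-08 10:05", "Some Other Shop",   1.25),
    ("card-A", "2009-02-09 08:30", "Electronics Store", 689.00),
    ("card-B", "2009-02-08 12:00", "Grocery",           54.10),
    ("card-B", "2009-02-09 18:20", "Gas Station",       41.75),
    ("card-C", "2009-02-10 07:00", "Coffee",            3.25),
    ("card-C", "2009-02-10 19:00", "Coffee",            3.25),
]

# Tunable thresholds (assumptions chosen for the example, not industry values)
SMALL_MAX = 2.00              # a "probe" charge is at most this much
MIN_PROBES = 2                # need at least this many probes before the big charge
WINDOW = timedelta(hours=48)  # probes must fall within this much time before the big charge
RATIO = 50.0                  # big charge must be at least RATIO x the largest probe


def find_test_charge_patterns(transactions, small_max=SMALL_MAX, min_probes=MIN_PROBES,
                              window=WINDOW, ratio=RATIO):
    """Return one alert per card-level 'probe then spend' sequence.

    Probes are tiny charges; an alert fires when a much larger charge on the same
    card is preceded, within `window`, by at least `min_probes` of them. Probes are
    counted whether or not they later settle, since the ones in the thread often
    never finalized.
    """
    by_card = defaultdict(list)
    for card, ts, merchant, amount in transactions:
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M")
        by_card[card].append((when, merchant, amount))

    alerts = []
    for card, txns in by_card.items():
        txns.sort()  # chronological; tuples sort by timestamp first
        for i, (when, merchant, amount) in enumerate(txns):
            if amount <= small_max:
                continue  # this is itself a small charge, not the "big one"
            probes = [p for p in txns[:i]
                      if p[2] <= small_max and when - p[0] <= window]
            if len(probes) >= min_probes and amount >= ratio * max(p[2] for p in probes):
                alerts.append({
                    "card": card,
                    "large_amount": amount,
                    "large_merchant": merchant,
                    "probe_count": len(probes),
                    "probe_merchants": [p[1] for p in probes],
                })
    return alerts


if __name__ == "__main__":
    for alert in find_test_charge_patterns(SAMPLE_TRANSACTIONS):
        print(f"{alert['card']}: {alert['probe_count']} probe charge(s) "
              f"({', '.join(alert['probe_merchants'])}) followed by "
              f"${alert['large_amount']:.2f} at {alert['large_merchant']}")
```

Run against the sample, only card-A trips the rule; the two ordinary purchases on card-B and the repeated $3.25 coffees on card-C do not, which is the point of requiring both a run of probes and a large jump rather than reacting to every small charge.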
Old 02-09-09, 02:45 PM
  #6  
HardyWeinberg
GATC
 
Join Date: Jul 2006
Location: south Puget Sound
Posts: 8,637
Originally Posted by Little Darwin:
impacted some credit cards whether they are used for online purchases, or in stores... While I don't know whether this is how my credit card was compromised, it could be.
A friend who does computer security for Sandia at Los Alamos says that online https transactions are safer than brick/mortar ones; whatever route the info takes is less accessible. Don't know if that's true but it makes me feel better online. Until something happens like in my previous post, anyway.
Old 02-09-09, 03:09 PM
  #7  
ehidle
T-Shirt Guy
 
Join Date: Jul 2008
Location: Lansdale, PA
Posts: 464

Bikes: 2005 Fuji Team Issue, 2007 Fuji SL-1

I know that for a while all Best Buy cash registers transmitted credit card info to the store's central terminal in plaintext over an unencrypted wireless network. That was fun...
Old 02-09-09, 03:15 PM
  #8  
timmhaan
more ape than man
 
Join Date: Nov 2003
Location: nyc
Posts: 8,094
Originally Posted by ehidle:
I know that for a while all Best Buy cash registers transmitted credit card info to the store's central terminal in plaintext over an unencrypted wireless network. That was fun...
wow.
Old 02-09-09, 04:46 PM
  #9  
trsidn 
Jeff Vader
 
Join Date: Jul 2007
Location: Putting the 'fun' in dysfunctional
Posts: 373

Bikes: Cannondale CAAD8, Trek SU200

Originally Posted by ehidle:
I know that for a while all Best Buy cash registers transmitted credit card info to the store's central terminal in plaintext over an unencrypted wireless network. That was fun...
__________________
We are all a litter of piglets in the barn fire of life - Piney McKnuckle
Old 02-09-09, 05:49 PM
  #10  
phillypino215
Senior Member
 
Join Date: Jul 2008
Posts: 109
That comment makes me feel reaaaaaalllll safe.
Old 02-10-09, 05:13 PM
  #11  
no1mad 
Thunder Whisperer
 
Join Date: Apr 2008
Location: NE OK
Posts: 8,864

Bikes: '06 Kona Smoke

Originally Posted by ehidle:
I know that for a while all Best Buy cash registers transmitted credit card info to the store's central terminal in plaintext over an unencrypted wireless network. That was fun...

Hence my new economic policy: Pay cash in person or pay cash in person for a gift card to be used online. Wait, that would limit my choices for vendors. New idea: use reloadable money cards from the bank.
__________________
Community guidelines
Old 02-10-09, 05:23 PM
  #12  
bikebuddha 
Senior Member
 
Join Date: Oct 2003
Location: Somewhere in time
Posts: 1,137
I had the same problem as Darwin: a couple of small transactions at the iTunes store, and then a massive shopping spree at the Apple online store. Luckily Apple flagged it as a fraudulent transaction, but still, it sucks.
__________________
The few, the proud, the likely insane, Metro-Atlanta bicycle commuters.
Old 02-10-09, 07:19 PM
  #13  
ericm979
Senior Member
 
Join Date: May 2007
Location: Santa Cruz Mountains
Posts: 6,169
Originally Posted by HardyWeinberg:
A friend who does computer security for Sandia at Los Alamos says that online https transactions are safer than brick/mortar ones; whatever route the info takes is less accessible. Don't know if that's true but it makes me feel better online. Until something happens like in my previous post, anyway.

HTTPS (HTTP over SSL/TLS) is pretty secure. The TLS protocol is good, and most browsers/web servers these days use strong, good-quality cryptography. The problems are in two places:

0. The server certificate. Your browser has a set of Certificate Authority certs that it came with. Those are automatically trusted to sign merchant server certs. Not all of them are 100% trustworthy, although all the major players are. Some servers send "self signed" certs, which anyone can make. They don't mean squat, but people will click "ok" anyhow. And some CAs have been tricked into issuing certs to names that look legit, say "www.paypa1.com", where in some fonts the '1' may look like an 'l'. You should look at the server cert and who signed it before you send any important data.

1. The back end. After your credit card comes out of the nice secure TLS pipe to the merchant, it's in the clear. Good merchants will re-encrypt it when they store it in their database, and keep it encrypted as much as possible. They will have to decrypt it to send it (in another encrypted pipe) to the payment processor. The same thing happens at the payment processor: good ones keep the card encrypted except when they decrypt it to send it (re-encrypted, of course) to the bank to clear.

Good setups will use strong crypto in a well-designed system with limited access. (Disclaimer: the company I work for makes such things, among other cryptographic products.) Poor setups, well, it can be difficult to do this sort of thing well. The card associations (Visa, MC) have a set of rules called PCI which merchants and payment processors have to adhere to in order to continue to be allowed to process cards. But it is rare for that to happen; most companies who are not in compliance can get a waiver.

Whatever you do, use a credit card and not a debit card. At least in the US, with a credit card you are liable only for $50 if your card is stolen, and most banks will even waive that. With debit cards, the money is sucked right out of your bank account, and they can take all of it.

With brick-and-mortar, the credit card # is encrypted as it is sent from the reader (if it's a separate reader that is not part of the POS terminal) to the processor. After that it's treated the same as the online card. If the reader is part of the POS terminal then the CC# is protected only as much as the POS data is... which might be sent over an unencrypted WiFi connection.
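The "www.paypa1.com" point in the post above is about lookalike names, which a human eye misses in some fonts. As an added example (not the poster's code, and not any vendor's), the following check folds characters that are commonly confused for one another into one canonical form and compares the result against a short list of domains the user actually deals with, so a name that only matches after folding is reported as a lookalike. The confusables table, the trusted-domain list and the hostnames are constructed for the example; a production check would use the full Unicode confusables data and a public-suffix list rather than "last two labels".

```python
# Single-character lookalikes folded to one canonical letter. Constructed for this
# example; the real Unicode confusables table is much larger.
CONFUSABLES = str.maketrans({
    "1": "l", "i": "l", "|": "l",   # digit one, i and bar all read as 'l' in some fonts
    "0": "o",
    "5": "s",
    "3": "e",
    "8": "b",
    "\u0430": "a",  # Cyrillic a
    "\u0435": "e",  # Cyrillic ie
    "\u043e": "o",  # Cyrillic o
    "\u0440": "p",  # Cyrillic er
    "\u0441": "c",  # Cyrillic es
})

# Constructed list of domains this user transacts with (assumption for the example)
TRUSTED_DOMAINS = {"paypal.com", "citibank.com", "nytimes.com"}


def skeleton(name):
    """Reduce a domain name to its 'looks like' form.

    Lower-cases, folds the two-letter sequences that read as one letter
    ('rn' -> 'm', 'vv' -> 'w'), then applies the single-character table.
    """
    s = name.lower().replace("rn", "m").replace("vv", "w")
    return s.translate(CONFUSABLES)


def registrable_domain(host):
    """Return the last two labels of a hostname (simplification: no public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def lookalike_check(host, trusted_domains=TRUSTED_DOMAINS):
    """Classify a hostname against the trusted list.

    Returns ("exact", domain) for a real trusted domain,
            ("lookalike", trusted) when it matches a trusted domain only after
                                   confusable folding, or
            ("unknown", domain) when it resembles nothing on the list.
    """
    domain = registrable_domain(host)
    if domain in trusted_domains:
        return ("exact", domain)
    folded = skeleton(domain)
    for trusted in sorted(trusted_domains):
        if skeleton(trusted) == folded:
            return ("lookalike", trusted)
    return ("unknown", domain)


if __name__ == "__main__":
    for h in ("www.paypal.com", "www.paypa1.com", "secure.c1tibank.com", "shop.example.net"):
        print(h, "->", lookalike_check(h))
```

The check is deliberately applied to both sides: the trusted domain is folded the same way as the candidate, so "citibank.com" and "c1tibank.com" land on the same skeleton and the latter is reported as a lookalike of the former rather than being missed because the real name contains an 'i' too.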
Old 03-13-09, 12:47 PM
  #14  
baldsue
pedaler
 
Join Date: Jul 2008
Location: NYC
Posts: 255

Bikes: 2009 Yellow Schwinn Madison, 2015 Silver Xootr Swift

One of my credit cards was breached on Feb. 6, another was breached this week. Anyone else getting hit this hard by fraud? I've no idea whether either has anything to do with the Heartland breach. I did some analysis and found there were only two vendors (both online bike shops) where I used both cards. I'm hesitant to buy anything from either vendor again.
Old 03-13-09, 01:03 PM
  #15  
pgoat
BatŁwŁ Griekgriek
 
Join Date: May 2005
Location: NYC - for the moment...
Posts: 2,908

Bikes: 1985 Trek 500, 1986 Trek 500 Tri Series, 2005 Cannondale R1000

Watch the fine print on your checking/debit card accounts as well. I now have to make at least seven purchases per month with my debit card or my checking is no longer free.
__________________
Originally Posted by jsharr:
People whose sig line does not include a jsharr quote annoy me.
Old 03-13-09, 01:08 PM
  #16  
mlts22 
Senior Member
 
Join Date: Aug 2006
Posts: 998
The most secure setup I've seen was a merchant that had two forms of accepting credit cards. The first was PayPal, so credit card processing was done by them, and the numbers never touched the site.

The second was via an SSL connection, and the form, once posted, was PGP encrypted to a private key stored on a box not on the Internet, and the credit order e-mailed to a mailbox. Then, every morning, the store would take all the orders in the inbox, copy them to the offline machine, decrypt them, and run them through a credit card terminal that wasn't online. Nowhere were the numbers ever stored on the Internet in plaintext.
Old 03-13-09, 02:53 PM
  #17  
Hickeydog
Crushing souls
 
Join Date: Jun 2007
Location: Sagamore Hills, Ohio.
Posts: 1,591

Bikes: Trek 1500

Just checked my credit card. No purchases that I didn't make.
Old 03-13-09, 03:52 PM
  #18  
klondike300
klondike300
 
Join Date: Feb 2005
Location: Looking for my lung on Green Mountain or flowing the trails at Port Gamble
Posts: 297

Bikes: Cannondale(x3). Synapse, cyclocross and 29er Scalpel

Originally Posted by Hickeydog:
Just checked my credit card. No purchases that I didn't make.
Crap, no wonder my Orbea purchase got denied.
Seriously though, I just bought someone a ticket on AirArabia. Second time in a year for my Visa. At least they've never got into my debit card.
Old 03-13-09, 04:04 PM
  #19  
trsidn 
Jeff Vader
 
Join Date: Jul 2007
Location: Putting the 'fun' in dysfunctional
Posts: 373

Bikes: Cannondale CAAD8, Trek SU200

Never put your debit card on the interwebs. If you ever get hit, at least you can work it out with the CC card company without affecting your day to day money....
Old 03-13-09, 04:21 PM
  #20  
randya
Senior Member
 
Join Date: Jul 2003
Location: in bed with your mom
Posts: 13,696

Bikes: who cares?

I have two credit union cards that they proactively arranged to replace after the recent security breach at Heartland.
Old 03-13-09, 04:37 PM
  #21  
JF1
Senior Member
 
Join Date: Aug 2005
Location: Kaysville, Utah
Posts: 544

Bikes: 2006 Giant OCR 3 Composite

Just happened this week on the 9th to one of my Visa cards to the tune of $1200. Those of you who don't get over to the Road Forum might check this thread out:
http://www.bikeforums.net/showthread.php?t=514152

My credit union has already returned my money and issued me a new credit card but it still just seems scary.

I see that there are several class action lawsuits against Heartland. Apparently, they may not have taken action fast enough once they knew about it.

http://www.securityfocus.com/brief/899
http://philadelphia.injuryboard.com/...oogleid=256534

Last edited by JF1; 03-13-09 at 04:42 PM.
Old 03-13-09, 05:19 PM
  #22  
bmclaughlin807
Crankenstein
 
Join Date: May 2006
Location: Spokane
Posts: 4,038

Bikes: Novara Randonee (TankerBelle)

I get a text message to my cell phone every time a payment or credit gets processed to my pre-paid debit... I generally get the text message before I even hit the door on the way out of the establishment.
__________________
"There is no greater wonder than the way the face and character of a woman fit so perfectly in a man's mind, and stay there, and he could never tell you why. It just seems it was the thing he most wanted." Robert Louis Stevenson
Old 03-13-09, 06:16 PM
  #23  
ascend
free mallocs
 
Join Date: Jan 2008
Location: melbourne, australia
Posts: 520
Originally Posted by ericm979:
0. The server certificate. Your browser has a set of Certificate Authority certs that it came with. Those are automatically trusted to sign merchant server certs. Not all of them are 100% trustworthy, although all the major players are. Some servers send "self signed" certs, which anyone can make. They don't mean squat, but people will click "ok" anyhow. And some CAs have been tricked into issuing certs to names that look legit, say "www.paypa1.com", where in some fonts the '1' may look like an 'l'. You should look at the server cert and who signed it before you send any important data.
FUD doesn't help anyone. There is nothing intrinsically insecure about "self signed" certs. It is important to know the difference between a CA-signed cert and a self-signed one, but simply telling people "self-signed certs don't mean squat" doesn't help anyone learn and understand the difference.

Regardless of who signed the certificate, the connection is still encrypted and is safe from third parties eavesdropping on the traffic. Whether you trust the party at the other end to correctly handle your data once it gets there is up to you to decide.

A CA-signed certificate does not tell you what the other party is doing with your data. What it does tell you is that the party at the other end has successfully convinced the CA that they are who they say they are. If you trust the party at the other end to do the right thing, and you trust the CA's confirmation of their identity, then you are good.

A self-signed certificate also does not tell you what the other party is doing with your data -- you still need to trust the party at the other end to do the right thing. The only thing you don't have is a third party confirmation that the people signing it are who they say they are. As long as you confirm this yourself, this is not a problem.

If you don't actually know who the CAs are, or what their policies are with regards to issuing certificates, or how strictly they follow their own policies, then you don't have any reason to place any more trust in their judgement than in your own.

Originally Posted by ericm979:
You should look at the server cert and who signed it before you send any important data.
This is always good advice, regardless of which CAs your browser automatically "trusts" for you. (How much do you trust your browser to make that decision for you?)

ETA: The most important thing, of course, is to check that the site the certificate is for exactly matches the site you're visiting. Your browser will usually warn about this, regardless of who signed the cert.

Last edited by ascend; 03-13-09 at 06:33 PM.
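The two posts on certificates (ericm979's "look at the cert and who signed it" and ascend's reply that the name on the certificate must match the site exactly, and that a self-signed certificate is fine if you have confirmed it yourself) amount to a small decision procedure. The code below is an added example written for this thread, not from either poster and not a reimplementation of any browser's logic. It models a certificate as a plain dict and applies the checks in the order ascend argues for: name match first, then either a trusted issuer or an explicitly pinned self-signed fingerprint. The trust store, fingerprints and certificate contents are all constructed placeholders.

```python
# Constructed trust store and pin set (assumptions for the example, not real values)
TRUSTED_ISSUERS = {"Example Root CA"}
PINNED_FINGERPRINTS = {"sha256:PLACEHOLDER-PINNED-SELF-SIGNED-CERT"}

# Constructed certificates, reduced to the fields the checks need
CA_SIGNED_CERT = {
    "subject": "shop.example.com",
    "names": ["shop.example.com", "www.example.com"],   # subject alternative names
    "issuer": "Example Root CA",
    "fingerprint": "sha256:PLACEHOLDER-CA-SIGNED-CERT",
}
SELF_SIGNED_CERT = {
    "subject": "intranet.example.test",
    "names": ["*.example.test"],
    "issuer": "intranet.example.test",                  # issuer == subject: self-signed
    "fingerprint": "sha256:PLACEHOLDER-PINNED-SELF-SIGNED-CERT",
}


def hostname_matches(hostname, cert_names):
    """True if `hostname` is covered by one of the certificate's names.

    Matching is case-insensitive, ignores a trailing dot, and allows a wildcard
    only as the entire leftmost label ("*.example.com"). A wildcard covers one
    label only, so "*.example.com" does not cover "a.b.example.com" or the bare
    "example.com", and "*.com" is refused outright.
    """
    host_labels = hostname.lower().rstrip(".").split(".")
    for name in cert_names:
        pat_labels = name.lower().rstrip(".").split(".")
        if len(pat_labels) != len(host_labels):
            continue
        if pat_labels[0] == "*":
            if len(pat_labels) < 3:          # "*.com" would cover every .com host
                continue
            if pat_labels[1:] == host_labels[1:]:
                return True
        elif pat_labels == host_labels:
            return True
    return False


def evaluate_cert(hostname, cert, trusted_issuers=TRUSTED_ISSUERS,
                  pinned=PINNED_FINGERPRINTS):
    """Decide whether to trust `cert` for `hostname`.

    Returns one of:
      "hostname-mismatch"   name on the cert does not cover the site (checked first)
      "ca-trusted"          issued by a CA in the local trust store
      "self-signed-pinned"  self-signed, but you confirmed this exact cert yourself
      "untrusted"           anything else
    """
    if not hostname_matches(hostname, cert["names"]):
        return "hostname-mismatch"
    if cert["issuer"] in trusted_issuers:
        return "ca-trusted"
    is_self_signed = cert["issuer"] == cert["subject"]
    if is_self_signed and cert["fingerprint"] in pinned:
        return "self-signed-pinned"
    return "untrusted"


if __name__ == "__main__":
    print(evaluate_cert("www.example.com", CA_SIGNED_CERT))
    print(evaluate_cert("www.example.net", CA_SIGNED_CERT))
    print(evaluate_cert("intranet.example.test", SELF_SIGNED_CERT))
    print(evaluate_cert("intranet.example.test", SELF_SIGNED_CERT, pinned=set()))
```

Two design points follow the thread. The name check runs before any signer check and fails closed, because a correctly signed certificate for the wrong name is exactly the case a lookalike domain exploits. And a self-signed certificate is accepted only by exact fingerprint, never by name, which is what "confirm this yourself" means in practice: the pin is the out-of-band confirmation, and a different self-signed certificate for the same name is rejected.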