Caught in the payment fraud net: when, not if?

Caught in the payment fraud net: when, not if?

Sometimes, I think there are three certainties in life: death, taxes, and some form of payment fraud. Security reporter Danny Palmer experienced this a little while ago, and has spent a significant amount of time tracking the journey of his card details from the UK to Suriname. His deep-dive confirmed that it is easy to become tangled up in fraud, even if you’re very careful. I myself have experienced one of the more peculiar forms of credit card theft, detailed below.

Sometimes it’s you…

Right off the bat, let’s clarify that there are ways to both help and hinder the security of your payment information.

Maybe you switched something off while traveling for easy access and forgot to turn it back on at the other end. Perhaps there was some ancient Hotmail account still tied to something important with a password on six hundred thousand password dumps. Maybe you did one of those “Without giving your exact date of birth, please tell us something you’d recognise from your childhood and also your exact date of birth and credit card number” things bouncing around on social media.

These are all ways you can inadvertently generate problems for yourself at a later date.

Sometimes it isn’t you

On the other hand, instead of winding up in one of the above examples, let’s say you successfully navigated all perils.

You secured your desktop, installed some security software, followed the advice to keep your system up to date, and avoided all dubious installs. Locking down your phone was a great idea. Reading some blogs on password managers was the icing on the cake. You’ve done it all, and anything going wrong after this will have to be one heck of a fight.

There is, however, a third path outside of what you do or don’t do to keep data secure.

Occasionally, the issue is elsewhere

Maybe people you don’t know, who you entrusted with the well-being of your card data, did something wrong. Perhaps a Point of Sale terminal is missing vital patches. The store across town didn’t keep an eye on their ATM, and the company responsible for it didn’t have a means to combat the skimmer strapped across the card slot. The clothing store you bought your jacket from did a terrible job of locking down payment data and everything is sitting in the clear.

This is absolutely one of those “whatever will be, will be” moments.

The…good?…news about hacks outside of your control is, they can happen to anyone. Including people who work in security. As a result, you shouldn’t feel like you’ve done something wrong. In many cases, you almost certainly haven’t. It’s way beyond time to normalise the notion that huge servings of guilt aren’t a pre-requisite for data theft.

Setting the scene: My experience with card fraud

When I received my fraud missive through the post, it was shortly after an incredibly time consuming and complicated continent-spanning house move. Did I make a multitude of payments in all directions? You bet. Shipping, storage, local transportation, and a terrifyingly long list of general administrative and paperwork duties from one end of a country to another.

I avoided using my banking debit card throughout the process, relying on my credit card instead. There’s a reason for this.

Interlude: why I used a credit card

If you buy something with your debit card and it ends up with a scammer, you may have problems recovering your funds. You may well have to endure a lengthy dispute process, or prove you weren’t being negligent in order to get your money back.

Increasingly, banks are making this a little harder to do.

If you bank online, you’ll almost certainly have seen a digital caveat any time you go to transfer money. They’re usually along the lines of waiving the ability to reclaim your money back if tricked into sending your cash to a scammer. They’ll ask you to confirm you know who you’re sending the money to or place the responsibility for transferring funds directly on your own shoulders. Perhaps they’ll try and get out of paying up if your PC was compromised by malware. If you pay by cheque, you could get into all sorts of tedious wrangling behind the scenes too.

Even without all of the above, your bank may well have a number of minimum best practices for you to follow. Unless you want to run into potential pitfalls, try and keep things ship-shape there too.

Meanwhile, the credit card is a fast-track to getting your money back, because it’s the incredibly large and powerful credit company getting their money back. You’re just there for the ride, as it were. This in no way removes your requirement to be responsible with your details, but from experience, I’ve had more success righting a cash-related wrong where it involved credit rather than debit. It’s an added form of leverage and protection. The real shame is that isn’t usually the case when paying with your own money. Once again, we’re back in the land of “whatever will be, will be”.

End of interlude: when things go wrong

I don’t know exactly what happened with my card, or who took the details. I’ve no idea if the details were swiped from an insecure database, or a store had Point of Sale malware on a terminal. I can’t say if it was cloned from one of the few times I had to use an ATM.

Stop and think about the places you frequently buy items from. Maybe even draw up a list on a map. You’ll almost certainly have a handful of stores you use regularly, with a few random places thrown in for good measure. Perhaps you avoid ATMs completely, opting for cashback in stores instead. You probably shop online at the same places too, with a few more off-the-beaten-track sites popping up here and there, too.

You may get lucky and discover one of them has had a breach. If they’re small shops or family businesses, sorry…you probably won’t read about it in the news. Website compromises can lay undetected for a long time. Same for Point of Sale malware on physical terminals. Your shopping circle of trust only extends so far and is only useful for figuring out a breach up to a point. After that, it’s guesswork and for various reasons, your bank/credit card company won’t disclose investigation information.

The scammers strike

What I do know, is that a letter came through the door telling me someone had tried to make a purchase of around 14 thousand pounds on my credit card. Their big plan was to order a huge supply of wine from a wine merchant. What I was told by the bank, is that these aren’t places you can typically wander in off the street and throw some wine in a shopping trolley. These are organisations which sell directly to retailers.

Logic suggests that card fraud circles around small, inconspicuous transactions to remain off the grid. Nothing screams small, inconspicuous transactions like “a purchase more than the limit on your card for a bulk supply of rare, expensive wine from a direct to store wine merchant unavailable to the public”.

Though this is outside my realm of experience, my guess is a successful purchase would’ve resulted in the wine being sold on in ways which obscure the source of the original funds. By the time anyone has figured out what happened, the scammer has turned a profit and I’m left holding the incredibly large wine bag.

Luckily for me, “Make small inconspicuous transactions” doesn’t appear to have been in their playbook. Even if the fraud detection team had somehow missed this utterly out of character purchase, the scammers also managed to blow past my credit card limit. I assume the big fraud detection machine exploded and required a bit of a lie down afterwards to recover.

Dealing with the aftermath

I was very lucky, if you can call it that, because of the baffling way the scammers tried to rip me off. If the ludicrous size of the attempted payment hadn’t set alarm bells ringing, the unusual items purchased probably would have given the same end result. Similarly, Danny Palmer’s card flagged the fraud tripwires before any money was taken. Banks and credit card companies are constantly adding new ways to detect dubious antics and also make logging into banking portals a safer experience.

All the same, we shouldn’t rely on others too much to ensure our metaphorical bacon is saved at the last minute. Keep locking things down, be observant when using ATMs, and familiarise yourself with the security procedures for your payment method of choice. We can’t stop everything from going wrong, but we can certainly help tip the odds a little bit more in our favour.

I probably won’t crack open a bottle of wine to celebrate, though.


Christopher Boyd

Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.