One morning last month I awoke to emails from two of our credit card companies. The dreaded, “Do you recognize this purchase?” $2000 in plastic surgery in Miami, FL? Nah. $500 for a Canadian visa application? Don’t think so. Crap, hacked again. Upon checking the transactions on a third card, I saw a series of online purchases at app building sites. Not me, but I wish because that seems pretty lucrative… I wanna be a millionaire one download at a time please. (I am a bit concerned that the bank didn’t flag the purchases as fraud and it was me who discovered the issue. This set off a maddening chain of events where the bank assumed more charges were fraudulent-- they weren't-- and since the charges were made with Apple Pay on my phone I was flagged as a troublemaker. They wouldn't speak to me on the phone about the problem, only to the hubz as primary card holder. And now neither of us can add any cards to our phones to pay, but that’s a complaint for another day.)
Now with three cards hacked things are looking a little fishy. I really only use one of the cards on a daily basis. One hadn’t been used in months. So let me get this straight. All three of the cards I carry were compromised in the same week? Well, that seems to be the case. But how?
There’s a technique called shimming that utilizes a device slid into the card chip reader. That wasn’t it because 2 out of the three cards haven’t been out of my wallet. And I “boop it” when And that would most likely just be one card not all of them.
Then there’s a process called wireless skimming, where someone with a skimmer can be within 3-5 feet of a wallet and pick up the RFID signal from the chip in a card. That seems the most likely, but there are logistics that make using these stolen numbers a bit tricky. First, wallets usually store credit cards right next to each other. That makes it hard for a scanning device to differentiate between card numbers. That’s a lot of data to get perfectly right. Second, hackers have to make a clone of the card pretty quickly and then use the card before the owner does. This is because the skimmer grabbed a one-time-use CVV code, which means the info will be invalid if the owner uses the card first. That is certainly likely with two of the cards, and I guess the third doesn’t get a ridiculous amount of use these days as I’m staying home most of the time. Lastly, there needs to be an opportunity for a hacker to sit around scanning purses and wallets. I live in CCTV land, where punishment for crimes is pretty steep (probably deportation, or at least time in a nasty prison.) There is crime here (as much as the government insists there isn’t.) Seriously, a street fight in Dubai last month ended with a severed hand being found in the road later that night. That’s some next level shit. But anyway.
All that’s to say, I don’t really know what happened. I’m going with wireless skimming because the cards have never been out of my possession. If anyone has other theories, I’d love to hear about them.
What to do about it? Well, there are of course RFID-blocking wallets that retailers claim can protect against this sort of thing. I do have to wonder how prevalent the problem really is. I mean, if it’s so easy, people would be getting multiple cards hacked way more than we hear about it. Though I’ll be honest, I don’t frequently discuss financial data breaches over drinks with the gals. Although whining about the difficulty of getting replacement cards overseas in a timely fashion did yield a useful bit of knowledge that one card will express ship a new card to my home in Abu Dhabi despite not having actual street addresses here.
The best we can do is to remain aware of where our cards are and to monitor transactions frequently. I’ve come to accept credit card hacks as a part of having them. Of course it was less of a hassle when all replacement cards would arrive at my US home in a couple days. Now I deal with two cards with a mailing address of my mom’s house in Virginia, and another using our DPO box which goes through Chicago.
I’d love to hear your experiences with getting credit cards compromised. Bonus points for humorous fraudulent purchases. I once had to ask my husband (pulling him aside during a visit to friends of his parents) if he had joined match.com and sent his new love interest flowers. Awkward!