Credit card fraud, how does this happen?

[arunsakda]

I am a pilot and I just stayed 1 night at one of the best hotels in Manila on the company dime (direct billing). However I payed for room service and telephone with my own card, one I have not used in weeks. Immediately I started racking up strange charges in (Brazil of all places) and the credit card company contacted me and cancelled my card. It is a chipped metal "elite" card with no number on the face. I saw the woman at check out swipe the card and hand it back immediately. No time to take any info with surreptitious prestidigitation unless she was some sort of Pinay Houdini.

My question is this. Does this mean somebody in the hotel is in on this or simply that their data stream is somehow not secure from hacking? If it implies an inside job I will contact our corporate security, otherwise I won't bother.

Edited June 16, 2015 by arunsakda

[kkerry]

Maybe something happened as described in this article from October 2014.

Replay attacks spoof chip card charges

I had a card cloned years ago, and it had been used in only one place in the previous month, a well known business class hotel in KL.

The fraud section at my bank wouldn't say if the hotel staff were responsible but it seemed the obvious place to look.

[NeverSure]

They don't need thet thar prestidigitation shtuff. They get an electronic reading from the swipe. It's probably either hacked or there's a separate reader right there that picks it up. They can put one of those on an ATM and pick up your info from your debit card too.

I hate crooks.

[arunsakda]

Wow. My cards are U.S. Bank issued. They started with chips recently but still no PIN required as they are slow to invest in the new tech required at point of sale.

[Chicog]

Point of sale systems are effectively embedded computers and as such are prone to malware. They are also connected to networks via the Internet, so once the malware can start gathering POS data, it has a route out to Command and Control servers in Russia and the like.

The Target breach that leaked at least 40 million sets of card data was installed after hackers got login credentials they had given to their HVAC company.

Sources said that between Nov. 15 and Nov. 28 (Thanksgiving and the day before Black Friday), the attackers succeeded in uploading their card-stealing malicious software to a small number of cash registers within Target stores.

Those same sources said the attackers used this time to test that their point-of-sale malware was working as designed.

By the end of the month — just two days later — the intruders had pushed their malware to a majority of Target’s point-of-sale devices, and were actively collecting card records from live customer transactions, investigators told this reporter. Target has said that the breach exposed approximately 40 million debit and credit card accounts between Nov. 27 and Dec. 15, 2013.

If you want to do the decent thing, email the hotel and tell them that you think their POS system has been breached. They might thank you for it.

Edited June 16, 2015 by Chicog

[scorecard]

Here's another twist. Some years back I suddenly had numerous charges on my statement from both South Korea and Cairo on the same days.

Obviously impossible that I could have been in Seoul say at 09:00 am, Cairo at 10:00 am, then Seoul again at 11:30 am on the same day.

In all cases the charges were around US$500 and were actually at supermarkets.

I contacted VISA and they accepted there seemed to be something wrong. VISA also wanted sIgned copies of all my passports pages to prove I was in Thailand on all the dates concerned.

VISA insisted I approach the banks concerned and get various documents, VISA didn't help with this at al.

They eventually agreed that the charges were impossible and they removed the charges from my bill.

Then I got a call from a local in VISA Thailand who gave me a lecture about keeping my VISA card secure. The guy also mentioned that VISA and MASTERCARD have a policy - if this happens twice then the person names on the card is the prime suspect, the card will be cancelled and you are blacklisted for life.

[movsrus]

Here's another twist. Some years back I suddenly had numerous charges on my statement from both South Korea and Cairo on the same days.

Obviously impossible that I could have been in Seoul say at 09:00 am, Cairo at 10:00 am, then Seoul again at 11:30 am on the same day.

In all cases the charges were around US$500 and were actually at supermarkets.

I contacted VISA and they accepted there seemed to be something wrong. VISA also wanted sIgned copies of all my passports pages to prove I was in Thailand on all the dates concerned.

VISA insisted I approach the banks concerned and get various documents, VISA didn't help with this at al.

They eventually agreed that the charges were impossible and they removed the charges from my bill.

Then I got a call from a local in VISA Thailand who gave me a lecture about keeping my VISA card secure. The guy also mentioned that VISA and MASTERCARD have a policy - if this happens twice then the person names on the card is the prime suspect, the card will be cancelled and you are blacklisted for life.

Was your card issued by a US bank? I travel with US bank issued credit cards and also have been contacted by the bank with suspicious charges that I did not make. Each time I told the bank I did not make the charge, authorize it to be made and had the card in my possession at all times. The bank did not require any documentation from me other than a reply to an email in which I stated the charges were fraudulent. They did not ask for copies of my passport pages or anything else- just a statement that I didn't make the charges and did not authorize anyone else to do so.

In the US, federal law limits your liability to $50 for a fraudulent charge and almost all credit card companies waive any liability on your part if your card is hacked or used for an unauthorized purchase.

I use US based credit cards here in Thailand exclusively since if I ever get hacked and someone steals my credit card information to make purchases I am fairly certain that I won't be held accountable. Do credit cards issued by Thai banks have the same protection? if someone makes an unauthorized purchase on a card issue by a Thai bank are you still held responsible?

[Scouse123]

arunsakda

It could be data stream, it could be a corrupt member of staff or a secret card reader installed. Are you absolutely sure as well that you haven't used it anywhere at all outside? Not in a restaurant or a mall?

It's fairly obvious access to your private information has been gained. I had it years ago in Thailand. The only place I recalled letting it out of my sight was in Central when they used to disappear from whatever counter you were at and go and get the card authorised miles away at a fixed central point in the mall, a long way from the purchase area of whatever goods you had bought.

However, I banked in Singapore, those guys are quick off the mark! , and they contacted me quickly via e mail asking about transactions in the USA, when I had not made nor been there. There were a number of transactions which were stopped by my bank.

I would report the matter both to your bank and the hotel management as a safeguard. Get new cards and be safe.

Edited June 16, 2015 by Scouse123

[nithisa78]

Sir, Its a warning. Contact security, ASAP.

The chip doesn't help how your information has been pirated.

Thieves can often imitate Houdini and other greats.

[timendres]

Here's another twist. Some years back I suddenly had numerous charges on my statement from both South Korea and Cairo on the same days.

Obviously impossible that I could have been in Seoul say at 09:00 am, Cairo at 10:00 am, then Seoul again at 11:30 am on the same day.

In all cases the charges were around US$500 and were actually at supermarkets.

I contacted VISA and they accepted there seemed to be something wrong. VISA also wanted sIgned copies of all my passports pages to prove I was in Thailand on all the dates concerned.

VISA insisted I approach the banks concerned and get various documents, VISA didn't help with this at al.

They eventually agreed that the charges were impossible and they removed the charges from my bill.

Then I got a call from a local in VISA Thailand who gave me a lecture about keeping my VISA card secure. The guy also mentioned that VISA and MASTERCARD have a policy - if this happens twice then the person names on the card is the prime suspect, the card will be cancelled and you are blacklisted for life.

You need to talk to a new Bank! My Visa CC has been "stolen" twice in Thailand. In both cases, someone simply wrote down my CC # and Security number from the back of the card while they took it to charge my purchase. Within 8 hours in both cases, someone started racking up online charges. The occurrences were two years apart.

I am careful to monitor my account online for just this reason. In both cases, I contacted my bank (Capital One) within 48 hours of the theft - immediately upon my noticing the bogus charges. In both cases, they dealt with the problem over the phone. They canceled my existing card, issued a new card, and voided all charges. Not even a form needed to be filled out. Excellent service. Total respect.

Anyone telling you that Visa or MasterCard will blacklist you because of a second mishap like this is blowing smoke. Unless, of course, you are clearly trying to rip them off yourself. These banks lose almost $1Billion every year to this type of fraud, and they are not blaming their customers for it.

[duanebigsby]

Yes it's nasty business. Usually the banks pick up on it and shut it down right away. I had a card skimmed at a beer store once and the dumb kid started racking up porn charges. That was highly unlikely for my purchase history so they shut him down.

If he had gone to a computer store and racked up big ticket items, he would have gotten away with it as that's what I had been charging.

[guzzi850m2]

That's one reason I normally pay cash and withdraw typically 10.000 baht from a ATM (not just any ATM off-course) and then use them up and then withdraw again.

Maybe better just keep all you money under the pillow

[jamie2009]

I have had my Credit Card and Debit Cards done in Italy, Tenerife and Thailand. No idea how, because they are backed by Visa and I had not disclosed my PIN number all the monies were refunded. In Bangkok who ever had my Debit Card just stood at the same ATM until it stopped paying out, over £1500, on that visit I had never been near Bangkok, think it must have been cloned some where else. I did ask the bank but they don't give any details out. The monies were always withdrawn several months after so were possibly the details were sold on.

[Minnehaha]

This has been discussed on Thaivisa before... I think within the last few months.

Thai banks do not handle credit card fraud like US banks. Their agreements state the client is responsible for all charges and must prove otherwise. I know a couple people who have had their Thai bank issued credit cards (Visa in one case, Mastercard in another), ripped after they used them in the USA.

In the US, one is responsible for the first $50 in charges and must report in a timely fashion. But Thai banks the story is very very different.

As I said, this has been discussed. One needs to be very careful with Thai issued credit cards and debit cards.

[Guest]

I was a risk fraud analyst for a major card processor.

I think the evidence clearly points to the moment the card left your hands at the hotel.

You company has enormous clout within the hospitality industry and aircrews are the backbone of the revenue management curve.

You owe it to yourself to nip this in the bud via their power. Also, the hotel chain will most likely comp the stay, and upgrade you on future trips.

Any breach to your personal information, and financial in particular, should be treated the same way you would if the fire alarms went off in your plane. Pull out the checklist and work your way to the source of the problem.

Best of luck.

Edited June 16, 2015 by Guest

[hawker9000]

Here's another twist. Some years back I suddenly had numerous charges on my statement from both South Korea and Cairo on the same days.

Obviously impossible that I could have been in Seoul say at 09:00 am, Cairo at 10:00 am, then Seoul again at 11:30 am on the same day.

In all cases the charges were around US$500 and were actually at supetrmarkets.

I contacted VISA and they accepted there seemed to be something wrong. VISA also wanted sIgned copies of all my passports pages to prove I was in Thailand on all the dates concerned.

VISA insisted I approach the banks concerned and get various documents, VISA didn't help with this at al.

They eventually agreed that the charges were impossible and they removed the charges from my bill.

Then I got a call from a local in VISA Thailand who gave me a lecture about keeping my VISA card secure. The guy also mentioned that VISA and MASTERCARD have a policy - if this happens twice then the person names on the card is the prime suspect, the card will be cancelled and you are blacklisted for life.

You need to talk to a new Bank! My Visa CC has been "stolen" twice in Thailand. In both cases, someone simply wrote down my CC # and Security number from the back of the card while they took it to charge my purchase. Within 8 hours in both cases, someone started racking up online charges. The occurrences were two years apart.

I am careful to monitor my account online for just this reason. In both cases, I contacted my bank (Capital One) within 48 hours of the theft - immediately upon my noticing the bogus charges. In both cases, they dealt with the problem over the phone. They canceled my existing card, issued a new card, and voided all charges. Not even a form needed to be filled out. Excellent service. Total respect.

Anyone telling you that Visa or MasterCard will blacklist you because of a second mishap like this is blowing smoke. Unless, of course, you are clearly trying to rip them off yourself. These banks lose almost $1Billion every year to this type of fraud, and they are not blaming their customers for it.

Disagree, if we're talking about a thai bank issuer. They apply any "blacklisting" (or other) rules they please.

With some issuers at least, it is remarkably easy to "hijack" a credit card account, and have a card sent to the hijacker's address, without the actual account holder knowing anything about it until bogus charges start popping up. Things like SSN & DOB not even needed (again, with some issuers). But in this case, it does sound like a POS issue, and something you would HOPE wouldn't be a problem at any halfway reputable establishment.

I wouldn't take out a thai cc if it were handed to me on a silver platter. There might be some fraud protection there, but nothing like the US. 'Have had some fraudulent charges on a couple of cards (even assisted with a successful prosecution of one piece of scum - very satisfying...), and the hassle of having cards cancelled and reissued, but never even a hint of a question about removal of the charges.

[Chicog]

I have a savings account with a Thai Bank and the first thing I did was cancel the debit card, as I never use it and I don't want anyone to be able to say I did.

Made it a bit inconvenient to reset my eBanking password, but I'll settle for that for the peace of mind.

I have heard numerous tales of people being cleaned out and the bank saying "someone must have used your card".

[Scouse123]

The system I use now with my savings account and debit card in Thailand, it is linked to my phone and automatically registers within seconds of the transaction. A good way of keeping track on the balance as well as any fraudulent use.

I use credit and debit cards issued by Thai banks and do not worry about it any more than in my home country.

Edited June 16, 2015 by Scouse123

[hawker9000]

The system I use now with my savings account and debit card in Thailand, it is linked to my phone and automatically registers within seconds of the transaction. A good way of keeping track on the balance as well as any fraudulent use.

I use credit and debit cards issued by Thai banks and do not worry about it any more than in my home country.

I envy you your sense of security. Chime in again AFTER you've been skimmed or had your account raided, and your thai bank has made good your losses. Most others who've shared their experiences over the last few years, that I've read anyway, here don't seem to have been all that satisfied, but I'd like to hear some success stories if there are any. I DO think the separate savings account with no linked debit/atm card, and the SMS transaction notifications, are prudent. I'd also like to see banks offering the ability to turn debit/atm cards on & off online.

[gandalf12]

If you pay by card make sure it doesnt leave your sight. If it does the information used for cloneing can be copied in a matter of seconds.

when you have used your card check your statement online for several days after it and notify the issuing bank if you see something strange like the OP did.

[Scouse123]

Not sure if I have a great sense of security as much as I have the credit card to my phone and I check regularly ( habit ) online with it regards any transactions and my debit is linked with SMS to my mobile.

I had a small problem with my debit card two months ago actually, it was at an ATM at the petrol station that registered a withdrawal on my phone, and then the ATM machine went crazy and flashed up a Windows message. IT WAS 20,000 BAHT and I had to wait 10 days in total for the ATM to be checked and the cameras verifying the time and date and the refund to go back into my bank.

Edited June 16, 2015 by Scouse123

[kkerry]

It's all well and good to say don't let your card out of your sight but easier said than done sometimes.

You are dining out and pay by credit card. How many people are going to get up from their table in a large restaurant and follow their server and stand over them while they swipe your card?

Plenty of places where you pay at your table and not at a service desk when you leave.

You purchase something in a several big department stores and the Thai sales assistant scampers off, your card in their clutches, on to some unknown distant location, to return five minutes later with a wai, your receipt and your purchase. I bet very few people try and keep up and then stand over the assistant with eagle eyes to see just what it is they are doing with your card.

If my card was cloned where I think it was then I would have had to jump the reception desk of a large hotel to see if it was being scanned correctly and even if it wasn't I probably couldn't tell if the machine was dodgy or not.

Like others, I have never had a Thai credit card due to the poor reputation banks here have of reimbursing their customers compared to other countries. Easier to stick to my overseas cards as whenever something has gone wrong, my account was credited fairly quickly.

Edited June 16, 2015 by kkerry

[TallGuyJohninBKK]

I'd also like to see banks offering the ability to turn debit/atm cards on & off online.

Among the Thai banks, they all have their different, individual policies and procedures...

At BKK Bank, for example, you can use their automated phone system at will to either turn on or turn off the POS Point of Sale purchase functionality on their debit cards. Off means setting the daily POS limit to Zero.

But at Standard Chartered, by comparison, they won't allow you to adjust the present daily POS limit on their debit cards, which is quite high, or turn off the POS functionality. But at least for some accounts, they will allow you to have the account that normally comes with a debit card, and then simply cancel the card altogether.

If memory serves, at Bank of Ayudhya/Krungsri, I believe, they also have a preset POS limit on their debit cards and no ability for the card holders to adjust it or turn off the POS functionality.

Given the poor consumer protection aspects of Thai banking (compared to the U.S., for example), I'd want an account like BKKB's where I can turn off POS at will or even one like SC, where I can cancel the debit card at least.

Or, as others have noted, if you're going to have a POS enabled card where you can't adjust its limits or disable it, at least keep any large balances in a non-ATM card linked savings account.

PS - One of the nice things about using U.S. issued bank cards is the U.S. consumer protection laws apply to your cards and any purchases or fraud involving them -- regardless of whether the transaction occurs in the U.S. or outside the U.S. Just don't get ones that have substantial foreign currency transaction fees.

Edited June 16, 2015 by TallGuyJohninBKK

[maxcorrigan]

Not sure if I have a great sense of security as much as I have the credit card to my phone and I check regularly ( habit ) online with it regards any transactions and my debit is linked with SMS to my mobile.

I had a small problem with my debit card two months ago actually, it was at an ATM at the petrol station that registered a withdrawal on my phone, and then the ATM machine went crazy and flashed up a Windows message. IT WAS 20,000 BAHT and I had to wait 10 days in total for the ATM to be checked and the cameras verifying the time and date and the refund to go back into my bank.

Scouse if i might ask how do you go about getting your card linked to your mobile,can it be done on line? i have recently acquired a debit card from KTB Sattahip, have'nt used it yet, but was assured i could use it safely worldwide as it is Visa linked,the reason i got this card was my Halifax Visa debit and Mastercard credit card both expire this month, and they will not send a replacement cards to Thailand as they have an embargo on sending cards to Thailand i don't know if this applies to all UK banks or what the reasons were they would not tell, saying that, i have been getting regular correspondents from this bank with no problems.

Sorry if i have hi jacked this thread a bit, but having read how dodgy Thailand bank cards can be,(which is what i thought by the way)an instant text on a phone might be the way to go, would be better if they also provided a verification pin number.

Maxc......

[maxcorrigan]

Not sure if I have a great sense of security as much as I have the credit card to my phone and I check regularly ( habit ) online with it regards any transactions and my debit is linked with SMS to my mobile.

I had a small problem with my debit card two months ago actually, it was at an ATM at the petrol station that registered a withdrawal on my phone, and then the ATM machine went crazy and flashed up a Windows message. IT WAS 20,000 BAHT and I had to wait 10 days in total for the ATM to be checked and the cameras verifying the time and date and the refund to go back into my bank.

[Scouse123]

Scouse if i might ask how do you go about getting your card linked to your mobile,can it be done on line? i have recently acquired a debit card from KTB Sattahip, have'nt used it yet, but was assured i could use it safely worldwide as it is Visa linked,the reason i got this card was my Halifax Visa debit and Mastercard credit card both expire this month, and they will not send a replacement cards to Thailand as they have an embargo on sending cards to Thailand i don't know if this applies to all UK banks or what the reasons were they would not tell, saying that, i have been getting regular correspondents from this bank with no problems.

Sorry if i have hi jacked this thread a bit, but having read how dodgy Thailand bank cards can be,(which is what i thought by the way)an instant text on a phone might be the way to go, would be better if they also provided a verification pin number.

Maxc......

Hi,

Both my credit and debit cards are with KTB. Just walk in the branch to customer services and tell them you want it linked to your phone by SMS for debit card transactions. They will enter your phone into the system and it's done. KTB are doing it free for first three months and then 5 baht ( 10p ) a month thereafter. If you are regular or long term in Thailand, it might be worth getting your own permanent number and registering it at a local Telewiz shop. I took a monthly call package and it's a lot cheaper than pay as you go,( 300 baht a month,my phone, their package ). I have an AIS network SIM card and it is mine forever and logged with Telewiz, so even if I lose the phone, I can get my number back.

I use both these KTB cards in the UK without a problem. I also had the same problem of getting cards sent here from the UK. Thailand has too many " issues " as far as UK banks are concerned and I think they have an historical problem with reliability of the old postal system.

The debit card SMS won't register to your phone if you use it in the UK obviously, because you will be using a different SIM.

I find it great because as soon as I have made an ATM withdrawal or used it in Big C etc, it pings and it's there in a message on my phone with my current balance.

I do get verification codes but that is only when I use my credit card online or my debit card online for flights etc.That is also linked to the " verified by visa " and I get an OTP code which is another layer of card protection.

Edited June 16, 2015 by Scouse123

[NanLaew]

... The monies were always withdrawn several months after so were possibly the details were sold on.

This is why it is good to regularly check online any accounts that are linked to any plastic, credit or debit, that is used for ATM or POS transactions. Skimmed data may not necessarily be used instantly although typically it is within a short time frame. If your bank has a system of sms, email notice of transactions, you should enroll in these.

[kkerry]

I like this feature from CBA in Australia.

Lock, Block and Limit

[bendejo]

One day Amex contacted me and asked if I had just charged US$1,000 at J Crew. I suspected it was a friend pulling a joke, so I threatened her with a slander suit for simply suggesting I shopped there. Well, it turned out someone was making big charges on my card at other retail places, and they took care of it from there. A few months later I read an article about how scammers will use the compromised cards to buy up retail stuff then sell it, like on eBay.

NanLaew gives good advice above, personal notification of cc use is getting to be a common thing.

[NeverSure]

I use only US issued credit cards issued by US firms due to consumer protection laws. The most I can lose on fraud is $50 and most banks waive that.

Two major kinds of fraud are fraudulent applications and account hijacking. Since I'm covered on either a quick phone call from me or their suspicions will shut the card right down. If it's their suspicion I can get it activated immediately with a phone call telling them why I'm buying things 10,000 miles from home. If I remember I call in advance. They ask me for my "secret" answers and I'm golden.

I've never had more than 100,000 baht in a Thai bank nor have I had a Thai CC. I have a Thai ATM card but not enough balance to worry about.