Credit card fraud, how does this happen?

[GOLDBUGGY]

It is definitely an inside job!

I had this happen to me 2 times in 6 months so I know how you feel. The first time I used my Card at a few places, including a decent hotel in Pattaya, and the second time was only at this hotel. So I knew the second time who was doing this. I, like you, never though a decent hotel would try something like this.

I had a long chat with the security at this Credit Card Company and what they told me was this. They use the information from you card (name, number, expire date) which they have access to after you pay with your card. When they check the signature on the back of your card they may in fact be memorizing your I.D. Number, and when not looking write it down, along with the expiration date.

Next they sell this information to a syndicate for a small fee. In turn they make a duplicate card with your information on it. How they get around the chip I am not sure. Some machines can copy it while I guess for some items bought they don't need it. They may even have a method of installing their own chip.

I will never use my Credit Card to pay for a hotel ever again. I will flash my Gold Card, to show them I have it, but that is all they will see. Most times this is good enough but I don't mind paying in advance and even giving a small deposit to secure my Credit Card and Bar Fridge to prevent all the hassle of getting a new one. In one Five Star Hotel in Bangkok I was forced to use it or not get a room. So I was sure to get the name of the guy taking my card and writing it down in front of him, telling him all the while that this is the only place I used it. So if there is a problem later they will know exactly who caused it. That seemed to work.

I will only use my Credit Card now in only 3 places. First the bank, which I have used several times to pull money from many different banks, and never had a problem. Second is with Airline Companies, booking a flight on the Internet. Third is an ATM Machine, but only in an emergency. I have a separate International Bank Card for that so I only used my Visa Card for this 1 time in 5 years.

.

[GOLDBUGGY]

Here's another twist. Some years back I suddenly had numerous charges on my statement from both South Korea and Cairo on the same days.

Obviously impossible that I could have been in Seoul say at 09:00 am, Cairo at 10:00 am, then Seoul again at 11:30 am on the same day.

In all cases the charges were around US$500 and were actually at supermarkets.

I contacted VISA and they accepted there seemed to be something wrong. VISA also wanted sIgned copies of all my passports pages to prove I was in Thailand on all the dates concerned.

VISA insisted I approach the banks concerned and get various documents, VISA didn't help with this at al.

They eventually agreed that the charges were impossible and they removed the charges from my bill.

Then I got a call from a local in VISA Thailand who gave me a lecture about keeping my VISA card secure. The guy also mentioned that VISA and MASTERCARD have a policy - if this happens twice then the person names on the card is the prime suspect, the card will be cancelled and you are blacklisted for life.

I guess the second time this happened to me in 6 months my name must have come up under suspicion, even though I called them first to let them know something was wrong. One of the beauties of having On-line Banking and seeing charges right away. But I had a bit of luck on my side.

When the Visa Fraud Squad called me back to talk about this, and verified it was me as the Card Owner, at the exact same moment someone in South America was using it. That actually surprised the hell out of her, as it did me. So since I wasn't anywhere near this country they knew right away it wasn't me causing this. So I didn't have to sign any official documents and got my new card right away.

[umbanda]

The problems is.....

Hundred of millions of people have its credit cards and money accounts in the hands of crooks without any suspiction about....How?

Those guys are not just crooks and criminals...also they are computers experts and hard workers....living 12 hours hooked to their computers every day to manage thousand of other people's accounts.....taking just few $ every month from each one....automatically.

Those "experts" target people with large movement of money every month, because probably those people do not check every small "fee" debit.

Multiply $5.00 "fee" for just 4000 people a month to get a nice "salary" mounting $20.000 every month...after one day...when they see a nice deposit on the account.......they take ALL. And I said 4000 people...but probably are 40000 or a lot more thanks to technology.

Those "professionals" are the new "global computer and internet millionaires" ....and it is a growing profession.

I was a victim long ago...and everytime I talk about with others...and they check their accounts.....they found out that are joining the list of "sponsors".

If you are a "sponsor"....believe that those people knows more about your finances than you do.

Did you checked your money statements lately?

[GOLDBUGGY]

It's all well and good to say don't let your card out of your sight but easier said than done sometimes.

You are dining out and pay by credit card. How many people are going to get up from their table in a large restaurant and follow their server and stand over them while they swipe your card?

Plenty of places where you pay at your table and not at a service desk when you leave.

You purchase something in a several big department stores and the Thai sales assistant scampers off, your card in their clutches, on to some unknown distant location, to return five minutes later with a wai, your receipt and your purchase. I bet very few people try and keep up and then stand over the assistant with eagle eyes to see just what it is they are doing with your card.

If my card was cloned where I think it was then I would have had to jump the reception desk of a large hotel to see if it was being scanned correctly and even if it wasn't I probably couldn't tell if the machine was dodgy or not.

Like others, I have never had a Thai credit card due to the poor reputation banks here have of reimbursing their customers compared to other countries. Easier to stick to my overseas cards as whenever something has gone wrong, my account was credited fairly quickly.

I think you missed the important message people were trying to say.

Which is if you can't do this then don't use your Credit Card. They take Cash don't they?

But to be honest I don't see this helping anyway. When you sign for the bill they have all this information on the receipt. How else can they collect from the Credit Card Company?

Much better if you only use your Credit Card only when really needed in trusted establishments, like a Bank.

[ksamuiguy]

I get an instant sms or e mail from my Thai Bank, and my U.S. Banks as soon as my cards are used any where in the world.

Also never let your card out of your site, the only time I had a problem was 15 years ago in Malaysia, the clerk ducked under the counter to swipe my CC. within 4 hours charges began appearing on that card.

[Guest]

If you pay by card make sure it doesnt leave your sight. If it does the information used for cloneing can be copied in a matter of seconds.

when you have used your card check your statement online for several days after it and notify the issuing bank if you see something strange like the OP did.

What planet do you live on where your card "never leaves your site?"

[F4UCorsair]

Australian banks regard all South East Asian countries as high risk.

It's best to advise your bank where you'll be travelling and when. I can do it electronically with my bank.

Frequently, if your card is compromised, the new/ unauthorizedcharges will appear as if billed from another country.

Recently I used a card in Bangkok at a tailor shop, and at no other place. Within 24 hours three charges appeared, a 'proving' transaction of a few $$ in Brazil, 50 quid in London, and 800+ krona in Sweden.

Because the bank knew my whereabouts, and misuse normally follows the escalating value transaction pattern, I was advised and further transactions blocked.

I suffered no loss which is as it should be, but it took a few weeks for the dispute to be resolved and funds ctedited.

I also regularly track my card transactions online, but on this occasion the bank got there before me.

So, let your bank/card provider where you'll be.

Edited June 17, 2015 by F4UCorsair

[IMHO]

I don't trust anything to do with card transactions, in person or online, yet I really have no choice but to use them in this day and age.

My solution is fairly simple:

I have two accounts with Kasikorn - one which holds my money and doesn't even have so much as an ATM card, the other which holds no money, and has a linked debit card (kshopping virtual card) and an ATM card. Whenever I need to buy something, it takes me 30 seconds to login to internet banking and transfer the required funds between accounts (which is also free). I then spend it down. Same goes for when I want to pull money out of an ATM. Unless the criminals are very fast, and are watching to know exactly when I make these account transfers, it's hard to beat this system.

The only weakness in this system is the online banking system itself, but many of the risks with that are mitigated because every transfer requires an SMS'd OTP.

So far, so good, as they say.... famous last words?

[vaultdweller0013]

It is definitely an inside job!

I had this happen to me 2 times in 6 months so I know how you feel. The first time I used my Card at a few places, including a decent hotel in Pattaya, and the second time was only at this hotel. So I knew the second time who was doing this. I, like you, never though a decent hotel would try something like this.

I had a long chat with the security at this Credit Card Company and what they told me was this. They use the information from you card (name, number, expire date) which they have access to after you pay with your card. When they check the signature on the back of your card they may in fact be memorizing your I.D. Number, and when not looking write it down, along with the expiration date.

Next they sell this information to a syndicate for a small fee. In turn they make a duplicate card with your information on it. How they get around the chip I am not sure. Some machines can copy it while I guess for some items bought they don't need it. They may even have a method of installing their own chip.

I will never use my Credit Card to pay for a hotel ever again. I will flash my Gold Card, to show them I have it, but that is all they will see. Most times this is good enough but I don't mind paying in advance and even giving a small deposit to secure my Credit Card and Bar Fridge to prevent all the hassle of getting a new one. In one Five Star Hotel in Bangkok I was forced to use it or not get a room. So I was sure to get the name of the guy taking my card and writing it down in front of him, telling him all the while that this is the only place I used it. So if there is a problem later they will know exactly who caused it. That seemed to work.

I will only use my Credit Card now in only 3 places. First the bank, which I have used several times to pull money from many different banks, and never had a problem. Second is with Airline Companies, booking a flight on the Internet. Third is an ATM Machine, but only in an emergency. I have a separate International Bank Card for that so I only used my Visa Card for this 1 time in 5 years.

.

The chips cannot be cloned, or at least we're talking NSA level of complexity to break. The issue is that chips are not universally required or even accepted around the world, so all they really need is the mag stripe. They then just perform the transactions in locations that don't support chip cards or accept both chip and mag stripes. In the latter case, the cloned card will either just not have a chip or it will have a chip that has been broken (e.g. with a good hammer smash) so the retailer has to fall back to the mag stripe.

The big change in the US is that starting later this year (or maybe next year; I don't remember exactly), fraud liability will transfer from the issuing bank to the merchant if a card present transaction is done without using the chip. Alternatively, if a bank does not issue cards with chips, they continue to have liability. Ultimately, and it may take 10-20 years, all cards should be chip only, but rest assured, criminals will still find ways to commit fraud, there may just be a little less of it.

[hawker9000]

... The monies were always withdrawn several months after so were possibly the details were sold on.

This is why it is good to regularly check online any accounts that are linked to any plastic, credit or debit, that is used for ATM or POS transactions. Skimmed data may not necessarily be used instantly although typically it is within a short time frame. If your bank has a system of sms, email notice of transactions, you should enroll in these.

Just a note: these transaction alerts via SMS can have a monthly fee associated with them (ex - KBank).

[MKAsok]

As I said, this has been discussed. One needs to be very careful with Thai issued credit cards and debit cards.

Here's my own experience with Kasikorn:

1. Receive an SMS that a transaction has been approved for around $1,000 USD on my Kasikorn credit card at an online retailer. No idea what this is and the card has never left my sight.

2. Call Kasikorn who stop the card, ask me to download and fill out a simple form confirming it wasn't me and that I didn't authorise any such transaction.

3. Email form to Kasikorn.

4. 3 days later receive new card and charge is removed.

I can't speak for any other Thai bank in relation to credit cards, but Kasikorn were excellent. Amex Thailand are also good and usually call me before they allow any major charges to be applied to the account.

[Si Thea01]

There are many ways that fraudsters can get your information, the most common are the POS modification devices. Now these are terminals which register the sale and give you a printout, as per normal. however, they have been altered so that they can capture the data on your card and allow it to be stored, or transmitted, via a Bluetooth device, to criminals any where in the world.

They are often installed when the fraudsters distract the attendant and replace the terminal, which, is identical to the one previously installed, it still allows the sales to be processed but provides your data to others. It can also be installed with the assistance of the attendant, who is paid a percentage of the amount syphoned off an account. The third is where the attendant can obtain the necessary equipment and modify the POS themselves and neither you or the business owner are any the wiser.

You would be surprised the number of frauds that were carried out in Australia using only these three tactics. Millions were syphoned off, when McDonalds, Australia, were hit a few years back, and it wasn't only confined to their stores. So you have to very careful now, as credit card fraud is one of the fastest growing types of criminal activity on the planet.

[Chicog]

$14 Billion gets stolen from card payment services every year (possibly more, that's an old number).

As a percentage of what goes through, it's tiny.

[mmh8]

incredibly interesting the study of credit card fraud, as posters state from swiping your credit card through their own machine to scanning your card while its in your pocket or similar. The lack of chip and pin in parts of the world can exacerbate.

my credit card company call me when any large payments are made or anything out of the ordinairy, even with travelling a purchase from a shopping mall has triggered a call from my bank and they have frozen the card before when in another country and not telling them in advance.

as a pilot I guess you potentially use it all over the world so charges in Philipines one day and Brazil the next may n ot be out of the ordinariy.

suggest you get a prepaid card so only a certain amount can get stolen.

you want to read more into the technoilgoies invovled you can read the history such as darkmarkets etc. where the whole business is outlined,

just because you saw the swipe does not mean a magnetic reader can not be on the swiper reading your infromation as well, but none the less the most advanced swipers don't need physical contact , jsut proximity to read magnetic information

Edited June 17, 2015 by mmh8

[off road pat]

Here's another twist. Some years back I suddenly had numerous charges on my statement from both South Korea and Cairo on the same days.

Obviously impossible that I could have been in Seoul say at 09:00 am, Cairo at 10:00 am, then Seoul again at 11:30 am on the same day.

In all cases the charges were around US$500 and were actually at supermarkets.

I contacted VISA and they accepted there seemed to be something wrong. VISA also wanted sIgned copies of all my passports pages to prove I was in Thailand on all the dates concerned.

VISA insisted I approach the banks concerned and get various documents, VISA didn't help with this at al.

They eventually agreed that the charges were impossible and they removed the charges from my bill.

Then I got a call from a local in VISA Thailand who gave me a lecture about keeping my VISA card secure. The guy also mentioned that VISA and MASTERCARD have a policy - if this happens twice then the person names on the card is the prime suspect, the card will be cancelled and you are blacklisted for life.

Got my VISA card cloned long time ago in Sayuri Massage Parlor Chiang Mai......This was stupid of my to pay by VISA as I had enough money in my pocket...!

It took a very long time to do, they said the Telephone connection was bad....!!!

When I got back home 4 months later I checked my bank account and the equivalent of a 150 000 ThB was spend in Japan.....I had never been to Japan.....

I phoned VISA bank card company and they told me to send all the Bills I had paid and (copy's of the pages of my passport. I think) this was on a Monday.

At Friday I got all the money back on my bank account.....great service THX VISA.

I never use my visa card for simple small bills anymore. only hotel and airline costs....and only reputable companies. there is no guaranty dough...

Best regards. Off Road Pat.

Edited June 17, 2015 by off road pat

[scorecard]

Here's another twist. Some years back I suddenly had numerous charges on my statement from both South Korea and Cairo on the same days.

Obviously impossible that I could have been in Seoul say at 09:00 am, Cairo at 10:00 am, then Seoul again at 11:30 am on the same day.

In all cases the charges were around US$500 and were actually at supermarkets.

I contacted VISA and they accepted there seemed to be something wrong. VISA also wanted sIgned copies of all my passports pages to prove I was in Thailand on all the dates concerned.

VISA insisted I approach the banks concerned and get various documents, VISA didn't help with this at al.

They eventually agreed that the charges were impossible and they removed the charges from my bill.

Then I got a call from a local in VISA Thailand who gave me a lecture about keeping my VISA card secure. The guy also mentioned that VISA and MASTERCARD have a policy - if this happens twice then the person names on the card is the prime suspect, the card will be cancelled and you are blacklisted for life.

Was your card issued by a US bank? I travel with US bank issued credit cards and also have been contacted by the bank with suspicious charges that I did not make. Each time I told the bank I did not make the charge, authorize it to be made and had the card in my possession at all times. The bank did not require any documentation from me other than a reply to an email in which I stated the charges were fraudulent. They did not ask for copies of my passport pages or anything else- just a statement that I didn't make the charges and did not authorize anyone else to do so.

In the US, federal law limits your liability to $50 for a fraudulent charge and almost all credit card companies waive any liability on your part if your card is hacked or used for an unauthorized purchase.

I use US based credit cards here in Thailand exclusively since if I ever get hacked and someone steals my credit card information to make purchases I am fairly certain that I won't be held accountable. Do credit cards issued by Thai banks have the same protection? if someone makes an unauthorized purchase on a card issue by a Thai bank are you still held responsible?

This was a card issued here in Thailand by a Thai bank, it was about 6 or 7 years ago.

Whether protection of the card holder has changed I don't know.

[Chicog]

There are a number of steps involved in POS intrusions. POS systems aren’t public-facing and are segmented on a corporate network. Attackers can brute-force a remote login system and search for vulnerabilities in external facing systems. pcAnywhere, Remote Desktop, and other remote administration utilities are often used for entry

.

Next, hackers identify the CDE (cardholder data environment) to gain access to the POS system, where they are asked for credentials. Attackers can use spear phishing, keystroke logging, and other means to access credentials, but many POS systems use credentials set by default, which is a major security flaw of these machines.

Then, the POS system is breached and malware tailored to the targeted environment is installed and tested rigorously to avoid removal and detection. The malware scraps cardholder data from RAM memory and routes it to a compromised server within the network to aggregate in the log files.

Finally, the data is exfiltrated as the log file is encrypted and sent to a third-party server compromised by the hacker. The transmissions mimic legitimate communication to avoid detection and removal.

http://www.information-age.com/technology/security/123459633/how-retailers-can-combat-deadly-point-sale-malware-threats

Edited June 17, 2015 by Chicog

[augustwest]

Rat out the hotel to your company. Tell all your pilot friends to be careful and have them mention your problem when registering.

Order a new card ASAP and don't take no for an answer

Don't trust Thailand credit cards! Get cash from ATM

[scottiejohn]

The answer may be in the fact you said you do not normally use the card and this is the first use in a long time! In visa the card goes 'dormant' after 3 months (it is still alive and usable but marked 'dormant' - this has major implications to how the card is managed internally by Visa) By re-using your card it may have triggered the scammers into knowing your card was back in use. The scam could well have been done around the time you previously used the card.

Contrary to popular belief the ('professional')scammers do not necessarily us the card immediately!

The above applies to UK Visa and may not apply in the US.

[arunsakda]

Update. Corporate security not interested. Form email received to contact card issuer and credit bureaus.

All that has been done already. We have our own forum where we share info on layovers and there is a thread on hack locations. Seems like much of this crime IS coming out of Brazil.