Credit card compromised--Amazon ???

pmanton (Final Approach, PoA Supporter)
Joined: Jun 7, 2008
Messages: 5,228
Location: Indian Hills Airpark Salome, AZ
Display name: N1431A
In recent months I have had 2 instances of my credit card being compromised. In each case the "test purchases" were immediately discovered, the charges reversed and a new card issued.

The first time this happened I had made an online purchase from Amazon.com a few days before the bogus charges showed up on my card. I was suspicious but was assured that Amazon's security was impregnable.

Just a couple of days ago I made another purchase from Amazon. Guess what? More bogus charges! This time the card hadn't been used for anything recently except the online Amazon purchases.

Of course Amazon vehemently denies any possibility of their having any responsibility.

I use online buying on a regular basis and have only had a problem these two times---both right after transactions with Amazon.

I'd be interested in hearing if anyone else has had a problem with a credit card compromise after an Amazon transaction.

Cheers:

Paul
N1431A
2AZ1
www.indianhillsairpark.com
 
I have had some credit card issues. The purchases did not use the Card Verification Number.
After the last round, we now have four credit cards. Two that my wife and I carry around, and two that we each use for online purchases. We want to be able to figure out where these are coming from.

Another possibility is spyware on your machine passing the data to a third party, and Amazon's not actually involved at all.
 
This is one of the reasons I like the one-time-use card numbers provided by the AOPA BofA card (and others).
 
Haven't had a problem with on-line purchases. 15 years ago I had bogus charges show up on a card I wasn't even using, but that's another story.
 
> Another possibility is spyware on your machine passing the data to a third party, and Amazon's not actually involved at all.

I would consider that possibility - not every scan / antivirus / firewall tool catches every malware...

I would think that iffen Amazon had been hacked, it would be big news.
 
It's not Amazon's fault. It's really that simple.

It's either a coincidence, you have spyware on your computer, or you didn't notice that Amazon said they would make those small charges.

-Felix
 
No problem with Amazon.
Paypal also does the one-time use numbers, and it has a plug-in for your browser. It's pretty easy to use.
 
=======================================
Wow!
Since you mention it:

I've had two cards hacked in the past two months, but found a triple trojan active on my computer.

But, since you mention it, I also made online purchases from Amazon during the same period, but also had to change the credit card I used to pay Earthlink (since the first had already been compromised). The second card was compromised 2 days after using it to pay Earthlink -- and it was used in Duluth, Georgia (three $200+ fraudulent charges) -- so I figured that Earthlink is/was responsible (and I'm still not convinced their cronies are blameless).
I'm still on pins about this whole thing and would also appreciate corroborating information.
 
> But, since you mention it, I also made online purchases from Amazon during the same period, but also had to change the credit card I used to pay Earthlink (since the first had already been compromised). The second card was compromised 2 days after using it to pay Earthlink -- and it was used in Duluth, Georgia (three $200+ fraudulent charges) -- so I figured that Earthlink is/was responsible (and I'm still not convinced their cronies are blameless).
> I'm still on pins about this whole thing and would also appreciate corroborating information.
I have never had problems with Earthlink either and I have had credit card billing with them for, I'm guessing, at least 10 years.
 
Ever since I gave amazon.com my credit card number all those many years ago I have seen thousands of dollars in charges appear on it. Very troubling. And the UPS guy has brought a disturbing number of those little brown boxes to my door, all filled with books, and video games, and bits of technological gadgetry of dubious necessity.

I have met the enemy, and he is me. As the old joke goes "My wife's credit card was stolen, but we didn't report it, because the thief was spending less than she did!" (bah-doom!)
-harry
 
This happened to me today. I got an email from amazon.de telling me that someone had opened an account using my name and Visa no., but that the addresses given did not match any of those in my "other" account (my real one), and that this had been discovered during a "routine" check of accounts. I phoned my VISA provider to be told that, yes, $350 had been charged to my VISA via Amazon.de three hours previously. It was marked as fraud, credited back to my account, and my card was cancelled. I happen to be away on holiday - good thing I brought my laptop and checked my emails! Strange that the fraud involved Amazon use, and that Amazon picked it up so quickly - makes me think that they must be aware that their data has been compromised.
 
BoA offers one-time-use "virtual" credit card numbers for online purchases. You can even have a virtual card active for a set time period and then it dies. I'm sure there are other banks offering the same service.

I had a card company's fraud division call me about a charge on the opposite coast. The card had not been used for months and was in the home safe. So how did they get that number? The card company immediately canceled the charge and card and issued replacements.

Amazon was not involved.
 
It is highly unlikely to be Amazon. They have to meet very high encryption and processing standards. I have been compromised a few times. I am pretty sure most if not all were retail purchases. In fact the last one was confirmed. Hundreds were compromised at a particular local restaurant (someone had tapped the phone line used by the Visa machine). Another popular scam is for a waiter or waitress to have a device which they scan the card through when they take it from you to process the bill. Internet processing is much safer than when people are involved.
 
> It is highly unlikely to be Amazon. They have to meet very high encryption and processing standards. I have been compromised a few times. I am pretty sure most if not all were retail purchases. In fact the last one was confirmed. Hundreds were compromised at a particular local restaurant (someone had tapped the phone line used by the Visa machine). Another popular scam is for a waiter or waitress to have a device which they scan the card through when they take it from you to process the bill. Internet processing is much safer than when people are involved.

Yes, the PCI DSS mandates are quite strict, and really make the weakest link in the chain a person handling your number, be it a waiter/waitress or a telephone operator. The computer systems used by merchants, especially major merchants like Amazon, are audited to ensure compliance.
 
Having worked with "Visa machines", the data on the phone line is encrypted and has been for decades.

No one bothers to "tap" the phone line unless they're doing it for a challenge at the DEFCON convention in Las Vegas.

Tapping a serial cable between a Point of Sale system and the card processing device was once common, as was putting a keylogger on the PC-based keyboards if the connections were accessible on the back of a cheap Point of Sale system instead of kept inside the case of the unit.

As far as restaurants go, the servers don't bother carrying around special swipe devices to get the card numbers. That's (relatively) expensive and difficult for petty theft, and requires knowledge of how they're encoded.

They just whip out their cell phone and take a photo of both sides of your card. Much easier.

They then have the number and the little hash number on the back that the card companies ask to "verify" the transaction is a "card present" transaction versus a "card not present" one.

If it's an AMEX they only need to shoot the front. The four digits are top-right on the face of the card.

Even a thief with a good vantage point over an outdoor ATM with a mediocre telephoto lens on a pocket digital camera can "shoulder surf" for hours getting card numbers.

Europe's cards with storage memory really need to be mandated here by the card companies. It's way too easy to get the info needed to say you have someone's card in hand.
 
I was told at the time they tapped the phone line. I just looked it up and it was a computer hack. Why they were storing credit card data on a computer, I don't know. http://www.news10.net/news/story.aspx?storyid=95735&catid=2

John
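As an added example (not code from anyone in this thread), here is the control PCI DSS expects wherever card data ends up on a computer at all: a Python scrubber that masks any Luhn-valid 13 to 19 digit run in a log line down to its last four digits, plus an audit helper for finding card numbers in a stored file. The log lines are constructed; the card numbers in them are the public test numbers, not real cards.

```python
import re

# 13 to 19 digits, optionally separated by single spaces or hyphens, and not
# embedded in a longer digit run (so a 20-digit serial number is left alone).
_DIGIT_RUN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Standard Luhn checksum; filters out order numbers and timestamps that
    merely happen to be the right length."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pans(text: str) -> str:
    """Replace each Luhn-valid card number with asterisks plus its last four
    digits, the masked form PCI DSS allows to be displayed or kept in logs."""
    def repl(match):
        raw = match.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if not luhn_ok(digits):
            return raw                       # not a card number; leave it
        return "*" * (len(digits) - 4) + digits[-4:]
    return _DIGIT_RUN.sub(repl, text)


def find_pans(text: str) -> list:
    """Audit helper: last four digits of every card number found, for checking
    a stored file that should not contain any."""
    found = []
    for match in _DIGIT_RUN.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if luhn_ok(digits):
            found.append(digits[-4:])
    return found


# Constructed log lines; the card numbers are public test numbers.
LOG_LINES = [
    "2012-02-01 09:14:02 POS-3 sale ok pan=4111 1111 1111 1111 amount=43.10",
    "2012-02-01 09:15:44 POS-3 sale ok pan=5555555555554444 amount=12.00",
    "2012-02-01 09:16:10 POS-3 order=1234567890123 status=shipped",
]


def scrubbed_log():
    """Return LOG_LINES with card numbers masked; the order line is unchanged."""
    return [mask_pans(line) for line in LOG_LINES]
```

The Luhn filter is what keeps timestamps and order numbers intact, but about one random digit run in ten of the right length passes Luhn by chance, so treat `find_pans` hits as leads to check rather than proof.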
 
> This happened to me today. I got an email from amazon.de telling me that someone had opened an account using my name and Visa no., but that the addresses given did not match any of those in my "other" account (my real one), and that this had been discovered during a "routine" check of accounts. I phoned my VISA provider to be told that, yes, $350 had been charged to my VISA via Amazon.de three hours previously. It was marked as fraud, credited back to my account, and my card was cancelled. I happen to be away on holiday - good thing I brought my laptop and checked my emails! Strange that the fraud involved Amazon use, and that Amazon picked it up so quickly - makes me think that they must be aware that their data has been compromised.

Why do you think that because someone opened an account on Amazon with your credit card info, that Amazon's data had been compromised? Your CC data could have come from anywhere---copied down when being swiped at a restaurant, re-used by an illegitimate online retailer, skimmed at a compromised ATM, etc.

Once someone has your CC data, they have to actually use it somewhere. Since they don't have the physical card, that means online. If they want to buy something from Amazon, they'd have to open an account there. This is apparently what happened to you.

Amazon routinely monitors their account data, and when they see duplicate CC#s used in different accounts, they dig a little. In your case, they found something fishy, and they alerted you. What you should take from that is not that Amazon's data had been compromised, but that your data had been compromised somewhere else, and Amazon caught it when the thief tried to use the compromised data at Amazon.

Most banks that issue CCs now also have "fraud detection" units that monitor for "unusual" CC use. For instance, I recently tried to buy $1000 of tires at a city 300 miles from home. When the store tried to run my card, it was declined, and 15 seconds later I got an automated phone call from Chase asking me if I tried to make the purchase. I had to press a button to authorize it, and then the store re-swiped the card and it went through.

Amazon's routine monitoring is a similar fraud-detection mechanism.
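An added example, in Python, of the two kinds of monitoring this reply describes; it is not Amazon's or any issuer's code. The merchant side stores only an HMAC token of the card number and flags accounts that share a token but no shipping address; the issuer side applies an impossible-travel rule and a large-charge-far-from-home rule like the Chase call above. The accounts, coordinates, thresholds and the HMAC key are all constructed.

```python
import hmac
import hashlib
import math
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed demo key. A real deployment keeps this in an HSM or secrets store;
# the point is that the monitoring tables hold only a keyed hash, never the PAN.
TOKEN_KEY = b"constructed-demo-key-not-a-real-secret"


def card_token(pan: str) -> str:
    """One-way token for a card number: equal PANs give equal tokens, and the
    token cannot be turned back into the PAN without TOKEN_KEY."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    return hmac.new(TOKEN_KEY, digits.encode(), hashlib.sha256).hexdigest()[:16]


# Constructed accounts: (account id, card number, shipping addresses).
# The card numbers are the well-known public test numbers, not real cards.
ACCOUNTS = [
    ("acct-1001", "4111 1111 1111 1111", {"12 Hangar Rd, Salome AZ"}),
    ("acct-1002", "4111 1111 1111 1111", {"99 Unknown St, Duluth GA"}),
    ("acct-1003", "5555 5555 5555 4444", {"7 Elm St, Denver CO"}),
    ("acct-1004", "5555 5555 5555 4444", {"7 Elm St, Denver CO", "1 Work Plaza, Denver CO"}),
]


def shared_card_alerts(accounts):
    """Merchant-side check: flag accounts whose card also appears in another
    account that shares none of its shipping addresses. acct-1003/1004 share
    an address (one household, two logins) and are left alone."""
    by_token = defaultdict(list)
    for acct_id, pan, addrs in accounts:
        by_token[card_token(pan)].append((acct_id, addrs))
    alerts = []
    for members in by_token.values():
        if len(members) < 2:
            continue
        for acct_id, addrs in members:
            others = [a for a_id, a in members if a_id != acct_id]
            if all(addrs.isdisjoint(o) for o in others):
                alerts.append(acct_id)
    return sorted(alerts)


def haversine_miles(a, b):
    """Great-circle distance between two (lat, lon) points in miles."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 3958.8 * math.asin(math.sqrt(h))


def screen_charge(history, charge, max_mph=600.0, big_amount=500.0, far_miles=200.0):
    """Issuer-side rule: "decline" when the card would have had to travel faster
    than max_mph since its last use, "challenge" (phone the cardholder, as in
    the tire purchase above) when a large charge is far from the last one,
    otherwise "approve". Thresholds are constructed for the demo."""
    if not history:
        return "approve"
    last = history[-1]
    miles = haversine_miles(last["loc"], charge["loc"])
    hours = (charge["time"] - last["time"]).total_seconds() / 3600
    if hours > 0 and miles / hours > max_mph:
        return "decline"
    if charge["amount"] >= big_amount and miles >= far_miles:
        return "challenge"
    return "approve"


HOME = (33.78, -113.62)       # constructed: near Salome, AZ
TIRE_SHOP = (35.08, -106.65)  # constructed: roughly 400 miles from HOME
FAR_AWAY = (34.00, -84.15)    # constructed: roughly 1700 miles from HOME


def demo_charges():
    """Three charges against one card's history: a road trip, an impossible
    hop across the country an hour later, and a routine local purchase."""
    t0 = datetime(2012, 2, 1, 9, 0)
    history = [{"loc": HOME, "time": t0, "amount": 40.0}]
    road_trip = {"loc": TIRE_SHOP, "time": t0 + timedelta(days=2), "amount": 1000.0}
    impossible = {"loc": FAR_AWAY, "time": t0 + timedelta(hours=1), "amount": 25.0}
    local = {"loc": HOME, "time": t0 + timedelta(hours=3), "amount": 40.0}
    return {
        "road_trip": screen_charge(history, road_trip),
        "impossible": screen_charge(history, impossible),
        "local": screen_charge(history, local),
    }
```

The address-overlap test is what separates the thread's case (same card, unknown address, new account) from a family sharing one card across two logins; without it the duplicate-token rule would page the fraud team on every household.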
 
> Paypal also does the one-time use numbers, and it has a plug-in for your browser. It's pretty easy to use.
Spyware at Paul's PC can grab passwords for Paypal just as easily. Paypal protects against a compromise at the merchant, but not at the customer.

P.S. I use Linux desktop. No problems with Amazon, except that I have to use pymazon to get their MP3s.
 
For several years I used a citibank card and they provided a small application that you would run whenever shopping on-line. It generated a unique 1-time VISA card number and automatically filled in the payment fields. It was great as you never had to worry about your card being stolen while shopping on-line or having some business trick you into automatic renewal or other payments because it wouldn't work.

Unfortunately Citibank sucked overall and I cancelled that card. I am very surprised that other credit card companies haven't followed suit. It has to be great protection against fraud. The only thing I can think of is somehow the credit card companies are making money off the fraudulent transactions.
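An added Python model (not Citibank's software) of how the one-time-number feature works on the bank's side: each virtual number is Luhn-valid so merchant forms accept it, but it maps to the real account only for one merchant, one expiry date and one authorization, so a second charge, a different merchant or a later renewal is declined. The issuer prefix 999999, the merchant names and the dates are placeholders.

```python
import secrets
from datetime import date, timedelta

# Constructed placeholder issuer prefix, not a real BIN range.
DEMO_PREFIX = "999999"


def luhn_check_digit(partial: str) -> str:
    """Luhn check digit for a digit string (the standard card-number checksum),
    so a virtual number looks like any other to a merchant's form validation."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:                 # these positions are doubled once the check digit is appended
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    return number.isdigit() and len(number) > 1 and luhn_check_digit(number[:-1]) == number[-1]


class VirtualCardIssuer:
    """Bank-side model of the one-time-number feature: each virtual number maps
    to the real account but is locked to one merchant, an expiry date and,
    by default, a single authorization."""

    def __init__(self):
        self._cards = {}   # virtual number -> constraints and state

    def issue(self, real_account: str, merchant: str, today: date,
              valid_days: int = 30, single_use: bool = True) -> str:
        body = DEMO_PREFIX + "".join(str(secrets.randbelow(10)) for _ in range(9))
        number = body + luhn_check_digit(body)          # 6 + 9 + 1 = 16 digits
        self._cards[number] = {
            "account": real_account, "merchant": merchant,
            "expires": today + timedelta(days=valid_days),
            "single_use": single_use, "used": False,
        }
        return number

    def authorize(self, number: str, merchant: str, today: date) -> str:
        card = self._cards.get(number)
        if card is None or not luhn_valid(number):
            return "declined: unknown number"
        if today > card["expires"]:
            return "declined: expired"
        if merchant != card["merchant"]:
            return "declined: merchant mismatch"     # a leaked number is useless elsewhere
        if card["single_use"] and card["used"]:
            return "declined: already used"          # silent renewals fail the same way
        card["used"] = True
        return "approved"


def demo():
    """Walk one virtual number through its life; returns the decisions and the number."""
    issuer = VirtualCardIssuer()
    today = date(2012, 2, 1)
    vcn = issuer.issue("real-acct-42", "bookshop.example", today)
    decisions = [
        issuer.authorize(vcn, "bookshop.example", today),                        # approved
        issuer.authorize(vcn, "bookshop.example", today),                        # already used
        issuer.authorize(vcn, "other-shop.example", today),                      # merchant mismatch
        issuer.authorize(vcn, "bookshop.example", today + timedelta(days=365)),  # expired
        issuer.authorize("9999990000000000", "bookshop.example", today),         # unknown number
    ]
    return decisions, vcn
```

Because the merchant never sees the real account number, a breach on their side, or a subscription they quietly renew, yields nothing the bank will honour; the cardholder's own card keeps working throughout.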
 
> I am very surprised that other credit card companies haven't followed suit. It has to be great protection against fraud. The only thing I can think of is somehow the credit card companies are making money off the fraudulent transactions.
Or some company owns the software patent for that nifty feature and is charging more than other banks are willing to pay to license it.
 
Who could use 'one time' cards? All those digits would have to be recorded accurately for every sale.
I use mine about 60x per month and it has to be the same number so that I can memorize it and spit it out online or on the phone without looking it up each time. It's a killer when my card gets corrupted or they just decide to change my number.

This security is getting wild, I can't make a trip even within the state now and they block my card, start calling to see if I really am in X town.
Aggravating to be denied. Used to be that would only happen traveling out of the country.
 
> This security is getting wild, I can't make a trip even within the state now and they block my card, start calling to see if I really am in X town.
> Aggravating to be denied. Used to be that would only happen traveling out of the country.

If that happened I'd have a very hard time. Like Scott I spend a fair amount of time away from home. When I dig out the cards I expect them to work. So far, they have.
 
I have an Amazon Visa and use it A BUNCH. I had one bogus charge and Chase (card issuer) called me, cancelled the card and overnighted me a new one.

Outstanding service!!
 
I am using Amex (Platinum I think) and Visa mainly.
I spend about 60K per year with them, and get little in points or cashback or airmiles.
Everyone else is getting free trips to Europe, gift cards, how do I get in on that?
 
> iffen Amazon had been hacked, it would be big news.

Not necessarily. Obscurity is one (very poor) form of security. Iffen the
Big-A has been hacked, we won't hear about it until it's all fixed.

WiFi is once again, the Wild, Wild West ... several retail chains have
been victims of mega WiFi hacks over the years. Expect a *LOT* more
WiFi hacks.

WPA & WPA2 encryption was recently compromised due to a goofy
(inexcusable) design choice in the "WPS" easy-setup feature. It is now
trivial to recover the encryption keys and sniff card data from the ether.
The suits at the Wi-Fi Alliance chose to ignore the recommendations of
the consulting cryptographers. Short PINs are bad. Static PINs are bad.
So they chose to use a PIN that is both short and static. Stoopid, stoopid,
stoopid.

If you've got a WiFi-branded access point that is not mfg'd by Apple, you
are almost certainly exposed:

- Go into the setup screens and disable WPS; then ...
- Change your WPA/WPA2 key

Unless you have a Linksys/Cisco AP ... their DISABLE feature doesn't work.
They promise new firmware, sometime in March.

The only mfgr of WiFi access points that seems to have gotten it "right" is
Apple ... while their "Airport" family uses a 4-digit pin, it is only good for 2
mins and it changes every time it is used.

Think you are "safe" because WiFi is distance limited? I've got a small
WiFi antenna on the roof. When I sweep the horizon, I count almost 300
access points. Seventeen can be cracked instantly because the mfgr used
the same PIN for every WiFi product they've shipped. The others will take
less than 10 hours.
 
> WPA & WPA2 encryption was recently compromised due to a goofy (inexcusable) design choice in the "WPS" easy-setup feature.

I caution against over-focusing on the latest headline-grabbing attack vector. WPS is frankly insignificant as a threat. Very few have it implemented, let alone enabled, and they are geographically distributed. Finally, Amazon uses proper SSL with certificate checking for client connections, I would have no issues transacting with it over a public WiFi without any encryption even. I bet dollars to donuts that Paul's vulnerability is elsewhere (most likely a virus), and WPS has nothing to do with this thread.
 
> I caution against over-focusing on the latest headline-grabbing attack vector. WPS is frankly insignificant as a threat. Very few have it implemented, let alone enabled, and they are geographically distributed. Finally, Amazon uses proper SSL with certificate checking for client connections, I would have no issues transacting with it over a public WiFi without any encryption even. I bet dollars to donuts that Paul's vulnerability is elsewhere (most likely a virus), and WPS has nothing to do with this thread.

Well, WPS has nothing to do with this thread unless you are sending your credit card information over WiFi, which many are doing now. And I thought that most of the wireless router manufacturers have it implemented and, as in the case of Linksys, don't even allow you to turn it off.

Now, you should still be protected by transmitting the CC information over SSH or TLS, but I seem to recall that these have flaws too. What this points out is that attacking the consumer side is a relatively easy vector for compromising a credit card number.

That's what I like about the one time use numbers generated by CitiBank and Bank of America. In fact, it's one of the things I actually like about my AOPA card. Plus, of course, that if I spent as much on the card as Dave does I would get about $600 in cash rebates every year. Other cards may give a better deal, though.
 
No problems for me @ Earthlink either over roughly the same time period.
 
Has anyone ever lost even one dollar (directly) in fraudulent transactions?
The credit card co's seem to cover everything. Not that helping them protect the card is a bad idea, it just seems like it is not motivated by monetary loss, yes?
 
> WPS is frankly insignificant as a threat. Very few have it implemented, let alone
> enabled,

Incorrect & Incorrect.

If a mfgr wants to use the term WiFi and/or place the WiFi logo on the
package or hardware, they:

- MUST implement WPS
- WPS *must* be enabled by default

Virtually every WiFi-branded g/n access point shipped is vulnerable by
default. The only vendor that got WPS right is Apple. Buffalo has one
unbranded access point that ships with DD-WRT; and it's okay because
DD-WRT doesn't implement WPS.

>> Linksys, don't even allow you to turn it off.

Actually, it is worse. Linksys has a "Disable" button, but it does not
"disable" WPS.
 
> Unless you have a Linksys/Cisco AP ... their DISABLE feature doesn't work.
> They promise new firmware, sometime in March.

I guess I got lucky: My Cisco router doesn't have WiFi, because I thought I wasn't going to need it. When I later got a notebook computer, I plugged a Trendnet AP into the router. I hope its WPS disable button will work.
 
> Trendnet AP

It can be cracked instantly. Apparently, every unit they've ever shipped has the
same WPS PIN: 12345670

The WPS cracking utils try it first.

> I hope its WPS disable button will work.

Disable WPS. Then, change your WPA/WPA2 key. Longer is better.
 