Alert - STC SAWA Credit Card Fraud

The Merg · 07-21-2007, 04:16 PM

I just wanted to post a warning about a credit card fraud issue that occurred to me recently.

On 07/13, I received a call from Citibank of possible fraudulent charges on my Mastercard. Apparently there were two $80 charges for STC SAWA RECHARGE made on my card on 07/12 at 1812 hrs. STC SAWA are prepaid phone cards from the Saudi Telecom Company in Riyadh, Saudi Arabia. Citibank was only able to tell me that the charge was made via telephone or web and that a card was not swiped.

Searching on the internet, I found another person who was the victim of fraud with the same charges only a few days before me, so it appears that this might be more than a one-time thing. I have not been able to get in touch with the other person to see what sites we have in common that we placed internet orders with.

Of course, we immediately canceled that card number and had new cards issued. No other fraudulent charges have shown up. We also placed fraud alerts on our credit with the major credit bureaus.

I consider myself to be a well-informed internet shopper in that I use reputable companies, make sure that credit card purchases are made via secure connections, and routinely check my credit card statement. Of course, I'm upset that something like this happened, but if I can use it to help other people protect themselves, I can live with it.

- Merg

Peter Cornstalk · 07-23-2007, 05:53 AM

Employees in organizations that keep your credit card on record sell these lists. You should always make sure you are using SSL connection to transmit your CC data, but that won't prevent you from losing the CC data if it is being stored someplace.

I wouldn't be surprised if someone got a dump directly from Citibank with your card info in it.

The Merg · 07-23-2007, 07:33 AM

Well, I have to trust that Citibank is keeping my card information secure. If I don't, then I'll never be able to use a credit card again. As for making on-line purchases, I always make sure I have a secure connection or I won't use that store.

My thought is that one of the stores I used had an unscrupulous worker that grabbed my information. I guess I should consider whether the store is just collecting my information and then running it through manually later.

- Merg

shoshannah · 07-23-2007, 01:16 PM

Same thing happened to me, posted 7/22, not sure of the time. The operator at Citibank told me "Citibank is aware of the issue". Whether or not that means it's solely a Citibank issue is not clear to me. I too am a careful internet shopped. I feel like I've been slimed!

The Merg · 07-23-2007, 02:00 PM

Same thing as in same exact charge? Hmmm.... That is interesting. I think I might be calling Citibank up and inquiring a bit more.

- Merg

skobel · 07-23-2007, 02:03 PM

hi, same thing happened to me, but not via a credit card, the TWO $80 charges were deducted from my BB&T checking account and BB&T called me to notify me, they immediatly cancelled my check card and is sending me a new one. From googling and talking to my wife's uncle, it seems they might be grabbing these debit and credit card #'s at gas stations, what do u all think about that theory?! Also, i e-mailed my concerns via the contact us page on stc.com/sa, which i think is the company that is showing up on the explanation of charges. talk to u later ! my email is spkobel@us.ibm.com if u have any further questions, Thanks. what i've been doing since this is started buying gas at non-foreign gas stations, there used to be a list circulating, i think CITGO is foreign but shell isn't, but not positive !

The Merg · 07-23-2007, 03:30 PM

Quote:

Originally Posted by skobel

hi, same thing happened to me, but not via a credit card, the TWO $80 charges were deducted from my BB&T checking account and BB&T called me to notify me, they immediatly cancelled my check card and is sending me a new one.

Well, I'm assuming that you used your check card as a "credit card" for purchases and not just as a debit card. By using it as a check card/credit card and not a debit card, you are subject to all the same downsides as a user of a credit card is and, unfortunately, in your case the money comes straight out of your checking account.

Quote:

Originally Posted by skobel

From googling and talking to my wife's uncle, it seems they might be grabbing these debit and credit card #'s at gas stations, what do u all think about that theory?!

Well, I take all of my receipts and shred them, so I don't think they got my number from there. I'd be interested as to what companies you used your card number for when purchasing on-line.

- Merg

Peter Cornstalk · 07-23-2007, 04:43 PM

Quote:

Originally Posted by The Merg

Well, I have to trust that Citibank is keeping my card information secure. If I don't, then I'll never be able to use a credit card again. As for making on-line purchases, I always make sure I have a secure connection or I won't use that store.

My thought is that one of the stores I used had an unscrupulous worker that grabbed my information. I guess I should consider whether the store is just collecting my information and then running it through manually later.

- Merg

Apparently you never heard about this:

http://www.infoworld.com/infoworld/a...sesdata_1.html

They don't directly say if there was credit card info in the batch, but that doesn't mean there wasn't.

I have seen many dumps of customer credit card informations from databases that were storing the info from various sources. I know where a website is right now where the guy posts dumps of credit card info every week for people to try out before they buy lists from him.

You are not responsible for fraudulent charges, so there is no reason why you would not use a credit card in any case. I have been hit on my personal chase and a company AMEX. Guess what, neither one of them were stolen online.

The Chase I never used, so I am positive it was stolen from Chase.

The AMEX was stolen by a waiter at Denny's in Seattle WA where I ate one time when on a business trip.

chafanet · 07-23-2007, 04:48 PM

Hi, I'm from Mexico

in my case it was a charge for $80 dollars, the bank is INBURSA and i've never put my credit card number in any computer, i don't use internet for shopping or something like that. I don't know how it has happended!

(i'm not so good in English)

Peter Cornstalk · 07-23-2007, 05:03 PM

As far as online stores storing your information, there is a way to tell if they are storing it. The first time you run the credit card, make the expiration date bad in the future. If they accept it without returning an error, they are collecting the info and not authorizing it real time.

That means if you are giving them the CVV2 "security code", they are storing that too.

Some big online stores do store your credit card. They may store one or more credit cards to make it easier for you to purchase without having to enter the card again. You know they are storing and sometimes they have the option not to store. Most of them are big enough they have to file PCI compliance reports and such and at least you know the data is encrypted and they are probably not storing the CVV2 code after the card is authorized the first time.

The problem is the stores that don't tell you this and are really collecting it and then authorizing it manually later.

Being there is a valid "Hacker Safe" logo or similar means nothing because you can make them say valid, all you have to do is turn off checks that fail, and it will say valid. Even if it fails a check that is turned on, the "Hacker Safe" logo will report "safe" for 72 hours and then just disappear after that. Some of the other logos may just dissappear. So the logo will never tell customer that the server is "unsafe", the logos simply do not show.

A valid SSL connection is worthless if they are collecting the data into a non-encrypted database on a server that is vulnerable to being broke into or they have crook employees with access to the data.