One of the simpler fraud checks is velocity (rapid orders) and flag them. In this scenario, he should do a charge back (through his bank) to recover the funds.
I'm not sure it's possible to do a "charge back" on a PIN-based debit transaction.
It was years ago, but someone once stole my debit card number once and it took a few weeks to get my money back ("provisionally") from my local community bank.
Assuming this was setup on a website/phone app, it was not a pin-based transaction, most likely run over the credit or debit rails as a card not present or pre-approved transaction.
The customer should be able to request chargebacks through their bank without issue.
I would suggest you investigate getting a better local bank, as this is something any bank should be able to easily do.
My understanding is that one way to reduce the impact of card skimming would be to use a credit card for general purchases rather than a debit card. I would especially avoid pin-based transactions whenever possible.
One thing that helps about credit cards - credit card companies extend you more protection, which means they assume more liability. From what I've seen/heard, this translates (as you would hope) to increased vigilance on their part.
Personal example - driving cross country, I filled up maybe 4-5 times across several states. Got a call from my credit card company after the 4th fill-up. It had been less than 24 hours since the "spree" started, and I got the call in the middle of the night, from a human! (I was driving through the night)
Also, the authorization that merchants do to make sure you have the money will tie up that money on your account even if you cancel the purchase before being charged. On a credit card it will tie up the equivalent credit, but at least it is not cash being locked up.
My question is why would the scammers launder the money through Starbucks then to eBay or some third party service... there seems to be too many points of failures... Starbucks can easily deactivate all the cards once they have been notified... eBay restricts the number of gift cards you can list, plus there are the fees and the credit card charge back, etc... Seems there are better ways to do this...
Most likely one of the easier ways to "cashout" on stolen credit cards. There is nothing to pick up/ship, its fairly anonymous and if you have the volume it can easily be worth it.
Contrary to what the article states, this is almost definitely not due to skimming of any kind. It is most likely related to a database leak or breach, whether it is documented or not is another question.
Also, typically these are not "actual" (card-present, pin entered) debit transactions. Starbucks, much like Amazon, authorizes some online purchases as pinless debit card transactions, due to the lower processing rate incurred by the merchant. This can all be done completely online, for example, via Starbucks Online Reload system.[1]
This is truly nothing new, Gift card fraud has been booming since 2006-2007, when companies (starting with Starbucks, followed by Subway, Walmart[2], Whole Foods, etc.) began offering reloads to existing cards. Unfortunately, most of these companies have laughably bad fraud detection.
For example, Whole Foods uses a platform formerly known as "Giftango", which was rebranded as "InComm" in the last couple weeks. They quite literally will let a credit card thief reload hundreds of dollars from an IP anywhere in the world, to any gift card powered by their platform. No fraud scoring, velocity checks, geolocation, etc. You can imagine how easy this would be just by taking a look at their default gift card management portal, used by Whole Foods.[3]
Conveniently for credit card theives, WalMart even offers an option to reload a spreadsheet, or a CSV list of cards off a single credit card, easy right?[4]
Overall, I think this problem is only going to grow, especially with Cardpool acquired by Safeway, and now offering instant cash for gift cards in stores. This is an extremely easy method to cash out these fraudulently created gift cards, conveniently located at your local grocery store.
You would think that pinless debit card transactions would carry higher fees since there is a higher risk of fraud. Any thoughts as to why it's the opposite?
I wouldn't say there is any higher potential for fraud, as they're essentially verifying the same about of data. It may make it slightly more difficult to recover funds if your card is used without your permission, however.
The processing rate is typically lower because of agreements between issuing banks and debit processing networks, and is a somewhat hot topic at the moment as technically pinless online debit transactions are only intended for when the customers identity has been "confirmed", such as individuals with running accounts at a wireless carrier.
However, for whatever reason, some big companies are being allowed to use the MasterCard Debit/Maestro/Visa Debit/STAR/PULSE networks in this manner. In this case that company is Starbucks.
I'd estimate the rate paid by Amazon/Starbucks for processing pinless debit is 0.8% or less. Compare this with the 0.9 - 2.2% interchange fee (depending on card type) they'd incur if they processed these transactions as credit. It might not sound like a lot, but at that scale it probably ends up being millions per day saved.
I had a fraud issue caught by a bank once. What's strange is they caught the test at a bar I had frequented. That made me assume that it was skimmed. (But perhaps they saw many others tested there?)
It's unlikely for a skimmed card to be used online in this fashion, because the thieves wouldn't typically have the CVV2, only the CVV1 which is included on the magnetic stripe track. Most merchants which offer gift card reloads will decline on an incorrect CVV2.
Additionally, cost benefit wise, card data sells for $2-3 max, while track data sells for much much more ($25-50), and typically someone capable of acquiring this data themselves would not be wasting their time with Starbucks card reloads.
Do you know if InComm/Giftango take on any of the burdens of fraud?
There already seems to be a big moral hazard problem with credit card companies and merchants, where the merchants have to cover the entire loss if I understand correctly.
I'm hoping competition from startup payment processors might put pressure on credit card companies, as this ends up costing businesses and consumers a lot of money.
As far as Giftango goes, they simply provide the platform, Whole Foods (or whomever is the actual gift card merchant) is responsible for any fraud which occurs due to abuse of the platform. Assuming the fraud was successful, Whole Foods will lose both their product and their money.
While I agree that it is not due to skimming, I dont think it is database leak or breach. If it was, thieves would probably go for smaller transactions (since they are harder to notice ) on large scale. My guess is that she either got phished or shopped on compromised website. That could also explain hosting purchase.
Phishing for credit card information alone is extremely rare, as it doesn't make any financial sense to people whom are committing fraud, if someone were phishing they'd be interested in login information and identity data instead.
In my experience, most database breaches result in data being sold, not used. It's more profitable and results in far less risk (Ex: 100k cards @ $2/ea via anonymous payment methods) vs attempting to use the cards.
As such, the people who end up actually creating the transactions are usually low level individuals whom are trying to figure out a way to "cash out"
Not to say there isn't a chance you're right, but card data is cheaply and readily available elsewhere, which is why I don't think this was related to a phishing attack. If there were other signs (ex: bank logins compromised, credit inquiries, etc.) then I'd be much more inclined to agree. Either way, it's hard to come to a certain conclusion based on the information provided in the article.
They wouldn't necessarily even need to do that. With a camera just below the counter, and a little practice, they could capture the front and back of the card easily without appearing to do anything unusual. That would contain all the information they need to make a copy.
> After the perpetrators skimmed my debit-card number (perhaps at a subway-station vending machine or a local merchant)
Incidentally, someone cloned one of my credit cards and tried to buy gas with it in NY (not a big deal -- AmEx caught it when they tried to use it). I'd recently traveled to NYC and the only times I used the card were the subway ticket machine and an LIRR ticket machine. I think they need to keep a more careful eye on those machines.
Those MTA machines usually have security cameras pointed at them and (at least at the stations I frequent) cops are abound. Of course, I don't know exactly to what degree the readers are tamper-resistant.
This is another reason I try not to use my card in any machines, especially when I'm travelling. Cash can be risky, but it's good to keep a small amount on you at all times just in case.
what surprises me most is the high amount these cards sell for on ebay, when they presumably get electronically wiped pretty quickly once reported.
the link from the article has many of these, eg currently a $10 card with 5 bids at $9.39 - surely there's more than 7% of risk that the card ends up worthless for a buyer?
* None of the sellers of auctions ending today with bids has less than a 100% feedback rating and a long feedback history. There does not appear to be a population of newly created accounts selling only gift cards.
* Should an account sell a worthless gift card, the auction would be disputed through eBay and PayPal, and if lost there, possibly through the credit card issuer too. One or two scams and the accounts would be locked.
* eBay, PayPal, and the buyer's credit cards all separately promise full reimbursement protection against fraud on eBay, so the risk to the buyer is small even if fraud were to occur.
* If a listing category on eBay were generating >7% chargebacks for PayPal, which is owned by eBay, they'd restrict or eliminate that category the same as they've done with others. The fact that it's available as a category is evidence that there is not widespread fraud.
I don't think there's a 7% chance of buying a worthless gift card on eBay. I don't think eBay buyers paying 93% face value of gift cards are stupid.
So having had the experience of having a 'starbucks card' get charged to a compromised account, I asked Starbucks about this and at that time (a bit over a year ago) they didn't invalidate the card because it was causing a lot of customer service complaints. Given the prevalence of the fraud I wonder if that was a wise choice, perhaps they have changed since then.
I had a credit card # stolen from a locked hotel safe. (It was overseas, I hadn't used the card on the trip, and there were charges to a sporting goods store down the street.)
If someone wants the #, they can get it. The nice thing is that the data analysis seems to be getting better and better. It gets caught very quickly nowadays (the current story being a poor counterexample) and it's been a few years since I had a false positive.
I still get this - they call with an automated system, give vague descriptions of the transactions which I can't actually recognise them from, then I go online and actually check the transactions.
From the article the original debit card #, exp date and cvv could have been stolen online or via physical card skim. Online via database hack (this is a serious PCI-DSS violation if the perpetrator has the encryption keys or the system storing the info isn't protecting the data), could have been stored in her browser cache and someone sneaked a peak at starbucks when she went to the bathroom. Or a physical card skim which typically happens from skimming devices appended to gas station and atm card readers, or a server at a restaurant quickly skims the card data while taking your card away to pay for the meal.
Either way they got the card #. I don't think it's feasible to completely prevent card info from being compromised, too many possibilities for human error on behalf of the cardholder or merchants/processors trying to protect the data, which face a seemingly never ending list of people willing to steal card info for a quick buck.
Part of what makes thefts like this hard to track down is the fact that there are numerous parties and systems involved in the transaction. There's starbucks website, and I'm sure they use and outsourced provider to manage their stored value accounts, who in turn uses an outsourced payment provided to process the credit/debit card payments, who plugs into MC or Visa rails to hit the cardholder's bank. In my mind all of these parties are at fault for not catching this, but I admit it's easier said than done when processing billions of electronic transactions every day.
The easiest way to prevent identify this type of fraud would have landed on her bank's shoulders. First recognizing the initial test txn in Ohio was questionable, and then they should have had a velocity trigger on the same account # being used at the same merchant numerous times. Starbucks (and their partners) should have a similar velocity trigger looking for repeat purchases from the same card# within a certain time frame regardless of dollar amount.
In the end the crooks learn the fraud rules, adjust their practices, and the good guys have to play catchup while trying not to prevent good transactions from getting stopped.
Maybe the best way to protect yourself as a consumer is to routinely (daily, twice a week, etc) review the purchases made on your accounts. It's clear you can't depend on the companies making money off your spending (i.e. electronic payment providers and your bank) as they get paid when you spend more, and they'll only go so far to protect you before the ROI isn't there.
I destroyed most of my debit cards and the rest is locked away. I carry an ATM card (no expiration also, I had to request it from Chase to replace the debit card) and few credit cards. With a credit card I can charge back any transaction up to 180 days later.
Are you not allowed to charge back debit card transactions? Granted, it’s only 6 weeks for me, but not being able to do that at all rather surprises me.
I am not sure if there is any advantage at all of using a debit card over a credit card. Bottom line is that debit card fraud comes straight from your bank account and can cause problems with other payments etc. These days it is not possible to escape fraud even if you are very vigilant. You cannot assure that merchants are handling this data properly. For this reason I specifically requested that Chase stop sending me debit cards as my ATM card, and now I have a plain blue card that just says "ATM card" If you have a credit card use that and pay it off every month, far easier and safer.
46 comments
[ 2.8 ms ] story [ 123 ms ] threadIt was years ago, but someone once stole my debit card number once and it took a few weeks to get my money back ("provisionally") from my local community bank.
The customer should be able to request chargebacks through their bank without issue.
I would suggest you investigate getting a better local bank, as this is something any bank should be able to easily do.
Personal example - driving cross country, I filled up maybe 4-5 times across several states. Got a call from my credit card company after the 4th fill-up. It had been less than 24 hours since the "spree" started, and I got the call in the middle of the night, from a human! (I was driving through the night)
I thought it meant they placed more liability with retailers &c.
Also, the authorization that merchants do to make sure you have the money will tie up that money on your account even if you cancel the purchase before being charged. On a credit card it will tie up the equivalent credit, but at least it is not cash being locked up.
Also, typically these are not "actual" (card-present, pin entered) debit transactions. Starbucks, much like Amazon, authorizes some online purchases as pinless debit card transactions, due to the lower processing rate incurred by the merchant. This can all be done completely online, for example, via Starbucks Online Reload system.[1]
This is truly nothing new, Gift card fraud has been booming since 2006-2007, when companies (starting with Starbucks, followed by Subway, Walmart[2], Whole Foods, etc.) began offering reloads to existing cards. Unfortunately, most of these companies have laughably bad fraud detection.
For example, Whole Foods uses a platform formerly known as "Giftango", which was rebranded as "InComm" in the last couple weeks. They quite literally will let a credit card thief reload hundreds of dollars from an IP anywhere in the world, to any gift card powered by their platform. No fraud scoring, velocity checks, geolocation, etc. You can imagine how easy this would be just by taking a look at their default gift card management portal, used by Whole Foods.[3]
Conveniently for credit card theives, WalMart even offers an option to reload a spreadsheet, or a CSV list of cards off a single credit card, easy right?[4]
Overall, I think this problem is only going to grow, especially with Cardpool acquired by Safeway, and now offering instant cash for gift cards in stores. This is an extremely easy method to cash out these fraudulently created gift cards, conveniently located at your local grocery store.
[1] https://www.starbucks.com/card/reload/one-time
[2] http://www.walmart.com/cp/Reload-Gift-Card/1097444
[3] https://app.giftango.com/GiftCardPortal/WholeFoods/GiftCardP...
[4] http://www.walmart.com/cp/Reload-Gift-Cards/416242
The processing rate is typically lower because of agreements between issuing banks and debit processing networks, and is a somewhat hot topic at the moment as technically pinless online debit transactions are only intended for when the customers identity has been "confirmed", such as individuals with running accounts at a wireless carrier.
However, for whatever reason, some big companies are being allowed to use the MasterCard Debit/Maestro/Visa Debit/STAR/PULSE networks in this manner. In this case that company is Starbucks.
I'd estimate the rate paid by Amazon/Starbucks for processing pinless debit is 0.8% or less. Compare this with the 0.9 - 2.2% interchange fee (depending on card type) they'd incur if they processed these transactions as credit. It might not sound like a lot, but at that scale it probably ends up being millions per day saved.
I had a fraud issue caught by a bank once. What's strange is they caught the test at a bar I had frequented. That made me assume that it was skimmed. (But perhaps they saw many others tested there?)
Additionally, cost benefit wise, card data sells for $2-3 max, while track data sells for much much more ($25-50), and typically someone capable of acquiring this data themselves would not be wasting their time with Starbucks card reloads.
There already seems to be a big moral hazard problem with credit card companies and merchants, where the merchants have to cover the entire loss if I understand correctly.
I'm hoping competition from startup payment processors might put pressure on credit card companies, as this ends up costing businesses and consumers a lot of money.
Who cares about gift card fraud when they are laundering billions for criminals, cartels etc.
If you get too much oversight, they might accidentally find all the other crap banks are upto.
If there is any institution you can be assured of fraud; it's banks.
In my experience, most database breaches result in data being sold, not used. It's more profitable and results in far less risk (Ex: 100k cards @ $2/ea via anonymous payment methods) vs attempting to use the cards.
As such, the people who end up actually creating the transactions are usually low level individuals whom are trying to figure out a way to "cash out"
Not to say there isn't a chance you're right, but card data is cheaply and readily available elsewhere, which is why I don't think this was related to a phishing attack. If there were other signs (ex: bank logins compromised, credit inquiries, etc.) then I'd be much more inclined to agree. Either way, it's hard to come to a certain conclusion based on the information provided in the article.
To my understanding, the concern is a store merchant who is palming a card scanner and sneaking a swipe of your card through their scanner.
Incidentally, someone cloned one of my credit cards and tried to buy gas with it in NY (not a big deal -- AmEx caught it when they tried to use it). I'd recently traveled to NYC and the only times I used the card were the subway ticket machine and an LIRR ticket machine. I think they need to keep a more careful eye on those machines.
This is another reason I try not to use my card in any machines, especially when I'm travelling. Cash can be risky, but it's good to keep a small amount on you at all times just in case.
the link from the article has many of these, eg currently a $10 card with 5 bids at $9.39 - surely there's more than 7% of risk that the card ends up worthless for a buyer?
http://www.ebay.com/sch/i.html?_trksid=p2050601.m570.l1313.T...
http://www.ebay.com/itm/Starbucks-10-Gift-Card-FREE-SHIPPING...
or is the answer just that some people on ebay are stupid? ...
* Should an account sell a worthless gift card, the auction would be disputed through eBay and PayPal, and if lost there, possibly through the credit card issuer too. One or two scams and the accounts would be locked.
* eBay, PayPal, and the buyer's credit cards all separately promise full reimbursement protection against fraud on eBay, so the risk to the buyer is small even if fraud were to occur.
* If a listing category on eBay were generating >7% chargebacks for PayPal, which is owned by eBay, they'd restrict or eliminate that category the same as they've done with others. The fact that it's available as a category is evidence that there is not widespread fraud.
I don't think there's a 7% chance of buying a worthless gift card on eBay. I don't think eBay buyers paying 93% face value of gift cards are stupid.
I had a credit card # stolen from a locked hotel safe. (It was overseas, I hadn't used the card on the trip, and there were charges to a sporting goods store down the street.)
If someone wants the #, they can get it. The nice thing is that the data analysis seems to be getting better and better. It gets caught very quickly nowadays (the current story being a poor counterexample) and it's been a few years since I had a false positive.
Either way they got the card #. I don't think it's feasible to completely prevent card info from being compromised, too many possibilities for human error on behalf of the cardholder or merchants/processors trying to protect the data, which face a seemingly never ending list of people willing to steal card info for a quick buck.
Part of what makes thefts like this hard to track down is the fact that there are numerous parties and systems involved in the transaction. There's starbucks website, and I'm sure they use and outsourced provider to manage their stored value accounts, who in turn uses an outsourced payment provided to process the credit/debit card payments, who plugs into MC or Visa rails to hit the cardholder's bank. In my mind all of these parties are at fault for not catching this, but I admit it's easier said than done when processing billions of electronic transactions every day.
The easiest way to prevent identify this type of fraud would have landed on her bank's shoulders. First recognizing the initial test txn in Ohio was questionable, and then they should have had a velocity trigger on the same account # being used at the same merchant numerous times. Starbucks (and their partners) should have a similar velocity trigger looking for repeat purchases from the same card# within a certain time frame regardless of dollar amount.
In the end the crooks learn the fraud rules, adjust their practices, and the good guys have to play catchup while trying not to prevent good transactions from getting stopped.
Maybe the best way to protect yourself as a consumer is to routinely (daily, twice a week, etc) review the purchases made on your accounts. It's clear you can't depend on the companies making money off your spending (i.e. electronic payment providers and your bank) as they get paid when you spend more, and they'll only go so far to protect you before the ROI isn't there.
I destroyed most of my debit cards and the rest is locked away. I carry an ATM card (no expiration also, I had to request it from Chase to replace the debit card) and few credit cards. With a credit card I can charge back any transaction up to 180 days later.