I just talked to a nice chap from my bank about my Visa card number being ripped off. Again. I'm getting a new card, they're sending me a form to fill out to get the fraudulently spent money back, blah blah blah. The usual drill, and not that much of a hassle for me, since I don't use the card very often.
The last time this happened - which was actually the first time it'd ever happened to me - was late last year. Someone bought himself a couple of lovely iPods and attempted, unsuccessfully, to purchase $US1500 worth of Ultrasone headphones.
So far, so normal.
This time's a bit different, though. There was just the one charge, working out at a hundred and forty-something Australian dollars, to a payee listed only as "TRENITA". The nice man from the bank told me this was "Trenitalia"; someone was trying to buy Italian train tickets with my credit card.
The charge was instantly noticed by Visa and/or the bank, who did that precautionary-card-lock thing that's usually what you want but which can be a big problem if you've actually gone overseas for a holiday and would now rather like to be able to buy things.
According to the bank bloke, there's been a sudden rash of these Trenitalia charges just over the last few days, indicating that some major company has, yet again, cheerfully handed zillions of card numbers over to what will inevitably be described as "hackers" when someone writes a news story about it.
Sometimes these mass card-number leaks actually do happen because an attacker managed to compromise the security of one or more companies' card databases, or just sniffs a network to harvest any numbers that pass by. But, more often, serious blue-chip businesses seem to just put a billion numbers in plaintext on a laptop and then leave it on a train, or burn a copy of their unencrypted database to a CD and mail it to the wrong person. Or they print the numbers out and send them to newsagents for professional distribution. Or they put them on an open Web server, and Google indexes them. (And there's no reason to suppose that financial institutions will be any smarter.)
I would, out of morbid curiosity, like to know who trod on their dick this time. It'll probably be one company - quite possibly a bank - with which all of the compromised accounts did business. It could also be a credit-card processing firm or "payment service provider", though, that provides card-handling services to many small businesses.
I've only had this card since December last year, but that doesn't narrow it down much. Tell me if you see any news stories about this.
1 October 2008 at 4:19 pm
I bet it was the company that processes your pr0n subscription.
1 October 2008 at 4:26 pm
Yep, I had my Visa details used recently as well - about a month and a half back, the first time something like that had ever happened to me. It was a total surprise. In my case the bank didn't notice it and I had to notify them, at which point they cancelled my card and so on; a total inconvenience. They've only just refunded the unauthorised charges and apparently there are still two months for them to be re-charged if the bank decides that the merchant has a right to do so. I've thought about the places I've purchased things online but can't figure out where the details could have been leaked, but obviously someone, somewhere, has lax processing or storage security.
1 October 2008 at 4:27 pm
(as an addendum, the card was used to purchase hundreds of dollars worth of something from Swisscom and to make two donations to online charity websites!)
1 October 2008 at 5:40 pm
From memory, Trenitalia let you buy tickets online, with the "ticket" being an SMS sent to your phone that you show the conductor. Chances are then that the bad guy did in fact get away with it in this case - they'd be working on the assumption that the travel would be completed before the charge got noticed/disputed.
1 October 2008 at 6:01 pm
The online charity donations are a way to test a card to see if it's valid. Send $1 to Red Cross, and you'll know if you've got a working card.
1 October 2008 at 6:45 pm
Funny you should mention that. My girlfriend and I holidayed in Italy in January and used the mostly excellent trains to travel between cities.
The one major hiccup was in attempting to buy tickets from one of Trenitalia's automated machines at Florence station. One of my Commonwealth Bank Visa cards refused to work, although the other one worked fine.
Minutes later, my mobile rang and it was someone at the "Security Centre" of the bank asking if I was in Italy attempting to buy train tickets. This was despite my calling the bank a week before we left telling them where we'd be and would they kindly allow us to transact in peace.
Apparently the reason the one card didn't work was because Trenitalia automatically blocked it as "foreign". This is despite the other one naturally having the same billing address. And also despite the rather obvious fact that you're going to have the occasional foreigner using an intercity train service.
The upshot of this is that talking to some tool at the bank cost me about $20 in exorbitant international mobile call receive rates. And it seems that financial security systems are so full of false positives and negatives, at such random frequency, as to render them mostly impotent against any actual fraud.
2 October 2008 at 1:51 am
I had a random charge appear on my card earlier in the year. Admittedly I was slow to react, but this was back in May and it took a good 3 months to get the charge reversed. Oddly it was only for some flowers from a florist in Queensland (I live in NSW) which was under $100. Correspondence was slow, and it was only briefly mentioned that I would have to get a new card, which never eventuated.
Ironically, my card remained active until it accidentally fell out of my wallet (it's happened before, but normally I notice), and it was a very straightforward and painless procedure to have it changed. Commendations to the Commonwealth Bank.
I want to believe that the original charge was an honest mistake - is it possible to typo the odd number or two and end up accidentally using someone else's credit card number?
[It's possible, but spectacularly unlikely. -Dan]
Also, the name on the transaction was clearly not mine - I thought that getting the name right (or roughly right) would be a part of the verification process.
2 October 2008 at 2:24 am
jaypeabey: I've never heard of anyone buying tickets from Trenitalia and only having to show an SMS. I'm Italian, and I have to use Trenitalia's horrible services about every week or two, so I'm pretty sure I'd have heard if they'd introduced something like that. Hell, Trenitalia has trouble keeping the 1970-vintage trains running at all; I don't even want to think what would happen if they tried to start an SMS ticket system. Most likely the whole thing would fail less than a week after startup... then they'd stick it back together enough to sort-of work like they do with the trains, and there'd be lost SMS messages, paid-for tickets would vanish and the Italians - who are already rather pissed at the company - would start riots in train stations.
Yes, it's really that bad.
2 October 2008 at 5:55 am
Sometimes card numbers are lost by major companies, but in the course of my investigating a few identity thefts (I'm a policeman), I find most cases involve someone dishonest getting physical access to a credit card and either skimming it with an electronic device or simply jotting down the numbers on a piece of paper. What makes it hard to identify the thief is that the more seasoned crooks will not themselves use the CC details they've just stolen; instead, stolen bank info is traded internationally and eventually abused by someone far removed from whoever swiped your card details. This way, there's no clear trail from where you've used your card to where it was abused.
I'm aware of at least one major case where a cab driver in Stockholm routinely skimmed the cards of every passenger who paid in plastic, and he then traded the card numbers over the net. A whole bunch of small-time crooks then did the risky business of actually using the info to purchase high-value and/or easily sold goods (that's easier than trying to get cash directly). These "end thieves" were all over the place, in several countries.
2 October 2008 at 9:03 am
I'm assuming this is pronounced "Tren Italia" (as itahlia), rather than "Trenitalia" (to rhyme with... well...)
2 October 2008 at 6:05 pm
Changes: I'm Italian too and the SMS ticket stuff is real and works perfectly (it's called Ticketless). No riots at the stations, no aliens stealing your tickets (it gets sent to your email address too), and it's 3 years since they started the service already... wake up :)
2 October 2008 at 6:46 pm
@Changes: My info came from an otherwise intelligent and reliable workmate back in 2005, when I was about to travel to Italy myself, who claimed he used such a service. Personally I saw this as too big a risk of failure, so I paid a travel agent to get me paper tickets before I left.
This site describes a service that could be what he was talking about (scroll down, under the heading "On The Web"). I can't find anything on the Trenitalia site about this now, so it's possible they no longer offer such a service. This was about as close as I could find.
2 October 2008 at 9:31 pm
Incidentally, I am pretty sure it makes little or no difference to your risk whether you use the card online or only IRL; assuming your total frequency of usage does not change, your risk is probably about the same. There's no special magical reason why a place where you physically went can't lose their credit card database in the same manner as an outfit you only dealt with online, and while using the card on the internet technically makes things like MITM attacks possible, in practice it's easier, and results in a much larger batch of numbers, to get the information where it's stored.
So you either accept the risk of having your card number harvested from time to time, or you become a complete luddite and refuse to use credit cards at all.
2 October 2008 at 11:14 pm
I admit ownage and bow to your superior knowledge of our train system.
When I asked about ways to make things quicker the guy at the counter said a whole lot of nonsense about having to print out forms and whatnot, so I declare myself a victim of misinformation. :P
The bad quality of the trains, however, I'm 100% sure about...
3 October 2008 at 12:16 pm
I wonder how many CCs you could harvest if this viral email went around: "Type your CC number into Google to find out if it's been stolen".
I'm too chicken to try my own CCs -- maybe next time someone at work buys something over the telephone I'll have a look....
7 October 2008 at 5:24 am
steveq: You could search for the second and fourth groups of numbers (or first and third, etc.). They're useless on their own, and chances are that they're not that commonly seen together.
Of course, you could probably also just search for "CC#" and find a few dozen Excel sheets to comb through, just as you can "SSN". *shakes head*