Wednesday, September 02, 2015

Credit card fraud seems to involve automatically generating many transactions against "random" merchants

On Sunday afternoon, August 23, 2015, I got a sudden text from Bank of America about potential fraud on one of my Visa cards with the bank.  This was accompanied by emails and a phone call, which I took, even as I had to leave for an event.

The card was cancelled immediately and replaced within two days.  But what was curious was the speed with which fraudulent charges had accumulated, from merchants that had no logical connection to one another.

I still had the card.  But I do recall that in the past, BoA has sometimes sent more than one copy of a card (not a good idea). 

There was some reason to think that some of the charges might have come from Florida.  I had visited the Disney and Universal theme parks there in mid-July and gone to a street celebration in downtown Orlando on a Saturday night.  I never used this particular card while there.  But it is conceivable that someone in one of the parks or on the street could have used a scanner capable or reading cards in my wallet.  Also, it is conceivable that these particular entities don’t check card security code, just name and expiration date.

It’s also conceivable that the scam could come from some business that was hacked where this card has been used legitimately, but none of the companies reported in the media would match.
But it’s hard to see how this kind of a scheme could make the fraudster any money, as a practical matter.  The card will almost certainly get denied quickly.  The charges themselves seemed to have been generated by an automated script that might not have even required contacting the merchants.  Maybe the scam needs to make money from only 1% or so of all the transactions if the scammer can generate enough transactions.   It seems likely that the ultimate source of the scam comes from Russia or China.