A couple of weeks ago, I had my debit card stolen. I found out because I logged into my bank account and noticed a pending purchase of $50 from Facebook. Now Facebook is a lot of fun, but I’ve never bought anything from Facebook, and probably never will. Below is what I saw on my account:
As I looked a little more closely, I also noticed, in reverse chronological order,
(1) another FB transaction for $60.52
(2) a reversal for $1.01
(3) another FB transaction for $1.01
(4) an amount of $2.52 to someone or something called JEFFREY (obscured)
I knew instantly that I had not made any of these transactions, so to paraphrase the immortal words of Jeff Foxworthy: “This was my sign”.
The bank assured me that JEFFREY (obscured) was an Ethiopian airline, but Google and I could not confirm that. The bank was happy to agree that the charges were fraudulent, and gave me a credit pending an investigation. They canceled my card, and sent me a new one.
I called Facebook next, and it turned out that they had a web page already set up for exactly this purpose, and which answered exactly the right questions. Placing my tongue firmly in my cheek, there is some chance that this was not an isolated incident.
I have to say that Facebook was very quick and professional about handling this. A human quickly responded to my web page submission, and they immediately agreed that the charges were fraudulent. They were even prepared to share that the charges were for fraudulent ads on a fake account, which they had now canceled.
All in all, no lasting harm was done, other than a bit of inconvenience with having to get a new card.
What Can We Learn From This?
The first interesting question is: Where did they get my card? Right after this happened, Barnes and Noble admitted that some of their stores had been hacked or skimmed, and customers’ cards stolen, so I initially thought that this would be the explanation. I realized that my state was not one of the ones that had stores compromised, and also, the Facebook purchase had required the three-digit verification code from the back of my card, which meant that the card details probably did not leak from a physical presentation. In other words, when you buy something by physically presenting your card, they just swipe it or imprint it, and as far as I know, your mag stripe doesn’t store the three-digit CVC code from the back. Most likely, another site where I’d used the card online failed, and no one knows which one, and maybe we never will.
The second interesting question is: How did they verify that they had the right credentials for my card? First, a small transaction to JEFFREY (obscured), followed by a small one at Facebook, which they then reversed, and then the couple of bigger ones at Facebook. I guess they were hoping to do a bunch before I noticed.
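The sequence described above (a small charge, a small charge that is reversed, then larger charges at a merchant the cardholder has never used) can be checked for mechanically. This is an added example, not part of the original post: the `Txn` type, the three thresholds and the `known_merchants` set are assumptions, and the sample history uses the amounts listed above, oldest first.

```python
from dataclasses import dataclass

# All three thresholds are assumptions chosen for illustration.
PROBE_MAX_CENTS = 500   # a charge at or below this counts as a possible probe
ESCALATION = 10         # a follow-up this many times larger counts as escalation
WINDOW = 5              # how many later transactions to inspect

@dataclass
class Txn:
    merchant: str
    cents: int          # negative values are reversals

def card_testing_alerts(history, known_merchants):
    """history is chronological. Returns one (probe_idx, charge_idx, reason)
    tuple per probe that is followed by an escalating charge."""
    alerts = []
    for i, probe in enumerate(history):
        if not 0 < probe.cents <= PROBE_MAX_CENTS:
            continue
        if probe.merchant in known_merchants:
            continue    # small purchases at a usual merchant are normal
        later = history[i + 1 : i + 1 + WINDOW]
        was_reversed = any(
            t.merchant == probe.merchant and t.cents == -probe.cents for t in later
        )
        for j, t in enumerate(later, start=i + 1):
            if t.merchant in known_merchants:
                continue
            if t.cents >= probe.cents * ESCALATION:
                reason = ("probe reversed, then large charge" if was_reversed
                          else "probe, then large charge")
                alerts.append((i, j, reason))
                break   # first escalation is enough to alert on this probe
    return alerts

# Amounts from the account above, oldest first.
STOLEN_CARD = [
    Txn("JEFFREY (obscured)", 252),
    Txn("Facebook", 101),
    Txn("Facebook", -101),
    Txn("Facebook", 6052),
    Txn("Facebook", 5000),
]
# Constructed benign history: small and large purchases at usual merchants.
NORMAL_USE = [Txn("Coffee Shop", 350), Txn("Grocery Store", 8000)]
KNOWN = {"Coffee Shop", "Grocery Store"}   # constructed merchant history

if __name__ == "__main__":
    for alert in card_testing_alerts(STOLEN_CARD, KNOWN):
        print(alert)
```

Both small charges are flagged against the $60.52 charge, and the Facebook probe carries the stronger "reversed" reason, while the constructed everyday history produces no alerts.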
What this all really means, however, is that we have to be careful. If they can nail my card, they can nail yours, because no matter how careful you might be, you’re only as safe as each and every website that you ever buy from.
If you’re going to buy things online, it’s a really good idea to get a small-balance credit card for exactly that purpose. Credit card purchases are protected by federal law (http://www.ftc.gov/bcp/edu/pubs/consumer/credit/cre16.shtm), and at least there will be a limit on how much they can steal if they get your card.
Using a debit card online is not a great idea. Oh, and watch your bank account closely.
In my next post, I’ll share more lessons learned from a similar experience that followed soon after this debacle. Stay tuned for more information, and keep safe, folks.