Credit Card fraud - restaurants/servers...

I remember reading about a scenario where a server will run the customer's credit card through a magnetic copying mechanism before running it through for the bill - thus being able to replicate a copy of a customer's card. I was unable to find it, so perhaps it was on Chowhound. Nevertheless - the Wife was victim to this at some point recently, as someone in Seoul, South Korea tried to charge nearly 10k worth of goods to her card this weekend. The bank luckily blocked it before confirming the charges, but it was disturbing nonetheless.

Anyone else dealt with this? If so, what can really be done? It seems as though this is a pretty clear loop hole in the world of CC Fraud - as it's often impossible to watch your card the entire time in a restaurant.

It's also frustrating because there is no way of knowing which restaurant jacked the number.

Luckily, your liability is reduced to near zero, it's only the pain-in-the-assness of the whole process.

The credit card companies have little incentive to stamp out all fraud, it's too costly, and they have very little liability themselves.

The ones who get truly hosed are the merchants. If that place that had the order for $10K of electronics had shipped them, they'd be out with no recourse except to try to sue the person to whom they shipped.

My wife's biz gets submissions of very shady credit cards on a regular basis. There's a handful of countries (incl. Singapore, Nigeria and Romania) from which we won't ship product without a photocopy of the credit card. The billing address is often the 'real' address, and the ship-to is in the middle of nowhere. There's not even a way to report your suspicions.

Are you sure it was at a restaurant that the number was stolen? There are a ton of different ways it can happen. I had one a few years ago that was comprimised after some people cracked into an online retailer where I had bought something months before. $600 in online sports betting later, I got a call from my bank.

Anyway, you probably aren't liable for anything. I wasn't.

JoelF wrote:Luckily, your liability is reduced to near zero, it's only the pain-in-the-assness of the whole process.

The credit card companies have little incentive to stamp out all fraud, it's too costly, and they have very little liability themselves.

They do have some incentive -- high levels of fraud makes people less likely to use their card, and large retailers might stop allowing cards from networks that have a higher than expected incidence of fraud.

The statistic they trotted out today on a piece about credit card fraud on NPR was that $0.05 out of every $100 charged is fraudulent, down from $0.10 10 years ago.

One very large e-commerce site I once worked for had a massive anti-fraud algorithm. It was very good at sorting likely fraud to the top of the pile for humans to review. Visa, Mastercard, etc, are all doing their fraud detection in near realtime. When the merchant tries to authorize the request, Visa does their whole fraud checking thing in about 2 seconds and either approves, rejects, or flags for review by a human.

That's why you'll sometimes get a call the next day asking if you really did buy that $2000 powerbook.

I also wonder why you believe your CC# was stolen by a restaurant. Considering that the news of the last couple months has been filled with stories of personal information being compromised by sloppy data management practices of the credit issuers themselves (Citigroup sends your info to a credit bureua on unencrypted tapes via UPS?!?!?) I'd think there's a heck of lot more chance your info was lifted by something other than a restaurant. Is there a particular restaurant you suspect or something (and why)?

Kman wrote:I also wonder why you believe your CC# was stolen by a restaurant. Considering that the news of the last couple months has been filled with stories of personal information being compromised by sloppy data management practices of the credit issuers themselves (Citigroup sends your info to a credit bureua on unencrypted tapes via UPS?!?!?) I'd think there's a heck of lot more chance your info was lifted by something other than a restaurant. Is there a particular restaurant you suspect or something (and why)?

Honestly - the only reason I believe it was a restaurant is because the bank fraud department said that was the likely culprit. Having read about it here before, I just went with it. It's absolutely a possibility that someone took this info online - I guess I was under the assumption that they had to physically posess your card to make duplicates of this nature, rather than just the numbers, which would open it to all online purchases and such.

We are going to review the last couple months of purchases on the card (it is actually a Debit Card), as it is brand new (old number, new exp date), only a handfull of purchases so far. I doubt I'll be able to pinpoint one thing, but perhaps it'll give me some ideas of where it may have happened.

Is there a particular restaurant you suspect or something (and why)?

Hi,

If you are going to name names, then maybe it is appropriate to report your issue to the police or another authority rather than a food forum. Otherwise your problem is an interesting one where we can all learn something from.

We keep our receipts and match our expenses to the bill. Every once in a while we get the unusual charge. Once it was a men's store in Atlanta. When the credit card company asked if maybe the gentleman of the house made a purchase, we laughed ourselves silly. Nothing on his back is purchased by him. On another occasion, we had a charge for scuba equipment in Australia. In both cases, the credit cards were closed, the amount wiped off our bill and shortly thereafter new cards were issued.

A few years ago, Yourpalwill purchased a gift card at a restaurant. When he checked his account online he found there was a 20% tip added, which really alarmed him. It turns out this 20% is added automatically by the credit card company. Later the restaurant does a reconciliation and the tip is dropped all within a few days. If Will was not so alert in following his financial records, then it probably would have been resolved without his notice.

My sister had an ATM card which was useable on the VISA credit card network. Someone stole her ATM card and cleaned her bank accounts latched to this card via VISA debit card purchases, which didn't require a pin code. Her bank returned the money to her account, though it was a very unpleasant surprise to find herself momentarily penniless. From her experience, I dropped the credit card convenience from my ATM card, now it is just a plain Jane ATM. Good enough for my purposes.

Regards,

You'd be surprised what you can buy online, and I don't mean legitimate goods.

Some cards are sold with the full number, expiration date, billing address, CVV (the 3 digit code on the back), and a username and password to login to the bank's website. Most don't have that much detail, but it's more common than you'd hope.

Is it at all possible that you or your wife fell victim to a phishing scam, where you get an email apparently from your bank, asking you to confirm your account information lest you get locked out? That's a really common way to do it, and some of the phishing emails can be very convincing.

If the online purchases were with really big retailers, like Amazon, I'd suspect it wasn't from there. But if you've bought something from smaller places, they might not have the best security practices in place.

Also, since it's a debit card (and presumably also an ATM card) there are devices called "skimmers". They're basically false fronts to ATMs that record the contents of the magnetic strip as the card is inserted for a fraudster to retrieve later. Sometimes they're able to retrieve the PIN, also. This is much more common than you'd think, especially at outdoor, independent ATMs, like the non-bank-affiliated ATMs stuck on the outsides of restaurants.

-ed

In some countries, the servers have portable credit card terminals, so they scan the card as you watch and return it to you immediately so that it is never out of your view. Nice system.

But there are so many methods to get ripped off these days. A friend had her identity stolen and it was two years before she became aware of it when the police showed up with a warrant for her arrest. The enormous amount of time and effort to restore her good name and credit were small compared to the emotional price she paid. As a result, I signed up for Equifax Credit Watch which emails me any time a credit inquiry or application is made or my balances exceed certain specified limits. It isn't cheap, but I have a discounted family plan to cover everyone. But after seeing how much agony my friend went through, it is a small price to pay. There are still countless ways I can be ripped off, but I think the credit watch plugs up a big hole.

Bill/SFNM

My card that was comprimised was a Debit/ATM card as well. The worst thing was that my bank covered the overdraft, and then charged me for it. So not only was I momentarily out the $600, but I was overdrawn and supposedly owed them $35 in fees.

I ended up not owing anything, but it was really annoying.

-ed

gleam wrote:You'd be surprised what you can buy online, and I don't mean legitimate goods.

Some cards are sold with the full number, expiration date, billing address, CVV (the 3 digit code on the back), and a username and password to login to the bank's website. Most don't have that much detail, but it's more common than you'd hope.

Is it at all possible that you or your wife fell victim to a phishing scam, where you get an email apparently from your bank, asking you to confirm your account information lest you get locked out? That's a really common way to do it, and some of the phishing emails can be very convincing.

If the online purchases were with really big retailers, like Amazon, I'd suspect it wasn't from there. But if you've bought something from smaller places, they might not have the best security practices in place.

Also, since it's a debit card (and presumably also an ATM card) there are devices called "skimmers". They're basically false fronts to ATMs that record the contents of the magnetic strip as the card is inserted for a fraudster to retrieve later. Sometimes they're able to retrieve the PIN, also. This is much more common than you'd think, especially at outdoor, independent ATMs, like the non-bank-affiliated ATMs stuck on the outsides of restaurants.

-ed

Phishing is out - didn't happen via email. As far as online purchases, it seems that there were zero since she got this new card (w/ new Exp. Date). In fact, there have been an extremely limited number of purchases total. The ATM scenario is possible as well.
Should be interesting to review the activity and try to single something out, but I don't plan on broadcasting any suspicions on here. At best it would be a good guess. I do plan on using a lot more cash in the future all around, and limiting card usage online.

You can disable the credit function on your debit card (okay, it's been two years since I've been abroad, so doublecheck that).

NPR had (for once) a nice story today on the morning show about how Artificial Intelligence) works to foil this. I can personally attest, dating back to the millenium, where a restauranteur put a fraudulent claim on our card. We had been travelling in Spain already for a week, and had used the card plenty, but upon leaving Ronda our card was refused, and upon arriving in Sevilla we wanted to straighten it out.

It was a clear case as is outlined in the NPR story this morning, which I am sure is available on line. It was a minor inconvenience, and it cost us ninety cents in phone fees, which were from the hotel, since we had to hook up to the 800 number through their switchboard.

But there are so many methods to get ripped off these days. A friend had her identity stolen and it was two years before she became aware of it when the police showed up with a warrant for her arrest. The enormous amount of time and effort to restore her good name and credit were small compared to the emotional price she paid. As a result, I signed up for Equifax Credit Watch which emails me any time a credit inquiry or application is made or my balances exceed certain specified limits. It isn't cheap, but I have a discounted family plan to cover everyone. But after seeing how much agony my friend went through, it is a small price to pay. There are still countless ways I can be ripped off, but I think the credit watch plugs up a big hole.

Alternatively, collect your free annual copy of your credit report to review. I know someone in the banking industry who obtains it twice a year.

Regards,

I just finished my first year in the Masters of Information Technology and Privacy Law at John Marshall Law School. I second the notion that there are myriads of ways for credit card information (as well as a host of other personal information) to be compromised.

A semester long project in my Information Law and Policy class last semester was to compile a dossier on myself. Wow! It was eye opening; everything from all eight Chicago addresses and phone numbers I have had to grade school grades...(the dreaded Permanant Record!) What was once the domain of the fedora wearing private dick can now be accomplished with some deft keyboard strokes.

Fundamental changes in the banking industry such as the use of biometrics, (which of course is another invasion of privacy that can be abused) to a time stamped unique number along with a PIN as some European and African banks use would be a start, but social engineering (AKA sweet talking/conning) alwys has been around.

One caveat on the free credit reports. Generally they will have errors. Nothing major, but something to get you sign up and then pay for the opportunity to correct something that you might not really need to be concerned about. So be aware, always save your receipts and cross check them with your bills and invest in a shredder.

Four weeks ago, one of the department managers bought four pizzas in Crystal Lake at one of the pizza joints. He used a personal Visa card to make the purchase and then he left for a couple of weeks in Canada.

When he returned, he checked his account on-line to find out that about $1500 in additional charges were made in Crystal Lake and Lake in the Hills at a variety of retail establishments - auto parts stores, etc. He has all the local police departments working on it and they are close to identifying the perpetrator(s).

He was surprised at how excited the local departments were to address the issue. He has met with several detectives and has received a lot of follow-up as to the status of this investigation. Thay are convinced that the card number was stolen at the restaurant.

I have always been surprised that more merchants don't request IDs at the point of purchase. Both in London and in Canada that is almost a given that they'll check your ID regardless of whether you signed the credit card.

jlawrence01 wrote:I have always been surprised that more merchants don't request IDs at the point of purchase. Both in London and in Canada that is almost a given that they'll check your ID regardless of whether you signed the credit card.

This isn't directed specifically at you, since you didn't mention it, but:

A lot of people sign the back of their credit cards with "CHECK ID" or something similar. It generally doesn't work, but, more importantly, it technically means your card is invalid. Signing the back of the card isn't for security purposes, at least not officially. In reality, you're signing a contract. It means you've read and agreed to the provisions of the cardholder agreement.

Merchants are supposed to reject unsigned or mis-signed cards, but they never do. Just like they virtually never ask for ID.

Gleam,

The average bankcard is issued for about two years. I swipe the card at a minimum of 2-3 times a day. After about three months or so, the signature strip is obliterated. In fact, I have to remember the security code for internet purchases as it is long gone.

I have implemented credit/purchasing cards through several banks and American Express so I am intimately aware of all the security features (including some very recent ones). Most banks stronly encourage the merchant to check the signatures and the IDs. Chase is more of a stickler than most on that. In fact Chase and Citibank were among the first to use the photo ID approach.

Signing the card IS meant to be a security feature per a lot of the training materials through AMEX and the bankcards.

Indeed, and I'm grateful when they do check ID or the signature. My point was that signing "CHECK ID" instead of your real name was a violation of the cardholder agreement.

And that, in reality, most merchants don't check ID or the signatures. I can't recall the last time it happened to me.

Along those lines, here's some entertaining, if somewhat depressing, reading:

The credit card prank
The credit card prank II

Now that you are really depressed, I saw a number of receipts from British Columbia and South Texas on recent trips where the merchants are still printing out the ENTIRE 16 digit account code, Doesn't that make you feel good??

As a former restaurant manager I ran into another popular scam. The server would take a credit card for payment of a tab. Then they would wait for a large dollar cash tab and use the credit card information to close out that tab as well. It took about a month to figure out what was going on because people were not checking their statements. About $2000 was lost by the restaurant because of this one server. Needless to say he was caught and prosecuted for the crime. After that incident certain security measures had to be put into place.

Flip

jlawrence01 wrote:Now that you are really depressed, I saw a number of receipts from British Columbia and South Texas on recent trips where the merchants are still printing out the ENTIRE 16 digit account code, Doesn't that make you feel good??

I have noticed that many restaurants in Chicago are still doing this. I most recently had this happen at Semiramis. I try not to spend too much time worrying about such things, but it still makes me a little nervous. I just make sure I check my info on a regular basis.

Flip, I am former restaurant manager for a large Texas chain. Another popular server scam at the time was keeping a copy of a receipt and go to a bar/restaurant/retail outlet were their friends worked. They would then use the number to manually enter payment. They would rack up quite a bill before getting the card shut down.