Am I Just Having Bad Luck or What? Compromised Cards

It is so hard when this happens during a trip to a foreign country. We had new cards shipped to us in Italy by overnight FedEx at bank’s expense.. When in the US, we have fraud on our cards a couple of times a year. CapitalOne and WellsFargo. Both banks have found the fraud quickly, canceled the card.
It seems odd that the fraud is happening in the US while you are in Europe.

I guess the Capital One card must have been compromised in Europe if that's the only place you ever use it--i.e., it's not stored on Amazon's website or anything like that?

I have had credit cards compromised multiple times, but it has always happened in the US. Never a problem with an ATM card.

I suppose there may have been a skimmer and a camera--or whatever the crooks are using these days--installed on the airport ATM. I can see that an airport would be an attractive location for number theft since the ATM is probably very heavily used, and by people who are on the move and may not figure out there's a problem as fast as they would at home.

I do take a look at an ATM before I use it, but I am by no means certain I would recognize a hardware alteration if there was one present. You can go to YouTube for videos on how to spot modified ATMs.

Capital One had a massive data breach last summer:
A hacker gained access to 100 million Capital One credit card applications and accounts.
That might have something to do with it.

I am not sure this will be any consolation, but it could have happened just as easily in the states as well. I have had my Citicard compromised three times in the last 4 months. It started with an AAdvantage card, I went to their new Mile up card and it has happened twice more. I have changed every password and done all I can do on my end. What scares and frustrates me is that they send me a new card and that one is compromised within a month. I have decided to give up the card (although they are insisting on sending me a new one.) I will activate the new one, put it in the safe, and then see if it is compromised. When I talk to them they always say it was something I did.

"When I talk to them they always say it was something I did."

Oh Connie. That would just totally p*ss me off. I think your plan is good - activate and store it.

Agree with Pam, Connie. I would be mad if they tried to blame it on me. With my debit card, I had notified the bank where I would be using it so I feel that was a bit their fault. I guess I am surprised how much of a non-issue it seems to be with them. I guess fraud is a lot more common that I imagined.

what is safe to use when traveling?

I try to use ATMs that are inside bank premises, during banking hours - when I can make that work with my travels. I feel more secure, personally. But also, along the same lines stated above where some ATMs may be more attractive as targets for bad actors, perhaps ATMs inside the bank lobby/vestibule are less attractive.

And then, to your point and as you do, I carry multiple cards in the event that one is compromised.

Oh so sorry, Leslie! I had three issues in about as many months in late 2018. The first was my Advantage card, but then it was my Cap One. And then a few months later, it was my new Cap one number. No one tried to blame it on me, though, and neither company tried to offer me reasons or suggestions, either. It had never happened before and the. to have it happen 3 times with 3 numbers was a little crazy.

I live in Florida and card skimming at a gas pump is common enough that I'm not an outlier for having to replace cards 3-4 times because they got skimmed there. Still, the last card fraud problem I had to deal with was traced to a data breach at the third party system my county contracted to process water-sewer-trash bills and a few months lates, I got a call from AmEx's fraud department asking if I'd just bought breakfast at a Tim Horton's in the Greater Toronto Area (because even scammers need their Timmies) and had made 20+ small charges at itunes, Amazon and the like.

I no longer post anything on FB while I’m away. A card I once tried to use on small overseas airline whose website made me uncomfortable was hacked the day I posted that we were on our way to Cuba. Did someone in that country get the info from the airline website and wait for me to be away!

Leslie,

It seems like too much of a coincidence that two of your cards issued by different financial institutions were compromised at about the same time. It's also odd that one of the cards is only used occasionally on trips to Europe. That sounds more like an identity theft scenario. The first question that occurred to me is who might have access to your card numbers, and who knew you were away in Europe?

Some of my credit cards are now allowing card holders to deactivate cards or perform other functions right from an App on their smartphone. I haven't used that feature yet, but it's a good one to have.

It could be someone 2 faced close to you also,; happens all the time.
Some knucklehead stole my card number when I ran a tab in Washington D.C. at a bar where all the government workers go.

I no longer post anything on FB while I’m away.

Which in a way indicates that you're away.....

When I want to check if my favourite restaurant is open and Marco the owner is doing the cooking, I check his FB page, if he has not posted anything in a few days, it means he is away.... at this stage pretty much everyone in the town knows this.

I'd say you've had good luck in having had so very incidents....

Cards can be compromised any where along the processing line these days, so it is very difficult to say where or when the actual event occurred. You can go into a store in the US and do a transaction, but the store might be using a cloud service in Dublin or Frankfurt to store their data (they may not even know where it is stored), that might be hacked by someone in Australia who holds the data for a while before selling it to someone who tries to use it.... there is just no way of knowing.

I don't know how it is in the US now, but here in Europe we have the possibility to enable two levels of authentication. When I use my card, I need to authorise the transaction from my mobile phone for it to actually get processed. Last week one morning I woke up to find a request to authorise a payment of $700 to a shop in Hong Kong at 3:00am and since I did respond within the time it was blocked. So that seems to work for the moment.

I remember reading (perhaps even here) a few years ago that most card-number thefts in the US occurred at restaurants when cards were taken away from the table to be run. Plenty of time at that point to put the card in a second device. Card technology has changed since then, so the restaurant thing may no longer be true.

Leslie, this was your debit card, not your credit card, right? Were the fraudulent transactions done "as credit", i.e., no PIN? That was a clue to my bank, since I never use my debit card as credit. I thought the Chips were supposed to prevent that. If they were debit transactions, that means they had your PIN too, right?

I've had several events like this happen in the US, to the point where I only use my debit card at a few regular places at home (one of which got hacked) and have reverted to cash for most small things. The fraud people told me that the skimming or hacking could have occurred months before the attempts. It may have been just a coincidence that you were overseas at the time someone bought your number off the dark web and tried to use it.

@acraven, that restaurant thing happened to my sister-in-law. Police told her they suspected an employee was taking photos on phone of the fronts and backs of cards, and instantly sending them somewhere (Mexico in this case) where they were making fake cards.

@stan Yes, it was with my debit card. I went back and checked and it just says "card" for the three transactions. On all my other purchases, it shows "method' and then says things like "in person, online etc" those three don't show that. I was surprised the bank didn't notice it as they are usually good about it. The transactions all took place on the same day, at the same time and at the same place for $250, $250 and $273.44. Plus, I had notified the bank (Chase) that I would be out of the country on those dates. Luckily, they were quick in dealing with it and I had the money back the next day. The only hard part was this was right at the beginning of my trip and so as the card was canceled, I had very little cash for the remainder.

Just wanted to thank everyone for their responses. I guess it is more common than I realized. I always thought the biggest worry was that the ATM wouldn't give me any money.

couldn't be both places at once

It would be a simple matter to use an ATM at Schiphol and then be at a Sam’s Club in Michigan the same day, never mind the next day. There are 3 flights that leave AMS and arrive Detroit the same day by 6pm.

As to Capital One it’s easy to set up alerts, text, email or both, notifying you when a card is used. I have often gotten both and saying they are holding a charge until I manually approve it.

Hopefully things have changed, but certainly a couple of years ago it was common that if your card details were stolen in western Europe then the first place they'd be used illegally would likely be the US. That's because the US had a fairly third world banking system in terms of security where you could use the (fake) card without knowing its PIN.

@Tom_MN I guess I am lucky that my bank believed me.. And, I do have alerts set up on all my accounts. In my original post, I stated that CapitalOne had notified me with a text about the pizza charges.

Oh right it was a Chase account for the debit card.

It was probably just bad luck. For foreign travel I carry 2 debit cards just used for travel only with $1000 in each. I expect to charge nearly everything. I don’t bring my home bank debit card. Also Chase debit charges foreign fees so not a great choice.

Ha,ha right @emma especially not in basic economy.

For convenience more than anything else, the primary card I use whilst traveling has transactions by magnetic stripe and online disabled, allowing only PIN and contactless ( I can turn the latter off too as needed). No idea though if there are USA banks within this kind of option.

We minimise the risk, although cannot completely avoid it. Hit the ATM for euros, and pay cash for everything.

No one is flying from The Netherlands to use card data in Michigan

My point was there are many people every day who use their cards at Schiphol and their cards in Michigan the following day, so hardly an impossibility as stated in the OP.

THis happens yearly to me around June every year...I was starting to wonder if it was booking.com, because June is often when I have just returned from a trip. But I know once, the number (credit card) was stolen by a florist in Seattle (UW graduation weekend). But this was the most annoying time...I called the Visa company to let them know there was a $1000 online shoe charge that was not mine. They said "okay." Later, I got notice that I would be responsible for the charge so I called them:

Me: "Why am I being held responsible for this charge? I notified you quickly that it wasn't mine and you sent new cards."
Visa Girl: "We have contacted the delivery group who have a signature for delivery."
Me: "Well, were where they delivered?"
Girl: "Ummm...Texas"
Me: "And...look at my address...Where do I live? I don't know anyone in TX and didn't ship $1000 of shoes there."
Girl: "Oh...yeah. Sorry we'll reverse the charges."
Me: "So you have the address and signature of someone committing fraud. Why don't you go after them"
Girl; "Oh that costs us way more than just excusing the charge."

And there's the real problem...it is seen as "the cost of doing business."

As per above @emma is right and it doesn’t even take criminal groups all the work to actually place moles inside banking and financial centers.

It’s not that difficult to recruit disgruntled employees that’ll do anything to get back at their employer. At my former employer ‘very large US financial institution’ I saw this twice. It’s easy enough to trick some low level employee with social manipulation into thinking they’re getting back at the system by installing some software on their computer. Some Eastern European and Russian criminal groups used the Occupy Wall Street movement to find some angry employees who were stuck in jobs they hated and getting little to no raise while the executives got massive bonuses.

remember reading (perhaps even here) a few years ago that most card-number thefts in the US occurred at restaurants when cards were taken away from the table to be run. Plenty of time at that point to put the card in a second device. Card technology has changed since then, so the restaurant thing may no longer be true.

No, this is the US. Nothing has changed. Any time I eat at a restaurant and pay by CC, the server takes the CC to run it somewhere unseen.

Even with the poor implementation of chip technology by US based banks, overall fraud has gone way down for credit cards. But card-not-present fraud (phone and internet purchases) has gone way up compared to cloned card fraud (gas station and other purchases where a physical card is required). So as long as they have your card number expiry date and that code off the back of the card, criminals can shop till they drop.

And unfortunately, the statement by the customer service person that it costs too much to pursue the criminals is true. By the time the police would go to the house where the goods were delivered, they would find an empty house with no forwarding info. The house was probably empty to start with and the recipient of the stolen goods only there long enough to sign for the delivery. Or they delivered to someone who is completely unaware of what is going on and then the criminals dropped by their "neighbor's" house to collect their merchandise. Criminals are just too smart sometimes. I miss the days when the credit card companies would not authorize a payment if the delivery address didn't match the cardholder's address on file.

But card-not-present fraud (phone and internet purchases) has gone way up compared to cloned card fraud (gas station and other purchases where a physical card is required). So as long as they have your card number expiry date and that code off the back of the card, criminals can shop till they drop

This shouldn't have come as a surprise as this is what has happened where we of magstripe has been eliminated. That's what 3D secure was designed to counter. Again though USA card issuers seem to prefer to stand the loss, despite inconvenience to cardholders.