I’m no stranger to credit card fraud: in the past my card was cloned and the details stolen in a retailer hack. But I thought a card I had never used would be safe from the threat of crime. I was wrong.
Even if you lock your credit card in a safe the moment it arrives, you can still be the victim of criminal charges. But how can criminals steal your card details if you’ve never even used them?
At 10pm on a quiet Thursday evening in January, I received a text from my bank, Halifax, saying my credit card had been used at Domino’s Pizza for an order of £30.67.
After 30 minutes of waiting on an extremely busy line to Halifax, the customer service representative asked me why I had called. “Fraud,” I said. “Domino’s?” he answered. Obviously, I wasn’t the only one paying for someone else’s takeout.
In fact, the UK seems to have been in the throes of a takeaway fraud boom. Recently, a colleague’s card details were used to order £300 worth of takeaway in the Andover area in a single weekend.
This week, thousands of First Direct customers discovered their cards had been used to order chicken dinners at Nando’s. Tell your friends or family that your card was used by scammers to buy takeout, and you’ll soon learn you’re not alone.
In my case, Halifax froze my card to avoid further charges, and the next morning the card was canceled and the charges marked for refund. Three days later, a replacement card arrived on the doormat. After activating it, I stored it safely in a drawer. The next day I checked my statement to make sure the pizzas had been refunded – only to discover to my horror seven new fraudulent charges totaling £465 – all on my new card. It wasn’t at Domino’s but at an unknown sportswear company in the Midlands.
Since I had activated the card only 16 hours before, hadn’t used it, hadn’t entered the new number into Apple Pay or any other service, it hadn’t left the house and no one else had access to it, how the hell had anyone spent money on it?
I’m not the only person who has asked this question recently – this week Guardian Money reader Phoebe Maddrell got in touch to say her debit card details had been used for fraudulent transactions even though she had never used the card – either online or in person.
In my case, the Halifax Fraud Investigations Team said I had been the victim of what is called a “guesswork attack”, where an organised criminal gang calculates the card number and expiry date. They didn’t need the card number to have been stolen in a hack or a physical theft, and could use it as soon as it was activated.
Looking at a bank card’s 16-digit card number and four-digit expiration date, you could be forgiven for thinking the combination would be too complex to just guess. Unfortunately, that’s really not the case.
“The first thing to realize is that you’re not guessing the full 16 digits at random,” says Jake Moore, global cybersecurity adviser at Eset. “The first six digits of a credit card number signify the card network and the issuing bank, while the last digit is the Luhn’s algorithm checksum.
This means they only have to guess seven digits, while Luhn’s last digit checks if the rest of the card number is valid. The checksum was originally designed to help spot manual input errors, such as mistyped numbers or transposed sequences, but it can also be used by criminals to verify that a number might be real.
“There are websites that have Luhn checkers that help find these numbers in a short time, or even no time, making the odds of locating a card in use relatively high,” Moore says.
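The Luhn check Moore describes is an integrity check, not a secret: it catches keying errors but rejects only nine in ten random strings. The validator below is an added example (not code from the article or from Eset) that verifies a number and then confirms the two error classes the checksum was designed for; the card numbers are constructed test values, not real cards.

```python
def luhn_valid(number: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) checksum.

    Spaces and dashes are ignored so formatted input can be checked as-is.
    """
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) < 2:
        return False
    total = 0
    # Walk from the rightmost digit (the check digit); double every second
    # digit from the right and fold two-digit results back into one digit.
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def detects_single_digit_error(number: str) -> bool:
    """True if every single-digit substitution in a valid number is rejected."""
    for pos, orig in enumerate(number):
        for repl in "0123456789":
            if repl != orig:
                changed = number[:pos] + repl + number[pos + 1:]
                if luhn_valid(changed):
                    return False
    return True


def detects_adjacent_transposition(number: str) -> bool:
    """True if swapping each adjacent digit pair is rejected.

    Equal digits are skipped (no change), as is the pair 0/9, which is the
    one adjacent swap the Luhn algorithm is known not to catch.
    """
    for pos in range(len(number) - 1):
        a, b = number[pos], number[pos + 1]
        if a == b or {a, b} == {"0", "9"}:
            continue
        swapped = number[:pos] + b + a + number[pos + 2:]
        if luhn_valid(swapped):
            return False
    return True


if __name__ == "__main__":
    # Well-known test numbers, not real cards.
    for n in ("4111 1111 1111 1111", "79927398713", "4111111111111112"):
        print(n, luhn_valid(n))
```

Because any 16-digit string has a one-in-ten chance of passing, a validator on its own never proves a number is real; it only prunes obvious non-candidates, which is why the CVV and issuer-side checks discussed next matter.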
Once a criminal gang has a potentially valid credit card number, they can then try it out to see if it’s in use. The Card Verification Value (CVV) – the three digits typically printed on the back of the card in or next to the signature strip – helps prevent this type of attack by placing an additional burden on criminals.
“There are, however, many websites – often located outside the UK – that accept card payments without the need for a three-digit CVV number or any other proof of identity,” says Moore.
Banks and card companies have implemented sophisticated technologies to detect and prevent these types of attacks in real time, using certain characteristics of each transaction. Reports made after the fact help fine-tune these systems so they can block more attempts.
Criminals typically target websites that handle large volumes of low-value transactions, making it harder to detect fraud among the hundreds of thousands of genuine purchases.
Once an attack is identified, additional checks are put in place to block it and prevent similar frauds, but some transactions will get through before those checks catch up.
In my case, Domino’s asked for the CVV of the first card, but that too was guessed, allowing two of the transactions through before the rest were flagged by the Halifax systems. Takeaway businesses appear to be targeted because they routinely handle low-value purchases without the card being present. Criminals use the card details to make a series of quick purchases until the card is blocked.
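Two of the transaction characteristics the article points to are a burst of low-value purchases on one card and a card that has never been used suddenly being charged card-not-present soon after activation. The rules below are an added illustration of that kind of issuer-side check, not Halifax’s or any bank’s actual system; the thresholds, field names and sample transactions are all constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Txn:
    card: str          # masked card identifier (constructed)
    when: datetime
    amount: float      # in GBP
    merchant: str
    cvv_checked: bool  # did the merchant submit a CVV for verification?


def burst_alerts(txns, window=timedelta(minutes=15), max_count=3, low_value=50.0):
    """Cards with max_count or more low-value charges inside one sliding window."""
    by_card = defaultdict(list)
    for t in sorted(txns, key=lambda t: t.when):
        if t.amount <= low_value:
            by_card[t.card].append(t.when)
    alerts = set()
    for card, times in by_card.items():
        recent = []
        for w in times:
            recent = [r for r in recent if w - r <= window] + [w]
            if len(recent) >= max_count:
                alerts.add(card)
    return alerts


def fresh_card_alerts(txns, activated, grace=timedelta(hours=48)):
    """Cards whose very first charge arrives without a CVV check soon after activation."""
    first = {}
    for t in sorted(txns, key=lambda t: t.when):
        first.setdefault(t.card, t)
    return {c for c, t in first.items()
            if c in activated and t.when - activated[c] <= grace and not t.cvv_checked}


# Constructed sample transactions; no real card or merchant data.
T0 = datetime(2022, 1, 13, 22, 0)
SAMPLE = [
    Txn("card-A", T0, 30.67, "pizza-online", True),
    Txn("card-A", T0 + timedelta(minutes=4), 28.50, "pizza-online", True),
    Txn("card-A", T0 + timedelta(minutes=9), 25.00, "pizza-online", True),
    Txn("card-B", T0 + timedelta(days=1), 65.00, "sportswear-online", False),
    Txn("card-B", T0 + timedelta(days=1, minutes=3), 70.00, "sportswear-online", False),
    Txn("card-C", T0 - timedelta(days=30), 12.00, "grocery", True),
    Txn("card-C", T0, 15.00, "grocery", True),
]
ACTIVATED = {"card-A": T0 - timedelta(days=400),
             "card-B": T0 + timedelta(hours=8),   # first charged 16 hours after activation
             "card-C": T0 - timedelta(days=400)}
```

Run on the sample, the burst rule flags card-A (three sub-£50 pizza orders in nine minutes) but not card-B, whose charges are above the low-value cut-off; the fresh-card rule catches card-B instead, which is the point of layering rules rather than relying on one.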
A Halifax spokesperson said: “Thanks to our multi-layered fraud detection systems, we never stop fighting to prevent fraud, blocking the vast majority of attempts. Unfortunately, highly sophisticated criminal gangs never stop trying to breach our defenses and some frauds get through.”
This case has certainly made me reconsider how many bank cards I hold and why. Every time I open an account, another card comes along that could make me a victim of fraud even if I never use it. Credit card fraud cost the UK £574.2 million in 2020, according to data from UK Finance, including £376.5 million from e-commerce fraud. While banks refunded 98% of customers and prevented a further £983m of fraud during the year, there is always a risk of it happening to you.
What can you do to protect yourself?
It’s hard to protect against a guessing attack, but there are things you can do to avoid the damage they cause.
Never approve a transaction you weren’t expecting. Measures to comply with the new strong customer authentication regulations are being phased in ahead of the March 2022 deadline. These will generally require customers to verify certain transactions via a one-time password sent by SMS or a banking app for about one in four online transactions.
Most card issuers allow you to temporarily freeze or disable some or all of the card’s functions. These include blocking transactions outside the UK, online or over the phone, in person or contactless. Freezes do not stop recurring transactions, direct debits, or transactions where merchants do not request verification from the bank, such as public transportation.
Report the fraud to your bank as soon as you spot it. Moore says, “I always advise people to check their bank statements regularly, even daily, to spot any discrepancies. If the card details are stolen and slip through the net a small number of times, these cards indeed become very valuable and can be used many times, even for years, without arousing suspicion.”
“I’m afraid something strange is going on”
Herefordshire’s Phoebe Maddrell was one of thousands of First Direct customers hit by fraudulent spending at fast food chain Nando’s.
She received a message on the morning of February 17 asking for a payment of £42 on the debit card linked to her account. She saw it when she woke up and replied that she hadn’t made the payment.
“I then logged into my online banking and saw that there were several transactions through Apple that I didn’t recognize,” she says.
“I opened the account last June to save. I never took the card out of the house; it was never used at a retailer.”
Maddrell immediately contacted the bank and was informed that Nando’s transaction had been blocked, the card would be canceled and Apple payments would not be debited from her account. However, later that day the Apple payments were made.
“I’m really worried that something strange is going on,” she said. “There is no way the fraudsters could have obtained the card details from anywhere. Unless somehow these were violated when the card was mailed to me.”
Maddrell’s bank did not shed light on how the fraud happened, saying it could not for security reasons, but said there was no data breach.
The bank says Maddrell will be fully reimbursed and won’t need to speak to the fraud team.
A First Direct spokesperson said: “We are aware of some unauthorized low value retail transactions appearing on a small number of our customers’ cards.
“We want to reassure affected customers that they will not be left behind and we apologize for any inconvenience caused.
“We take the safety of our customers very seriously and will be contacting affected customers in the coming days.
“We advise customers to check their statements regularly and contact us if they notice any suspicious activity.”
Maddrell complained to the Information Commissioner’s Office about her case, and to the Financial Ombudsman about First Direct’s refusal to explain how the fraud happened and because she was unable to reach the fraud team promptly and was told there was a four-week wait for a call back.