Monday, November 23, 2015

Cunning payment card fraud, or just a random glitch?

I have a strange tale to tell. I am sharing it here because I honestly don't know if it represents a simple computer glitch on the part of a bank or payment processor, or it it represents a breakthrough in payment card fraud. I have intentionally kept the dates and amounts approximate rather than exact, and am not doxxing the other party in this event, but otherwise what follows is a reasonably detailed sequence of events.

In early September, a charge I did not recognize appeared on my Chase credit card. I figured my card number had been taken in the latest Point of Sale card breach, so called Chase to report the fraudulent use. I expected they would identify it as fraud, close my account, and issue me a new card, as has happened 3 or 4 times in the past few years.

As I have written before, this type of fraud doesn't really bother me much - it's a bit annoying, but I've taken a few steps to limit any real consequences to me. This guide to financial fraud prevention explains what I do, and what I recommend my readers do too. By purchasing with credit cards and never debit cards, setting up transaction alerts by email or text message, and keeping a fraud alert on my credit report, I ensure that any card fraud is the bank's problem and not my problem.

Today's tale begins with an aforementioned transaction alert.

One day in early September I received a message from Chase, informing me of an online (aka "card not present" or CNP) transaction for approximately $85, from STUBHUB, INC.

StubHub is a clearinghouse of sorts for event tickets. It is especially popular as an aftermarket way to buy or sell tickets to sold-out concerts and sporting events, neither of which are high on my family's list of common activities.

I had not bought anything that day, and StubHub purchases seemed a bit out of character for my wife, so I checked with her to be sure. Unsurprisingly, she had not bought anything that day either.

My next call was to StubHub themselves, since the transaction had just occurred. By taking advantage of bank-provided alerts, I have more than once intercepted a fraudulent charge before the product was delivered and had the order cancelled. I wrote about one case in detail a few years ago - and was highly impressed with Walmart's quick and professional handling of that case.

Unlike the incident with Walmart, however, StubHub had no record of me as a customer. More surprisingly, they had no record of a transaction using my credit card number.

As an aside, I did give StubHub's fraud investigator my full card number to search for transactions. By that point, I was relatively sure my account had been compromised and that I would be getting a new number soon. I decided the risk of giving my card number to a customer service agent was low, and it was the most expedient way for them to search for matching transactions.

But there were no matching transactions.

Having done my part, I called Chase to report the fraudulent charge. Chase investigated with the merchant, and StubHub replied to the inquiry with purchase records and an image of the ticket, which Chase forwarded to me. 

The PayPal Transaction Details clearly show that a John B. of Lake Orion, Michigan purchased an end zone ticket to the September 12 college football matchup between Oregon State and the University of Michigan, using the StubHub mobile app.

The PayPal transaction detail also shows that the purchase was made with an entirely different credit card number from my own. Chase cannot (or will not) say how the charge came to be associated with my account number.

This could certainly be a case of a "glitch" either in PayPal's Braintree product (which StubHub uses for one-click purchases in its mobile app) or in Chase's payment processing. I am curious though if someone has figured out a way to exploit single-use virtual credit cards to create usable card numbers.

My questions to readers:

1. Is this merely an anomaly, or have others experienced similar incidents?

2. To readers associated with the banking industry, how is it possible for a charge to be applied to an account entirely separate from the one presented by the purchaser?

Do you have something to add? A question you'd like answered? Think I'm out of my mind? Join the conversation below, reach out by email at david (at) securityforrealpeople.com, or hit me up on Twitter at @dnlongen

Whois David?

My photo

I have spent the better part of two decades in information technology and security, with roots in application developer support, system administration, and network security. My specialty is cyber threat intelligence - software vulnerabilities and patching, malware, social networking risks, etc. In particular, I strive to write about complex cyber topics in a way that can be understood by those outside the infosec industry.

Why do I do this? A common comment I get from friends and family is that complex security topics give them headaches. They want to know in simple terms how to stay safe in a connected world. Folks like me and my peers have chosen to make a profession out of hacking and defending. I've been doing this for the better part of two decades, and so have a high degree of knowledge in the field. Others have chosen different paths - paths where I would be lost. This is my effort to share my knowledge with those that are experts in something else.

When not in front of a digital screen, I spend my time raising five rambunctious teens and pre-teens - including two sets of twins. Our family enjoys archery, raising show and meat rabbits, and simply enjoying life in the Texas hill country.

For a decade I served as either Commander or a division leader for the Awana Club in Dripping Springs, Texas; while I have retired from that role I continue to have a passion for children's ministry. At the moment I teach 1st through 3rd grade Sunday School. Follow FBC Dripping Springs Kids to see what is going on in our children's ministries.