Monday, November 23, 2015

Cunning payment card fraud, or just a random glitch?

I have a strange tale to tell. I am sharing it here because I honestly don't know if it represents a simple computer glitch on the part of a bank or payment processor, or if it represents a breakthrough in payment card fraud. I have intentionally kept the dates and amounts approximate rather than exact, and am not doxxing the other party in this event, but otherwise what follows is a reasonably detailed sequence of events.

In early September, a charge I did not recognize appeared on my Chase credit card. I figured my card number had been taken in the latest Point of Sale card breach, so called Chase to report the fraudulent use. I expected they would identify it as fraud, close my account, and issue me a new card, as has happened 3 or 4 times in the past few years.

As I have written before, this type of fraud doesn't really bother me much - it's a bit annoying, but I've taken a few steps to limit any real consequences to me. This guide to financial fraud prevention explains what I do, and what I recommend my readers do too. By purchasing with credit cards and never debit cards, setting up transaction alerts by email or text message, and keeping a fraud alert on my credit report, I ensure that any card fraud is the bank's problem and not my problem.

Today's tale begins with an aforementioned transaction alert.

One day in early September I received a message from Chase, informing me of an online (aka "card not present" or CNP) transaction for approximately $85, from STUBHUB, INC.

StubHub is a clearinghouse of sorts for event tickets. It is especially popular as an aftermarket way to buy or sell tickets to sold-out concerts and sporting events, neither of which is high on my family's list of common activities.

I had not bought anything that day, and StubHub purchases seemed a bit out of character for my wife, so I checked with her to be sure. Unsurprisingly, she had not bought anything that day either.

My next call was to StubHub themselves, since the transaction had just occurred. By taking advantage of bank-provided alerts, I have more than once intercepted a fraudulent charge before the product was delivered and had the order cancelled. I wrote about one case in detail a few years ago - and was highly impressed with Walmart's quick and professional handling of that case.

Unlike the incident with Walmart, however, StubHub had no record of me as a customer. More surprisingly, they had no record of a transaction using my credit card number.

As an aside, I did give StubHub's fraud investigator my full card number to search for transactions. By that point, I was relatively sure my account had been compromised and that I would be getting a new number soon. I decided the risk of giving my card number to a customer service agent was low, and it was the most expedient way for them to search for matching transactions.

But there were no matching transactions.

Having done my part, I called Chase to report the fraudulent charge. Chase investigated with the merchant, and StubHub replied to the inquiry with purchase records and an image of the ticket, which Chase forwarded to me. 

The PayPal Transaction Details clearly show that a John B. of Lake Orion, Michigan purchased an end zone ticket to the September 12 college football matchup between Oregon State and the University of Michigan, using the StubHub mobile app.

The PayPal transaction detail also shows that the purchase was made with an entirely different credit card number from my own. Chase cannot (or will not) say how the charge came to be associated with my account number.

This could certainly be a case of a "glitch" either in PayPal's Braintree product (which StubHub uses for one-click purchases in its mobile app) or in Chase's payment processing. I am curious though if someone has figured out a way to exploit single-use virtual credit cards to create usable card numbers.

My questions to readers:

1. Is this merely an anomaly, or have others experienced similar incidents?

2. To readers associated with the banking industry, how is it possible for a charge to be applied to an account entirely separate from the one presented by the purchaser?

Do you have something to add? A question you'd like answered? Think I'm out of my mind? Join the conversation below, reach out by email at david (at) securityforrealpeople.com, or hit me up on Twitter at @dnlongen.