Want to get paid for a vulnerability similar to this one?
Contact us at: email@example.com
A family member recently encountered credit card fraud. That isn’t unusual, but there were some features of the whole experience that seemed odd.
First off, the person involved is certain that the fraud relates to the use of the card at a tap/RFID/proximity reader. The card has been in use for some time, but the day before the fraudulent charges the card was used, for the first time, at a gas pump with a “tap” reader.
(I suspect this is wrong. The card owner feels that gas pumps, left unattended all night, would be a prime target for reader tampering. I can’t fault that logic, but the fact that an address was later associated with use of the card makes me wonder.)
At any rate, the day after the gas was purchased, two charges were made with the credit card. One was for about $600.00, and was with startech.com, a supplier of computer parts, particularly cables, based in Ontario. The other charge was for almost $4000.00, and was with megabigpower.com, which specializes in hardware devices for Bitcoin mining, and operates out of Washington state. (Given the price list, this seems consistent with about 8 Bitcoin mining cards, or about 20 USB mining devices.) The credit card company was notified, and the card voided and re-issued.
A few days after that, two boxes arrived–at the address of the cardholder. One came from startech.com via UPS and was addressed to John Purcer, the other was from megabigpower.com via Fedex and was addressed to Tom Smyth. Both were left at the door, refused and returned to the delivery companies. (At last report, the cardholder was trying to get delivery tracking numbers to ensure that the packages were returned to the companies.)
As noted previously, this is where I sat up. Presumably a simple theft of the card data at a reader could not provide the cardholder’s address data. An attempt might be made to ensure that the “ship to” address is the same as the “bill to” address (one of the companies says as much on its billing page), but I further assume that a call to the credit card company with a “hey, I forgot my address” query wouldn’t fly, and I doubt the credit card company would even give that info to the vendor company.
One further note: I mentioned to the cardholder that it was fortunate that the shipment via UPS was from the Canadian company, since UPS is quite unreasonable with charges (to the deliveree) involving taking anything across a border. (When I was doing a lot more book reviews in the old days, I had to add a standard prohibition against using UPS to all my correspondence with companies outside Canada.) When UPS was contacted about this delivery, the agent reported that the package was shown as delivered, with a note of “saw boy,” presumably since the cardholder’s son was home, or in the vicinity of the house, at the time of delivery. The cardholder was understandably upset and asked to have that note taken off the record, and was then told a) the record could not be changed, and b) that was a standard code, presumably built-in to the tracking devices the drivers carry.
Just a note to those of you who care anything about privacy …