Gas station without pumps

2013 May 25

Credit card identity theft

Filed under: Uncategorized — gasstationwithoutpumps @ 17:19
Tags: , , , , ,

This week I got the following message:

May 23, 2013

Dear Patron:

We regret to inform you that on April 25, 2013, Vendini, Inc. detected an unauthorized intrusion into its systems.  Vendini provides box-office and online ticketing services to hundreds of entertainment venues, which include tour, casino, sports, and arts organizations across the U.S. and Canada. Based on our records, you used a credit card to make a purchase for an event that was processed through Vendini’s service, and your information may have been involved in this incident.

We are actively cooperating with federal law enforcement, and this notification to you was delayed specifically to support law enforcement’s investigation.  In addition, a full-scale, internal investigation is under way at Vendini with outside computer forensic and cyber security experts.  Although our internal investigation is ongoing, we believe that in late March, a third-party criminal actor used hacking technologies to access our databases and may have accessed your personal information, such as name, mailing address, email address, phone number, and credit card numbers and expiration dates. We do not collect credit card security access codes (e.g., CVV, CVV2, PINs), social security numbers, usernames or passwords.

It seems to me that taking a month to notify users of a security breach is really bad practice—it was unlikely to provide any extra forensic information, and left customers vulnerable for a really long time.  In fact, I think that they were also slow to recognize the breach (which they now think happened in March).  Amazon had notified me days earlier of an apparent identity theft:

Apr 19
Greetings from

We perform routine reviews of orders to protect our customers. During one of these reviews we discovered that an account was opened with a card used by you on another account. For your reference the card in question is a VISA.

As it appears the card was used without your authorization, we have closed this new account and cancelled any outstanding orders. If the account is indeed yours, we apologize for any inconvenience caused and ask that you notify us as soon as possible by replying to this message.

If the card was used without your authorization, we recommend you cancel the card immediately by contacting the financial institution that issued the card.

You should review all recent charges made to this card, reporting any unauthorized charges to your financial institution. The financial institution, in turn, will send you forms to formally dispute the unauthorized charges, the applicable merchants will be notified and charged back, and your account subsequently credited.

Although we are not permitted to provide you with any details about the unauthorized use, we will provide this information to any law enforcement agency investigating this matter.

I was pleased that Amazon had notified me of the potential identity theft, but a bit annoyed that they paid one of the clearly fraudulent charges (which was the same as the earlier one that had triggered the fraud alert, despite their claim that they had cancelled all outstanding orders).  I challenged the charge through the credit card company, and I expect that it will be resolved without problems.
One irritating “feature” of the Citicard system is that you can only challenge charges after they have been paid—they have no way of flagging an “approved” but unpaid charge as fraudulent, so even after I had talked with the Citicard customer service people, and identified the fraudulent charges, I had to monitor the account daily for over a week, waiting for them to pay the fraudulent charge so that I could challenge it.  Given how common security breaches and identity theft are, you’d think that they would have a way of marking pending transactions as probably fraudulent, and not have to wait until the transaction has been completed to challenge it.
I had, of course, cancelled the card and gotten a new one (a bit inconvenient, as I had three recurring charges billed to that card) long before Vendini bothered to inform me of the breach.  Needless to say, I will think twice about ordering tickets through Vendini ever again, as they are clearly incompetent at handling credit card security both before and after breaches.  My unwillingness to trust Vendini with my credit card info may mean not going to any shows at Cabrillo College unless they change ticket vendors.

1 Comment »

  1. […] theft About a month ago, I replaced my credit card because of the Vendini security breach (see Credit card identity theft), which caused some spurious Amazon transactions to appear on my bill.  There were also a number […]

    Pingback by Credit card identity theft part 2 | Gas station without pumps — 2013 June 13 @ 21:45 | Reply

RSS feed for comments on this post. TrackBack URI

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: