Credit card identity theft

This week I got the following message:

May 23, 2013

Dear Patron:

We regret to inform you that on April 25, 2013, Vendini, Inc. detected an unauthorized intrusion into its systems.  Vendini provides box-office and online ticketing services to hundreds of entertainment venues, which include tour, casino, sports, and arts organizations across the U.S. and Canada. Based on our records, you used a credit card to make a purchase for an event that was processed through Vendini’s service, and your information may have been involved in this incident.

We are actively cooperating with federal law enforcement, and this notification to you was delayed specifically to support law enforcement’s investigation.  In addition, a full-scale, internal investigation is under way at Vendini with outside computer forensic and cyber security experts.  Although our internal investigation is ongoing, we believe that in late March, a third-party criminal actor used hacking technologies to access our databases and may have accessed your personal information, such as name, mailing address, email address, phone number, and credit card numbers and expiration dates. We do not collect credit card security access codes (e.g., CVV, CVV2, PINs), social security numbers, usernames or passwords.

It seems to me that taking a month to notify users of a security breach is really bad practice—it was unlikely to provide any extra forensic information, and left customers vulnerable for a really long time.  In fact, I think that they were also slow to recognize the breach (which they now think happened in March).  Amazon had notified me days earlier of an apparent identity theft:

Apr 19

Greetings from Amazon.com.

We perform routine reviews of orders to protect our customers. During one of these reviews we discovered that an account was opened with a card used by you on another account. For your reference the card in question is a VISA.

As it appears the card was used without your authorization, we have closed this new account and cancelled any outstanding orders. If the account is indeed yours, we apologize for any inconvenience caused and ask that you notify us as soon as possible by replying to this message.

If the card was used without your authorization, we recommend you cancel the card immediately by contacting the financial institution that issued the card.

You should review all recent charges made to this card, reporting any unauthorized charges to your financial institution. The financial institution, in turn, will send you forms to formally dispute the unauthorized charges, the applicable merchants will be notified and charged back, and your account subsequently credited.

Although we are not permitted to provide you with any details about the unauthorized use, we will provide this information to any law enforcement agency investigating this matter.

I was pleased that Amazon had notified me of the potential identity theft, but a bit annoyed that they paid one of the clearly fraudulent charges (which was the same as the earlier one that had triggered the fraud alert, despite their claim that they had cancelled all outstanding orders).  I challenged the charge through the credit card company, and I expect that it will be resolved without problems.

One irritating “feature” of the Citicard system is that you can only challenge charges after they have been paid—they have no way of flagging an “approved” but unpaid charge as fraudulent, so even after I had talked with the Citicard customer service people, and identified the fraudulent charges, I had to monitor the account daily for over a week, waiting for them to pay the fraudulent charge so that I could challenge it.  Given how common security breaches and identity theft are, you’d think that they would have a way of marking pending transactions as probably fraudulent, and not have to wait until the transaction has been completed to challenge it.

I had, of course, cancelled the card and gotten a new one (a bit inconvenient, as I had three recurring charges billed to that card) long before Vendini bothered to inform me of the breach.  Needless to say, I will think twice about ordering tickets through Vendini ever again, as they are clearly incompetent at handling credit card security both before and after breaches.  My unwillingness to trust Vendini with my credit card info may mean not going to any shows at Cabrillo College unless they change ticket vendors.