Gas station without pumps

2013 June 13

Credit card identity theft part 2

Filed under: Uncategorized — gasstationwithoutpumps @ 21:45
About a month ago, I replaced my credit card because of the Vendini security breach (see Credit card identity theft), which caused some spurious Amazon transactions to appear on my bill.  There were also a number of transactions with a local business (Aptos Natural Foods) where we have never shopped, so I challenged those as well.  I just got my first bill for the new card, and there were three new transactions for Aptos Natural Foods on it!  I could not figure out reasonable ways that anyone could have gotten the new numbers so quickly.  Only a few merchants (whom I trusted) had the new number!
I talked with my wife (whose card had been used) and called Citi Cards, and we eventually came up with the conjecture that these were valid transactions that my wife had made at the Food Bin (just a few blocks from where we live), but credited to a different company.  We were used to seeing a few Food Bin transactions on our bill, and there were none.  My wife found some Food Bin receipts and they matched the charges in date and amount.
Citi Cards called the Food Bin and found that they had indeed merged management with Aptos Natural Foods (at about the time that they got new cash registers) and were aware that the credit card transactions would appear on bills as Aptos Natural Foods.
But they had never told their credit card customers, nor could I find any news items about the merger in the local papers.
I removed the disputes on the charges and will pay them in full, but I am rather miffed with the Food Bin for the incompetent way they handled their change of billing.  It is imperative that any business accepting credit cards tell their customers how the charges will appear on their bills, especially when there is a change from a decades-old practice! A brief notice on the counter would have been enough—or having “billed as Aptos Natural Foods” on the receipt.
I will say that working with the customer service agent at Citi Cards was about as pleasant as dealing with a billing problem could be.  There was no hold before being transferred to the service agent, and the person I talked to was both competent and friendly.  She found the Food Bin phone number while talking with me and called them while putting me on a brief hold, so that she could clear the confusion up right away.  So far, I have found the Citi Simplicity card to be a much better deal than the AT&T Universal Card that it replaced (dealing with AT&T customer service was never pleasant, and they had the most Byzantine way of charging late fees and interest for 3 months after missing one payment by one day).

2013 May 25

Credit card identity theft

Filed under: Uncategorized — gasstationwithoutpumps @ 17:19

This week I got the following message:

May 23, 2013

Dear Patron:

We regret to inform you that on April 25, 2013, Vendini, Inc. detected an unauthorized intrusion into its systems.  Vendini provides box-office and online ticketing services to hundreds of entertainment venues, which include tour, casino, sports, and arts organizations across the U.S. and Canada. Based on our records, you used a credit card to make a purchase for an event that was processed through Vendini’s service, and your information may have been involved in this incident.

We are actively cooperating with federal law enforcement, and this notification to you was delayed specifically to support law enforcement’s investigation.  In addition, a full-scale, internal investigation is under way at Vendini with outside computer forensic and cyber security experts.  Although our internal investigation is ongoing, we believe that in late March, a third-party criminal actor used hacking technologies to access our databases and may have accessed your personal information, such as name, mailing address, email address, phone number, and credit card numbers and expiration dates. We do not collect credit card security access codes (e.g., CVV, CVV2, PINs), social security numbers, usernames or passwords.

It seems to me that taking a month to notify users of a security breach is really bad practice—it was unlikely to provide any extra forensic information, and left customers vulnerable for a really long time.  In fact, I think that they were also slow to recognize the breach (which they now think happened in March).  Amazon had notified me days earlier of an apparent identity theft:

Apr 19
Greetings from

We perform routine reviews of orders to protect our customers. During one of these reviews we discovered that an account was opened with a card used by you on another account. For your reference the card in question is a VISA.

As it appears the card was used without your authorization, we have closed this new account and cancelled any outstanding orders. If the account is indeed yours, we apologize for any inconvenience caused and ask that you notify us as soon as possible by replying to this message.

If the card was used without your authorization, we recommend you cancel the card immediately by contacting the financial institution that issued the card.

You should review all recent charges made to this card, reporting any unauthorized charges to your financial institution. The financial institution, in turn, will send you forms to formally dispute the unauthorized charges, the applicable merchants will be notified and charged back, and your account subsequently credited.

Although we are not permitted to provide you with any details about the unauthorized use, we will provide this information to any law enforcement agency investigating this matter.

I was pleased that Amazon had notified me of the potential identity theft, but a bit annoyed that they paid one of the clearly fraudulent charges (which was the same as the earlier one that had triggered the fraud alert, despite their claim that they had cancelled all outstanding orders).  I challenged the charge through the credit card company, and I expect that it will be resolved without problems.
One irritating “feature” of the Citicard system is that you can only challenge charges after they have been paid—they have no way of flagging an “approved” but unpaid charge as fraudulent, so even after I had talked with the Citicard customer service people, and identified the fraudulent charges, I had to monitor the account daily for over a week, waiting for them to pay the fraudulent charge so that I could challenge it.  Given how common security breaches and identity theft are, you’d think that they would have a way of marking pending transactions as probably fraudulent, and not have to wait until the transaction has been completed to challenge it.
I had, of course, cancelled the card and gotten a new one (a bit inconvenient, as I had three recurring charges billed to that card) long before Vendini bothered to inform me of the breach.  Needless to say, I will think twice about ordering tickets through Vendini ever again, as they are clearly incompetent at handling credit card security both before and after breaches.  My unwillingness to trust Vendini with my credit card info may mean not going to any shows at Cabrillo College unless they change ticket vendors.
