Cloned cards R us

c: | f: /

Gah, it appears I’m merely another statistic in the credit card fraud graph. But I think I’ve figured out why this form of crime is rife. And it’s not the obvious answer.

This morning I opened an envelope addressed to a badly-spelled version of my name to find an official DVLA document inside stating that my car had been released from the pound as per my telephone request. Attached was a receipt with my credit card details on it and a sizeable amount debited. Barring the fact the person who filled in the details couldn’t spell my name, everything about the form — the receipt, card expiry and my home address — checked out.

Except it’s not my car. And never has been.

Fraud department

First stop was the credit card company of course. The call centre lackey didn’t care much and referred me to the fraud dept, which was closed — being a Saturday — until 9am.

When I got through to them, they were much more helpful — I guess since it’s their cash on the line — and confirmed that someone had been having a whale of a time with my credit card in London for the past three days: making autotrader transactions, eating out, buying PAYG mobile top ups, staying in hotels, along with the aforementioned car incident.

There were none of the usual telltale signs of fraud — like a tiny test transaction to see if the card was active. This normally takes the form of a few quid spent via a badly-designed website, or a charitable donation which flies under the radar before the real spending begins. So someone knew the account was valid.

Regardless, the firm cancelled my account immediately.

The weekend starts here

Next stop was the DVLA. Rather surprisingly, they didn’t seem to care that there was a car out there that somebody had the audacity to claim was mine. Filled me full of confidence in the database they claim can smell wrongdoing from 10 000 paces. Their fraud department was also closed for the weekend and the call centre chump didn’t really think it was important to take any details from me.

It crossed my mind that, since pretending to be me wasn’t exactly legal, there was every chance the car would be involved in some criminal circumstance before the fraud department roll into work on Monday morning. And since the car’s details — perhaps a car with cloned plates — are possibly lodged in their database as “mine”, I’m half expecting the police to knock on my door (or that of the real car owner) any moment and make an arrest for holding up a London post office with a balaclava and an axe.

With that thought, I called the police. Guess what: they didn’t care either. Apparently, unless the car is involved in a future crime, or the credit card had been used to obtain stolen goods, they weren’t interested.

But one further thing was going round my head: the payment to the hotel was a pending transaction, thus had been swiped on checkin as surety and would be later debited when the hotel did their billing run.

Which meant the perpetrator was probably still staying there. With “my” car in the car park.

Fraud mechanics

Next thought was how it happened. I can all but rule out the following:

  • ATM skimming: I’ve never used my credit card in an ATM.
  • Someone getting my details from my bins: I haven’t thrown away any statements in over a year and even when I did, the parts were scattered between bins at different times in different locations — and some parts in the compost, or in with the regular rubbish, or burnt, or chewed and spat out (yes, I’m that anal about it).
  • Traditional skimming at a petrol station or restaurant can’t have happened because the card never leaves my sight. The only possible avenue would be if the card reader itself was bogus or had a wireless reader attached that I hadn’t noticed.
  • PIN theft — I have never typed one of my PINs without my hand or wallet covering the keypad so visual or camera-operated stealth is impossible. I also randomly move my hand about while typing to foil guesswork and quickly scrub all the keys afterwards with my fingertips.
  • Visually obtaining my CVV (those 3 digits on the back of the card) because I memorise them and either scratch them off or they wear off very quickly.
  • Man in the middle attack / spyware because I know what the hell I’m doing with technology

That leaves the ball firmly in the court of corporate data loss / theft, or a corrupt employee as the data leak. Something, incidentally, the credit card company acknowledged but played down heavily — they implied it was most likely my insecure data management policy that was to blame. Clearly they don’t know me.

Forget Miss Marple

So if nobody was going to take this seriously on my behalf, there’s only one person who could help: the Internet. Using my powers of deduction and some blind luck I guessed the make of the car based on how old the registration was, and found out all the details about it: colour, model, engine capacity, the lot. And, surprise surprise, it was untaxed and unlicensed.

Maybe the autotrader activity on my card was the perp finding out about a car which had recently been declared SORN, or even arranging to buy such a car. Or they were fishing for information in order to clone the plates.

The mobile number that was given on the car impound receipt was — as expected — a dead end. No record of it anywhere which meant it was a new handset, probably purchased at the time of top-up using my card and then binned after calling the impound centre.

I did locate the restaurant (well, fast food joint) from which my clone dined and found that there was indeed a hotel nearby that matched the description of the pending transaction, which placed “fake me” in a particular area of the country right that moment.

It’s not my problem, guv

To sum up the issues at play here, the following hold true:

  1. there is another physical card out there with my name on it. I know this because all hotels take a swipe of a real credit card when checking in. There’s a slim possibility the card was used online to book and pay for a hotel stay in advance, but the fact it was a pending transaction, and that time is of the essence (I could notice fraudulent activity on my bill any day and cancel the card before the stay commenced) renders this unlikely.
  2. the person who allowed the payment to be made at the impound centre didn’t bother to check with the DVLA to see if the person paying the fine was the registered keeper. They also either took payment:
    1. without asking for my CVV.
    2. by requesting my CVV, which the attacker knew because the leak was from the credit card company (or stolen data in transit).
  3. autotrader suffer the same CVV deficiencies stated above. As do O2 when topping up by credit card online.
  4. my PIN has not been compromised. I believe PINs are stored and verified by the card itself — so a new PIN could have been generated when the chip on the cloned card was blown — but interestingly, the credit card company said my replacement card would have the same PIN as my current card, which means there’s a central record somewhere.
  5. my home address is known to the attacker.
  6. nobody is employed to care, except maybe the people in one department of the credit card company who are paid to minimise the amount lost from the bottom line.

That last point is the killer. The one overriding factor that I believe holds the key to credit card fraud is timeliness. I was soooo close to phoning the hotel and asking if “I” had checked in and alerting them to the fact that the people staying there under my name will likely be in a stolen car and the payment for the room is going to bounce next week. What they did with that information was up to them. They could choose to ignore it or they could act on it and maybe end up catching the people involved, which might lead to a bigger bust.

So what stopped me? Two things. Firstly, I know that hotel front desk staff won’t care. It’s not their job and they’re all jobsworths: they don’t give two hoots that the company they work for is going to lose a few hundred quid, because they’re on a crappy wage for the amount of flack they take. If I phoned head office, they won’t care because they’ll claw the money back from the credit card firm. Best case they’ll say it’s a police matter and I’ve already established the police don’t care until such time as someone dies or the car ends up in a lake.

As it stands now, by the time I report this to DVLA’s fraud department and they get their thumbs out of their noses and act upon it, the trail will be very cold; the only hot things will be the car burning by the roadside and my credit rating which I’ll now have to fight to clear after having a car I don’t own impounded in my name.

My second reason for keeping quiet is that the perps know where I live and if they get a hint of who tipped them off I don’t know what the consequences would be. I’ve read cop novels: small crime rings or multi-national fraud cartels all stand to lose big. Playing vigilante is tempting in this world of non-doers, but self preservation is a compelling mistress. Cowardly? Hell yes. Sense of civic duty? No chance in this country. If the police don’t care because they’re too hogtied with paperwork and chasing false flag terror plots, why should I care?

And that’s the problem: nobody cares. Well, that and nobody in any authority works at the fucking weekend.

I want your brainjar


(required, never made visible)

(optional, linked with rel="nofollow")