Recently, my credit card was attacked: around $800 was stolen via internet purchase. I’m still not sure how this occurred (probably an on-line merchant was careless with my credit card details, but who knows). Fortunately, my bank accepted my disclaimer of the transaction and cancelled it.
However they also advised me to disable internet credit card payments, as this is the primary way in which hackers are able to monetise identity hacks. So for online purchases, there are few options left available: personally, I choose to use only two, namely direct bank transfer and PayPal (as they enable me to make payments without providing sufficient information for a hacker to ever do the same). However this is severely limiting, as many sellers only allow credit card purchases.
Are other members also affected by this? What do you think is needed? One option would be for banks to be required to provide true debit cards (i.e. ones where they guarantee not to allow transactions beyond the balance). We could limit liability by keeping only a small credit balance, and transferring further funds only when making a purchase. Unfortunately, as far as I can tell, no banks currently offer this. I checked only with my primary bank, but for them, even travel cards do sometimes allow transactions beyond the balance so long as the bank’s algorithms believe the transaction is safe - for the bank! Of course I don’t have access to the bank’s algorithms, but I strongly suspect that a component of the algorithm would be other funds held with the bank that they could attach…
It’s noteworthy that Choice itself seems to be one of the worst offenders: only credit card subscription seems to be available. Unless this gets changed, it means that my subscription is going to expire in a couple of weeks and there’s nothing I can do about it…
Generally if a transaction occurs where credit card details have been compromised, a card issuer will issue a new card (with card number, expiry date and CVV) and cancel the old card so that future transactions, including fraudulent ones, can’t be made.
I am surprised that they asked you to disable internet credit card payments. I am not sure how this would be done, as many payments even through point of payment systems used in store go through the internet - the one our business uses does. This means your card may be next to useless.
I wonder if they disabled payments which are not made in person - only allowing the debit card to be used as an EFTPOS card. This means that your card details can’t be used if entered manually. This is more likely to be the case, but again, might pose challenges if you want to travel, purchase things over the phone or using it to set up automatic bill payments (which highlights another issue, if your card has been used for regular, automatic payments in the past, will these now also fail).
I suggest that you contact your card issuer and ask why the card wasn’t cancelled and reissued. When you call them, make sure that you use a number from your bank statement/bank letter rather than from something that has been sent to you.
It would also be interesting to know how you identified that $800 was stolen. The reason I ask is there is a scam where criminals posing as a bank makes contact to advise that one’s card/bank account has been hacked as part of the ruse. If they contacted you, I would be calling them immediately on a number from your bank statement/bank letter to ensure that the contact was the bank and not a scammer.
In relation to debit card limits, I agree that there are some restrictions but not water tight. This website explains it well:
Hi phb, and thanks for your reply. Sorry, my original post wasn’t perhaps detailed enough.
The bank did issue a new card, but they still recommended disabling internet purchases. That’s how it was monetised - the scammer managed to persuade amazon they were me, and I assume registered my credit card to a new amazon account (exceedingly slack of amazon, as it was also registered to my real amazon.com and amazon.com.au accounts). My bank had no trouble accepting it was scammed, as the purchase was overseas (I think Canada), and the bank would have had pretty strong contrary evidence from other transactions that I had never left Australia.
So anyway, my card still works fine on EFTPOS. It also works for regular automatic payments if these are set up through the bank, not sure how it would work if they were set up through the merchant. But it doesn’t work for internet purchases. That’s generally fine by me, just irritating when merchants don’t support anything other than credit card purchases. And yes, the contact was the bank (I was physically in the bank branch).
I identified it as stolen pretty quickly because I saw it by chance in my account transactions within a few hours, and was very aware that I hadn’t made a $800 purchase from Amazon in Canada at 3am (this is a personal account, not a business account, so I’m generally pretty aware of what transactions should be there).
The link you provided is about transaction limits, not about whether the account is allowed to go into negative balance. What I believe we should still have available is what bank accounts generally were in the past: debit accounts only. Overdrawing would then have required personal knowledge on the part of the bank staff. If you told them not to allow overdrawing on an account, they would generally accept that.
The bank many believe you have been subject of identity theft, and one way to reduce their/your risks with them is to lock down the account as much as possible. This may reduce risks of your accounts/cards being used for other fraudulent uses. It may not prevent further identify theft, but may risks with the accounts with them.
Sorry, I accidentally posted the previous message before it was complete. Just to add that as soon as the bank contact system came online, I contacted them and had the transaction and the card cancelled. A pain, because it took a while to get the replacement card. The advice to disable internet purchases came when I went physically to the bank branch to pick up the new card. Since I had been using PayPal for payment whenever possible anyway, it hasn’t been that much of an inconvience. But it’s annoying when sellers don’t permit more secure methods.
And yes, the primary risk is not of the identity being stolen at the time of the transaction (though with some ma-and-pa businesses and organisations, I think that still is a real risk), but rather that internet purchases are one of the main ways that existing identity breaches are monetised.
Many banks now will issue a digital card you can download into their app and/or into ‘Wallet’ (previously called GooglePay) and similar. They are good for online purchases/bills and can be used in-store at shops with Wallet (etc) enabled terminals. When we had to cancel my Westpac card last time I was only without a functioning card for about 10 minutes although it would only work at most but not all bricks and mortar locations. The plastic arrived in 5 days but for online bill payments and purchases never had a problem using it.
If you have another need for a new card ask if your issuer has joined that ‘world’ of services/products’.
BTW those payment systems generate virtual card numbers and/or CVCs and are supposedly more secure than the card itself.
@bnp I agree. Apple Pay and Google Wallet do seem to be more secure than the physical cards. I had a similar experience with having the card compromised. My bank (Westpac) detected it before I did and, with my agreement, cancelled the card. Like you, I had the electronic version of the replacement card available within minutes, with the physical replacement arriving in the mail just a few days later. It meant that I wasn’t inconvenienced at all.
I’m pretty sure the card had been compromised the previous night when I used its physical version to enter and exit a public car park. I’m pretty sure their system had been hacked. Fortunately the bank refunded the $3000.
I’m now very much sold on the electronic wallet.
Link a 2FA process to the card, not the retailers transaction processing procedure.
When a transaction initiates, the bank would send a 2FA request to the consumer via an authorised pre-defined protocol, i.e, 2FA app, online bank account msg, (email, sms not preferred) etc…
This would obviously change the way transactions are processed, and would add a step in the process for the consumer, with the intent to make the approval process the responsibility of the bank and consumer.
This is a very simplified explanation, and not necessarily easy to execute, but not impossible either!
This could also be added when a bank wants to deduct any amount over the cards limit.
Verified by Visa and Mastercard Identity Check (and others) already do that for certain online transactions, although not close to 100% of them. The technology has been around for years just not deployed for every card transaction and certainly not for non-card transactions/transfers.
If the financial institutions were legally responsible for any losses due to unauthorized access of a persons bank account, credit/debit card or any other means of payment for an online transaction, then they would make a greater effort to improve security.
I’m pretty sure this is the case in some countries.
This tip may help some members: Westpac have an option whereby they will email me every day with the balance of my account. This helpful and reliable service alerts me promptly to any unexpected transactions. ANZ do not offer this service.
You can use the same strategy with a credit card i.e. have two credit cards, one for online use and which has a low credit limit, thus limiting the risk for both parties.
Hah! Maybe someone from Choice should respond to that.
I guess that, for a subscription, a direct debit arrangement would be an option. That may or may not be acceptable to any given customer. Personally I try to avoid direct debit, as it can be nasty if the business relationship sours.
Well it turns out that Choice does provide bank transfer as an option, but you have to ask for it, it’s not advertised on the website. I think the fact that it’s available is good, but I don’t think it’s quite so positive that you have to ask for it… Anyway, I’ve now been able to update my subscription. Let’s see what happens next year.
