I don’t have to do anything and my credit card information gets breached

Yesterday, while reading a book on my Kindle app (on my PC), I got an email from American Express with the subject line “Fraud Protection Alert.”

“Fraud protection?” I said (out loud, to no one in particular, except for possibly my cat who did not respond).

Yes, fraud protection. In the email message, it had the last 5 digits of my account number so I knew it was probably my card and then it had the name of a merchant – Shell Canada – and a charge of $20.00 Cdn funds.

I racked my brain. Did anyone I know have my credit card in Canada at the moment? No, they don’t. I looked at the contact information and gave Amex a call where I subsequently reversed the charges, got the card cancelled and got a new one.

I don’t know how this card could have been breached. It is my corporate credit card, and I use it very rarely – only to travel on business. It stays with me at all times. How did some scammer steal it and use it?

I started making a paper trail in my head. Since nobody had physical access to my card, I could only assume that it was a breach – some hacker broke into a business I had used and leaked all the credit card data, probably pasting it online somewhere. Some other scammer (or possibly the same one) used that leak to buy gasoline.

Working my way backwards, my theory is that the probable source of the leak is proportional to how recently I used the card. That is, if the last time I used the card was May 1, then that is the most likely source of the leak. If the second last time I used the card was April 28, then that is the second most likely source.

Now, you may not agree with this theory; however, because I use this card so rarely and the time space between major transactions is weeks (or months), it’s a good place to start for my usage pattern.

Using this as a starting point, I started thinking about what I’ve purchased in the past two months:

  1. Airline tickets
  2. Booked a hotel

Well, that doesn’t help much. Either the airline leaked it, or the hotel leaked it. If I were to guess, I’d guess the hotel leaked it since they are tempting targets for identity thieves because of their clientele (business travelers) and hotels don’t always have the same safeguards that banks do (airlines are under more scrutiny).

I called up my credit card company and canceled the card. They sent me a new one and it arrived today. Upon checking my account, I discovered that said thief charged three different purchases at a gas station in Montreal.

I am no closer to figuring out where this leak may have happened.

* * * * * * * * * * * * *

Fast forward to today, and I got a letter from my bank. I opened it up and inside is a new debit card. For you see, while they were doing routine fraud detection, they discovered some fraudulent activity on my card and sent me a new one.

What in the world?

First my credit card, now my debit card?

As disconcerting as this is to lose two cards in a week, it also potentially helps narrow down the target. Where did I use my debit card and credit card in the same place?

I went to my credit card website and made a list of all purchases from the start of the year. I figured that a likely suspect was this past February while I was at the MAAWG conference in San Francisco. That’s when I would use my corporate credit card.

Next, I checked my debit card purchases during that same time frame, looking to see if there were any vendors that were in common.

There was: the Buckhorn Grill in San Francisco. One day I went there because I was there on business, but I stayed an extra day in San Francisco and paid for it myself.

Two cards in one place.

Both cards leaked this week.

This could be a coincidence, but I don’t think so. I think that’s where the data leak occurred. I don’t remember much about the transaction, but either the card information wasn’t encoded and someone wrote down the number, or they had a breach.

My theory about the “recency” effect was right, but I didn’t go back far enough. I had to go back 3 months in time rather than a few weeks.

While I don’t like getting my data exposed, it does make me feel better to engage in this detective work and figure out a likely place of origin.
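The cross-referencing described in this post (list each card's purchases, look for a merchant both cards were used at, and weigh recency), as an added example that is not part of the original post. The transactions, dates, fraud dates and the `merchant_key` normalisation are constructed assumptions, not the author's real statement data.

```python
import re
from collections import defaultdict
from datetime import date

# Constructed sample data, not the author's real statements:
# (card, date used, merchant descriptor as printed on the statement).
TRANSACTIONS = [
    ("credit", date(2024, 2, 21), "BUCKHORN GRILL SAN FRANCISCO CA"),
    ("credit", date(2024, 4, 10), "EXAMPLE AIRLINES 0012345"),
    ("credit", date(2024, 4, 12), "EXAMPLE HOTEL #204"),
    ("debit", date(2024, 2, 22), "Buckhorn Grill #3 San Francisco"),
    ("debit", date(2024, 3, 30), "EXAMPLE GROCERY 118"),
    ("debit", date(2024, 5, 4), "EXAMPLE HOTEL #204"),
]
# Constructed date of the first fraudulent charge on each card.
FIRST_FRAUD = {"credit": date(2024, 5, 1), "debit": date(2024, 5, 3)}


def merchant_key(descriptor):
    """Crude normalisation (an assumption): letters only, first two words."""
    words = re.sub(r"[^A-Za-z ]", " ", descriptor).upper().split()
    return " ".join(words[:2])


def rank_candidates(transactions, first_fraud):
    """Rank merchants by compromised cards seen there, then by recency."""
    seen = defaultdict(dict)  # merchant -> {card: latest use before fraud}
    for card, used_on, descriptor in transactions:
        if used_on >= first_fraud[card]:
            continue  # a use after the fraud began cannot be the source
        cards = seen[merchant_key(descriptor)]
        cards[card] = max(used_on, cards.get(card, used_on))
    ranked = sorted(seen.items(),
                    key=lambda kv: (len(kv[1]), max(kv[1].values())),
                    reverse=True)
    return [(m, sorted(c), max(c.values())) for m, c in ranked]


if __name__ == "__main__":
    for merchant, cards, last_used in rank_candidates(TRANSACTIONS, FIRST_FRAUD):
        print(f"{merchant:18} cards={cards} last used {last_used}")
```

In this constructed data the hotel is the most recent merchant on the credit card, but the only merchant that saw both cards before either was abused is the restaurant, so it ranks first even though it is the oldest transaction.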