credit card scam: lenovo

About fifteen days ago I placed an order at Lenovo.com (UK store) for a nice little IdeaPad S10-3T netbook. Or, at least I thought I did. The ordering process failed multiple times, but hey - I want that netbook! On about the 5th go or so, success! They accepted the order and I waited.

For ten days.

For nothing.

On the ninth day, I contacted them and they replied on the tenth saying that my order wasn't accepted. Erm, but it said it was? Nice. Ten very impatient days waiting for something that was destined to never arrive. I tried ordering again, but continually got a different error of "Our server is under heavy load, please try again later." I gave up.

While checking my online bank statement, I noticed there was a debit for £30 with the transaction ID of O2UK (Nelson) 01753 565969. I last used my O2 phone 1.5 years ago, so this... ain't good.

It appears I became the victim of fraud. For the second time.

How Did It Happen?

I'm not entirely sure. There appear to be two current theories on why it happens, and continues to happen to hundreds - if not thousands - of people every day. It's a very common occurrence. For completeness, I've included an additional common method.

Compromised Server. The first theory is that the company you're purchasing from has a server that is compromised in some way. This can be anything from logging software to an employee taking notes on phoned-in payments. I used the Dreamhost website (based in the US) for the first time to place an order a few years back, and I got defrauded two days later, by another US company. The same happened with Lenovo; my very first order with them and I got defrauded shortly afterwards. I'm inclined to say something about the payment process was compromised.

This could all be a coincidence, but I use my card online quite a bit and have never had any problems. The ordering problems with Lenovo, as mentioned above, seem to make me think that it may not be a coincidence.

Sequential Numbering. This one sounds plausible until you actually think about it a bit. Someone, or a lot of someones, generate a huge number of valid card numbers (very easy to do, but they simply pass a verification check and nothing else) and test those numbers with a series of expiry dates and CV2 numbers until they get a valid combination.

There are reportedly 10 quintillion combinations if the long number and CV2 are taken into account (maybe ~10 billion actual usable combinations due to the built-in checksum check digit). This makes the numbering method sound impossible. Even so, it's apparently a much-used approach.

Skimming. The oldest of the three listed methods and the only one that directly involves the physical card itself.

This can happen at a petrol station, a restaurant, or any other place that can hide your card momentarily from you for it to be swiped, or even right under your nose if it's an ATM. A card reader (skimmer) is installed, possibly with a video camera to observe you inputting your PIN, and made to look like part of the original hardware. Your card information (and any associated video) is stored for later retrieval.

In the case of a petrol station or restaurant, the card can be swiped without the card holder's knowledge. For example, there could be a swiping machine under the counter at a petrol station.

£30? Why Not More?

The £30 mobile top-up is a test by the fraudsters to see if the card is valid, and if it is, it's an amount small enough to hopefully go unnoticed. Sometimes they will try and charge an amount equalling around 1 pence, with the reason being that some banks don't actually show such a small charge in bank statements; although the Unavailable and Available cash balances will reflect that change.

Why O2 or Vodafone? Because, especially in O2's case, these two companies have very lax security and have no qualms with a customer immediately using any new card with their account - there is no card-to-account association required. O2 - formerly BT Cellnet - have allowed this since the year 2000. It's a fraudster's card-verifying dream.

Once the card has been verified to be usable, the large transactions begin. The card gets absolutely hammered.

For informational purposes, the mobile top-ups are typically of the following variety: "O2UK (Nelson) 01753 565969", "O2(UK)LTD PREPAY", "Vodafone CR Card TopUp".
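The test-charge pattern described above is something you can look for in an exported statement. This is an added example, not part of the original post: the thresholds, the one-year dormancy window and the sample statement are constructed assumptions, and the descriptors are the three listed above.

```python
from datetime import date

# Descriptors the post lists as typical card-testing top-ups (upper-cased).
TOPUP_DESCRIPTORS = ("O2UK (NELSON)", "O2(UK)LTD PREPAY", "VODAFONE CR CARD TOPUP")
TOPUP_CEILING_PENCE = 3000   # assumed: the post's £30 top-up
PENNY_CEILING_PENCE = 1      # assumed: the post's "around 1 pence" probe
DORMANT_DAYS = 365           # assumed: unused for a year counts as unfamiliar


def flag_card_testing(transactions):
    """Return (date, descriptor, reason) for debits that look like card tests.

    transactions: iterable of (date, descriptor, amount_pence), oldest first.
    """
    last_seen = {}   # normalised descriptor -> date of the most recent debit
    flagged = []
    for when, descriptor, pence in transactions:
        key = descriptor.upper().strip()
        previous = last_seen.get(key)
        # A merchant never seen, or not seen for a long time, is "dormant".
        dormant = previous is None or (when - previous).days > DORMANT_DAYS
        if dormant and key.startswith(TOPUP_DESCRIPTORS) and pence <= TOPUP_CEILING_PENCE:
            flagged.append((when, descriptor, "top-up at a merchant not used recently"))
        elif dormant and pence <= PENNY_CEILING_PENCE:
            flagged.append((when, descriptor, "penny charge at an unfamiliar merchant"))
        last_seen[key] = when
    return flagged


# Constructed sample statement (not real data): a genuine top-up long ago,
# regular shopping, then a small top-up and a penny probe.
STATEMENT = [
    (date(2009, 8, 3), "O2UK (Nelson) 01753 565969", 1000),
    (date(2011, 1, 28), "CORNER GROCER", 2315),
    (date(2011, 2, 10), "CORNER GROCER", 1840),
    (date(2011, 2, 18), "O2UK (Nelson) 01753 565969", 3000),
    (date(2011, 2, 19), "UNKNOWN WEBSHOP", 1),
    (date(2011, 2, 20), "CORNER GROCER", 950),
]

if __name__ == "__main__":
    for when, descriptor, reason in flag_card_testing(STATEMENT)[1:]:
        print(when.isoformat(), descriptor, "->", reason)
```

The first entry of any statement has no history behind it, so it is always treated as unfamiliar; feed in as much history as your bank will export.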

Are the Banks Doing Anything About This?

In a word, no. Some banks will alert their customers to any transactions that look suspicious, but they don't appear interested in stopping these fraudulent practices. Simply stated, it's cheaper and easier for a bank to merely write off the lost money on their insurance than to do a true investigation, despite having dedicated fraud departments.

O2 make significant amounts of money for any top-ups that are not eventually charged-back. They use the excuse that adding any additional security checks would make life more difficult for customers.

So, What Ultimately Happens?

You'll notify the bank about the rogue charges on your account (do this immediately!) and they will contact O2 or whoever took the money and then perform a charge-back, possibly requiring you to sign a form beforehand to confirm that it wasn't you. You'll more than likely get your money back, and you'll hear absolutely nothing about what the outcome was.

Further Information

Below are some choice quotes from a thread on MoneySavingExpert.com.

Blah99 says...

"The cause of this issue is to do with how purchase transactions are validated by some retailers, and a piece of software fairly well known in the fraud world. I won't explain exactly what it is on a public forum, but it exploits how credit and debit cards are issued. As you know, all credit and debit cards have the same structure of data on them. This is a common standard known as ISO7812, and it defines how the data is structured and stored. Using certain techniques and software fraudsters are able to generate huge numbers of card details, which they then use in test transactions to check validity.

This is the cause of the O2 purchases people are seeing. Whilst it is possible that your card has been skimmed and this has happened, it's unlikely. A known working card wouldn't be used against a tiny test transaction - it would be hit for a significant amount, because it's "known good".

The bad news is that you have to get your card changed (so that the account number etc changes). The good news is that this is not identity theft, and people aren't running up charges on your credit that you can't see."

Snarf999 says...

"The guy from MBNA said that this kind of activity is known and is usually from a brute force attack, trying as many credit card numbers as possible until one works."

Like-a-Dream says...

"A Bank manager admitted to me that fraud was already so high the banks don't want the public to be aware so they try and hush-up the extent of the frauds."

Posted: 2011-02-22 at 22:36:33