Fun with stolen credit-card numbersRisks Digest 23.02

[Dave Farber <dave () farber net>]

Date: Sun, 26 Oct 2003 21:29:57 -0500
From: Jonathan Kamens <jik () kamens brookline ma us>
Subject: Update: Fun with stolen credit-card numbers (RISKS-22.93)

RISKS readers might appreciate the following update to my experience with
the theft of my AmEx card number....

Over a month after I canceled the stolen number and got a new one, two charges
I did not make from America On-Line showed up on my statement.

According to AOL, my number was used to open two AOL accounts, but by the
time AOL tried to bill the number, I had canceled it.  AmEx's policy for
this situation is not what you would expect, i.e., to reject a charge to a
number canceled due to fraud, but rather TO TRANSMIT THE NEW NUMBER TO THE
MERCHANT.  Yes, that's right, AmEx gave AOL my replacement card number, and
AOL turned around and rebilled me using the new number.  According to AOL,
other card issuers handle this situation more sanely, but AmEx is
"notorious" about correcting card numbers for merchants when they shouldn't.

AOL assured me that once a number has entered their system, users can't see
it, so even after AmEx sent the new number to AOL, whoever opened the
accounts would not have been able to use them to find out my new number.

AmEx denied that they would ever transmit a replacement number to a
merchant.  However, their denial is not credible, because:

* AmEx confirmed that the charges from AOL were made using my new card number;

* The AOL accounts were opened before my replacement number was issued, so
  it's impossible that they could have been opened using the replacement
  number; and

* AOL told me exactly when they billed AmEx with the old number, when AmEx
  sent them the new one, and when they rebilled successfully using it.

I told the AmEx rep. that since he and AOL were giving me different stories,
I wanted him to call AOL and figure out the truth.  He said only the AmEx
"fraud department" could do that, but he could hand the matter over to the
fraud department only by initiating a fraud dispute and canceling my new
number.  I refused to allow him to do this, because I did not believe my new
number had been compromised, and I did not intend to waste more time
changing all of my recurring transactions to a new number twice in two
months.  He said there was no way I could speak to the fraud department
directly.  I finally got him to give me a U.S. Mail address which I could
use to write to them.

Needless to say, I have written them a rather strongly worded letter
demanding a credible explanation for how AOL got my new card number.  It'll
have to be a very good explanation indeed to convince me not to take my
business elsewhere.

As if all this weren't bad enough, AOL gave me one more piece of very
disconcerting information.  One of the AOL accounts was opened using my name,
and the other was opened using MY FIVE-YEAR-OLD DAUGHTER'S NAME.  This elevates
the situation from a simple stolen credit-card number to something potentially
much more serious (and scary).  Therefore, I'll be spending tomorrow making
phone calls to various law-enforcement agencies trying to find someone willing
to initiate an investigation.  I am pessimistic about my chances of success.

-------------------------------------
You are subscribed as interesting-people () lists elistx com
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/