I am no stranger to credit card fraud: in the past I have had my card cloned and had the details stolen from a hack on a retailer. But I thought a card I had never used would be safe from the threat of crime. I was wrong.
Even if you lock your credit card in a safe the moment it arrives, you can still fall victim to charges made by criminals. But how can criminals steal your card details if you’ve never even used them?
At 10pm on a quiet Thursday night in January, I got a text from my bank, Halifax, saying my credit card had been used at Domino’s Pizza for an order costing £30.67.
After 30 minutes on hold on an extremely busy Halifax line, the customer service rep asked why I had called. “Fraud,” I said. “Domino’s?” he replied. Clearly, I wasn’t the only one paying for someone else’s takeaway.
In fact, the UK appears to have been in the grip of a takeaway fraud boom. Recently a colleague’s card details were used to order £300 worth of takeaways in the Andover area over a single weekend.
This week, thousands of First Direct customers found their cards had been used to order chicken dinners at Nando’s. Mention to friends or family that your card was used by fraudsters to buy takeaways, and you will soon learn that you are not alone.
In my case, Halifax froze my card to prevent further charges, and the next morning the card was cancelled and the charges marked to be refunded. Three days later a replacement card arrived on the doormat. Having activated it, I stashed it safely in a drawer. The next day I checked my statement to make sure the pizzas had been refunded – only to find to my horror seven fresh fraudulent charges totalling £465 – all on my new card. These weren’t at Domino’s but an unfamiliar sportswear company in the Midlands.
Given I had activated the card only 16 hours earlier, hadn’t used it or entered the new number into Apple Pay or any other service, and it hadn’t left the house and no one else had access to it, how on earth had someone already spent money on it?
I am not the only person to have found myself asking this question recently – this week, the Guardian Money reader Phoebe Maddrell got in touch to say that her debit card details had been used for fraudulent transactions even though she had never used the card, either online or in person.
In my case, Halifax’s fraud investigations team said I had fallen victim to what is called a “guess attack”, where an organised criminal gang works out the card number and the expiry date. They didn’t need to have stolen the card number in a hack or physical theft, and were able to use it as soon as it was activated.
Looking at a bank card’s 16-digit card number and four-digit expiry date, you might be forgiven for thinking that the combination would be too complex to simply guess. Unfortunately, that is not the case.
“The first thing to realise is that you are not guessing the full 16 numbers at random,” says Jake Moore, a global cybersecurity adviser at Eset. “The first six digits of a credit card number signify the card network and the issuing bank, while the final digit is the Luhn algorithm checksum.”
That means the criminals are not guessing 16 digits but nine: the first six are fixed once they pick a bank to target, and the final Luhn digit is not guessed at all but computed from the other 15. The checksum was designed to catch manual input errors, such as a mistyped digit or two digits transposed, but criminals can use it the same way, discarding any candidate that fails the check. It only shows that a number is well formed, not that a bank has actually issued it.
“There are websites out there that have Luhn verifiers which help find these numbers in little or no time at all, making the chances of locating a card in use relatively high,” Moore says.
Once a criminal gang has a well-formed credit card number it can then try it out to see if it is in use. The card verification value (CVV) – the three digits usually printed on the back of the card in or next to the signature strip – helps prevent this kind of attack by adding a further burden on the criminals: three more digits that cannot be derived from the card number and have to be guessed as well.
“There are, however, many websites – often located outside the UK – that will accept card payments without any need for a three-digit CVV number or any other proof of identity,” Moore says.
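As an added illustration of the Luhn arithmetic in the paragraphs above (not code from the article, from Eset or from any bank), the following Python implements the check digit, shows the two kinds of typing error it was built to catch, and works through how much an attacker actually has to guess once the check digit is computed rather than guessed, with and without a CVV. Everything in it is an assumption for illustration: the 16-digit card length, the six-digit bank prefix, a five-year expiry window, and the widely published Visa test number 4111 1111 1111 1111, which is not a real account.

```python
"""Luhn check digit and the arithmetic of a 'guess attack' (added illustration; assumptions noted in comments)."""


def luhn_sum(digits: str) -> int:
    """Luhn sum mod 10 of a digit string that already ends in its check digit."""
    total = 0
    # Walk from the right; the check digit (index 0) is not doubled, every second digit to its left is.
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9  # same as adding the two digits of the doubled value
        total += d
    return total % 10


def luhn_valid(pan: str) -> bool:
    """True if the number is well formed under Luhn. It says nothing about whether the account exists."""
    pan = pan.replace(" ", "")
    return pan.isdigit() and len(pan) >= 2 and luhn_sum(pan) == 0


def luhn_check_digit(body: str) -> str:
    """Check digit for a number missing its final digit: the one digit that makes the sum 0 mod 10."""
    return str((10 - luhn_sum(body + "0")) % 10)


def candidate_pan(bin6: str, account: int) -> str:
    """Build a Luhn-valid 16-digit PAN from a 6-digit bank prefix and a 9-digit account number.

    Assumes a 16-digit card (lengths vary by network). The check digit is computed, not
    guessed, which is why it removes a factor of 10 from the attacker's search rather than adding one.
    """
    body = bin6 + f"{account:09d}"
    return body + luhn_check_digit(body)


def search_space(years_ahead: int = 5, cvv_required: bool = True) -> dict:
    """Candidates an attacker must test per bank prefix. Expiry window and CVV length are assumptions."""
    pans = 10 ** 9                  # nine free digits; the sixteenth is determined by Luhn
    expiries = 12 * years_ahead     # MM/YY values inside a plausible validity window
    cvvs = 1000 if cvv_required else 1
    return {"pans_per_bin": pans, "expiries": expiries, "cvvs": cvvs,
            "total": pans * expiries * cvvs}


if __name__ == "__main__":
    # Widely published Visa test number, not a real account.
    test_pan = "4111 1111 1111 1111"
    print(test_pan, "well formed:", luhn_valid(test_pan))
    print("one mistyped digit caught:", not luhn_valid("4111111111111112"))
    print("adjacent transposition caught:", not luhn_valid("1411111111111111"))
    print("computed check digit for 411111111111111:", luhn_check_digit("411111111111111"))
    print("every generated candidate passes Luhn:",
          all(luhn_valid(candidate_pan("411111", n)) for n in range(0, 10 ** 9, 10 ** 8 + 7)))
    print("search space with CVV:", f"{search_space()['total']:,}")
    print("search space without CVV:", f"{search_space(cvv_required=False)['total']:,}")
```

Note what the check cannot do: every number `candidate_pan` emits passes Luhn, so passing tells the attacker nothing about whether a bank has issued that account. Finding that out takes an authorisation attempt at a merchant, which is the step that bank and merchant fraud systems are built to notice.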
Banks and card companies have sophisticated technology in place to spot and block these attacks in real time, using characteristics of each transaction. Reports after the fact help refine the systems so they can stop more like it.
Criminals typically target websites that handle large volumes of low-value transactions, which makes it harder to spot the fraud among hundreds of thousands of genuine purchases.
Once an attack is identified, additional checks are implemented to block it and prevent further similar frauds, but some transactions will pass through at first.
In my case, Domino’s did request the CVV of the first card but that, too, was guessed, allowing two of the transactions through before further transactions were flagged by Halifax’s systems. Takeaways appear to be targeted because they regularly process low-value purchases where the card is not present. Criminals use a card’s details to make a series of rapid purchases until the card is stopped.
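The rules below are an added illustration of the kind of per-transaction, real-time check the preceding paragraphs describe; they are not Halifax’s, First Direct’s or any card scheme’s logic, and the authorisation log they run over is constructed for the example, with made-up card numbers, merchants, amounts and timestamps. Two patterns are encoded: the issuer-side burst of card-not-present authorisations on a single card that the writer’s statement showed, and the merchant-side “card testing” pattern that a guess attack produces at a high-volume, low-value merchant: many distinct cards sharing one bank prefix in a short window, most of them declined. The thresholds are assumptions; a real system tunes them per merchant and per card portfolio.

```python
"""Two velocity rules for guess attacks over an authorisation log (added illustration, constructed data)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Auth:
    ts: datetime
    pan: str        # a real system would hold a token or hash here, never the raw card number
    merchant: str
    amount: float
    cnp: bool       # card-not-present (online or phone order)
    approved: bool


# Constructed sample log: timestamp,card,merchant,amount,channel,result. Card numbers are made up.
SAMPLE_LOG = """\
2022-01-20T22:00:05,4111110000000001,pizza-shop,30.67,cnp,approved
2022-01-20T22:03:41,4111110000000001,pizza-shop,28.40,cnp,approved
2022-01-20T22:09:12,4111110000000001,pizza-shop,31.99,cnp,declined
2022-01-20T22:15:30,4111110000000001,pizza-shop,29.50,cnp,declined
2022-01-20T18:30:00,4111110000000002,corner-shop,4.20,cp,approved
2022-01-20T21:45:00,4111110000000002,grocer-online,62.10,cnp,approved
2022-01-24T09:00:01,4111110000000101,sportswear-midlands,64.99,cnp,declined
2022-01-24T09:00:14,4111110000000102,sportswear-midlands,64.99,cnp,declined
2022-01-24T09:00:27,4111110000000103,sportswear-midlands,64.99,cnp,approved
2022-01-24T09:00:39,4111110000000104,sportswear-midlands,64.99,cnp,declined
2022-01-24T09:00:52,4111110000000105,sportswear-midlands,64.99,cnp,declined
2022-01-24T09:01:05,4111110000000106,sportswear-midlands,64.99,cnp,declined
"""


def parse_log(text: str) -> list:
    auths = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, pan, merchant, amount, channel, result = line.split(",")
        auths.append(Auth(datetime.fromisoformat(ts), pan, merchant, float(amount),
                          channel == "cnp", result == "approved"))
    return auths


def rapid_cnp_bursts(auths, min_count=3, window=timedelta(minutes=30)) -> set:
    """Issuer-side rule: a card with min_count or more card-not-present authorisations inside the window.

    This is the 'series of rapid purchases until the card is stopped' pattern. Declines count too,
    because a wrongly guessed CVV or expiry produces declines before the first approval.
    """
    times = defaultdict(list)
    for a in auths:
        if a.cnp:
            times[a.pan].append(a.ts)
    flagged = set()
    for pan, ts in times.items():
        ts.sort()
        if any(ts[i + min_count - 1] - ts[i] <= window for i in range(len(ts) - min_count + 1)):
            flagged.add(pan)
    return flagged


def bin_testing(auths, min_cards=5, max_approval_rate=0.5, window=timedelta(minutes=10)) -> set:
    """Merchant/acquirer-side rule: one merchant, one bank prefix, many distinct cards in the window, mostly declined.

    A legitimate merchant sees a spread of prefixes and a high approval rate; a gang testing guessed
    numbers from one issuer produces the opposite.
    """
    groups = defaultdict(list)
    for a in auths:
        groups[(a.merchant, a.pan[:6])].append(a)
    flagged = set()
    for key, rows in groups.items():
        rows.sort(key=lambda r: r.ts)
        for i, first in enumerate(rows):
            win = [r for r in rows[i:] if r.ts - first.ts <= window]
            if len({r.pan for r in win}) >= min_cards:
                approval = sum(r.approved for r in win) / len(win)
                if approval <= max_approval_rate:
                    flagged.add(key)
                    break
    return flagged


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    print("cards with rapid card-not-present bursts:", sorted(rapid_cnp_bursts(log)))
    print("merchant/prefix pairs that look like card testing:", sorted(bin_testing(log)))
```

On the constructed log the first rule flags only the pizza card (four card-not-present authorisations in 16 minutes), and the second flags only the sportswear merchant (six distinct cards from one prefix in just over a minute, one approval). The single card at the grocer and the in-person corner-shop purchase trip neither rule, which is the balance a real deployment has to strike: the attack is visible as a pattern across transactions, not in any one transaction on its own.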
A Halifax spokesperson says: “Through our multilayered fraud detection systems, we never stop fighting to prevent fraud, blocking the vast majority that is attempted. Unfortunately, highly sophisticated criminal gangs also never stop trying to break our defences and some fraud does get through.”
This case has certainly made me reconsider the number of bank cards I hold and why. With every account opened, another card arrives that could result in me being a victim of fraud even if I never use it. Credit card fraud cost the UK £574.2m in 2020, according to data from UK Finance, including £376.5m of e-commerce fraud. While banks refunded 98% of customers and prevented an additional £983m of fraud in the year, there is always a risk it could happen to you.
What can you do to protect yourself?
Protecting yourself against a guess attack is difficult but there are things you can do to prevent the damage they cause.
Never approve a transaction you weren’t expecting. Measures to comply with the new strong customer authentication (SCA) rules are being phased in ahead of the March 2022 deadline. These will typically require customers to verify roughly one in four online transactions, via a one-time passcode sent by SMS or a prompt in the banking app.
Most card issuers allow you to freeze or temporarily deactivate all or some of the card’s functions. These include blocking transactions made outside the UK, online or over the phone, in person, or by contactless. Freezes do not stop recurring transactions, direct debits or transactions where the retailer does not seek authorisation from the bank at the time of payment, such as public transport.
Report fraud to your bank as soon as you spot it. Moore says: “I always advise people to check their bank statements regularly, even daily, to spot any discrepancies. If card details are stolen and slip through the net a small number of times, these cards become very valuable indeed and can be used multiple times, even for years on end, without raising suspicions.”
‘I am concerned that something strange is going on’
Phoebe Maddrell from Herefordshire was one of thousands of First Direct’s customers hit by fraudulent spending at the fast food chain Nando’s.
She received a message on the morning of 17 February querying a £42 payment from the debit card linked to her account. She saw it when she woke up, and responded to say she hadn’t made the payment.
“I then logged into my internet banking and saw that there were multiple transactions via Apple that I didn’t recognise,” she says.
“I started the account last June for saving. I’ve never taken the card out of the house; it’s never been used at a retailer.”
Maddrell contacted the bank straight away and was told that the Nando’s transaction had been blocked, and that the card would be cancelled and the Apple payments not charged to her account. However, later that day the Apple payments went through.
“I really am concerned that something strange is going on,” she says. “There is no way that the fraudsters could have obtained the card details from anywhere. Unless somehow these were breached when the card was sent to me in the post.”
Maddrell’s bank would not shed any light on how the fraud had occurred, saying it could not do so for security reasons, but said there had not been a data breach.
It says Maddrell will be repaid in full and will not need to speak to the fraud team.
A First Direct spokesperson said: “We are aware of some low-value unauthorised retail transactions appearing on a small number of our customers’ cards.
“We want to reassure impacted customers that they will not be left out of pocket and apologise for any inconvenience caused.
“We take our customers’ security very seriously and will be reaching out to affected customers in the coming days.
“We would advise customers to regularly check their statements and get in touch if they notice any suspicious activity.”
Maddrell has complained to the Information Commissioner’s Office about her case, and to the financial ombudsman about First Direct’s unwillingness to explain how the fraud happened, and because she was initially unable to reach the fraud team and was told there was a four-week wait for a callback.