Monitor Your Credit Card Acounts

  The other day I was online to check the activity of one of my credit cards, and found a five-figure charge which came through PayPal. This was a purchase I had not made, and I immediately understood that somehow, someone had hacked the account number. Whether it was a online or offline theft, I currently do not know, but since the account number was relatively new, I do not have too many possible sources to investigate. In addition, I discovered the theft four days after it occurred, and about two weeks before I would have normally been sent my current account statement.

I immediately called PayPal about the charge, and was informed that the my account was red-flagged, as a suspicious purchase; however, as mentioned above, the charge did go through to the credit card company. PayPal informed me of two facts: 1)the charge would be reversed or cancelled, and 2) the name of the purchaser, which appears to be that of a Vietnamese individual (because of the spelling), although it might also be Korean. PayPal fraud prevention personnel are currently investigating the incident.

I notified my credit card company, which was informed of the fraudulent activity by PayPal, and which is issuing me a new account number.

I was happy to see that PayPal flagged the account to prevent further activity. I have a couple of merchant accounts with PayPal, and have always been very satisfied with the company. In this incident, they did the right thing, except, that since the purchase was suspicious, I should have been immedialely contacted by PayPal re: the ligitimacy of the purchase and user.

In 1994, when I was in Panama, I used an American Express card to purchase some items, and before the purchase went through, the shop keeper was contacted by Amex security and was asked to speak with me in order to confirm that I was the authorized purchaser - a process which took about twenty minutes. As a security consultant, I was, to say the least, impressed with Amex's security awareness. So if Amex was able to perform this service via telephone, my question is, why couldn't PayPal have contacted me by phone or e-mail? Other than that, as I previously stated, what they did do was fine.

The point of all this is two-fold. Online purchases using secure transmissions are fine, though, since I can only assume that the account number was hacked online, they may not be 100% effective. On the other hand, the theft could have been done by a person working for the credit card company or other source initially receiving the account number for purchases made, meaning, of course, that one of the security weaknesses might lay in the human sector (hiring procedures), rather than on the technological side.

In addition, let this brief story serve as a reminder of the value of the value of accessing your credit card information online. Regularly check all purchases at least once a week,depending on the frequency of your card use. Do not hesitate to contact sellers and your credit card company whenever you know or believe a problem exists. And when and if possible, press for the prosecution and conviction of anyone found to have committed credit card fraud/theft. Everyone - sellers, credit card companies, and buyers, will appreciate that effort.

For more information, contact joec@cgroup.com