Written – June 2023
Two days ago I was checking the transactions on one of my credit cards and immediately spotted two transactions that had clearly not been made by me. Both were for Amazon and for different amounts, one for around £2 and one for over £90. I knew these were fraudulent as I had not been online in the last week because I have friends visiting.
It was late though so I used the option in the app to freeze the card, highly useful this, and said I’d call the bank the next morning. When that time came there was another transaction that had been made before I froze the card, this one for around £60.
I spoke to the bank who asked me to chat to Amazon and see if they could sort it out first. Amazon were very good and efficient. They confirmed that my card was indeed being used by a different account and after asking if that could be a friend or family member (which it wasn’t) said I’d have to go back to the bank.
The bank then asked me to check my Amazon purchase history and see which transactions on the card were genuine and which weren’t. This was because it looked like there had been more of these fraudulent transactions going back some time.
On checking my Amazon purchase history and comparing it to the card transaction statements I found eleven fraudulent transactions going back to September 2021, almost two years ago, and all for Amazon. But how had I missed these? I’m a very security-conscious guy, and I even have a security appliance on my home / office network that was recommended to me by a former head of cyber at Britain’s GCHQ intelligence office.
What I discovered was that the criminals had been making one or two transactions within a few days of each other, and then leaving the card for several months, up to six months in some cases, before trying again. This is clearly intended to make it much more difficult for the victim to spot the fraudulent transactions.
Then came the question of why all the purchases were for Amazon. Very obviously the criminals weren’t using my card for their weekly shop, as that has to be delivered somewhere, making it all traceable. What would really be happening, I decided, would be that the criminals would have their own Amazon seller account, several of them most likely, and be using stolen card data to purchase non-existent goods from them, effectively using Amazon to launder the money.
The other reason for their using Amazon is that the retailer has a special agreement with banks so that purchases don’t have to be approved in your own banking app; once a card is approved once, it’s approved until it expires.
Anyway, Amazon have been good and my bank has been good, and while there were a few hoops to jump through, my bank reassured me that I didn’t have to worry and the almost £700 that had been stolen over the period would be returned to me in a few weeks.
You might wonder though how I could have been so lax as to allow my card details to be stolen, and which Turkish restaurant I had been visiting. Well, I saw that the first fraudulent transaction was in September 2021, which means my card details will have been obtained shortly before that date. This, of course, was during the pandemic when everybody was in lockdown, not travelling and not going anywhere, especially Turkey or restaurants.
I concluded the only reasonable explanation was that my data had been gathered through a data breach, and that one of the businesses or companies I had used the card with before, which wasn’t many as I didn’t use the card often and had only had it for a year by that point, would be the single point of failure.
I’ve passed this suggestion to the bank so that hopefully they can look at other customers who have spent money with the same businesses, look in partnership with Amazon for fraudulent transactions on their accounts to identify the company that got hacked and then, working with law enforcement, perhaps even recover some of the money.
It’s a lesson for me, but I think also a lesson for all of us. We often bemoan the constant need to authorise every single card transaction online, but when that fails the criminals have a route to steal your money. It’s also true that no matter how strict you are with your security, if your data is stolen in a data breach, anybody can become a victim.
I’m annoyed personally that it’s been going on so long without my noticing. I was suspicious some time ago that something might be wrong but I couldn’t see any evidence of it. This was because of the way the criminals were operating. I will certainly study my credit card statements much more intently in the future, and I’d urge everybody else to do the same with theirs.