To make an online credit card purchase, cybercriminals must know the information printed on the front and back of the credit card, namely the expiry date, the cardholder's name and the CVV number. Online, it does not matter whether the card uses the stronger chip-and-PIN technology or the old-fashioned magnetic stripe, as the physical card is not needed.
Credit card information is a highly perishable asset in the underground market. Its value is largely determined by its validity, and is enhanced if additional information, such as the owner's buying behaviour and home location, is known. Stolen credit card data is sold in batches through dedicated websites or forums to criminal outfits, which resell it in smaller batches, much like a retail supply chain made up of producers, distributors and resellers. At each stage the buyer may resell the same information multiple times. Over time the value of the cards drops as the percentage of invalid cards in a batch increases. To check whether a card is still active, criminals use a process called "carding": carders take a batch of stolen credit cards and attempt small, low-value purchases to verify that each card works.
The continued spate of data breaches is a clear indication of the thriving market for credit card information. Once the data is stolen, criminals are normally in a race against time to extract as much money as possible, usually within the first few weeks of a breach. They exploit two time windows: the first is between the actual theft and the victimized company notifying its affected customers, and the second is the time taken by a notified card owner to deactivate the card. The entire window of exposure, from theft to card deactivation, can range from a few weeks to months. Data breaches are just one of the ways thieves get hold of credit card details; the information can also be obtained from normal use at stores and hotels, from the copies we make for visa applications, and so on.
To make the online experience more secure, credit card companies have instituted an additional authentication measure called 3D Secure, which requires the user to enter a pre-registered secret code. Unfortunately, getting past this additional authentication mechanism is not difficult, as the cybercriminal can easily guess the code, reset it using publicly available information such as the cardholder's date of birth and mother's name, or, as in most cases, phish the information. Very recently the system seems to have been made more secure by sending a One Time Password (OTP) directly to the cardholder's mobile phone instead of requiring a passcode. One lacuna is the lack of an alert when an incorrect password is entered, which would indicate a criminal's attempt to use the card online. While the OTP system is much more secure, it can be compromised if your phone becomes infected with sophisticated malware designed to forward such SMS messages to cybercriminals; even so, it will negate the value of bulk stolen data in underground markets.
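Detection logic an issuer or merchant could run against the two points made above, the card-testing ("carding") pattern of many small authorizations and the missing alert on a failed 3D Secure/OTP entry. This is an added example, not code from the article; the event format, field names and sample events are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authorization events (not real data). Each event is one
# merchant-side attempt: timestamp, source IP, card token, amount, and whether
# the 3D Secure / OTP step succeeded.
EVENTS = [
    {"ts": "2024-03-01T10:00:00", "src": "203.0.113.5", "card": "tok_0001", "amount": 1.00, "auth_ok": True},
    {"ts": "2024-03-01T10:00:20", "src": "203.0.113.5", "card": "tok_0002", "amount": 1.50, "auth_ok": False},
    {"ts": "2024-03-01T10:00:40", "src": "203.0.113.5", "card": "tok_0003", "amount": 0.99, "auth_ok": True},
    {"ts": "2024-03-01T10:01:00", "src": "203.0.113.5", "card": "tok_0004", "amount": 2.00, "auth_ok": False},
    {"ts": "2024-03-01T10:01:30", "src": "203.0.113.5", "card": "tok_0005", "amount": 1.20, "auth_ok": True},
    {"ts": "2024-03-01T12:30:00", "src": "198.51.100.9", "card": "tok_0100", "amount": 249.00, "auth_ok": True},
    {"ts": "2024-03-01T12:31:00", "src": "198.51.100.9", "card": "tok_0100", "amount": 15.00, "auth_ok": True},
]


def detect_carding(events, window=timedelta(minutes=5), max_amount=5.0, min_cards=5):
    """Return the source IPs that attempted low-value authorizations on at
    least `min_cards` distinct cards inside one sliding `window`: the
    card-testing behaviour the article describes as carding."""
    by_src = defaultdict(list)
    for e in events:
        if e["amount"] <= max_amount:
            by_src[e["src"]].append((datetime.fromisoformat(e["ts"]), e["card"]))
    flagged = set()
    for src, attempts in by_src.items():
        attempts.sort()  # chronological order
        for i, (start, _) in enumerate(attempts):
            cards = {card for t, card in attempts[i:] if t - start <= window}
            if len(cards) >= min_cards:
                flagged.add(src)
                break
    return flagged


def failed_auth_alerts(events):
    """Return one cardholder alert per failed 3D Secure / OTP entry, filling
    the gap the article notes: the owner learns of the attempt, not only of
    successful transactions."""
    return [f"{e['card']}: failed authentication from {e['src']} at {e['ts']}"
            for e in events if not e["auth_ok"]]
```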
The best way to protect against fraudulent losses is to keep a close watch on the transactions made and to block the card the moment a fraudulent transaction occurs. In India, credit card companies send an SMS alert to the card owner each time a transaction is made. If that fails, the next option is to scan the monthly credit card statement. Quick deactivation of the card helps to curb losses and to claim insurance.
Choosing a credit card with few caveats and hassles when claiming a refund for a fraudulent transaction is a good idea. When signing up for a card, it is always worth finding out what the fine print says about claiming a refund. Most policies come with caveats, for example the value of the insurance cover and the valid time to make a claim; in some cases the refund applies only if the fraudulent transaction is reported within 24 hours, or if the card was previously reported as stolen. Insurance payouts may be higher if the transaction used 3D Secure authentication, and some insurance companies may allow you to claim within 15 days of receiving your credit card statement. Most require that a police complaint be filed.
While the main focus of this article is fraudulent online purchases, in countries that still use magnetic stripe cards the stolen data is also used to clone cards, which are then used to make in-store purchases. Chip-and-PIN users are safer, as the technology is difficult to clone. In many countries no SMS alert is issued. If you are aware that your card has been stolen, report it immediately. The other advice remains the same as for online fraud.