Unfortunately, it happens.
Someone used my credit card online without my permission. My American Express statement showed a charge for software that I had not ordered. I notified Amex and they checked it out and said that the charge appeared legitimate. The problem was that the data supplied was my card number, my address, and everything else, except the email address was not my email address.
Someone used all of my data and created a special email address to download software and charged it to my account. Amex has turned this over to their Fraud department, and my card number has been changed.
Can an email address be identified as to who originated it?
If a software provider gives a customer a license number for their software, can they revoke that license and make that software inoperable?
What you’ve experienced is identity theft. Besides your credit card number, someone knows enough about you to correctly fill in the billing address used to verify card ownership. The opportunities for full resolution are few and difficult.
Can the email address be traced? It’s extremely unlikely. Can the software be disabled? Ditto.
Let’s look at the steps you should take when this happens, and why resolution is rarely satisfactory.
Become a Patron of Ask Leo! and go ad-free!
Someone using your credit card online?
When you discover a bogus charge on your credit card, the single most important thing to do is to call your credit card company immediately to report it so they can take appropriate action. Beyond that, there’s little you can do to prevent a repeat occurrence other than try to figure out how someone got your information.
First steps
You’ve already taken exactly the right steps: you called the credit card company and told them you had discovered a bogus charge on your card.
They, in turn, took exactly the right steps to protect you: invalidated your old credit card number and issued you a new card. Hopefully, they also refunded you the amount in question. In the U.S., at least, I believe they’re required to, as long as you report the fraud within a certain amount of time.
Those are steps that need to happen as soon as you discover an issue. The sooner you report the issue, the sooner your card will be disabled and the sooner you’ll stop risking additional bogus charges.
And that’s where it ends. Honestly, that’s about all you can do about the incident.
About that email address
While your credit card company probably has your email on file so they can send you promotional and administrative information, it’s not used to validate your credit card when you purchase something.
At a minimum, the credit card company uses the expiration date to confirm you’re holding the card in your hand. They’ll also sometimes check the billing address or postal code you provide against the account, as well as the extended validation code that may be requested from the back or front of your card. They may also use your phone number.
That a different email address was used means nothing.
In fact, it’s possible the merchant didn’t even require a valid email address at all. It’s obviously not good business practice, but the email address is generally used only to send informational messages like sales receipts — messages your thief won’t care about at all.
Obviously, if the product was to be delivered via email, that’s another matter. The email address had to be valid — at least long enough for the thief to get the delivery. Before and after that? It could be completely bogus.
Tracing email
Chances are there’s nothing to trace. The email address was either completely fake or existed only long enough to complete the transaction. The address had nothing to do with who the thief might be or where he was located.
Even if the thief was stupid enough to use a permanent email address that could somehow be associated with him, chances for tracing are still slim to none.
- I believe it would require legal action to force the email provider to reveal any information about an email address, such as the IP address from which a message might have been sent.
- I believe it would require further legal action to force the ISP who owns that IP address to reveal any information about it, such as its location or ownership.
- Even the location might not be enough if it’s shared by multiple users.
Now, even if both entities were cooperative (which is highly unlikely), they may not have the data. That’s an enormous amount of data to log and keep. I expect providers flush their records regularly.
The harsh, practical reality is that an email address cannot easily be traced if the sender sets it up to remain hidden. It simply requires too much cooperation from too many entities who are predisposed not to help.
You actually want things to be this difficult, because this is how your privacy is protected from those who might try to find you.
Kill switch
Revoking the license applied to software after it’s been purchased, installed, and activated amounts to a kill switch. A software vendor could decide — for any reasons it deems appropriate — that you’re no longer entitled to use the software.
Most software does not have a kill switch. Once activated, the software remains so until it’s reinstalled for some reason.
That’s not to say there isn’t software out there with a kill switch. Particularly these days, when software frequently “phones home” to contact the manufacturer’s servers for updates and the like, it wouldn’t be difficult at all.
But depending on the software and its intended audience, one false ‘kill’ — disabling a legitimate user’s software by mistake — could be a public relations nightmare.
Do this
Any time issues like this come up, it’s important — after taking the time-sensitive steps I’ve mentioned above — to sit back and see what lessons can be learned to protect yourself from having it happen again.
How did the thief get your information in the first place? Has that issue been corrected, and if not, what’s to prevent it, or worse, from happening again?
Reviewing Internet Safety: 7 Steps to Keeping Your Computer Safe on the Internet would be a great place to start.
As would subscribing to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.
I have a case like this where netflix was charging several dollars on one of my cards. I had a netflix account then charged on my airtime credit. That is one of the puzzles. Let us assume it was my fault that somebody got my card details. They issued me another card which I unpacked in my room and covered all numbers on it since day 1. The same charges occured even on the next card issued. Fot the 2 replacement cards there should be no way somebody else can get those card info. I ended up closing my account but the card company still issued a third replacement which I kept in a box and never activated. Now I receive emails from this company saying I am charged of the same things. I have reason to believe that these frauds are done internally. And that their assumed and so called security measures are just so overrated and abused.
Subscription services are often automatically transferred to your new card when it’s issued without your needing to do anything. If you have a charge on your card that you didn’t make that you want removed you must dispute that charge with your credit card issuer.
scammers accessed my computer and made unauthorized charges on my credit card. I contacted all appropriate agencies and the bank and filed with the FBI immediately. Given this was the method (computer accessed credit card )used my bank has told me in a letter that the charges were authorized and I’m liable. Is there a difference between fraud and scam? Can they state in the denial letter using the word Authorized charge. when in truth the ‘word’ unauthorized was the action? Do I have recourse?
I honestly don’t know, this result isn’t something I’m particularly well versed in. Credit card companies have always done right by me. I might contact your state attorney general’s office, or some other local consumer protection agency.
2 times my VISA was used without my o.k.
I can say it was my fault. I always buy through Amazon, but those 2 times I went out of the Amazon way and bought directly from the maker of the items. I have learned my lesson to always buy through Amazon, no matter if I have to change manufactures to get what I want to buy. What a world.
I’ve found fraudulent items on my checking account (associated with my debit card) two times in about the past year or so on the day they posted as pending transactions (I review my account every day or two). I immediately contacted my bank. I had the bank disable my debit card and issue a new one with a different number, etc. The bank investigated and determined the transactions were both indeed fraudulent so they reimbursed me for my losses (less than $20.00US each) on both occasions. My bank includes information about the organization with whom the transaction occurs, so I contacted them as well so they have the opportunity to take any action they deem appropriate (It’s not my place to tell them what actions to take, even if that’s what I want to do).
I have no idea how anyone obtained my debit card information or enough additional personal information about me to be able to steal my identity (I’m very careful about publicizing my personal information online) but both events occurred in spite of my caution. My personal recommendation to everyone is to keep a very careful eye on the transactions associated with your financial accounts. When you find anything amiss, contact your bank/financial institution ASAP to get the issue resolved. You may also want to contact the organization with whom the transaction was made.
I hope this helps others,
Ernie (Oldster)
When I am using my Barclaycard online in the UK I am inveriably put through two step authentication, e.g.. I receive code to my mobile which I have to fill in before the transaction takes place. See https://www.barclaycard.co.uk/personal/customer/confirm. That should prevent most if not all mentioned fraudulent transactions.
Over the last few months my VISA credit-card has been hacked for several small amounts (max $80). On every occasion my card was cancelled and replaced, and the money refunded by the bank. This involves additional time to notify any auto-renew providers, not to mention having to wait for a new card to arrive. Since my credit-card account is one of three sub-accounts, one of which contains most of my savings, I decided to open a small-balance ($100) savings account with a separate provider. This limits the potential losses to scammers. I use it exclusively for online purchases. I also top it up with cash across-the-counter at the local office of my bank, thus avoiding all potential access to my credit-card account.
My bank is a credit union, with which I have a debit/credit card. I have one other credit card with a national bank. On both accounts I have it set up to text me for any debit or credit greater than $1. Normally if I make a purchase, either in person or online I receive the text message within minutes, if not seconds with the amount and the company that debited the card. I can immediately check the amount. The credit union is on the ball when there’s a suspect transaction. Once I received a call from the CU saying I had used my card locally to buy dinner (I live in Georgia) and within an hour the same card had been used to buy gas in Chicago. They’d already disallowed the Chicago charge and cancelled my card, with a replacement on the way.
One other thing. If you have a debit card and it’s compromised your account can be wiped out overnight. It can take days or weeks to get it straightened out, but you’ll eventually (probably) get reimbursed. Meanwhile checks and automatic billpay are bouncing. If you use a credit card, on the other hand, you’re not required to pay any disputed amount until the dispute is settled. I only use my debit card to get cash back from a local national retailer. My credit card offers cash back on all purchases. I use the credit card for everything and pay off the balance monthly or sooner so there’s never any interest. End of the year I get a nice check.