Someone used my credit card online without my permission. My American Express statement showed a charge for software that I had not ordered. I notified Amex and they checked it out and said that the charge appeared legitimate. The problem was that the order data supplied was my card number, my address, and everything else, except the email address was not my email address.
Someone used all of my data and created a special email address to download software and charged it to my account. Amex has turned this over to their Fraud department, and my card number has been changed.
Can an email address be identified as to who originated it?
If a software provider gives a customer a license number for their software, can they revoke that license and make that software inoperable?
What you’ve experienced is very close to identity theft. Besides your credit card number, someone knows enough about you to correctly fill in the billing address used to verify card ownership.
The opportunities for full resolution are few and difficult.
Can the email address be traced? It’s extremely unlikely. Can the software be disabled? Ditto.
Let’s look at the steps you should take when this happens, and why resolution is rarely satisfactory.
Become a Patron of Ask Leo! and go ad-free!
What to do
You’ve already taken exactly the right steps: you called the credit card company and told them you had discovered a bogus charge on your card.
They, in turn, took exactly the right steps to protect you: invalidated your old credit card number and issued you a new card. Hopefully, they also refunded you the amount in question. (In the U.S., at least, I believe they’re required to, as long as you report the fraud within a certain amount of time.)
Those are the steps that need to happen quickly, as soon as you discover an issue. The sooner you report the issue, the sooner your card will be disabled, and the sooner you’ll stop getting additional bogus charges to your account.
Honestly, that’s about all you can do.
About the email address
While your credit card company probably has your email on file so they can send you promotional and administrative information, it’s not used to validate your credit card when you check out.
At a minimum, the credit card company uses the expiration date to confirm you’re holding the card in your hand. They also often, but not always, check the billing address you provide against that registered for the account, as well as the extended validation code that may be requested from the back or front of your card. They may also use your phone number.
But the email address means nothing to them when it comes to proving you’re the rightful credit card owner.
In fact, it’s possible the merchant didn’t even require a valid email address at all. It’s obviously not good business practice, but the email address is generally used only to send informational messages like sales receipts — messages your thief won’t care about at all.
Obviously, if the product was to be delivered via email, that’s another matter. The email address had to be valid — at least long enough for the thief to get the delivery. Before and after that? It could be completely bogus.
Chances are there’s nothing to trace. The email address was either completely bogus, or existed only long enough to complete the transaction. The address had nothing to do with who the thief might be or where he is located.
Even if the thief was stupid enough to use a permanent email address that could somehow be associated with him, chances for tracing are still slim to none.
- I believe it would require legal action to force the email provider to reveal any information about an email address, such as the IP address from which a message might have been sent.
- I believe it would require further legal action to force the ISP who owns that IP address to reveal any information about it, such as its location.
Now, even if both entities were cooperative (which is highly unlikely), they may not have the data. That’s an enormous amount of data to log and keep. I expect providers flush their records regularly.
So, if you’re very lucky and it was technically possible to trace an email address, the harsh, practical, reality is that an email address cannot easily be traced — it simply requires too much cooperation from entities that are predisposed not to help.
You actually want things to be this difficult, because this is how your privacy is protected from those who might try to find you.
Revoking the license applied to software after it’s been purchased, installed, and activated amounts to a “kill switch”. A software vendor could decide — for any reasons it deems appropriate — that you’re no longer entitled to use the software.
Most software does not have a kill switch. Once activated, the software remains so until it’s reinstalled for some reason.
That’s not to say there isn’t software out there with a kill switch. Particularly these days, when software frequently “phones home” to contact the manufacturer’s servers for updates and the like, it wouldn’t be difficult at all.
But depending on the software and its intended audience, one false ‘kill’ — disabling a legitimate user’s software by mistake — could be a public relations nightmare.
Any time issues like this come up, it’s important — after taking the time-sensitive steps I’ve mentioned above — to sit back and see what lessons can be learned to protect yourself from having it happen again.
How did the thief get your information in the first place? Has that issue been corrected, and if not, what’s to prevent it, or worse, from happening again?
Reviewing Internet Safety: 7 Steps to Keeping Your Computer Safe on the Internet would be a great place to start.
Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.
I'll see you there!