Technology in terms you understand. Sign up for my weekly newsletter, "Confident Computing", for more solutions you can use to make your life easier. Click here.

What Recourse Do I Have If Someone Used My Credit Card Online?

//

Someone used my credit card online without my permission. My American Express statement showed a charge for software that I had not ordered. I notified Amex and they checked it out and said that the charge appeared legitimate. The problem was that the order data supplied was my card number, my address, and everything else, except the email address was not my email address.

Someone used all of my data and created a special email address to download software and charged it to my account. Amex has turned this over to their Fraud department, and my card number has been changed.

Can an email address be identified as to who originated it?

If a software provider gives a customer a license number for their software, can they revoke that license and make that software inoperable?

What you’ve experienced is very close to identity theft. Besides your credit card number, someone knows enough about you to correctly fill in the billing address used to verify card ownership.

The opportunities for full resolution are few and difficult.

Can the email address be traced? It’s extremely unlikely. Can the software be disabled? Ditto.

Let’s look at the steps you should take when this happens, and why resolution is rarely satisfactory.

Become a Patron of Ask Leo! and go ad-free!

What to do

You’ve already taken exactly the right steps: you called the credit card company and told them you had discovered a bogus charge on your card.

They, in turn, took exactly the right steps to protect you: invalidated your old credit card number and issued you a new card. Hopefully, they also refunded you the amount in question. (In the U.S., at least, I believe they’re required to, as long as you report the fraud within a certain amount of time.)

Those are the steps that need to happen quickly, as soon as you discover an issue. The sooner you report the issue, the sooner your card will be disabled, and the sooner you’ll stop getting additional bogus charges to your account.

Honestly, that’s about all you can do.

About the email address

Credit CardWhile your credit card company probably has your email on file so they can send you promotional and administrative information, it’s not used to validate your credit card when you check out.

At a minimum, the credit card company uses the expiration date to confirm you’re holding the card in your hand. They also often, but not always, check the billing address you provide against that registered for the account, as well as the extended validation code that may be requested from the back or front of your card. They may also use your phone number.

But the email address means nothing to them when it comes to proving you’re the rightful credit card owner.

In fact, it’s possible the merchant didn’t even require a valid email address at all. It’s obviously not good business practice, but the email address is generally used only to send informational messages like sales receipts — messages your thief won’t care about at all.

Obviously, if the product was to be delivered via email, that’s another matter. The email address had to be valid — at least long enough for the thief to get the delivery. Before and after that? It could be completely bogus.

Tracing email

Chances are there’s nothing to trace. The email address was either completely bogus, or existed only long enough to complete the transaction. The address had nothing to do with who the thief might be or where he is located.

Even if the thief was stupid enough to use a permanent email address that could somehow be associated with him, chances for tracing are still slim to none.

  • I believe it would require legal action to force the email provider to reveal any information about an email address, such as the IP address from which a message might have been sent.
  • I believe it would require further legal action to force the ISP who owns that IP address to reveal any information about it, such as its location.

Now, even if both entities were cooperative (which is highly unlikely), they may not have the data. That’s an enormous amount of data to log and keep. I expect providers flush their records regularly.

So, if you’re very lucky and it was technically possible to trace an email address, the harsh, practical, reality is that an email address cannot easily be traced — it simply requires too much cooperation from entities that are predisposed not to help.

You actually want things to be this difficult, because this is how your privacy is protected from those who might try to find you.

Kill switch

Revoking the license applied to software after it’s been purchased, installed, and activated amounts to a “kill switch”. A software vendor could decide — for any reasons it deems appropriate — that you’re no longer entitled to use the software.

Most software does not have a kill switch.  Once activated, the software remains so until it’s reinstalled for some reason.

That’s not to say there isn’t software out there with a kill switch. Particularly these days, when software frequently “phones home” to contact the manufacturer’s servers for updates and the like, it wouldn’t be difficult at all.

But depending on the software and its intended audience, one false ‘kill’ — disabling a legitimate user’s software by mistake — could be a public relations nightmare.

Lessons learned

Any time issues like this come up, it’s important — after taking the time-sensitive steps I’ve mentioned above — to sit back and see what lessons can be learned to protect yourself from having it happen again.

How did the thief get your information in the first place? Has that issue been corrected, and if not, what’s to prevent it, or worse, from happening again?

Reviewing Internet Safety: 7 Steps to Keeping Your Computer Safe on the Internet would be a great place to start.

Podcast audio

Play

31 comments on “What Recourse Do I Have If Someone Used My Credit Card Online?”

  1. Vista, have a kill switch? Surely not, I thought. But sadly, t’was not to be. Straight from Ed Bott’s blog at http://blogs.zdnet.com/Bott/?p=148, Software Protection Platform…

    “You’ll first lose access to key features, including the Aero interface, ReadyBoost performance enhancements, and Windows Defender antispyware detection. Eventually, if you don’t deal with the problem, the measures get more severe and you’re kicked into ‘reduced functionality mode’.”

    This mode is described in more detail in a seperate white paper:

    “The default Web browser will be started and the user will be presented with an option to purchase a new product key. There is no start menu, no desktop icons, and the desktop background is changed to black. The Web browser will fully function and Internet connectivity will not be blocked. After one hour, the system will log the user out without warning. It will not shut down the machine, and the user can log back in.”

    (And this hot on the heels of a story that a bug in Microsofts servers caused thousands of genuine copies of XP to be mistakenly identified as pirated (http://blogs.zdnet.com/Bott/?p=150).)

    But the worst is yet to come.

    “If the Software Protection Platform determines that the core binaries of your system have been hacked with, you will get a notification that operating system has been tampered with. Reinstallation is the remedy. … When an anti-tampering warning first appears, you have three days to reinstall or otherwise fix your copy of Windows Vista or shift into reduced functionality mode.”

    Ouch. Never thought I’d say this, but the Slashbots may have had a point…

    Regarding identity theft, I’d always thought that part of the point of using a credit card was that the credit card company were ultimately liable for any fraudulant use of the card. That’s definitely the case in the UK — Consumer Credit Act 1974, reconfirmed by Consumer Credit Act 2006; though I’m not sure whether it’s the same in the US.

    Reply
    • “Chip and Pin” technology is the credit card company’s way out of total liability. You want chip and pin, and so does the credit card company. The credit card company tracks whether your card was swiped, keyed, tapped, or chip and pin. Swiped and keyed are the biggest sources of fraud and most credit card companies these day have to eat the cost. But with chip and pin, they no longer accept the liability. You alone are responsible for the security of your PIN. The chip indicates the card was present for the transaction and if your PIN is used, then you are out of luck. The credit card company will make you pay for the purchase, reasoning that either you did the transaction or you did not keep your PIN secure. Either way, they see it as your fault.

      So is the answer to not use chip and pin? No, because it also protects you. I had the credit card company call me one day because while I was using chip and pin to buy my groceries, someone was swiping my card 1,000 miles away from home. The credit card company was sure the swipe was fraudulent, they just wanted to confirm with me before cancelling my card. Chip and pin saved my bacon because the credit card company knew exactly what my transaction was and the fraud department could be proactive. By shutting down my card sooner, the credit card company saved me from some inconvenience and they limited their liability to one transaction instead of a whole bunch of transactions by the time i got my statement and was able to review it.

      Reply
  2. Yes, AMEX….I’ve had dealings with them in the past. They do NOT guarantee their cards against
    forged charges the way VISA and MASTERCARD do. I know from personal experience. You can report things to them and they will say they are investigating, but that’s as far as it goes. I’ve cancelled my account with them and will NEVER use them again!

    Reply
  3. I also had problem(s) with AMEX! They showed up on my Credit Report a few months ago – noting that I had an account with them. Well, I notified them I never had an account with them & to correct their records….ALL TO NO AVAIL!! I formally notified them & logged a complaint – all to NO AVAIL!! They really “don’t take care of business”!! BEWARE!!

    Reply
  4. Can someone trace my credit card details through my IP address? I have been billed by some websites like membersla.com for memberships on websites which I didn’t sign up. How did they manage to bill me when no credit card details were provided? I have referred my case to the fraud department of my credit card company but I am not sure what outcome I will get out of it.

    No, you cannot get a credit card number from an IP address.

    – Leo
    24-Nov-2008
    Reply
  5. Hello i have the same problem but i little more different regarding that on the statement was written pioneer.com and a purchase of $835 and i had to change my card and now i dont know what the bank will do will they track him or should i do something how can i find out where is the thief because i think that is not a internet order seems like a delivery …. i dont know what to do i would like to investigate on how to find out the thief and turn him. Your website is great

    Reply
  6. i bought a camera online with me hsbc credit card.thats the only time i have used it on line.some one opend a account with the company http://www.moneybookers.com to send money somwere using my card detailes and usuing a email address [email address removed].i asked bookers for detaile of were the money was sent to but the only info they would give was the email used.i have been cedited with the money back by hsbc but no one seems to be interested in trying to trace the fraudster.can this be done

    Reply
  7. i scheduled my non tourist visa appoint using visapoint of us embassy in manila..on the confirmation email i was only charged 10 dollars but on my card statement i am charged 500 dollars..what can i do to get my money back

    Contact your credit card company.

    Leo
    06-Mar-2010

    Reply
  8. Used My AAA Visa card to purchase a cell phone online with AAA now someone used it to buy $280 worth of phones and contracts..Authorities really aren’t doing much to help.I feel it was someone that works at the company I purchased from.

    Reply
  9. This same thing just happened to me on 3/5/10. I e-mailed the software company after going online to research the charge, and they e-mailed back with the e-mail address that was used, which wasn’t mine. I am now disputing it with the credit card company (American Express) and told the software company they need to revoke the license, since this was acquired illegaly. But how did they get the information to do this. Don’t they have to enter a pin or security code?

    Reply
  10. I ordered a work at home web access for 5.94 it was posted on my account the same day and I asked the seller if that was all the charges she said yes but 5 days later i got a 98.26 posted on my bank card i tried to call but the numbers i found were disconnected or they would say leave your name and phone number and we will get back to you.
    i called my bank i am filing a fraud report to get my money back.
    thanks
    phyllis

    Reply
  11. You say “it would require legal action to force that email provider to reveal any information about that account that could help – like the IP address from which it was created”
    Rather than finding the IP adress from the email provider who registered the email, could i take legal action with the company who sold to my card number theif to acquire the IP adress of the computer that it made the purchase with?

    You’d need to speak to an attorney on that. I’m most definitely NOT a lawyer.

    Leo
    01-May-2011
    Reply
  12. I ordered lunch on-line and next thing I know I got illegal charges on my card. what can i do. the resturant told me to call the cc company.

    Call the credit card company.

    Leo
    10-Jan-2012
    Reply
  13. I have started using virtual credit cards (eg Entropay but there are others) for online purchases for all purchases except from companies I really trust. One loads only the required funds to the virtual card so there is no possibility of extraneous charges as there are no funds there. Also avoids automatic renewals or extensions without your explicit agreement. Cost is about 3 to 4%. We’ll worth it.

    Reply
    • Definitely makes online shopping safer, especially if you’re buying from a company or person you don’t know, a prepaid card is the way to go. But I’ve done online shopping hundreds of times and the only times I’ve ever suffered fraud was twice when my credit card numbers were copied down by rogue workers and one time, someone forged my check number and wrote 2 checks.

      After that happened, I started scraping off the security number from the back of my cards and keeping the numbers encrypted on my computer.

      Reply
  14. There are some defensive measures one can take to reduce CC fraud without having to wait for the bill to arrive. I have several cards from AMEX, VISA and MC and found that AMEX and the various banks involved all have options for notifications that can be set up to alert the cardholder of potential fraud activity. I have text & email alerts set for “Card Not Present” transactions (i.e. online/telephone/mail order purchases), “High Dollar Amount” transactions (you can set the high dollar threshold), foreign transactions and cash/transfer transactions to name a few. When any of these events occur a notification is sent within seconds so you can get on the phone to the card company to report fraud in real time. In any case, in the US, by law you are not responsible for more than $50 for any fraudulent transaction provided you report it as soon as you discover it and within 2 billing cycles and most banks offer zero dollar liability. Read your cardholder agreement.

    Reply
  15. I noticed a unauthorized char:e on my see but card. Statement it seems a friend used my numbers to purchase cell phone mins. Can I cancel her phone

    Reply
  16. Can some one be. Charge and do jail time for a purchase on a credit card online with the person permision .the amount of $489 ..can they go to jail ..

    Reply
  17. The person used my credit card number online to purchase a item worth around $489 .wat can I do after I report the credit card company I dint gave permision

    Reply
    • Best I can say is maybe. It really depends on the merchant that processed the sale. I think they’re supposed to be able to, but I don’t believe that’s always the case.

      Reply
  18. I used someones computer to make a purchase with my card. We have rhe same address. My card was declined due to an unauthorized purchase I did not make & couldn’t pay bills.The package came in their name. So if they knew my name e-mail etc, could they have had access to my card for that order? Their trying to blame the site for their theft, This person has ordered this sort of stuff before. Also does not make sense that the order site would use my card, My money has been refunded.

    Reply
    • I used someones computer to make a purchase with my card. We have rhe same address. My card was declined due to an unauthorized purchase I did not make & couldn’t pay bills.The package came in their name. So if they knew my name e-mail etc, could they have had access to my card for that order? Their trying to blame the site for their theft, This person has ordered this sort of stuff before. Also does not make sense that the order site would use my card, My money has been refunded. That comment was not mine. Just yes or no can this person have access to my card

      Reply
  19. I just noticed that my credit card has been Charged $700+ unauthorized on Oct. 18, 2019 and now is Oct. 19, 2019 so I called my Bank and the agent told me that she needs to cancel my CC and send me a new one but my question is that will the Charge will post or not?

    Reply

Leave a reply:

Before commenting please:

  • Read the article.
  • Comment on the article.
  • No personal information.
  • No spam.

Comments violating those rules will be removed. Comments that don't add value will be removed, including off-topic or content-free comments, or comments that look even a little bit like spam. All comments containing links and certain keywords will be moderated before publication.

I want comments to be valuable for everyone, including those who come later and take the time to read.