Someone used my credit card online without my permission. My American Express statement showed a charge for software that I had not ordered. I notified Amex and they checked it out and said that the charge appeared legitimate. The problem was that the order data supplied was my card number, my address, and everything else, except the email address was not my email address.
Someone used all of my data and created a special email address to download software and charged it to my account. Amex has turned this over to their Fraud department, and my card number has been changed.
Can an email address be identified as to who originated it?
If a software provider gives a customer a license number for their software, can they revoke that license and make that software inoperable?
What you’ve experienced is very close to identity theft. Besides your credit card number, someone knows enough about you to correctly fill in the billing address used to verify card ownership.
The opportunities for full resolution are few and difficult.
Can the email address be traced? It’s extremely unlikely. Can the software be disabled? Ditto.
Let’s look at the steps you should take when this happens, and why resolution is rarely satisfactory.
Become a Patron of Ask Leo! and go ad-free!
What to do
You’ve already taken exactly the right steps: you called the credit card company and told them you had discovered a bogus charge on your card.
They, in turn, took exactly the right steps to protect you: invalidated your old credit card number and issued you a new card. Hopefully, they also refunded you the amount in question. (In the U.S., at least, I believe they’re required to, as long as you report the fraud within a certain amount of time.)
Those are the steps that need to happen quickly, as soon as you discover an issue. The sooner you report the issue, the sooner your card will be disabled, and the sooner you’ll stop getting additional bogus charges to your account.
Honestly, that’s about all you can do.
About the email address
At a minimum, the credit card company uses the expiration date to confirm you’re holding the card in your hand. They also often, but not always, check the billing address you provide against that registered for the account, as well as the extended validation code that may be requested from the back or front of your card. They may also use your phone number.
But the email address means nothing to them when it comes to proving you’re the rightful credit card owner.
In fact, it’s possible the merchant didn’t even require a valid email address at all. It’s obviously not good business practice, but the email address is generally used only to send informational messages like sales receipts — messages your thief won’t care about at all.
Obviously, if the product was to be delivered via email, that’s another matter. The email address had to be valid — at least long enough for the thief to get the delivery. Before and after that? It could be completely bogus.
Tracing email
Chances are there’s nothing to trace. The email address was either completely bogus, or existed only long enough to complete the transaction. The address had nothing to do with who the thief might be or where he is located.
Even if the thief was stupid enough to use a permanent email address that could somehow be associated with him, chances for tracing are still slim to none.
- I believe it would require legal action to force the email provider to reveal any information about an email address, such as the IP address from which a message might have been sent.
- I believe it would require further legal action to force the ISP who owns that IP address to reveal any information about it, such as its location.
Now, even if both entities were cooperative (which is highly unlikely), they may not have the data. That’s an enormous amount of data to log and keep. I expect providers flush their records regularly.
So, if you’re very lucky and it was technically possible to trace an email address, the harsh, practical, reality is that an email address cannot easily be traced — it simply requires too much cooperation from entities that are predisposed not to help.
You actually want things to be this difficult, because this is how your privacy is protected from those who might try to find you.
Kill switch
Revoking the license applied to software after it’s been purchased, installed, and activated amounts to a “kill switch”. A software vendor could decide — for any reasons it deems appropriate — that you’re no longer entitled to use the software.
Most software does not have a kill switch. Once activated, the software remains so until it’s reinstalled for some reason.
That’s not to say there isn’t software out there with a kill switch. Particularly these days, when software frequently “phones home” to contact the manufacturer’s servers for updates and the like, it wouldn’t be difficult at all.
But depending on the software and its intended audience, one false ‘kill’ — disabling a legitimate user’s software by mistake — could be a public relations nightmare.
Lessons learned
Any time issues like this come up, it’s important — after taking the time-sensitive steps I’ve mentioned above — to sit back and see what lessons can be learned to protect yourself from having it happen again.
How did the thief get your information in the first place? Has that issue been corrected, and if not, what’s to prevent it, or worse, from happening again?
Reviewing Internet Safety: 7 Steps to Keeping Your Computer Safe on the Internet would be a great place to start.
Do this
Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.
I'll see you there!
Vista, have a kill switch? Surely not, I thought. But sadly, t’was not to be. Straight from Ed Bott’s blog at http://blogs.zdnet.com/Bott/?p=148, Software Protection Platform…
“You’ll first lose access to key features, including the Aero interface, ReadyBoost performance enhancements, and Windows Defender antispyware detection. Eventually, if you don’t deal with the problem, the measures get more severe and you’re kicked into ‘reduced functionality mode’.”
This mode is described in more detail in a seperate white paper:
“The default Web browser will be started and the user will be presented with an option to purchase a new product key. There is no start menu, no desktop icons, and the desktop background is changed to black. The Web browser will fully function and Internet connectivity will not be blocked. After one hour, the system will log the user out without warning. It will not shut down the machine, and the user can log back in.”
(And this hot on the heels of a story that a bug in Microsofts servers caused thousands of genuine copies of XP to be mistakenly identified as pirated (http://blogs.zdnet.com/Bott/?p=150).)
But the worst is yet to come.
“If the Software Protection Platform determines that the core binaries of your system have been hacked with, you will get a notification that operating system has been tampered with. Reinstallation is the remedy. … When an anti-tampering warning first appears, you have three days to reinstall or otherwise fix your copy of Windows Vista or shift into reduced functionality mode.”
Ouch. Never thought I’d say this, but the Slashbots may have had a point…
Regarding identity theft, I’d always thought that part of the point of using a credit card was that the credit card company were ultimately liable for any fraudulant use of the card. That’s definitely the case in the UK — Consumer Credit Act 1974, reconfirmed by Consumer Credit Act 2006; though I’m not sure whether it’s the same in the US.
“Chip and Pin” technology is the credit card company’s way out of total liability. You want chip and pin, and so does the credit card company. The credit card company tracks whether your card was swiped, keyed, tapped, or chip and pin. Swiped and keyed are the biggest sources of fraud and most credit card companies these day have to eat the cost. But with chip and pin, they no longer accept the liability. You alone are responsible for the security of your PIN. The chip indicates the card was present for the transaction and if your PIN is used, then you are out of luck. The credit card company will make you pay for the purchase, reasoning that either you did the transaction or you did not keep your PIN secure. Either way, they see it as your fault.
So is the answer to not use chip and pin? No, because it also protects you. I had the credit card company call me one day because while I was using chip and pin to buy my groceries, someone was swiping my card 1,000 miles away from home. The credit card company was sure the swipe was fraudulent, they just wanted to confirm with me before cancelling my card. Chip and pin saved my bacon because the credit card company knew exactly what my transaction was and the fraud department could be proactive. By shutting down my card sooner, the credit card company saved me from some inconvenience and they limited their liability to one transaction instead of a whole bunch of transactions by the time i got my statement and was able to review it.
Yes, AMEX….I’ve had dealings with them in the past. They do NOT guarantee their cards against
forged charges the way VISA and MASTERCARD do. I know from personal experience. You can report things to them and they will say they are investigating, but that’s as far as it goes. I’ve cancelled my account with them and will NEVER use them again!
I also had problem(s) with AMEX! They showed up on my Credit Report a few months ago – noting that I had an account with them. Well, I notified them I never had an account with them & to correct their records….ALL TO NO AVAIL!! I formally notified them & logged a complaint – all to NO AVAIL!! They really “don’t take care of business”!! BEWARE!!
Can someone trace my credit card details through my IP address? I have been billed by some websites like membersla.com for memberships on websites which I didn’t sign up. How did they manage to bill me when no credit card details were provided? I have referred my case to the fraud department of my credit card company but I am not sure what outcome I will get out of it.
24-Nov-2008
Hello i have the same problem but i little more different regarding that on the statement was written pioneer.com and a purchase of $835 and i had to change my card and now i dont know what the bank will do will they track him or should i do something how can i find out where is the thief because i think that is not a internet order seems like a delivery …. i dont know what to do i would like to investigate on how to find out the thief and turn him. Your website is great
i bought a camera online with me hsbc credit card.thats the only time i have used it on line.some one opend a account with the company http://www.moneybookers.com to send money somwere using my card detailes and usuing a email address [email address removed].i asked bookers for detaile of were the money was sent to but the only info they would give was the email used.i have been cedited with the money back by hsbc but no one seems to be interested in trying to trace the fraudster.can this be done
i scheduled my non tourist visa appoint using visapoint of us embassy in manila..on the confirmation email i was only charged 10 dollars but on my card statement i am charged 500 dollars..what can i do to get my money back
06-Mar-2010
Used My AAA Visa card to purchase a cell phone online with AAA now someone used it to buy $280 worth of phones and contracts..Authorities really aren’t doing much to help.I feel it was someone that works at the company I purchased from.
This same thing just happened to me on 3/5/10. I e-mailed the software company after going online to research the charge, and they e-mailed back with the e-mail address that was used, which wasn’t mine. I am now disputing it with the credit card company (American Express) and told the software company they need to revoke the license, since this was acquired illegaly. But how did they get the information to do this. Don’t they have to enter a pin or security code?
I ordered a work at home web access for 5.94 it was posted on my account the same day and I asked the seller if that was all the charges she said yes but 5 days later i got a 98.26 posted on my bank card i tried to call but the numbers i found were disconnected or they would say leave your name and phone number and we will get back to you.
i called my bank i am filing a fraud report to get my money back.
thanks
phyllis
You say “it would require legal action to force that email provider to reveal any information about that account that could help – like the IP address from which it was created”
Rather than finding the IP adress from the email provider who registered the email, could i take legal action with the company who sold to my card number theif to acquire the IP adress of the computer that it made the purchase with?
01-May-2011
I ordered lunch on-line and next thing I know I got illegal charges on my card. what can i do. the resturant told me to call the cc company.
10-Jan-2012
@Nichols
Definitely contact your credit card company. The attack very likely had nothing to do with the restaurant. How protected was the internet connection where you made the purchase? Here’s an article that explains how an unprotected internet connection puts you at risk:
How do I stay safe in an internet cafe?
I have started using virtual credit cards (eg Entropay but there are others) for online purchases for all purchases except from companies I really trust. One loads only the required funds to the virtual card so there is no possibility of extraneous charges as there are no funds there. Also avoids automatic renewals or extensions without your explicit agreement. Cost is about 3 to 4%. We’ll worth it.
Definitely makes online shopping safer, especially if you’re buying from a company or person you don’t know, a prepaid card is the way to go. But I’ve done online shopping hundreds of times and the only times I’ve ever suffered fraud was twice when my credit card numbers were copied down by rogue workers and one time, someone forged my check number and wrote 2 checks.
After that happened, I started scraping off the security number from the back of my cards and keeping the numbers encrypted on my computer.
There are some defensive measures one can take to reduce CC fraud without having to wait for the bill to arrive. I have several cards from AMEX, VISA and MC and found that AMEX and the various banks involved all have options for notifications that can be set up to alert the cardholder of potential fraud activity. I have text & email alerts set for “Card Not Present” transactions (i.e. online/telephone/mail order purchases), “High Dollar Amount” transactions (you can set the high dollar threshold), foreign transactions and cash/transfer transactions to name a few. When any of these events occur a notification is sent within seconds so you can get on the phone to the card company to report fraud in real time. In any case, in the US, by law you are not responsible for more than $50 for any fraudulent transaction provided you report it as soon as you discover it and within 2 billing cycles and most banks offer zero dollar liability. Read your cardholder agreement.
I noticed a unauthorized char:e on my see but card. Statement it seems a friend used my numbers to purchase cell phone mins. Can I cancel her phone
Unlikely. Contact your credit card provider.
Can some one be. Charge and do jail time for a purchase on a credit card online with the person permision .the amount of $489 ..can they go to jail ..
No way to know. You’d have to contact law enforcement for your jurisdiction.
The person used my credit card number online to purchase a item worth around $489 .wat can I do after I report the credit card company I dint gave permision
Your credit card company should give you instructions on what to do next.
Can my bank tell me who uses my card if the person use their name and address for a shipment ?
Best I can say is maybe. It really depends on the merchant that processed the sale. I think they’re supposed to be able to, but I don’t believe that’s always the case.
I used someones computer to make a purchase with my card. We have rhe same address. My card was declined due to an unauthorized purchase I did not make & couldn’t pay bills.The package came in their name. So if they knew my name e-mail etc, could they have had access to my card for that order? Their trying to blame the site for their theft, This person has ordered this sort of stuff before. Also does not make sense that the order site would use my card, My money has been refunded.
I used someones computer to make a purchase with my card. We have rhe same address. My card was declined due to an unauthorized purchase I did not make & couldn’t pay bills.The package came in their name. So if they knew my name e-mail etc, could they have had access to my card for that order? Their trying to blame the site for their theft, This person has ordered this sort of stuff before. Also does not make sense that the order site would use my card, My money has been refunded. That comment was not mine. Just yes or no can this person have access to my card
There no way for me to know. Sorry.
I just noticed that my credit card has been Charged $700+ unauthorized on Oct. 18, 2019 and now is Oct. 19, 2019 so I called my Bank and the agent told me that she needs to cancel my CC and send me a new one but my question is that will the Charge will post or not?
You’ll have to ask someone at your bank about that. My bank reversed the charges the times unauthorized charges were posted.
That’s a question for your credit card support person. (Generally the answer is no, but you must ask the credit card company to be certain.)
I have a case like this where netflix was charging several dollars on one of my cards. I had a netflix account then charged on my airtime credit. That is one of the puzzles. Let us assume it was my fault that somebody got my card details. They issued me another card which I unpacked in my room and covered all numbers on it since day 1. The same charges occured even on the next card issued. Fot the 2 replacement cards there should be no way somebody else can get those card info. I ended up closing my account but the card company still issued a third replacement which I kept in a box and never activated. Now I receive emails from this company saying I am charged of the same things. I have reason to believe that these frauds are done internally. And that their assumed and so called security measures are just so overrated and abused.
Subscription services are often automatically transferred to your new card when it’s issued without your needing to do anything. If you have a charge on your card that you didn’t make that you want removed you must dispute that charge with your credit card issuer.
scammers accessed my computer and made unauthorized charges on my credit card. I contacted all appropriate agencies and the bank and filed with the FBI immediately. Given this was the method (computer accessed credit card )used my bank has told me in a letter that the charges were authorized and I’m liable. Is there a difference between fraud and scam? Can they state in the denial letter using the word Authorized charge. when in truth the ‘word’ unauthorized was the action? Do I have recourse?
I honestly don’t know, this result isn’t something I’m particularly well versed in. Credit card companies have always done right by me. I might contact your state attorney general’s office, or some other local consumer protection agency.