Check Your American Express Statement!

This is not about something that happened to a friend or a long time ago. This happened to me today.

If you have an American Express card, you need to check your account or statement right away.

I have an American Express card, because I almost live at Costco. I happened to look at the statement that just arrived via e-mail a few hours ago.  There were two charges for something called True.com. These charges really stuck out as I only use this card for Costco.

This card hasn’t been out of my possession.  I do not use this card to buy things on the internet.  I looked up true.com.  It is a matchmaking service.  I am not interested in matchmaking services and had never heard of True.com before.

I called American Express and they immediately credited ~$60 back to my account.  They suggested that I had somehow been tricked into giving my credit card number out on the internet.  But I never use this card on the internet.  They said they had no explanation for me.  They recommended that I call the company in question and tell them that I was not interested in their services.  So I called them and they asked for my credit card number, which, for obvious reasons, I didn’t feel comfortable giving them.  I called Amex back.  The nice man at Amex then admitted that they have seen a huge surge in True.com charges recently and are working with True.com (which they say is a legitimate company) to figure it out.  I called True.com back and gave them the credit card number so that they could delete all accounts associated with that number.  The person I spoke to said, “And I bet your card is still in your possession right?”  “Yes,” I said.  “The problem,” she explained, “is that a lot of American Express cards are closely linked.  The first 12 digits are the same.  So someone who wants to commit fraud just has to manipulate the last few digits until they find one that works.”

YIKES!

1) I like using my American Express card at Costco.  2) They were very helpful in reversing the charges promptly today.  3) I don’t want to throw out the baby with the bathwater . . .

but I am tempted to just cancel the card.  If what True.com says is true, then my card could be used for all sorts of internet purchases without ever leaving my wallet.  And why did I have to call them about these True.com charges?  Shouldn’t they have been proactively searching their database for True.com charges and reversing them?

Comments

12 Responses to “Check Your American Express Statement!”

  1. Robin on May 7th, 2009 1:37 pm

    Hm, that’s scary. I’ve often wondered if that were possible to do with credit card numbers. It’s also kind of odd that someone who wanted to commit that kind of fraud would be so interested in his love life. I would guess they have some kind of way of filtering the money into a separate account. Well, I don’t have an AmEx card, but I’ll pass on the info. We actually shop at Sam’s Club instead of Costco because we can use our Mastercard there.

  2. Lis on May 8th, 2009 7:07 am

    That sort of thing happens at Mike’s work all the time. They spend a lot of time working on their system to make sure it detects fraud because people sign up over and over testing card numbers. If the sign up works they know they have a valid number.
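
Added example (not part of the original post or any commenter's words): a merchant-side check for the pattern Lis describes, flagging a burst of sign-up charges that cycle through many distinct card numbers sharing the same first 12 digits, most of them declined. The thresholds, field names, HMAC key and sample digits are assumptions constructed for illustration.

```python
import hashlib
import hmac
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed thresholds and a placeholder key; tune and store properly in practice.
WINDOW = timedelta(minutes=10)
MIN_DISTINCT_CARDS = 5
MIN_DECLINE_RATIO = 0.6
KEY = b"constructed-demo-key"

def token(value: str) -> str:
    """Keyed hash so the detector never stores raw card digits."""
    return hmac.new(KEY, value.encode(), hashlib.sha256).hexdigest()[:16]

def ingest(ts: str, pan: str, approved: bool) -> dict:
    """Reduce one authorization attempt to the fields the detector needs."""
    return {"ts": datetime.fromisoformat(ts), "approved": approved,
            "prefix": token(pan[:12]),  # same first 12 digits -> same bucket
            "card": token(pan)}

def detect_card_testing(events):
    """Alert once per prefix probed with many distinct, mostly declined cards."""
    windows, alerted, alerts = defaultdict(deque), set(), []
    for ev in sorted(events, key=lambda e: e["ts"]):
        win = windows[ev["prefix"]]
        win.append(ev)
        while ev["ts"] - win[0]["ts"] > WINDOW:  # drop attempts outside the window
            win.popleft()
        cards = {e["card"] for e in win}
        declines = sum(not e["approved"] for e in win)
        if (ev["prefix"] not in alerted
                and len(cards) >= MIN_DISTINCT_CARDS
                and declines / len(win) >= MIN_DECLINE_RATIO):
            alerted.add(ev["prefix"])
            alerts.append({"prefix": ev["prefix"], "at": ev["ts"],
                           "distinct_cards": len(cards), "declines": declines})
    return alerts

# Constructed sample data: the digits are invented, not real card numbers.
PROBE = [ingest(f"2009-05-07T13:00:{i:02d}", f"000000000000{i:03d}", i == 5)
         for i in range(6)]
NORMAL = [ingest("2009-05-07T13:01:00", "111111111111222", True),
          ingest("2009-05-07T13:02:00", "333333333333444", True),
          ingest("2009-05-07T13:03:00", "111111111111222", True)]
ALERTS = detect_card_testing(PROBE + NORMAL)
```

Repeat purchases on one card, as in the `NORMAL` rows, stay below the distinct-card threshold and raise nothing.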

  3. Pmom on May 8th, 2009 9:51 pm

    Lis, that is terrible! But that explains a lot. I was wondering, like Robin was, what the fraudster was going to do with hundreds or thousands of matchmaking site memberships. I mean, once you pass ten . . . But this explains a lot.

    However, I still wonder exactly how they make a profit at this (and I hope I don’t find out through personal experience). Because if they buy something and have it shipped to them, then their address is known. There would be no point in shipping it to me and they don’t have my address anyway, right? They could buy lots and lots of internet services, but how many Wall Street Journal and Cook’s Illustrated subscriptions do you need?

    I am going to for sure keep an eye on my bill now.

  4. HardDiscDriven on May 10th, 2009 5:29 pm

    I can shed some light on this — keep in mind that these thoughts are my own.

    #1, it is quite easy to generate a list of valid credit card numbers, as the numbering system is not a secret. I’ll spare you the algorithm, but essentially, the only security built in is to help prevent the wrong card from being charged if the numbers are transposed — meaning that if you accidentally swap the position of the 7th and 8th digits in your card number when buying something online, the transaction will decline, because the transposition made the card number invalid.

    If a site utilizes little or no precautions for verifying the billing address (read between the lines as “shady”), it is possible to charge a card without having any clue who it belongs to. However, it is somewhat trivial for a savvy criminal to do a reverse-lookup via a bit of marketing-database mining. But I digress.

    #2: The reason for the false charges coming through online dating/matchmaking sites such as true.com is because this is a big money-maker for social-engineering adept criminals. The following articles illustrate a good example, and a bit more detail on the subject…
    http://www.cbc.ca/canada/edmonton/story/2009/02/17/edm-dating-fraud.html?ref=rss
    http://www.scamtypes.com/what-exactly-is-online-dating-fraud.html

    If criminals like this can be likened to bacteria, and the internet to a body, the net is very sick.

  5. Jim F. on May 10th, 2009 7:27 pm

    Once they have a valid number, they can charge things to it, more than Cooks Illustrated and WSJ.

    Just ask Amex to issue a new number. Mastercard just did that for us because there was a suspicious charge on our account.

  6. Pmom on May 11th, 2009 9:35 pm

    I realize that, but my puzzle is how they collect the goods they buy. If they ship it to themselves can’t it be traced?

  7. Pdad on May 14th, 2009 7:26 pm

    I’m still not getting the whole picture here.
    a) Valid card number and expiration date is figured out at crummy site that doesn’t check the billing address
    b) Crook can use this at other crummy sites that don’t check the billing address
    That doesn’t seem like such a great deal…

    Or maybe the idea is that the crook wants an account that cannot be traced so the goal of using your credit card isn’t to avoid the charge (though that’s nice too) but to not have a way to tie the account back to them. So then when they do HardDiscDriven’s suggested type of fraud it is harder to catch them.

  8. Jim F. on May 14th, 2009 8:14 pm

    They ship it to an empty house, watch for the delivery, and pick it up from the door step.

  9. Kevin on May 27th, 2009 9:44 am

    The same incident happened to me recently. I logged into my Amex account online and saw 3 fraudulent charges from True.com. Of course when I contacted Amex, they immediately credited the charges back to my account, but I think I will be canceling my Amex account. It seemed too easy for someone to charge my credit card, and there is no guarantee that it will happen again. I seldom use this card and it pains me to think I would have to keep monitoring it to make sure that no one else is using it.

  10. Chris on June 24th, 2009 7:24 am

    What was said about the first 12 digits all being the same is completely incorrect. As the card number is only 15 digits long, if this were true, that would mean that there are only 1000 possible numbers, but due to Luhn (the algorithm that verifies a card number), this amount would be divided by 10, so that would mean only 100 Amex cards exist… Which is completely incorrect. Many also start with 3760, and some with 3778. These numbers, and the 2 that follow, depend on the country of issue and the currency of the card. :)

  11. Pmom on June 24th, 2009 10:50 am

    Readers, I’m not sure who Chris is–the e-mail address he provided is fictitious. However, his logic makes sense to me. But, given the number of keyword searches (with words like true.com and American Express) that have led people to my site, it does appear that I’m not the only one coping with fraud issues. Perhaps the first twelve digits aren’t the same, but the first six are. Or perhaps Costco-issue American Express cards have quite similar numbers. I have no idea. But something is making it possible for scam artists to guess at valid numbers and that is disturbing.

  12. Michelle W. on July 9th, 2009 9:12 am

    The same thing just happened to me with my AX card and True.com! I never use my AX card and it’s kept locked up in my desk so no one would be able to get ahold of it. I have charges from True.com from the last four months!! I called AX and they were able to credit some back and True.com was actually really helpful and was able to credit the outstanding balance that AX wasn’t able to credit back due to the fact that it was four months ago.

    This is crazy! I’ve never had anything like this happen again and I will definitely be keeping closer tabs on my credit accounts. I just thought I didn’t have to worry about it because the card is always locked up, but I was wrong!

    Thanks for posting this blog by the way! I used this as an example to both AX and True.com. True.com is admitting that many AX accounts have been compromised, but AX claimed they haven’t had any issues that they’re aware of with fraudulent use of AX cards on True.com.

    Thanks again!!

    Michelle
