[PLUG] Financial security on the net

[John Jason Jordan]

Thanks to all who responded, especially Tim. The wikipedia link was
very helpful and informative.

On Wed, 18 Aug 2010 14:06:40 -0700
Aaron Burt <aaron at bavariati.org> dijo:

>> Once Tiffany and I came to the conclusion that the order was bogus
>> Tiffany quickly canceled it. And upon hanging up the phone I
>> immediately called US Bank. It turns out that there was a charge for
>> $1 to zero.com for internet services, and a charge to Lowe's for
>> $2004.99. Both these charges had been immediately reversed by the
>> merchants in question. Neither US Bank nor I have lost a penny. Whew!
>
>Excellent, and good job on limiting the damage!
>Was the Lowe's purchase in-store somewhere or online?

I would like to know all the details of each of the three attempted
transactions. I am guessing that they were online because the card is
still in my pocket. But at this point US Bank has not supplied me with
any of the details. Of course, they are probably just beginning the
investigation. Or maybe they don't even investigate unless they lose
money. If it's as common a problem as Tim says, then it's probably not
cost effective for them to spend efforts investigating when there's
nothing to be recovered. Having your moral outrage vindicated does
nothing for the corporate bottom line.

>> The interesting thing is not that someone acquired the card number,
>> but that apparently they also have my name, address, and phone
>> number.

After reading all the replies and links I am pretty sure the problem
was not an evil merchant. It was almost undoubtedly a dishonest
employee of an online merchant. And I haven't used my PayPal/eBay
accounts for over six months, so those are unlikely sources of the
leak. In fact the entire account has been seldom used lately. The most
recent online transaction I can recall was Amazon from a few months
ago. 

It just occurred to me that Amazon does keep my card data. In
Firefox I have Amazon blocked from saving cookies on my computer
because it annoys the hell out of me to go to Amazon and have the web
site immediately say "hello John!" and "we have new items that we are
sure you can't wait to buy." So I use Firefox to browse Amazon
anonymously, but if I actually want to buy something I use Opera, where
I let Amazon give me its cookies. 

I do a lot of online shopping, but seldom actually buy. Once in a while
an online merchant's web site does not allow me to find out how much
shipping costs unless I add the item to my shopping cart and proceed to
checkout. I might go that far in order to find out the shipping
charges for the item, but I absolutely never proceed to give a card
number. 

I should add that my password with US Bank has not been compromised. No
one can log in to my account. In fact, not even me. I have never been
able to get US Bank to recognize my password. A long time ago I gave up
trying to see my account online. In any event, I am not the victim of a
keylogger or other exploit typical of Windows computers. I use only
Linux, except for Windows 2000 which is installed in Virtualbox OSE.
And my computer is behind a router with firewall at home. The present
situation is just a case of someone acquiring the card number, name,
address and phone number from an online merchant. It's possible that
the malfeasor did so by hacking the transmission of data between my
computer and the merchant, but it's more likely that it was an inside
job. There's a merchant out there with a dishonest employee.