I had a chance to analyze a credit card transaction that was repudiated by the owner and reversed by the bank. Unfortunately, the transaction was reposted after investigation showed that the CVV2 matched.
The bank did their job. They were able to contact the merchant who in turn provided them with the sales record. The transaction was payment for a file hosting site in Ukraine. It shows the Gmail account of the buyer, but not the real name. Searching Google with the email account as keyword yielded nothing.
I reviewed the sales order and noted the unique login name indicated. Did he use the same username on another site? I fired up Google and searched for his username. Two entries appeared, but clicking the links showed that the user is no longer a member. However, the Google search results cached some important details—the account owner’s location, is a female, and born in 1978. Whoever got the credit card details lives in the same province as the card owner. Incidentally, the website is already suspended when I checked it today. It was a local movie download site.
I reviewed the credit card transaction details and noted that the CVV2 matched. However, address verification was marked as not applicable. Either the billing address was not asked or was ignored during card verification.
I went to Google Plus and searched for her profile using her email address. A female name appeared, but the gender was male. Unfortunately, the card owner does not know anyone with that name, and I cannot get additional information online. She can report it to the police, knowing that the thief is local, but that is her call.
Should we now be paranoid and follow the waiter or gas attendant to the cashier, just to ensure that our card details are not copied?