I had a chance to analyze a credit card transaction that was repudiated by the owner and reversed by the bank. Unfortunately, the transaction was reposted after investigation showed that the CVV2 matched.
The bank did their job. They were able to contact the merchant who in turn provided them with the sales record. The transaction was payment for a file hosting site in Ukraine. It shows the Gmail account of the buyer, but not the real name. Searching Google with the email account as keyword yielded nothing.
I reviewed the sales order and noted the unique login name indicated. Did he use the same username on another site? I fired up Google and searched for his username. Two entries appeared, but clicking the links showed that the user is no longer a member. However, the Google search results cached some important details: the account owner’s location, that the owner is female, and that she was born in 1978. Whoever got the credit card details lives in the same province as the card owner. Incidentally, the website was already suspended when I checked it today. It was a local movie download site.
I reviewed the credit card transaction details and noted that the CVV2 matched. However, address verification was marked as not applicable. Either the billing address was not asked for or it was ignored during card verification.
I went to Google Plus and searched for her profile using her email address. A female name appeared, but the gender was male. Unfortunately, the card owner does not know anyone with that name, and I cannot get additional information online. She can report it to the police, knowing that the thief is local, but that is her call.
Should we now be paranoid and follow the waiter or gas attendant to the cashier, just to ensure that our card details are not copied?
/royc