I just closed my MasterCard account after it was used fraudulently — for the second time in less than a month.
This isn’t the first time a card of mine has been compromised but it is the first time it’s happened twice in a row. Even weirder, we
have never used only used the new replacement card that MasterCard sent us one time at a 76 gas station. And finally, this compromised card was an EMV chip card, supposedly more secure.
MasterCard’s fraud detection seems to have worked well. Out of the 51 million transactions MasterCard handles every day, it flagged a $642 purchase at Nordstrom’s that some criminal made with my card on Dec. 23 in San Diego. The MasterCard agent told me that the purchase was refused at the store and I was notified before I even knew a problem existed.
It’s not clear how my information was obtained in the Dec. 23 incident but MasterCard notes in its SEC filing that data breaches “typically involve external agents hacking the merchants’ or third-party processors’ systems and installing malware to compromise the confidentiality and integrity of those systems.”
That’s happened before with my American Express card and others. But then came the dealbreaker. After MasterCard sent me a new replacement card with a new number — it flagged a $99 purchase today at a gas station in Los Angeles. (Update: The folks who have my card tried to use it again yesterday at a gas station in San Francisco). Again, the fraud detection system worked, but there’s something more troubling afoot.
How was the information on my new replacement compromised so quickly?
This time there was no hacking; the number had never been used. Tracing this backwards, the breach like occurred at the 76 gas station. Or someone penetrated the computer of MasterCard, Citibank or the third-party processing systems.
But who knows? Maybe the postman has sticky fingers. Or maybe, since my card has a chip that can be read at a distance using RFID, could someone have obtained my information that way? It’s theoretically possible, but not likely.
So who pays? Not me. By law, if my credit card number was stolen, but not the card, I’m not liable for unauthorized use. Someone is paying, though, and it’s either the merchant that processed the card, the third-party that processed it or the bank that issued it, in my case Citibank.