Attempted fraud on Bank of Ireland credit card

L

Lucius Lamb

Registered User
Messages
37
Bank of Ireland has blocked my credit card after fraudsters tried to charge an online transaction (Spotify purchase) for €9.99. Hats off to the bank for picking it up because, if this transaction were successful, the fraudster would have come back for more.
My problem is that this is the fourth such occurrence since December: three on my spouse's card and once on mine (one account with two cardholders). The bank says that, by generating enough random numbers, fraudsters eventually get lucky by hitting on the right combination of number, expiry date and CCV code of a valid card.
It's a real nuisance because every time the card has to be reissued, which takes 5-7 working days. Regular subscriptions charged to the card have to be switched to the replacement card. I've been left without a card over bank holiday weekend.
Am I just unlucky or does this happen as regularly to other people and at other banks? I appreciate that fraud is rampant but four successful hits in as many months? I'd move to another card company if I thought they'd be less susceptible to fraud attacks.
 
Lucius Lamb said:
The bank says that, by generating enough random numbers, fraudsters eventually get lucky by hitting on the right combination of number, expiry date and CCV code of a valid card.
Click to expand...
That seems a bit odd. Spotify should have systems that block these kinds of automated attempts.

I would use Occam's Razor here and suspect that some provider is leaking your card details to fraudsters. It was 20 years ago, but I once worked in a small firm that had literally hundreds of credit card details on paper in filing cabinets. We would ring customers up to get the CVV code and were instructed to record it! My guess is that a smaller merchant who makes debits via a physical terminal is the risk factor. Credit card details rarely get leaked from Shopify, Amazon, etc.

Lucius Lamb said:
My problem is that this is the fourth such occurrence since December: three on my spouse's card and once on mine (one account with two cardholders).
Click to expand...
Another option is a family member or someone in your house who has access to the cards......

Otherwise you have strong customer authentication set up via app? See here. It would make these kinds of attempts very difficult.
 
Thanks for the feedback. I have set up strong customer authentication on the Bank of Ireland app.
If someone leaked my details to fraudsters, how do the they get the new details after every time the cards are reissued with different numbers, expiry and CCV? Could be an inside job, as you suggest, but there's only me and my spouse in the house

I have a Revolut account but no money in it. Quickest way to add money is from my credit card, which is blocked ........
 
Is your anti virus software on your devices up to date?
Is it possible there's something on your laptop that's capturing the card details...
Maybe with a new card vary things up - only use your phone for payments or only use one particular card for online and see which card gets hacked.
 
Lucius Lamb said:
If someone leaked my details to fraudsters, how do the they get the new details after every time the cards are reissued with different numbers, expiry and CCV?
Click to expand...

I have never heard of card fraud via pure guesswork. Even if you have the card number there are 1000 possible CVV combinations and maybe another 60 possible expiry dates. If you keep entering wrong guesses the system will block you pretty soon.

My guess is that some provider has your details. It's possible there is malware either on your home PC that records your new credit card details each time.

If the pattern is repeated it is less likely to be chance and instead some form of hacking.
 
Lucius Lamb said:
Quickest way to add money is from my credit card
Click to expand...

It's just as quick to suck it out of your bank account. Or ask someone else to transfer money to you while you sort out the problem.

Does adding money from your credit card not result in high charges as, I presume, it's a cash withdrawal?

Brendan
 
All Spotify, sometimes an attempted transaction with zero value. Bank of Ireland says it's a easy way to test the waters. If not intercepted, fraudsters will strike again but for much bigger amounts.
 
My husband has issues with his cards (credit and debit) for about a year now.
First started with a purchase in Amsterdam either early 2021 or late 2020, basically during lockdown. Purchase was coming up as a club for around €200 card was blocked and BOI contacted him to ask if he was making a purchase for that amount. Card was blocked and new one issued.
Few months ago he was using his card and was declined. Called bank and card had been blocked due to suspicious activity, new one issued.
We share bank and credit card (he’s the additional holder). It is strange as I’ve never had any issues (touch wood). Annoying because he has to use my card until he gets issued a new one.
 
Bank of Ireland are correct in saying it's an easy way for fraudsters to test the waters. I ran a low value online platform for a number of years and it was a regular event to see fraudsters with partial credit numbers or a full credit number and no CVC number to make numerous attempts at a low value transaction. We'd stop most but the odd one will often get through (and this was before 2FA) and then we'd never see the card again. It'll be gone off and used on Amazon or some other site. Nowadays, with random number generators and bots, it's even easier.

Likelihood is that your details were harvested elsewhere. One option to consider is to change your name on your new card, so instead of having Lucius on it, have Luc or just L. That might help. However, I hate to say this, it's a problem we all will have to get used to which is why we should all be using our apps to check our bank and card accounts daily.
 
I had two rounds of BOI cards being hacked around 2018/2019. The model was similar each time, start out with a few small transactions then larger ones, though still fairly modest individually (< €100) for eBay or Amazon sales. One of the purchases was for a licence to use music in adverts, bizarrely.

The only common trend between the two cards at the time was Google Pay. I stayed off it for a couple years, though I've gone back more recently without any difficulties.
 
Lucius Lamb said:
It's a real nuisance because every time the card has to be reissued, which takes 5-7 working days. Regular subscriptions charged to the card have to be switched to the replacement card. I've been left without a card over bank holiday weekend.
Click to expand...
The same thing happened to me in recent weeks with BOI and and a spotify transaction.

If you have the card registered to apple pay / wallet, you benefit from getting the new card available to use on your phone immediately, with no waiting for a card to be sent out, which is great here, invaluable if you were travelling. Not sure if similar is available via google pay or other banks?
 
Four different cards belonging to a husband and wife being successfully defrauded in three months through the successful guessing of 16 digit number together with correct CVC number and correct expiry date I would suggest is almost impossible.

Your card details are being leaked somewhere. To be honest, I would look at where the cards were used just before these attempts and see if there is any pattern. You say your husbands cards have been inactive for years so why have them? Cancel them completely for a start. You can get credit cards from any bank.
 
When you’ve received the new card, how many providers have obtained the new details? That shouldn’t be that hard to work out, no?
 
It's actually very easy to guess the 16 digits
  1. the first 6 digits signify the bank and the card issuer. You can look those up online in about 5 seconds for each bank
  2. the last digit is a checksum digit
so therefore you need only guess 9

The 16 digits adhere to an alogrythm called a Luhn alogrythm so with a competent number generator hooked up to a Luhn algorythm, it would be easy to work out card numbers. If you actually understand how the algorythm works (and it's not rocket science and after all, this is a fraudsters livelihood) you could probably work it out by hand or on excel in a few minutes. I used to work in a bank and if we got a damaged cheque, sometimes we'd have to work out account number by hand if you were missing a few digits. It's not hard (although in the case of a cheque it is only 14 digits, 6 digit sort code, 8 digit account, so easier)

the harder thing to guess is the expiry date (one chance in 36) and the CVV number (one chance in 999) but again, bots can try things automatically. Hence the growing complexity of captcha's and MFA.

I'm not encouraging fraud here by the way!!
 
Peanuts20 said:
the harder thing to guess is the expiry date (one chance in 36) and the CVV number (one chance in 999) but again, bots can try things automatically. Hence the growing complexity of captcha's and MFA.
Click to expand...

So still only a one in 36,000 chance that you will get it right even if you have the card number.

My very strong assumption is that Spotify have tools to block attempts from actual card numbers where there are multiple false entries of expiry date and CVV.

A much more plausible assumption is that the OP's card details have been compromised either physically or electronically.
 
You must log in or register to reply here.
Menu
Log in
Register