OK, this was different.
A flurry of alerts informed us about charges on an “inactive” credit card account: someone started using my card from a joint account with Mary. Our two cards have different numbers and security codes, although they produce charges to the same account.
The account was inactive for a simple reason: I’d never taken my card out of its mailer and never bought anything with that number. It was activated when Mary turned on her card, although it still carries that sticker:

The customer service agent discovered Amazon had already issued a refund, so apparently the transaction tripped their fraud monitors.
He canceled that number and I’ll get another card, which I intend to continue not using, in a few days.
What I do not understand: how did my card number and security code end up in play, given that I never used it? AFAICT, the only two places that number appears are on the card and in the issuer’s database.
Do you know how such things work?
A casual web search for the (now invalidated) credit card number produces no hits. The simplest explanation: search engines don’t return results for sixteen digits resembling a credit card number.
Verily: just because you’re not paranoid doesn’t mean they’re not out to get ya!
Comments
4 responses to “Credit Card Fraud Puzzle”
As a small business, it’s possible (although a fraud magnet) to configure the settings to accept cards without requiring the CV code to match, but Amazon generally doesn’t. More likely you’re the victim of a ‘BIN’ attack, where bots flood an ecommerce site with thousands of card/CV combos to find a match.
I’d think sellers (definitely Amazon) would ban a user / IP address / whatever after the first thousand failed purchases, but …
Another charge was to audible-dot-com, owned by Amazon: perhaps that buy confirmed the cracked card numbers before they got down to serious spending. Given my deflicted hearing, audio books are definitely not a thing, so we knew it had to be fraud.
IME (as a site admin) the BIN hackers target smaller ecommerce sites with guest checkout and use many IP addresses to do the farming. A merchant can set limits but generally doesn’t, for fear of losing sales.
A surprisingly large number of valid transactions take a few attempts to get right, especially if the merchant has turned on address matching or suchlike, and phone-based buyers frequently all come through the same IP addresses of their provider’s exit nodes.
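The card-testing pattern and the false-positive trade-off this comment describes, as an added example that is not from the post or its commenters: a small Python check that flags a client IP only when it has been declined on many distinct card tokens inside a short window, while letting a shared provider IP's buyers retry the same card a few times. The log lines, field layout and thresholds are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed checkout-attempt log: timestamp, client IP, card token, result.
# Tokens stand in for a keyed hash of the card number; the PAN is never logged.
SAMPLE_LOG = """\
2024-03-01T10:00:01 203.0.113.5 tok_c1 declined_cvv
2024-03-01T10:00:02 203.0.113.5 tok_c2 declined_cvv
2024-03-01T10:00:03 203.0.113.5 tok_c3 declined_do_not_honor
2024-03-01T10:00:04 203.0.113.5 tok_c4 declined_cvv
2024-03-01T10:00:05 203.0.113.5 tok_c5 approved
2024-03-01T10:00:06 203.0.113.5 tok_c6 declined_cvv
2024-03-01T10:00:07 203.0.113.5 tok_c7 declined_cvv
2024-03-01T10:00:10 198.51.100.9 tok_s1 declined_avs
2024-03-01T10:00:20 198.51.100.9 tok_s1 approved
2024-03-01T10:00:25 198.51.100.9 tok_s2 declined_avs
2024-03-01T10:00:40 198.51.100.9 tok_s2 declined_avs
2024-03-01T10:00:55 198.51.100.9 tok_s2 approved
2024-03-01T10:01:00 198.51.100.9 tok_s3 declined_cvv
"""

def parse_log(text):
    """Parse the constructed log into (timestamp, ip, token, result) tuples."""
    events = []
    for line in text.splitlines():
        ts, ip, token, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, token, result))
    return events

def flag_card_testing(events, window=timedelta(seconds=60), max_distinct_declined=5):
    """Return {ip: count} for IPs declined on more than max_distinct_declined
    distinct card tokens inside any sliding window. A token later approved from
    the same IP is treated as a legitimate retry and not counted, so a shared
    carrier IP whose buyers each fumble address matching once stays unflagged."""
    flagged = {}
    per_ip = defaultdict(list)
    for ts, ip, token, result in sorted(events):
        per_ip[ip].append((ts, token, result))
    for ip, evs in per_ip.items():
        recent = deque()
        for ts, token, result in evs:
            recent.append((ts, token, result))
            while ts - recent[0][0] > window:  # drop events older than the window
                recent.popleft()
            approved = {t for _, t, r in recent if r == "approved"}
            declined = {t for _, t, r in recent if r != "approved"} - approved
            if len(declined) > max_distinct_declined:
                flagged[ip] = max(flagged.get(ip, 0), len(declined))
    return flagged
```

With the sample data the bot IP is flagged at six distinct declined tokens while the shared IP, whose three buyers retried and mostly succeeded, never exceeds one.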
So that’s why that electronic parts retailer demanded that I pass a CAPTCHA before they’d look at my userid and password for my account at their store.
I hate crime.