Author Topic: Weird credit card fraud  (Read 7942 times)

m8547

Weird credit card fraud
« on: December 01, 2015, 11:39:49 PM »
I noticed a pending charge on my credit card that I don't recognize. I haven't used this card in a few months, so it's obviously fraudulent. I've had this happen before on other cards, no big deal. But the weird thing this time is that I've only used this card for exactly three transactions, all of them through Paypal. The only reason I even have it is for the signup bonus. I checked the Paypal links I used to make the transactions, and they are not phishing links. I have no idea how someone could have gotten my info. I'd like to figure it out because now I'm worried they might have access to my personal/financial info in a way I don't know about.

I always access Paypal securely with HTTPS, and I usually check that I'm not clicking on phishing links. I haven't seen any abnormal activity in my Paypal account. I use a Mac, so malware is unlikely (though not impossible). This card has been safely sitting at home, so it's unlikely that anyone could have physically gotten it. My email has 2-factor authentication, so it should be fairly secure.

Has anyone had anything like this happen before? Any ideas about how someone could have stolen my card info? Is there any comprehensive way to check my mac for malware?

bacchi

« Reply #1 on: December 01, 2015, 11:51:03 PM »
AmEx?

Cathy

« Reply #2 on: December 01, 2015, 11:57:44 PM »
Quote from: m8547
...Is there any comprehensive way to check my [computer] for malware?

Not through any simple means, which you can deduce purely through logic with the following argument. Let's suppose you had a program Q that, when run, attempted to determine whether there is malware present on your computer (for some definition of "malware"). When you run program Q, the malware can simply detect that you are running program Q and cause program Q to report that no malware is present, even if that is false. Therefore, as a matter of logic, there is no way to run a program on your computer and thereby determine whether your computer has malicious code installed.

Sophisticated forensic analysis would involve taking a backup of the entire live state of the machine and analysing that data using a known-clean computer (not the computer that might be compromised).
« Last Edit: December 01, 2015, 11:59:30 PM by Cathy »

marty998

« Reply #3 on: December 02, 2015, 12:04:15 AM »
Quote from: Cathy
...Is there any comprehensive way to check my [computer] for malware?

Not through any simple means, which you can deduce purely through logic with the following argument. Let's suppose you had a program Q that, when run, attempted to determine whether there is malware present on your computer (for some definition of "malware"). When you run program Q, the malware can simply detect that you are running program Q and cause program Q to report that no malware is present, even if that is false. Therefore, as a matter of logic, there is no way to run a program on your computer and thereby determine whether your computer has malicious code installed.

Sophisticated forensic analysis would involve taking a backup of the entire live state of the machine and analysing that data using a known-clean computer (not the computer that might be compromised).

Are you saying all anti-virus programs are redundant?

bacchi

« Reply #4 on: December 02, 2015, 12:06:57 AM »
Quote from: Cathy
Therefore, as a matter of logic, there is no way to run a program on your computer and thereby determine whether your computer has malicious code installed.

Boot from a USB/CD and run the scanner from there...

Cathy

« Reply #5 on: December 02, 2015, 12:11:54 AM »
Quote from: marty998
Are you saying all anti-virus programs are redundant?

"Redundant" isn't quite the right word. As a matter of logic, an anti-virus program running on the possibly compromised machine cannot, in general, detect malicious code. However, in practice, malicious code isn't always perfect at hiding itself, so anti-virus programs can detect some specific malicious things.


Quote from: bacchi
Boot from a USB/CD and run the scanner from there...

There are a variety of reasons why this doesn't overcome my argument. For example, the malicious code may have overwritten the firmware of the hard drive and therefore be able to hide itself even from the kind of scanner you mention. Or on the other end of the spectrum, the malicious code might be only in RAM, and when you reboot the computer to boot from USB, all evidence of it is lost.

bacchi

« Reply #6 on: December 02, 2015, 12:20:28 AM »
Quote from: Cathy
Boot from a USB/CD and run the scanner from there...

There are a variety of reasons why this doesn't overcome my argument. For example, the malicious code may have overwritten the firmware of the hard drive and therefore be able to hide itself even from the kind of scanner you mention. Or on the other end of the spectrum, the malicious code might be only in RAM, and when you reboot the computer to boot from USB, all evidence of it is lost.

Yes, it could be in the firmware but be realistic. A lot of sophisticated forensic software can't even detect firmware malware. You might as well worry about the NSA spying on the OP's computer (in other words, if it's true, you're hosed -- accept it or get off the internet).

If it's in RAM and can re-insert itself, it came from somewhere, right? It's on the computer drive(s) or it's using an ET program. Those have signatures that good scanners can and do find. If good scanners can't find them, because they're super-secret and cost millions to create, we're back to the above scenario (accept it or get off the internet).

Cathy

« Reply #7 on: December 02, 2015, 12:27:17 AM »
Quote from: bacchi
If it's in RAM and can re-insert itself...

There's not necessarily any reason to assume that the malicious code has any persistence mechanism. In fact, all evidence of it could already be gone at this point, which is another reason that it's logically impossible for the OP to know whether malware is behind the rogue credit card charge.


Quote from: bacchi
...If good scanners can't find them, because they're super-secret and cost millions to create...

My post was restricted to commenting on a pure logical claim and was not a discussion of any practical information. Your practical comments might be true but are tangential to the point I was making. That said, I am sceptical of your specific claims, such as that it would "cost millions to create" malicious code that isn't detected by an anti-virus program. Have you ever tried? I estimate it would take you a few hours to design your own malicious program that isn't picked up by an off-the-shelf anti-virus program. Even if you value your time at $1,000 per hour, that isn't approaching millions of dollars.

m8547

« Reply #8 on: December 02, 2015, 12:29:42 AM »
The bigger problem is that antivirus software for Macs does not seem as advanced as for Windows computers. And even then, most of them seem to rely on definitions that are imperfect. I've never found traditional scanning definition based AV to be useful, even booting from a read only CD OS or something like that.

I have a good understanding of how Windows malware works and where it likes to hide from years of dealing with it. There are utilities like Malware Bytes and Hijack This that find things that are in places they are not supposed to be, even if they are not known by definitions. I've never dealt with malware on a mac, so I don't even know where to start. It looks like there is a version of MBAM for mac, so I'll try that. MBAM won't run on 10.6.8. Maybe it's time to upgrade.

It seems unlikely that it would be malware since it's so subtle. Out of all the financial info that goes through this computer, the only thing compromised was a credit card I almost never use. That would be weird. They could get a lot more money and have a better chance of getting away with it if they had full access to my computer.

Cathy

« Reply #9 on: December 02, 2015, 12:51:08 AM »
I have no idea what the explanation for your rogue charge is. I just picked this thread as the vehicle to post the logical argument above (and the argument above applies to programs like "Malware Bytes" and "Hijack This" as well). The vendors of these programs grossly overstate their value. See, e.g., Brian Krebs, Antivirus is Dead: Long Live Antivirus, Krebs on Security (May 7, 2014).

bacchi

« Reply #10 on: December 02, 2015, 12:52:03 AM »
Quote from: Cathy
If it's in RAM and can re-insert itself...

There's not necessarily any reason to assume that the malicious code has any persistence mechanism. In fact, all evidence of it could already be gone at this point, which is another reason that it's logically impossible for the OP to know whether malware is behind the rogue credit card charge.

Ah, yes, good point. Practically, though, even the super-sophisticated firmware code left some evidence lying around.

Quote from: Cathy
...If good scanners can't find them, because they're super-secret and cost millions to create...

My post was restricted to commenting on a pure logical claim and was not a discussion of any practical information. Your practical comments might be true but are tangential to the point I was making. That said, I am sceptical of your specific claims, such as that it would "cost millions to create" malicious code that isn't detected by an anti-virus program. Have you ever tried? I estimate it would take you a few hours to design your own malicious program that isn't picked up by an off-the-shelf anti-virus program. Even if you value your time at $1,000 per hour, that isn't approaching millions of dollars.

By the time any scanner is run, the definitions will have been updated. Unless we're talking about a first-day exploit/malware where the OP boots to a USB stick immediately, this won't be a problem. The "millions" of dollars obviously is in reference to the firmware malware developed by Equation.

Of course, if we're going to use extremely unlikely scenarios to prove a purely logical claim, we may as well toss out the "known clean" computer comparison, too. The drive itself could be infected at the manufacturer (see: routers from China). Or the "known clean" drive+mobo was physically removed, altered, and replaced by operatives. Etc., etc.

In other words, you're right -- it is logically impossible to determine if a computer has been infected.

For the world in which we live, and to answer the OP's question, you would boot off a USB stick.

Sibley

« Reply #11 on: December 02, 2015, 07:32:01 AM »
Since all sorts of companies are getting hacked, it's possible that you're not the source at all. Paypal or the credit card company could have gotten hacked. Or it could be simple error. Wait for the transaction to fully post, then call the credit card company to get it removed from your account.

I recently closed a "spare" cc account because of this sort of thing, though I knew exactly what happened and it wasn't fraud.

arebelspy

« Reply #12 on: December 02, 2015, 07:36:24 AM »
And sometimes they--literally--just try numbers, and no one was hacked, you were just randomly hit on.

Don't stress about it.
I am a former teacher who accumulated a bunch of real estate, retired at 29, spent some time traveling the world full time and am now settled with three kids.
If you want to know more about me, this Business Insider profile tells the story pretty well.
I (rarely) blog at AdventuringAlong.com. Check out the Now page to see what I'm up to currently.

TravelJunkyQC

« Reply #13 on: December 02, 2015, 08:06:20 AM »
I had a fraudulent charge on my credit card (first time it has happened) exactly 2 days after signing up for and paying for something through PayPal. I don't really trust them anymore honestly... It's too weird of a coincidence to me.

StacheInAFlash

« Reply #14 on: December 02, 2015, 08:06:37 AM »
Quote from: Sibley
Or it could be simple error. Wait for the transaction to fully post, then call the credit card company to get it removed from your account.

Yeah, just call the CC company before tearing your computer apart looking for a string of malicious code. It is quite possible it is some random blip that will remove itself. Are your other credit cards you've used online still looking fine, I assume? It is probably something on their end and not yours.

Daley

« Reply #15 on: December 02, 2015, 08:09:08 AM »
Everybody slow down a minute on the whole infection malware or passing it off as a blip thing. OP posted this:

Quote from: m8547
I've never dealt with malware on a mac, so I don't even know where to start. It looks like there is a version of MBAM for mac, so I'll try that. MBAM won't run on 10.6.8. Maybe it's time to upgrade.

Emphasis mine.

Snow Leopard hasn't gotten security patches since September 2013. Anyone remember what's happened between then and now?

Can't discount the possibility of malware, because WTF are you doing running an OS that hasn't gotten security updates in two years and has countless unpatched vulnerabilities!? That said... POODLE. It was probably a MITM crypto attack and OP was probably either on open, public, or WEP/WPA secured WiFi when doing one of those three transactions. That, or his router is also ancient and has been rooted itself due to unpatched and exploited vulnerabilities, which also isn't outside the realm of possibility with someone using an OS two years past its sell by date.

m8547, update your router's firmware or see if it supports DD-WRT and consider flashing it over to that. Update your OS. 10.8 Mountain Lion lost security updates three months ago, and Apple is only supporting the three newest OSX releases and pushing new versions annually, so you need to run either 10.9 (Mavericks - probably EOL 09/2016), 10.10 (Yosemite - EOL 09/2017) or 10.11 (El Capitan - EOL 09/2018). Once you're current and secure? THEN change your passwords.
« Last Edit: December 02, 2015, 08:11:01 AM by I.P. Daley »

TheOldestYoungMan

« Reply #16 on: December 02, 2015, 08:26:14 AM »
Anecdotal, but three relatives at Thanksgiving independently reported an issue with a credit card they only use for paypal.

It wouldn't surprise me if paypal had a breach at some point.  It wouldn't surprise me if someone randomly guessed your info.

I would be shocked if it had anything to do with your computer.

I use an un-updated Windows 98 machine (original clean install-no patches) for all my online banking.  There are about a zillion viruses that try to run whenever I turn it on, but fail because nothing can run on Windows 98.

Yes, that was a joke.

m8547

« Reply #17 on: December 02, 2015, 10:11:16 PM »
I'm glad other people have had similar things happen with Paypal. I'm hesitant to trust them any more.

I know my OS is out of date. For a while (probably until around 2008), malware wasn't much of a problem on macs. I guess that's no longer true, but I didn't realize how bad it's gotten. 10.11 has major security improvements (like SIP), so I definitely want to upgrade, but it's a huge hassle with such an old computer. I have lots of software that will break if I upgrade. (NTFS writing KEXTs that SIP will disable, old Java software, old VMWare Fusion that I almost never use so I don't want to pay to upgrade, other old paid software that's nice to have around but not worth upgrading, etc.)

My router doesn't support DD-WRT. I was surprised to see that there have been several firmware updates since I last checked. I figured this thing was no longer supported. I rarely use this computer on shared wifi, and I almost never do financial stuff on shared wifi. My wifi at home is protected by WPA2 personal.

I still don't think it's malware, but I will definitely take steps to secure my computer and financial info. This was a good wake-up call, at least.



Left

« Reply #18 on: December 03, 2015, 12:00:52 AM »
I use one time use numbers when shopping online, don't trust other side to keep my numbers safe...

arebelspy

« Reply #19 on: December 03, 2015, 01:12:11 AM »
If you still want to use that old software, make a virtual image of your drive, wipe and update to new OS, and just load the virtual image when you need those rare items, and don't go online with it (i.e. have all forms of networking disabled).

m8547

« Reply #20 on: December 03, 2015, 07:26:20 AM »
Quote from: arebelspy
If you still want to use that old software, make a virtual image of your drive, wipe and update to new OS, and just load the virtual image when you need those rare items, and don't go online with it (i.e. have all forms of networking disabled).

Except that doesn't work when the old software is the virtualization software!

I successfully upgraded to 10.11 yesterday. It was easier than I expected after I took the time to figure out what programs I actually need to have working. There's an old Java program I use regularly that I replaced, and I'll have to upgrade VMWare Fusion if I want to keep using it, but if anything else breaks, I don't need it.

I also upgraded the firmware on my router.

shadowmoss

« Reply #21 on: December 03, 2015, 07:28:10 AM »
Thinking about how to use the travel hacking stuff has me also thinking that buying a few of the Visa debit cards would be a good way to shop online, or any place that I worry about hacking.  If 'they' hack a temporary debit card it only has whatever amount I put on it when I bought it.  If a site is hacked, none of my actual accounts are exposed.  I still end up getting the points on my rewards card.  It is only exposed at the Office Depot or wherever I buy the temporary debit card.

m8547

« Reply #22 on: December 03, 2015, 09:54:27 PM »
Quote from: Daley
Can't discount the possibility of malware, because WTF are you doing running an OS that hasn't gotten security updates in two years and has countless unpatched vulnerabilities!? That said... POODLE. It was probably a MITM crypto attack and OP was probably either on open, public, or WEP/WPA secured WiFi when doing one of those three transactions. That, or his router is also ancient and has been rooted itself due to unpatched and exploited vulnerabilities, which also isn't outside the realm of possibility with someone using an OS two years past its sell by date.


I can rule out Poodle because Google Chrome dropped support for SSL 3.0 at the beginning of the year, and I've only had the card for a few months. I keep Chrome up to date, at least.

johnny847

« Reply #23 on: December 04, 2015, 08:05:49 AM »
Quote from: shadowmoss
Thinking about how to use the travel hacking stuff has me also thinking that buying a few of the Visa debit cards would be a good way to shop online, or any place that I worry about hacking.  If 'they' hack a temporary debit card it only has whatever amount I put on it when I bought it.  If a site is hacked, none of my actual accounts are exposed.  I still end up getting the points on my rewards card.  It is only exposed at the Office Depot or wherever I buy the temporary debit card.

This is solved by eyem's suggestion
Quote from: Left
I use one time use numbers when shopping online, don't trust other side to keep my numbers safe...

However, only a few banks provide these. I know BoA does, and perhaps Citi, I don't quite remember.
But basically you can get temporary numbers for your cc that are only valid for a certain number of months and a certain dollar amount, both of your choosing.

Thegoblinchief

« Reply #24 on: December 04, 2015, 04:33:00 PM »
Quote from: arebelspy
And sometimes they--literally--just try numbers, and no one was hacked, you were just randomly hit on.

Don't stress about it.

+1

IF the charge even clears, dispute it. I've seen fraudulent charges occasionally show up in my pending charges and never make it onto the statement. Chill the fuck down. I've never seen something escalate from 'huh, weird' to 'tinfoil hat' that fast.

Left

« Reply #25 on: December 04, 2015, 04:53:09 PM »
Are you sure it was even a real charge?

I ask because I notice odd $200 charges when I fill up gas, I called CC company about it when I saw it and found out that because the gas pump doesn't know how much you're going to actually put in, some of them will "charge" up to the max ($200 at this station) and once it stops, it will clear the charge and charge the correct amount. It is essentially putting a hold on the credit card until it finds out how much you actually fill up on. Sometimes it takes a few days to clear the hold which is why I saw it.

But I thought that a personal computer being hacked and getting the info stolen was the least likely possibility... I mean they have to actually "find" you first... then know what site that you use. If you never use paypal or something, they would have wasted efforts...

The more likely point of theft would be the person/company you are giving CC info to on other end when buying online. Nothing you can do about it, not your system.

And not all companies use the same name as their store name for billing purposes... the Burger King doesn't charge credit card with Burger King name, it uses some off "xyz billing co" name. I didn't know it was Burger King until it happened a few times (yeah, I brushed off "unknown" charges...). Really I just remembered how much I spent and it matched, and I didn't use card for anything else. I told CC company it might be a fraud and they tracked it down to BK for me.
« Last Edit: December 04, 2015, 04:56:29 PM by eyem »

enki

« Reply #26 on: December 04, 2015, 10:02:24 PM »
You all seem to take credit card security way too hard. I'd rather spend my day doing Productive Things. That said I did finally suffer stolen card information in October. I punched myself because the day it happened the bank tried to call (using an old number) and didn't get through. One transaction actually went through, three others were stopped by the system. I called the bank the following morning after my card was declined. They emailed me the forms to dispute a fraudulent charge and I shot the reply back on the same day. The whole phone process took about 15 minutes while I drove to my job site. The next day (Saturday) I had my bank print a new card which took about 5 minutes. The fraudulent charge was reversed within 7 days and my life continued as normal. Most likely the information was stolen at a restaurant since a couple people I worked there with also suffered similar issues.

  • The system works.
  • I spent about 20 minutes of my life dealing with it.
  • I should actually carry some cash, especially on days I run out of the house without packing a lunch.
  • Gas station points earned filling my work truck buy passable food.
« Last Edit: December 04, 2015, 10:05:00 PM by enki »