Happy

The owner of Redwood Gymnastic sent me a short email, asking for transaction authorization number as she claimed that is the only way they can find it. In her brief email she did not say who she was, but when I googled her name I found out she is the co-owner of the outfit. The couple also own another gymnastic center in San Francisco Bay Area, fwiw.

I returned her email but never heard back from her despite she said she would worked on it when she got to office last night.

A Chase rep from Elgin, IL called this afternoon. He told me they contacted the merchant and the merchant told Chase that the charge was "mis-entered" when someone called in to pay for his statement. Apparently the security measure at the merchant is at very low level - they did not use the security code for example.

However Chase rep could not explain why with the name of the card holder being different, probably different expiration date, and obviously different billing address, the charge would still go through.

The only thing he could say is, it is not a card swipe type transaction.

This is a rude awakening - because in this case everything that is supposedly to tie the card number to the right holder is either missing in the submission of charge, or mismatching with what the Chase file said, yet a charge can still go through!

The Chase rep offered to UPS the replacement cards to us but I told him no need to. We can just wait for it to come in the mail. I verified with him about the "Claim Material" which he said should come earlier than the 14 business days. In any case, he gave me his full name and phone number (not a toll free) in case I need to call him back.

Hi5z

I wouldn't take this incident lightly. If my credit card has any unauthorized charge on it, I would call cc company immediately to cancel the card. Yes they will ask question but that should be after they close your card. After that, the 2nd thing you should do is to file an official police report for Petit Larceny if charges are below $1000 and identity theft. Credit card company don't really have as much privilage as the cops. As least cops have authority to obtain any information from the cc, the gym, any surveillance camera footage. cc company can have the same but only if the gym cooperates. If you don't file a report and cc company hit a dead end, then your information is out there somewhere in the hands of someone waiting to do it again and next time you may not be so lucky. Imagine your credit score dropped to 500 and you are about to apply a mortgage or a new car..

Happy

New cards arrived on Monday.

A woman from Chase, based in Tempe, AZ, also called to inform me Chase would not send us the Affidavit Form because Chase is able to charge back the Merchant. The transaction was not a card swipe but a phoned-in card payment - Chase did not know exactly how it happened that the card number submitted for charge by the merchant was the same as ours. The merchant has nearly 0 security measure, therefore such mistake is not caught and the charge has gone through smoothly - until we discovered we are hit by an unauthorized charge... Based on the nature of this charge, Chase does not consider it a fraudulent charge therefore no form is required.

As far as Chase is concerned, the case is closed. She said there would not be a written confirmation from Chase regarding case closure. I asked her to send me a letter regardless. She put me on hold said she needed to check the language on the standard letter first. Then she came back and informed me she had arranged a letter to be sent in 7 to 10 business days. I would do a secured email if no closure letter is received after that time frame.

The Gymnastic Center's co-founder never reply my 2nd email after she requested the authorization number for the charge in order to do an investigation. It strikes me the operation(s) are not very organized and not well-run administration-wise. The co-founder also is lack of common courtesy. I can understand she can be busy with 2 Gymnastic centers (one in San Francisco area and one in Petaluma, where the wrong charge occurred), she could have been a bit more polite and considerate when she first returned my email informing the merchant about the wrong charge. Instead she sounded quite arrogant as if I have annoyed her.

Flyer737

FYI, the Princess Cruise offices are in California. Maybe that is the source of the breach.

Happy

Dont think so. The payment was submitted by our cruise agent via the secured Princess site which the travel agents use to make booking / payment etc. Besides the payment was made 9 months ago.

Chase informed me it is able to charge back the merchant because it is not a point of sale transaction - it is a transaction submitted by the merchant without the card being swiped. The merchant claimed it was a transposed number with a phoned-in payment...

Chase now no longer considers this being fraudulent charge because Chase successfully charges back. The rep told me Chase will not send me the "Claim Material" because it is no longer needed due to the charge back. Case is now closed.

jbalmuth

I wonder how often a transposed numbers with a phoned-in payments occur....?

I've often dictated my 15 or 16 digit credit card number over the phone ---- i.e. when making a hotel reservation --- and I can certainly understand how mistakes can occur either by the person reading the number or by the person writing it down. In some ways, it's odd to not have this common practise be a routine source of mispostings. Maybe the Chase folks see this hundreds/thousands of times a day....?

Happy

Apparently it is more common than we would have thought. When I first called in to report the unauthorized / unrecognized charge, the rep wanted us to keep the same card and simply put the card on Watch List but we insisted to have the card replaced. I believe the "keep the card" approach is based on the nature of the transaction the rep saw from Chase system - if it is a point of sale when both our cards are in our possession, no question this is a charge made by a cloned card. If it is a charge submitted by merchant via other method(s), not swiping the card, there is the possibility of transposing numbers.

The scary thing is, there are ways to submit charges WITHOUT any verification of cardholder's name, billing address, even expiration date does not need to be exact as long as it falls in the valid period - the charge CAN and WILL go through. I guess this is something most folks including us, would never think it can happen when name, billing address and expiration date all do not match - but just the card number alone, the charge can still go through.

Counsellor

Just saw this.

It was almost certainly not a transposed number. Credit cards (so I'm told) have the last digit as a "check digit" that is determined by a complicated formula based on the other digits in the card number, and their placement/order.

This is to guard against just such a transposition. In other words, if the digits are transposed, the check digit wouldn't be the same, and so the number should have been rejected as not a valid credit card number from that issuer. The fact that it was not rejected (and was indeed a valid number -- yours) argues strongly against a mere transposition.

jbalmuth

Could you please provide a reliable source for the "check digit" info?

When you request additional AMEX cards for family members etc. the new cards come with the same first 13 digits as the original, and only the 2 final digits change. For example, on one of my AMEX accounts, my card ends 05, my wife's ends with 13, my mother in law's with 47, and my brother in law's with 39. That these final digits (5,3,7,and 9, or 05, 13, 47, and 39) could all be accurate "check digits" for the preceeding identical 13 digits is pretty unintuitive...

lifescool

I better look into my united card through chase....thanks for altering us on the forun

mia

I believe the reference is to the Luhn algorithm

jbalmuth

Following up on my AMEX example, each of the 4 cards fulfills the Luhn algorithm. Thanks for sharing!^

lifescool

Transactions seems to be all in order so far - keeping my eyes open for something out of the ordinary.

nrr

I had a credit card which was compromised by (1) logging into my on-line account and changing my address, (2) a few $2 charges were placed--as a test run, (3) a charge to NEWEGG Computer, for an item to be shipped to the "new" address, surprisingly, the charge was for <$300. I monitor my accounts regularly and caught the fraudulent charges (the same day).
I'm not sure how they got my password.

Happy

That is my first thought - how could someone get your password?

Unless you have logged in your account from a public computer and that public computer is compromised to begin with.