onesocalkid

My CSP was hit earlier, but we also have a business card with a California bank. No less than 20-25 staff had their cards compromised. I am thinking it's either an inside job (employee at CC maker/acccess to data) or that somehow they are being skimmed (chip??) on the way out. In most of those cases, the cards were already dead upon arrival and all had been newly made cards.

rrgg

It's funny that you say that. Chase sent a new Ink MC because my old one had no chip. When I called to confirm receipt the rep wanted me to talk to security and the card had already been compromised. So skimming on the way out (or somehow collecting card info on its way out) fits with your hypothesis.

manneca

I think it's the cc maker. I've had my Cap One and my CSP and Chase United card both compromised just after I received a new card. In all cases, fraud caught it immediately.

Jenesequoia

Lurker, registered when I found this thread.

Have several Chase cards in household, no problems, but CSP got hacked four times this year. The final replacement card, about three weeks ago, lasted three days before it got hacked again. One fast food chain transaction, never typed online, etc. I finally gave up and closed the account. Now I see it seems to be a widespread problem.

Edit to add more info: the first fraudulent charge was a "Harry and David" order. After that, several of them were $1.00 auth attempts from weird vendors, e.g. a Stein Mart location in another state, or obvious "Square" POS systems with un-Google-able business names. ("Nelson's Buns". Street food or a porn site? Your guess is as good as mine!). I think I got a few fraud texts, but they didn't catch all of them.

To keep this from being a strictly "me too" post ... The account was opened in early 2013. If I wait for them to close this leak (I guess when this thread stops being bumped?, heh) and then reapply, am I correct to assume I'll be eligible for a new sign up bonus?

Edited to answer my own question: chase approved me tonight for a new CSP, via a bonus landing page. I'll call them next week to verify I do qualify for the bonus program and waived AF.

blaz

I think it is someone simply guessing credit card numbers. Numbers are issued in blocks and the algorithm to calculate the checksum is well known, so it is fairly easy to generate a valid credit card number.

The difficult part is guessing the expiration date and the CVV. The fact that Chase is usually catching those transactions is likely because the fraudster doesn't have the correct CVV or expiration date. They conduct a couple of small test charges. Of course some merchants (like Amazon!) don't even check the CVV, so you only need the expiration date.

The reason why Chase is hit so often is also simple: they issue a lot of cards, so they have a large block of credit card numbers. The probability that someone guesses a Chase number is thus higher than for other issuers.

viag8

I just opened a CSP and a Freedom card. I received the the Freedom card first, and when I tried to activate it I got forwarded to the fraud department, who said a charge had been attempted on this card with some wrong information, and they had to cancel it and send a new one.

I still have not received the new Freedom card and already got again a call from Chase fraud to confirm declined transactions on the new, unactivated card that's still in the mail. Again a new card was issued. They said most likely the thieves were using automatic number generators.

When I received the CSP, I used it a couple of times, until I received a call from the fraud department, alerting me of fradulent transactions. They cancelled the card and sent a new one.

This seems too much, all in a 3-week timespan. I've never had this happen with other banks.

Jenesequoia

Update to my post a few posts above: The fact that I was eligible again for the signup bonus was too tempting; I applied again (as mentioned) and was re-approved. I called this morning and confirmed my new account is part of the 50k/$4000 spend program.

I have a completely irrational/superstitious hope that a whole new account might mean I can spend a little time off the hack-go-round, but based on theories of how this is happening, seems unlikely. I'm not going to bother adding the card to recurring minor payments/Apple Pay/etc, and not going to bother trying to get the significant other to adopt the new card, as he has far less patience for this than I do (and he was surprised I bothered re-applying).

Additional data points: this hasn't happened to any of my other Chase accounts, including a long-standing Amazon card, a six-month-old Southwest card, nor a long-standing Freedom (which has been being utilized in identical patterns to the oft-compromised CSP, although I doubt I have to convince anyone in this thread that the hacks aren't happening on the 'user' end). Nor have any of SO's Chase accounts been compromised.

ElDie

Jenesequoia, could you elaborate on how you got a 2nd bonus? Seem to me you were not eligible.
Thanks

Happy

Got a Chase Fraud Alert email on a declined charge attempted on husband's Marriott Biz Card that has not been used since Sept and not even ever left home since then. Someone tried to buy $600 worth of merchandises from a merchant called Tunertool.

Charge was declined hence not even showing as pending. Called Chase fraud dept in Cebu Philippines endured 10 min wait to finally got a rep who took 4 tries to get the card number correct. After 5 or 6 security questions (the usual DOB, last 4 of SSN, Security Word, Address at application, and a phony question that has no answer, plus one I dont remember now), she finally was satisfied and shut down the existing card. Replacement card will arrive next week. Husband was very frustrated dealing with the Filipina rep when she asked the card number repeatedly because she somehow did not get it right so could not pull up the account.

Last 2 compromises on UA Explorer cards were also on cards not used for ages before the fraudulent charge attempts, fwiw.

United747

My Ritz card was compromised last week. I rarely use the card but got a fraud email for ~$300 used at a Dubai based travel agency, charge was approved. I also checked activity online and there was a ~$1.50 charge at a CA electronics store. Called into JPM and answered security questions and got the charges reversed and new card in my hand the next day.

I have no clue where it was taken from. I have used it about 10 times in person and either at the AAdmirals club or a Marriott. I also have it on auto bill for the newspaper and At&t.

solewalker

Well, two weeks ago, my United MileagePlus got compromised, and today, I noticed a fraudulent charge on my IHG. Fun times.

solewalker

I called up Chase, and asked the CS. She mentioned that for my IHG card, the person probably guessed my number and expiration date, because the security code and address were wrong.

United747

Did they let that charge go through with wrong security code? Kinda defeats the purpose.

solewalker

Yep, they did let the charge go through.

corncob

I read this thread the day before charges started appearing on my CSP. 3 x $800 to London Drugs in British Columbia (all different store numbers) and other miscellaneous charges. It seems like they've found places where they can use the card numbers without the address and security code verifications. All charges were approved and showed up in my pending transactions. No idea if they guessed the number or pulled it from somewhere.