wwu123

Anyone have an experience with credit card fraud after using one for an inflight purchase? I haven't used my Mileage Plus Explorer card much lately, in the past three weeks my only use was for a Buy on Board food purchase on a recent trip. Two weeks after, not only had the onboard transaction and receipt NOT posted on my Chase account nor the United inflight receipt site, but Chase contacted me about $500 in fraudulent purchases at TJ Maxx.

I work in the IT security arena, and I'm a little concerned about the lack of realtime transaction processing, and how and where the credit card numbers are being stored either in the inflight devices or back on the ground, between the time of the purchase and when they get around to processing it. It sure seems like too much of a strong coincidence that the onboard purchase never was recorded, and the fraud occurred shortly thereafter...

Chase has cancelled that card since the info was compromised, and is issuing a new one, but I'm still thinking to cancel my Explorer card outright that just came up for renewal. Funny that it's one of the new chip-and-sign cards, although I realize the chip does nothing for fraudulent online purchases.

transportprof

Well, on the bright side, it sounds like you got a free onboard meal out of this experience, at any rate.

TA

People have reported inflight meal purchases posting up to several weeks after the flight, so there is definitely a known lag.... But aside from that I don't believe others here have reported any notable correlation with inflight purchases and subsequent CC fraud, and I'm not sure what mechanism would cause the inflight purchase to lead to separate fraud.

nevansm

I believe that with the new HHD platform + ubiquitous wifi that RT transactions have started to be rolled out. Got a push notificatiom from Amex just a minute or two after a BOB transaction last week (on plane with WiFi and I connected to it).

Wayside

As you're a 1K I hope it wasn't your first meal or drink since those should be complimentary anyway.

notquiteaff

The charges for the inflight purchase may still get posted.

http://www.flyertalk.com/forum/unite...dit-cards.html

Bowgie

It is possible your cc was skimmed months ago, and it took that long for thieves to resell it to someone who wanting to do a fraudulent purchase.

transportprof

But would the charges still go through, even if the credit card was cancelled?

mrswirl

Likely just a coincidence as in-flight purchases are processed in batch mode after the plane lands and there isn't any human intervention involved. The card readers the FA use store the transactions (encrypted) in memory and are synchd up once on the ground.

The fact that Chase reported fraud on your account right after you used your card is probably just coincidental and fraudsters already had your account previously (either by random chance or other skimming activities) and your number was probably sold as part of a larger batch of stolen numbers.

Most people don't realize that batch processing and settlement is still widely in use today - in fact it's the original method going back to the early days of paper receipts and knuckle-buster card readers (cha-chunk!). We're just so used to real time authorization that we don't see what really happens in the back office.

Credit card fraud is like food poisoning... everyone swears it was the dodgy Indian food they had for lunch that made them sick when in reality it was the kale salad they don't remember eating 2 days prior.

Weatherboy

Earlier this year, I had 2 flights I purchased UA WiFi on, each time using a credit card I have never used before. Both times, fraudulent activity appeared up on the card.

I'm glad the payment process to get inflight Wifi has changed, but I think there's more than coincidence that there's fraudulent activity on not just 1 card, but 2, after buying only United Wifi on them.

mehitabel

Whoa - I had almost exactly the same experience, also with a Chase MP card - but it never occurred to me that an in-flight purchase might be the culprit until I read your post and re-checked my transaction dates.

I also rarely use my card for non-protected (eg, Apple Pay/Paypal/Amazon Pay) transactions. I did use it for a Buy on Board meal purchase and a few weeks later was contacted by Chase regarding a fraudulent Lowe's charge. We subsequently found several other fraudulent transactions on the same date. I also immediately canceled the card and had a new one reissued, but was scratching my head trying to figure out when the theft might have occurred. I narrowed it down to two unlikely candidates. It's unsettling to think a United purchase might have been the security breach.

Footnote: In my case, the in-flight charge did post to my account in a typical time frame.

gengar

In short, typically yes.

morelegroom

Yes and no . The transaction date not the posting date is what allows it to flow through to the new number.

We have seen an uptick in Virtually instantaneous identity theft. We had a case where the card number was misused within one day of the card being received and authenticated.

BearX220

I do a little executive communications consulting in the cybersecurity sphere, so understanding the vulnerabilities / attack vectors in these kinds of systems is part of my job although I am not a technologist per se. All I can say is, your concern about wireless transaction systems is very well justified, whether or not they feature batching. Process design rarely includes security from the word go -- it's an afterthought. Nor is security a top-of-mind concern in most organizations of this nature, even to this day.

wwu123

Thanks for everyone's comments, in general I would view the timing as coincidence and agree more than likely that my card info was skimmed a while ago. That's why I was querying if others had similar experience or not, some have but not enough to say that those weren't coincidence either.

What really raised my suspiciion was that the transaction appeared missing too - which could happen if a portable card reader device is storing both the credit card info and the transaction itself, and walked away with someone. But above clarifies that the system is encrypted and synced automatically, which would make it harder to extract the data from the reader.

And if the transaction is not missing, but just taking a long time to be processed as appears to be typical for onboard purchases, then my suspicion will become significantly lowered.