“Within 2 hours of each transaction, we each received fraud alerts from our banks”

Columns

by Prince Of Petworth January 9, 2017 at 9:45 am 69 Comments

giant
3rd and H St, NE

“Dear PoPville,

Heads up-my friend and I each used our credit cards today to buy groceries at the H Street Giant. Within 2 hours of each transaction, we each received fraud alerts from our banks. My friend’s card was only fraudulently charged about $10, but someone made about $1600 worth of purchases on mine. Most charges were at the same Giant and all were made very shortly after our original purchases. Thankfully, our banks reversed these charges. I called the Giant to alert them of the situation, was told the manager wasn’t on site, and never received a call back. I’m sure it’s not a huge issue since banks are so vigilant these days, but I wanted to make you aware, just in case. FYI-both of the stolen cards were originally paid with a chip, not a swipe. Everyone who shopped at Giant today [this weekend] check your online banking!”

JohnH

Did you use the chip reader or swipe?
- JohnH
  
  ABORT that question! I see now. Huh I would think that’d be hard to do with the chip….and it would also mean you used the same check out thing (if a credit card reader was compromised).
Daryl T

This the issue with the Chip.
Banks are leading consumers to believe this is the most safe and efficient method when completing card transactions. This couldn’t be the furthest thing from the truth.

Yes, it prevents someone from duplicating the card, but it does not stop tech thieves who are using the NFC feature that the chip is based on. Someone likely walked the store with an NFC reader and swiped your card info while standing right next to you.

-Former NSA Analyst
- dc_anon
  
  The credit card chips aren’t NFC, that’s only apple/android pay. They require a physical connection to work.
  - Daryl T
    
    This is incorrect.
    The chips do emit an NFC field.
    
    If you are or know and DoD employed person, We have the ability to find people solely based on the that chip. It is powered, and emits a field.
    - Anon5
      
      NFC chips in credit cards are passive. There is no power source in a NFC-enabled credit card.
      
      At the moment only a few US banks issue NFC-enabled cards.
- Anon5
  
  I thought most US-issued credit cards (even chip ones) don’t support NFC yet. I have two Chase VISA cards and I’m pretty sure neither one supports NFC. Certainly neither has the VISA NFC logo on the back.
  - Daryl T
    
    Think about it this way. Your able to use Google, Samsung, Apple pay on POS devices that were developed almost 10 years ago. There is an NFC device in it already right?
    
    The chip in your card may not be an open NFC chip, meaning communicates with POS devices and such, however, someone using an NFC reader hacking your card is an entirely different thing. Being as though your chip is under power, it emits a field, regardless.
    - Anon5
      
      Most U.S. credit cards don’t even have an NFC chip. If you have a Chase or CapitalONE card you’re in the clear since they don’t offer NFC cards. The following banks are the only ones currently offering NFC cards in the United States (or at least they used to, many have been discontinued):
      
      Amegy Bank
      Arvest Bank
      BB&T
      First Internet Bank of Indiana
      INOVA FCU
      JM Associates Federal Credit Union
      PNC Bank
      SunTrust
      Zions Bank
      - Anon5
        
        NB: That’s for Visa cards, not Mastercard or AMEX.
    - Bob
      
      Daryl, you have no idea what you’re talking about. Yes iOS and Android devices are running operating systems originally developed ~10 years ago (although basically totally different at this point) but iPhones only got an NFC chip for Apple Pay 2 years ago when the iPhone 6 debuted. The first Android phone with NFC was the original Google Nexus, which came out in 2010. Like Anon5 below, most US cards don’t have an active NFC chip, and the standard for the chip reader is that it uses a non-powered chip. Take it from someone that works in the payment processing side of a bank that actually uses this technology.
      
      Yes, it is very easy to read an active NFC chip wirelessly, but you need contact on a passive chip like the ones in all but a few credit cards.
      - Daryl T
        
        I said nothing about IOS or Android running their OS from years ago. I said POS (Point of Sale) devices that have been developed 10 years ago. In other words, you go to a merchant that is using a stand alone card swipe machine from 10 years ago, that device is compatible with NFC devices.
        
        In other words, them saying the chip in your card is not NFC ready or active is a lie. What they are really saying, is we have not implemented the program to use your chip and NFC widespread just yet.
        
        So my claim stands. You having an chip in your card only protects you from card cloning, it does not protect your from NFC hackers. If you need me to walk you through the process of how this works, I can do that.
      - anon
        
        You can’t use NFC devices on old POS card readers. Samsung has a payment system that emits a magnetic field that mimics the stripe on a credit card; you can use that on old devices. That is a different (and far, far less secure) system than NFC or chipped cards (since the magnetic field is essentially an open-air unencrypted broadcast of your card info; then again, so is the number embossed right there on the front of your card).
        .
        Daryl T, dunno what your deal is. But you’re all kinds of misinformed.
DCJoe

One of the many reasons the decision in the US to not go with Chip + PIN, but just Chip + Signature, is moronic. Would reduce this type of fraud immensely.
- Hill Denizen
  
  I seriously don’t understand. Other countries have been doing this for decades. We’re not talking new technology here. Also, I don’t understand why our chip readers are slow as molasses. When I lived in Europe over a decade ago, the machines were just as quick as the swipe readers and had the added benefit of being processed on a handheld device so your card never left your sight in restaurants and such. If you’re going to upgrade, just go all the way.
  - textdoc
    
    European countries also tend to make laws/regulations in favor of the consumer, whereas in the U.S. they tend to favor industry/big business.
    - facts
      
      Except that you are never liable for charges made when incidents like this happen; the banks are. But I guess that doesn’t comport with your liberal bias.
      - Jonathan
        
        The bank is not liable, the merchant/store is.
Hookdntx

Follow up question, was this in a self checkout lane or with a cashier?
- caitlynrose
  
  OP here-that’s the thing! Mine was self checkout, my friend went through a checkout with a cashier.
  - Tsar of Truxton
    
    See Daryl T’s comment above. Someone likely had a NFC reader in the store. They just need to get near you.
    - caitlynrose
      
      Thanks! The more troublesome part for us is that we each made our purchases at different times of the day. I went shopping in the morning around 10, and she went around 2:30 pm. If the NFC reader theory holds true, it sounds like it could be an inside job. I don’t want to think that about the workers, who are all pretty great.
    - WannabeDetective
      
      There is an issue that Giant allowed $1600 of expenditure on a stolen card in there store…. and how was that done “very shortly after the original purchases?” Does that tell us anything about how the card was stolen? (i.e support the NFC theory?)
      - caitlynrose
        
        Agreed, and I’m not sure if it tells us how the card was stolen. For clarification, I checked out at 10:55 am and I received a fraud alert from my bank at 1:14 pm. I don’t have the exact time for my friend’s purchase, but she checked out sometime between 2:30-3:30 pm and received a fraud alert from her bank around 5:30-6 pm.
      - JohnH
        
        Why is it an issue that Giant “allowed” the purchase? It’s not like Giant knowingly knew it was a stolen credit card. There is no verification process in place (i.e. in Europe you still have to enter a 4 digit pin). This wasn’t someone’s actual card stolen and used (so asking to see an ID doesn’t matter) – a cashier at Giant would not know the name of the person the card is associated with.
        .
        Although now that I think about it – I would have a hard time spending $1600 at a Giant unless I bought 8 shopping carts worth of food. Unless you bought a lot of allergy medicine?
      - Sara
        
        I wouldn’t be surprised if they bought $1600 of gift cards or something similar. I recently learned that buying Visa gift cards is one of the most effective ways that thieves use stolen bank cards or checks before their owners report them stolen.
    - Anon5
      
      Except only a few U.S. credit cards have the NFC feature. More likely that the system was hacked in-store.
Anon

Thanks so much for sharing this. I’ve had issues with the giant before (not fraud issues, more that the place is just terrible). You can contact the head office if you email, and then they get in touch with the store. It’s way more effective. This is super important in this instance that someone calls you back!
- caitlynrose
  
  Thanks! I’ll definitely contact the head office.
  - Emmanuel
    
    Consider using Apple/Android/Samsung Pay in the future – Giant have it. Contrary to other commenters, your chip card does NOT have NFC unless explicitly marked as so.
- Mojotron
  
  it’s a 7-11 masquerading as a grocery store.
Go to HT instead

This Giant is a complete shithole. It was nice for about a week after it was open. My fiance and I have been ripped off for about a grand at this same store, for this same thing. I am convinced someone who works there is behind this / allowing it to happen.

I also couldn’t get any answers from them when I tried.
- Logan
  
  Lots of bad info here. EMV Chip cards cannot be scanned by a NFC reader. They need physical contact to work. But some cards do also have NFC capabilities.
  - Go to HT instead
    
    I don’t claim to know why it happened or how it happened, only that I experienced the same issue as OP, but months earlier, and at the same store.
  - Bob
    
    Agreed, Logan, lots of bad info from Daryl here about how the EMV chip cards work. since they require contact and power to do anything.
    - Daryl T
      
      here is a link to confirm my perspective. I am a 7 year Army Vet, I have worked for DHS and the NSA. I am telling you this because I know it as an absolute Fact!
      Just like there was a project to figure out how to get chips into paper money, see that holographic band on the bigger bills, what do you think that is?!
      
      http://www.forbes.com/sites/andygreenberg/2012/07/27/hacker-demos-android-app-that-can-read-and-use-a-credit-card-thats-still-in-your-wallet/#680b588b13a8
      - Logan
        
        Just so you know- Daryl is either uniformed or FOS.
        
        That article is not about chip cards – it’s about the contactless cards, the ones with the little wifi signal on it.
        
        You don’t have to worry about thieves walking by and stealing your chip info. Something else is going on at this Giant.
      - Anonymous
        
        Logan, I actually suspect that Daryl knows what he’s talking about and is just doing a really terrible job of explaining it (no offense, Daryl).
      - Bob
        
        Daryl, the holographic band in paper money is no sort of chip, it’s an anti-counterfeiting measure that works because it’s harder for a counterfeiter to put a piece of plastic into their fake money.
  - Daryl T
    
    As I said an in earlier post, this is simply not the case. These chips are under power and do emit a field.
    - Emmanuel
      
      Incorrect. Unless specifically marked as having NFC, it cannot be read by an NFC reader.
- Frustrated by Fraud
  
  My CC card was used fradulently after shopping at this store two weeks ago, and then my wife had the same problem last week! After hearing all of this, I am wondering if this is where our CC security was breached.
Hstreeter

FBI or USSS might have a big interest in this if its with any volume. Call MPD or submit a tip to the FBi
Marty

what does one purchase at a grocery store for $1600 that isn’t somewhat obvious? I suppose gift cards? Otherwise, that’s a lot of laundry detergent to haul home.
- JohnH
  
  Tide IS street currency after all! I was thinking the same – I forgot about the gift cards, that’d be easy to rack up a high amount in.
  - Tsar of Truxton
    
    I think purchasing 1600 in giftcards would (should?) raise a few eyebrows. Expensive wine could get you there pretty easy as well, but the same problem applies. When I was a kid, I worked as a cashier at a grocery store in the burbs, and it wasn’t uncommon to see someone pull 2 full shopping carts through, but I can’t think of a bill that approached anything near that amount (maybe like 500-600 max, but things were cheaper then).
  - JohnH
    
    I know some people that buy gift cards like crazy. $1600 is a lot, but unless a store has a policy that an amount of X need to be confirmed by a supervisor, not sure why eyebrows would be raised. Buying 8 $200 gift cards wouldn’t look weird until the total price came up. Buying 80 $20 gift cards would look a bit weird.
- PetlessInPetworth
  
  Gift cards and alcohol, maybe?
- TJ
  
  My bank has in the past flagged legit grocery store transactions for far less than that amount. I’m set up to confirm suspect transactions by text, which has saved me headaches more than once, and have been able to get a large grocery store bill paid through a modest two step process. Must be something about grocery store fraud…the very first time someone stole our card info and used it was for a large grocery store bill in PG County some 15 years ago.
  - Emmanuel
    
    Capital One once flagged $1.49 at Giant because I bypassed PIN due to not needing any cashback. I used Apple Pay, so I don’t understand their rationale.
- Beth b
  
  Cigarettes which they resell.
  
  That was what someone bought when my purse was stolen a few years ago
Ally

Same thing happened to me last week, and the only new store I’d used was Amazon Now (the Amazon 2-hour delivery service). Their warehouse is in Richmond, VA. The fraudulent charges run up on my debit card (still in my possession, so they must have somehow stolen the number and made a new card) were made at a Waffle House and a gas station, also in Richmond, VA. Seems like too much of a coincidence. So, if anyone has recently started using Amazon Now, you may want to check your bank statements as well. Luckily, they ran up less than $100 on mine.
- JohnH
  
  Gas stations are VERY common to have your card duplicated. It’s a big problem for gas stations – the best recommendation is to use pumps that face the cashier/closer to the store as the people who install the card readers are more likely to do so out of sight with pumps harder for attendants to see.
Lyndsey

I shop here regularly so I’m reviewing my statements – question: did the fraudulent charges look like they came from Giant? Can you give any details about what they looked like?
- caitlynrose
  
  Hi, OP here-I can see all the fraudulent charges on my statement, and all were from the Giant on H Street (where I regularly shop). Now that I’ve double checked, it actually looks like the first charge for over $1000 was on Friday, Jan 6 – so they must have had my information for a few days before making the second and third purchases which brought the total up to $1600. My friend just confirmed that she had one additional charge from that Giant, one charge at a fast food place, and one at a nearby Hilton, all within a very short amount of time.
  - JohnH
    
    Rotisserie chicken + hotel = dream night.
1301

Huh. My CC information was stolen sometime Saturday morning, and I’m not sure where/how. They racked up over a grand, but my bank caught it and is reversing it all. A TON of small charges on Lyft, and big ones at Lowes and Walmart.com. Card is cancelled, all is fixed, but it was still a little unnerving. I only shopped at the Rosslyn Target on Friday night, and used a checkbook Saturday during the day.
- JohnH
  
  Using Lyft with stolen credit card information is risky business – unless that person used a complete fake name, email address, etc.
lisavfr

Good reading on this subject: http://krebsonsecurity.com/2015/01/how-was-your-credit-card-stolen/
L on Q

My CC info was recently stolen and fraudulently used last Wednesday at a Safeway all the way across DC. That combined with the post, and reading this thread is making me super paranoid to even carry my cards around now…
- JohnH
  
  It’s not necessarily the location it was used that’s the problem. As mentioned above, gas stations are very common places to have your card info duplicated. People don’t necessarily use the card at the same place as its duplicated (as you can see, you won’t know it’s been duplicated until its actually used – which means they have time to go elsewhere).
  - L on Q
    
    That’s what I mean… it seems every location is vulnerable. Hence the paranoia…
anon2017

I was there last night, and just received a call alerting me of a $500 suspicious purchase. I used a chip enabled card at one of the self-checkout lanes btw.
Daryl T

This is for everyone to read. If you have a card in your CC/Debit Card, you can fall victim to this practice. It is not hard to do at all. Your bank and any institution will tell you that your chip does not have RFID, that it is not powered, this simply is not true.
All this means is the program has not yet been instituted to allow you to use the tech with vendors. The chip in your card is in fact under power, and does emit a field.

http://www.forbes.com/sites/andygreenberg/2012/07/27/hacker-demos-android-app-that-can-read-and-use-a-credit-card-thats-still-in-your-wallet/#680b588b13a8
- JoDa
  
  Once again, that article only address cards that have contactless payment technology. There’s a little wifi symbol on the back of them. It’s obvious if your card has this capability. Most cards don’t. One of mine that used to no longer does (just checked because I thought I had the one…not anymore!). Why? They were a security risk that most people didn’t use for the intended purpose. Even those cards that use RFID aren’t “powered.” Active RFID is expensive. Passive RFID is inexpensive and easy enough to use. Susceptible to compromise with a cheap, powered reader? Yes, but you’re not “emitting a signal” from the RFID tags you do carry (like your SmartTrip card).
  .
  It’s not even possible to use RFID with some cards. My CSP blocks RFID signals by virtue of being made of steel (even tin foil will block RFID…which is why EZPass says to wrap your transmitter in tin foil if you don’t want to use it for some reason). If I put my SmartTrip against the CSP and try to swipe it, my SmartTrip won’t work. If your credit card was emitting an RFID signal, it would mess up your SmartTrip if you held your card against your SmartTrip and then tried to use it (trust me, I’ve accidentally tried to swipe my SmartTrip with my Zipcard in my hand, like if I return a Zipcar and rush to grab the bus home…NO DICE). A low-budget way to confirm your credit card doesn’t have RFID…hold it against your SmartTrip and try to swipe. If your card isn’t steel and your SmartTrip works, there’s no RFID in your CC.
Kincaid

I left my wallet at this same Giant and they held it for me with cash and cards intact/unused. Sorry to hear this!!
anon

Chip cards generate a token that is then active for a period of time to authorize purchases. Sounds like this Giant’s system might have been compromised and someone’s skimming tokens off these transactions and then using them within the authorization period.
.
https://www.engadget.com/2016/08/11/chip-and-pin-card-hacking/
stegman

!!! I also received a fraud alert when someone used my credit card number to buy $500 of goods there right around Christmas. I had to cancel the card and get a new one.
late to the party

perhaps this is what transpired to the OP and her friend

http://money.cnn.com/2016/08/03/technology/credit-card-chips-flaw/

Subscribe to our mailing list