Frauded! US Bank Mastercard Gift Cards Hacked and Drained

Variable Load Mastercard

 

Update: A Happy ending, two new cards arrived 8/20.  When I activated both I was charged $5.95, but a quick phone call got the two $5.95 activation charges reversed.

I hadn’t planned on back to back cautionary tales, but the luck of the draw has me writing this post today.  A few weeks ago I wrote a post about how variable load Mastercards were being sold for a discount at some Safeway branded stores.  In addition I mentioned that these cards were earning Fuel rewards.  As a test for that post I bought two Mastercards at my local Vons, and detailed this purchase in the above post.

Yesterday I went to liquidate the exact two cards I bought as test cards. I called to set the PIN, and was told that my balance was $207 on each card.  This struck me as very odd, so I logged in online and saw that the card had been used yesterday morning:

Frauded

The second card also had a similarly vague $41 charge or so to a company that allegedly sells stickers. In reality these are likely shell companies which are just used to process CC’s.  My card numbers had somehow been compromised and the cards would likely have been drained clean in the next few days.

High Level Fraud

These two cards sat in my safe deposit box for two weeks. I took them out this morning, planning to use them up and file them away. They were never used, and were stored shortly after purchase. 

The standard fraud on these US bank Mastercards has typically been the false activation scam. A thief will place a sticker with a different barcode over the activation barcode on the back of the card. This sticker will actually be the barcode of a card the scammer has in their possession. The cashier scans the false activation barcode and the scammer’s gift card is loaded instead of yours. By the time you realize your card hasn’t been activated they’ve drained the funds and you’re left having to sort it all out.

Recently there’ve been more cases like mine–the card is not tampered with at all, yet it is somehow compromised after purchase. I’m chalking mine up to sheer volume–when you interact with enough cards you’ll eventually have something like this happen.  However it didn’t help that I held these two cards for so long after purchase.  It is always best to liquidate as soon after purchase as possible. Fees can be assessed, fraud can happen, and the likelihood of you losing a card are all reasons why liquidation should occur as soon as possible.

In this case I called US Bank and was instructed how to walk through getting a replacement of each card.  The process isn’t too much  trouble–I have to fax copies of the cards, along with the receipt and a statement about the fraud.  I’ll be issued new cards and the fee to replace the cards will be waived.

Good Habits Die Hard

What if I don’t have a copy of the receipt? The phone agent had originally suggested that I return to where I bought the card and ask for a reprint of the receipt.  At a major store you should be able to do so–but you’ll need to remember the date and time of the purchase, again something you should be tracking. I was able to access a photo of the receipt on my phone while I was talking with the agent and going over the fraud filing.  I take receipt photos in the car in case I misplace hard copy receipts.

Purchase date and time can be obtained in the Milenomics Purchase Tracking system we went over last month.  I know it seems like a waste of time to collect so much information, but an example like this fraud shows that when you need it you’ll be glad you have it. Some readers have said they place the full card number in their tracking sheet–in case of a lost or stolen card having the full card number could be the difference between getting your cash back and being out hundreds.

In the end I’m out about 15 minutes of my time ($6.25), but I’m just glad I caught this and had the right record keeping to turn a potential $500 loss into a $6.25 loss.

About the author

- Written by Sam Simon. All ideas are my own, but I encourage you to see my point of view and I promise I'll try to do the same. Connect with me on Twitter @Milenomics.

Comments

  1. Thanks for sharing the details.

    I do not yet use your spreadsheets, but I keep every receipt and the packaging from every GC and prepaid I buy in folders separated by month. (I wrap the receipt around the packaging and affix it with tape or a staple.) I don’t do a huge volume so it would be hard for me to misplace GCs or prepaids, but I could lose them if my purse was stolen, or I too could be the subject of fraud.

    I recently saw a tweet from someone I met at the CharlotteDO who stumbled on unused GCs in a drawer. Others who I also met at the DO tweeted back that they’d found unused cardboard prepaids in the recycling bin and unused GCs in the glove compartment of the car. Someone else at the DO reported his small child was discovered playing with an unused VR. Maybe with the volume they do, this is not surprising. But to me it is just evidence that we each must develop a system to prevent such occurrences.

    Your fraud experience and the difficulty of resurrecting all the needed paperwork is more evidence. Glad you could recover without too much wasted time and effort.

    Makes me think the $300 Amex GC I’ve been carrying around ought to be drained soon! Or at least used!

    1. Just a word of advice. “NEVER” buy a U.S. Bank Gift Card. If you don’t use a U.S. Bank gift card immediately, they will drain every cent of the money, with their so-called “fees”, and they do so by changing their user agreements. I had a card that was given me in 2010, but it had been misplaced, and when I found it in January 2015, the expiration date was 1/15, so it was good through January, but when I tried to use it, the balance was zero. In 2013, they changed their rules and took all the money leaving a “0” balance, even though the card had an expiration date of 2015.

  2. Same thing happened to me last year; 6 cards were compromised and it took me about 4 months to resolve the issue.

    1. Simon, Quick question: Were any fraud charges got through one of your cards? If so, were you able to get reimbursed from US Bank? Thank you for advise. I am going through this right now and it is not fun.

  3. I too was hacked recently. I’m in the resolution process. How long does this take? Will I receive the initial card value load minus the replacement fee?

    1. De: I don’t know the total time for the resolution process, I’ll update this post as I go along. I’m faxing documents today, and expect it to take a few weeks. Simon’s comment above said it took 4 months(!) in his case. Best of luck–and push back against paying any type of fee for a replacement, this is fraud, not a lost card.

  4. In a slightly different process right now.

    I had a card that never activated. Bought at Walgreen’s, went to use it (read: liquidate it), nothing. Checked online at vanillagift.com, nothing, can’t even bring the card up. Money is out of the AGC, it just never transferred to the VGC.

    Called InComm and I’m going thru the process. I still had all the receipts and package and everything, so that was good.

    Like you said though, do enough volume and something like this will happen. I’ve run thru 66k in VGC this year so I was probably due. (I’m aware this isn’t MASSIVE volume, calm everyone’s ego).

  5. The CVV2 number on the back of the card is nowhere near long enough to deal with brute force attacks on large numbers of cards. Trying 5 different CVV2 codes on each of 100K cards should net you 500 cards to drain. Zombie networks can distribute this attack over many thousands of computers, making this a lucrative side business for them. My guess is that they are quietly draining tens of thousands of gift cards though hundreds of fake merchants at any one time

    For me, it’s all about how fast I can close the loop. I don’t buy VGC until I know I can liquidate immediately afterwards. I head out about 10 am, when traffic is light and no one is out yet, make a few stops, then head directly to the WM for BP, MO and bird feeding. Everything gets cashed out in 60 minutes or less.

    1. El Ingeniero: I tend to agree this was a brute force hack. The numbers of the two cards were identical except for the last 4 digits. Given the fact that cards numbers need to follow a pattern the possible combinations between the two card numbers were just +/-500. Add in very poor CVV2 codes and you have the making of an easy to crack money factory for an overseas group. 🙁

      Your advice about closing the loop as fast as possible is the best protection, you’ll have the cash off the card before the crooks even try to steal it.

      1. If I could cash out 1 second after purchase, I would be all over that. 🙂

        But if all of us cashed out after 1 second, someone would figure out how to hack that too. 🙁

  6. Sorry to hear about that happening to you. I must say your photo taking of receipts is so very smart. I keep the receipts until everything is cleared off, but some things clear more quickly than others and I’m certain I’ve mixed up receipts along the way.

  7. I’ve had the exact same problem recently. But never had it with Visa gift cards. Seems too coincidental to me, what do you think?

    1. There’s going to be an element of fraud in any system–Visa or MC there’s always someone trying to steal our cash! 🙁

    2. I just had this happen to me with a Visa GC. When I changed my PIN, my balance was $495 instead of the $500 I loaded. When I checked the transactions, there was a $5 walmart charge in MN. I bought the card in CA. The charge occurred within 24 hours of my GC purchase.

  8. sorry for off topic. My American Express for Target got drained. If you use AE for Target to load at Target stores, greater chance your AE for Target got compromised. I got drained about 4 months after Target incident.

    1. RNP: No need to be sorry–I appreciate the info. Others have used this post for information on fraud with Different prepaid cards. How did the Amex for Target card fraud work out? Were they able to handle it easily? I’m interested in more information with respect to the resolution of your fraud incident.

      1. In the middle of the exact same thing right now with 2 US Bank Visa cards purchased at Kroger. My cards were sealed and the flap over the bar code was intact. Mine were of the variable load variety and the last 4 digits of the cards were very close to each other. US Bank has dragged their feet through the process i.e. stating they did not receive my fax multiple times. When I called to report the fraud they took all my information and stated that they would send me an affidavit to sign stating that I did not make any of the charges. They send the affidavit to someone else at another address (the perpetrator?). I still have not received the replacement cards and the process was started in early May.

        1. Mark: Ugh… I’ll update my process here on the blog, and hope it runs smoother than yours. Interestingly my two cards had identical first 12 and incredibly close last 4 digits as well.

          1. Well I received 2 cards as replacements. These shysters charged a $5.95 activation fee to each of the new cards. One card had the entire original value (minus the new activation fee) as the fraud was caught while the charges were still in the pending stage. The other replacement card had only $43.?? of the original $500 load. They are saying that the dispute process is ongoing for that card. I caught the fraudulent charges 2-3 days after they were made on that card. I am very seriously considering filing a chargeback with Amex against Kroger as I am not really confident that US Bank is going to make this right.

            1. Mark, I am in the same situation as you are, but I caught the fraudulent charge 1 day after they made on the card. Were you able to get that portion of you money reimburse from US Bank? I am curious if I will get my money back on that fraudulent card that got through. I appreciate any feedback you give me. Thanks…

  9. Could you provide the us bank number? We had the same thing happen and incomm was useless. They said that a pin transaction had drained the card.

    1. Jack: I called the number on the back of the card; 866-952-5653 and said I wanted to dispute a charge. They took it from there.

  10. I finally got my money back after a multitude of phone calls and faxes (for information I had already faxed) to us bank. Wow. I’m hoping this is a one off, but sure makes me reconsider the whole Gc churning aspect of ms.

  11. This is just happen to me recently as well. I have 4 cards with 500 each. One charge went through on one of the card. Not good. Other 3 cards have pending charge on it. All 4 cards are now cancelled. Hopefully, no other charges go through. In process of getting the money back. After reading this blog, it will be a long haul. Is there any other numbers beside 866-952-5653 to get status update when you call? I got their fax numbers and their Dispute department numbers. Thanks for your helps.

    1. Steven: I recently (last week) got the two replacement cards back in the mail. I called once for a status update, but eventually just waited it out. When I activated the cards I was charged $5.95, but I called in and that was reversed. There’s no way to activate and not be charged, so when you get replacements know that you’ll have to call in again and ask for a manual reversal.

  12. Has anyone had a fraud charge went through on the card? Will you be able to get that portion of your money back? or it is a totally lost… Thanks!

  13. I guess I’m one of the unfortunate ones. I received a $300 GC as a gift from my father’s friend. After two months thinking the fund would always be there, I tried to buy something with the card yesterday online. Knowing that I have to register the card first at mygiftcardsite.com, I did that. When I got to see the balance, it says $17ish left. Two online transactions at Travelocity… Unbelievable. So I called 866-952-5653, and a really really professional (not) lady said your card is compromised call this number 414-341-7000 and you need your receipt.

    I don’t have a receipt because it was truly a “gift” card! And in some cultures, it would be much more than impolite to ask the original gift sender for the receipt of a gift… I guess I just don’t deserve this $300 in my life.

    Well, despite my desperation, I did call that number, and it was an invalid number, telling me that I can try 414-341-(3)000 if I want to reach FIS. Wut, I thought I was dealing with US bank… Whether the lady gave me the proper number is beyond me and at this point I’m quite giving up already because it looks like you will absolutely need your receipt (from reading you guys’ posts).

    I hope I gave up this $300 in exchange for some kind of fortune in the future.

      1. Thanks for your reply, and sorry for my late reply. I did find the correct number to fax all the required information (except for the receipt). It’s been almost two weeks and I still have not heard anything back. I guess it implies no luck then. I will shortly send you an email and I will make sure to raise this issue to anyone that you think will make a difference.

        Thanks again!

    1. “I don’t have a receipt because it was truly a “gift” card! And in some cultures, it would be much more than impolite to ask the original gift sender for the receipt of a gift… I guess I just don’t deserve this $300 in my life.”

      I can understand your reluctance, but I would think that in an ‘old school’ culture, fraud would be a very serious issue. I would tell the person who gave you the gift what happened, and offer to return the card to him (her?) so he can take up the matter himself.

      Make it clear that it’s not about the money, but the principle. (Since you seem to have resigned yourself to losing the money anyway, this is actually true.)

      Of course, he might offer you the receipt instead, but that’s his decision.

  14. Thank you for posting this. Purchased a $500 gift card yesterday that had a barcode over the original one. Didn’t know where to turn until I found this thread. Just faxed my info to US bank.

  15. I’m in same situation, fraud on $500.00 card $89.78. Reported it to us bank they told me to fax info to 1’414-371-6679 but when I do it doesn’t go through, anyone have another number?

  16. I am out of $500 because my card was used back in Sept, when I tried to make a purchase I was drained about $480 in another state! It’s March 2017 after multiple faxes, calls, and mail I’ve been told “the case was not to your favor I’m sorry it’s closed” the bank closed the card back in January 2017 but after sending my name, number, email, fax, blood sample I couldn’t get a notification of what was going on?!

Leave a Reply to Steven Cancel reply

Your email address will not be published. Required fields are marked *