When a Security Nerd’s card gets stolen

Categories: Attacks, Lessons

I say it often, and I mean it every time: be careful what you click on. OK, so how the heck did my card details get stolen and used for online gambling?

It was a Wednesday morning. Up early as ever, I needed to buy some trophies for our charity hill climb event for Barnardos. I used a reasonably local online trophy vendor to purchase a number of event trophies using our company card. I did my usual checks:

  • green padlock in top left
  • details on the certificate match what I am expecting
  • no malicious JavaScript on the site
  • site is A+ for the SSL implementation and A for the security headers

All should be good right?

At this point I should point out that our company card is very rarely used, and this was the only time the card was used in November.

At just after 6pm in the evening I got a text message from the bank asking me to confirm a number of suspicious transactions. The next twenty minutes confirmed what I had always thought of the bank's fraud systems: they are way too old for modern times. Here are the suspect transactions:

  • Toll booth payment in Dublin
  • Toll booth payment in London 10 minutes later
  • 6 payments to online gambling sites
  • Flower delivery

Wait, what? That last one is bizarre. I asked for the merchant details in order to rule out any of the other staff using the card to send flowers. The fraud team person confirmed the name and address of the flower shop, which is two streets from the trophy shop. I have never subscribed to coincidence.

I ask the fraud team person to cancel my card and ask whether there are any fraud signs on our other company cards. I ask for them to be blocked as a matter of precaution. We can always get new cards the following day anyway.

So, do we get our money back? No was the answer. You see, because the card was used for online gambling, the bank automatically suspects the card holder has done it themselves and is reporting fraud to get the stake back. Aside from being complete b****x, it is a dumb strategy for a bank.

The very next day, over a cup of coffee, I am sitting in the branch talking to the assistant business manager. Within 20 minutes everything is sorted and the money is refunded.

Lessons

The main lesson here is that even if you are very careful, you can get hit. It happens to us all, but as long as you are careful, it just won't happen very often. When it does, remember to politely and firmly instruct the fraud team operator to cancel the card, and test your card after twenty minutes to make sure it really has been cancelled. (I found out 4 hours later they hadn't cancelled it!)

If the outcome of the call isn't to your satisfaction, go into your branch and speak to the manager. Every bank branch has a local manager, and most of the time they are super helpful.

If it still doesn't work out, get in touch with Action Fraud and fill out a report. Make sure you have a crime reference number, and file a complaint with the bank in writing.

Stay safe out there and Merry Christmas.
