My wife and I keep getting our debit cards stolen online. We notice the charges and are able to dispute them and cancel our cards, but it sure is annoying.

We don’t put our card information on suspicious websites. They’re on well known websites like amazon and Facebook.

We ran out emails through a data breach checker and it found nothing.

I don’t think there’s any malware on our devices.

Any idea what could be happening and how to prevent it?

  • CriticalMiss@lemmy.world
    link
    fedilink
    English
    arrow-up
    96
    arrow-down
    3
    ·
    1 year ago

    Something tells me you’re keylogged if you keep cancelling, ordering new ones and getting pwned within days of the new card arriving. Format your computers. Use more open source tools whose code you can audit. Firefox instead of Chrome, no sketchy extensions like Honey and cash back stuff. If you pirate stuff, try to do it from verified sources.

    • db2@lemmy.one
      link
      fedilink
      English
      arrow-up
      79
      ·
      1 year ago

      whose code you can audit

      More like whose code is audited by someone or someones you choose to trust. Let’s be honest here, average Joe isn’t auditing shit.

      • gendulf@lemmy.world
        link
        fedilink
        English
        arrow-up
        10
        ·
        1 year ago

        You mean you don’t read the billions of lines of code contained in all of the open source apps that you use? Shame, shame… :)

    • Snowman44@lemmy.worldOP
      link
      fedilink
      English
      arrow-up
      12
      ·
      1 year ago

      It happens within months, not days. I don’t use honey and I don’t pirate. I use both chrome and Firefox, but maybe I should stick to Firefox.

        • generalEdo@lemmy.world
          link
          fedilink
          English
          arrow-up
          20
          arrow-down
          2
          ·
          1 year ago

          I cannot agree with this more. It maybe a PITA to have to enter each time but the peace of mind is worth it. Also, if you use a password Manger, which you you should be, do not keep the cars stored in there either.

      • Hogger85b@kbin.social
        link
        fedilink
        arrow-up
        13
        ·
        1 year ago

        Is there a particular (probably online) shop or service you go back to?

        Two times it happened to me one was a local gas station running a skimmer the other was an online hotel comparison site that turned out to be dodgy.

        First was in local paper and caught a few of us out…the second my bank actually contacted me about saying it was dodgy

    • Snowman44@lemmy.worldOP
      link
      fedilink
      English
      arrow-up
      9
      arrow-down
      21
      ·
      1 year ago

      Running a virus scan wouldn’t be enough? I’d rather not factory reset everything.

        • RagingNerdoholic@lemmy.ca
          link
          fedilink
          English
          arrow-up
          24
          arrow-down
          2
          ·
          1 year ago

          To be fair, factory resets are a huge pain in the ass. Might as well try other things before busting out the nuclear option.

          • nous@programming.dev
            link
            fedilink
            English
            arrow-up
            9
            ·
            1 year ago

            Once you suspect a device is infected the only good option is the nuclear option. Anything else will not be guaranteed to 100% remove it, or really, anywhere near close to that, or even detect everything wrong in the first place or after attempted removal. And with a month long period between attacks that is a long time to wait and see to see if any other option might work.

              • RagingNerdoholic@lemmy.ca
                link
                fedilink
                English
                arrow-up
                1
                ·
                1 year ago

                Absolutely. Use an efficient disk imager that can take incremental snapshots and you can keep backups for months or years without needing a ton of storage.

            • RagingNerdoholic@lemmy.ca
              link
              fedilink
              English
              arrow-up
              1
              arrow-down
              1
              ·
              edit-2
              1 year ago

              True, but I would confirm a device is compromised before nuking the OS, not just do it willy-nilly because maybe it could be. A better way to phrase what OP is asking is: what are some ways to troubleshoot this without making a ton of potentially unnecessary work for myself?

              …to which I would say, run a netstat on any systems that you can, check those IP’s against WHOIS and/or traceroute. Anything that traces to Eastern Europe, Russia, China, most of SEA is a red flag. Dig a little deeper with Wireshark or Glasswire to inspect some actual packets for suspicious content. I think there’s a network logger that can trace the process using a given connection, but the name eludes me).

              Find your smoking gun, then torch the OS.

          • phx@lemmy.ca
            link
            fedilink
            English
            arrow-up
            5
            ·
            1 year ago

            Less of a pain in the ass than using a compromised device and having your payment card info stolen repeatedly?

            • RagingNerdoholic@lemmy.ca
              link
              fedilink
              English
              arrow-up
              3
              ·
              1 year ago

              If it ends up not being the culprit, kinda yeah. I’m just saying, try some less disruptive troubleshooting first.

      • Zron@lemmy.world
        link
        fedilink
        English
        arrow-up
        28
        ·
        1 year ago

        A virus scan can only scan for something it knows. If you have something new or esoteric on your device, the scanner may not pick it up.

        If you’re not using a reputable antivirus, also consider that the database is wildly out of date at best, or the “antivirus” is malicious on its own.

      • Runel0rd@kbin.social
        link
        fedilink
        arrow-up
        12
        arrow-down
        1
        ·
        1 year ago

        Are you trying to fix the issue or have this repeat? Start listening to the genuine advice being offered

      • NooNz@sh.itjust.works
        link
        fedilink
        English
        arrow-up
        7
        ·
        edit-2
        1 year ago

        No, it won’t. If you value that situation enough to post here, you should also listen to the advices you’re given.

        If you have an antivirus running and you’re still being pwnd, a scan won’t change anything.

        Format everything, computers, phones, everything with an Internet connection really. Yes, it’s a pain, but also yes, it’s necessary.

        Do it

      • randomguy2323@lemmy.kevitprojects.com
        link
        fedilink
        English
        arrow-up
        4
        ·
        1 year ago

        Its not enough , why do you think you card is being used again and again? You don’t have backups of your data? A reset should be done every now and then to keep everything tidy.

      • graphite@lemmy.world
        link
        fedilink
        English
        arrow-up
        7
        arrow-down
        5
        ·
        edit-2
        1 year ago

        Running a virus scan wouldn’t be enough

        No, those can be bypassed. If your kernel is what’s infected, then it’s probably not going to find anything either.

        Scanners are useful, but what they can look for is limited.

      • JakenVeina@lemm.ee
        link
        fedilink
        English
        arrow-up
        1
        ·
        1 year ago

        It’s not like virus scanning is useless, but it varies depending on which scanning seevice you’re using, and none of them are foolproof. The fact that you’re still getting compromised suggests that your scanner(s) might be missing something.

  • OpenStars@kbin.social
    link
    fedilink
    arrow-up
    35
    arrow-down
    1
    ·
    1 year ago

    For one thing, stop using debit cards on the internet. Credit cards do not take the money out of your account first, thus offering you an additional layer of protection, and many like Discover in the USA are known for offering $0 liability for unauthorized purchases. They can be more of a hassle to use like they may call your mobile number to check on a suspicious purchase, but at this point it seems you want that level of paranoia. Don’t miss a rent (or any important) payment bc you have nothing left in your debit account to work with! (Even if it is added back quickly, will it be handled quickly enough?)

    • muddybulldog@mayheminc.win
      link
      fedilink
      English
      arrow-up
      13
      ·
      1 year ago

      Supporting your point of using a credit card over debit. In the US there’s limited liability for a stolen physical card (up to $50) which most of the big card issuers waive to zero. If your physical card is still in your possession (fraud due to breach, skimmers, etc) there’s zero liability, by law.

      Any no-fee credit card is better than using debit as long as you use it “in lieu of cash” and pay off the bill every month. My debit cards live in my safe rather than my wallet. They sit there only for the rare occasion I absolutely need to take out cash for something, which is very rare these days.

  • LedgeDrop@lemm.ee
    link
    fedilink
    English
    arrow-up
    23
    ·
    1 year ago

    As others have mentioned use a credit card instead of debit.

    But if you need/want to use a debit card, then take a look at services like Revolut or Wise (non-referal links included).

    Both provide you with debit cards that you can enable/disable instantly within their app. Revolut gives you “virtual cards” which can be used for online subscription, so you can create a dedicated virtual card for each subscription (minimizing the impact if/when one of your cards is leaked). Revolut also has “one time use cards”, so a new debit card number for a single purchase. In practice, more and more vendors are disallowing “one time use cards”, but you can create a similar effect with the virtual cards.

    Both platforms also allow you to set up dedicated (monthly) spending limits on either the physical or virtual cards. So you can limit your exposure that way too.

    • JakenVeina@lemm.ee
      link
      fedilink
      English
      arrow-up
      5
      ·
      1 year ago

      On top of just being a good idea in general, this could help OP figure out how their cards are getting stolen. Use a unique card number for each different service, and you can tell which service is compromised, either in your use of it, or in the service itself.

  • RedditWanderer@lemmy.world
    link
    fedilink
    English
    arrow-up
    20
    ·
    1 year ago

    A shop you both go to has a machine with a fake overlay swiping your info. You can find online how to spot those. I doubt it’s happening online.

  • cerevant@lemmy.world
    link
    fedilink
    English
    arrow-up
    16
    ·
    edit-2
    1 year ago

    As noted elsewhere, do everything you can to avoid handing your card to anyone.

    Use tap to pay wherever possible, then chip - neither of those methods give the card number to the merchant. Do not swipe unless you absolutely have to, and then inspect what you are swiping to make sure nothing is attached to the card reader.

    For online purchases, do everything you can to avoid giving your card number to anyone - use ApplePay / GooglePay / Amazon Pay / PayPal etc. wherever possible. These can be used to put charges on your card without giving your card # to the merchant. These are one-time authorizations (unless you explicitly identify it as a subscription / recurring charge), so they can’t reuse the transaction token they get.

  • Cyber Yuki@lemmy.world
    link
    fedilink
    English
    arrow-up
    16
    ·
    edit-2
    1 year ago

    Credit and debit cards are not as secure as banks pretend them to be. Chips can be cloned with a cheap device sold in the black market (this is known as “skimming”). PINs can be easily stolen simply by eavesdropping.

    My personal opinion: A business you frequent has been constantly skimming credit and debit cards. If you give your card to any salesperson and lose sight of it, the probability of it getting skimmed is pretty high.

    NEVER give out your card. Ask for the salespeople to give you the terminal and scan it yourself.

    Other than that, change your passwords, and NEVER reuse them.

    EDIT: As others have said, NEVER EVER use your debit cards on the internet. Ask if your credit card company provides virtual credit cards (which require you to use a phone app to authorize every transaction). If not, choose another company.

  • digger@latte.isnot.coffee
    link
    fedilink
    English
    arrow-up
    14
    ·
    1 year ago

    Have you used these cards in public? Your information could have been picked up by card skimmer.

    At least where I live, it’s very common to hand payment cards over to wait staff at restaurants. I had my card information compromised during a visit to Boston several years ago.

    • Snowman44@lemmy.worldOP
      link
      fedilink
      English
      arrow-up
      3
      arrow-down
      3
      ·
      1 year ago

      Our last card was stolen by someone in great Britain. We’re in the USA. I don’t think they’re being stolen by someone locally unless our information is being sold on the dark web.

      • topinambour_rex@lemmy.world
        link
        fedilink
        English
        arrow-up
        24
        ·
        1 year ago

        The card thief won’t use it, they will sell them to someone else. Which will certainly sell it to another person.

      • brygphilomena@lemmy.world
        link
        fedilink
        English
        arrow-up
        3
        ·
        1 year ago

        Credit card numbers go for something as low as a few bucks a number. I think last time I was rolling around the dark net markets they were $4.

        It’s quick and easy to steal. They collect a bunch and sell them and the other people take the risk of using them.

  • demesisx@infosec.pub
    link
    fedilink
    English
    arrow-up
    15
    arrow-down
    1
    ·
    1 year ago

    A lot of other good comments here but I would also recommend not swiping your card at ANY machine. I had my debit card # lifted several times before I finally decided to only use something secure like ApplePay (at the gas pump particularly). Apple Pay changes the card number every single time it’s used. So, it can at least pinpoint the exact moment it was stolen if it somehow did give up your info. I’ve never had to worry about my card number getting stolen since I made that change.

        • AbstractLinguist@lemmy.world
          link
          fedilink
          English
          arrow-up
          10
          arrow-down
          25
          ·
          1 year ago

          And it’s even better than you described. The one time token isn’t a new card number, it’s not a card number at all. It’s basically Apple saying “yep this is legit” to the other computer, and then the two banking systems do their money transfer on the back end.

          Even if someone could intercept it and decrypt it, it would be completely useless because that’s just not a thing.

          Pretty sure Google does basically the same thing. Never used it though.

  • dolla@lemmy.world
    link
    fedilink
    English
    arrow-up
    13
    ·
    1 year ago

    What’s your wifi situation like? Is your network secure? Are you often using a shared or public network? Perhaps it’s time to change your wifi password or look into a vpn if you are often using public networks. This is all on top of the usual changing your passwords, setting up two factor authentication (not via sms, use an Authenticator app) etc. you could also consider a service like Privacy (card number generators with limits or one time use)

  • MdRuckus @lemmy.world
    link
    fedilink
    English
    arrow-up
    12
    ·
    1 year ago

    You said you use your credit card on Facebook and you’re not sure why it’s getting stolen …🙄🤔

  • dan1101@lemmy.world
    link
    fedilink
    English
    arrow-up
    10
    ·
    1 year ago

    Look for common patterns, are there places you both regularly use your cards? Look at those places. Sometimes even your bank can be compromised.

  • TenderfootGungi@lemmy.world
    link
    fedilink
    English
    arrow-up
    9
    arrow-down
    1
    ·
    1 year ago

    If you are financially able, use a credit card instead of a debit card. I do realize that only makes sense if you are able to pay it off every month, and when we were younger that was impossible. But maybe get one to only use online?

  • JesterRaiin@lemmy.world
    link
    fedilink
    English
    arrow-up
    7
    ·
    edit-2
    1 year ago

    Interesting.

    Does it concern the cards from the same bank? I’ve read about some banks actually abusing their own clients and meddling with their money…

      • _wintermute@lemmy.world
        link
        fedilink
        English
        arrow-up
        6
        arrow-down
        1
        ·
        edit-2
        1 year ago

        Not likely but could be that the bank is compromised. Not that it makes much difference, but is it a major bank? Do you have cards from other banks that don’t get stolen regularly? Do you use a specific local atm regularly? Always tug on the card scanners at ATMs and gas pumps to ensure a skimmer isn’t being used. If there is a skimmer you will likely be able to pull it off or it will wiggle in a strange way, letting you know it’s not “stock”

      • JesterRaiin@lemmy.world
        link
        fedilink
        English
        arrow-up
        4
        ·
        1 year ago

        Could you try and set up a test account in different bank and check whether the problems spread onto the new card too?

        • Snowman44@lemmy.worldOP
          link
          fedilink
          English
          arrow-up
          5
          ·
          1 year ago

          I have a credit card too, but I don’t use it as much. It’s from a credit union, not my bank. I don’t remember it ever getting stolen.

          • JesterRaiin@lemmy.world
            link
            fedilink
            English
            arrow-up
            4
            ·
            1 year ago

            I think we may be on the correct track, sir. I’d encourage you to try out different bank, if it’s not much of a hassle.

            There’s an additional possible test - you may want to ask people that you and your wife know about, who have cards in the same bank, whether they’ve ever found some puzzling stuff about their financial history there.

    • anlumo@feddit.de
      link
      fedilink
      English
      arrow-up
      2
      ·
      1 year ago

      I’ve read about some banks actually abusing their own clients and meddling with their money…

      Might also be an employee there making a few bucks on the side…