Advice Request How to find out how my credit card details were stolen?

[ethereal1]

Today I found out that my credit card details were stolen and that someone tries to pay 300 ILS(87$) using my credit card. I canceled my credit card and I might be able
to cancel the transaction of money but I am more worried about how my credit card details were stolen in the first place.

It is possible that someone hacked into my computer and/or installed some spyware to steal my credit card details?.
I have ESET smart security and interactive firewall rules and every time something new tries to connect to somewhere I get a notification that ask me if I want to allow it or not and I can also see the reputation of things that runs in my PC. I even used ESET Sysinspector today and the result are similar to what they were in the previous scans(the last one was 3 months ago and the first was in august 2019) and from what I understood the results I get are totally normal.

I recently used this website to pay(https://secure-checkout-page.com/) for something, the website itself don't work but when I click on checkout on one of the websites I used to buy something from it works fine and I get to one of the pages of the secure-checkout-page.com site..
It is possible that someone hacked the website and stole credit cards information from it?.

I checked another website(Pharmasepa the website is in hebrew) I used to try and buy something(I entered my credit card details but there was no charge because the site owner couldn't send me the product because of COVID-19)
and found out that the checkout page isn't secure (but it was secure several months ago) I probably entered my credit card details while it without noticing that the connection is no longer encrypted..
There are other flaws in the pharmasepa.co.il security?.

 

[Digmor Crusher]

Its more than likely that your info was leaked from a website, somewhere you bought something online, highly unlikely you were hacked especially if you are using Eset.

 

[brigantes]

It is possible that someone hacked into my computer and/or installed some spyware to steal my credit card details?.

Possible, but extremely unlikely. Your local system is the least likely to be compromised when it comes to credit card data theft.

It is possible that someone hacked the website and stole credit cards information from it?.

Much more probable than your local system was compromised. Remember, your credit card data is sent through a chain of systems (web-facing application server, backend data server, third party processor), all of which could have been hacked.

None of your questions can be definitively answered unless a forensic analysis is performed. Even after an investigation no answer might be found.

 

[SumTingWong]

No one knows. It can be three things either the website you provided the info got compromised or your system got compromised or you provided the phishing website with your info. Since your credit card info got compromise, then it is possible your identity got compromised too. You should consult with your bank and put some kind of freeze onto your credit card. In addition, you want to invest an identity theft service.

 

[South Park]

Brian Krebs has a good write-up on this: How Was Your Credit Card Stolen? — Krebs on Security

 

[Fuzzy_Bunny]

Website must be HTTPS when you buy online otherwise you risk all your data.

 

[SumTingWong]

Website must be HTTPS when you buy online otherwise you risk all your data.

Phising sites also use HTTPS as well. HTTPS is kinda useless if the website got compromised.

 

[Dave Russo]

Twice in about10 years,my Bank debit card # was stolen, once Paypal was hacked(though they never admitted it)I was stupid and fell for the Paypal scam,the other 2 the Bank closed down my account and I lost nothing,the problem there was they didnt even call ,I only found out after trying to use my debit card and having it not work

 

[TairikuOkami]

Brian Krebs has a good write-up on this: How Was Your Credit Card Stolen? — Krebs on Security

Also Extensions - not necessarily fake, simply taking advantage of the user - in addition to that, storing card in the browser, making it more vulnerable.

Over 100 Malicious Google Chrome Extensions Found Spying On Users

Once again, cybercriminals have stealthily preyed on millions of Google users. Reportedly, Google removed numerous malicious Chrome extensions after researchers found them stealing users’ data. Malicious Google Chrome Extensions Researchers from the Awake Security Threat Research Team

latesthackingnews.com

On top of that, contactless card can be stolen anytime anywhere. I have recently found out, you can buy RFID blocking card, instead of an expensive wallet.



But there are way simpler ways, like a cheap camera installed on a lamp near the POS terminal or in a shop. When you handle your card, you swing it around several times making all details visible. I pay by card trying to keep it covered by hand and I have also scratched out my CVV number.

In addition, you want to invest an identity theft service.

Indeed, most banks cover an attempted card misuse, if reported within 48 hours. But identity protection covers legal obligations, way more expensive.
I am lucky to pay only $1 per month and I am protected up to $2500 per every reported incident, where any of my personal info would be falsely used.
It can take months to recover from an identity theft, but a permanent record might stay, so the person might have a hard time getting a loan or a job.

 

[South Park]

I've had one credit card stolen twice in 5 years, probably due to payment processor hacks. Another was stolen years before I used the internet. In each case, the bank notified me before the statement was sent, and I was reimbursed every time. All of the criminals made small charges to test the card before making larger charges. Two of the fraudulent transactions were the creation of fake dating profiles at match[.]com even though I have never visited or used any such website. At the time, I assumed my PC had been hacked, so I spent hours scanning it with multiple AV products but found no malware.

Interestingly, one case happened 3 days after I filed a fraud alert because of stolen physical mail from my mailbox. Now I receive all financial statements electronically and try to minimize junk mail which could be harvested for personal information.

 

[Vitali Ortzi]

Skimmers are everywhere so you can't find the source .
Hardening every aspect of your personal security might prevent future attacks

 

[codswollip]

Spend some time logging into sites where you made CC purchases to see if they've "saved" your card info "for your convenience", and delete those records. Trust no site other than your CC provider.

If you've set up "autopay" with your CC for your bills, see if there is an eBill option that doesn't require storing your CC data.

Reduce your exposure.

Same with security questions. Never answer them honestly, but keep a record of what you entered. For example, when they ask for your birth city enter "Uterus" ... or your favorite dessert "Possum" (O darn, that IS my favorite dessert).

 

[brigantes]

OP is in Israel if anyone had bothered to look. 300 ILS = 300 Shekels.

Why does everyone assume English posters are American ?

The most prudent and safest online purchases are made using either gift cards or by using an isolated bank account that you have to physically make cash deposits into it to fund it for purchases. The balance should always be near $0 until such time that you need to make a purchase.

Also Extensions - not necessarily fake, simply taking advantage of the user - in addition to that, storing card in the browser, making it more vulnerable.

Over 100 Malicious Google Chrome Extensions Found Spying On Users

Once again, cybercriminals have stealthily preyed on millions of Google users. Reportedly, Google removed numerous malicious Chrome extensions after researchers found them stealing users’ data. Malicious Google Chrome Extensions Researchers from the Awake Security Threat Research Team

latesthackingnews.com

On top of that, contactless card can be stolen anytime anywhere. I have recently found out, you can buy RFID blocking card, instead of an expensive wallet.

Indeed, most banks cover an attempted card misuse, if reported within 48 hours.

Many people are ignorant of what this protection really is. Most people believe this to be true, but it isn't provided by the bank or institution that issued the card. It is MasterCard, VISA, AMEX or others that provide the actual "card benefit," but all of it is at their own discretion according to their own rules. The higher the dollar amount lost, the greater the likelihood that they will place a heavy burden of proof onto the cardholder. For example, if you report a 50,000 Euro fraudulent transaction, they are going to demand a police investigation. If the police turn up zero evidence that it was fraudulent, then they are going to reverse the transaction and put it back onto the cardholder. Let's say that the fraud was perpetrated in a country in which your police can get no assistance from the authorities in that country, and an explanation is demanded by the bank. If an explanation from the "fraudulent" party sounds legit, then they are going to side with the fraudsters and you are going to be charged 50,000 Euros. It happens every day. These anti-fraud protections are not automatic and they sure are not guaranteed.

Hardening every aspect of your personal security might prevent future attacks

You cannot harden that which you do not own nor have any control over. A person's data is spread across countless systems across the world. No amount of hardening by the person shall prevent data theft from those systems.

 

[CMLew]

I have change my card 5th time. It's common ur card details get stolen. I have a most recent encounter. Went to Bali and use the card for the first time inside the airport to buy lunch and that is the only time I use it. End up bill coming I saw there's another $500 charged to my card. Hence I know the shop is likely compromising my details.