"Say you’ve had an Amazon account for 10 years, and over that period you’ve added five or six different payment options to your account. Those cards, even if they’re expired, can be used against you if your account gets compromised."
"If a merchant (like Amazon, for instance) has an arrangement with a card issuer (like American Express) and agrees to take on the risk, “they can have a green light to run cards that are no longer technically considered valid,” Howard explained."
This article leaves me with more questions than answers.
1. How did the scammers access my old data in the first place? If they have my account information (which is implied if they know my street address and shipment tracking information), I have much bigger problems to worry about than expired numbers. There's no discussion in the article whatever about the original exploit and vulnerability in the system, or what's being done to address that. To be fair, Amazon and American Express were both mum on the matter, which makes me think this issue isn't quite so widespread as we are to believe, and these may be cases of people with weak/shared passwords or other similar please-hack-me-now dumbery.
1b. If the scammers do have access to my account, why aren't they just going after the active cards known to work (or my gift card balance)? It feels like the "test" shipments are the goal rather than a step in the process. After all, if I have your Amazon account, I could either:
- just buy what I wanted with your gift balance and/or active card and ship it to wherever I wanted it to go, or
- play with expired cards, find a test vendor to buy some meaningless products from, ship them to a place where in all likelihood I then need to coordinate with (aka pay) someone to porch pirate their home, and plan said shipment such that it's going to arrive when said person is least likely to be home, which also means I need to know something about that person or just hope for the best. After all that, then I will buy what I wanted and ship it to wherever I wanted it to go.
2. This scam seems narrowly vulnerable to a few specific banks and retailers, and it seems that it's only going to affect active but expired card data. That is, I've had a card for 10 years and put in the number and CCV/etc 8 years ago, but since received new cards with later expiration dates. This is the only case where the card number would a) not change and b) still be linked to an open account. Any closed cards would/should not work, and if they do, that's the bank's problem. With all that said, as per number 1 above, just how widespread is this problem?
2b. As the numbers themselves are still valid, they should still be tripping the same alerts/alarms as an active card such as an app popup or text notification when an online/nonswipe sale occurred. If they do, then shame on the customer for not setting up security alerts for their card properly; if they don't, shame on the bank for a loophole that allows a valid card number to be used with no alerting. This isn't even mentioned in the article, but yeah let's buy a creepy smart doorbell?
3. With all of the above, really just how widespread is this scam? Are millions at risk or just people named Chris who live in Connecticut who also have expired cards on their Amazon profile?
Finally... “So many people never open their statements, or they don’t look at their electronic statements,” ... Lord Helmet was right, Evil will always triumph because good is dumb.
It amazes me how many people don't look at their statements for basically anything. When I worked at Comcast, it blew me away how many people were calling because their bill went up 6 months ago and they were just realizing it.
I check all of my accounts frequently. Every charge is set to notify me when available (not an option on my PayPal Cashback which is why it's on the chopping block this year) and while I don't really look at my statements, I do scrutinize my list of charges to the max.
People who don't watch their accounts deserve the fraud. There's no excuse for not keeping tabs on your finances.