gilwyll fawniah devydd

0 views

Skip to first unread message

Elva Stuller

unread,

Aug 2, 2024, 4:43:07 AM8/2/24

to lgatekchettio

Reviewing my bank statements, I noticed that I several months earlier had been charged about 13 GBP by Netflix on my credit card, but only for one single payment (not recurring). I knew that the payment could not have been made by me, so I contacted Netflix who suspended the account it was connected to, as well as reimbursed me the money. What keeps bugging me though is how this actually happened.

Secondly, this particular credit card I only use for purchases in offline stores and I have never used it in any dodgy places or countries. I therefore do not see how my information could even have been stolen in the first place.

What I am wondering is if it is practically possible that someone could have used my credit card by accident, due to similar numbers? Given that the first part of the credit card number is not random, the number of different card numbers are significantly less than one could assume, given the full 16 digits. There are still hundreds of millions of combination, and on top of this there are different validity dates as well, but, on the other hand, there's a vast amount of credit card purchases being done all the time, making it probable that an improbable event actually happens every now and then...

Let's start with the check digit, the last digit in your credit card number. It is calculated on a public formula, and many web pages have simple Javascripts to check (locally, no need for network) whether the card number checksums. It would be easy enough to increment the rest of the number and come up with any number of valid 16-digit credit card numbers, many associated with real accounts.

And the charge will be refused unless all of these reasonably match up. CVV2 is used for exactly what it says on the tin, proof you do have the card in your hand. But so are the other figures.

Could they accidentally exchange two digits 2 spaces apart on the card, giving the same check digit? Sure. Could they accidentally have the same expiry? Maybe. Could they also fatfinger their CVV instead of yours? No. Could they also fatfinger their ZIP code? No. Could they also fatfinger their last name? Not without a Ouija board.

Now, Netflix may have a deal where they don't need to ask for ZIP. In which case, a $9/hr clerk who handled your card physically could sign up with info they cribbed off the card. Or, you could be in a small town where the ZIP is pretty guessable. That is most likely how this happened, a simple, F2F petty crime.

Credit Card numbers are not used consecutively, but have check-sum style protection built in.
What that means is that a random number has a very small chance to constitute a valid number, and a simple digit-switching will result in an invalid number.

It's not really enough grounds to accuse anyone, but such transactions (completely valid, small but unexplainable) sometimes are made with the legitimate card by someone other than the cardowner, often someone the cardowner knows - for example, a child, or a buddy during consumption of drinking/pot/whatever. It may be "oh, I really want this, I need to borrow a bit from Bjorn - he's busy but he probably won't mind", or it may be more sinister, e.g. I've seen people disputing chip-present ATM withdrawals (so very unlikely to have a cloned card), claiming that the card was always with them, but recognizing a family member when shown the ATM video.

Offline use doesn't necessarily add to safety, there's always a chance for your numbers to be lifted by anyone handling your card. This seems more likely than someone generating card numbers or an accidental typo, but either of those are also possible.

A typo would be quite rare because they'd have to typo at least two of the numbers and have them still pass the checksum (Luhn algorithm or other) and the security code (CVV) would still have to match (pretty sure Netflix uses CVV code).

Generating numbers is also possible, the rules aren't too complex, but there are many possibilities as you mention. It could be that they used Netflix as their validity check for generated numbers before trying them on profitable purchases, but I'd imagine there are easier options as you can only try so many numbers before websites will get fussy, especially major websites like Netflix. From my brief research it sounds like it's much easier to obtain actual card numbers than to generate them, so I'd likely put this one in the plausible but not probable category.

To me, the single usage to Netflix feels amateurish or accidental. The typical fraudulent charge would be for something easily converted to cash, like gift cards or something tangible. So my money is on an inexperienced, dim-witted fraudster that had access to your card at some point, but we're all just left to guess/wonder.

this particular credit card I only use for purchases in offline stores and I have never used it in any dodgy places or countries. I therefore do not see how my information could even have been stolen in the first place.

Data can be stolen from stores where you pay offline, too. From the simple use of skimmers, to vendor compromises. See for instance the famous Target breach four years ago, the recently disclosed compromise at Marriott hotels, or the recent issue at NEXTEP clients.

With card breaches, the thieves often have much more card numbers than those they can abuse (either directly or by those that buy them chunks of cards). Also note that stolen credit card details lose value from day to day, and too many cards make the breach easier to be found.

In this case, the NetFlix charge may have been simply a transaction to verify that the stolen credit card data was valid. Other ways crooks use for this are making small donations to well-known non-profits.

The fact that you only found an unauthorized transaction doesn't mean there wouldn't be more in the future. Plus, your credit card contract probably obligates you to promptly notify them of any misuse of your card.

We are not Netflix members, and I don't remember signing up for a membership, so I called my CC folks and retrieved a phone number associated with that transaction, then called up Netflix at that number.

I asked her what a Netflix transaction normally appears as on a member's CC statement, because "NETFLIX NONE" seemed like a strange phrase. I googled "NETFLIX NONE" and couldn't find anything relevant.

Never seen a specific city listed in ours - yours does seem weird. What did Netflix say when you told them what the transaction said? (I mean, did they say, ours wouldn't say that, or ours might say that?)

We had a similar thing with "Apple iTunes". I kept yelling (figuratively) at the kids for buying songs without asking and they swore up and down they didn't. Frankly, it was too much effort to try and figure out who was telling the truth for a few $.99 charges here and there. With the occasional $2.99 charge thrown in it added up to $92 over the course of 15 months or so. I finally got fed up and called the CC company and determined that it was fraud.

I have heard somewhere, that the identity thieves will usually start off with smaller amounts as stated above to make sure the info they have is valid and the card works. Eventually, they try to get larger amounts.

Definitely sounds fishy. I would do what you already planned. Everytime I have something weird happen with my card I cancel and order a new one with different number. Its worth the 30min of updating varias things with a new card number versus taking the chance of having a large number of bogus charges popping up.

Absolutely, shut down that cc # and get a new one. Best to keep the bank liable for all fraud charges and keep yourself in the clear. Low charges are a way to test a card and then WHAM, you get a $1000 phone bill from London. Happened to me.

I have a credit card that I only use for internet purchases. Today, I got the email/call from my bank telling me that they are sending me a new one. Seems someone tested it at a hotel in PA for $8.75 this morning. This is why I have a dedicated cc for use on-line.

That is exactly how it worked on our cc. We had a couple netflix charges, we called and had them taken off, but a month or two later we had a bill for a hotel in Spain. I would call and cancel ASAP. Within a year of that happening, our checking account was hacked. Someone was able to electronically cash a check from our account. That really sucked, so keep an eye on everything. Not sure if the 2 were connected, but I would keep a close eye on everything.

As it happens, my credit card was in fact compromised back in January; there were a few fraudulent charges, but AmEx reversed them and overnighted me a new card, and the whole matter was over and done with. the new credit card number is only about a month old.

My bill on my credit card statement reads "Netflix None" Los Gatos, and has for a long time. In Quicken it downloads as "Netflix" but under the memo each month is a series of numbers followed by the word "NONE." I have not noticed any odd charges on any of my accounts...I check them two or three times a week after having various cards compromised over the years. I dunno what the "NONE" means, but I don't think it's a problem.

Last February I gave my uncle a year's subscription to Netflix as a birthday present and I paid it in full. Today he called me and said his Netflix wouldn't work because there was a problem with the credit card on file. About a month ago I had my cc company reissue the card because of a suspected fraud issue. I found out today that you need a valid cc # on file with Netflix because they test it every month - even if the account is prepaid. That doesn't seem right that they can force you to do that but I'm sure at some point in signing up I clicked "accept" to three pages of terms and conditions.

I was informed by Apple and Netflix that my Netflix, which is billed through Itunes, would not go through because I needed to update my credit card info. I did this in early May when I received my new card.