Capital One Compromise and Cardholder Fraud Education

It was announced in the media that a hacker gained access to more than 100 million Capital One customers’ accounts and credit card applications earlier this year. At this point in time, Capital One is saying that the vulnerability has been fixed and that it is “unlikely that the information was used for fraud or disseminated by this individual.” However, the company is still investigating. It was also noted that “no credit card account numbers or log-in credentials were compromised and that over 99% of Social Security numbers were not compromised.” 

Although only Capital One customers are impacted by this breach, we consider this is the perfect opportunity to remind everyone of how stolen cardholder information is used to commit fraud.

Fraudsters have become increasingly adept at getting cardholders to share the information they need to commit fraud by posing as financial institution call center agents, or by sending text messages that look like they are coming from your institution, warning of suspicious transaction activities. They are also known to call in to call centers posing as cardholders requesting changes to card information and parameters. 

The fraudsters do this by using information stolen through data breaches at health insurance providers, reward program providers, credit bureaus, merchant terminals, and social media sites, as well as through malware programs deployed on personal computers, to mention just a few. Stolen personally identifiable information (PII) is combined with stolen card information, resulting in sufficient information to create profiles that fraudsters can use to position themselves as the actual cardholders. 

The following points can help you avoid compromising your personal information: 

• The only way CSE will contact a Member regarding fraud is through a phone call from (877).253.8964 warning you of suspicious activity on your card. The first attempt is by an automated system asking you to verify a list of transactions. If the Member does not answer it will leave a voicemail with a Case ID number. If you are uncertain about questions being asked or the call itself, please hang up and call us directly at 477.2000. If a call is received by the cardholder, claiming to be our Call Center and asking to verify transactions, no information should have to be provided by the cardholder other than their zip code, and a ‘yes’ or ‘no’ to the transaction provided.

• If you are set up to receive a text alert from us through Online Banking, it will always be from a 5-digit number and NOT a 10-digit number resembling a phone number. A valid notification will never include a link to be clicked. Never click on a link in a text message that is supposedly from us.

• We will NEVER ask you for your PIN or the 3-digit security code on the back of your card. Don’t give them out to anyone, no matter what they say. Hang up and call us directly. Fraudsters will often ask cardholders to verify fake transactions. When the cardholder says no, they did not perform those transactions, the fraudster then says that their card will be blocked, a new card will be issued, and that they need the card’s PIN to put it on the new card. Many people believe this and provide their PIN. The 3-digit CV2 code on the back of the card will allow a fraudster to conduct card-not-present transactions. 

• Regularly check your account online to see if there are any suspicious transactions that have occurred, but especially If you are unsure about a call or text message you’ve received. If anything looks amiss, call us directly for assistance. 

• If you have received a voice- or a text-message from us and are unsure about responding to it, call us directly for assistance. 

For more information on how to avoid fraud, please contact a CSE Representative at 477.2000

Source: Fiserv Inc. (2019) Capital One Compromise and Cardholder Fraud Education [PDF file].