credit card scam on property?

[Collin WK]

Many stories are coming out of disney parks about credit cards being used to rack up charges for items the guests are not using it and I believe I've witnessed this first hand. Disney is aware of it, but can do very little about it. Often it is not cast members who steel the information (as many people blame) and drain accounts but rather other guests.

Last time I was in magic kingdom we saw a man with what looked like a camera phone but was not when you looked closely as we did because he appeared to be taking pictures of random people.

After we saw him take pictures of people he did not know for 15 minutes he walked over to a backpack by a family and pulled out a box and attached this box to the "phone" device and proceeded to do this repeatedly, especially near food counters.

My best guest is he's there everyday and uses these images to zoom in and steel many credit card numbers and security codes off of the cards he gets glimpses of with an enhanced camera type device.

We informed a cast member and they went and got management to watch him and then they called security but they also mentioned to us that this was not the first time in this area such things had been reported and they were aware of the scenario, but until they had proof they could not take action legally on the individual who claimed he did not speak English then would go talk to his friends in perfect English. If your in the area of outdoor places where this could occur try to cover you credit card and not wave it around especially when using the touch machines at counter service locations, many people reveal there entire card by holding only the edges of their cards while using the touch pads used a majority of the time for magic bands

are any of you who are involved with the dis unplugged or are in the parks often noticing his also?

we may need to be more careful in the parks then we think

 

[Kimberle]

In today's society, you have to always think that someone is going to "steal" your info. Also, when entering a security number into a pinpad, always cover your hand so "they" can't determine what numbers you are keying.

 

[Syndrome]

Our past two trips to WDW this year (once in June, and once in August) , we have had credit cards compromised BOTH times ! Scary !
We are leaving today for our third trip this year and have now learned to be especially careful ! I am to the point of using MB's for everything, and our credit cards stay locked away in a safe place unless absolutely needed !

 

[OKW Lover]

Our past two trips to WDW this year (once in June, and once in August) , we have had credit cards compromised BOTH times ! Scary !
We are leaving today for our third trip this year and have now learned to be especially careful ! I am to the point of using MB's for everything, and our credit cards stay locked away in a safe place unless absolutely needed !

Were your cards compromised at WDW locations? Or off property?

 

[doconeill]

Of course, in theory the magicbands can be duplicated, but they still need both the band and the PIN to make purchases.

It does seem ironic that after all the discussion over magicbands and security, it's still our old-fashioned credit cards, that still bear easy to read embossed number for no modern practical reason any longer, are the weak point.

Newer technologies such as Google Wallet and Apple Pay have the potential for better security in this particular regard, but there are other potential concerns.

I actually think American Express cards are weaker in this regard, as the CVV code is printed on the front of the card easy to read, instead of on the back in the signature box where it was dot-printed. If you need to use the CVV code, you need to see BOTH sides of the card, and one of them pretty close up.

Of course, the banks keep dragging their feet on moving to chip-and-pin style technology.

Solution: PAY CASH!

 

[disneyholic family]

Of course, in theory the magicbands can be duplicated, but they still need both the band and the PIN to make purchases.

It does seem ironic that after all the discussion over magicbands and security, it's still our old-fashioned credit cards, that still bear easy to read embossed number for no modern practical reason any longer, are the weak point.

Newer technologies such as Google Wallet and Apple Pay have the potential for better security in this particular regard, but there are other potential concerns.

I actually think American Express cards are weaker in this regard, as the CVV code is printed on the front of the card easy to read, instead of on the back in the signature box where it was dot-printed. If you need to use the CVV code, you need to see BOTH sides of the card, and one of them pretty close up.

Of course, the banks keep dragging their feet on moving to chip-and-pin style technology.

Solution: PAY CASH!

on the other hand, AMEX is very easy to deal with if there are charges on your card that you didn't make.
In my experience, much much much much much easier than visa or mastercard

 

[New England Eeyore]

On our last pre-MagicBand trip, my CC was compromised at either Splitsville or House of Blues. (The only 2 places I didn't charge it to the room.) My CC company (Visa) noticed the fraudulent charge before I did and it was easily handled but it's always a bit of a nuisance. Because of this, I love the MagicBands and the extra security they offer. In fact, my server at the House of Blues on my most recent trip tried (very aggressively and inappropriately) to convince me to give him my CC instead of my MagicBand because it would be "easier" for him to key in. I flatly refused and was 1 more protest away from to ask for a manager when he finally gave in with much grumbling.

 

[truck1]

Many stories are coming out of disney parks about credit cards being used to rack up charges for items the guests are not using it and I believe I've witnessed this first hand. Disney is aware of it, but can do very little about it. Often it is not cast members who steel the information (as many people blame) and drain accounts but rather other guests.

Last time I was in magic kingdom we saw a man with what looked like a camera phone but was not when you looked closely as we did because he appeared to be taking pictures of random people.

After we saw him take pictures of people he did not know for 15 minutes he walked over to a backpack by a family and pulled out a box and attached this box to the "phone" device and proceeded to do this repeatedly, especially near food counters.

My best guest is he's there everyday and uses these images to zoom in and steel many credit card numbers and security codes off of the cards he gets glimpses of with an enhanced camera type device.

We informed a cast member and they went and got management to watch him and then they called security but they also mentioned to us that this was not the first time in this area such things had been reported and they were aware of the scenario, but until they had proof they could not take action legally on the individual who claimed he did not speak English then would go talk to his friends in perfect English. If your in the area of outdoor places where this could occur try to cover you credit card and not wave it around especially when using the touch machines at counter service locations, many people reveal there entire card by holding only the edges of their cards while using the touch pads used a majority of the time for magic bands

are any of you who are involved with the dis unplugged or are in the parks often noticing his also?

we may need to be more careful in the parks then we think

I haven't noticed this but Im definitely going to look harder now that you mention it. What I was thinkning is could he have a reader that reads the barcodes from cards? Ive seen something recently where a identity thief just has to be nearby and can get the info off the card without actually seeing it.


http://www.forbes.com/sites/andygre...ards-can-be-read-through-clothes-and-wallets/

http://www.komonews.com/news/local/...chnology-to-steal-credit-cards-208613001.html

 

[doconeill]

I haven't noticed this but Im definitely going to look harder now that you mention it. What I was thinkning is could he have a reader that reads the barcodes from cards? Ive seen something recently where a identity thief just has to be nearby and can get the info off the card without actually seeing it.

There aren't barcodes on credit cards. Barcode readers in general need to be relatively close as barcodes require a good enough resolution to be read.

In the case of credit cards, all you need is the numbers and expiration - often quite visible on the card because they are not only embossed on it (for the really old school carbon-paper swipe machines used to take an imprint, which I haven't seen in about a decade), but also highlighted often in gold or silver. A close picture could easily show those numbers.

Then you just need a card embosser and good enough fake cardstock, and program the magnetic stripe to be read. Then take that card to a retailer that you know doesn't use the CVV code (I've noticed a few do, although it's not generally required when purchasing in person), make a purchase, and walk away.

CVV codes are primarily meant for "card not present" transactions - i.e. when the merchant does not see/handle/scan the actual card.

 

[jodiey]

I was just notified today that someone tried to use my credit card! I was in Disney last month.

 

[truck1]

There aren't barcodes on credit cards. Barcode readers in general need to be relatively close as barcodes require a good enough resolution to be read.

In the case of credit cards, all you need is the numbers and expiration - often quite visible on the card because they are not only embossed on it (for the really old school carbon-paper swipe machines used to take an imprint, which I haven't seen in about a decade), but also highlighted often in gold or silver. A close picture could easily show those numbers.

Then you just need a card embosser and good enough fake cardstock, and program the magnetic stripe to be read. Then take that card to a retailer that you know doesn't use the CVV code (I've noticed a few do, although it's not generally required when purchasing in person), make a purchase, and walk away.

CVV codes are primarily meant for "card not present" transactions - i.e. when the merchant does not see/handle/scan the actual card.

Sorry. I didn't mean Barcode literally. I meant the signal that some cards are now sending out.

 

[doconeill]

Sorry. I didn't mean Barcode literally. I meant the signal that some cards are now sending out.

Ah...you mean the RFID codes...

Readers Digest version...

Passive RFID, like the ones used in the RFID ticket media and MagicBands for admission into a park, purchases, etc. require that the device be placed in a magnetic field of sufficient power to "power up" the chip and have it send the ID it has. And then there needs to be a receiver.

It is _possible_ to read them from a distance. But you wouldn't do it with your typical smartphone. I can read my MB, but only if I put it right up to it.

And then, all you get is the ID number of the band. You don't get any credit card or personal info. At best, you could duplicate it into another device, but you'd still need a PIN for purchases. A lot of effort/expense for something not of great value compared to an actual credit card.

Some credit cards also have passive RFID. This is more of a concern, but they are supposed to use a somewhat more secure system. I'm not sure how good it is.

The active RFID part, which sends out a low-power signal, is used for different purposes and has a different ID. About all we know that does is allow you to end up in someone else's pictures.

 

[sayhello]

Some credit cards also have passive RFID. This is more of a concern, but they are supposed to use a somewhat more secure system. I'm not sure how good it is.

My understanding is that the ID that comes from the "passive" RFIDs in credit cards uses some sort of rotational randomized ID, so that the same credentials are never used twice. So picking up the credentials transmitted for one transaction really gives you nothing, because you can't re-use it. I have no idea how that works, but that's what I've been told by someone who worked on one such system.

Sayhello

 

[doconeill]

My understanding is that the ID that comes from the "passive" RFIDs in credit cards uses some sort of rotational randomized ID, so that the same credentials are never used twice. So picking up the credentials transmitted for one transaction really gives you nothing, because you can't re-use it. I have no idea how that works, but that's what I've been told by someone who worked on one such system.

Sayhello

I know there were a lot of claims of encryption early on, but it was proved that it was easy enough to extract at least the card number and expiration date with a cheap RFID reader.

More recently, the cards issue an additional code that is pre-programmed, one-time-use codes. But even they aren't a solution - they just make it more difficult. In theory, I can get your card to give me a series of codes if I can get close enough to it (and "close enough" depends on the power I have), and then I can rush out and use those codes before you do. When you go to use yours, it would be rejected because the code was already used.

The biggest protection they really have right now is that they limit the amount of transactions you can use with it, typically $50, although I think some will allow more but require a signature.

PINs can make it more secure (unless someone is scanning and watching a transaction taking place), but less convenient, and since it's all about spending money here in the US, they don't require PINs.

Disney tried to do a "$50 without PIN" limit in the parks, but there was a lot of discussion online when they started and opted for a PIN on all transactions.

I prefer the idea of the contact-chip implementations that are more widespread in Europe and Canada. It can't be read at a distance, so it would inherently be more secure, and can still have the single-transaction advantages as well. Add a PIN on top of that, and its even more secure.

But interestingly, while driving through Canada recently, we had a rest stop and in the store when I had to hand over my card because it didn't have the chip, I said to the clerk about wishing the US would move faster...but she indicated it's been nothing but a problem - I didn't have time to ask why.

The US is moving to contact-chip cards, but slowly. The Payment Card Industry has basically mandated that all vendors be able to accept chipped cards by next year by placing the burden of liability for fraudulent charges on them IF an account number is used that belongs to a chipped card, and they didn't process a chipped transaction because they didn't have the equipment. But on the flip side, the banks seem reluctant to issue cards with chips yet because they cost more. I had three credit cards renew in the past year, none of which have contact chips (and one, which had a contactless chip but was renewed without the chip without any explanation). I just got one more this month, and this one finally has a chip.

I just haven't seen any chip terminals yet.

And strangely, the US is also not moving to "chip-and-PIN" like the rest of the world, but just "chip-and-signature". I'm not sure why as I don't see signatures as any sort of protection these days.