Two Card Details Leaked and Used within 3 Weeks of Each Other, Physical Cards Stay Home

So a few weeks ago I was at my dads and we were talking about cash vs card for transacting.
I was on the side of card as you have more traceability of your spending and transaction and the responsibility falls on the bank.
unbeknownst to me, as this convo was happening my card details have been leaked online.
I went to woolies with $1000 in my account only to have my $5 transaction declined, paid with another card in my digital wallet after checking my account and was shocked to see ~$1000 stolen from me, got home, checked my wallet, all my cards are there, none missing, called bank and reported the issue

Today, another card, same issue, got a text about a transaction, after shopping also at woolies, checked, same thing, unauthorised transaction and card is here at home.

I work in IT security, so don't have social media, don't have my CVC's written down, have MFA for everything possible etc and barely use my card anywhere special, both digital cards only used at Woolies / Coles / amazon / uber eats and Qkr App to order school lunch for son.

Both cards have been registered with Qkr recently and that seems where I think the issue lies.

is there anyway to find out

Comments

  • +2

    At least with card you can get your money back. Inconvenient but worth it

    • +2

      At least with your cash they have to physically get their hands on it. :)

  • +24

    Your dad skimmed your card when you went to the fridge

  • +2

    Send bikies to qkr

  • +1

    The QKR app could be the culprit. If you wanted to test it out by process of elimination, set up a VCC with a small amount on it.

  • +9

    I work in IT security, so don't have social media,

    I know someone that works in IT security and they do have social media. Ironically, their card details have never been compromised. Create a tiktok account immediately for your account safety.

    • I thought this kinda of issues we actually reached out to an IT security, the IT security reached out to OZB instead.

  • +2

    Both cards have been registered with Qkr recently and that seems where I think the issue lies.

    Careful pointing the fingers….. You don't really know who leaked your data.

  • Yeah this is why you should semi regularly cancel your cards

    • +1

      Every 3 months for me.
      mainly so I can recycle dinner box special offers

    • +2

      No need to cancel my cards. Just disable features of online payment and overseas payment in the bank app settings. I enable online payment only when I want to shop online. Even if someone skimmed and duplicated my cards, nobody can use my card details for online shopping or in-store overseas.

  • +2

    You should report this to the AFP/cyber.gov.au
    Èven if you don’t know the full details you might send them something that helps another person in a similar situation. This is a pretty unusual case. Not one but BOTH of your cards. If you are authorising through Apple Pay your full details shouldn’t be given. Has anyone else gotten access to your cards recently? Or could someone have had access to your wallet? Where were the $1000 worth of charges made?

  • I only use cards that have the app telling me every charge that goes out.
    Not worth saving cents compromise financial integrity.
    To keep track I still have around 10 cards locked up in a safe.
    Apple pay seems safer than Google pay. Pain having to ring them banks to authorise it.

    • +3

      Both Apple Pay and Google Wallet are good because they change the card numbers. Merchants cannot see your real card numbers. Actually safer than using your physical card to shop in-store or online.

      • I used to be able to hand my Samsung device to trusted friends to tap and pay. With Apple face id so far has appeared the safest, worth waiting an extra second for.

        • Now android phones need to be unlocked to use Google Wallet (no more Google Pay). That means using my fingerprint or pin or pattern to unlock my phone to pay with Google Wallet.

          • @neoleo: yep, quick to set an extra pattern for friends but Apple is more strict.

            • @payless69: Face ID is actually less secure and can be manipulated (in the news). I don't use face unlock in my android phone. So, don't know if I can use face unlock for Google Wallet.

              • @neoleo: I use face to unlock my Android phone for convenience (sometimes fingerprint recognition can be finicky - esp with wet/ cold hands) but google wallet only accepts fingerprints.

  • +1

    I can't even trust Amazon to get my payments right. I recommend have a few accounts with less than $200, and keep anything else in a HISA (High Interest Savings Account) account (like ubank 5.5% P.A. for extra moneys) with no card.

    If you need to spend more, transfer the money in just before the transaction. For any online transactions just use a temporary, on use card like is available from Revolut or have a card which is always empty and put money in before a transaction.

    I have a dedicated account just for amazon transactions since they've overcharged me a few too many times. It's always near empty.

    My money is safe in my HISA until I need it.

    • Just need to disable online payment or even disable/put on hold temporarily. Only enable online payment feature and overseas payment feature when you need. Some banks have these features like Up bank, NAB, even Wise (previously Transferwise, not a bank technically).

      Up bank and Wise also have virtual card feature. I can have 3 virtual cards in Wise and can change to new virtual card with different numbers of course if I want.

      • I could disable online purchases, but that doesn't prevent an overcharge. Most of my problems with amazon were them telling me something was on sale and would cost me, for example, $5, then finding I was charged $16. If I only have $6 in my account, they can't take much more. It's much better than the refund and fix through support.

  • +5

    OP works in IT security but still don't know how to secure cards even if card details stolen? The answer is disable your cards or put on hold temporarily. Only enable the card that you want to use when online shopping for example. Certain banks cannot disable online payment, only put on hold/disable entire card temporarily.

    I disabled some of my cards for online payments in the bank apps setting. Certain banks have feature to disable card for online payment, gambling, local only or also overseas payment. I have Up bank that can disable online and overseas payment (neobank, no branches and has virtual card too). Very useful ;-) NAB app can disable card for online payment and overseas use in the setting too. Wise (Transferwise previously) can also disable card in their app and virtual cards are available too. Other bank cards like Ing bank or St. George Bank don't have this feature to disable online payment only or virtual card.

    Features like turn off/disable online payment and overseas payment should be basic features in every bank. Imagine your card details were skimmed or stolen and someone duplicated your card overseas. But you remember that you have disabled overseas payment and online payment features, so the card number cannot be used for in-store or online payment. Only enable online payment or overseas payment when you need.

  • I know how to secure my stuff.
    But to disable online payments and to enable them when i need to use seem a bit unnecessary as I am not the one leaking this data. I do not share my devices, my payments etc. Nothing is known by anyone, nothing is written down. This is a case of a third party who I have transacted with leaking my details.

    We will see what happens.

  • +3

    Switch on notifications for your bank as well. It won't stop the fraud, but at least you'll be notified immediately.

  • +1

    No man made is perfect 100%, even security. If not by you, the merchant or third party payment processor could leak or get their data breached. Most people don't do online shopping everyday … So, only enable online payment when needed should be good for many people unless certain old people that don't know how to use bank app/website.

    Long time ago there was a case in my country related with The Body Shop retailer where certain people with Platinum credit cards got their cards skimmed in-store … No guarantee that big companies can be safe from any attacks related with security especially company's data security, customer data, etc.

    Using Google Wallet or Apple Pay is better than using real card numbers straightaway in-store or online (yes, I can pay online with Google Pay/Wallet in certain websites). At least Apple Pay and Google Wallet change card numbers for any transactions, so merchants don't know our real card numbers. Using PayPal and Stripe is another option. Also virtual card like in Upbank or Wise etc. is good option too.

  • My parent and brother use their physical cards only, no digital pay and online shopping and they got skimmed. I use mostly Samsung pay and the last time I got skimmed was over 5 years ago. Been trying to get them to use digital pay but they refuse. Do you use your card physically?

Login or Join to leave a comment