Earlier this year, I purchased a single item from a small webshop. Since I use Privacy.com, I generated a unique virtual card number for this single transaction and then immediately closed the card after it completed.
About a month ago, an eBay fraudster was able to retrieve this card info from ~somewhere~ given just my legal name, and attempted to run a bunch of $1,000+ charges on it. Luckily, the card had already long been closed, so all that happened was a one-hour investigation from me, and some due diligence (reporting the incident to eBay, etc).
The only way this card info could have existed anywhere for purchase (presumably, assuming they used some "legal name to card number" service) is if it had been skimmed from that one singular purchase from the small webshop.
Whoever skimmed it didn't use it or touch it whatsoever, all they did is upload it associated with my legal name. Then, months later, the eBay fraudster used my legal name to locate those card details in order to attempt to run those charges.
If my computer or browser had been compromised, the fraudster would've had far more cards to try. Same for if Privacy had been compromised. I'm sure it was something about the webshop or their payment processor, so I reported this to them.
They basically replied back that they are very secure (they cited their payment processor, Paysafe, and a service called Sucuri that supposedly verifies hashes all of their server-side files) and that none of their other customers have complained so it must be my issue. So far, they've claimed:
- a keylogger on my computer
- a compromise of my bank
- a compromise of Privacy
> Whatever happened to your virtual card is not a result from making a purchase on our website as we have hopefully demonstrated. Considering all the info you provided, plus all of our own data and research, our best educated guess is that privacy.com is the source of your data breach. They are also the only ones with a complete data set on you, including all your credit card info, virtual and physical.
This does not make any sense, as Privacy has total access to everything, if they had been compromised then the hacker could have leaked far more than one random card, and the fraudster could have kept trying numbers until one worked. But they couldn't.
I'm certain that there was a data breach here but they're not taking it seriously. What can I do about this?
Here is their latest response in the chain:
> Thanks for the detailed info. Yes, Paysafe is the credit card processor. Interesting that even though your transaction took place in January, your fraudulent orders all occurred on just one day, April 30 and only a few minutes apart. If that card number was skimmed, you would be seeing daily fraudulent transactions. Your card also shows as "closed at time of transaction", wouldn't that make the card unusable? If so, why was privacy.com still allowing transactions on it?
> We have used Paysafe for 10+ years without a single fraud incident, so pretty confident their systems are very secure. They have continuous 3rd party testing and scanning and their systems also need to pass PCI DSS v4.0 security audits.
> Again, our website payment entry info can't be skimmed since no data entry occurs on our website. 1000's of credit card transactions have been processed since your order without a single payment complaint. Many years ago we had a different website that got compromised and trust us, we received tons of complaints literally starting an hour after malware was detected. If our site was compromised in any way, we would be getting a constant stream of complaints.
> Did a quick Google search on data breaches at privacy.com and there are tons of reported incidents. Here is a link to the first Google search result:
https://news.ycombinator.com/item?id=33068114
There are many more as well, don't think privacy.com is as secure as you might think.
> We also use the highly awarded Sucuri security service which scans all website files continuously for any changes in a files SHA signature. As soon as a file gets changed or added, a chain of security checks take place to authenticate the changed file. No way for any malware to sneak in un-noticed.
> Whatever happened to your virtual card is not a result from making a purchase on our website as we have hopefully demonstrated. Considering all the info you provided, plus all of our own data and research, our best educated guess is that privacy.com is the source of your data breach. They are also the only ones with a complete data set on you, including all your credit card info, virtual and physical.
> - a keylogger on my computer
Or rogue browser extension taking screenshots when a user visits a shopping checkout page. (I know that's also just a theory.)