Groupon account credit card misuse

Archived From: Finance
  • Page :
  • 1
  • Text Only
Voting History
rated:
Yesterday I recd a call from the fraud department of my credit card about some dubious activities on one of my virtual card number. I did not authorize them and requested to know which vendors was. It has since been confirmed that it was the same virtual card # which I had used for a Groupon deal recently. I tried to call Groupon but they are closed for the weekend. Considering that it is a big company, I expected better security. Luckily it was a disposable virtual card # and hence the damage was contained [none to me].

Surprisingly my credit card company wanted to confirm from me whether I have authorized these payments considering they know that virtual card #'s by design can be used only once [Groupon had already charged initially] and I see it on my cc statement.

Does any body knows how Groupon handles the cc-info? Do they charge themselves and forward the payments to the vendor or they pass on the cc-info to the vendor directly and it is the vendor who then controls the cc info? This Groupon deal was for dental cleaning services. If the breach happened at the dental cleaning services, I am afraid to even use the Groupon deal as this is medical procedure and the dental cleaning people may demand SSN [medical office usually do].

Please advise.

-JB

Member Summary
Most Recent Posts
In many cases, even if the signup form itself appears on an insecure page, the submission goes to a secure location. If ... (more)

scripta (Jul. 15, 2013 @ 11:46a) |

Group.on rejected my order without reason, telling me contact security. Obviously I'm not interested in bending over ba... (more)

bonghead (Jul. 28, 2013 @ 9:42a) |

Probably an inside job with some unethical employees in billing.

calisoldier83 (Jul. 28, 2013 @ 10:04a) |

  • Also categorized in:

Please clarify, which merchant tried to make a fraudulent charge?

If you say Groupon, then I believe the error is on you. You said you used the virtual # at Groupon earlier. That number was probably saved in your account, then, when you went to purchase another Groupon, you allowed the default card to be charged, the virtual #.

If a different merchant tried to charge the card, that's a different story.

Edit: No, Groupon does not provide your CC# to the merchant.

Groupon does not pass the CC info to the vendor.

I had purchased 4 Groupon deals recently. All of them used different virtual card #s as virtual card are single use only. some body has used one of the virtual cc # used earlier for a Groupon deal. That person tried to buy stuff from WalMart.com and another company.

BrodyInsurance said:   Groupon does not pass the CC info to the vendor.

Does it mean that the breach happend at the Groupon level?

Why do you suspect there was a breach rather than someone randomly using credit card numbers?

Has that been the only credit card you have used on your computer recently? You could have a trojan infection recently that stole it. Of course the thief doesn't know it was one time use only, all they see is credit card information.

BondGamer said:   Has that been the only credit card you have used on your computer recently? You could have a trojan infection recently that stole it. Of course the thief doesn't know it was one time use only, all they see is credit card information.

Most unlikely though. The computer is running legal copy of Win 7, is fully updated with all service packs etc, has an updated Norton anti-virus, Zone Alarm & Malawarebytes real time scanning. I do not visit any objectionable site. The browser [Firefox] is always running the current version.

Bizatch said:   Why do you suspect there was a breach rather than someone randomly using credit card numbers?
It is my understanding that to use some body else's credit card you should know full name, billing address, cc #, expiry date as well as 3-digit security code. How can all be guessed by some body else?

JB137 said:   Bizatch said:   Why do you suspect there was a breach rather than someone randomly using credit card numbers?
It is my understanding that to use some body else's credit card you should know full name, billing address, cc #, expiry date as well as 3-digit security code. How can all be guessed by some body else?

Your understanding is wrong. Very few merchant transactions require all that to match, typically the card number and expiration date is good enough. I have stuff shipped to my sister's all the time, and just list her address as the billing address - it's alot easier, since merchants are more likely to flip out about the billing and shipping addresses not matching on the order itself.

And you do realize that Citi virtual account numbers are not inherently one-time-use. Once used at a merchant they typically cant be used anywhere else, but can continue to be charged up to the credit limit you specified when creating it.

JB137 said:   BondGamer said:   Has that been the only credit card you have used on your computer recently? You could have a trojan infection recently that stole it. Of course the thief doesn't know it was one time use only, all they see is credit card information.

Most unlikely though. The computer is running legal copy of Win 7, is fully updated with all service packs etc, has an updated Norton anti-virus, Zone Alarm & Malawarebytes real time scanning. I do not visit any objectionable site. The browser [Firefox] is always running the current version.

There are 3 modes of attack if you both generated/used the credit card on the same computer.

1) Your Computer
2) Groupon
3) Credit Card Processing

Your computer is the most likely cause by miles.

Also, Norton and ZoneAlarm are among the weakest options for Anti-Virus/Firewall. Malwarebytes is good for scanning though.

BondGamer said:   JB137 said:   BondGamer said:   Has that been the only credit card you have used on your computer recently? You could have a trojan infection recently that stole it. Of course the thief doesn't know it was one time use only, all they see is credit card information.

Most unlikely though. The computer is running legal copy of Win 7, is fully updated with all service packs etc, has an updated Norton anti-virus, Zone Alarm & Malawarebytes real time scanning. I do not visit any objectionable site. The browser [Firefox] is always running the current version.

There are 3 modes of attack if you both generated/used the credit card on the same computer.

1) Your Computer
2) Groupon
3) Credit Card Processing

Your computer is the most likely cause by miles.

Also, Norton and ZoneAlarm are among the weakest options for Anti-Virus/Firewall. Malwarebytes is good for scanning though.

Well, technically Citi would be possibility #4. And there's always random number generators and lucky guesses - a few years back a fraudulant charge appeared on one of my BofA biz cards, the card had never left my desk drawer since being received and had never been used for so much as a single purchase anywhere.

JB137 said:   BondGamer said:   Has that been the only credit card you have used on your computer recently? You could have a trojan infection recently that stole it. Of course the thief doesn't know it was one time use only, all they see is credit card information.

Most unlikely though. The computer is running legal copy of Win 7, is fully updated with all service packs etc, has an updated Norton anti-virus, Zone Alarm & Malawarebytes real time scanning. I do not visit any objectionable site. The browser [Firefox] is always running the current version.
I found the problem. You have the Norton virus.

Seriously with firefox and ZoneAlarm it's extremely unlikely that you'll get anything, unless you're downloading warez from unreliable sources. Properly configured ZoneAlarm (Program Control at medium or high) will tell you if something unknown (trojan/downloader) tries to get out. Real-time scanning is unnecessary.

BondGamer said:   Your computer is the most likely cause by miles.

Also, Norton and ZoneAlarm are among the weakest options for Anti-Virus/Firewall. Malwarebytes is good for scanning though.
While I agree that Norton is crap, I'm gonna need to ask for some evidence of ZoneAlarm being anything but the only option for proper defense. I've been using it since version 3 (I wanna say more than a decade), and I have no other a/v loaded for real-time scnaning. I only have a/v installed for infrequent upon-request scans.

Don't assume the CC fraud's point of attack was the OP's PC. Breaches happen every day, all day and we don't hear about them because the companies involved don't like to have egg on their face. For every 10 stories you hear about in a month, there are 100 cases (my own conservative estimate) that never get made public. I work in the security field and I hear about it all the time, usually well after the fact and only when the company had its hand forced. You rarely hear about the actual CC companies having a breach (it does happen though). 9 times out of 10 it's someone downstream. Find out whoever is processing payments for Groupon...they are your most likely suspect.

Legally speaking, the dental office can't ask for your SSN. Vey few agencies actually have the legal right to request and hold your SSN and they are held to very strict laws governing storage/security and useage. IRS, Social Security Administration and student finanical aid spring to the mind quickly. Banks and financial instutitions are another, for obvious reasons. Hospitals, MD offices/dental offices do not have my SSN. If asked by the receptioninist, I simply state "i do not give out my SSN". S/He can't make you.

In the end, remember that dental cleaning is a transaction. You pay for a service. Would you give SSN to a dry cleaner or home cleaning service?

amiturv said:   Legally speaking, the dental office can't ask for your SSN. Vey few agencies actually have the legal right to request and hold your SSN and they are held to very strict laws governing storage/security and useage. IRS, Social Security Administration and student finanical aid spring to the mind quickly. Banks and financial instutitions are another, for obvious reasons. Hospitals, MD offices/dental offices do not have my SSN. If asked by the receptioninist, I simply state "i do not give out my SSN". S/He can't make you.

In the end, remember that dental cleaning is a transaction. You pay for a service. Would you give SSN to a dry cleaner or home cleaning service?


Same here, never gave me SSN to medical providers especially if I have an insurance. I simply leave it blank and never asked for it twice.

You're not the only one with Groupon purchases that ended up in unauthorized charges. My bank verified it was related to Groupon by the transaction codes that came in to the bank. I'm not sure whether it is a result of a security breach within Groupon or the method they process payments, but it did happen and 2 times in the same month, 2 different debit cards of mine, and on 2 different computers used to place the orders.

I also had my credit card information stolen the day after I purchased a Groupon deal for the first time; through the Groupon iPhone app.

Myself and about 4 buddies all bought the same deal on Groupon, then about 3-4 days later were all contacted by our credit card issuer asking us if we had made additional charges.

All of the additional charges were fraudulent.

I have to say that it was one heck of a coincidence that it happened to all of us right after we used Groupon. Especially since we all bought the same item, and had not used our cards in the recent past.

chocula said:   
I have to say that it was one heck of a coincidence that it happened to all of us right after we used Groupon. Especially since we all bought the same item, and had not used our cards in the recent past.


...unless you all used the same computer or home network.

Here is another great example of the daily credit card info theft that happens all over the world. Your info will never be 100% safe, if you actually want to use it out in the world. Deal with it.

taxmantoo said:   chocula said:   
I have to say that it was one heck of a coincidence that it happened to all of us right after we used Groupon. Especially since we all bought the same item, and had not used our cards in the recent past.


...unless you all used the same computer or home network.


Did it at a large company and we all used different computers.

Crazytree said:   Here is another great example of the daily credit card info theft that happens all over the world. Your info will never be 100% safe, if you actually want to use it out in the world. Deal with it.

It sounds like somebody in the Groupon payment chain needs to deal with improving their data security. Information may not be 100% safe, but that doesn't excuse problems. When there are multiple problems with purchases through your system, action is needed.

JB137 said:   Yesterday I recd a call from the fraud department of my credit card about some dubious activities on one of my virtual card number. I did not authorize them and requested to know which vendors was. It has since been confirmed that it was the same virtual card # which I had used for a Groupon deal recently. I tried to call Groupon but they are closed for the weekend. Considering that it is a big company, I expected better security. Luckily it was a disposable virtual card # and hence the damage was contained [none to me].

Surprisingly my credit card company wanted to confirm from me whether I have authorized these payments considering they know that virtual card #'s by design can be used only once [Groupon had already charged initially] and I see it on my cc statement.
-JB


The virtual credit card implementations vary between credit card issuers. (BoA/FIA, Citibank, and Discover all license the Orbiscom system in the USA. BoA used to allow multiple merchants to charge the number up to the credit limit, although I've heard they now only accept a single merchant. On the other hand, I've had attempted purchases with CLOSED one time numbers eventually go through after being rejected multiple times (BoA).

Chalk us up charged May 8th, this AM May 11 cc company called with thousands of charges....cc had ONLY been used at Groupon for quite some time an Groupon STORED that card without permission - I just removed it and we are DONE with Groupon!

yesterday someone somehow got into my Groupon Account, changed the email address and the name on the account but left my credit card as the funding source. They promptly ordered a Dell Laptop to be shipped to their address in Arkansas. I live in California. I called Groupon, the guy on the other end saw what was happening and was able to kill the transaction since it had happened an hour previous. The $500 charge is still pending on my bank statement. Groupon needs to tighten things up. It looks like it's really easy to hijack anyone's Groupon account. I had them shut down the account.... I'm done with Groupon...! What a crappy company. As of this moment I have no email from them even verifying that ANYTHING happened... Wasted 2 hours of my time talking on phone with the bank and Groupon..... which generally sucks.

lefty9 said:   yesterday someone somehow got into my Groupon Account, changed the email address and the name on the account but left my credit card as the funding source. They promptly ordered a Dell Laptop to be shipped to their address in Arkansas. I live in California. I called Groupon, the guy on the other end saw what was happening and was able to kill the transaction since it had happened an hour previous. The $500 charge is still pending on my bank statement. Groupon needs to tighten things up. It looks like it's really easy to hijack anyone's Groupon account. I had them shut down the account.... I'm done with Groupon...! What a crappy company. As of this moment I have no email from them even verifying that ANYTHING happened... Wasted 2 hours of my time talking on phone with the bank and Groupon..... which generally sucks.

If Groupon didn't notify you, how did you find out? Did you just happen to check your credit card acct online? It was fortunate that you caught it so quickly. You have a name and adress... have considered reporting it to the Arkansas police?

I saw a Groupon email "congratulating" me on my new laptop computer purchase. Then checked my bank statement and there it was as a pending charge. I was lucky I saw this yesterday morning and it sounds like Groupon handled it although I'll believe it when I see it.
Yes, I'd like the person prosecuted... waiting to hear from Groupons "fraud dept."

lefty9 said:   I saw a Groupon email "congratulating" me on my new laptop computer purchase. Then checked by bank statement and there it was as a pending charge. I was lucky I saw this yesterday morning and it sounds like Groupon handled it although I'll believe it when I see it.
Yes, I'd like the person prosecuted... waiting to hear from Groupons "fraud dept."


Thanks for the heads up/details, and good luck.

The same happened to me> I purchased a online excel course for 190.00 and 9,362.58 disappeared from my credit card

This just happened to me last night. Received a "congratulations" e-mail from Groupon about my new Dell purchase. Then got a "large transaction has posted to your account" from my cfredit card. Trying to log on to Groupon, and it won't let me, my account's been de-activated and replaced with someone else's e-mail. I called Groupon to notify them, and they were less than helpful so far. The lady on the phone told me to "calm down". Bye bye, Groupon. I used it many times, but I will be done now.

I saw some tempting offers from Groupon, but when I opened https://www.groupon.com/ to sign up, I was redirected to a non-SSL page and thought better of it. I notice that the HTTPS Everywhere add-on is supposed to work with the site.

filmy said:   I saw some tempting offers from Groupon, but when I opened https://www.groupon.com/ to sign up, I was redirected to a non-SSL page and thought better of it. I notice that the HTTPS Everywhere add-on is supposed to work with the site.In many cases, even if the signup form itself appears on an insecure page, the submission goes to a secure location. If you hadn't messed with your browser settings, it will always warn you about submitting data to a non-secure location. If you don't get a warning, the submission is secure.

Group.on rejected my order without reason, telling me contact security. Obviously I'm not interested in bending over backwards to correct it (they're supposed to work for me, not the other way around). When a vendor has overly sensitive security controls giving false-positives to legit shoppers, time to walk.

Then after denying the order group.on immediately started spamming the email address I gave them -- the one they deny orders to. Consequently group.on qualifies for my boycott list.

Probably an inside job with some unethical employees in billing.



Disclaimer: By providing links to other sites, FatWallet.com does not guarantee, approve or endorse the information or products available at these sites, nor does a link indicate any association with or endorsement by the linked site to FatWallet.com.

Thanks for visiting FatWallet.com. Join for free to remove this ad.

TRUSTe online privacy certification

While FatWallet makes every effort to post correct information, offers are subject to change without notice.
Some exclusions may apply based upon merchant policies.
© 1999-2014