So, my Discover card was compromised. But this was weird, never heard of anything like this before. I woke up this morning to find an email from Discover saying my email address had been updated. I called Discover and they were quite unhelpful, but after spending 2.5 hours on the phone I finally pieced together some of the story:

Sometime this morning (time withheld) a small charge of 48 cents was placed with a website that sounds like greatgoogallywoogally.com (I didn't catch the exact name)
Shortly later my online account was "re-registered" to another email address (which was my address with a couple numbers added to the end -- prior to the @ sign)
At some point after that someone used my accumulated Discover CashBack to purchase Land's End E-Certificates.

Now for the particularly odd part: According to the last person I talked to at Discover (@ Websupport, who was the only useful person, oddly enough), whoever it was failed to answer my security questions. When I asked how did they change my email address if they didn't correctly answer the security questions she responded: "They shouldn't have been able to, I have no explanation." She also claimed that no one logged into the account since the account was re-registered. So I asked how could someone redeem my CashBack if they never logged in. She responded: "They shouldn't have been able to, I have no explanation."

She did mention that she had seen a couple people have the same problem over the past 2 or 3 weeks (email updated to their email address plus a few numbers and then buying Land's End E-Certificates).

I'm not sure what to make of this. I'd like to know how much of my information was compromised. In theory, whoever did it clearly had my card #, expiration date, and email address. They probably now have access to my physical address. In order to re-register the account they need the last 4 of my SS# and my date of birth, but it's not clear they actually needed that since they didn't have the security question answers and they were still able to re-register.


This is just a guess so I am not sure if that is actually what happen or not.

Did you log into your Discover account recently? It can be something called cross-site request forgery.

What it does is if you log into your Discover account on one browser tab, but also go to a malicious site on another tab with the same browser at the same time, the other site's web page can have some JavaScript code that would be executed on your browser, which sends a request to the Discover site asking to rename your email or purchase a gift card. If the Discover card server is not smart enough, it would think you are logged in and the request is from you.

I assume the Discover card server should have some security check to prevent this cross-site request forgery (for example, put some encrypted hash key in the web form hidden field and check that hash code before processing further), but you never know.

So every time you log into your bank or credit card account web sites, don't go to the porn site at the same time.

Added 5/14/2013:

Actually, I just logged into my Discover card site, hit the edit contact information button, and viewed the source. I see a hidden field on the form that has something like this:

<!-- code added for CSRF-->
<input type="hidden" name="org.apache.struts.taglib.html.TOKEN" value="bf3eb8e4steccared1d2dbf4932675c0c6" >

And the value changes if you cancel it and try to edit your contact again, so they must have added this code to prevent Cross-Site Request Forgery (they even mention CSRF). So I think Discover already put something there to prevent this from happening. Still, as I said, as a precaution, when you log into your bank or credit card account, be careful if you visit other sites at the same time.
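To make concrete what the hidden token in zeno's post is protecting against, here is an added example (not code from the thread, and not Discover's actual implementation, which nobody in the thread has seen). It models the two handlers side by side: one that trusts the session cookie alone, and one that also requires a one-time token minted when the form was rendered and stored in the server-side session, much like the Struts TOKEN field above. The field name csrf_token, the in-memory session store and the sample requests are all constructed for the example.

```python
import hmac
import secrets

# Stand-in for a server's session store, keyed by the session cookie value (constructed for this example).
SESSIONS = {}


def login(user):
    """Create a session the way a successful login would and return the cookie value."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "email": f"{user}@example.invalid", "csrf": None}
    return sid


def render_edit_form(sid):
    """Rendering the edit-contact form mints a fresh one-time token, saves it in the
    session, and embeds it as a hidden field. A page on another origin cannot read
    this HTML, so it cannot learn the token (same-origin policy)."""
    token = secrets.token_hex(16)
    SESSIONS[sid]["csrf"] = token
    return f'<input type="hidden" name="csrf_token" value="{token}">'


def update_email_unprotected(cookie_sid, form):
    """Vulnerable handler: the only check is 'is there a valid session cookie?'.
    A browser attaches that cookie to a cross-site POST automatically, so a forged
    request from a malicious tab succeeds."""
    session = SESSIONS.get(cookie_sid)
    if session is None:
        return 401, "not logged in"
    session["email"] = form["email"]
    return 200, "email updated"


def update_email_protected(cookie_sid, form):
    """Hardened handler: the request must carry the token the server issued to this
    session, compared in constant time, and the token is consumed on use."""
    session = SESSIONS.get(cookie_sid)
    if session is None:
        return 401, "not logged in"
    expected = session.get("csrf")
    supplied = str(form.get("csrf_token", ""))
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return 403, "CSRF token missing or invalid"
    session["csrf"] = None  # one-time use: the form must be re-rendered for another change
    session["email"] = form["email"]
    return 200, "email updated"


def simulate():
    """Run a forged request and a legitimate one against both handlers; return status codes."""
    sid = login("victim")

    # Forged POST from another tab: the cookie rides along, but there is no token
    # because the attacker's page never saw the form. (Constructed sample request.)
    forged = {"email": "victim123@attacker.invalid"}
    unprotected_forged = update_email_unprotected(sid, forged)[0]
    protected_forged = update_email_protected(sid, forged)[0]

    # Legitimate flow: the user loads the form (token minted) and submits it back.
    hidden = render_edit_form(sid)
    token = hidden.split('value="')[1].rstrip('">')
    protected_legit = update_email_protected(sid, {"email": "victim@example.invalid", "csrf_token": token})[0]

    # Replaying the same token after it was consumed is rejected as well.
    protected_replay = update_email_protected(sid, {"email": "x@attacker.invalid", "csrf_token": token})[0]

    return {
        "unprotected_forged": unprotected_forged,
        "protected_forged": protected_forged,
        "protected_legit": protected_legit,
        "protected_replay": protected_replay,
    }


if __name__ == "__main__":
    for name, status in simulate().items():
        print(f"{name}: HTTP {status}")
```

The token only helps because the form's HTML, and therefore the hidden value, is readable solely by pages on the bank's own origin; the attacker's page can trigger the request but cannot fill in the field. That is also why the value zeno saw changes on every render: a per-form token that is consumed on use leaves nothing for a second forged submission to reuse.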

Zeno, I had not logged into my Discover card account for a while. Also, this doesn't explain why they were able to change my email address despite failing the security questions which are supposed to prevent exactly that. Additionally, if they were after my CashBack (which I'm guessing they sold or planned to sell the e-certificate for, probably worth a lot more than a stolen credit card number) and they had direct access into my online account, why bother with the test charge?

When I made a large purchase at WalMart.com with my Discover card, Discover immediately flagged it as fraud and canceled my order. If I had been purchasing a hot deal, then I would have been pissed. The rep at the Fraud Dept said they have had a lot of cards compromised recently and used at WalMart. /shrugs/

I've also had Discover call me about large purchases on more than one occasion.

I have always been disappointed with Discover's password capabilities. Just numbers and letters. Same with AMEX though I guess.

Are they fixing your CashBack issue though? I guess that is what counts in the end.

The CashBack issue kind of annoys me, because I spoke to people for almost 2 hours before I talked to the person at WebSupport who said: "Yeah, I've seen that before, they usually buy Land's End E-Certificates" and then checked and found that in fact they had. She promised she'd get it taken care of added to the fraud complaint and that I would get it back. Had she not checked, I may have gotten the CashBack back, but it would be a huge fight. She said I should get it back since it was amended to fraud complaint.

What bothers me is how this was done. If a WalMart account were compromised and they got my email address and card number, fine... No biggie... But if they compromised my computer and have a keystroke logger, or know my SS# and birthdate (which isn't going to have come from WalMart), or figure out my username and password, or if they are an insider in Discover, it's a much bigger deal.

Do you have any reason to think your computer was compromised other than this? I would assume someone just hacked your password or similar.

To be safe you should change the passwords for your other financial accounts and you can put a fraud lock on your credit reports.

I do not think it's likely they hacked my password since they "re-registered" my account, and the only reason to do that would be if they didn't know my password. Also, my password isn't readily guessable, so I think it's unlikely someone could have simply guessed it without A) compromising other things and B) making multiple guesses. Of course they don't seem to have records.

Sounds almost like an inside job. The small charge to a website is a common tactic to see if a randomly generated # would work, but how did they change your email address and redeem your CashBack?

hpmax said:   I do not think it's likely they hacked my password since they "re-registered" my account, and the only reason to do that would be if they didn't know my password. Also, my password isn't readily guessable, so I think it's unlikely someone could have simply guessed it without A) compromising other things and B) making multiple guesses. Of course they don't seem to have records.

People don't 'guess' your password. They can have a computer figure it out through brute force running every single possible combination or similar tricks. A short password takes literally seconds for a computer to figure out.


If you think they don't know your password then why do you think they compromised your computer?

Zeenuts, I know the small charge trick, but I don't see why they bothered. If they were after my CashBack, why bother with the test charge -- especially if they had additional information on me to get into my account (like my email address and possibly my SS# and date of birth)... The idea of it being an inside job hasn't escaped me. Why place a small charge if it was an inside job (perhaps to try to make it look like ordinary fraud, so you won't think about the certificates?)

jerosen, because I do not have faith in what Discover has told me. I really have no idea. I also do not see how they could easily brute force every single possible combination. The search space of my password is probably on the order of 10 quadrillion combinations. Even if you could knock them out at a billion per second, it'd still take nearly 4 months. That type of computer power doesn't come cheap and no one is going to waste 4 months of it to get a couple hundred dollars of CashBack rewards. But even if they had the computational hardware to do this, the question is how did they get the stored passwords to begin with? They certainly aren't making a billion inquiries a second over the Internet for 4 months straight; not only couldn't Discover's computers keep up with it, but they'd lock out the account and your IP address way before you found it, so they would have to have gotten the stored (and presumably encrypted) passwords directly from Discover, in which case Discover has a serious security breach.

The reason I posted this was A) to let people know that people were breaking into accounts to steal CashBack in the form of Land's End E-Certificates (something I had never heard of before), and B) I thought the circumstances where Discover had no explanation as to how my account was compromised, while claiming they didn't know my security questions or have any records of the actual login which allowed them to get the gift certificates were quite unusual.

The same thing happened to me on April 29th. I received an email notification that my email address at Discover had been changed. I contacted Discover immediately and had them shut my card down. I also discovered that my CashBack had been redeemed for Land's End e-gift cards. There was no small test charge in my situation. Discover cs reps were not surprised that this happened and one admitted that I wasn't the only person this had happened to. The userid and password I had were both randomly generated 16 and 10 character alpha/numeric sequences and I use "salted" answers to my security questions. Discover either doesn't know or won't tell me what actually happened. I ran several scans of my computer with different anti-virus programs looking for viruses, rootkits, keyloggers, etc. and nothing showed up. I then changed all my critical passwords and registered a Fraud Alert with Experian which is good for 90 days. Experian also passed the alert to Equifax and TransUnion. I will take zeno's advice from now on and run only one browser session when visiting critical sites. Is it time to dump the Discover Card? Potential risk of identity theft is not worth a few CashBack $'s.

My guess would have been a breach like LivingSocial had where logins and/or passwords were taken from that site. Then those were used to try to get on other popular sites hoping people used the same combinations.

I would bet that someone called into the customer service number and a CSR decided to "help" out a customer who could not remember their questions. Someone did that to my citi administered credit card, changed my address and ordered a bunch of crap from WalMart.

Lotsa problems with DI card and identity theft, mine had to be flagged for bad small charge; second time in a year; notice was sent by e-mail to my spam filter which means multiple mailings.

Type74, I'm relatively confident that Zeno's advice was not valid in my case. Although it's always possible that something like that happened, I haven't logged into Discover in at least two weeks. There's no way that any cookies they gave me would still have been valid at the time the email address was changed. Clearly Discover has a problem.

It's hard for me to believe that at this point, with the exact same thing happening repeatedly that they don't have any clue what is being compromised. Perhaps they don't want to say. I wouldn't be surprised if the people I've been talking to on the phone don't know though.

maddybeagle, if they could "guess" my username and password, why would they have re-registered the account and drawn attention to themselves? If they could have gotten access without changing the email address they would've; I would have been none the wiser had they done that.

chibimike, they are claiming they have not received any phone calls about my accounts. I'm also not sure that the people on the phone have access to that information. Also, neither your explanation nor maddybeagle's explanation would indicate why they were able to re-register the account after it was locked out for failing to answer the security questions properly OR how they were able to redeem CashBack without appearing to have logged in at any time.

hpmax, I would agree that it looks like Discover has a problem at least I hope it's them and not me. After this happened I found, and posted to, another Forum that talks about stolen CashBack from both Discover and Visa. I just checked that forum and someone else reported their Discover CashBack was stolen yesterday, 5-13-13. Looks like this issue has been going on for 12-16 months. I've had my Discover card re-issued a couple of times due to fraudulent use but have never had anybody gain access to my online account (if that's what actually happened as Discover has been pretty tight-lipped about any details). Truly disconcerting.

hpmax, I had the exact scenario happen to my Discover card last month. Actually, at first I got an email to confirm that I used my Cash Back reward to claim a Land's End e-certificate. A week later I got a series of emails saying that I had changed my communication preferences for my online account, a new card design was requested and a money messenger payment was sent and claimed! I was still able to log on to my Discover card online account the day that I got all those emails and found out indeed all those things had happened. Someone was able to change and disable most of my email communication preferences, request a new card and also send money from my Discover account to an email address that I do not recognize. I called Discover Customer Service immediately that day and reported my account had been compromised. Discover took my complaint and immediately closed my existing account and transferred my balance to a new account. They also ordered a new card for the new account for me and disabled the online account. I got my new card within 10 business days and I had to re-register online access to my account. Discover told me I will not be responsible for any suspicious charges and they will also reimburse the Cash Back they took.

I still don't understand how my Discover card and/or the online account got compromised in the first place as I rarely use the Discover Card. Since the incident, I keep checking my other credit and bank accounts to make sure there is no suspicious activity. I also check my credit report and activity through Myfico.com every few days to make sure there is nothing unusual there.

ARMAGA, sounds like they did a little more damage in your case. I too was still able to sign into my online account but they only got my CashBack and changed my email address. I assume the address was changed so the e-certificate could be sent directly to them. I was wondering why they didn't make more changes but it sounds like they did in your case. They're either getting smarter or maybe I just caught mine in time (4 hours after my first email notification). Without that initial notification it's hard to say how much damage would have been done. I have alerts set for all my credit cards and any other online accounts when possible. My Chase cards have an alert system that lets you set your purchase threshold for notifications at $0 whereas the Discover minimum is $200. For what it's worth, the cs reps claimed that SSN's are not accessible through their online site and that whoever was in my account could not see the answers to my security questions, but who knows? I have received no follow-up from their fraud department and it has been two weeks since the breach. I will be contacting them later today to see if they will share any details of their investigation with me.

hpmax, do you think adding "Stolen CashBack" to your posting title would draw a little more FW attention to this issue? Just a thought.

hpmax said:   

maddybeagle, if they could "guess" my username and password, why would they have re-registered the account and drawn attention to themselves? If they could have gotten access without changing the email address they would've; I would have been none the wiser had they done that.


Not suggesting they "guessed". I am suggesting that people are using the same or similar logins for multiple sites....Another site gets hacked and the hackers take the stolen login information and go to a DIFFERENT popular site hoping people used the SAME information so they don't have to guess.

Also, the changing of the email address is necessary to have the e-gift cards emailed to THEM.

In any event, Discover should make this right and put more security in place if they insist on providing e-gift cards. Not even sure why they haven't already removed them if there are multiple reports of this activity.

BTW, if you were on the phone for 2.5 hours, you are on there too long. Report the fraud in a concise manner: I did not make changes to my account including changing of the email address. I did not order the e-gift cards and request that you invalidate the codes and issue me a refund of the points. Follow-up with a letter.

ZenNUTS said:   Sounds almost like an inside job. The small charge to a website is a common tactic to see if a randomly generated # would work, but how did they change your email address and redeem your CashBack?

Based on my experience with Discover fraud, I have to agree with ZenNUTS. In that post, I believe SIS hit the nail on the head when he said "Both cellphone company employees and bank employees are notorious for stealing identities, esp when they hire young ghetto kids"

Was your password the same as your LivingSocial password? If so, sounds like they may have started to crack the hashes.

Paul, I don't think I have any other accounts with the same password.

Maddy, if they changed the email address to receive the certificates, that implies that most likely they did not have access to my email -- although they may have also thought a single email saying my email address was updated would be less conspicuous than 4 emails with Land's End gift certificate codes. Oddly, the new email address was a hotmail account, and according to hotmail wasn't valid. Maybe they had deleted the account by the time I checked. I don't know. I was on the phone for 2.5 hours because I was trying to collect information from them on what happened so I could try to understand what the extent of the compromise was (the actual report of fraud took only a few minutes). Also, the CashBack theft (which was the real damage) wasn't mentioned until the fourth or fifth person I talked to. Had that not been added to the fraud claim, it's very possible that this would not get as much attention and I would not have received the CashBack back. So, yes, being on the phone for 2.5 hours was necessary, even if it should not have been.

Type74, the "other person" is me.

The good thing I'm hearing from this is that it appears that the problems are confined to Discover. Which means that this seems to be issues with Discover's security protocols, or an inside job, and is not actually a direct compromise of my identity leading to additional fraud. I think the concept of a young ghetto kid doing this is somewhat unlikely though. It's hard for me to imagine that they just give full access to all their databases to all employees. They can't be foolish enough to think all of their employees are trustworthy. I'm sure if this was an inside job (which I suspect there is a decent chance of, and even the last person I spoke with at Discover admitted that wasn't an unreasonable assumption), whoever it was still had to find a way to breach their security. I suspect there is some level of sophistication present. Also, if this has been going on for a year, and Discover hasn't figured out who it was (assuming it's one person), or how it's being done, that seems to indicate either that Discover is incompetent (and it's probably costing them money) or that whoever is doing this is covering their tracks well.

I don't know that I even have a Living Social account. However, even if they did figure out my password, if Discover is telling me the truth there is more to it than that. If they failed to answer my security questions (as Discover claimed, and it seems unlikely they'd have known them had they only had access to the password from some place like Living Social), how were they able to change my email address? I'd think they'd need the security questions to log in as me. In order to re-register they'd need my SS# (no way I'd provide that to Living Social) and date of birth (which I'm sure I would have lied about if I did provide to them). They also claimed there was no record of them logging in to redeem the CashBack, even though they clearly had to, which implies they have some way to bypass Discover's security.

Sounds like the Lands End people are involved somehow.

heyeaglefn said:   Sounds like the Lands End people are involved somehow.

Probably not. Lands End GC's are easily convertible into real $, that's most likely why they're being bought as opposed to an Applebee's or TJ Maxx GC.

How do you convert the Land's End gift card into cash?

ZenNUTS said:   Sounds almost like an inside job. The small charge to a website is a common tactic to see if a randomly generated # would work, but how did they change your email address and redeem your CashBack?

I think a lot of the credit card fraud is actually inside jobs. Not in terms of a percentage of bad guys but in terms of the number of compromised accounts as the bad guys get so many more this way.

I've had a card compromised that was *NEVER* used.

LJRand said:   How do you convert the Land's End gift card into cash?

Use them at Kmart to buy BP Gas, or eBay Giftcards.

Thanks - I did not know that Kmart took Land's Ends gift cards.

This site is full of similar comments about the Discover card stolen rewards situation:
http://www.consumerismcommentary.com/cash-back-rewards-stolen/

They mention the same pattern regarding Lands End gift cards.

Type74 said:   The same thing happened to me on April 29th. I received an email notification that my email address at Discover had been changed. I contacted Discover immediately and had them shut my card down. I also discovered that my CashBack had been redeemed for Land's End e-gift cards. There was no small test charge in my situation. Discover cs reps were not surprised that this happened and one admitted that I wasn't the only person this had happened to. The userid and password I had were both randomly generated 16 and 10 character alpha/numeric sequences and I use "salted" answers to my security questions. Discover either doesn't know or won't tell me what actually happened. I ran several scans of my computer with different anti-virus programs looking for viruses, rootkits, keyloggers, etc. and nothing showed up. I then changed all my critical passwords and registered a Fraud Alert with Experian which is good for 90 days. Experian also passed the alert to Equifax and TransUnion. I will take zeno's advice from now on and run only one browser session when visiting critical sites. Is it time to dump the Discover Card? Potential risk of identity theft is not worth a few CashBack $'s.

I doubt they cracked a 16 character key to net Discover CB. There is some other flaw in their website.

I didn't know you could buy BP gas with them. If there's a significant ratio, maybe that's a good reward to choose. The Websupport person said she thought there was something nefarious with Land's End but didn't know what. However, I suspect BradisBrad is right that they are simply easy to monetize and can be delivered over email, and hence they may be able to make off with the loot very quickly compared to any other scheme, since speed is critical here. I also doubt they cracked a key. Cracking passwords is, generally speaking, expensive, and how much do you think the average person has in Cash Back at any given time? Put it this way, you are probably better off, on average, mining bitcoins. I suspect they are exploiting some sort of vulnerability, either from the inside or outside of Discover.

My only real question is, given the vulnerability, what "non-public" information do they need to exploit it and at the end what sort of non-public information have they gained.

Simple, somebody is rotten at Discover.

zeno said:   So every time you are log into your bank, credit card account web sites, don't go to the porn site at the same time.
!!!

Same thing happened to me, months ago. It was right after they ran one of those targeted promos where you earn a bunch of points after spending pre-set monthly amounts. It was a pain having to get a whole new card and change my login information. They also used it for Lands End cards. I believe that it was an inside job (the account was otherwise uncompromised). My takeaway from the whole experience is to not leave too many rewards points on the table waiting for a good redemption offer. I'll never let it go that high again.

Well, instead of letting this happen again, they should track the address where purchases made with those e-gift cards are sent.

About a year ago I had someone change my phone number and home address for my Chase Visa account without answering any security questions. I posted my experience in this forum also, to recap I had $13k in charges and another $7k pending, and since my email and phone numbers were changed, I received no calls or emails about the fraudulent charges. I caught the charges because I do a check on my accounts every couple days to catch events like this.

How the crooks did it was first, steal my card info from I believe a Mcdonald's drive-thru, then they called Chase and pretended to be a credit repair company that I had hired and they will now be making payments on my behalf. The Chase rep WITHOUT asking ANY security questions went ahead and changed my email and phone number. Chase removed the charges from my account. They did not redeem any points though.

So glad I checked this thread (I haven't been checking in too often recently ...)

I checked my Discover account and found that $280 had been redeemed for Land's End e-certificates in February (right about the time that I logged in to the Discover website to request a CLI). I'm gonna guess that I might have had something malicious open in another browser window, although I do find that I was vulnerable to the LivingSocial hack (same password ... thought I had since revised all passwords to something unique, but must have overlooked Discover Card).

Will call in first thing in the morning to file a fraud claim!

Skipping 19 Messages...
It's an inside job just like with the WalMart accounts and either company doesn't seem to want to take any responsibility! I highly doubt so many computers became vulnerable in such a short time. Their DB got hit!
