AMEX Reward Pts Hacked

I have had 4 fraudulent transactions on my AMEX Biz Plat Account over last 5 days totaling a bit over 3.1mil pts through 4 transactions on David Jones online - DJ ShopWPts.

Amex fraud team investigated first transaction 31/08 for 320K pts and advised on 01/09 that they could see I did not effect transaction so pts would be reinstated and I should change login and password details immediately which I did.

But again on 02/09 another 3 transactions via same vendor executed totaling a bit over 2.8mil pts. Fraud team are investigating again - never a dull moment huh?
 
So AFTER you changed passwords there was more fraudulent activity on your account? If that's the case, I'd be very concerned that your computer has a key logger installed or is otherwise compromised. Alternatively, if you're using a password manager, your master password may have been compromised.
 
How is that even possible in this day and age without some 2FA authentication process and/or alert….?
 
AMEX fraud team are investigating - certainly no prob on our end on any of our computers that we can ascertain - AMEX admitted first transaction was clearly not from me so stated pts will be refunded - I know nothing more ATPIT
 
I didn't know there was a "shop with amex points" option. Had to look how they were able to hack your points without the gift card going to your email or posted to your registered address.. but it seems all they need is your David Jones login, as your card details and the "shop with amex points" option is saved there. So nothing to do with your AmEx login or having AmEx card details. It's all to do with David Jones.
 
So true. I don't know of any banks/financial institutions in Australia that even use TOTP, which is just crazy!
Really annoys me. Banks and cc companies don’t really care about cc fraud since “they” don’t lose, they bill the merchant for the fraud up to 90 days after transaction then charge a refund fee on top, as if the merchant was responsible for the fraud. If banks and CC companies were liable, they would have solved the issue a long time ago.
 
I actually suspect it's also because they don't want to have to invest in helping everyone install an authenticator app and explain to folks how it works. Can you just imagine the difficulties this will pose to less tech savvy Australians?
 
Authenticators can have issues I agree. (Qantas one just doesn't work on Google authentication.) But just the simple SMS authenticated code would be a start if users wanted it. But from a merchant point of view, the whole system sucks, then they hit us with an extra charge because of their own incompetence. Nothing we can do about it. Very frustrating.
 
Hasn't England introduced new fraud laws that require CC companies to reimburse victims? Can only hope it catches on quickly down under if that's the case.
 
The card holder generally gets refunded. The victims of the fraud are the merchants who are hit with charges and chargebacks by the bank and CC companies.
 
Not if you're now protected by things like 3DS 2.0 or other advanced fraud detection features from gateways as a merchant. Had a recent fraud investigation contact our business, but they can't initiate chargebacks because the payment was secured with 3DS challenge being successful.

They claimed it was a personal fraud (aka someone close to the holder) but because 3DS was successful, bank couldn't do anything. In that case the bank eats the cost if the holder can prove it's a fraudulent charge.
 
But 3DS is not going to work for a points redemption unfortunately
 
Maybe. But we get hit by chargeback when the user buys product using PayPal who have extensive checking, despite us having user's IP address and other details.
 
So here is first fraudulent transaction on Nov 29:
[Attached image: IMG_2861.jpeg]
When I logged in on Aug 30 and saw this I imm contacted AMEX and alerted them. After a considerable time on phone with first agent I was finally put through to fraud team who requested I imm change Login and Password details which I did. A subsequent call back on Sep 1 from fraud team advised me they were still investigating but pts would be returned to my account.

I logged in on Sep 3 and saw this:
[Attached image: IMG_2849.jpeg]
I imm called AMEX and asked to be put through to fraud team - no you cannot do it that way you must waste 10 to 15 mins and explain whole scenario again to agent who then looks at it and after they are satisfied they put you through to fraud team. I finally get to talk to fraud team and they seriously sounded surprised this had happened again.

They were noncommittal and said they would investigate. A subsequent call back from first agent from 2nd call requested I again change Password to account - not Login again just Password which I did. I have followed up with another call yesterday Sep 7 and agent I spoke to said fraud team are still investigating. I told agent I want a full explanation in writing from fraud team as to how these events could actually occur.

No points have been returned ATPIT - as to reason how this could happen I wait with bated breath 👍
 
