Sequencing fraud on 9 CIBC Visa cards like 'Groundhog Day' for Ottawa man
Fraudsters have technology to compromise both card numbers and 3-digit security codes, expert says
Alex Pavlovic has been living what he calls "a Groundhog Day with the bank," after his CIBC Visa card was compromised and cancelled nine times in just a few months — sometimes before Pavlovic could activate or use it — and no one could explain why.
The problems started in late October when Pavlovic, from Ottawa, was on a business trip to Toronto.
Pavlovic says he used his CIBC Aeroplan Infinite Visa credit card at a CIBC banking machine and at a gas station.
"Ever since that moment … I started getting replacement cards from CIBC. I have a collection of 10 cards right now," he told Go Public.
"In some cases I've been able to use them for a day or two, in some cases for a couple of hours, and in some cases, I haven't been able to use them at all, because by the time I would get them, they would always be — as the bank calls it — compromised or hacked."
Pavlovic says the bank seemed as confused as he was. With some of the cards, there were fraudulent charges which he was told were made online, and for others, he says he received no explanation.
He questioned customer service, CIBC's fraud department and his local branch, trying to figure out how this could happen over and over again.
"Only once was I told that this is what they call sequencing fraud," says Pavlovic.
"It seems somehow the hacking team or the hackers have been able to get a hold of banking 'enigma' code so they're able to generate the exact same sequence of the card that I would be receiving in the mail."
Cards hacked even after hand delivery
Equally frustrating, he says, it seems the bank's efforts to keep the cards out of the wrong hands kept failing.
"For the last couple of cards, I would get the card from the branch office so the card would be physically delivered — not even by a courier service to the branch office. I would be picking the card from a branch manager and still the card would be compromised."
For example, Pavlovic says, his seventh replacement card was activated but never used; the numbers on the card were never told to anyone, written down or entered into any electronic device.
Yet, in less than 24 hours, that card was also compromised.
His eighth replacement card, sent by courier, was compromised before he even received it, and before it was activated.
Pavlovic says CIBC assured him his ninth replacement card would work. That card was hand-delivered by a bank manager to Pavlovic's house.
"The pleasure of having the card, and thinking I could rely on it, lasted less than five hours. I did one transaction with it."
"I came home, and ... boom! Here goes the usual CIBC 'fraud trinity' — the call, the text message, the email. 'Please call our fraud department.' Card nine was 'compromised.'"
Pavlovic describes himself as tech-savvy and security conscious. He says he took his own steps to try to eliminate the possibility of online hacking, including reinstalling operating systems and software on his computers. That didn't help either.
Go Public got the answers Pavlovic was looking for — CIBC confirms this was a rare case of sequencing fraud.
It says Pavlovic's credit card number and expiry date had been "determined by potential fraudsters," and even though the risk of fraud was very low, it kept cancelling Pavlovic's Visa cards "out of an abundance of caution."
What is sequencing fraud?
Sequencing fraud allows scammers to figure out credit card numbers even before the bank can issue a new card.
The Canadian Bankers Association tells Go Public it doesn't have specific numbers on sequencing fraud, but it does track credit card fraud overall.
The most recent numbers show scammers made a total of $465,135,009 worth of fraudulent charges on Canadian credit cards in 2013, and fraud seems to be increasing year over year.
Sound impossible? Not really, according to Urs Hengartner, a security expert and professor of computer science at the University of Waterloo.
Go Public asked him to crunch the numbers for us.
Hengartner points out the CIBC Aeroplan Infinite Visa uses the same eight numbers at the beginning of every card issued as a bank identifier, as do most Canadian credit cards.
He says that means only a limited number of combinations are possible for the remaining eight digits, and the fraudsters have figured that out.
Since the first eight numbers will always be the same, he says, there are 10 million possible combinations for the other numbers, and a computer can enumerate those in seconds.
"Anything is possible … the space is very large but it's not overly large. So yes, you can figure out somebody's number," he told Go Public.
"But you also need additional information to be useful — you need the PIN, you need the address, you need the three digits on the back of the card."
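The arithmetic behind Hengartner's "10 million" figure, as an added example that is not from the article or from CIBC: with an 8-digit issuer prefix fixed, 8 digits remain, and because the last digit of a card number is a Luhn check digit computed from the others, only one in ten of those 100 million strings is a well-formed card number. The issuer prefixes below are constructed and are not CIBC's; the point is that the check digit is a typo detector, not a secret, so it cannot be relied on to slow down anyone guessing numbers.

```python
"""Added example: why a fixed 8-digit issuer prefix leaves only 10 million
Luhn-valid 16-digit card numbers. Prefixes used here are constructed."""


def luhn_check_digit(partial: str) -> int:
    """Return the check digit that makes `partial` + digit pass the Luhn test.

    Walk from the rightmost digit of `partial`; that digit sits immediately
    left of the check digit, so it is the first one doubled.
    """
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


def luhn_valid(pan: str) -> bool:
    """True if `pan` is all digits and its final digit is the correct check digit."""
    return pan.isdigit() and len(pan) > 1 and luhn_check_digit(pan[:-1]) == int(pan[-1])


def count_valid_pans(prefix: str, pan_length: int = 16) -> int:
    """Count Luhn-valid numbers with the given prefix without enumerating them.

    Every assignment of the free digits except the last admits exactly one
    check digit, so the count is 10 ** (free digits - 1).
    """
    free_digits = pan_length - len(prefix) - 1
    return 10 ** free_digits


def count_by_enumeration(prefix: str, pan_length: int = 16) -> int:
    """Brute-force cross-check of count_valid_pans for a short free space.

    Only sensible when pan_length - len(prefix) is small (a few digits).
    """
    free = pan_length - len(prefix)
    return sum(1 for n in range(10 ** free)
               if luhn_valid(prefix + str(n).zfill(free)))


if __name__ == "__main__":
    # Constructed 8-digit issuer prefix: 8 free digits, 10 million valid numbers.
    print(count_valid_pans("12345678"))                  # 10000000
    # Constructed 14-digit prefix: 100 candidates, 10 of them Luhn-valid.
    print(count_by_enumeration("40000000000000"))        # 10
```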
3-digit security code compromised
But Brian Krebs, a former Washington Post reporter who now covers cybercrime for a variety of U.S. publications, says the three-digit security code is no longer a barrier.
Krebs tells Go Public that fraudsters now have the technology to figure out the three-digit security number on the back of cards.
And if fraudulent purchases are made online — as in Pavlovic's case — no PIN is needed.
Pavlovic says the bank has assured him it has finally fixed the problem by blocking purchases from certain websites. So far, it seems to be working, but Pavlovic remains skeptical.
"The most frustrating experience was when someone tells you, 'Don't worry, we put a fix, you can continue to use the card …' and minutes later you get a call from the fraud department."
Since our inquiries, CIBC says it has changed the way it operates. It has also made a deal with Pavlovic, hoping he'll keep his business with the bank.
Go Public is an investigative news segment on CBC-TV, radio and the web.