Klaus Zimmermann's Corner

Have I been swiped?

So I was going through the expense list of a credit card which I almost don't use to pay the amount and noticed something that in the listing: among the legitimate transactions that I made, some "cancelled" transactions were also showing up. They were minor transactions, less than $25 in cost, held in a city a few hundred km away from my place, and because they were cancelled, I was correctly not charged for them.

Looking for more information about what this "cancelled" status meant, I realized that the reason it became cancelled was that whoever ran the card got the CVV number wrong. Furthermore, it was strange that whoever did this didn't (apparently) try it out in other common online stores, and apparently after two fruitless tries the last being two weeks ago, he or she just apparently gave up and never tried again for the rest of the month.

So, what just happened here? Did someone steal my card's numbers but was too stupid to get all of the information right?

Perhaps I need to explain one thing here: this "card" is not a real, in sense of physical, card. I got hold of one of those "ultra-high-tech" fintech-backed credit cards whose existence is only in the digital realm: this fee-less card exists as mere numbers in a phone app, but you can do real-world in-store payments with it via NFC in your phone (which I never enable). This means that I never do any physical payments with it, and no store could have "skimmed" it. But I did use it for a few rather large purchases online, such as plane tickets.

The airlines and stores in which I used that card do not report any data breaches (at least not in the tech news sites I use), so I think the possibility of a leak is low. Could it've been this fintech providing me the card was hacked instead? They don't appears in any leak news either.

The next thing for me to do here is obvious: cancel this card and get a new one. Which is even more a no-brainer than with a physical one because as this card lives as just the numbers, the re-issue of it is immediate and I don't even have to wait for the mail. But still, the questions remain for me. What just happened here? How could've someone skimmed me if the platforms online didn't get hacked (or so are saying)? Could it be that some "insider" inside the fintech issuing the card broke bad and sold the numbers?

Perhaps I'm downplaying the capacity of people to obtain this data in a silent way, or maybe even my phone's app is defective / insecure and can leak stuff. But still it makes me wonder at how it happened. Maybe I'll never know?