Two weeks ago on Saturday morning I got a push notification on my phone from American Express that a potential fraudulent use of my card had been attempted and denied 14 seconds earlier. I had loaded the phone app just to try it out and I think I had used it once, so it was a mild surprise to see the notification. I was just reading it and thinking about the 14 second part when the phone rang – Amex security. Someone had tried to use the card at a truck stop type place in Georgia (I’m in Orlando). I had my card and it had not been out of my possession, telling me that there had been a breach somewhere. They cancelled the card, offered to overnight me a new one with chip and pin, and emailed me a list of merchants that appeared to have recurring transactions so I could update my payment information with them. First class service.
14 seconds. Given that they analyzed the transaction and denied it at point of sale it’s hard for me to complain about taking 14 seconds to notify me. In terms of rules and/or machine learning I’d guess it wasn’t a hard catch; it was a charge 500 miles from my last location at a location I had never used before. I’d like to see a presentation on how they do it, at a high level. Much like time boxing the generation of a query plan, they can only spend x time checking before they return an ok or not to the point of sale.
I’m curious if/when I’ll find out the source. My guess is that it was a skimmer because they duplicated the card and that required the magnetic track data. It’s a lot less likely it was a hack of a merchant system because they would not have the track data stored (assuming they follow PCI), but it could have been a POS hack along the lines of Target. Seems like it wouldn’t take long to figure out either way unless it was really a one-off hack and that’s not likely.
So far I’ve used the card at a handful of places and not one has used chip/pin. Remains to be seen how effective it will be. I’m for doing the things we can do.
It cost me 5 minutes for the call and a little time thinking about it because I’m curious, but no real impact. It’s the big reason I have cards from each of the major card issuers; I don’t want to have something like this happen while I’m traveling and have to worry about waiting on a replacement.