I received a fraud alert from Chase yesterday. I replaced a lost credit card about three weeks ago, so Chase sent me a new card with a new card number. Yesterday, someone charged 26 mobile game apps to my new card. Most of the charges were for $9.99. A few were for $19.99. The games were purchased from a game developer called GLU Mobile, through the Google Play store, so the downloads went to a phone.
Anyway, Chase is sending me a replacement card.
This is frustrating because I update MalwareBytes and AVG daily and scan daily with both. No malware has at been detected on my computer at any time. I transact no business outside our home connection or my private office internet connection where my account is unshared. I always have a vpn turned on, except sometimes to watch a movie on Netflix because Netflix tends to reject VPNs, even if they use a US ip.
I use two-factor authentication for every on line account that offers it, including Google accounts. The purchase did not go through my google play account. I checked. So the user somehow got the card number, the security code and perhaps the associated info to pay and download the games to their phone.
It's possible that a store terminal where I used the card was hacked. Our dry cleaners still has us slide cards because they're not chip ready. That makes me wonder if they aren't scrupulous about security in general. Sometimes merchants have weak passcodes for their terminals and hackers can steal their customers' info. I wouldn't know where to start to figure out if that's how my info was grabbed, but we're going to start paying cash only at the cleaners, and I'll suggest that they upgrade now.
Ruling out other possibilities, I don't recall that the new credit card came in an envelope that appeared to have been tampered with in any way.
I wonder if Chase itself has been hacked, or if Amazon, Netflix or some other site that had my payment info was back-door hacked. Even if a hacker could log in to my accounts, the front doors to the acounts don't actually display the card number or security code, so they'd have to gain access to card info in some other way. If Chase or some other entity that has my info was hacked, they'll never say. Generally, we only learn about if it's in the news. Yahoo hid knowledge of a 1/2 billion hacked accounts for months after they knew about it.
Anyway, I'd really like to know what to do avoid a repeat with the replacement card.