Ottawa Man’s Credit Card Compromised 9 Times in Mysterious “Sequencing Fraud”

28 April 2015

Since last October, Ottawa resident Alex Pavlovic has had his Canadian Imperial Bank of Commerce (CIBC) credit card compromised and replaced nine separate times. A few times, Pavlovic’s new card was cancelled before he even had a chance to use it due to fraudulent activity.

Pavlovic told the CBC that his experience has felt like “a Groundhog Day with the bank”, referring to the 1993 Bill Murray movie in which the hero relives the same day over and over again. He says the problems started after he visited Toronto on a business trip, where he used his card at a CIBC ATM and a gas station.

Ordinarily, this might have suggested that a card skimmer was present at one of these terminals and scammers got ahold of his credit card number that way. However, this doesn’t explain the other eight times Pavlovic’s card has been compromised and cancelled. When Pavlovic asked CIBC customer service what they thought might be going on with his card, they gave him an unusual answer: He may have become a victim of “sequencing fraud”, a rare form of credit card fraud where hackers gain access to the code used by a bank to generate credit card numbers. Somehow, getting ahold of that first credit card number had allowed the fraudsters to continue to generate cards with the same numbers as the replacement cards Pavlovic was receiving from the bank.

Pavlovic was especially frustrated by this situation because he considers himself security-conscious and has been vigilant about protecting his information online. After the first few cancelled cards, he even went to the branch office to pick up the new card by hand rather than risking leaving it in his mailbox, but even this failed to prevent the card from being compromised.

About his nine replacement cards, Pavlovic told the CBC, “In some cases I’ve been able to use them for a day or two, in some cases for a couple of hours, and in some cases, I haven’t been able to use them at all, because by the time I would get them, they would always be — as the bank calls it — compromised or hacked.”

According to Professor Urs Hengartner of the University of Waterloo’s computer science department, the idea of sequencing fraud isn’t as far-fetched as it might seem. Each card issued by a certain bank contains the same first eight digits to serve as a bank identifier, and in Pavlovic’s case, fraudsters seem to have figured out a method of determining the last eight digits of each card he’s scheduled to receive. Hengartner emphasizes that even if fraudsters are able to determine a credit card number, they will still need the billing address and the security code to use the card, which Pavlovic’s scammers may have captured with a skimming machine.

According to Pavlovic, CIBC has told him it believes it has fixed the problem by blocking purchases from several websites, but he is unsure that this will solve the root problem. He was also promised that his ninth replacement card would be the last, but it was compromised five hours after he received it.

“The pleasure of having the card, and thinking I could rely on it, lasted less than five hours. I did one transaction with it. I came home, and … boom! Here goes the usual CIBC ‘fraud trinity’ — the call, the text message, the email. ‘Please call our fraud department.’ Card nine was ‘compromised,’” Pavlovic told the CBC.