Paul's Comments

I have had a problem involving use of someone else's credit card over the Internet. I want to post this because I want to advise people of a potential problem and/or risk and perhaps ask if someone else noticed this, or, in the alternative, make it known what happened so that people can be aware of it. Or maybe someone can tell me how this happened.

Another roommate who stays at the house I rent a room in uses my computer to handle his business, basically for surfing the net and such. If I'm at the computer I'm willing to help him find things or enter details. On occasion, typically for his customers he will book airline tickets, and he uses one specific credit card for that purpose. On occasion he's had me enter his information into the computer.

I do not know, and have never saved or captured his credit card information (I have my own cards). Well, what is wierd is, there were two things I ordered which were charged to his card number. I haven't the slightest idea how. The last 4 digits of both cards are different, the issuers are not the same (the credit card I use belongs to a family member and is a major East-Coast bank, his has his name and is some bank in the Midwest), and as I don't even know his number there's no way I could have used it intentionally.

My ATM card is on the Visa network from a third bank different from either of the two others, and if I hit a website that refused debit cards, I have a regular credit card which is issued to a family member, so I did not need to use someone else's card. And if I did need a credit card and did not have one around, I would have asked him first if I didn't have a credit card available.

I use Netscape version 7.2 "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.2) Gecko/20040804 Netscape/7.2 (ax)" on a Windows XP machine with Service Pack 2 for browsing because I do not trust Internet Explorer and its security holes. I have a hardware firewall between this computer and the Internet, so I can't argue some hacker broke in and switched one of my charges to his credit card. (Which is ridiculous to say the least.)

The only possible answer I can think of is that on one of the form fields used by one of the airline websites, is using the same field name as the two companies I ordered things from, and somehow they are capturing the same values from each other. (One was Vista Print, where I ordered two rubber stamps, and the other was AAA where I ordered a membership. I think the tickets he ordered were from Southwest Airlines.)

When I placed his legitimate order on Southwest, I typed in his number as he read it to me. I did not copy the number into the clipboard or otherwise save the number. Later when he saw his bill for two items he did not recognize and asked me about it, I discovered that the purchases he has on his bill exactly match the two I made, but should have gone on my credit card number. And I haven't the slightest idea how.

I went to Vistaprint's website, and tried a fake transaction. When I got to the payment page, where it asks for credit card number, the field is blank. I double-clicked on the credit card number field, and the previous value came up, with the correct card number (the one I would have used).

I don't know his number, didn't save it and did not attempt to use it. I couldn't have used his card number by mistake by typing in off of it if, I had, say, found it on the desk because he left it behind and I mistook it for one of the credit cards someone in my family has (first, the name would have been wrong and even if I didn't notice that, I would have spotted the credit cards as being wrong because I do not and have never used his bank.) But somehow I did use his card number and I haven't the slightest idea how. The only possible explanation I have is that some how form fields used on three different web sites are somehow cross-collecting information by pre-populating them, or something.

The two transactions together come to less than $90, so it wasn't a huge issue, but it frightens me because I haven't the slightest idea how it happened or how I could have prevented it.

The solution I am going to use is that if I ever do anything for him that involves ordering something, I will use Internet Explorer (for accessing a specific known and trusted website, it is okay), and I will not use Netscape for anything he's using, as I only use Netscape for anything I order. The only possible answer I can come up with is some form of cross-website contamination, which I do not believe could happen if I'm not using the same browser for any of his transactions, so I think this will solve the problem. I've also suggested he get his bank to issue him a new card with a different number.

This kind of thing scares me; if it wasn't for the fact he was understanding about it, I could technically have been looking at charges for credit card fraud! The thing that bothers me most is that I'll be damned if I can figure out how the hell this happened.