CBA Debit Card Starting with 521729 Hacked - $1200 Stolen

Got a notification last Sunday for some strange transactions on my commonwealth bank account.

It's not an account I use all that often, but it does have a little bit of money that gets moved around to other accounts each month to avoid the account keeping fees.

They made 4 transactions at a place called Charleys Philly Steaks, which as near as I can tell is like a Subway joint. Don't know how they were able to buy $900 worth of food there?

Anyway, I reported it and cancelled the card, but because it was a debit card the money doesn't get returned until they go through their process. We'll see how long that takes.

There's no easy target to blame for how the details got out. The only place I used it at that wasn't a huge retailer was Boost, when they were doing those free SIMs. So at the moment I'm working on the assumption that they guessed the card number.

15 June - UPDATE - Money Returned


Comments

  • +86

    How is it relevant to post the first 6 digits of the debit card tho?

    • +70

      In case the thief reads this post and says "ah yes that was me, caught me red handed!"

      • +8

        I feel so guilty that I’ve been shamed, I will return the money and think about how I’ve been living my life

        • +1

          I must confess this was mine.

          Please give me your PayPal account along with password and ID to ensure I'm giving the $2000 back to the right person.

      • +21

        I'll help you run the maths.
        Physical store: CVC typically isn't needed.
        The first 6 digits are generic, which leaves 9 digits of card number + 1 checksum digit.

        9 digits = 10^9 = 1,000,000,000 possibilities.
        But not all 15-digit sequences pass the Luhn check. Roughly 1 in 10 combinations pass Luhn (since the Luhn checksum is mod 10).

        Hence, valid card number combinations ≈ 10^9 / 10 = 100,000,000

        And with 12 months per year, the card usually has ~5 years of expiry: 60 total combinations.
        6*10^9 = 6,000,000,000 combinations to try to get your card.

        Depending on how many cards have this 6-digit prefix, the chance they got one real card number is about 1/1000.
        I am sure their EFTPOS machine will be blocked before they find any good card.

        • +6

          Card numbers are not entirely random. There’s a sequential element to them.

          • @askbargain: They are not exactly sequential, they have a kind of checksum inside them (i.e. the sum of all or some of the numbers is predetermined and can be checked)

        • -2

          Are you a math professor or a math teacher?

        • +1

          @OMGJL: for the part "6,000,000,000 combination to try, to get your card", it should get other combinations along the way.

        • +2

          CVC generally is needed for a card not present transaction, even in a physical store.

        • +1

          *maths

      • +15

        If my card gets hacked, ain't no way in hell am I going to google ANY part of my card number…

        • +5

          Lol, the first few digits of the card are nothing but the card scheme and bank identifier. First digit (4 = Visa, 2/5 = MasterCard, 3 = Amex, etc) and the next 5 digits are the bank/other financial institution identifier.

            @barcer: But is anyone going to google the card number when they get hacked? Is it common knowledge that the first 6 digits are the BIN?

            • +3

              @CodeXD: Yes, quite common. That's why on some websites when you start typing your card number it can auto select VISA/Mastercard/AMEX etc.

              I work in a call center that's fully PCI compliant and we tokenize the card but can see first 6 of every card, previous company I worked in could see first 6 and last 4.

          • +1

            @barcer: Correctamundo! Known as the Issuer / Bank Identification Number (IIN / BIN).

            https://bincheck.io/details/521729

        • +1

          You can post the first four to six digits without any problem.

          Everyone who has the same banking product as you will have the same first digits.
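Added worked example, not code from the post or from any of the commenters, covering the arithmetic in the brute-force reply above and the IIN/BIN points in this sub-thread: a Luhn check and check-digit generator, scheme detection from the leading digits using the schemes' public prefix ranges (Visa 4, Mastercard 51-55 and 2221-2720, Amex 34/37), the first-six/last-four masking the PCI comment describes, and the size of the guess space under one IIN. Because the check digit is fixed by the other fifteen digits, a 16-digit card with a 6-digit IIN has exactly 10^9 Luhn-valid numbers; the "1 in 10 pass Luhn" figure applies to fully random strings, which the sampling function shows. Mapping an IIN to a specific issuer needs a BIN database (the bincheck link above is one); this code does not do that, and the 4111… and 3782… numbers are the schemes' published test numbers, not real cards.

```python
# Added illustration of the PAN arithmetic discussed in the thread; not code from
# the forum post. Scheme prefix ranges are the public ones; mapping an IIN to a
# specific issuer (e.g. 521729 -> CBA) needs a BIN database, which this code
# deliberately does not include.
import random


def luhn_valid(pan: str) -> bool:
    """True when the digit string passes the Luhn mod-10 check."""
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) < 2:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def luhn_check_digit(partial: str) -> str:
    """Check digit that makes `partial + digit` Luhn-valid (exactly one exists)."""
    digits = [int(c) for c in partial if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 0:          # these positions become odd once the check digit is appended
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def scheme_from_iin(prefix: str) -> str:
    """Card scheme from the leading digits, as card forms do when auto-selecting a logo."""
    p = "".join(c for c in prefix if c.isdigit())
    if len(p) < 2:
        return "unknown"
    two = int(p[:2])
    four = int(p[:4]) if len(p) >= 4 else -1
    if p[0] == "4":
        return "Visa"
    if two in (34, 37):
        return "American Express"
    if 51 <= two <= 55 or 2221 <= four <= 2720:
        return "Mastercard"
    return "unknown"


def mask_pan(pan: str) -> str:
    """PCI DSS display masking: at most the first six and last four digits remain."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def candidate_space(pan_len: int = 16, iin_len: int = 6, expiry_months: int = 60) -> int:
    """Number of (Luhn-valid PAN, expiry) pairs under one IIN.

    The check digit is a function of the other digits, so the Luhn filter is
    already applied by excluding it from the free positions: 10**9 PANs for a
    16-digit card with a 6-digit IIN, times 60 month/year expiries.
    """
    free_digits = pan_len - iin_len - 1
    return 10 ** free_digits * expiry_months


def luhn_pass_rate(samples: int = 10_000, seed: int = 1) -> float:
    """Fraction of uniformly random 16-digit strings that pass Luhn (about 1 in 10)."""
    rng = random.Random(seed)
    hits = sum(luhn_valid("".join(rng.choice("0123456789") for _ in range(16)))
               for _ in range(samples))
    return hits / samples


if __name__ == "__main__":
    iin = "521729"
    print(iin, "->", scheme_from_iin(iin))
    print("valid PAN/expiry pairs under one IIN:", f"{candidate_space():,}")
    print("random 16-digit strings passing Luhn:", luhn_pass_rate())
    test_pan = "4111111111111111"      # Visa's published test number, not a real card
    print(mask_pan(test_pan), luhn_valid(test_pan), luhn_check_digit(test_pan[:-1]))
```

The practical point for the thread: the checksum is not a secret, it is a typo detector, so it does not shrink the guess space for an attacker at all; what stops enumeration is the issuer declining and then blocking a terminal or merchant that keeps submitting unknown card numbers, plus expiry and (for card-not-present) CVC.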

      • Attackers use devices that support near-field communication to record unencrypted data from the card's RFID chip. I believe your card was not secured enough. They can simply walk by with this device and get the details.

        Also, online shopping means giving card details, which can be stolen if their security is not strong enough. I am starting to use PayPal now.
        I had the same situation before; luckily it was a credit card, so they had to credit it back as it was not my money they stole. Only $270 recovered so far out of $800.

        • I've always thought this was the case. I've had my card/s hacked more than once (a work credit card and 2 personal credit cards).

          Since I started using RFID sleeves with all my cards, no hacks and it's been at least 5 years now. I see people with their cards in their phone case and often wonder if they ever get hacked?

        • +2

          Mate, hacking a card by RFID is pretty much fruitless, because the onus will be on the merchant to prove the transaction is legitimate, so you can pretty much bluff your way out to get the money back. The CVC is never transferred through RFID or the magnetic stripe, and the bank can always pin down the terminal taking the transaction.
          I'd rather give as little money as possible to the middleman and get rid of PayPal altogether because of their unconscionable conduct. Visa/Mastercard is too much of a middleman between you and the bank already.

    • Click bait.

  • +9

    Was there a question you had, or you just wanted to alert people to the fact that these businesses may be a concern?

    • +1

      Just raising awareness. It gives people a chance to say 'that happened to me too recently', which allows for patterns to be recognized

      Because I basically never used the card, it's an important data point

      • +5

        Two other ozb experienced the same in 2021. Then there was another one whose CBA card was used to pay for streaming.

        I also personally know of someone who has never used their CBA card and yet it was compromised.

        • Had the same happened to me.

          2x transactions in the US. One was like <$1. And then a few minutes later $56.

          Got notifications on my CBA app and immediately cancelled the card.

          Got refund a week later.

          Same thing happened to my mum. She mainly uses cash and doesn't even know how to operate an ATM, and doesn't use her Commbank Mastercard debit anywhere online, yet somehow last week someone in the US used her card to pay for an Amazon item for $180 USD. CBA flagged it as a suspicious transaction and returned the money to her within 48 hours after we disputed the transaction.

          Perhaps there's a Commbank breach that they're not telling us about.

          I had it happen to me in 2023 AND 2024. So I had my card replaced twice. I use my card as anyone else would, and don't offer its details, so it was probably the random card generation hacking. The first time someone spent $6000+ but it was returned very quickly, along with $4000 of failed transactions that never went through that the CBA staff showed me. The second time someone did some grocery shopping in the USA lol.

          Pain in the ass twice as it screws up your statements.

      • +2

        I've had many fraudulent transactions and had to get a new card many times. These days I keep recurring charges on a separate card so as to avoid having to update everything.

      • This happened to me as well, was westpac for me. The process of reporting it and getting the refund was easy but not quick.

    • This is very chill as you can just get Comm bank to refund the money. They'll also file a police report, problem solved. This is why you don't keep your money under your bed at home.

      • +2

        They don't always give your money back.
        My GF lost around $3000 on our trip to Europe when overnight expenses in Singapore started racking up.
        Although we were in Europe, CBA claimed we must have given details to someone to set up tap and pay (she has never used tap and pay in her life, hates technology) and wouldn't reimburse.

      • In my experience, multiple times, it takes weeks to refund the money, and they offer no explanation and no police report.

    • I have been abducted. I am fine now, but I may not be for long.

  • +2

    You confused ozbargain with www.deardiary.com.au

  • Good luck… CBA are a pain to deal with.

  • +10

    working on the assumption that they guessed the card number

    guessed the 16 digit card number & the expiration date (and maybe even the CVC)……..yer nah

  • +7

    I find this interesting. I wonder if they purchased $900 worth of food, or if an employee charged your card then refunded to their own card.

  • +4

    Talking out of my a… I really think there is some long running CBA debit card hack, no fault of the card owner.

    • +3

      An inside job would be more likely. I mean, somebody originally mails them from the source bank or issuer location. Then there's the 'ultra safe' APost transit period.
      Once activated…..???

      • +2

        Exactly the same thing happened to my wife's newly issued debit card. The fraudster was able to use the Mastercard without it being activated at the local tobacco store for multiple transactions worth more than $600. It took a lot of effort and time to get the money back from CBA.

        • +4

          I reckon the fact that credit cards and passports are sent unprotected via APost is a joke. Our CBA card was scammed in another state too. It was never exposed to any risk-laden situation after it was received, other than the CBA. Go figure.

          • @Protractor: Passports are signature only, drivers license and other docs are not.

            • @rando88: Passports: yeah, true, but there are also a lot of unknowns between dispatch & arrival. My point is AP should have better systems (and reputation), and I consider the transit process of important docs, cards etc. to be a massive vulnerability (still).

  • +3

    The first 6 digits are the IIN, Issuer Identification Number. 521729 simply tells you it's a Mastercard debit card issued by CBA.

    • -1

      I thought the numbers sounded familiar. It's exactly the same as mine. Oh no. Does that mean I'm going to be hacked? FFS.

      • +3

        You should have cropped out the remaining digits from that screenshot - can see the full number when scrolling right.

        • +2

          Shh, I was hoping to get another tanker of free fuel tomorrow.

      • Yes it was hacked just for some petrol, you probably didn't notice until transaction duplicated 130 times.

  • -1

    to avoid the account keeping fees.

    Guess that's CBA's counter measure

  • +1

    Our CBA Mastercard was hacked in 2021 - likely to have been leaked from a florist to whom we gave card details over the phone. All money was returned - it was a lengthy process involving time on the phone and a long visit to a branch. Use Paypal for such transactions now.

  • +1

    Had the same issue a couple of years ago. I found 3 transactions made in Arizona totalling nearly $2,000!! I contacted CBA who cancelled my card and 2/3 weeks later all the transactions had been refunded. It is still a mystery to me as to how those details got into the hands of people in Arizona. I am so careful in every way. The CBA were great and very professional.

  • +6

    The lesson to be learnt is you don't leave wads of money sitting in a transaction account linked to a card.

    • +2

      The lesson to be learnt is that debit cards are something to lock in a drawer and never use. Why would anyone risk their own money when they can risk the bank's with a credit card?

  • -3

    The only time I have ever lost funds was when CBA issued me a card with an easily guessed CVC.

    Literally the CVC that was printed on the card was 101. They only managed to take <$100. The first transaction was somewhere in Ireland for ~$3 and then a Grab ride in the Philippines…

    I have no idea why their system did not stop it.

    Were all four of the transactions at the same place or was there a random initial spend somewhere else?

    • +1

      They need ANZ's falcon!

      • +1

        Thanks for not saying Crowd Strike Falcon.
        Last year's incident still raw.

  • +1

    Same thing happened to my partner at same place for a similar amount.

    • For real? Was this recently?

      • +1

        Yep probably about a month ago. Also with CBA. The money never came out of the account because it was still pending.

        • Did they have security turned on too?

          Mine was quite weird, because the transaction was put through like 5 times. CBA blocked it the first 3, then allowed it the last two. It also happened at 6am their time, but the place doesn't open until 11?

          Lot of weird things about it.

  • -1

    Seems to be (anecdotally) a very CBA centric problem

    • +1

      Strange that, when it’s the largest bank with the most customers 🙄

      • -2

        No, what's strange is that with all that profit ,CBA seems to prefer exposing customers to crooks, rather than fixing the leaks.

  • Last time I refinanced, I had to open a debit account, as I wasn't going to use it. It never saw the light of day. I cut it up the day I got it and never made an online purchase… that account still got hacked lol. This was with Westpac.

    • I also had to get a debit card I didn't need when I refinanced, but I 'temporarily locked' the card before I destroyed it. Hopefully that would stop hackers.

  • +1

    Lots of Banks allow you to put a temporary limit on daily withdrawals or even turn the Card "off" via their Phone App.

    Maybe dial the amount back until you need it.

  • +1

    DON'T keep money in any debit card account, especially if you are using banking apps.
    If you want to withdraw cash, transfer money via the app before going to the ATM. Or use cardless withdrawal.

    For everything else (normal or online shopping) use a credit card + PayPal.

    • +3

      This is starting to get worrying when the security measure is to ensure the account is empty.
      They give debit cards on offset accounts.

      • +1

        You can have more than one offset account. We are using it that way - primary account with debit card is empty (just $1-2 to keep it open) and secondary offset is full.
        Sometimes simple things are better.

  • Can't you lock the card in the app?

    • +2

      Had a fraudulent transaction on my debit card from Canada despite having international transactions disabled 🤷‍♂️. They later refunded the amount. Commonwealth Bank service is total bs to me.

      • +1

        Same here. It was locked; somehow it didn't matter. Funny, because every time I buy something with it I have to put in the code they send me via SMS, yet the card thieves seem to have no problems there. They just keep putting through the transaction until one goes through.
        Dumb system.

        • +1

          Yup, same. I didn't get any notification for the transaction or a 2FA code prompt. Only noticed it a month later when downloading the CSV for BAS 🤷‍♂️
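Several comments in this thread describe the same shapes of card-testing fraud: a sub-dollar probe followed minutes later by a real charge (the "<$1 then $56" reply above), the same transaction resubmitted until one attempt is approved, and a charge at a time the merchant is closed (the 6am purchase at a place that opens at 11). As an added example, not CBA's rules and not code from any poster, here are those three heuristics as plain detection rules run over a constructed transaction sample. Timestamps are assumed to already be in merchant-local time, the trading hours are assumed, the merchant names are placeholders, and the card field is a token rather than a PAN.

```python
# Added example of simple detection heuristics for the patterns posters describe
# (a sub-$1 probe followed by a real charge, repeated attempts until one is
# approved, and a charge outside the merchant's trading hours). Not the bank's
# rules and not code from the forum; timestamps are treated as merchant-local
# time and the sample transactions are constructed.
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Txn:
    ts: datetime        # merchant-local time (assumption: already normalised)
    card: str           # token or masked reference, never a full PAN
    merchant: str
    amount: float
    approved: bool


def _by_card(txns):
    groups = defaultdict(list)
    for t in txns:
        groups[t.card].append(t)
    return {card: sorted(items, key=lambda t: t.ts) for card, items in groups.items()}


def probe_then_spend(txns, probe_max=1.00, ratio=10, window=timedelta(minutes=30)):
    """Cards where an approved charge <= probe_max is followed, within the window,
    by an approved charge at least `ratio` times larger (classic card testing)."""
    hits = set()
    for card, items in _by_card(txns).items():
        for i, probe in enumerate(items):
            if not probe.approved or probe.amount > probe_max:
                continue
            for later in items[i + 1:]:
                if later.ts - probe.ts > window:
                    break
                if later.approved and later.amount >= ratio * probe.amount:
                    hits.add(card)
                    break
    return sorted(hits)


def retry_until_approved(txns, min_declines=2, window=timedelta(minutes=15)):
    """Cards where the same merchant/amount was declined at least min_declines
    times shortly before an approval: the attacker kept resubmitting."""
    hits = set()
    for card, items in _by_card(txns).items():
        for i, t in enumerate(items):
            if not t.approved:
                continue
            declines = [p for p in items[:i]
                        if not p.approved and p.merchant == t.merchant
                        and p.amount == t.amount and t.ts - p.ts <= window]
            if len(declines) >= min_declines:
                hits.add(card)
    return sorted(hits)


def outside_trading_hours(txns, hours):
    """Cards with any attempt (approved or not) at a merchant outside its
    (open_hour, close_hour) window."""
    hits = set()
    for t in txns:
        if t.merchant in hours:
            open_h, close_h = hours[t.merchant]
            if not (open_h <= t.ts.hour < close_h):
                hits.add(t.card)
    return sorted(hits)


def run_rules(txns, hours):
    return {
        "probe_then_spend": probe_then_spend(txns),
        "retry_until_approved": retry_until_approved(txns),
        "outside_trading_hours": outside_trading_hours(txns, hours),
    }


# Constructed sample modelled on the thread: card-A gets an 80c probe then $56,
# card-B is hammered at a sandwich shop at 6am until two attempts go through,
# card-C is an ordinary lunch.
_D = datetime(2025, 6, 1)
SAMPLE = [
    Txn(_D.replace(hour=0, minute=0), "card-A", "US-WEB-STORE", 0.80, True),
    Txn(_D.replace(hour=0, minute=4), "card-A", "US-WEB-STORE", 56.00, True),
    Txn(_D.replace(hour=6, minute=0), "card-B", "SANDWICH-SHOP", 240.00, False),
    Txn(_D.replace(hour=6, minute=1), "card-B", "SANDWICH-SHOP", 240.00, False),
    Txn(_D.replace(hour=6, minute=2), "card-B", "SANDWICH-SHOP", 240.00, False),
    Txn(_D.replace(hour=6, minute=3), "card-B", "SANDWICH-SHOP", 240.00, True),
    Txn(_D.replace(hour=6, minute=5), "card-B", "SANDWICH-SHOP", 240.00, True),
    Txn(_D.replace(hour=12, minute=30), "card-C", "SANDWICH-SHOP", 14.50, True),
]
HOURS = {"SANDWICH-SHOP": (11, 22)}   # assumed trading hours for the sample

if __name__ == "__main__":
    for rule, cards in run_rules(SAMPLE, HOURS).items():
        print(f"{rule:24s} {cards}")
```

Each rule is deliberately stateless over a batch so it can be pointed at an export of approved and declined authorisations; the declines are the important part, since a bank that only looks at settled transactions never sees the three failed attempts that precede the one that went through.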

  • -2

    Happened to my elderly parents as well. Someone phoned and added their details to a "virtual" bank card linked to their payment method, and got them to relay their security codes as well. A week later they started getting multiple $100 transactions in Sydney. So probably the scammer's mates letting them withdraw money from businesses, and they rinse and repeat. In the end, a bank rep denied a claim, which seemed wild to me. This was due to the "scam not fraud" rule they have.

    • +4

      bank rep denied a claim, which seemed wild to me

      Seems perfectly fair in that case, if someone literally hands over their details/security codes it's hardly the bank's fault.

      • -2

        Don't think any loss was incurred. Other factors I don't want to disclose here.

  • +1

    Just complain to AFCA and let their (CBA's) IDR process sort it out.

    They are publicly advertising their best in class fraud detection technologies… Hmm

  • +2

    account keeping fees.

    Lol wut? Is it 1999? Change banks!

  • -5

    Tell these thoughts to your mental health professional. Why are you here?

  • +3

    This happened to me once a couple of years ago, was also a debit card and also CBA.

    By any chance do you know if the card you had on you was about to expire within a couple of months?

    That was the case for me. My debit card wasn't frequently used. The new one was sent to me as the existing was about to expire, I had no notification or anything so it wasn't something I was actively looking out for.

    My existing debit card had never ever been used a single time, outside at stores nor online, as the card was just part of the account I had, so I was certain no one stole the details through leaked means.

    So when I called CBA they said, oh did you use your new card to make these transactions?

    I said what new card?

    They knew immediately someone must have stolen the mail and activated it.

    I asked them how they activated it, don't they need to run through verifications? They proceeded to yap on about how they can't reveal that and how their systems are secure. I said it's clearly broken…

    • +1

      This shit is moving beyond coincidence.

    • No, this was only a year old, but it was a reissue of an existing card so same number.

      Proceeded to yap on about how they can't reveal and how their systems are secure

      Typical isn't it? All the 'privacy laws' and 'trade secret' shit seems to only serve to hide incompetence from scrutiny

      It's fortunate it happened to me, I can live without the money for a month. If it happened to someone who really needed it, like a person getting ready to pay their rent this could have really screwed them over

  • +4

    Frank Abagnale Jnr says to always pay with a credit card and not a debit card. If you get compromised, it’s the banks money not yours.

    If you must use a debit card, keep only $100 in there and transfer additional funds into it only when needed.

  • +1

    Personally I would not have more than a few hundred bucks in an account attached to a debit card. Keep the bulk of your money somewhere else that's not publicly accessible. Just transfer in a few hundred bucks as you need it. That way, if someone does brute force/whatever your card number, there's less risk of them getting away with much cash, even if you'll eventually get it back via the fraud process.

    • -1

      Nice idea, if you knew in advance.

      Personally, having a bit of cash in multiple bank accounts has really helped me out. Like when Shopback suddenly decided to have a 20% cashback for eBay, but only through Westpac. On a Saturday.

      So every strategy has its potential rewards and its foreseeable risks. In this case I'm banking on getting the money back, so it shouldn't cost me anything, but we'll see.

      • PayID / Osko or Beem don't work on Saturdays now?

  • +2

    I had a similar issue with my CBA debit card 4 yrs ago. Card rarely used.
    Had 4 monthly charges for Prime and one or two purchases of less than $100.

    Amazon would not share any details of the account using my card. They refunded the monthly charges but not the purchases. CBA refunded the rest.

  • +4

    How about a CBA debit card that was issued & never ever used, then it gets hacked somehow, with a purchase made in the USA. When asked how this could have happened, they gave us some generic excuses about how sophisticated the scammers are getting. WTF?

    Refunded the money, but 2 weeks later, without notice, reversed the refund, & when queried, they claimed the merchant advised it was a legit purchase. My response was not pleasant. Long story, but I got the money back.

    CBA is probably the worst bank to do your banking with.

    • That freakin' sucks. It's like they gave you the refund to make you think you were safe, and then when you had moved on they took it back. That's worse than not giving it to you to start with imo.

      I've heard the politicians are putting focus on the banks, and are looking at making them legally responsible for fraud. At the same time, I'm seeing more of those crazy stupid stories in the news, of "My grandpa withdrew his life savings and sent it to someone in Zimbabwe claiming to be a 25yr old women in love with him. The bank warned him it was a scam, but he was determined to do it. Now he's trying to get the bank to pay for it"

      Coincidence?

      • -3

        making them legally responsible for fraud

        Is just a ruse to give the banks an excuse to make Digital ID mandatory without the government openly forcing you to get it. But if you want to keep your bank accounts open you'll have to get it. Totally doesn't sound like any other "as mandatory as possible" but we're totally not forcing you to get it thing that has happened in recent memory. There may also be an element of bank issued digital currency on the blockchain and/or CBDC thrown into the narrative too.

        I'm seeing more of those crazy stupid stories in the news, …Coincidence?

        No it's not a coincidence. The same organisations who own the banks own the mass media outlets too. It's just part of the theatre to convince you that what's coming next (mandatory Digital ID to keep your bank accounts) is necessary.

        But it's not necessary. There's been stupid people who are stupid with their own money for eons. And there's been thieves for eons. People were scammed / stolen from before banks existed. People were scammed / stolen from when it was all cheque books and over the counter bank transactions. People have been scammed / stolen from since credit cards were invented. People are still scammed / stolen from with internet transactions. And people will still be scammed / stolen from with Digital ID linked to their money.

    • CBA is probably the worst bank to do your banking with.

      In general I agree.

      But I had a similar experience to you and OP about 5 years ago and CBA were pretty good at refunding the money to me. The transaction took place on the other side of the country and I could prove I was never in the State it took place. It was also spent at fast food place, Subway from memory.
