CBA Debit Card Starting with 521729 Hacked - $1200 Stolen

Got a notification last Sunday for some strange transactions on my Commonwealth Bank account.

It's not an account I use all that often, but it does have a little bit of money that gets moved around to other accounts each month to avoid the account keeping fees.

They made 4 transactions at a place called Charleys Philly Steaks, which as near as I can tell is like a Subway joint. Don't know how they were able to buy $900 worth of food there?

Anyway, I reported it and cancelled the card, but because it was a debit card the money doesn't get returned until they go through their process. We'll see how long that takes.

There's no easy target to blame for how the details got out. Only place I used it at that wasn't a huge retailer was Boost, when they were doing those free sims. So at the moment I'm working on the assumption that they guessed the card number.

15 June - UPDATE- Money Returned


Comments

      • They really pissed me off when they reversed the money without notice. I only found out 10 days later, but when pressed to provide information, they claimed the Merchant has said the purchase was legit, meaning they sided with them. FWIW, it was for an amount of $125 USD / $193 AUD

        I asked for full details (sale description, location, addresses, deliveries etc), failing that, I gave them a 5 day ultimatum to have the money re-credited or I take this down a different channel.

        Had the money in my account the next day.

        What really pissed me off was the way this was handled. Let's just say, there are a dozen banks I would consider above Commbank.

    • Had the same thing, a debit card that I had never used. Money back day after the transaction "cleared".

      Have had various cards have this happen over the years with CBA, never had an issue with getting a refund

  • CBA cards get hacked in Canada quite often.
    Was that where they used it?

    • Nah America. Houston to be precise. But a lot of the details don't match up, so I'm thinking it's possible they hacked a terminal or spoofed the details somehow. In that case they could be from anywhere

      • +1

        It's a somewhat common occurrence unfortunately, the resolution however is fairly quick. Had a similar situation about 2 months ago with someone using my card to purchase from a pharmacy in America. Immediately disputed the transaction, which prompted for the card to be locked and replaced. CBA will then have to wait for the transaction to process before they can take action. Only thing you need to note is if there's any international transaction fee, since the transaction was for $1200, I'd assume that it would not be an insignificant amount, and if you don't hound CBA for that to also be refunded then they'll try to make you eat it (like they did for me).

  • Safe to say CBA card security has a massive issue. The common circumstances & MO seems almost built in.

  • +1

    This happened to me a couple years ago. Was travelling in the UK and I got a notification on my phone that my CBA card made a transaction at a phone store in Venezuela…

    Quickly locked my card in the Commbank app and went through the appeals process but they refused to refund the lost money because my PIN was used?

    I had used a Commbank ATM a few weeks earlier to withdraw some cash so I can only assume my card was skimmed & handstrokes were recorded (though I always make an effort to cover my hand). Or there are some other hacks I'm unaware of.

    Ended up losing like $150 but could be worse I guess.

  • +3

    I've had 2 members of my family mention that their CBA card details were used to make purchases in the USA within the last 2 months.

    One was a debit card and the other was a credit card.

    Luckily they both got their money back pretty quickly, and the purchases were only around $150 each.

    Might be something going on with commbank

    • This thread indicates it, that's for sure.

    • Yes, same thing happened to my mum's CBA Mastercard debit, was used for an Amazon purchase a couple weeks back, there is definitely something going on at CBA, my guess is a data breach and afraid to admit to it.

  • Same happened to me in April, CBA debit card never used anywhere for a CDIA account. Never usually have money in that account, transferred it over for a share trade and a few hours later a transaction from Rite Aid in USA.

    Luckily I noticed it as this CBA account doesn't provide app notifications when transaction is made. Had to block the card and reorder a new one. Lodged a dispute and transaction was pending for a week then disappeared. A letter followed saying the dispute was finalised.

    You can block your debit card from overseas transactions & just block the card permanently if you don't use it like I ended up doing. Something is wrong with CBA, on reddit others had transactions from Riteaid too.

  • +1

    Something is wrong with CBA

    Have not seen anything to the contrary in this thread.

  • +1

    This happened to me as well. Card that is almost never used had an Amazon prime subscription billed to it. They ended up replacing it and refunding the amount, but something seems suspicious about CBA.

  • Shouldn't be a problem, it happens. For future, with the Commbank app via card settings you can disable basically every function (paywave, online payments, international) and enable them only when you use them. That way the numbers and cards are completely useless until you allow it temporarily.

  • Brand new credit card from 28 Degrees (many years ago)
    Sat in the drawer unused for about 3 years.
    Suddenly there are illegal transactions on it.

    Question, how is this possible?
    Guess or force try all number combinations?

    • Your guess is as good as mine, but not as good as the fraudsters' who cracked the numbers and date combo on your card.

  • -4

    What's the post about? Just get used to it. I had my Citibank lifted for like the 6th time a few weeks back, both my card and wife's, and they "stole" 6k but I got it all back. It's the best reason to use a credit card vs a debit card.

  • +4

    similar happened to my cba debit card about 2 weeks ago. apparently, there were 8 or so overseas attempts on my card (total $3k to $4k) and 5 ended up showing on my account as pending. Of the 5 pending, the bank after a few days confirmed only 1 transaction cleared worth sub $100 and bank refunded this one. the interesting part was my balance was $0 at the time these attempts were made so not sure why even this one went through. just follow up with bank and hopefully all resolves for you.

  • +2

    I've almost had enough of commbank. I don't use my card on the internet, yet I've had at least 3 occasions (in recent memory) of my card being used overseas in countries I've not been to, to purchase stuff in store and sometimes within weeks of getting a new card. These fraudulent transactions were not even flagged even though I was using the same card here in Australia on the same day.
    Fortunately I check my account often and spotted them quickly. Even though still pending, commbank refused to stop the payments, then I had to wait weeks while they contact the overseas business to try to get the money back and when it's finally refunded they refuse to give any explanation.
    Yet when I want to transfer money to someone, they keep it for 2 days for "security purposes", this includes trying to pay a house deposit which I told them about (as I had to increase the max transfer amount) which they delayed by 2 days.
    Been with them 15 years, but fed up with them.

    • -3

      they keep it for 2 days for "security purposes"

      They hold it to earn free interest on it.

      I told them about a large transaction I was going to make and I even made a $1 transfer first a week in advance to ensure it ended up in the correct account. After confirming the money went to the correct account, I then made the large transaction and they held it for "security purposes". Spent another hour on the phone being redirected and put on hold and had to re-explain the transaction again. I had already successfully increased my daily transfer limits too.
      Any excuse will do with them to frustrate their customers.

  • +1

    It's a good reason to never use a debit card for purchases apart from the point of sale.

    Credit card is compromised. It's not your money. File a complaint.

    Debit card is compromised. It is your money. You now have to chase the bank to get it back.

  • this happened to me recently (commonwealth bank customer) - $600 was spent at a discount grocery store and drug store in california. Reported it, cancelled it and money was refunded after like 2 weeks. I thought it would have been flagged immediately as it's an overseas local transaction, but they spent $6 dollars first somewhere else making sure it worked before they did the big purchase…

  • +1

    Maybe they can't afford to make security changes?
    CBA Battling

    In its latest results, Commonwealth Bank made $9.48 billion after tax, while Westpac made $7 billion, NAB made $6.96 billion and ANZ made $6.53 billion.
    Kevin Doodney, an Australian housing futurist at the High Yield Property Group, told news.com.au in April that “the big four Australian banks make up four of the eight most profitable banks in the world”.
    “They are making that money from a population of just 27 million people. There’s 8 billion people out there, for Christ’s sake.
    “What the Australian public needs to ask is, how on Earth can that be possible? Because, I think the Australian people are going to look at that and go, nah, that’s not possible.”

  • +2

    I’m with a different bank and something similar happened to me. I never got an explanation and when I did my own reading, it may have been a BIN attack. I don’t know much about it but it seems like sometimes despite exercising extreme care, you could still face this issue if your card number and CVC were guessed correctly. These days I keep very little money in my everyday accounts and also disabled the overseas spending feature until I actually travel overseas.

    • +1

      If you are an employee of any company in the chain of custody of credit cards through the mail system, you already have access to new cards traversing the mail (CVC and card number - tick), if you are so inclined. From there, who knows how hard or easy it is.

  • Last month same happened to me and we lost 9K in two transactions happened 30 mins apart. Luckily we were able to block cards via app before anything further happened. Raised dispute and CBA reverted all amount after the transactions processed.

  • A good "secure" measure to have to avoid this kind of thing:
    - Never have big amount in debit cards (ideally, never have cards linked to any debit account). If you do, ensure it's always minimum for only the amount you use.
    - For all large amounts, put them in Savings accounts that are NOT linked to any cards.
    - For spending, just use a Credit Card (i.e. use the bank's money). Easier to claim back if any fraud happens.

  • +2

    If you keep your card secure then it was probably a "BIN Attack".

    Lots of online articles about it but basically the first 6 digits of a card are unique to a bank so scammers only need to guess the rest of the numbers.
    They find an online merchant then have a script run through number combinations with small transactions.
    As soon as one of the card combinations works they make larger transactions or store the card details hoping the card owner doesn't notice the small transaction.
    Not much you can do to stop it other than locking your card whenever you aren't using it which isn't very convenient if you have direct debit set up.

    https://www.abc.net.au/news/2023-12-14/cybercriminals-steali…

    • Yes a CBA insider told me exactly this, too at a security conference.

    • Yeah, that could go a long way to explain why the easier to guess CVCs are usually hit first.
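
The enumeration pattern described in the "BIN Attack" comment above (many small attempts against card numbers that share one 6-digit prefix, most of them failing), written as an issuer-side detection rule. This is an added example, not part of any comment in the thread and not CBA's code; the log format, thresholds, merchant names and card tokens are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds are assumptions for illustration, not values from any bank.
WINDOW = timedelta(minutes=10)   # look-back window per merchant + BIN
MIN_CARDS = 5                    # distinct cards tried in the window
MAX_AMOUNT = 10.00               # ceiling for a "small test transaction"
MIN_DECLINE_RATIO = 0.6          # guessed numbers mostly fail

def detect_card_testing(events):
    """Flag (merchant, BIN) pairs whose small-value attempts look like enumeration.

    events: time-sorted tuples (iso_time, merchant, bin6, card_token, amount,
    approved). card_token is an opaque per-card id, never the card number.
    Returns {(merchant, bin6): set of card tokens that were approved}.
    """
    windows = defaultdict(deque)
    alerts = {}
    for ts, merchant, bin6, token, amount, approved in events:
        if amount > MAX_AMOUNT:          # this rule only watches the test phase
            continue
        t = datetime.fromisoformat(ts)
        q = windows[(merchant, bin6)]
        q.append((t, token, approved))
        while t - q[0][0] > WINDOW:      # slide the window forward
            q.popleft()
        cards = {tok for _, tok, _ in q}
        declines = sum(1 for _, _, ok in q if not ok)
        if len(cards) >= MIN_CARDS and declines / len(q) >= MIN_DECLINE_RATIO:
            # Approved cards inside a flagged burst are the ones to lock or reissue.
            alerts.setdefault((merchant, bin6), set()).update(
                tok for _, tok, ok in q if ok)
    return alerts

# Constructed sample: seven $1 attempts at one merchant, 20 s apart, one approved;
# then ordinary small purchases and one large purchase on the approved card.
SAMPLE = [
    (f"2024-06-02T10:0{i // 3}:{(i % 3) * 20:02d}", "SHOP-A", "521729",
     f"tok-{i:04d}", 1.00, i == 5) for i in range(7)
] + [
    ("2024-06-02T10:05:00", "CAFE-B", "521729", "tok-0100", 4.50, True),
    ("2024-06-02T10:06:00", "CAFE-B", "521729", "tok-0101", 6.00, True),
    ("2024-06-02T10:30:00", "STORE-C", "521729", "tok-0005", 900.00, True),
]

if __name__ == "__main__":
    print(detect_card_testing(SAMPLE))
```

The one approved token in the flagged burst is the card a fraud team would lock before the larger spend arrives; the ordinary café purchases on the same prefix do not trip the rule.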

  • +2

    I read the OP's post again.

    By the way, if you wanted to know, that particular Steakhouse sells gift cards too.

    It did not need to be someone dining in on that day. It is likely those cards are being offloaded to other parties now.

    Furthermore, were there any other transactions that took place before those 4 transactions at the steakhouse? Usually there is a test spend elsewhere, if there isn't then it kind of looks suspicious and would be more likely it is not a BIN attack, but some other attack channel where the CC details were leaked.

    This could include any of the 0days which have been affecting Chrome in the past week or so that were only recently patched.

    There was literally a 0day affecting Youtube as far as I was aware.

  • +2

    Update: CBA sent me an email. It said that the big transactions hadn't gone through, which is weird because they had lost their pending status. Now, they have been wiped from the record and there's no trace of them but the money is back in the account.

    The smaller transaction did go through, but they have credited me with the same amount (for both the transaction and the international fee). So it seems like I'm back to whole, but I'll check again in 2 weeks to make sure they don't reverse it
