How easy is it to actually track another person's credit card?

Question

In movies and in fiction, government agents, mom's basement hackers, evil villains, etc. often are able in minutes to tell stuff like "twenty minutes ago she rented a boat in Snow Hill" or "he bought two chicken lettuce sandwiches in Subway at Waverley rail station".

In fact, is it even possible in real time to connect to various payment networks? Also, will not the transaction only say '£88.50 at McGregor Inc., Snow Hill'?

What if he has cards under different names? What is actually tracked? I have a card J Smith, another one Jane Smith, third Mrs J K Smith and amex Dr Jane Knutt Smith. The first two have the billing address at my parents.

At all times, the government is aware of everything about you, so much so that they see that you have spaghetti sauce on your T shirt. Go change it. — Bob Baerker, Nov 29 '20 at 23:55
@BobBaerker Actually, it was tagliatelle sauce, but I've changed it now. — TripeHound, Nov 30 '20 at 10:46
I’m voting to close this question because this is not a question about Personal Finance, but about law enforcement — Joe, Nov 30 '20 at 18:57
A classic film example of this trope is Enemy of the State. Knowing the products bought from a transaction could be as simple as requesting the video files from the security camera at the shop in question, and observing which products the suspect picks up and pays for. — Aaron F, Nov 30 '20 at 19:11
Related: How do credit card companies know what type of business I'm paying for? discusses some of the data fields - in particular access to L3 data would be of interest — Chris H, Dec 01 '20 at 10:53
I'd also would like to mention that even if the card report doesn't have a detailed list of what was ought, it doesn't mean it's not tracked somewhere. I now of at least one such system that allows to lookup the "digital" version of your cheque online and one could theoretically imagine some ways to connect that data to the real person. — Dan M., Dec 01 '20 at 16:29
Also in movies and television, when a hacker is using a command line on a computer, inevitably there will be a big popup that appears on the screen that says "Downloading..." or "Copying Files...". — TTT, Dec 01 '20 at 19:01

Acccumulation · Answer 1 · 2020-12-01T18:48:54.460

33

There are several questions here.

Is it possible to connect to a payment network in real time?
Well, yeah, that's pretty much part of the definition of a payment network. In a standard transaction, a merchant connects to the network in real time when it processes a purchase. That real time connection is the main value of a network to the merchant and one of the main justifications interchange: if the transaction is authorized by the issuer, the issuer generally (at least for in-person, chip transaction) has the main liability for fraudulent transactions. The merchant is free to take transactions without real-time authorization, but there's generally some loss of protection for fraud. One use case for this is on-ship commissaries; the ship might not be able to connect with the network, but fraud isn't much of a worry.

Can a hacker read transaction information?
There's no way to say for certain that there are no unknown vulnerabilities. Obviously if there were generally known methods, they would be patched. And the real-time databases have an especially large amount of security.

Do the networks know what you bought?
No, the networks know the card number, merchant, time, and amount, but the standard transaction message doesn't have field for items purchased. If the merchant is itemizing the purchase, they are either using fields that allow custom entries or communicating through a method other than standard transaction messages. And of course if the merchant has limited number of products, then someone with access to the transaction amount might be able figure out what was bought. For instance, if someone spends less than two dollars at a gas station, they likely bought something from the attached convenience store rather than buying gas, and theoretically one could get a list of all the items with that exact price.

edited Dec 01 '20 at 18:48

answered Nov 30 '20 at 07:26

Acccumulation

10,331
19
45

1

Is it possible to connect in real time to get very very recent historical data even not statemented yet data? And to various networks (visa, mc, union pay, amex, others) – user2299523 Nov 30 '20 at 12:42
3

"but the merchant doesn't send an invoice" -- yet. I know there was some pilot programs to do exactly this to aggregate info for advertisement. Something like Facebook is doing online. Creepy, isnt it? (That was few year ago, before GDPR, i have no idea if this is still possible today, but thanks god - probably not.) – Jan 'splite' K. Nov 30 '20 at 12:53
5

Payments are not necessarily sent in real time, there are two parts in a payment, authorisation (real-time) and processing (often delayed in nightly batches, or at the time of shipping or checkout rather than when the card was actually used). Authorization is optional, though nowadays it becomes quite rare not to do it (except when completely offline). Also, some networks will actually receive detailed information of the goods/services purchased from some merchants, this is used mostly for business expenses. – jcaron Nov 30 '20 at 14:31
14

Regarding your last point, I know that my Amazon payment cars lists on the statements which items were bought (granted not a generic credit card, but still). My American Express card also shows specific items, but only for some merchants. So I think while your point is true on many cases, it's not a general truth. Some card issuers and merchants may have special arrangements. – Najel Nov 30 '20 at 15:19
5

Also, on your last point, the terminal ID can sometimes give a good indication of the type of product purchased, if not the specific product. An example: gasoline purchased at the pump. – Xcali Nov 30 '20 at 19:18
1

This answer is...less than accurate on all counts. Just because you swiped your credit card does not mean you are connected to any sort of "real-time network." High-volume vendors (Target, Walmart) usually are, yes, but smaller ones (esp those operating out of satellite/remote locations with limited bandwidth) often cache transactions and upload them in batches after-hours. Consider why global commerce does not grind to a halt when internet outages occur, or why charges sometimes go through days late. Best way to get realtime/transaction data? Hijack the mark's Apple/Google Pay account. – Ivan Dec 01 '20 at 02:16
3

@Ivan I have actually stumbled upon vendors who would not let me pay with a card because of Internet outage a lot of times. So it is actually a thing. Also if they were cached it may pose a problem with durability. What if cached transactions are lost due to device breaking? Most of time when I buy something my account is immediately updated. – Gherman Dec 01 '20 at 08:45
1

@Gherman Note that sometimes, especially in some countries, "the internet doesn't work" really means "I'd prefer you to pay cash because I don't want to pay the CC fee or because I want to do some tax dodging shenanigans". – Federico Poloni Dec 01 '20 at 11:23
2

@FedericoPoloni: I've had it happen in a national supermarket chain in Israel, with more than one hundred Euros of groceries already bagged. The cashier was adamant that the charge could not go through, only by insisting to speak to a manager could I complete the purchase. And so far as I know, other cashiers at other lanes were having the same arguments with their customers. I don't know if others were resolved after I paid and left. Technically possible does not mean that the employee knows how to do it. – dotancohen Dec 01 '20 at 12:56
Here in Finland, most cards people use are direct debit cards with electronic verification, and they actually do stop working if the payment network connection breaks. But it happens pretty rarely. – jpa Dec 01 '20 at 13:03
2

"Offline" payments (where it is not authorized in realtime - for any reason, not just network outages) are allowed in most countries, but the requirements around them differ, and not every point-of-sale is capable of it. It's also somewhat up to the merchant - if they can't get a real-time authorization, they take the (admittedly small) risk that the transaction may not actually be valid. Debit transactions are generally on the "not allowed offline at all" list, but many debit cards can also be run as credit. So everyone in this thread is right. – Bobson Dec 01 '20 at 14:23
I'm aware of certain programs where you could link your card and get automatic cashback for certain items (e.g. for buying a Z-brand juice), so it's certainly possible to itemize your purchases, even if not mandatory/not always done/locale dependent. – Dan M. Dec 01 '20 at 16:31
@DanM. Cashback from the merchant or the issuing bank? – Acccumulation Dec 01 '20 at 18:29
@Gherman: Ivan isn’t denying that plenty of vendors use a real-time connection — he’s pointing out that there are also plenty who don’t, and it isn’t compulsory. Which is more widespread may depend on where you live. – Peter LeFanu Lumsdaine Dec 01 '20 at 18:39
@Gherman It's certainly possible for CC processing to be interrupted due to outage--it happens to my corner liquor store all the time--but they're using Stripe or some other third-party abstraction which requires a constant internet connection for its own sake (these options are new to the game). Last I saw the entire payment network still runs on rusty Big Iron so there is always some amount of clientside buffering, even with the high-volume vendors. Risk of loss of cached transactions is accounted for by contractual negotiation and insurance. https://money.stackexchange.com/a/39176/37686 – Ivan Dec 01 '20 at 20:16
@Ivan Just when are there "internet outages"? Other than in remote places? An ISP or web service going down is not the same thing as the internet going down. Also, VISA is older than the internet. And there was a major disruption of payment processing in Europe in June 2019. – Acccumulation Dec 01 '20 at 20:24
3

Level 3 credit card data includes line item data. Any merchant that reports level 3 data is telling Visa or Mastercard what you bought. – user2357112 Dec 01 '20 at 20:42
@Gherman in that case you could request that they process it manually, they should have the appropriate forms stored somewhere. Highly unlikely the above-mentioned supermarket cashiers would be trained for that, though. In that case, it may be simpler to get them let you go and come to pay the next day. I think they could be fined for not accepting credit cards when they offer it (although I don't know who would be liable for that if the network is down). – Ángel Dec 01 '20 at 23:44
@Acccumulation 3rd-party (although it can be a bank sometimes). – Dan M. Dec 02 '20 at 11:15
2

"but the standard transaction message doesn't have field for items purchased. If the merchant is itemizing the purchase, they are either using fields that allow custom entries or communicating through a method other than standard transaction messages." I don't know where you got that information, but it's not true. This information is often optional in the authorization request messages, but it's nothing non-standard. Often, providing it qualifies the transaction for better processing rates. – Daniel Dec 02 '20 at 14:17
1

And you're missing the most easiest and most obvious way of getting this information, especially for "government agents": simply asking the issuing bank. The issuer has the record of all the transactions that have been performed with the card and can be compelled by law to provide that information to law enforcement. – Daniel Dec 02 '20 at 14:18
1

I'm going to echo @Daniel and a couple of the others here on that last point; I've worked with merchant interfaces in code, and it absolutely had itemization fields. There's actually quite a bit of information available (including tax codes and SKUs). These fields are completely optional, so are not getting set in all cases (and, depending on the communication between the register and the credit card terminal, may not be available to the processing terminal in the first place). – Clockwork-Muse Dec 02 '20 at 16:47
@Daniel The issuing bank doesn't have any more information than the network. Unless it's an on-us transaction, any information going to the issuing bank is going to the network first. – Acccumulation Dec 02 '20 at 22:21
@Acccumulation agreed. Either the issuer or the network would work (although I think on-us processing is fairly common). – Daniel Dec 03 '20 at 12:44

score 12 · Answer 2 · answered Nov 30 '20 at 00:44

12

Government agents, Mom's basement hackers, evil villains etc. have hacked into your PC/phone and so know your CC numbers, and so which banks (or AMEX, if you have a charge card) to hack into.

You're right that the transaction only say '£88.50 at McGregor Inc., Snow Hill' (technically it might just be a "hold" on your card for that amount), but -- given enough other information -- they might be able to infer that you rented a boat at McGregor Inc in Snow Hill, because that's what McGregor Inc in Snow Hill does: rent boats.

As an aside, maybe I just read and watch "better sorts" of fiction, but I don't recall things like "twenty minutes ago she rented a boat in Snow Hill" being a plot point. It's always, "his card was used at McGregor Inc. in Snow Hill; the amount was £88.50."

answered Nov 30 '20 at 00:44

RonJohn

50,666
10
106
170

RonJohn, this is a complete non-sequitor, but how do you say £88.50 out loud? (as in I would say 88 dollars and 50 cents, in America, or eighty eight fitty) – CGCampbell Dec 01 '20 at 17:46
4

"Eighty-eight pound fifty" would be a colloquial way to state this – Dancrumb Dec 01 '20 at 17:52
@CGCampbell when replying to someone, an @ is required in front of the name. Otherwise, SE does not know to send a message to my inbox. – RonJohn Dec 01 '20 at 18:02
@RonJohn I could not do so, as you had not used a comment. Now that you have, I could. And thanks Dancrumb. – CGCampbell Dec 01 '20 at 18:05
@CGCampbell good point. You'd think that comment would have appeared in my inbox. but it wasn't. – RonJohn Dec 01 '20 at 18:07
Usually, it still appears in your inbox if it's a comment on a post you have authored, although indeed, you won't get the @ prompt. – Sean Duggan Dec 01 '20 at 22:25
If it is the police, once they have identified the merchant, they can probably call them and get a copy of the ticket. – Florian F Dec 02 '20 at 10:23

score 10 · Answer 3 · answered Nov 30 '20 at 20:26

10

Depending on the merchant, yes, it is possible to see what items were purchased. Credit card payments can have 3 levels of data sent from the merchant to the processor. If the merchant sends Level 3 data, it will include things like the line items on the purchase.

As far as being able to track purchases in real time, governments could get court orders for the payment processors to share any data they have on particular accounts, and larger processors would probably get enough of these requests to have infrastructure to share this data quickly.

answered Nov 30 '20 at 20:26

djheini

101
2

1

Or law enforcement can just buy the tracking data from the payment processors, like Google seemingly does. https://epic.org/privacy/google/purchase-tracking/default.html – Nemo Dec 01 '20 at 00:08
1

@nemo that's a good point - you could make an answer out of that. I believe trading data like that is legal in some countries but not all. – Robyn Dec 01 '20 at 05:27

score 7 · Answer 4 · answered Nov 30 '20 at 11:40

CC transactions usually have Merchant Category Codes attached; e.g. "4457 Boat Leases and Boat Rentals". A MCC is a 4-digit code that provides an approximate description of the type of expense.

Connecting to the payment networks in real-time is definitely possible; most transactions nowadays are online.

How the hacker determines which card numbers to track is up to the hacker. The hacker would not track "Dr Jane Knutt Smith" directly. Instead, the hacker would need to find card numbers, possibly of different CC companies, and then try to track those. Finding these numbers is not an exact science.

score 5 · Answer 5 · answered Dec 01 '20 at 17:22

In movies and in fiction

That's where dramatization and fiction come into action. It reminds me the scene in Ron Howard's Inferno where Mr. Langdon's rental car is tracked real time.

That. Is. Drama.

In the real world (the "online world" is more real than we percieve), you should be aware that everything we do leaves traces. Traces that can be "traced back" using proper software. Real time is another thing.

There are multiple traces that you have done a transaction '£88.50 at McGregor Inc., Snow Hill'. Especially at the bank issuing the credit card. We are now discussing whether it's possible or not to link those traces real time and who could.

In the financial world, there is not a single central database of transactions, but a multitude of entities have separate databases that don't all talk with the same interface, nor with a central authority, not real time. Even if the "three sisters" VISA MC and AMEX have a single huge database of transactions, they are three databases and you should be able to link these three. They are not banks, they provide routing to issuing banks, which provide authorization and settlement for transactions.

Both ACME Bank (issuing bank) and McGregor Inc. (merchant, who owns a CRM software) have this record. Double linking all banks or merchants all around a country is not possible. And let's see why.

Banks and regulators

In a number of countries, especially in EU (please add comments for US) banks are required to periodically report to Government agencies (e.g. IRS) about their customer and transactions. But 1) reports are aggregated and 2) they are periodic.

It means that there won't be a single State database where you can find J. Smith purchased £88.50 at McGregor Inc.. And you (law enforcement) can access data only on a monthly/quarterly/yearly basis.

This because the privacy rules pose strong limits on what the self State.

The interesting part is that regulations are public and open, so before one claims "banks have a realtime link with MI-5", they would have to prove such a statement by linking appropriate regulations and practices.

About police/intelligence investigations

No law prohibits Law Enforcement and intelligence agencies to collect customer data on grounds of investigation. In EU at least, Law Enforcement can collect all information, including bank statements, on an individual basis. But that requires enquiring the Bank or the Merchant, which prevents realtime monitoring.

So that is where dramatization comes.

Oh, by the way, real world Law Enforcement require a warrant to obtain customer transactions. A warrant is issued in elapsed-seconds when watching a film, but can take much more time in the real world.

What it takes

In order to monitor one's transaction, authorities would have to establish a real time information link with all the appropriate parties. For example a web service. A common interface to inquire all financial transactions in real time.

There are so many banks all around the world that if such a direct link existed secretly, there would be too many IT people involved in holding this secret.

I mean: either it exists, and is found online, a publicly accessible technical regulation from your Government, or it's a fake news. Reminds me that if Moon landing was a conspiracy, thousands of people should have been corrupted.

About different cards

They can likely be linked to you, simply by matching a unique identifier like you social security number, or tax identifier, as issued by the Government. Banks are required to verify, record and report the identity of their customers.

Note that I have been working for years in the RegTech industry. The Government could know how many cards (and where) you own, but not their PAN code.

About hackers

Almost impossible. Impossible because banks have very sophisticated security systems, obey to strong privacy and security standards, and have plenties of people paid with a lot of money to protect their core systems.

Almost because sometimes, rarely, some bank gets hacked. But hacks don't last forever, and is for a single bank.

China apart

China is a different story. Chinese government is working hard to implement technology that allows to monitor society realtime, with obvious ethical, security and privacy implications which mark the strong cultural differences with Western society.

I have record (source: news) that Chinese government used big data from cell phone networks, face-scan cameras and AliPay payment network to track individuals suspected to have been in contact with COVID-19 patients. None of my sources mentioned real time, though Chinese Government and technology firms are working towards that.

"It reminds me the scene in Ron Howard's Inferno where Mr. Langdon's rental car is tracked real time. That. Is. Drama." One word: OnStar. IOW, tracking a rental car in real time has been feasible for about 15 years. They sell for less than $30 on Amazon: https://smile.amazon.com/Real-Time-GPS-Tracker/s?k=Real+Time+GPS+Tracker — RonJohn, Dec 01 '20 at 18:21
Sorry, but that is not the point. All car sharing vehicles have GPS.I can track my own car with a GPS too. But that doesn't mean there is a "big control room" where any vehicle can be tracked by just typing the license number, the owner name, etc. If the OP is a "person of interest" it takes time and bureaucracy to set tracking. That is the point of my answer — usr-local-ΕΨΗΕΛΩΝ, Dec 01 '20 at 21:18
Ignoring that giant control rooms are passe' in the networked world, OnStar has such a "giant control room" for all GM vehicles, and the big rental car companies also have them. For the Dept of Homeland Security to have silent agreements with the big rental companies is perfectly feasible. — RonJohn, Dec 01 '20 at 21:24
And there's no "time and bureaucracy to set tracking" when the rental companies already installed tracking hardware. — RonJohn, Dec 01 '20 at 21:25
For the Dept of Homeland Security to have silent agreements with the big rental companies is perfectly feasible. Like it's perfectly feasible for NASA to pretend to have landed on the Moon? DoH needs to sign agreements with all rental companies and keep them secret. I'm not saying this is false. I am saying gthat I am skeptic — usr-local-ΕΨΗΕΛΩΝ, Dec 01 '20 at 21:50

Daniel · Answer 6 · 2020-12-02T14:51:25.003

My full-time employment is writing software that processes credit card transactions, so I am familiar with this topic. I'll address the easiest part of your question first:

Stealing Data

Government Agents

There is a clear difference between "government agents" and "mom's basement hackers, evil villains, etc." The former have a very simple way of getting this information: by demanding it from the card's issuing bank. The issuing bank has a record of all the transactions on the credit card and governments can generally compel them to provide information to law enforcement. Whenever a police character in a crime drama says that the suspect's credit card records were checked, this is what I have always assumed they were doing. In the fictional worlds where these stories take place, it's possible that the evil villain has sufficient leverage over the issuing bank that he could also compel them to provide the information. In real-life, this is less likely.

Other hackers

For a real life hacker to steal this information would be much more difficult. Once the transaction data gets from the merchant to the acquiring bank, the transaction messages are generally transmitted over dedicated fiber rather than the internet. At the very least, communicating parties are joined by a VPN with network-level encryption of data. This would make it nearly impossible for a hacker to steal this information in transit. The most vulnerable place for a hacker to compromise would be the merchant's WiFi network. Having done this, our evil villain could perform a MITM attack to steal transaction data before it gets out the door (so to speak) to the acquirer. This wouldn't allow him to see all the transactions performed by a particular credit card in a given time period, but if he has a hunch about where the protagonist is going to go, it would allow him to confirm that it happened, potentially in real time.

Transaction Contents

As for whether it's possible to know exactly what our hero purchased in the store, the answer is "likely yes". Itemization data can be provided as part of standard payment transaction messages. This, along with some other data, is typically called something like "Level III" data (although the name used for it varies). Level III data is typically not required; however, providing it can often result in lower processing fees for the transaction. Therefore, many payment transactions do have itemization data attached to them.

Finding your credit cards

For someone to know which credit cards to track, they'll need more information than just your name. If they know the target's social security number, their credit report will have some basic information about their credit accounts. For a government actor, the process for getting a person's transaction information would involve looking at the subject's credit report to find with which banks they've opened credit accounts, then go to those banks and demand the information. For a normal hacker, even the list of our hero's credit card accounts from their credit report probably wouldn't be that helpful because, as I mentioned earlier, the issuing bank won't just hand over the transaction details.

Counter · Answer 7 · 2020-12-02T15:38:29.543

Programmer here. I work with code that integrates sites and payment terminals with payment solutions, so I know what information is sent to and from various integrators (not just between the vendor and the credit card issuer and bank). I can tell you that barring zero-day exploits, every system involved is secure enough.

People, on the other hand, are not.

mom's basement hackers, evil villains, etc. often are able in minutes to tell stuff like "twenty minutes ago she rented a boat in Snow Hill" or "he bought two chicken lettuce sandwiches in Subway at Waverley rail station".

Mom's basement hacker (henceforth MBH) may have tricked your spouse into installing some software like TeamViewer into your computer (usually as part of a refund scam). From there MBH can get a lot of data on you.

A bit more social engineering and now MBH has access to your Apple account, so they can see that you are paying for Uber Eats with your credit card through Apple Pay. They may also have stolen some site credentials while at it, so they can now log into Uber Eats and see your order history. Yep, two oven roasted chicken combos, using some specific coupon, to be delivered to your mistress's place.

In fact, is it even possible in real time to connect to various payment networks? Also, will not the transaction only say '£88.50 at McGregor Inc., Snow Hill'?

You are right that transactions will show very limited info. If all you have is the banking or credit card data, you can see when purchases are done and for what value, and who the merchant is, but you don't get specific order data.

You can infer things, though. If someone is buying from a site with a small number of products available, and if the prices for each product are very different, you can kinda figure out what the person is buying.

This is as far as MBH goes if all they have is access to your bank account and maybe some site accounts. Supposing they have the credentials for a store's admin credentials, so that they can see all order data, they can track your purchasing habits without needing to know anything about your credit cards - orders have product data, and billing and shipping addresses that are separate from credit card data.