Android Market and Credit Card Fraud

[pmas]

Just a little "heads up" to all.:
I have a credit card specifically for the market. It is not used anywhere else and never was. I have paid for several apps. I have had my Dorid for only a month.
I received a call from my credit card company's fraud department. They asked me about several charges to my card that were placed on Jan. 15/16. They were all internet based transactions, and they were not mine. Luckily, I am not responsible for the several hundred dollars in fraudulent charges, but it is quite an inconvenience.
My advice is simple:just be aware that the apps and developers in market are not controlled or screened. Though the market is full of respectable devs, there are scammers/criminals as there are everywhere these days.
Use caution.

 

[olilan]

How do you think app developers got hold of you card details? Didn't you pay through Google Checkout?

 

[nerdbox08]

I have to agree with olilan; did you consider the number might have been a random generator? those do exist.

 

[pmas]

Sure anything is possible. I just find it suspect that this has happened at all, since this card has only been used through google checkout.
More likely than a random generator, is the fact that many apps ask for (and receive) certain permissions upon install that could lead to personal information being sent to the dev.
I am not looking for a reason why..I am simply telling my story. Many other victims around the internet are questioning permissions needed for certain apps.
Further, if you search some other forums such as http://www.droidforums.net/forum/, you will see there are several prior occurrences of this exact problem. Many are saying it happened after UK transactions. I have purchased a few apps from UK devs, but heck, who knows?

 

[olilan]

There's no way for an app to get hold of your Google Checkout payment details unless you type them into the app. None of the permissions would let them do that.

 

[moviemogul]

Can one use paypal for app purchases?

 

[pmas]

There's no way for an app to get hold of your Google Checkout payment details unless you type them into the app. None of the permissions would let them do that.

OK. We will never know just how it happened. I just want everyone to know that this happened and to be aware and cautious since apparently this is quite common on the android market in the past week. Somehow, someway, it's happening. I have received non-stop messages all day from people experiencing the same thing. Some theorize it's based on the attack on google from last week.

 

[ERDude]

Thanks for the heads up. I've used Google checkout almost since day one and never had a problem. One never knows whether the apps in the market are logging keystrokes or not.

Remember this little hiccup in Google's app screening, oh right there is no screening.

Google Pulls Fraudulant Banking Apps From Market | DroidTalk

 

[Fraud Victim]

None of you guys know what is "possible" and "not possible." "Such and such won't let them do this" ... and just how do you know exactly what the person used to commit the fraud? pmas is simply sharing info to help others. I have a similar story.

I have had my Android phone for only a month now. I have had to enter my card info only once and that was into the phone when i first turned it on and set it up. The card info has then been linked to my googlecheckout account.

Welp. Google checkout was used to charge me for $300 in digital goods. This is actually using my GOOGLE account. I looked into it further and saw that someone else's device is actually linked to my google account. How? I do not know, but this is probably how purchases are being made via googlecheckout in my name.

I emailed google, they basically blamed me for leaking password info which I would never do, told me how to create a "good" password and said have a nice day. They gave me no option to delete the unknown device from my account. If someone can do this to my account, they can do it to anyone's account... and google gives no one access to editing devices (phones) linked to one's google account. So basically... they're letting fraud happen. I don't even have control over who links to my account info. That's just plain ed.

Good thing is.. the person's MEID shows up on my dashboard.

I filed claims with IC3. Hoping for a resolve.

 

[true911]

Since everything about Android Market is anonymous, how do I get help if I have a situation?

I have a device associated with my account that is not mine. It's not an old device; it's listed on T-Mobile which I've never used.

How do I report it and get help? This could be an attack vector for making purchases if I were compromised, for example.