The automaker does not believe sensitive information is involved in Canada.
I guess it's just coincidence within an hour of reading about this I got a phone call claiming to be from my Canadian VW dealer looking to refund an amount they overcharged on labor the last time I had my car in. It was the most convincing scam attempt I've ever encountered.
Caller ID matched the correct, local number for the dealer. The guy sounded enough like the service rep I dealt with the last few times to fool me, and knew to go by his nickname instead of the full name found on the invoice and email signatures. He sounded authentically embarrassed, and spoke with the right amount of "um's" and "ah's" you'd expect from a service guy.
They knew exactly when I had my car in. The work had been complex and there were a number of billing adjustments made at the time, so I wasn't too surprised. I even thanked him for his honesty for correcting it. Saying they didn't have my credit card on file, he offered to either leave the amount on file as a credit or take my card number to refund it immediately. He wasn't very pushy about which to choose, and to be honest it wasn't until he asked for my expiry date that I got more suspicious.
Funny part is at one point I asked if he'd heard about the hack. It clearly caught him off guard, and after a long pause he was like "No... there's been no official word on that yet".
I called the dealership right afterward, and the receptionist said she hadn't heard about it either and acted as if it would be totally normal for him to collect my credit card information (oops). Still wary, I reached out to him by email - and got confirmation it wasn't him, and that they're working with law enforcement.
Obviously I canceled my card. I can't help but wonder if the hackers might have gotten away with it had they gained control of their email as well. I can't imagine how many people are falling victim to this scam as you read this, and wonder if other dealerships are being similarly targeted. VW really has to step up their messaging.
More likely in this case the individual dealer was compromised. It’s been a few years and I doubt much has changed, but smaller to mid-sized dealer IT networks are an absolute dumpster fire. No one at the dealer wants to put money into something that isn’t directly adding to profit. Plus the computer skills of the average employee are at the bottom of the barrel.
Plus traditional OEMs are locked in waterproof contracts with dealers that pretty much prohibit any integration/optimisation of systems, changes of sales processes etc. With most OEMs now going the direct sales way, there are a lot more of these tussles to come. One of the reasons why Tesla is able to scale so fast (and of course they’re a much more nimble OEM).
> One thing I can't stop thinking about is... aren't credit cards incredibly insecure?
Yes, but by and large the fraud isn’t your burden, it’s the bank's. So you can push the onus of security on them. Getting a new card to replace your compromised one is quick and easy, and you can do things like lock the card from use from banking mobile apps.
The banks also do some analysis for fraud prevention. If you spent $5 in Ohio and an hour later in Mumbai they’d know it’s fraud b/c you can’t travel there that fast. Or if you never buy jewelry and try to buy some your card may be declined even if it’s a legit purchase.
But overall specifically in the case of credit cards I’ve found that I just don’t care about the security and it’s up to the issuing institution to figure out. Debit cards on the other hand are much more sensitive because it may take time to get cash back and you may have to fight the bank a little bit to prove you didn’t make a withdrawal. Meanwhile maybe you miss a car payment because your account was emptied.
Long story short, always always always* use a credit card for day-to-day purchases, if not for the cash back or points but for the security as well.
* obviously there are times where using a debit card makes sense but they are rare and specific.
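The two bank-side heuristics the comment above describes (a purchase that would require impossible travel since the previous one, and a purchase in a merchant category the cardholder has never used) as an added example in Python. This is illustrative code written for this page, not any bank's fraud engine or anything from the original thread; the transactions, coordinates, the 900 km/h speed threshold and the five-transaction baseline are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from math import radians, sin, cos, asin, sqrt


@dataclass(frozen=True)
class Txn:
    txn_id: str
    ts: datetime
    city: str
    lat: float
    lon: float
    merchant_category: str
    amount_usd: float


EARTH_RADIUS_KM = 6371.0
# Assumption: nothing a cardholder rides in moves faster than an airliner.
MAX_PLAUSIBLE_SPEED_KMH = 900.0
# Assumption: below this many past purchases we have no baseline to judge "unusual".
MIN_BASELINE_TXNS = 5


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two (lat, lon) points in kilometres."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def impossible_travel(txns, max_speed_kmh=MAX_PLAUSIBLE_SPEED_KMH):
    """Flag every transaction whose implied travel speed from the previous one
    (in time order) exceeds max_speed_kmh. Same-place purchases are skipped so
    that two swipes at one store a minute apart do not trip the check."""
    ordered = sorted(txns, key=lambda t: t.ts)
    alerts = []
    for prev, cur in zip(ordered, ordered[1:]):
        dist_km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
        if dist_km < 1.0:
            continue
        hours = (cur.ts - prev.ts).total_seconds() / 3600.0
        # Distinct places at the same instant is impossible regardless of speed.
        speed = float("inf") if hours <= 0 else dist_km / hours
        if speed > max_speed_kmh:
            alerts.append({
                "reason": "impossible_travel",
                "from": prev.txn_id,
                "to": cur.txn_id,
                "distance_km": round(dist_km),
                "implied_speed_kmh": speed,
            })
    return alerts


def unusual_category(history, candidate, min_baseline=MIN_BASELINE_TXNS):
    """Flag a purchase in a merchant category never seen in the cardholder's
    history. With too little history we return None rather than guess, which is
    the trade-off behind the comment's "declined even if it's legit" case."""
    if len(history) < min_baseline:
        return None
    seen = {t.merchant_category for t in history}
    if candidate.merchant_category in seen:
        return None
    return {
        "reason": "new_merchant_category",
        "txn": candidate.txn_id,
        "category": candidate.merchant_category,
        "amount_usd": candidate.amount_usd,
    }


# Constructed sample data: a Columbus, Ohio cardholder, then a $5 purchase in
# Mumbai one hour after the last Columbus swipe, then a first-ever jewelry buy.
COLUMBUS = (39.9612, -82.9988)
MUMBAI = (19.0760, 72.8777)
SAMPLE_TXNS = [
    Txn("t1", datetime(2024, 3, 1, 9, 0), "Columbus", *COLUMBUS, "groceries", 64.10),
    Txn("t2", datetime(2024, 3, 2, 18, 30), "Columbus", *COLUMBUS, "fuel", 48.00),
    Txn("t3", datetime(2024, 3, 3, 12, 15), "Columbus", *COLUMBUS, "restaurant", 22.75),
    Txn("t4", datetime(2024, 3, 4, 8, 45), "Columbus", *COLUMBUS, "groceries", 91.30),
    Txn("t5", datetime(2024, 3, 5, 17, 0), "Columbus", *COLUMBUS, "fuel", 45.20),
    Txn("t6", datetime(2024, 3, 6, 12, 0), "Columbus", *COLUMBUS, "restaurant", 31.00),
    Txn("t7", datetime(2024, 3, 6, 13, 0), "Mumbai", *MUMBAI, "groceries", 5.00),
    Txn("t8", datetime(2024, 3, 8, 13, 0), "Columbus", *COLUMBUS, "jewelry", 1800.00),
]


def run_checks(txns):
    """Run both heuristics over a time-ordered transaction list and return
    every alert raised, so a caller can decline, step-up, or just review."""
    ordered = sorted(txns, key=lambda t: t.ts)
    alerts = list(impossible_travel(ordered))
    for i, txn in enumerate(ordered):
        hit = unusual_category(ordered[:i], txn)
        if hit:
            alerts.append(hit)
    return alerts


if __name__ == "__main__":
    for alert in run_checks(SAMPLE_TXNS):
        print(alert)
```

Real engines score many more signals (device fingerprint, merchant risk, amount relative to history) and weight them, but these two checks are the core of the "Ohio then Mumbai" and "never buys jewelry" intuitions; the speed threshold and baseline size are the knobs that trade false declines against missed fraud.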
Up until the very end I figured you missed out on a legit credit. Pretty impressive if they were that convincing. It’s not easy for fly-by-night hackers to make calls like that and sound remotely convincing. They are putting in some effort.
Receptionists at car dealerships rotate more often than toilet paper. The only ones that might have an idea of anything going on at a car dealership is the service manager, sales manager, and owner. Even then it’s a crapshoot.
Yes, credit cards are insecure. But it's also relatively easy to do a chargeback.
> Or do I have a logic error in my thinking and all payment systems will always have attack vectors similar to stealing a number?
If you have a secret number, that secret number can be stolen, whether by hacking your computer or beating you with an alkathene pipe. A secret key for a bitcoin wallet is fundamentally no different to a credit card number, it's just a larger number. The key difference though is that with a credit card, when my secret number is no longer secret, I can repudiate any transactions with a chargeback, and recover my lost funds (technically, the bank is writing off my debt, but same same).
I've said this before, but at this point I think the better solution is to just assume name, phone, email, address, DoB, social security number and drivers license number are fully public, because they pretty much already are.
Then, from that perspective, companies shouldn't treat that information as individually identifiable because it's likely already public.
I'm not disagreeing with you that I wish this information weren't public, but the fact of the matter is that it is public, and breaches are possible even if you have no relationship with the company that was breached (see Equifax).
So all I'm advocating is that we accept the reality of the situation and start requiring more stringent forms of identification.
I work for an automotive vendor and this kind of thing keeps me up at night. The automotive vendor space is... lacking in technology. It's amazing what little things we can do from a technological standpoint that impress the OEMs.
Also, the way most of these vendor relationships work is that the provider collects data, passes it on to the dealership and program management company (third party that OEMs hire to handle the vendor relationships) who then passes it to the OEM itself. Often there are 3-4 copies of your data.
SSNs _are_ a surprise though. That's usually exclusively for credit approvals and every vendor I've ever worked with takes stuff seriously.
> The sensitive data was comprised of driver license numbers in more than 95% of cases. A small number of records included additional data like dates of birth, Social Security numbers and account numbers.
Wow so only that. My gosh, why is that information in a 3rd party vendor's db at all?!
New Fullz (real people's IDs) for sale. Finally a way to cash out your illicitly earned crypto.
Make a new Coinbase account in someone else's name, and a new brokerage account in their name too. They'll never know! Access via remote desktop from a compromised computer near their zip code, check the markets, those are everywhere too! That person will never know either! You can buy your favorite penny stock with the funds in their name and be seen as having a good trading year in your own real identity and clean funds.
Not advocating anything, this is what happens all day every day.
you missed the part where you make another account in someone else's name because you had bought their ID
the IRS and DOJ will go knocking on their door and parade them around, writing "no matter what assets you trade, you can't hide and our financial system is immune from illicit funds"
With a paper trail a mile wide leading to the wrong door: sure. 'Your account' is their account. By the time the money hits a real account in control of the perp it will be offshore for sure.
In the US, the DMVs of many (all?) states sell the data they have on you to 3rd parties without you having a say in it. So there's no telling how many DBs have copies of your data stored.