I have (ironically, you might say) spent the last 15 years working in the PCI (Payment Card Industry) security sector for my day job (the UE4 stuff is new for me), so I’m quite aware of the attack vectors. I can rule out some speculations.
- The card was not RFID equipped, so your RFID reader attack isn’t going to work, no matter the proximity. There was no wireless component to this card.
- I never used the card at a physical store, so there was no possibility of skimming by a waitress, etc.
- Never having brought the card out into public also negates the possibility of shoulder surfing or other optical compromises (unless it was at my house).
- If my computer (a Mac, by the way) had been infected by malware, then I would have expected other compromises with the other cards I use much more often online (I do purchases for my night job, my day job, as well as lots of Christmas shopping online). It seems unlikely that my least-used card would have been my only problem if I had been compromised locally. Not impossible, just unlikely. It’s also unlikely that I have malware at all given my non-risky habits (being boring pays off security-wise), my platform (OS X), and the fact that I’m the guy that helps other people secure their networks, servers, workstations, and devices. It would certainly be a fun twist if it turned out to be local malware, though. Never say never.
I don’t disagree that it’s still likely that the card was compromised from some other attack vector other than a back-end hack of the Unreal Marketplace store. It could have been the furniture store, a disgruntled relative snooping at my home, a compromise at Amazon (small-scale compromises by privileged employees are always possible…), or something else I haven’t even thought of.
BUT, as one of the only 3 places I used the card before it was compromised (the purchase at Apple was after the compromise), I really want to bring this to Unreal’s attention. If other Marketplace patrons also experienced compromises after purchases around the same date, then Unreal will want to take quick action. If it’s just me, then it probably isn’t anything that the Unreal folks need to worry about.
Oh, and of course I’m alerting the furniture place as well. Same thing goes for them. If a whole bunch of their customers have the same problem, well…
I don’t know what I would do to alert Amazon. That seems a lot like trying to find the doorbell on the Death Star…
I may never find out just how it happened. We’ll have to see.
@SaxonRah: By the way, what’s a “Victory Contributor”?