Eight credit cards stolen from my macbook pro and iphone

It sounds like someone has hacked into your Online accounts and not your phone or computer. Try changing the passwords you use for these online stores. Make sure it is only your current email address that gets notified of the password change.

It's definitely possible that you could have a keylogger on your Mac. If it got there via some known malware, decent anti-virus software ought to at least find traces of the malware it "rode in on." I think this is unlikely, but it is nonetheless possible. Unfortunately, there's no anti-virus software that can guarantee detection of a keylogger. If you suspect that you have one, the only option that can guarantee removal is erasing your hard drive and reinstalling the system and all your apps from scratch. See:

How to reinstall Mac OS X from scratch

As far as the iPhone is concerned, there's no known malware capable of infecting it if it hasn't been jailbroken. So, unless you have jailbroken it, or unless someone malicious and very technically proficient has had unsupervised physical access to your phone, a keylogger or other spyware on your phone is entirely out of the question.

You say that the networks that you are using are secure... but you should be aware that many wireless routers have been found to have serious security vulnerabilities lately, with large numbers succumbing to hacks and malware recently. It's entirely possible that someone is intercepting your internet activities, even though your wireless network is secure... for example, by simply hacking the router to redirect you to lookalike phishing sites when you go to buy something. You'd be wise to reset your router to factory settings, update the router's firmware and then set it back up again from scratch. Contact the manufacturer of the router to find out more about how to secure that particular model against attacks.

You should also change the password of any online accounts you have used these credit cards with. Those accounts might have been hacked, in which case your computer and your router would not need to be involved in any way.

Piper9132 wrote:

So the cards have been stolen over my home wifi and also while using my university's wireless (which is a password protected wifi that requires installation of a client on your device and computer to access it at all)... so I think the chances of it happening over my wifi is unlikely.

I would generally agree as long as you are using a strong WPA-2 password protected home Wi-Fi and I assume the university is using some sort of VPN network access software. There was a flaw in Mavericks versions prior to 10.9.2 that would have allowed a so-called Man In The Middle attack if they were somehow able to penetrate your network and divert you to a fake Amazon site, but there do not seem to have been reports of anybody actually accomplishing that yet. A few people alleged that this flaw could be exploited without being on your network, but it was fixed before anybody could demonstrate such a thing.

Is there anything you guys have come across recently that acts like this or something to look for on the computer files?

Not really and we watch for things like this on a daily basis. The malware that we know about has been used in the past for purely political purposes against small activist groups and takes advantage of vulnerabilities in old software that had not been upgraded. Everything else would seem to be commercial or hack software that is used for legitimate purposes (e.g. parental control) where physical access to the computer or approved shared access over the network exists.

The only software that claims to be good at detecting "spyware" is MacScan from SecureMac, but it's well known for identifying "false positives" so make certain anything it claims to have found is not something you need. It also does a lousy job of detecting even the limited amount of other types of malware it looks for.

I am just worried that it may be still living in one of my folders that I pulled off the computer before the erase. I really dont want to lose all my data from the last three years, but I also am scared to use my computer for anything!

As long as it was only data then there isn't any way for anything to start or run on a fresh system. Can you give us an idea of what all you copied back? Did it include your user Library, for instance?

on my computer, I have used the cards on websites which do not require a log in to make a purchase and the card numbers are stolen there too, so that cannot add up for the computer...

If you aren't using SSL (indicted in various ways on your browser, but the URL would start with "https" then it is possible for anybody between you and that site to harvest your data, but it is difficult to imagine that such methods would be in use with the tremendous amount of data flowing over the Internet all the time and focusing on just your Credit Card information would seem to require a lot of storage and computer power to accomplish. As I said before, leading you to a fake site is the preferred method of doing things like this and if it was fake I doubt that they would go to the trouble of making sure you got what you ordered, assuming that has been the case.

As Thomas mentioned, routers are being hacked every day, much more than any of us know about. One individual or organization now has over 300,000 routers working part time for them. Airport Base Stations have so far not been found to be vulnerable, but many big name manufacturers are scrambling now to patch their firmware, including LinkSys (Cisco), D-Link and several other minor brands. If you think that could be a problem we can work with you on that.

Re: (1) I don't see how you could have copied anything back that could act as a Keylogger or anything like it, so if something on your computer is causing this now then it would have to have been added since your fresh install.

(2) Based on the expert information we received last weekend concerning the nature of MITM attacks, it was limited to an individual being on your local network and presenting you with fake certificates in response to an attempt to use log onto a secure site using SSL in Safari or another browser that uses WebKit. Neither Firefox nor Chrome use WebKit. It is widely believed that other applications that use WebKit or Apple Secure Transport for certificate validation could also be attacked. That includes applications listed here. But from your description, I doubt that any of these were involved. It was never proven that the MITM could exist outside of your local network or that an attack different from what I described could take place.

You've hinted at this, but just to be certain...you do not have any credit cards stored with any company for periodic use to pay utility bills, iTunes purchases, that sort of thing, correct? I ask because that is the primary source for stolen credit cards today. Some of the iTunes store thefts have been explained, but most have not and Apple has never reported a compromise in that area, yet they continue to occur.

(3) You would need to change the settings on your TWC box to bridge mode (effectively disabling the router function). I'm sure you can find the manual at the manufacturers web site and use your browser or management software to log on and change it, if TWC hasn't changed the default password. If they have then you would have to call and ask them to put it in bridge mode or give you a cable modem only box.

If you suspect your router has been compromised you should be able to clear it by disconnecting the power and reset it to factory settings. Then you should ascertain whether it has been updated with the latest firmware, WAN configuration has been disabled and the default password has been changed. Again, that may not be acceptable to TWC, so you will either have to trust that they are properly maintaining it or convince them to let you do your own routing.

You didn't respond concerning WPA-2 security on the Wi-Fi. That's essential as both WEP and WPA are barely any better than having an open network as commonly available tools take only a few minutes to break the password.

I know there are police departments that have highly trained forensic analysts to deal with these things, but I'm guessing most have not yet made that investment. I have a relative in Ohio who has spent most of his life in that business and participates in nation-wide training courses. What I don't know is if their workload would allow these experts to spend much time with petty theft cases. It would seem that Credit Card fraud is a huge problem in most countries these days and it adds up to lots of money. Some of what's needed is obvious, but I think there's a lot we still don't know.

One more thing I keep forgetting to mention.

The last time I had a CC stolen, Chase told me that it appeared the gang had my basic information and used a number generator to keep trying to find a card number that worked with my name. The first six numbers identify the bank and don't change, so they just need to spin out the last ten digits once they have an old card number (for VISA & MC). There isn't much I can do about that sort of attack, but it seems to me that the Card issuers could do lots more. Chase was sharp enough to catch and refuse the charge immediately, then sent a new card the next business day, but I still had to spend a bunch of time changing things at my end.

If the facts are as you've stated, the chance that malware or a software keylogger is involved is practically nil. A hardware keylogger is not out of the question, but very unlikely.

Could anyone else have regular physical access to your devices?

Are you using the same password for more than one account?

Are you using common words or names as passwords?

Are you giving truthful answers to security questions, such as "What is your mother's maiden name?"

Are you a customer of any of the businesses that have recently had a network security breach, such as Target?

Since your machine was erased, and because of what you say was copied onto the new system from backups, this isn't malware. That can be said about as definitively as is possible.

Of course, if someone malicious has regular physical access to your devices, anything is possible. If you believe that is the case, you will need to erase the system again, and once it's back up and running, be sure to enable FileVault on the system, and make sure your user password is strong and unguessable (ie, not some predictable variation of your dog's name or your birthday or something like that).

Now, it's very difficult to know exactly when and from where a card number was stolen, so I'm curious how you can say that some of your cards were stolen on the university network and some on your home network. If you have certain cards that are never used anywhere but on the university network, and other cards that are never used anywhere but on your home network, then it's unlikely the cause is a network compromise. If that's not the case, though, the cards could be getting stolen all while on your home network. That router could be compromised, and you haven't said anything about resetting the router as I recommended.

Also, note that unless you're only using these cards online, you can't know that they're being stolen online. If you have used them at some local business - say, a local coffee shop - it's far more likely that there's a person working there who is stealing card numbers regularly, or their systems have been compromised by a hacker.

I am just so frustrated that no one at the Apple store is taking this seriously or at least pretending to help...

But they have helped. You said that they erased your system for you. After having done that, it would not be at all surprising for them to treat your continuing claims of having a keylogger installed with skepticism. They cannot help you any further at this point.