When Natalie Hodge turned on her television and found her Netflix account's settings had changed to Spanish, she suspected something was wrong.

Key points:

One woman's Uber account is used worldwide in multiple transactions costing close to $1,500

Card-not-present fraud accounts for 85 per cent of card fraud in Australia

An expert recommends the tokenisation of card details for recurring payments

She had earlier noticed a dodgy log-in attempt to her Facebook account from the United States, but it was her Uber account that was about to take the biggest hit.

"Early in the morning I received an automatic text message from the Commonwealth Bank asking if a transaction in Los Angeles was me," she said.

"A couple of hours later I received a similar message from my PayPal account, saying someone is trying to process an order in San Francisco."

Over the next four hours, Uber transactions were also made in Texas, Vancouver and London, as Ms Hodge — who lives in Townsville — scrambled to cancel her cards and contact the rideshare company.

"They were taking far too long to get back to me and the money just kept coming out of the accounts."

Natalie Hodge and her partner Jacob had just moved to Townsville when the fraud occurred. (Supplied: Natalie Hodge)

She eventually reached Uber via Facebook, but not before more than $1,000 was spent using her personal account and about $300 from her employer's card that was connected for business travel.

Even her partner's parents were stung because they had used their card to order takeaway through Ms Hodge's Uber Eats account.

Ms Hodge said she believed her details had been sold on the so-called dark web.

"All those [affected] accounts I've accessed on my phone ... I think that somehow there's been something that's gotten onto my phone, but I don't know what it is.

"I don't click on random links or anything like that — I'm not someone who responds to those."

An Uber spokeswoman said Ms Hodge's account was compromised as a result of what security professionals call "credential stuffing".

"If you're reusing the same password on multiple services or accounts, it's easy for someone to login to each of those accounts if your password is ever compromised," she said.

Ms Hodge was reimbursed, but experts warned that things could have been much worse had her card details with Uber and Netflix not been encrypted or "tokenised".

All parts of the electronic payment system can play a role in reducing card fraud. (Supplied: Accenture)

Cybercrime economy

Cybercrime expert Alex Tilley, who has worked for casinos, banks and the Australian Federal Police, said there had been a veritable "explosion" in stolen card details being distributed online.

He said tested and verified card details with high balances could be sold online for $US10 to $US20 in what was known as the card-not-present (CNP) trade.

"People have been lifting card details forever, but with the current ease of flicking stuff around online ... it's blown up and become really bad," Mr Tilley said.

There are myriad credit card "dump sites" that sell details of people whose information has been compromised worldwide, often in large-scale company data breaches, including from hotel chains and travel sites.

"But it's not just about getting the card, it's getting the knowledge on how to use it and make some cash before it gets shut down," Mr Tilley said.

Many dump vendors include instructions on how to use the cards and avoid detection, while some include automated vending carts (AVCs) to sell specific card details — a user-friendly system that resembles the online shopping carts offered by legitimate retailers.

Advice for online transactions

Look out for the padlock in the URL and the https — it indicates protection against digital eavesdropping

If a site says "not secure" or doesn't have the padlock, you really shouldn't be entering your payment details there

It's fine if the website itself isn't https but the payment method is

Source: AusPayNet

Token effort

Of the $565 million spent in fraudulent card usage during the 2017-18 financial year, 85 per cent ($478 million) was linked to the CNP trade, according to the Australian Payments Network.

AusPayNet chief executive Andrew White attributed this prevalence to increasing security measures against card-present fraud at the point of sale and ATMs that had driven criminals online instead.

He said AusPayNet consequently encouraged the "tokenisation" of card data.

This meant that after someone joined a service with a recurring payment and was verified, the cardholder's details were no longer retained and were instead represented by randomly created numbers, called a token.

"That token can be used in the same way as the card, but if you are breached in terms of your data, the data is worthless," Mr White said.

He said Netflix and Spotify were examples of services that already used tokens.
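A simplified model of the tokenisation described above, added here as an illustration and not code from AusPayNet or any service named in the article. The `TokenVault` class, the merchant names and the rule that a token only works for the merchant it was issued to are assumptions; the card number is a widely published test number.

```python
import secrets


class TokenVault:
    """Simplified stand-in for a payment provider's token service (hypothetical)."""

    def __init__(self):
        self._by_token = {}  # token -> (card number, merchant the token was issued to)

    def tokenise(self, card_number, merchant_id):
        # The token is random, not derived from the card number,
        # so it cannot be reversed without access to this vault.
        token = "tok_" + secrets.token_hex(16)
        self._by_token[token] = (card_number, merchant_id)
        return token

    def charge(self, token, merchant_id, amount_cents):
        entry = self._by_token.get(token)
        if entry is None or entry[1] != merchant_id:
            return None  # unknown token, or presented by a different merchant
        card_number, _ = entry
        # A real provider would send card_number to the card network here.
        return {"merchant": merchant_id, "amount_cents": amount_cents,
                "card_last4": card_number[-4:]}

    def revoke(self, token):
        self._by_token.pop(token, None)


def demo():
    vault = TokenVault()
    test_card = "4111111111111111"  # published test number, not a real card
    # Sign-up: the merchant hands the card to the vault once and keeps only the token.
    merchant_db = {"customer-42": vault.tokenise(test_card, "streaming-co")}
    token = merchant_db["customer-42"]
    monthly = vault.charge(token, "streaming-co", 1599)  # recurring payment works
    replay = vault.charge(token, "other-shop", 1599)     # copied token used elsewhere
    vault.revoke(token)                                   # after a breach is reported
    after_revoke = vault.charge(token, "streaming-co", 1599)
    return merchant_db, monthly, replay, after_revoke
```

The merchant's stored record holds only the random token, so a copy of that record carries no card number and the token is refused when presented by anyone else.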

Whole-of-industry problem

Mr White said he encouraged banks and merchants to remain vigilant.

"[Criminals] test merchant and retailer capability [with stolen card details] essentially by putting $1 transactions through," he said.

"Quite often those $1 transactions can be early indicators or lead indicators of fraud because your defences are being tested."

The solution, he said, was for all parts of the electronic payment "eco-system" to play a role in reducing card fraud, including merchants being more aware of strange activity.

Warning signs could include multiple purchases being made across several cities, as in Ms Hodge's case, or a transaction that appeared out of the ordinary from a customer's regular activity.

"If you suddenly buy 10 laptops in Thailand, for example, that would stick out like a sore thumb and should kick through to a risk trigger," Mr White said.
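The two warning signs described above, small test charges and purchases across several cities in a short period, can be expressed as a simple risk check. This is an added example, not code from AusPayNet or any bank; the thresholds, field names and sample transactions are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

PROBE_MAX_CENTS = 100             # assumed threshold: charges of $1 or less
CITY_WINDOW = timedelta(hours=4)  # assumed look-ahead window
CITY_LIMIT = 3                    # assumed: 3 or more distinct cities in the window


def risk_flags(transactions):
    """Return {account: set of flags}; accounts with no flags are omitted."""
    by_account = defaultdict(list)
    for tx in transactions:
        by_account[tx["account"]].append(tx)
    flags = defaultdict(set)
    for account, txs in by_account.items():
        txs.sort(key=lambda t: t["time"])
        for i, tx in enumerate(txs):
            if tx["amount_cents"] <= PROBE_MAX_CENTS:
                flags[account].add("low_value_probe")
            # Distinct cities seen from this charge up to CITY_WINDOW later.
            window = [t for t in txs[i:] if t["time"] - tx["time"] <= CITY_WINDOW]
            if len({t["city"] for t in window}) >= CITY_LIMIT:
                flags[account].add("multi_city")
    return dict(flags)


def _t(hhmm):
    # Constructed date; only the time of day varies in the sample.
    return datetime.strptime("2019-01-01 " + hhmm, "%Y-%m-%d %H:%M")


# Constructed sample data (amounts and account names are invented).
SAMPLE = [
    {"account": "rider-1", "time": _t("06:00"), "city": "Los Angeles", "amount_cents": 4200},
    {"account": "rider-1", "time": _t("08:00"), "city": "San Francisco", "amount_cents": 3100},
    {"account": "rider-1", "time": _t("09:00"), "city": "Texas", "amount_cents": 5600},
    {"account": "rider-1", "time": _t("09:30"), "city": "Vancouver", "amount_cents": 2800},
    {"account": "rider-1", "time": _t("10:00"), "city": "London", "amount_cents": 6400},
    {"account": "card-2", "time": _t("11:00"), "city": "Sydney", "amount_cents": 100},
    {"account": "card-2", "time": _t("11:10"), "city": "Sydney", "amount_cents": 250000},
    {"account": "regular-3", "time": _t("12:00"), "city": "Townsville", "amount_cents": 1500},
    {"account": "regular-3", "time": _t("18:00"), "city": "Townsville", "amount_cents": 2300},
]
```

Calling `risk_flags(SAMPLE)` flags the first account for multi-city use and the second for a low-value probe, and leaves the third unflagged.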

He added that stronger authentication also helped reduce CNP fraud, such as using biometrics (facial recognition or thumbprints) or two-step authentication via text messages or apps.

A more precautionary approach

Ms Hodge said she had now set up two-step verification for all her accounts.

"For most of these apps, two-step authentication is something that's relatively new," she said.

"Unless you go into your settings and look for it, people wouldn't know about it."

The Uber spokeswoman said the service encrypted card data after it was entered so financial information could not be stolen and used off the platform.

She said it also offered a two-factor authentication service and sent notifications if an account was accessed through a new device.