Identity Theft...

Are you absolutely certain that this happened through something on the internet?
There's a whole load of ways people can get your details now, oddly enough I was watching a program earlier about the methods people use.

There are card readers that can be attached to ATM's which read your card and can capture your PIN when you use the machine. They used to be easily spottable but they're smaller now and sometimes people don't notice. Always check the machine you're using, if there's any weird looking bumps, bits that stick out, seemingly extra pieces to the place where you insert the card or anything suspicious at all. Don't use it.

If you ever pay for anything in a store or restaurant, it's recommened that you keep your card in your sight all the time as there are also small, portable card readers people can get. In the show, they demonstrated it with a girl dressed up as a waitress, she took the card from a guy then pretended to drop it. The camera zoomed in to show what she did next; she bent down and it looked like she wiped the card on her pant leg to clean it off. She then smiles, apologises and hands the card back to the guy.
She had a card reader attached to her ankle by a band and she swiped his card through it in only a couple of seconds, then she watched over his shoulder as he input his PIN on the genuine reader she was holding. He thanked her for the service and even gave her a generous tip.
They explained to him what had happened when he got up to leave, he was absolutely stunned and obviously really shocked that something like that could happen in a nice restaurant, situated in an upmarket area.

The above methods are more commonly used for card duping as they get the PIN as well, making it possible for them to clean an account out easily.
If you've ever ordered anything over the phone that needed to be delivered to your house and you paid by card, that's basically all the details anyone would need for getting stuff online at your expense. I know it's tempting to think "fuck you for your lax security internet" but it could be equally as likely that it happened elsewhere. So think really carefully and make a list of the times you've used your card and if the place you used it would have access to your address.

Your first course of action is to cancel the card and report what's happened to your bank, they'll investigate and will most likely refund you for whatever you lost from your account as it's easy for them to take someone to court, recover their funds that way and add on a load of extra expenses they can charge against the perp. That way, they get a little extra profit.

If you want to play P.I. while your bank is doing that, there's a few things you can do.
You're obviously aware that someone's been using the card online so you should have paper or online bank statements which should show a transaction ID or reference number for the transaction, sometimes they'll tell you the name of the online store or the website.

If you have the website, scroll down.

If you only have a transaction ID or reference, ring your bank and ask for all the details associated with that number. They should be able to give you a website, company name or the details of whichever online payment processing method was used. From that, you should be able to get to the online store or particular website.

If you've got those details, ring up their customer services and you then have two choices.
One is sneaky and the other is total honesty. Up to you which you go for.

1) Ask them why your purchase hasn't arrived yet. You can tell them the date that the money was removed from your account, the amount that "you" spent and confirm your card details if they ask for them. Once you've proven that you're "you", ask if they can comfirm the shipping address given at the time of the purchase
If you're lucky, they'll simply read you the address that they have on file without any questions.
If you're not lucky, they'll ask you to give it to them first. Give them the address the card is registered to and if they tell you it's not the same, ask which address they have as you might have automatically entered your unversity/rented accomodation address without thinking.
Hopefully and depending on your bluffing skills, you'll get the address you want, it'll be a home address and not a drop box or something similar.

2) Explain your situation honestly. They might give you the details and an address if you talk to someone incredibly sympathetic who doesn't mind losing their job but this is highly unlikely.
I'm not exactly sure on the Data Protection laws where you are but hypothetically, if they give you the details and you use them to trace down whoever used your card and then beat the crap out of them. The person who gave you the details and the company they work for would be liable for giving you the address.

If you do manage to get an address and it's a home address, don't even consider going round there and I seriously mean that. There is absolutely no point whatsoever. You know nothing about the person who used your details and although you want to satisfy your curiosity (which is understandable) it's probably a good thing that you don't know them, you don't want to do anything that could get you into trouble.

They could be a chance opportunist, not really a genuine bad guy but someone who's aware that you're likely to get refunded for your money and that this faceless crime probably hasn't caused you much distress other than worrying about how your details were taken.
They might be some poor bastard who is heavily in debt, working a shitty job that doesn't pay much. Has a truckoad of bills to pay, couldn't resist the temptation to get themselves something at the expense of a someone they have no connection to and they live with their aging and disabled Mother.
Or they could be a sociopathic nutjob with a massive gun collection and a load of professional criminal associates who also happen to be Yakuza.

I know you're pissed at the moment and you're right to be so but usually, when this kind of thing happens. It will be investigated by the bank's fraud department, they'll pass the details of the case on to wherever is necessary and all you will be told officially is that the matter was resolved and any money taken fraudulently from your account will be refunded.
Discovering the perp's details for yourself gives you some control over this situation, it's a challenge and it can be strangely fun but if you do discover anything don't take it any further than writing it all up, printing it out and sending copies to the police and your bank.

They can act legally on that information to bring whoever did this to justice.
You can't.
Unless you're Batman.

So, think about this carefully, write down anything useful you remember that might help you figure it out but remember that even if you get your money back, you may never find out who did this and why. It's a shitty thing to happen and it's definitely wrong but it's not the worst thing imaginable.

With regard to internet security. Always make sure your virus scanning and firewall software are up to date. Some shit can disable auto-updating so every week, use the manual update option if there is one. Check the filesizes and dates on the update and you should be able to work out if your software is updating correctly. If there's not a manual update option, visit the official website for that software and manually download any new updates.

Basic thing but I've nearly been caught out by this, if you make an online transaction or you need to enter sensitive or personal details on a website, always check that the web address in the address bar starts with https:// and that there's a padlock symbol next to your browser load bar.
Check every time and on every page.

I don't know which browser you're using but nearly all the main ones, Google Chrome, Firefox, IE,
(not sure about others, they're the ones I use) have built in phishing and malware protection and should warn you if you visit a site that's potentially dangerous. Double check your browser security settings and make sure they're all good and correct.
Also, check any stored cookies/Active X installs that you have and where they came from.

Make sure you're the only one using a computer that has your personal or banking details stored. Family may not steal from you but they can download stupid things and compromise your security without meaning to. If you ever write down web passwords, do it on paper and don't use textfiles and be extremely careful if you ever use the "remember username/password" browser options.

Last thing. If you ever, even for a second, think that a website is dodgy in some way.
Google it. If it's a scam, fraudulent or malware infested website the chances are that someone else has already discovered it and they've put the details up online.

I can't think of much else that'd be useful offhand but this site gives you a run down and basic advice on internet security.

Good luck with getting this all sorted out, I sincerely hope you get refunded and some closure.

Identity Theft...

Completed

Ongoing

Upcoming