As mentioned in the post below, we knew the bank admitted error, in that for whatever reason, they never closed the old card, so that was part of the problem - but we couldn't figure out how the thief was still able to do this without the CVC code on the back of an expired card.
They surmised it was local because "skimmers" do need the physical card to go into a card reader physically with their skimmer attached to it.
"Skimmers" that do this almost never use the card immediately to avoid suspicion, and often during the holidays, when banking is more limited, so the actual skimming was likely done months ago.
The reason they were able to drain my bank account is that Venmo does not request the CVC code on the back of the card, does not verify your identity, does not require full financial institution information, and does not possess bank-level security systems on their platform (though they state they do, but have been sued repeatedly over this claim, I learned today).
That just left how it was able to go through despite being expired.
Then, because they didn't close the old card, not only did they send me a new one as requested in June, but they also sent a replacement card for the old one in August, as the old one was due to expire.
When we received this, my husband saw it on the counter and erroneously thought I'd ordered a second new card for his use for errands, and put it in his wallet - my fault, I didn't put it away immediately/tell him what it was.
(This is the card I mentioned having in my desk, which I noticed among his cards a few weeks ago and told him it was expired and let me just put it away so as not to accidently try to use it, with him forgetting the reason he put it there to begin with was he thought it was a second card I'd ordered.)
Thus, it was this card that was "skimmed."
The security team member gave us a few extra security tips to avoid being "skimmed":
1) Carry your card in an RFID-safe wallet. Some skimmers use a handheld magnetic reader and wand, reading it right from your purse or pocket, without ever laying a hand on your card. RFID-safe wallets have a barrier material that disallows the magnetic strip to be read by skimmers.2) If using a card reader at the store, gas station, etc., if not locked down (which many stores have already done) shake it a little bit, before you put your card in - no matter how sophisticated the skimmer is, attached likely while the clerk was busy, it should fall off.3) If using your card at a gas pump, always use the pump closest to the cashier - skimmers are less likely to have time to attach those there, because the cashier can see what they're doing more easily.
Otherwise, it's been reported to the FBI and it is still their jurisdiction, because the actual unauthorized funds-transfer/crime was committed via the internet/phone app.
I don't know about y'all, but I'm just about over using on the internet much at all anymore - because there's more BS than ever, but it's still just as lawless as it ever was, decades later - and no one has any intention of fixing these problems, because these problems benefit power abusers the most - the internet continues to enable the worst kind of people, ruining it for everybody else!
Hello, 2021 - and Happy New Year!