julienchastang 3 hours ago

Related story and wondering if the OP may have been chasing red herrings. I recently noticed an unauthorized charge for a small amount on my credit card (something about FB/Meta). Likely someone probing the card to see if anyone would notice. I called the CC company, had them remove the charge, canceled the card and had them send me a new card (5-7 business days). With the brand new unused card (new CC number, new expiration date, new CVV), the fraudulent payments resumed (again FB/Meta). How is this possible? The reason: digital wallets. Your credit card number, etc. transfers via digital wallets even when you cancel the card. I again called the credit card company and this time told them to cancel all the digital wallets (there were 99 of them!). There is no way to do this online. You have to speak to a human in a call center. You then have to sit through a lecture about how all your renewing payments are going to reset and you will have to re-establish them with all merchants. "Yes, I understand that. Please cancel the card and all digital wallets!" Then you have to hold for twenty minutes (why? what are they doing? manually canceling all the digital wallets?). The lesson I learned here is that canceling your credit card may not be what you think. Also, recurring payments must be incredibly lucrative, and canceling them must amount to a big loss in revenue. (Edited for grammar.)

cj 3 hours ago | parent | next [-]

I’m not sure about “digital wallets”, but the concept of updating credit card details after a new card is issued does exist, and it’s a service offered by credit card companies.

Blog post from Stripe:

https://stripe.com/resources/more/what-is-a-card-account-upd...

resonantjacket5 2 hours ago | parent | next [-]

It's called automatic billing updaters.

Like:

Visa: Visa Account Updater (VAU) https://developer.visa.com/capabilities/vau
Mastercard: Automatic Billing Updater (ABU)

It worked fine for some time, but the problem is that now the stolen credentials are being refreshed as well.

lxgr 2 hours ago | parent [-]

Ideally, the issuer is able to investigate what type of fraud exactly happened on the card, and in case of a suspected compromised card number they can choose to simply not perform account updates or carry over tokens to the new card.

Practically, it's of course not that simple or clear-cut. As most things in payments, this too is a trade-off of cardholder inconvenience, support effort, fraud losses etc.

SkiFire13 3 hours ago | parent | prev | next [-]

There are also "network tokens" that allow you to skip this step and instead remain linked to the new credit card when it changes.

thechao 2 hours ago | parent | next [-]

I discovered this "quirk" when the local ice rink started charging me for dozens of charges — I was watching them come in. There were two "child2 thechao"s (insert crazy common name); and ... they just picked one and started charging. They didn't want to reverse the charges because the mom of child2 didn't want to pay.

Denvercoder9 3 hours ago | parent | prev | next [-]

Indeed, I suspect that's what went on here. I don't think there even exist 99 providers of what's customarily called a digital wallet (e.g. Apple/Google Pay), and there's definitely no single person that uses 99 of them.

It's bad service from GP's card company though, with network tokens they should be able to see which specific token was abused, and revoke just that one.

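The issuer-side behaviour the two comments above describe (carry the merchant tokens over to the replacement card, but revoke only the one that was abused, and withhold the account-updater mapping when the card number itself is suspected compromised) can be sketched as a small token vault. This is an added example written for this page, not code from any issuer, card network or the Stripe/Visa material linked in the thread; the class, the merchant names and the test PANs are constructed for illustration, and real networks add expiry, cryptograms and per-transaction risk checks that are omitted here.

```python
from dataclasses import dataclass


@dataclass
class Token:
    token_id: str
    merchant: str
    pan: str                   # underlying card number the token currently maps to
    status: str = "active"     # "active" or "revoked"


class IssuerTokenVault:
    """Hypothetical issuer-side vault: one network token per merchant."""

    def __init__(self):
        self._tokens = {}      # token_id -> Token
        self._cards = {}       # pan -> "active" | "cancelled"
        self._updater = {}     # old pan -> new pan, the account-updater view
        self._counter = 0

    def issue_card(self, pan):
        self._cards[pan] = "active"

    def provision_token(self, pan, merchant):
        """Merchant stores this id instead of the card number."""
        if self._cards.get(pan) != "active":
            raise ValueError("cannot tokenize an inactive card")
        self._counter += 1
        tok = Token(f"tok_{self._counter:03d}", merchant, pan)
        self._tokens[tok.token_id] = tok
        return tok.token_id

    def authorize(self, token_id):
        """A token only works while it and its underlying card are active."""
        tok = self._tokens.get(token_id)
        return (tok is not None and tok.status == "active"
                and self._cards.get(tok.pan) == "active")

    def report_fraud(self, token_id):
        """Revoke only the abused credential; other merchants keep working."""
        self._tokens[token_id].status = "revoked"

    def account_updater_lookup(self, old_pan):
        """What a merchant holding the raw PAN would receive from the updater."""
        return self._updater.get(old_pan)

    def replace_card(self, old_pan, new_pan, carry_over=True):
        """Cancel old_pan, activate new_pan, and decide per token what to keep.

        carry_over=False models the 'suspected compromised number' case:
        nothing is re-linked and no updater record is published.
        """
        self._cards[old_pan] = "cancelled"
        self.issue_card(new_pan)
        carried, dropped = [], []
        for tok in self._tokens.values():
            if tok.pan != old_pan:
                continue
            if carry_over and tok.status == "active":
                tok.pan = new_pan          # re-link the token, merchant sees nothing
                carried.append(tok.token_id)
            else:
                tok.status = "revoked"     # already-abused or deliberately dropped
                dropped.append(tok.token_id)
        if carry_over:
            self._updater[old_pan] = new_pan
        return {"carried": carried, "dropped": dropped}


def reissue_after_fraud(carry_over=True):
    """Walk the thread's scenario and report which merchants still authorize."""
    vault = IssuerTokenVault()
    old_pan, new_pan = "4111111111111111", "4222222222222222"  # constructed test PANs
    vault.issue_card(old_pan)
    tokens = {m: vault.provision_token(old_pan, m)
              for m in ("streaming", "utility", "unknown_merchant")}
    vault.report_fraud(tokens["unknown_merchant"])      # the abused token
    outcome = vault.replace_card(old_pan, new_pan, carry_over=carry_over)
    still_works = {m: vault.authorize(t) for m, t in tokens.items()}
    return outcome, still_works, vault.account_updater_lookup(old_pan)


if __name__ == "__main__":
    print(reissue_after_fraud())
    print(reissue_after_fraud(carry_over=False))
```

With carry_over=True the two legitimate subscriptions keep authorizing on the new number while the abused token stays revoked; with carry_over=False every merchant is cut off and the updater returns nothing, which is the "reset all your recurring payments" outcome the original poster was warned about.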
cogogo 2 hours ago | parent | prev [-]

Interesting. I recently cancelled and reordered a card and I have still been able to make purchases via Amazon without ever making an update. In this case I am happy about it because I am lazy but had no idea how it was working. Presume this is what is going on.

rconti 2 hours ago | parent | prev | next [-]

Yep. I've been able to use the "wrong" (but still valid) expiration date on my AmEx for a long time. I've had other credit cards where the autopay info was never updated and it just kept working for at least 6 months.

Marsymars 26 minutes ago | parent | next [-]

Funny, the Amex on my Pixel Watch stopped working only a couple weeks after the physical card expiry.

It was quite confusing, because a) I received a replacement physical card several months before the card expiry, so by the time my watch stopped working I'd entirely forgotten about it, b) there's no indication anywhere in the Android/Wear OS of what the expiry date is or that it might be expired and c) there's no indication at the point of sale that the virtual card is expired, simply a generic "Declined" message.

Denvercoder9 2 hours ago | parent | prev | next [-]

Account Updater functionality isn't necessarily even involved there. In the end whether to accept a transaction is up to the issuer, and quite often they'll keep accepting recurring transactions on otherwise outdated card information.

kay_o an hour ago | parent | prev [-]

You can run a charge with only the card number if you have sufficient trust. Each additional piece you add reduces liability and transaction fees (add exp, add cvc, add 3ds, ...)

cft 2 hours ago | parent | prev [-]

I also noticed that my Google Wallet cards no longer have expiration dates: when a card expires and they issue a new one, the Wallet card works without any intervention on my part.

Marsymars 24 minutes ago | parent | next [-]

That's very much contrary to my experience just a couple months ago that I detailed in another post: https://news.ycombinator.com/item?id=47981956

lxgr an hour ago | parent | prev [-]

Wallets usually don't store the card information directly anyway, but only a token, which can be re-associated with new underlying card details when the card is replaced.

The token itself does also have an expiry date (it's a mandatory field in most protocols), but that can be updated as well, I believe.

8note 9 minutes ago | parent | prev | next [-]

If it was a $0 or $1 auth, it's likely a fraud check done by said company to make sure you still exist.

One or more of those digital wallets are some subscription-supporting thing, and if that auth failed or had an address mismatch or wrong kind of card, they will disable your account until you update your card.

thomk 2 hours ago | parent | prev | next [-]

Check out privacy.com, you can make your own cards. One per service if you want.

at-fates-hands an hour ago | parent [-]

Been doing this for a while now for ebay and other stuff. I'm always shocked at how many people have no idea this exists.

pxeboot 2 hours ago | parent | prev | next [-]

> I again called the credit card company and this time, told them to cancel all the digital wallets (there were 99 of them!). There is no way to do this online.

This is highly dependent on your bank. For example, Bank of America lets you view and delete any cards that have been added to a digital wallet right on their website.

Marsymars 19 minutes ago | parent | next [-]

Half of my cards can't even be added to non-iPhone devices without a verification phone call to some poor support agent who's never heard of a "Pixel Watch", has no idea what the workflow is on his end to manually verify cards being added, and just wants me to "use the iPhone app to verify".

Heaven forbid if I try to add a card to an Apple Wallet on a Mac where no iOS or Android app exists.

lxgr an hour ago | parent | prev [-]

Only digital wallets, or also any merchant that saved the card using a token? The latter is getting more and more common, but usually happens transparently to the cardholder.

Theoretically, it would allow a pretty neat feature of being able to manage all merchants that have a copy of the card in the banking app and revoke said copies – but since token use is not mandatory, that would be fairly confusing, so I haven't seen this yet as far as I remember.

FWIW, India has taken a pretty radical step towards that future at a regulatory level by effectively mandating merchants to no longer store the underlying card number and use tokens instead. I suspect that such an interface would be more common there, but I don't have any personal experience.

ph1lw an hour ago | parent | prev | next [-]

Same here, had a 200 EUR charge from Meta / FB - still waiting for my new card.

kodbraker 3 hours ago | parent | prev | next [-]

For my case, it was almost certain. As it happened in a single day, and the card I use was a virtual card only used on a couple of big ecommerce websites, etc.

If it was leaked somewhere else, I think they wouldn't bother logging into some unrelated account of mine on an ecommerce website.

tety 3 hours ago | parent | prev [-]

Digital wallets as in Apple/Google Pay? I had a similar thing happen and I am wondering what did you make of this double charge, what did the attackers do in your opinion?

resonantjacket5 2 hours ago | parent [-]

No, it's like a continuation of your credit card for recurring payments.

It's called Automatic Billing Updater (ABU).

The idea is that if you ask for a new credit card after being stolen, your utility providers, say, or other subscriptions like Netflix can seamlessly switch over to the new credit card number.

It worked fine for a while, but of course the problem is that afterwards the stolen credit card credentials started to be refreshed as well.

(Used AI to fetch the list below.)

Visa: Visa Account Updater (VAU)
Mastercard: Automatic Billing Updater (ABU)
American Express: Cardrefresher
General: Recurring Payment Tokenization