Scammers Exploit ‘Convenient’ Feature of Credit Cards and Drain Accounts Even After They’re Canceled

Reports are surfacing that even after a person cancels their credit card, cybercriminals can still steal their account if The card issuer uses a security feature called “automatic updates” – a feature that most major credit card issuers use in some form or another.

If you get a replacement card due to fraudulent charges, the feature will transfer all recurring charges from the old card to the new card so there is no interruption in service.

But thieves can get their hands on these card numbers. How? As usual: mainly via the Dark Web, card numbers that were previously acquired through phishing, skimming devices or security breaches.

It’s a game that has even caught payment processing professionals off guard. “As a consumer, I had never heard of it before. I’ve been in payments for 10 years and I had never heard of it,” said Ray Zak, CEO of Simplepay.

If someone in the credit card industry didn’t know about it, you can bet most consumers don’t either.

You ask: “But how?”

Wondering how a thief can reuse an old card that has been replaced? It is true that when a credit card is canceled and replaced, the old card is deactivated and cannot be used for new transactions. However, the danger lies in this automatic update feature, which transfers the new card information to the merchants where the old card information was stored.

All they do is pass these credentials around to different merchants, in the hopes that a transaction will be approved.

The thief gets away with it

Benzinga’s Alison Plaut says consumers have been seeing extra charges on their credit card statements from names they know and trust, like Hulu, Xbox or Uber.

But because people tend to quickly scan their credit card statements, they may miss these charges or assume that a family member is using the service and charging them to their card (for example, a child with an Xbox subscription). And if these seemingly innocent charges aren’t caught and reported, they can continue to add up.

You’d be right to assume that if your credit card statement shows a charge to “Hulu,” the money would actually go to Hulu. But that’s where the thief gets smarter.

The thief does not directly receive the money from such a transaction. Instead, he benefits indirectly through various schemes such as reselling access to the consumer’s Hulu account on the Dark Web, using the service itself, or providing it to others in exchange for money that he then uses to purchase things legally.

How to get out of this mess

The biggest problem with this game, Plaut said, is that there is no easy way out for the consumer. She noted that one consumer thought he could outwit these thieves by having Bank of America send him a new credit card every few months for years to avoid fraudulent Uber charges. But the automatic updates kept the fraud going.

If this happens, there are two things you can do. The first is to dispute the charge and stop the company from charging your credit card. However, this can be complicated. If you have multiple credit cards, you can always change the charge to a different one, but this will only last until another thief comes along and tries to pull the same trick.

The other solution is to turn off the automatic update feature. If you want to do this, here are the general steps to follow:

Identify the service: Determine if your card issuer participates in the Visa Account Updater (VAU) program or the Mastercard Automatic Billing Updater (ABU) program. You can usually find this information on your issuer’s website or by contacting their customer service department.

Contact your transmitter:Turn over your credit card and find the customer service number. Then, call them or go to their website to find out how to unsubscribe from the specific service. Some issuers make it easy with online forms, but you’ll have to search for them.

Do whatever they tell you to do:At this point, you need to be very careful. Follow the instructions suggested by your card issuer. They know where the potholes are and by going around one, a scammer can still manage to sneak in.

Check, check, check:After opting out, call your card issuer again and simply confirm that automatic updates have been turned off for your card.

But, remember this little thing

Disabling automatic updates can mess things up a bit if there are recurring charges in the pipeline, resulting in declined transactions.

To avoid this hassle, make sure to update your card information manually (not over the phone) with any company you make recurring payments with. And take a screenshot of it too, as you may need proof in case something goes wrong.