LycaMobile Users: Had card fraud/attempted card fraud recently?

xzsh29

I signed up for a LycaMobile plan in March 2024, I used a virtual card created exclusively for LycaMobile and even named it Lyca, cancelling it after my purchase. While travelling this week, Monzo alerted me that a company, Hamilton Hardly Publish, had performed an active card check on the card. Followed the next morning by another company, World Market Ecomm.

I'm not the only person who had a card compromised, where that card was exclusively used at LycaMobile, see x.com link below

I posted on a forum related to mobile deals, the Monzo community forum and looked on Twitter since I highly suspected LycaMobile had been breached again - including the leak of card details this time. I quickly found other Lyca Users who were seeing attempted charges from other USA based merchants, the same ones as mentioned above and some more like Strong Marriage Now, Frenchies & More

Lyca claim they only store the card number (encrypted) and expiry date, and Monzo confirmed the attempted transactions were only made with the card number and expiry date.

I can't post the relevant links I had here, but to find them you can look for:
Lyca Mobile: Blatantly Compromised on the ISPReview Forum
Look at @tameraktas's thread with LycaMobile on X/Twitter.com

See the "LycaMobile Users: Had card fraud or attempted card fraud recently?" thread on the UKPersonalFinance subreddit

Despite the above, LycaMobile claimed they hadn't had any direct customer complaints. I emailed their fraud and complaints email on the 14th & 15th, as did many other ISPReview commenters, including complaints directly to the ICO. Lyca responded directly and publicly to a complaint on X on the 13th.

I'm wondering since this forum is likely to hold some people who signed up to Lyca's amazing deals at some point, if you've been seeing attempted fraudlent transactions including the following merchants?
Hamilton Hardly Publish
World Market Ecomm
Strong Marriage Now
Pontoon Specialists
Frenchies And More/Frenchies & More
SoDick Inc

datz

Like you, I have a virtual card (Revolut in my case) assigned soley to Lyca. I have also had card verification checks attempted (no charges yet).

12th: Frenchies & More

14th: Kris's Kustoms

I have temporarily frozen the virtual card after the first verfication check, so the second check two days later automatically failed. Maybe that will be enough to dissuade them from further attempts. I just need to remember to unfreeze it before the next Lyca payment is due, and then I'll recreate a new virtual card for the next 6 month Lyca promotional deal that I take out.

Anyway, my general approach... always provide companies with the least amount of genuine personal data that I can get away with (for these very reasons). Some companies do need more (or all, for example, financial) to be able to provide their services, some important accounts I want secured against my real identity - but then there are many entities that I might engage with that need very little, or none, of my actual data (just remember to make a note of what is given).

In the case of Lyca, I am not that concerned - I used a fictional name and address (eSIM so delivery not needed), use a virtual card (fictional card holder name). The virtual card has a low monthly spend limit so that Lyca can never charge me anything but the promotional rate (which I suppose helps in cases like this too). For context, my use case for Lyca is as a secondary SIM/service to use for outbound calls/texts and data - My main number is kept on a seperate (negligible cost) SIM with one of the 'big 4'. This means I never PAC my actual number around (so it can't be held hostage or lost), and I treat Lyca/Lebera/etc as completely disposable once their promotional periods run out.

sheffieldeagle

I've also had the same. I was going to start a thread but glad someone has. My bank alerted me to the attempt and card was cancelled.

Cheers

xzsh29

Just to update, LycaMobile are not replying to anybodies emails

According to reddit posts they are refusing to investigate any further when you get them on the phone, they reply on Trustpilot saying they are, ask for more details and never reply

MSE_James

Hi all

Colleagues in our News team put the concerns raised in this thread to Lyca, and this is what they told us:

Our security team is investigating the matter urgently. Our payment processes are PCI-DSS compliant and appropriately audited, so we are confident that they are robust.

We are also confident this has nothing to do with last year’s systems cyber attack as no financial data was lost as a result, and the affected systems were isolated and completely rebuilt.

Our customers are our top priority. We recommend anyone affected also speaks with their card provider to have the issue investigated as soon as possible. 

We're continuing to keep an eye on the situation - if anyone's had a similar experience to the posters above, please do let us know in this thread.

Grievingpanda

I've checked my Barclaycard statement having ordered a Lyca mobile sim at the end of April. I have a £0 pending transaction from Pontoon Specialists. Definitely not a transaction I recognise.

I guess I'll need to contact Barclaycard and cancel my contract with Lyca!

flaneurs_lobster

Just from the few cases detailed on here Lyca are bang to rights.

xzsh29

MSE_James said:

Hi all

Colleagues in our News team put the concerns raised in this thread to Lyca, and this is what they told us:

Our security team is investigating the matter urgently. Our payment processes are PCI-DSS compliant and appropriately audited, so we are confident that they are robust.

We are also confident this has nothing to do with last year’s systems cyber attack as no financial data was lost as a result, and the affected systems were isolated and completely rebuilt.

Our customers are our top priority. We recommend anyone affected also speaks with their card provider to have the issue investigated as soon as possible. 

We're continuing to keep an eye on the situation - if anyone's had a similar experience to the posters above, please do let us know in this thread.

I can't post links to them, but there are many other experiences posted elsewhere both on ISPReview and Reddit, Lyca also gave the exact same response they did to your news team to ISPReview

SlushPuppy24

My bank flagged a transaction today at 1.30pm for £0 at PONTOON SPECIALISTS. I too am with Lycamobile.

flaneurs_lobster

Why are the dodgy (attempted) card transactions all card verifications/£0 debits? Wouldn't a proper theft attempt just try to pull a few hundred quid before someone noticed?

xzsh29

flaneurs_lobster said:

Why are the dodgy (attempted) card transactions all card verifications/£0 debits? Wouldn't a proper theft attempt just try to pull a few hundred quid before someone noticed?

They are being validated first