We're aware that some users are experiencing technical issues which the team are working to resolve. See the Community Noticeboard for more info. Thank you for your patience.
📨 Have you signed up to the Forum's new Email Digest yet? Get a selection of trending threads sent straight to your inbox daily, weekly or monthly!

Amex account been hacked for the second time in 2 months.

Options
I'm actually curious as to how this even happens. 

A couple months ago someone hacked my Amex card & used my details to subscribe to ChatGPT. I have 2 additional card holders (2 family members) but it was MY card details that had been used, not theirs.
I brought this up on another forum on this board and the best I got was not the suggestion but the insistence that it must surely have been my wife. Couldn't be any other possibility apparently.

Thankfully Amex weren't so judging & agreed it was fraudulent & gave me a refund. They also issued new cards for all and Safe Key/2FA was turned ON.

FFWD to yesterday & I spot another bogus transaction to something called Canva. Never heard of it in my life and once again it is MY card details that have been used.

Contacted Amex who this time suggested I phone this fraud squad number. I asked about SafeKey protection & how was this bypassed and they said recurring (which this is) memberships/payments don't need it.

I understand that I told them but that then must mean there's a previous payment to start it all off. So can you tell me when that was please?
Their response - sorry we can't, there's no other previous payment on your account.

And there's also nothing from Canva in my emails on the date in question or indeed any date.

I contacted Canva also and fair play to them they responded quite quickly:

We've successfully located a Canva account ############### associated with the same transaction details under the email address m•i•o•i•a•sv•9•0•6•8k9@c•a•m•o•o•.•s. We've intentionally concealed the email address for security reasons



.


I don't even know what email provider that is likely to be. 

So fairly fresh cards (only 2 month old), SecureKey turned on. How does this even happen?


My Amex card IS loaded to my Google payments. I don't know if this could be a weak link but then why is it always the Amex & not any of the other cards loaded to Google?


I'd like to get a better understanding of how this happens so that I can then try and prevent it from happening again because as it stands as soon as I get this sorted I'll have to shut my credit card down as I can't keep doing this every few months.

«1

Comments

  • There is no evidence that your Amex account has been hacked, which would be very difficult with 2FA in place. The most likely explanation is that the card details have been copied. Do you use the card physically (shop/garage etc) where the card leaves your sight?
  • B0bbyEwing
    B0bbyEwing Posts: 1,581 Forumite
    1,000 Posts Third Anniversary Name Dropper
    edited 13 December 2024 at 1:26PM
    There is no evidence that your Amex account has been hacked, which would be very difficult with 2FA in place. The most likely explanation is that the card details have been copied. Do you use the card physically (shop/garage etc) where the card leaves your sight?
    No, I'm one of those annoying people to the cash is king crowd who pay for everything via their phone. :)

    I'm just off the phone to the fraud dept. They're going to look in to it. I did ask how this has happened twice in 2 months on 2 different cards because that is quite worrying & basically tells me it's in my interest to close this account down.
    Unfortunately the person on the other end had an accent which made them quite difficult to understand. I think they said a payment was made with the old card which then transfers to the new card but this alleged payment wasn't showing on my statement so I don't really know.

    Also if there's no evidence the card has been hacked then are you suggesting that I made these payments & then forgot that I made them?
  • born_again
    born_again Posts: 20,476 Forumite
    10,000 Posts Fifth Anniversary Name Dropper
    Cards do not get hacked.
    Details get compromised.
    Every time you use your card ANYWHERE there is a chance someone will take the details & either sell them on or use them.

    Given the mention that it was a payment on old card, then your new card is safe. Old card transactions get passed to new account. Could also be that it is a continuous payment authority which do get passed over as well. 

    Sadly it is life, & nothing you can do about it. Just carry on as normal & forget about it.
    Life in the slow lane
  • DullGreyGuy
    DullGreyGuy Posts: 18,613 Forumite
    10,000 Posts Second Anniversary Name Dropper
    Not an Android user so not aware of exactly how the app stores work in their environment but I would assume Android has a concept of "Family" of users as Apple does? Have you checked with whoever you've linked your account to to see if anyone has subscribed to Canva? Have you sold/given away a device and not cleared it properly? Again with Apple you can see all devices associated with your account. 

    With Apple at least subscriptions are initially paid to Apple and then distributed out to app developers. The default is for the Family Lead to pay for all subscriptions. Different apps dont require secondary authentications because it's a reoccurring payment to Apple. With reoccurring payments they yet your new card number when the old ones are cancelled. 

    Could be totally the wrong tree if Android operates differently but certainly would be checking subscriptions if I were you. With Apple the family Lead can see all the subscriptions under different users/members. 
  • born_again
    born_again Posts: 20,476 Forumite
    10,000 Posts Fifth Anniversary Name Dropper
    To echo the above.
    CPA do not require 2FA
    Life in the slow lane
  • B0bbyEwing
    B0bbyEwing Posts: 1,581 Forumite
    1,000 Posts Third Anniversary Name Dropper
    Cards do not get hacked.
    Details get compromised.

    Ok fair enough I used the wrong term but at least you knew what I meant :)

    Not an Android user so not aware of exactly how the app stores work in their environment but I would assume Android has a concept of "Family" of users as Apple does? Have you checked with whoever you've linked your account to to see if anyone has subscribed to Canva? Have you sold/given away a device and not cleared it properly? Again with Apple you can see all devices associated with your account. 

    Can confirm it's nothing like this. No devices, nobody has used my physical card so on & so forth. Absolutely 100% not.


    The Amex fraud dept mentioned a £1/$1 payment in October. I'm not sure if it was to this Canva or not because like I said, the guys accent was difficult to understand. 
    The only thing I can assume is that it was to Canva but then this makes no sense to me....

    They said recurring payments (so what's going on with this Canva situation) don't trigger the SecureKey protection, yet there's no previous transaction for Canva. The guy in the fraud dept mentioned this £1/$1 so he sees it on his end but it doesn't show on my end, which tells me it was declined for attempted fraud reasons. 
    Yet I guess it can't have been declined because there's quite clearly a recurring payment in place.
    So if there's a recurring payment in place, the £1/$1 he mentioned should show for me ... yet doesn't. 


    Some will say forget it & move on but for me there's nothing wrong with trying to have a better understanding of the situation.
    At least it seems like it'll get rectified. 
  • born_again
    born_again Posts: 20,476 Forumite
    10,000 Posts Fifth Anniversary Name Dropper
    Cards do not get hacked.
    Details get compromised.

    Ok fair enough I used the wrong term but at least you knew what I meant :)

    Not an Android user so not aware of exactly how the app stores work in their environment but I would assume Android has a concept of "Family" of users as Apple does? Have you checked with whoever you've linked your account to to see if anyone has subscribed to Canva? Have you sold/given away a device and not cleared it properly? Again with Apple you can see all devices associated with your account. 

    Can confirm it's nothing like this. No devices, nobody has used my physical card so on & so forth. Absolutely 100% not.


    The Amex fraud dept mentioned a £1/$1 payment in October. I'm not sure if it was to this Canva or not because like I said, the guys accent was difficult to understand. 
    The only thing I can assume is that it was to Canva but then this makes no sense to me....

    They said recurring payments (so what's going on with this Canva situation) don't trigger the SecureKey protection, yet there's no previous transaction for Canva. The guy in the fraud dept mentioned this £1/$1 so he sees it on his end but it doesn't show on my end, which tells me it was declined for attempted fraud reasons. 
    Yet I guess it can't have been declined because there's quite clearly a recurring payment in place.
    So if there's a recurring payment in place, the £1/$1 he mentioned should show for me ... yet doesn't. 


    Some will say forget it & move on but for me there's nothing wrong with trying to have a better understanding of the situation.
    At least it seems like it'll get rectified. 
    As said previously. CPA do not require 2FA (secure Key)
    Same with $1 could have been a check on card details,. As declined you would never see it. But they could still put the larger payment through.

    Given you were refunded previously & card replaced. A CPA can transfer to the new card as card regulations allow retailers to request new card details for a CPA.
    Where fraud is involved on a CPA payment. A block is supposed to be placed on that retailer being able to do this. But often seems to get missed or forgotten about by person dealing with fraud.

    Life in the slow lane
  • potts8
    potts8 Posts: 64 Forumite
    Part of the Furniture 10 Posts Name Dropper Combo Breaker
    Just adding I've also had some fraudulent activity on my Amex card yesterday.
    This surprised as I very rarely use it, it hadn't been used for months and by some co-incidence I contacted their customer services midday(considered changing to a reward card) and by that evening it was being used fraudulently. The contact to them was purely via their live chat online.

    That evening I had an email for $1 paypal attempt using safekey which was blocked successfully.
    As I was on the phone to them to find out what was going on 2 more transactions came through successful for paypal, both under $10.

    Anecdotal evidence around the web seems to point to some issues at Amex and I read about a recent breach this year.



  • B0bbyEwing
    B0bbyEwing Posts: 1,581 Forumite
    1,000 Posts Third Anniversary Name Dropper
    Cards do not get hacked.
    Details get compromised.

    Ok fair enough I used the wrong term but at least you knew what I meant :)

    Not an Android user so not aware of exactly how the app stores work in their environment but I would assume Android has a concept of "Family" of users as Apple does? Have you checked with whoever you've linked your account to to see if anyone has subscribed to Canva? Have you sold/given away a device and not cleared it properly? Again with Apple you can see all devices associated with your account. 

    Can confirm it's nothing like this. No devices, nobody has used my physical card so on & so forth. Absolutely 100% not.


    The Amex fraud dept mentioned a £1/$1 payment in October. I'm not sure if it was to this Canva or not because like I said, the guys accent was difficult to understand. 
    The only thing I can assume is that it was to Canva but then this makes no sense to me....

    They said recurring payments (so what's going on with this Canva situation) don't trigger the SecureKey protection, yet there's no previous transaction for Canva. The guy in the fraud dept mentioned this £1/$1 so he sees it on his end but it doesn't show on my end, which tells me it was declined for attempted fraud reasons. 
    Yet I guess it can't have been declined because there's quite clearly a recurring payment in place.
    So if there's a recurring payment in place, the £1/$1 he mentioned should show for me ... yet doesn't. 


    Some will say forget it & move on but for me there's nothing wrong with trying to have a better understanding of the situation.
    At least it seems like it'll get rectified. 
    As said previously. CPA do not require 2FA (secure Key)
    Same with $1 could have been a check on card details,. As declined you would never see it. But they could still put the larger payment through.

    Given you were refunded previously & card replaced. A CPA can transfer to the new card as card regulations allow retailers to request new card details for a CPA.
    Where fraud is involved on a CPA payment. A block is supposed to be placed on that retailer being able to do this. But often seems to get missed or forgotten about by person dealing with fraud.

    You'll have to forgive me here but I don't get it.

    I'll assume that CPA is some code for recurring payment. If it's not then I'm off to a bad start straight away.

    So my understanding off what the Amex guy said is that recurring payments don't trigger SecureKey protection, which is fine, but wouldn't the initial one trigger it (and it just be the subsequent ones that don't)? That would make sense to me because if that wasn't to be the case & if it was just to simply mark every payment as recurring to bypass this SecureKey protection then that just sounds like very weak security to me - so I think it surely can't be that.

    So going with the idea that the first one triggers the SecureKey Protection but subsequent payments don't then how on earth does a blocked payment count as the first payment? Surely it should only be cleared payments?

    Or does it complicate further when the first payment (of £1/$1 in this case) is different to subsequent payments ($15.00USD/mo)?
  • born_again
    born_again Posts: 20,476 Forumite
    10,000 Posts Fifth Anniversary Name Dropper
    Cards do not get hacked.
    Details get compromised.

    Ok fair enough I used the wrong term but at least you knew what I meant :)

    Not an Android user so not aware of exactly how the app stores work in their environment but I would assume Android has a concept of "Family" of users as Apple does? Have you checked with whoever you've linked your account to to see if anyone has subscribed to Canva? Have you sold/given away a device and not cleared it properly? Again with Apple you can see all devices associated with your account. 

    Can confirm it's nothing like this. No devices, nobody has used my physical card so on & so forth. Absolutely 100% not.


    The Amex fraud dept mentioned a £1/$1 payment in October. I'm not sure if it was to this Canva or not because like I said, the guys accent was difficult to understand. 
    The only thing I can assume is that it was to Canva but then this makes no sense to me....

    They said recurring payments (so what's going on with this Canva situation) don't trigger the SecureKey protection, yet there's no previous transaction for Canva. The guy in the fraud dept mentioned this £1/$1 so he sees it on his end but it doesn't show on my end, which tells me it was declined for attempted fraud reasons. 
    Yet I guess it can't have been declined because there's quite clearly a recurring payment in place.
    So if there's a recurring payment in place, the £1/$1 he mentioned should show for me ... yet doesn't. 


    Some will say forget it & move on but for me there's nothing wrong with trying to have a better understanding of the situation.
    At least it seems like it'll get rectified. 
    As said previously. CPA do not require 2FA (secure Key)
    Same with $1 could have been a check on card details,. As declined you would never see it. But they could still put the larger payment through.

    Given you were refunded previously & card replaced. A CPA can transfer to the new card as card regulations allow retailers to request new card details for a CPA.
    Where fraud is involved on a CPA payment. A block is supposed to be placed on that retailer being able to do this. But often seems to get missed or forgotten about by person dealing with fraud.

    You'll have to forgive me here but I don't get it.

    I'll assume that CPA is some code for recurring payment. If it's not then I'm off to a bad start straight away.

    So my understanding off what the Amex guy said is that recurring payments don't trigger SecureKey protection, which is fine, but wouldn't the initial one trigger it (and it just be the subsequent ones that don't)? That would make sense to me because if that wasn't to be the case & if it was just to simply mark every payment as recurring to bypass this SecureKey protection then that just sounds like very weak security to me - so I think it surely can't be that.

    So going with the idea that the first one triggers the SecureKey Protection but subsequent payments don't then how on earth does a blocked payment count as the first payment? Surely it should only be cleared payments?

    Or does it complicate further when the first payment (of £1/$1 in this case) is different to subsequent payments ($15.00USD/mo)?
    Off to a good start 👍

    2FA or secure key does not trigger on every transaction. Depends on the retailer in may ways. 
    Life in the slow lane
Meet your Ambassadors

🚀 Getting Started

Hi new member!

Our Getting Started Guide will help you get the most out of the Forum

Categories

  • All Categories
  • 351K Banking & Borrowing
  • 253.1K Reduce Debt & Boost Income
  • 453.6K Spending & Discounts
  • 244K Work, Benefits & Business
  • 599K Mortgages, Homes & Bills
  • 176.9K Life & Family
  • 257.4K Travel & Transport
  • 1.5M Hobbies & Leisure
  • 16.1K Discuss & Feedback
  • 37.6K Read-Only Boards

Is this how you want to be seen?

We see you are using a default avatar. It takes only a few seconds to pick a picture.