Amex account been hacked for the second time in 2 months.

sausage_time

CPA discussion:

https://www.moneysavingexpert.com/banking/recurring-payments

DullGreyGuy

B0bbyEwing said:

born_again said:

B0bbyEwing said:

born_again said:

Cards do not get hacked.
Details get compromised.

Ok fair enough I used the wrong term but at least you knew what I meant

DullGreyGuy said:

Not an Android user so not aware of exactly how the app stores work in their environment but I would assume Android has a concept of "Family" of users as Apple does? Have you checked with whoever you've linked your account to to see if anyone has subscribed to Canva? Have you sold/given away a device and not cleared it properly? Again with Apple you can see all devices associated with your account. 

Can confirm it's nothing like this. No devices, nobody has used my physical card so on & so forth. Absolutely 100% not.


The Amex fraud dept mentioned a £1/$1 payment in October. I'm not sure if it was to this Canva or not because like I said, the guys accent was difficult to understand. 
The only thing I can assume is that it was to Canva but then this makes no sense to me....

They said recurring payments (so what's going on with this Canva situation) don't trigger the SecureKey protection, yet there's no previous transaction for Canva. The guy in the fraud dept mentioned this £1/$1 so he sees it on his end but it doesn't show on my end, which tells me it was declined for attempted fraud reasons. 
Yet I guess it can't have been declined because there's quite clearly a recurring payment in place.
So if there's a recurring payment in place, the £1/$1 he mentioned should show for me ... yet doesn't. 


Some will say forget it & move on but for me there's nothing wrong with trying to have a better understanding of the situation.
At least it seems like it'll get rectified. 

As said previously. CPA do not require 2FA (secure Key)
Same with $1 could have been a check on card details,. As declined you would never see it. But they could still put the larger payment through.

Given you were refunded previously & card replaced. A CPA can transfer to the new card as card regulations allow retailers to request new card details for a CPA.
Where fraud is involved on a CPA payment. A block is supposed to be placed on that retailer being able to do this. But often seems to get missed or forgotten about by person dealing with fraud.

You'll have to forgive me here but I don't get it.

I'll assume that CPA is some code for recurring payment. If it's not then I'm off to a bad start straight away.

So my understanding off what the Amex guy said is that recurring payments don't trigger SecureKey protection, which is fine, but wouldn't the initial one trigger it (and it just be the subsequent ones that don't)? That would make sense to me because if that wasn't to be the case & if it was just to simply mark every payment as recurring to bypass this SecureKey protection then that just sounds like very weak security to me - so I think it surely can't be that.

So going with the idea that the first one triggers the SecureKey Protection but subsequent payments don't then how on earth does a blocked payment count as the first payment? Surely it should only be cleared payments?

Or does it complicate further when the first payment (of £1/$1 in this case) is different to subsequent payments ($15.00USD/mo)?

CPA = Continuous Payment Authority

It's been a while since I did anything to do with card payments but certainly when I did a piece of work around them all card security was optional. Technically a retailer doesn't even need to do the normal two step of authorisation and collection but can skip the first and go straight to the second. However, the fees the merchant are charged for taking a payment by card is impacted by the level of security and so by implementing things like 3D Secure they pay less fees and, presumably, have less fraud. The lower the checks they do the more liable they are for fraud too. 

My work was done from the merchant side rather than the bank, so certainly you are supposed to do a single transaction using the standard protocols and then subsequent CPA transactions go through slightly differently. I've no idea what, if any, checks are done to ensure the CPA is following another transaction, 

CPA was intended to be the equivalent to DD in the card world but its very much a poor relation and many staff in banks dont appear to know or understand it properly. To make the CPA system more robust they introduced the "card updater" service which a merchant is supposed to use before attempting a CPA payment (again often no legal ramifications if they dont but there are financial ones). The service is supposed to give one of three results - 1) Proceed with the number 2) Proceed but here's a new number and 3) Dont proceed & reason code. The idea being that you can cancel your card due to fraud or you lost it etc but you then dont find your car insurance cancelled in 6 months time when it auto-renews and you have forgotten to give them the new number. 

B0bbyEwing

born_again said:

B0bbyEwing said:

born_again said:

B0bbyEwing said:

born_again said:

Cards do not get hacked.
Details get compromised.

Ok fair enough I used the wrong term but at least you knew what I meant

DullGreyGuy said:

Not an Android user so not aware of exactly how the app stores work in their environment but I would assume Android has a concept of "Family" of users as Apple does? Have you checked with whoever you've linked your account to to see if anyone has subscribed to Canva? Have you sold/given away a device and not cleared it properly? Again with Apple you can see all devices associated with your account. 

Can confirm it's nothing like this. No devices, nobody has used my physical card so on & so forth. Absolutely 100% not.


The Amex fraud dept mentioned a £1/$1 payment in October. I'm not sure if it was to this Canva or not because like I said, the guys accent was difficult to understand. 
The only thing I can assume is that it was to Canva but then this makes no sense to me....

They said recurring payments (so what's going on with this Canva situation) don't trigger the SecureKey protection, yet there's no previous transaction for Canva. The guy in the fraud dept mentioned this £1/$1 so he sees it on his end but it doesn't show on my end, which tells me it was declined for attempted fraud reasons. 
Yet I guess it can't have been declined because there's quite clearly a recurring payment in place.
So if there's a recurring payment in place, the £1/$1 he mentioned should show for me ... yet doesn't. 


Some will say forget it & move on but for me there's nothing wrong with trying to have a better understanding of the situation.
At least it seems like it'll get rectified. 

As said previously. CPA do not require 2FA (secure Key)
Same with $1 could have been a check on card details,. As declined you would never see it. But they could still put the larger payment through.

Given you were refunded previously & card replaced. A CPA can transfer to the new card as card regulations allow retailers to request new card details for a CPA.
Where fraud is involved on a CPA payment. A block is supposed to be placed on that retailer being able to do this. But often seems to get missed or forgotten about by person dealing with fraud.

You'll have to forgive me here but I don't get it.

I'll assume that CPA is some code for recurring payment. If it's not then I'm off to a bad start straight away.

So my understanding off what the Amex guy said is that recurring payments don't trigger SecureKey protection, which is fine, but wouldn't the initial one trigger it (and it just be the subsequent ones that don't)? That would make sense to me because if that wasn't to be the case & if it was just to simply mark every payment as recurring to bypass this SecureKey protection then that just sounds like very weak security to me - so I think it surely can't be that.

So going with the idea that the first one triggers the SecureKey Protection but subsequent payments don't then how on earth does a blocked payment count as the first payment? Surely it should only be cleared payments?

Or does it complicate further when the first payment (of £1/$1 in this case) is different to subsequent payments ($15.00USD/mo)?

Off to a good start 👍

2FA or secure key does not trigger on every transaction. Depends on the retailer in may ways. 

Then that is absolutely horrendous security. If you enable something like this on your account then in my case a dummy failed test transaction shouldn't qualify as marking a payment recurring. That just sounds so poorly done!

Out of curiosity, would any of this have been any different if it was my debit card that had been done rather than my credit card?

I contacted Amex, told them what happened & they were just like oh so you don't recognise it then? No. Ok here's your money back then. I know they can't have just taken my word for it but it's like they did, I could've been lying. I'm sure they did checks on this though & it passed as being fraud, obviously. 

But made me wonder whether it'd be any different had it been a debit card.

born_again

B0bbyEwing said:

Then that is absolutely horrendous security. If you enable something like this on your account then in my case a dummy failed test transaction shouldn't qualify as marking a payment recurring. That just sounds so poorly done!

Out of curiosity, would any of this have been any different if it was my debit card that had been done rather than my credit card?

I contacted Amex, told them what happened & they were just like oh so you don't recognise it then? No. Ok here's your money back then. I know they can't have just taken my word for it but it's like they did, I could've been lying. I'm sure they did checks on this though & it passed as being fraud, obviously. 

But made me wonder whether it'd be any different had it been a debit card.

No exactly the same.
This is how card regulations work for this payment method.

CPA can & do come through on expired & cancelled cards, due to the fact they do not go for authorisation. As they are the card version of a DD.
So until they are cancelled at either end, then they will continue.

B0bbyEwing

born_again said:

B0bbyEwing said:

Then that is absolutely horrendous security. If you enable something like this on your account then in my case a dummy failed test transaction shouldn't qualify as marking a payment recurring. That just sounds so poorly done!

Out of curiosity, would any of this have been any different if it was my debit card that had been done rather than my credit card?

I contacted Amex, told them what happened & they were just like oh so you don't recognise it then? No. Ok here's your money back then. I know they can't have just taken my word for it but it's like they did, I could've been lying. I'm sure they did checks on this though & it passed as being fraud, obviously. 

But made me wonder whether it'd be any different had it been a debit card.

No exactly the same.
This is how card regulations work for this payment method.

CPA can & do come through on expired & cancelled cards, due to the fact they do not go for authorisation. As they are the card version of a DD.
So until they are cancelled at either end, then they will continue.

I was meaning more from a chances of getting my money back (& would it have been as easy as it has been for me) POV rather than a would the payment have been taken without challenge POV.

DullGreyGuy

B0bbyEwing said:

born_again said:

B0bbyEwing said:

born_again said:

B0bbyEwing said:

born_again said:

Cards do not get hacked.
Details get compromised.

Ok fair enough I used the wrong term but at least you knew what I meant

DullGreyGuy said:

Not an Android user so not aware of exactly how the app stores work in their environment but I would assume Android has a concept of "Family" of users as Apple does? Have you checked with whoever you've linked your account to to see if anyone has subscribed to Canva? Have you sold/given away a device and not cleared it properly? Again with Apple you can see all devices associated with your account. 

Can confirm it's nothing like this. No devices, nobody has used my physical card so on & so forth. Absolutely 100% not.


The Amex fraud dept mentioned a £1/$1 payment in October. I'm not sure if it was to this Canva or not because like I said, the guys accent was difficult to understand. 
The only thing I can assume is that it was to Canva but then this makes no sense to me....

They said recurring payments (so what's going on with this Canva situation) don't trigger the SecureKey protection, yet there's no previous transaction for Canva. The guy in the fraud dept mentioned this £1/$1 so he sees it on his end but it doesn't show on my end, which tells me it was declined for attempted fraud reasons. 
Yet I guess it can't have been declined because there's quite clearly a recurring payment in place.
So if there's a recurring payment in place, the £1/$1 he mentioned should show for me ... yet doesn't. 


Some will say forget it & move on but for me there's nothing wrong with trying to have a better understanding of the situation.
At least it seems like it'll get rectified. 

As said previously. CPA do not require 2FA (secure Key)
Same with $1 could have been a check on card details,. As declined you would never see it. But they could still put the larger payment through.

Given you were refunded previously & card replaced. A CPA can transfer to the new card as card regulations allow retailers to request new card details for a CPA.
Where fraud is involved on a CPA payment. A block is supposed to be placed on that retailer being able to do this. But often seems to get missed or forgotten about by person dealing with fraud.

You'll have to forgive me here but I don't get it.

I'll assume that CPA is some code for recurring payment. If it's not then I'm off to a bad start straight away.

So my understanding off what the Amex guy said is that recurring payments don't trigger SecureKey protection, which is fine, but wouldn't the initial one trigger it (and it just be the subsequent ones that don't)? That would make sense to me because if that wasn't to be the case & if it was just to simply mark every payment as recurring to bypass this SecureKey protection then that just sounds like very weak security to me - so I think it surely can't be that.

So going with the idea that the first one triggers the SecureKey Protection but subsequent payments don't then how on earth does a blocked payment count as the first payment? Surely it should only be cleared payments?

Or does it complicate further when the first payment (of £1/$1 in this case) is different to subsequent payments ($15.00USD/mo)?

Off to a good start 👍

2FA or secure key does not trigger on every transaction. Depends on the retailer in may ways. 

Then that is absolutely horrendous security. If you enable something like this on your account then in my case a dummy failed test transaction shouldn't qualify as marking a payment recurring. That just sounds so poorly done!

Out of curiosity, would any of this have been any different if it was my debit card that had been done rather than my credit card?

I contacted Amex, told them what happened & they were just like oh so you don't recognise it then? No. Ok here's your money back then. I know they can't have just taken my word for it but it's like they did, I could've been lying. I'm sure they did checks on this though & it passed as being fraud, obviously. 

But made me wonder whether it'd be any different had it been a debit card.

There will always be a balance between making card payments secure, card payment systems (particularly for cardholder not present) and the flexibility to use your card anywhere. 

In a shop its fairly easy, Visa/Government comes up with new rules, gives companies 18 months to abide by them and the manufacturers of card machines, of which there arent that many, either do a software update or manufacture new machines. Some merchants get them for free as they lease them, others have to buy replacements but it's a fairly standalone device. 

Cardholder not present (eg websites, mail order etc) often arent using an off the shelf machine but have written their own code to interface with banking APIs and other data exchange mechanisms. Payment software can be linked to various other software (eg with one client that does telesales the call recording stops when the user's cursor goes into card fields). To change these isn't c20 companies updating some hardware but hundreds of thousands of companies needing to reprogramme multiple bits of software, test them etc. 

As such most changes are optional, you get a discount on your fees if you choose to implement them. The alternative is you make it mandatory, then companies cannot, or choose not to implement it means you suddenly cannot use Visa at Amazon or your Car insurance is cancelled because your insurer has lost the ability to use CPA with your bank. 


The government creates some legislation but normally it's not very prescriptive. The card networks like Visa, Mastercard and AmEx decide how to implement it and come up with some of their own ideas. Many of the rules apply equally to debit and credit cards. The only slight difference, had it been a debit card, is that it wouldn't have been an AmEx card as they dont offer any debit cards in the UK so it would have been Visa or Mastercard. Each network has slightly different rules etc. 

danco

There is one other posibility. A fairly common way of firms getting money that they are legally entitled to but not morally.

If you take out a free trial to something, or a cheap trial, the terms and conditions may say that unless you explicitly cancel then they, or an associated company, will regard you as having subscribed.

Happens a lot, and people often don't notice.