Yes, the headline is clickbait. However, it is also accurate.
So I had some fraudulent charges on my MasterCard back in June. That did not unduly alarm me. I knew I needed to call my card issuer and dispute the charges. I did so and they reversed them, cancelled the card, and issued a new one. All was well with the world. This is what should happen, after all. Alas….
TL;DR: Cancelling a card and getting a replacement after a fraudulent charge doesn’t necessarily stop the fraudulent charges due to some fuckwit at MasterCard thinking that “force billing” (allowing a merchant to obtain the new card number) is a good idea. My conclusion: “force billing” should be illegal.
First, some background. There were two fraudulent charges. One was to some contractor and one was to a reasonably reputable organization, neither of whom I will name specifically. Let’s call the second one S. While the contractor may be seriously annoyed by the chargeback on the multi-hundred dollar charge, hopefully it was just a deposit on a job and they could fire their con artist customer. However that goes down, it is no longer my problem. S, on the other hand, is more problematic.
Fast forward a little more than a month from the original fraudulent charges. I see, exactly one month to the day later, another charge from S, this time against the replacement card number. Now I am alarmed. How did the fraudster get my new card number‽ And in less than one month‽
Well, on the theory that S was as much a victim as I am, I called them and talked to their people. I have to say, the representative I got was very understanding and did everything he could, including getting help from a more experienced representative, to investigate. It turns out someone had opened up an account using my credit card number (the old one) and subscribed to a service. This is what I suspected, and it does make S a victim as well. They told me that they cancelled the account but that I should contact my card issuer as well. I was going to do that anyway, of course. All in all, I can’t really fault S in all of this. (And, given who S actually is, their response is actually exactly what I would have expected.) Of course, this still did not explain how they ended up with my new card number for the second charge in July. Also, the 15-minute hold time was annoying.
So next, I called my card issuer. After the usual spiel about the call being recorded, I got a person right away. After a brief conversation, he transferred the call to the fraud department and I talked to a lady for a while. Alas, I let my frustration get the better of me when she was seemingly insinuating that I was the one perpetrating the fraud and I shouted at her. I think that got her attention and she started listening at that point and looking for an actual solution. I did apologize for the shouting, though. You really shouldn’t do that.
Anyway, the eventual result of the conversation was that the transaction would be reversed and the card cancelled and replaced (again!). That was the outcome I expected. I don’t like it, of course, but what else can they do? What I didn’t expect was the answer to my question about how S got the new card number.
It turns out that a merchant can, and this is the term used by the fraud representative at my card issuer, “force bill” a charge. That actually means they can obtain your new card number. Yes. You read that right. A merchant can obtain your new card number after your previous card was cancelled due to fraudulent charges from that merchant. The representative at my card issuer said this is a MasterCard policy and not something they have control over. That sounds like passing the buck, but it does make sense in this case. They have to abide by the policies of the MasterCard organization if they want to issue MasterCards, after all.
I suspect the policy exists to ease the burden of updating card details for ongoing subscriptions when cards expire on their usual schedule. That is, to allow merchants to get paid even if the customer forgets to update their card details. In that situation, there is no fraud, obviously.
However, suppose a bad actor, let’s call him F, signs up for a subscription with recurring billing. F provides all the card details for a credit card and the initial transaction succeeds. Alas, the card details provided do not belong to F. The cardholder subsequently notices and has the charge reversed. F, however, signed up for the subscription with the correct card details. Now the merchant might not associate the chargeback with the account and then just proceed to bill again on the next billing cycle. That comes back “card cancelled” so they initiate the “force billing” process to get the new card number. This will work because F provided the correct details the first time or the original transaction would have failed. Thus, F can continue to have his subscription across any number of card cancellations until the merchant notices the large number of chargebacks or their bank flags it.
Basically, in the scenario just described, MasterCard themselves are enabling the ongoing fraud.
Now, can “force billing” be implemented in a way that doesn’t trip on that scenario? Sure. Simply record the fact that a card was cancelled due to fraud and do not allow force billing to succeed in that case. That is, do not allow merchants to obtain the new card number if the old card number was cancelled due to fraudulent charges. That would stop this type of problem in its tracks.
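The scenario with F and the fix proposed above, modelled as a small simulation. This is an added example, not part of the original post and not code from any card network or issuer; the Issuer class, its methods and the CARD-nnnn values are hypothetical.

```python
from dataclasses import dataclass, field

# Hypothetical model of the post's scenario, not a real card network API.
FRAUD, EXPIRED = "fraud", "expired"


@dataclass
class Issuer:
    # cancelled card number -> (replacement number, reason for cancellation)
    replaced: dict = field(default_factory=dict)
    block_fraud_updates: bool = False
    _seq: int = 0

    def reissue(self, old, reason):
        self._seq += 1
        new = f"CARD-{self._seq:04d}"      # constructed placeholder, not a real number
        self.replaced[old] = (new, reason)
        return new

    def authorize(self, card):
        return card not in self.replaced   # cancelled cards decline

    def update_lookup(self, old):
        """What the post calls "force billing": the merchant asks for the new number."""
        new, reason = self.replaced[old]
        if self.block_fraud_updates and reason == FRAUD:
            return None                    # the fix: no new number after a fraud cancellation
        return new


def run_subscription(issuer, cycles):
    """Bill F's subscription each cycle; the cardholder disputes every charge."""
    card_on_file = "CARD-0000"             # the details F supplied at sign-up
    disputed = 0
    for _ in range(cycles):
        if not issuer.authorize(card_on_file):
            updated = issuer.update_lookup(card_on_file)
            if updated is None:
                break                      # merchant has to ask the customer instead
            card_on_file = updated
        disputed += 1                      # charge goes through, then is disputed
        issuer.reissue(card_on_file, FRAUD)
    return disputed


if __name__ == "__main__":
    print("no check:", run_subscription(Issuer(), 6))
    print("fraud check:", run_subscription(Issuer(block_fraud_updates=True), 6))
```

With the check off, every billing cycle produces another disputed charge and another reissued card; with it on, the subscription stops after the first dispute, while a card replaced for ordinary expiry is still updated.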
That said, the whole force billing thing reeks of fraud on its own. The real solution is to make the practice of allowing merchants to obtain the new card number illegal. There is no valid business need for it. Do what most merchants already do: simply let the transaction fail, then notify the customer and ask them for updated billing information.
Back to my specific case. S fell victim to some F. I had the charge reversed, which should have shown up as a chargeback for S. S obviously failed to do anything with the chargeback, which is a failure on S’s part. Then, the next monthly charge fails, S does the force billing thing, gets the new card information, and gets a charge through. It may be that S hasn’t actually received the chargeback details yet and, thus, hasn’t been able to act on them. However, a card coming back cancelled but with an expiry date that is well in the future should trigger an investigation by a human before enabling the force billing process. So, S’s procedures are problematic, though likely not significantly costly to them.
Anyway, to sum up, it’s likely a “force billing” situation for the second charge rather than the card number being skimmed or otherwise obtained fraudulently. That is something of a relief given that it would have pointed the finger at big guys like Google or Amazon leaking the card number. Not impossible, of course, but unlikely, especially in the space of three weeks or so.
Basically, in my not so humble opinion, MasterCard themselves are complicit in this particular fraud and I wonder how many people are in the same boat as I am here. I have no relationship with S. Thus, there is no way for me to “cancel my account at S” (which is what triggered the shouting at the fraud representative at my card issuer).
Anyway, let’s call that “end of rant”.