I just spent an hour and a half on the phone with Capital One. I had a credit card transaction for Uber One ($9.99) on my account. This is NOT my Uber account, and it is a fraudulent charge. Two additional transactions were declined by Capital One for Uber Eats purchases.
I had just gotten a new physical card within the last two weeks. My previous card was cancelled because I wasn't using virtual card numbers yet, and someone racked up a pretty hefty Instacart bill. I've only physically used my new card in 3 places, and I've NEVER used it online. The chances of it being hacked are pretty slim.
Capital One sees the Uber One subscription as a recurring service. This is where I learned about their automatic biller update feature. I'm told that because of this, merchants like Uber are allowed to request my new card number for user convenience when a card is replaced. Because I had set up a number of virtual cards with my new card, I asked what virtual card was used. They gave me the last 4 of the virtual card used, and it wasn't one that I had set up myself, and didn't even show up on the website. They told me it was a token set up by Uber. I don't know for sure they received my card number through this service, but it really sounds like it. My previous card was cancelled well before the charge, but maybe they had a trial account set up, and didn't use it until the card had been cancelled. Sounds like a repeatable way for someone with a hacked card to use it for Instacart, the card gets cancelled, Uber renews the card, then they can use it again for Uber Eats. I understand convenience, but this sure seems like a major security flaw enabled by default.
I'm trying to contact Uber, but I have little hope of their customer service being useful. If my new physical card number was actually used, then I would need to look at the 3 local vendors for having card skimmers, or maybe someone scanned the RFID chip.
If my old card number was used (maybe for a trial), that would mean that my new card number was not actually stolen, but it was automatically pulled by Uber when I got my new card. I've cancelled auto biller update on my account, so it's probably not a persistent threat, but I'm wondering if anyone else has more insight on this? If nothing else, credit card users beware.
automatic biller update – exploited?
by u/sanchezeldorado in CreditCards
1 Comment
Credit card numbers can be guessed. RFID scanning is not a risk; they won’t get anything usable with that.
This is a common issue with fraudulent Amazon accounts and other online merchants. The banks default to telling them the card updated. You can see it happen with Apple Wallet, Google Wallet, and Samsung Pay. When you request a new card due to fraud, those auto-update depending on the bank.
Some banks do not even allow you to cancel the convenience of automatic biller update.