Tell HN: Amazon allows unauthorized parties to use credit cards

30 points by nateb2022 ↗ HN
About three weeks ago I noticed an unauthorized charge on my Discover card from Amazon -- I have the Discover mobile app and get instant notifications for every transaction. I immediately froze my account. After contacting Amazon, they confirmed that the charge did not originate from my account and told me to contact Discover; I contacted Discover, got my card cancelled, and a week later had a new card with a different number.

That was the end of my problems. Or so I thought.

The day before yesterday I noticed a recent charge from Amazon. Upon calling Amazon, it appears that it was for the Prime subscription of another Amazon account, not mine. I put it very plainly that this charge was unauthorized, and that I do not want anyone else using my credit card with their Amazon account. To my surprise, they told me that they couldn't remove my credit card from another person's Amazon account as a form of payment. All they could do was refund the amount to me. I asked if that party would be able to continue to charge purchases to my credit card, and the customer service representative said yes. And there was nothing they could do about it.

Amazon, being a big company, I'm sure they somehow update credit card information from the credit card companies themselves. Thus, they were able to get the new number for my card after I cancelled the old one, and I assume they surreptitiously linked it to every account which had my old credit card linked.

I contacted Discover again and they're investigating it. I just can't believe Amazon is allowed to operate this way -- I assume it's illegal in some form. Do I have any form of legal recourse? Has anyone else experienced this?

21 comments

[ 2.7 ms ] story [ 69.5 ms ] thread
Discover or other banks/credit card companies will not just handover credit card numbers to Amazon. This would be a serious banking violation.

What you're describing is credit fraud. Amazon has no idea who authorized users of the card are. It's not required that the name on the card match the name of the person using it. Many places want it to match to prevent fraud as often times the end business is left with the loss of money and product but there's no legal or policy requirements. It's only that a person has been authorized to use it

CC numbers leaked from hacks that happen all the time. If this has happened twice in a row now, most likely the leak is on your side somewhere. Someone may have access to your systems or it could be a restaurant you frequent or any number if things. Amazon isn't the one to contact about fraud, your credit card company is the one to contact.

Their department has access to all the charges and fraud reports. Credit card companies do correlate fraud reports between them. One of the most simple and basic attacks is simply copying credit card numbers down at restaurants or any other place where your card may be out of your site for a few moments and it's totally normal for that to be the case.

You don't have any legal recourse against Amazon because they didn't do anything wrong. Unless of course you can show that they were the ones that perpetrated the fraud but them simply accepting a card it is appropriate for them to assume it was authorized to be used. Any legal recourse would be against your credit card company but in my experience I have never had to go the legal route with a credit card company. They are excellent at reimbursing for fraudulent charges and reissuing cards and tracking down the source of the fraud. If discover has not immediately reimbursed you for the charge on your card then they are the ones you need to talk to and point out these are fraudulent charges and the fraud happened twice. There should be no need for legal recourse because you have suffered no damages.

> them simply accepting a card it is appropriate for them to assume it was authorized to be used

At first it was appropriate, but once he called them and said it wasn't authorized, then it wasn't anymore.

How would amazon know if he is the true ‘authorized’ owner of the card, or perhaps someone who is just trying to mess with the owner of the card?

The only solution here is really to get a new card number

> Discover or other banks/credit card companies will not just handover credit card numbers to Amazon. This would be a serious banking violation.

Card issuers generally participate in credit card account updater programs. Although, when a new number is issued due to fraud, they're supposed to not include that in the updates.

I'm sure that's exactly what happened here. You can opt out of that but it's a pain in the ass and some companies make it so you have to do it for each merchant
Card issuers will not automatically update merchants with changed card numbers. Card issues will identify automatic charges and alert you too update them.

Merchants can have an agreement with issuers to access your account but this is 100% opt-in mechanic and can't be accidentally tripped over. I haven't looked on my Amazon account but I've never been offered that option as they have no reason to access my credit card account.

Have a look at some merchant facing (sales) documentation about account updaters [1]. I'm not affiliated (or even in the payments business, thank goodness), but this seems like a pretty decent overview of programs.

Maybe your issuer doesn't participate, but most do. Many merchants that do recurring or card on file billing will use these services because people often inadverdantly forget to update accounts and don't respond to notifications but do contact customer service when the renewal fails or their new order fails.

[1] https://paymentcloudinc.com/blog/account-updater/

All of these are opt-in services not automatic services that get enabled without your knowledge.
The merchant may have to opt-in, but the card holder generally doesn't.
Just for clarity, when a CPA is enacted, the card number isn't used so changing the card will not prevent the charges as it's tied to account (haven't seen this used for a while but the idea is to make it easy for people when they lose card etc) - it's worth asking the issuer if they can kill that particular agreement as you've now objected and want to withdraw which is your right (also suggest they deal with Amazon as you've reported the unauthorized use but they evidently aren't fulfilling their obligations set by card networks)
You said the account was frozen ... but it was still used. Sound like Discover is to blame here.

Amazon didn't approve the transaction to your "frozen" card ... Discover did.

I understand it was the replacement card, which Amazon automatically got added to the other person's account.

Again, this is why I want all my transactions to be authorised through my bank, and not through any other site.

through my bank, and not through any other site.

I agree. It's easy to setup automatic payments through your bank.

Or as an alternative, use a junk credit card for subscriptions --- one you won't mind canceling if necessary.

This is an interesting vector for fraud. While I look over my bills for unauthorized charges, I buy enough from Amazon that I can't begin to scrutinize them effectively. And until now, I've trusted them. This is going to make my bill paying more time intensive.
You're kinda skipping over the gaping OpSec hole you have that resulted in the disclosure of your card number to a third party. You might want to check into that.
> gaping OpSec hole you have that resulted in the disclosure of your card number to a third party

You mean like the server I hand my credit card to to pay my check at dinner?

Yes, that is in fact a security gap that can be (and is) exploited. In Europe at least, they bring the payment point to you and you place the card yourself (or ask you to go to the register)
Yes, that could potentially be a source. There could be another source as well, since you’re experiencing this multiple times.

I personally pay cash if they can’t bring the POS Terminal to my table.

Both visa and mastercard have processes in place that automatically substitute new cards - that part is normal. Quite strange that they'd do that after a card replacement due to fraud though
Maybe you left a TV logged into Amazon Prime after you checked out of an AirBnB