My Revolut card has been verified for a transaction I have not authorised

[Brendan Burgess]

So I just got a message telling me
Card Verification
Spl Spoke Weal Salon S
Today 8.09

Status
Verified. The merchant verified that the card is valid. Your account has not been charged.
Card: Mastercard 3361

It looks like a chain of US hair salons

Spoke & Weal – best hair salon

www.spokeandweal.com

 

[Brendan Burgess]

So I have frozen the card.

I presume that they needed all my details including expiry date and CVV to do this?

I did buy some stuff recently from a US supplier. I doubt that they are fraudsters. But they could have been compromised?

I paid via PayPal but used my credit card?

Brendan

 

[blackdog]

I had a similar issue (in my case a US make up company on the transaction) with a credit card from a different provider recently. I was told the fraudulent payment was set up as a subscription / recurring payment and hence didn't trigger the usual verification prompt. A loophole?

Small amounts but recurred over a few days before I caught it

 

[Brendan Burgess]

Thanks. But where did they get your credit card details?

 

[blackdog]

That was never confirmed, but I used PayPal for an Irish payment in the preceding days.

 

[TomEdison]

I presume you''ve never had anything to do with this merchant.

Likelihood is that the merchant is entirely innocent. Most probably, someone has cloned your card, and is now testing the card with this low-value transaction. Impossible to know where they got your card data from, but in a sense it doesn't matter because you are now going to cancel and replace the card. It's a pain, but it has to be done.

 

[Brendan Burgess]

I assume that the merchant is innocent.
But it does matter that it was cloned.
Maybe the merchant's system was compromised and they need to know.

Brendan

 

[TomEdison]

More likely some other merchant's system was compromised, the frausters obtained your card data from there, cloned a card and are now testing it. It makes sense that they would test it with a merchant other than the one from whom they stole the data.

[Plus, if you've never had anything to do with this merchant, how would they have your card data in the first place? The data must have been stolen from someone with whom you have had dealings, using this card.]

 

[Thomas1]

Was it a Revolut app notification or text message? If text, it mightn’t be legit at all?

Either way, create a new card for yourself. I wouldn’t use that one again.

 

[Brendan Burgess]

It was a Revolut app notification.

 

[Brendan Burgess]

More likely some other merchant's system was compromised

OK, I use it so rarely that I assumed it was a result of the most recent transaction.

But maybe some other merchant which I used months ago has been compromised.

Brendan

 

[Thomas1]

Interesting. There are options to disable/enable GPS security, online transactions etc in the card settings.

 

[Brendan Burgess]

Not sure if it's relevant, but it's my Revolut virtual card as distinct from the actual real life card which has a different number.

 

[Peanuts20]

Most probably, someone has cloned your card, and is now testing the card with this low-value transaction. Impossible to know where they got your card data from, but in a sense it doesn't matter because you are now going to cancel and replace the card. It's a pain, but it has to be done.

I used to run a retail website a few years ago and that behaviour was bog standard, especially if they were missing a digit from the card number, or CSV or the expiry date. We could see them trying multiple times and playing with the digits for low value transactions and once one got through, they vanished and the card was never seen again. We'd then block it (we'd still get a report on blocked transactions so could see if they ever tried us again, they never did) so we were covered and not send the goods out unless we got a complaint but it was quite tedious. I would imagine AI and bots now make it even easier and the fraudsters just automate the process. This is their livelihood after all.

As for how they got the card number in the first place, my personal view is that it is quite probable that every credit card and debit card I have is sitting on a compromised database somewhere in the dark web anyway as it probably has been stolen or hacked at some stage. However there are billons of cards out there where the details have been stolen at some stage so the chances of mine being used are not small but not large either so I don't worry about it. What I do do, is check all of my transactions on a daily/2 day basis and if anything suspicious occurs, I shout to my bank straight away. Everyone should do that

 

[Dr Strangelove]

I leave online purchases option switched off unless I am making on online purchase.

It’s easy in the settings.

 

[Brendan Burgess]

So I deleted the virtual card.
I got another one instantly.

I added the new one to Apple Pay , so I presume the few subscriptions I have will not be impacted.
I deleted the old one from Apple Pay

 

[Brendan Burgess]

I leave online purchases option switched off unless I am making on online purchase.

Is that only for physical cards? But good idea. I have switched off online purchases on this card as I don't use it for online purchases.

I use my virtual Revolut card for online purchases. It can't be switched off.

The virtual card is better as if it's compromised, it can be deleted and a new one reissued instantly, virtually.

Brendan

 

[Dr Strangelove]

Is that only for physical cards?

Yes.

For me the virtual regenerates every time with a different number.

 

[Towger]

Still shopping in M&S?

 

[elcato]

But the 2 factor verification did it's job here, right ? You needed to allow or dismiss it when notified ?