Did you know that there's a thing called the "Automatic Billing Update" program (ABU), that enables merchants to get notified of your replacement payment card number before it even shows up in your mailbox?

https://globalnews.ca/news/9763295/little-known-credit-card-program-companies-information/

Yep, you can guess what the bad guys are doing. They're registering as a merchant and then involuntarily signing people up for nonexistent "subscriptions" ... that their support path mysteriously refuses to let you unsubscribe from:

https://malwaretips.com/blogs/vigor-vita-cbd-gummies/

But if you naively report these to your issuer as simply 'fraud', they will just ... issue you a new card. And then the "subscription" will be charged again.

Many issuer support teams seem to be totally unaware of this fraud type. You have to explicitly tell them it's a subscription scam, and ask them to block that merchant from using ABU to get your new card number. (That card is lost, but at least the evil merchant won't get the next one).

(I found this out the hard way, helping some elderly friends, whose cards kept getting mysteriously "compromised". When I realized that an unexpected charge happened before they had even received the new card ... I knew it wasn't just ordinary skimming or phishing.)

tl;dr When you detect unauthorized charges, ask your issuer to check for ABU and block the entire merchant. Otherwise, you'll be caught in an unending cycle of useless reissuance!

#ABU #fraud

The little-known credit card program that lets companies share your information

A Winnipeg man says a little-known program allowed his credit card company to share his credit card number with a merchant before he even had the card himself.

Global News
@tychotithonus Oh I've seen Amazon the shopping app do this and only subconsciously registered it.
@tychotithonus any idea if the capability of blocking a merchant might vary by region? (as in international region) I've tried to get my bank to block a merchant before (recently) and was told it wasn't possible. I would have thought Visa could consistently do the same stuff everywhere in this respect though... And blocking a merchant doesn't sound like it should be hard.
@unknownIdentity I had a bank in the US initially refuse, but they were able to "make an exception" after doing a conference call including the merchant.

(tl;dr: the merchant was unable to find my account in the computer system to cancel)
@unknownIdentity As far as I can tell, if the issuer is participating in ABU, the issuer has the power to block a specific merchant-cardholder combo.
@tychotithonus Is this a global thing or specific to North America?
@tychotithonus This is a tangent, but imagine what would happen if an expired card meant the subscription was cancelled? Consumers would save millions, no?
@tychotithonus literally just had this happen but the charging entity was DoorDash. Never occurred to me or the fraud team at the bank to disable ABU until they allowed another charge before we even received the first new card. Of course, DoorDash eats the charge (unintentional pun but now I definitely intend it😏).
@tychotithonus A company for which I worked on billing systems used ABU legitimately at least 30 years ago to update expiration dates. Given we had 30 million CC customers on monthly billing plans, it was very convenient for customers, us, and processors when used for non fraud purposes, as it reduced declines for expired customer-supplied dates.
@TheDude No question that it's handy for legitimate merchants! It's just clear that the ways to abuse it aren't mitigated well.

@tychotithonus I was reminded this morning by someone favoriting this old toot of mine that some "legitimate" merchants do very similar things...

https://mastodon.slightlycyberpunk.com/@admin/111903251282700115

I now suspect that any sufficiently advanced capitalism is indistinguishable from a scam...

SlightlyCyberpunk (@admin)

So my father passed away about a year ago. My mother is still finding random charges to her credit cards from his old Amazon account. Amazon was notified that he had passed. His credit cards were cancelled. He was never an authorized user on my mom's cards, and Amazon was never authorized to bill his subscriptions to her cards. The bank apparently says this happens a lot, it's a well known issue. It's a well known issue. That Amazon regularly commits credit card fraud. Christ I am so glad I no longer do business with those crooks.

Slightly Cyberpunk Mastodon
@tychotithonus ABU should be illegal, or at the very least, opt-in. Banks can easily add this option to their websites, it should be part of their security settings.

@tychotithonus

There's a really good article by Patrick McKenzie (aka patio11) on his "Bits About Money" blog about the ways that card updates get handled behind the scenes for merchants:

https://www.bitsaboutmoney.com/archive/improving-cards-under-the-hood/

Improving how credit cards work under the covers

Card networks are legacy systems. Some bugs have persisted for decades, surprisingly, but they can be fixed. Stripe provides examples.

Bits about Money
@tychotithonus @briankrebs what’s annoying is that none of the merchants you actually want to use ABU seem to actually use it
@tychotithonus does that include the CVV and can cardholders get a list?

@tychotithonus @dgoldsmith In my case, the bad guys signed me up for Instacart.

I had to go through the hassle of getting a second new card and having all charges from Instacart from any of my accounts blocked.

I learned that credit unions don’t typically participate in the ABU program so you won’t have to deal with this if your card was issued by a CU.

@tychotithonus @mooncorebunny Is there a reason *not* to ask the merchant to be blocked in general?
@mooncorebunny @tychotithonus More specifically, "block the merchant" should be the implicit assumption. Almost no one /cares/ about the specific subscription.

Although I have to say, ABU is an anti-feature in general, why was it ever considered worth the minor convenience of its existence considering all the ways it's a problem?
@tychotithonus
I thought ABU just tells merchants (or, more precisely, payment processors) about card number changes for cards they had previously accepted charges with.
@billseitz Ah, indeed. We may have to explore the definition of "accepted". If a vendor signs you up involuntarily for a "subscription", and you go through the normal process of trying to "unsubscribe" for a while unsuccessfully, how much time has to pass for that to become technically "accepted"?
@tychotithonus and if you call your card issuer and block the merchant, that carries over to the new card number.
@billseitz Yes, I thought that was covered in context by my post.
@tychotithonus I did know that. It means you can't rely on card expiration either.
@tychotithonus @gsuberland surely the whole /point/ of expiry of credit cards is to limit the scope of fraud?

@Unixbigot

Indeed - as implemented, it decidedly sidesteps an essential control.

I can see the use case - how customers and legit vendors could benefit from automatic migration to a new card.

What's missing here is a way for the cardholder to view and manage which merchants are allowed to do so.

@gsuberland

@tychotithonus @Unixbigot @gsuberland Problem is it is not ever to the cardholder's benefit as it is entirely transparent to them. Not sure if EU cards are in the system anymore, GDPR and all... Urm, going to want to figure that out.
@tychotithonus I had an experience with Kaspersky where I had bought a 5 license AV pack. After some time, I opted for a different choice. First year, it auto renewed. Okay - mea culpa. So I looked online for a place to cancel (none) and then called in to cancel. Thought I was done. Renewal time came and another fee hits the card. So then I call in and claim my card is stolen and I need a new number. Thought I had it pegged. C’est non. Again a charge. Finally - I did what I should’ve done all along. I called in and declared this as fraud. We’ve had a similar situation with Microsoft on Azure billing. I really dislike ABU.
@tychotithonus How do they get the new CVV2 required to process the card absent transaction?
@waldi That's an excellent question, and I have no idea other than maybe the token (that the merchant has upon first successful transaction) is "updated" to keep allowing charging without it?
@tychotithonus Yep, knew about this one, and quite frankly, Visa and Mastercard should be prosecuted for it. It is almost entirely made to be abused.

@tychotithonus

Sounds really #weird! What a bad #Scam. If #Criminals would use their evil #Creativity for something good....

@tychotithonus

yes, i've had issues with it and so have people i know

i have been able to get the transactions cancelled and i block any future payments to that company after they do this

@tychotithonus this should be illegal for basic privacy rights.
@tychotithonus @chris The bank should ask for permission before authorizing an ABU merchant to receive the information and allow their customers to revoke the permission.