How hackers used little-known credit-card feature to defraud woman, $1.99 at a time

Christian Hetrick, The Philadelphia Inquirer on

Published in Business News

A Google spokesperson said the web giant "identified and closed the accounts associated with the fraudulent charges."

Criminals have realized that banks and other card issuers won't investigate unreported charges if they're less than $50, said Kayne McGladrey of the Institute of Electrical and Electronics Engineers, which includes computer scientists and cybersecurity experts. Card issuers use algorithms tuned to spot expensive purchases, so criminals now buy a lot of items of little value, McGladrey said. For example, fraudsters buy streaming services such as Netflix and Spotify because banks may not find the charges unusual, he said.

"It's low effort for them. Once they set up the subscription and unless the subscription is canceled, they don't have to do any other work and they can resell access to that subscription," he said. "So it's a guaranteed line of profit for them until somebody goes and notices there's been a problem."

Criminals typically resell access to the services on secondary markets, McGladrey said. Criminals may resell a streaming service that's normally $10 per month for $5, netting the thieves $5 monthly. While a single crime is not that profitable, there have been cases where groups have reaped millions of dollars by charging small amounts to hundreds of thousands of consumers, he said.

In recent years, major credit card companies have offered account updater services to avoid disrupting recurring charges when new cards are issued. Medium to large businesses selling subscriptions -- from gym memberships to Amazon -- use the service to ensure they don't lose customers who get new cards. Consumers are typically enrolled in these programs automatically through their card issuer's service agreements, though they can ask to opt out, experts said.

"The unintended consequence is it is really easy for a threat actor to know (the consumer's account) is going to be automatically updated," McGladrey said. "So sure, (the consumer) got a new credit card number. The revenue stream is uninterrupted."

Consumers should scrutinize their credit card statements for any unauthorized charges, regardless of how inexpensive, experts said. There are web applications such as Trim that help find unwanted subscriptions on your bill. Consumers should also dispute charges directly with the card issuer, which must stop unauthorized charges under federal law, said Ed Mierzwinski of the U.S. Public Interest Research Group.

"The credit card company and the merchant like to punt back and forth," he said. "The credit card company doesn't want to lose the fees from the merchant, and it's just a pain in the neck for consumers."

Robison was charged for Google cloud storage to store emails, documents, and pictures. Google sells 100 gigabytes of storage for $1.99 per month. Robison was billed up to 14 times monthly, suggesting she was charged for 1.4 terabytes of storage, or enough space for half a million photos.

Sponsored Video Stories

Letters from Capital One showed she disputed the charges at least five times. In addition, Robison said she spoke with the bank and Google on a three-way phone call in April, when Google determined that Robison did not purchase the storage. The charges continued anyway.

The headache didn't end once Robison canceled her credit card account. When she tried to reopen a new one with Capital One this month, the bank initially denied her before ultimately signing her up, according to records and emails.

"It got to be kind of a game," she said.

Robison is a personal coach and business consultant, so she sees a lot of people's paperwork. Lately, she said she's noticed $1.99 Google storage charges on clients' bills, even though they did not authorize the charge.

"A lot of people choose to deal with the $1.99 because it's two bucks," Robison said. "And it's a lot more hassle to get it changed."

(c)2019 The Philadelphia Inquirer

Visit The Philadelphia Inquirer at

Distributed by Tribune Content Agency, LLC.


blog comments powered by Disqus

Social Connections


Wee Pals Sarah's Scribbles Hi and Lois Ginger Meggs Poorly Drawn Lines Carpe Diem