Cancelled card ‘loophole’ may leave door open for fraudsters, says Which?

Concerns have been raised by Which? that a feature designed to reduce hassle when renewing expired credit or debit cards may allow criminals to continue spending using replacement card details.

When a customer reports fraud on their account, the bank will cancel the card and issue a new one, with the expectation that this should sever the fraudster’s ability to spend.

But Which? said that a process which helps to make switching to the new card go smoothly could create a “loophole” which may allow fraud to continue.

Some people may find their card details are updated automatically where they have previously been saved, which could mean that subscriptions continue to be paid and card details are updated in digital wallets.

Which? said it is concerned about the potential for unintended consequences, which could mean that if a scammer has saved a victim’s card details to a major online merchant or digital wallet, the new card details could update there too, allowing the fraud to start again.

There can be various reasons why people may see fraud continuing on a replacement card though, including fraud victims being targeted more than once by criminals.

Which? said it has heard from some consumers who said fraud had followed them on to a replacement card.

The consumer group said its own mystery shop research indicated that some banks do not allow customers to opt out of the automatic billing updater process.

Which? also found that, for some banks, when a card is cancelled due to fraud, they will fully opt its replacement out of the automatic billing updater.

Some banks block payments and/or automatic billing updates to the particular merchants involved in the fraud attempt, sometimes known as “merchant block” – but Which? also raised concerns that this may prevent the legitimate account holder from spending with the blocked merchant.

Which? said that with banks applying different approaches, consumers should be vigilant.

Jenny Ross, Which? Money editor, said: “When you’re issued with a new card, having the new number automatically updated in places you’ve saved it can be incredibly handy, allowing subscriptions to renew seamlessly and enabling you to spend online without manually updating.

“However, Which? has found that if you’re a victim of fraud, if this update isn’t turned off it could have unintended consequences, allowing criminals to keep on spending.

“Even more alarmingly, customers are most often powerless to opt out of this update, leaving them at the mercy of their individual bank’s fraud policy.

“Which? is calling on banks to allow customers the option to turn off automatic billing updaters (ABUs), and to develop a consistent approach to ABU in cases of fraud.”

Which? suggested that, to help reduce the risk of card fraud, people reporting fraud to their bank should ask whether it has broken the link between their card and any fraudster-controlled accounts.

It said people should also closely monitor their account after being a victim of card fraud.

Unrecognised or suspect payments should be reported to the bank immediately.

A spokesperson for banking and finance industry body UK Finance said: “Account updater services help keep payments running smoothly and prevent regular payments from being blocked when a card is replaced.

“Banks manage this service in different ways but fraud linked to these updates is rare.

“Anyone who spots an unusual payment should contact their bank immediately and they will be able to help.”

An HSBC UK spokesperson said: “Billing updater services provide customers with smoother journeys and better outcomes.

“While customers are unable to opt out, our procedures prevent the type of repeat fraud described.

“When a customer’s card details are used by fraudsters, we inform Visa or Mastercard it’s been cancelled and block merchants from receiving replacement card details.”

A Lloyds Banking Group spokesperson told Which?: “If a customer requests for a payment to be blocked or there is suspected suspicious activity on the account, we apply continuous payment authority blocks which are carried over to newly issued cards.”

A Nationwide Building Society spokesperson told the consumer group: “If a customer spots a fraudulent recurring payment, we will refund and take action quickly to keep their account safe.

“If necessary, we can block specific recurring transactions or change account details and issue new cards to them.”

A Starling spokesperson told Which?: “The ABU process does not apply to cards that are cancelled by the customer or because of fraud. This is an additional layer of protection for our customers.”

A Visa spokesperson told Which? that Visa account updater helps keep payments running smoothly.

The spokesperson said VAU is offered and managed by each Visa card‑issuing bank and banks are responsible for handling the service for each cardholder, “which includes stopping VAU or stopping it for a specific merchant in an instance where fraud has been detected”.

A Mastercard spokesperson said: “Our automated billing updater service is designed with consumers in mind, helping reduce the inconvenience of missed or delayed payments by keeping card details up to date with retailers and service providers.

“If a card is lost or stolen, these updates are stopped if the cardholder’s bank marks the card as closed in ABU.

“At Mastercard, we are committed to protecting consumers at every step of the payment journey, combining technology, standards and safeguards to keep transactions secure.”