" Active Card Check " Most Likely Fraudulent

Monzo? Ticketmaster 2.0? :pray:

@jonj1 I think you’re right re: my mom’s card being tested on that Canadian site. She just had an attempted transaction at Walmart CA this afternoon. Monzo declined because the card had been replaced.

Unrelated to the Lyca incident, but thought I’d update here nonetheless.

(speculation:) Yep, what I think has happened is that all of Lyca’s customer cards have been dumped onto a card selling marketplace, which has added a function to “test” a card before you buy it, or the marketplace automatically tests these cards at an interval.

I spent some time reading up on it, mainly here https://www.bleepingcomputer.com/news/security/new-bidencash-site-sells-your-stolen-credit-card-for-just-15-cents/

So what I think has happened is the Lyca database of cards has been published onto this marketplace or a similar one. This would explain why we see actual UK based fraud after a USA/CA active card check

The active card check was an automated test, the UK/GBP fraud was an actual fraudster purchasing that card and then using it at a UK (or Australian) retailer - some were Coles, PizzaHut in AUS and Amazon, Eneba in UK/GBP

This means we will obviously see some overlap from people who never used Lyca, which is why I was always looking at the majority here. My point has always been, I shouldn’t be able to throw a relatively small net on a forum like this and find so many users with compromised cards all at the same retailers, I should just find one or two - like I did when (you and one guy?) hadn’t had their card leaked by Lyca

The only real outlets onto these sites are:

  • Malware, e.g. a keylogger on your device
  • Data breaches

Again, speculation, but I think that this is the most likely solution. There is very rarely a case where credit cards are breached and then used by the “hackers” because they have so many, so they are sold in bulk onto marketplaces so people can buy them for cheap and commit petty fraud.

+1 for Lyca with my Lyca-only Revolut VC.

I blame @andrew_fishy for ever getting me to try this shambolic operator


That’s fair, hey. If I knew how bad it truly was…


Lyca replied to ISPR stating they conducted a review and found nothing

If we entertain the BIN idea, realistically it’s possible that my card was BIN attacked, the odds are like 1 in 1 million, which becomes entirely unrealistic when you find people on “small” communities like these

Maybe the database of Lyca didn’t get breached, maybe there was something in the middle, maybe they got access to the emails they send with 10 out of 16 digits of the card number and it gave them better odds for generating cards… but somewhere, someone got breached. If this was a BIN attack it would have to be affecting a lot more people to find so many on ISPR, Monzo, and the gateways would’ve shut it down a long time ago

It’s not a BIN attack. Mark is wrong. The characteristics of what we’re seeing don’t align with what we’d expect from a BIN attack.

If it were a BIN attack we’d be observing the following:

  1. The common denominator would be a card issuer, not a merchant.
  2. The issue would be affecting a number of cards belonging to that BIN. Assuming the BIN for Monzo’s virtual cards, you’d be seeing it for other Monzo virtual cards, not just the ones used with a common merchant (in this case Lyca).

Instead, we’ve observed the issue affecting multiple card issuers with very different BINs, with their use at Lyca being the only known common denominator linking these individual cases together.

We also have not observed it happening with other Monzo virtual cards belonging to the same BIN which have not been used with Lyca. Something we’d expect to see in the event of a BIN attack.

So the idea it’s more likely a BIN attack than a data breach at Lyca just isn’t plausible here.
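The common-denominator test argued in the post above can be run mechanically over a set of fraud reports. The following is an added example, not part of the original thread; the BINs, merchant names and the 0.7 threshold are constructed assumptions.

```python
from collections import Counter

# Constructed fraud reports: issuer BIN (made-up 6-digit values) and the
# merchants each card had been used with before the fraud. Not real data.
MERCHANT_LEAK = [
    {"bin": "400001", "merchants": {"TelcoA", "Grocer"}},
    {"bin": "510002", "merchants": {"TelcoA"}},
    {"bin": "400001", "merchants": {"TelcoA", "Streaming"}},
    {"bin": "530003", "merchants": {"TelcoA", "Grocer"}},
    {"bin": "450004", "merchants": {"Streaming"}},   # unrelated noise
]
BIN_ATTACK = [
    {"bin": "400001", "merchants": {"Grocer"}},
    {"bin": "400001", "merchants": {"Streaming"}},
    {"bin": "400001", "merchants": set()},           # card never used anywhere
    {"bin": "400001", "merchants": {"TelcoA"}},
    {"bin": "510002", "merchants": {"Grocer"}},
]

def top_share(counter, total):
    """Return (value, share of reports) for the most common value."""
    if not counter:
        return None, 0.0
    value, count = counter.most_common(1)[0]
    return value, count / total

def classify(reports, threshold=0.7):
    """Label a set of reports by its dominant common denominator."""
    total = len(reports)
    bins = Counter(r["bin"] for r in reports)
    merchants = Counter(m for r in reports for m in r["merchants"])
    top_bin, bin_share = top_share(bins, total)
    top_merchant, merchant_share = top_share(merchants, total)
    if merchant_share >= threshold and merchant_share > bin_share:
        # Same merchant across several issuers: common point of purchase.
        issuers = {r["bin"] for r in reports if top_merchant in r["merchants"]}
        return ("merchant", top_merchant, len(issuers))
    if bin_share >= threshold:
        # One issuer range, no shared merchant: consistent with BIN enumeration.
        return ("bin", top_bin, 1)
    return ("inconclusive", None, 0)
```

The third element of the result is the number of distinct issuer BINs sharing the common merchant; a value above one is what separates a merchant-side leak from an issuer-side pattern.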

I’m certain it’s not a BIN attack, was just entertaining the idea

Of course speculation, but this is what I believe happened

  • Lyca just migrated from a WordPress site to a new NextJS based site
  • An outsourced developer tasked with migrating an unencrypted version of the data to a new database took a copy of the cards and sold them

Which wouldn’t generate any log files, likely no trail that they can see

Also the Reddit thread I posted now has over 20 unique people who were Lyca users, saying they searched the transaction name and found the thread

Sure it’s a bit biased because it says Lyca all over the thread, but shouldn’t I have found a guy saying I was charged and I never used Lyca, by now?

Maybe. The fact you’ve included a list of known merchants where the active card checks are occurring should open you up to folks searching up those merchants too, not just Lyca customers. I suspect it’ll be the folks who have those card checks finding the thread first and foremost, not Lyca customers. So it’s more credible evidence.

In a BIN attack, the people stumbling across that would all be with the same bank. Not with the same mobile provider.

I wonder though, I’m curious if the Lyca trend would have been apparent had your post been targeting Monzo customers instead. Or if that would have painted a trend more similar to that of a BIN attack.

But then this thread does that, and it sits squarely within a more Monzo-esque niche bubble, and that Lyca trend was still apparent, so…

That’s what I was thinking, no one would be searching for Lyca but they would search for the name of the merchant, so surely that should find some non-Lyca customers but it doesn’t

Here’s a thread where users found a BIN attack at their bank, it goes very different and it’s very obvious it’s just the bank that’s the common denominator:

And there’s a LOT more people, like you’d expect, if this is a BIN attack it has to be a huge scale one to affect many members of this forum

By my recollection, this has happened to Monzo (virtual and physical) cards, Revolut (virtual and physical) cards, Lloyds cards, HSBC cards, Starling cards, Chase virtual cards, and possibly others.

The common link between them is Lyca not the BIN. That about says it all, really.

I think some folks are mistakenly zoning in on Monzo and ignoring or missing the fact that many other card issuers are caught up in this incident too.

Yes, but even if we pretend like it was only affecting Monzo users, I don’t know how to use the right words to point out how impossibly low the odds are that they affect users of this forum, but don’t affect a huge amount of Monzo users that would result in a megathread like the Citibank one above

A BIN attack would have to affect a majority (or a lot) of Monzo customers before you’d find so many affected users on here, right?

Not necessarily, but it would affect more than just virtual cards used exclusively with Lyca and Monzo customers who have also been a Lyca customer. It would be affecting those who have never used Lyca more prominently than those who have, given that they’re a tiny network whom only a small proportion of Monzo’s customers will have ever used.

I think we’d have had more threads on here of virtual cards being compromised by folks who have never used Lyca.

Yeah, maybe majority is too strong of a word, but we should definitely be seeing a lot more complaints? I’d expect maybe a Reddit thread on the Monzo SB, etc

You described what I was trying to say great, we should be seeing more non-Lyca users than Lyca users, in every thread

I’ve just had 19.99 taken from my Monzo account as an Amazon transaction. It’s defo not anything that’s been purchased on my Amazon account.

There was an active card check right before it.

And guess what, it’s the card on my Lyca account.

It appears I can’t do anything to get help. Could this be because it still shows as pending?

Help is a bit tricky but I managed to flag it. I was refunded straight away and told the fraud report has closed. Is this normal?

I’m guessing it’s simply because I said I still had my card and phone secure. Guess I’ll be going the virtual card route with Lyca until I can ditch them…

Poster with 86 virtual cards has fraud on one of them, guess what? It’s the Lyca Card

How were they able to actually use mine, if everyone else is being declined?