Spooky auto update of new Monzo card on Kickstarter

I thought I’d see if anyone else has come across this. I’ve raised it with Monzo and they’ve passed it onto the specialist team to look into.

I pledged to a Kickstarter months ago, near the end of October. It was due to finish on 14th December.

On 5th December I had my works Xmas night out and lost my card. Froze it, reported it lost and ordered a new one as you do.

I’d totally forgotten about the Kickstarter pledge by this point. Skip to 14th December and I start to get messages from Kickstarter because the payment failed. So close to Christmas I regretted backing something to the tune of nearly £70 and was glad it hadn’t gone through.

Fast forward to a week later and the payment was suddenly taken! I checked my kickstarter account after raising it with Monzo and in my Kickstarter account were my latest debit card details. As the above paragraph will attest, I pointedly did not log on and change my card details.

I queried this with Kickstarter and they said it’s something that Stripe do, having the ability to charge a cancelled card. Some sort of measure that stops failed payments for pledges made.

This doesn’t only not make sense, it also rings all sorts of alarm bells!

Charging a cancelled card should never be possible or allowable by any payment services provider once a bank has allowed the cancelling of a card.

Secondly, my new card was charged, not the cancelled one. Somehow it’s like stripe have my card details on file and because they are the payment services provider for a huge number of businesses, small and large alike, I suspect that they’ve somehow appended themselves to my Kickstarter account as I will have put those card details through stripe on one website or another.

On principal, when the specialist team have their findings, I want the payment reversed. I feel like this breaches all sorts of security and privacy boundaries and I’m hoping Monzo find out what’s going on here and challenge it.

1 Like

I wonder if you have this Monzo Labs feature enabled? Monzo Labs: Share Card Replacements 💳

5 Likes

Good call but nope. I saw that when I went in not long ago to give the new sending money by text and email feature a go (which sidebar, is awesome) and went “er nope, I don’t bloody think so, that’s staying switched off!”

I’ll never agree to giving up that much control for the convenience.

This is the Mastercard Automatic Billing updater… https://www.mastercard.us/content/dam/mccom/en-us/issuers/Documents/Mastercard-Automatic-Billing-Updater-Merchant-Global-2017.pdf

3 Likes

What. The. Fudge.

I’m horrified. This is basically vendors ganging up and pressuring one of the two electronic payment gatekeepers on our planet to be allowed to have new card details without our permission.

No ma’am. I’m not having that. I’ve been back onto the message thread on chat support and told them I want that payment reversing. It should be up to me to replace card details as I see fit and as needs doing. I am not giving up that much control just because it may or not be convenient.

I am however, quite shocked that support didn’t know it was this straight away?!

Well, that’s fair. But I’m less bothered about that than this exists. I’ve just googled it. it’s not even that new O_O

I can see there are organisations that offer opt out’s for this. Monzo need to be doing the same.

Oh wait hang on, is it the feature that’s in labs?

I don’t have that switched on. Phew. In that case it makes sense that they’ve had to pass it along to the specialist team.

1 Like

What grounds are you asking for the reversal? You pledged money and they’ve taken payment. If you’d cancelled it then I’d understand.

Just curious

17 Likes

They took payment on card details they never should have had access to, not that I gave.

1 Like

But you did enter into a contract where you agreed to pay, and you didn’t cancel that agreement, preferring to rely on the payment failing. That in itself doesn’t tell Kickstarter you want to renege on what they expect you to pay for.

Then tech got the better of you and Kickstarter found a way to charge you.

It’s one thing questioning whether Monzo should have auto–updated your debit card details, but it’s bad form to treat Kickstarter that way. Monzo shouldn’t have to reverse the payment, you should speak with Kickstarter about it – presumably it’s covered by the distance selling regulations (but if what you paid for was delivered electronically you may not be able to get a refund).

31 Likes

Suppose we can add Kickstarter to the vendor share card Wiki…:sweat_smile:

In all seriousness, if this is the case, I’m not sure you’ll see that money again.

This is nothing to do with whether @phteven79 should honour a pledge on Kickstarter, it is whether venders should have charged a new card when the option is off in the settings. I’m sure Kickstarter is big enough, and corporate enough, to get over one person not paying a pledge and it is for them to question the break of contract with him.

5 Likes

As you’ve not enabled the labs feature that’s been mentioned I’m wondering if you’ve been charged as the result of a Continous Payment Authority instead? Businesses using these can also in effect charge expired cards.

It would kind of make sense from Kickstarter’s point of view to use these as the charge date may be delayed somewhat from the user making the pledge (and thus entering into the contract.

2 Likes

There’s a hint on the Kickstarter help page indicating they might be using CPAs as they say your bank may showing the pledge as a recurring charge even though it’s a one-off. See here:

3 Likes

I never knew this was a thing, I thought once you get a new card you have the confidence knowing that any dodgy/hacked website with those details no longer works.

Is this saying that they can obtain the new card details using the old, isn’t that itself a security issue?

On a related note, if you use PayPal go to Autopay page and you’ll be shocked the number of companies that took what you thought were one-off payments as ‘recurring’ so they can charge you by card at any point without asking you again. Happened to me with 123Reg as they turn on auto renew by default, got them to reverse it but a bit of hassle. I had ~30 listed now just two, Spotify and eBay.

https://www.paypal.com/myaccount/autopay/

1 Like

Wouldn’t this feature be open to abuse If you get your card details stolen fraudsters could still use if they’ve added it to a site that does recurring payments like subscription services.

1 Like

I believe MasterCard can tell the difference between a normal card replacement through damage/expiry and one replaced due to lost or stolen details.
In the later case it wouldn’t auto update them.

Wouldn’t Monzo not just break the continuous payment authority with the merchant the fraud took place so thats is why the card wouldn’t update? I would be happy to be corrected though.

How is the lab feature new if this is already being done?