Fraudulent Charge on Credit Card - possible Contabo breach (TBD)
-
Last night I received a text and email from my bank asking to confirm a purchase that I had not made. I responded with "no" and the bank denied the charge, canceled my card and is sending me a new one. I logged into my bank and changed my login credentials for safe measure. The reason why I suspect Contabo has been breached is because of the following:
1- The credit card I got charged on is the same I use for my Contabo plan.
2- The fraud charge is $210.99 while my Contabo monthly plan is $21.99.
3- Both charges occurred within 3 hours of each other (the fraud charge happened before the legit Contabo one, hoping I'd approve it without checking twice).
4- The fraud charge happened through Facebook; to be specific "FBPAY *STARS".
I'm in the US and using Contabo's US server so this might be limited to Contabo's US billing system. I emailed Contabo last night regarding this but haven't heard back. Their policy is Mon-Fri so I doubt they'll respond during the weekend. These details might be a coincidence and maybe my card has been compromised elsewhere.
Is anyone else in the same boat? Check your credit cards!
-
@humptydumpty what a pain - at least they stopped it - phew.
-
I received a reply back from Contabo's support and they claim no breach has happened. The search continues...
Thank you for contacting Contabo support; We do not have of course any data breaches, however it might have been that your email used for Contabo account got hacked. Please secure your email and passwords we also recommend to use 2-factor authentication. Still, we are always available for you personally and will respond to all of your questions as soon as possible. Always feel free to contact us. -- Best regards, Dmytro Husiev Support Specialist
-
@timconsidine The bank handled things well and made it effortless for me. However, I'm still clueless as to where the compromise has occurred and that's got me paranoid. Is it my Cloudron mail/server, a specific app (roundcube, freescout, snappymail), idk.. my thoughts are all over the place. I can't shake the "coincidences" of the similarity in the amounts charged and the date and time of their occurrences.
I've changed all bank related credentials, double checked contact info and such, all good (no change and as they should be). I changed my admin login for my Cloudron server where my mail server resides which led to some errors in Freescout which I'm currently double checking since I deleted all app passwords under my admin profile.
I need to step back and chill a bit so I can see this from a different angle.
-
@humptydumpty good actions, and understandable concern.
I've had it happen a couple of times, and I wasn't able to understand it at all. So be kind to yourself. It may just be a hack in the dark, your Contabo debit is probably a standard amount for users. Good to search for reasons, but be prepared for it to be a mystery.
The little I know about it, it's often data from multiple sources and a huge amount of 'try it and see' from the perpetrators. Bit like phishing emails, they know 99.999% will fail, they just hope and wait for the 0.001% which works by some strange luck on their side.
-
@timconsidine I'm tying up some loose ends and rethinking my security measures like using a unique email for all services. CR 7.3 came out at the right time. I'm going to take advantage of the wildcard/alias feature and organize services by category*alias@domain.com.
The Contabo plan isn't the default amount since I have signed up for that server with a promotion and have extra storage added which adds a few more bucks to the bill. I also don't have the usual US-location fee added so the amount isn't common.
I've gone through my card purchase history for the last year or so and compiled a loooooong list of vendors, some of which I need to change the card details for their recurring charges.
Like you've said though, I'll probably go nuts before I find the culprit. It's a good wake up call though for evaluating my tech stack and security measures.
-
@humptydumpty This is why I never use a card I rely on for other things. All my hosting-related costs (everything on the internet in fact) go on Revolut, that way I never need to worry about cards being cancelled and I know for sure where the problem originates from.
-
If you are in the US, I suggest Privacy.com for virtual payment cards.
If you are in Europe, I think Revolut has virtual cards as well.
-
@privsec said in Fraudulent Charge on Credit Card - possible Contabo breach (TBD):
If you are in Europe, I think Revolut has virtual cards as well.
They do, it's great.
With Revolut you can create a one-time use set of card details which are automatically replaced as soon as they are used (and of course a notification is sent informing you they've just been used too).
I use them for doing things like giving Z Library money because I've no real idea who they are.
Here's my referral link if you want to sign-up:
-
@jdaviescoates +1 for Revolut.
Very useful when travelling in Europe (and presumably elsewhere) to reduce bank charges and improve currency conversion rates.
You still suffer, just less than you would with a high street bank.
Just one word of caution: Revolut doesn't yet have a full UK banking licence, so don't put your life's savings with them.
Just in case.
Bank of England doesn't like their exposure to crypto.
And Revolut's management move too fast for BoE's liking!
But for transactional stuff and a front-end to protect your real account, Revolut are great.
Also worth mentioning WISE (formerly TransferWise) : similar facilities, and possibly better than Revolut on currency rates and international payments (and GBP too).
-
@timconsidine Whoa, neat, I'll have to look into them
-
I'm in the US so I'm not sure if Revolut would work for me (without a foreign transaction fee that is). I do use Privacy.com but it's for debit only, no credit cards. Anyone know of virtual cards for credit cards specifically?
-
@timconsidine said in Fraudulent Charge on Credit Card - possible Contabo breach (TBD):
Also worth mentioning WISE (formerly TransferWise) : similar facilities, and possibly better than Revolut on currency rates and international payments (and GBP too).
Yes, I'll second that..
Wise are very useful worldwide. Here's an invite link.
-
Check out divvy pay, maybe what you're looking for
-
@timconsidine said in Fraudulent Charge on Credit Card - possible Contabo breach (TBD):
Also worth mentioning WISE (formerly TransferWise) : similar facilities, and possibly better than Revolut on currency rates and international payments (and GBP too).
Yeah, I use Wise for all the things you mentioned Revolut is good for (for which it is even better).
Literally the only thing I use Revolut for is their one time card details. If Wise did those too I'd ditch Revolut.
Here's my Wise referral link!
-
@timconsidine said in Fraudulent Charge on Credit Card - possible Contabo breach (TBD):
Just one word of caution : Revolut doesn't yet have a full UK banking licence, so don't put your life's savings with them.
They don't have any licence. The money you hold with them is still protected under FSCS as they use UK banks to hold the money who do have a licence.
They are completely safe up to the FSCS limit.
Not really a problem as their overall service is very limited until they get a licence. Early next year hopefully.
-
@LeeW said in Fraudulent Charge on Credit Card - possible Contabo breach (TBD):
The money you hold with them is still protected under FSCS as they use UK banks to hold the money who do have a licence.
Kind of.
https://www.revolut.com/how-we-keep-your-money-safe/ explicitly states "not FSCS"
https://www.revolut.com/legal/savings-vaults/ says:
"Your normal Revolut accounts (which are e-money accounts you hold with us) are not covered by the Scheme, but are 'safeguarded'. This means that whenever money is moved from your Savings Vault back to your normal Revolut account, it stops being protected by the FSCS, but is safeguarded instead."
and https://www.revolut.com/legal/terms/ says:
"8. How is my money protected?
"When we become aware of a payment for your account, or you add money to it, we issue the equivalent value of e-money to your account immediately.
"When we receive that payment or the money you add, we quickly either:
- place it into one of the dedicated client money bank accounts that we hold with large commercial or central banks (client money accounts keep your money separated from our own money, and the types of banks we can use are set by regulations); or
- invest it in low-risk assets that have been approved by our regulator, which are also kept in dedicated client accounts with financial institutions.
"We call this "safeguarding".
"The time at which we receive a payment for you or receive the money you add depends how we receive it:
- We only become aware of inbound bank transfers when they arrive in our bank account. When we receive these transfers, we issue the e-money to your account straight away.
- When you add money on the Revolut app (for example, by using your stored card, Apple or Google pay, or some other payment methods), we know the payment is coming before we actually receive it, so we issue the e-money to your account straight away. However, we don't safeguard the money for these payments until we actually receive it. If it's been more than five business days since we issued you the e-money but the payment still hasn't arrived, we safeguard the money for you, using our own money, anyway.
"A business day is a day other than a weekend or bank holiday in England.
"We keep safeguarding your money until you pay it out. This happens when you spend or withdraw it using your Revolut card, send it to another bank account or Revolut user, or spend it in any other way.
"What would happen in an insolvency?
"Safeguarding helps protect you if we were to become insolvent. If that were to happen, you (and all our other customers) would be paid out your e-money balances from our client money bank accounts. This process would be handled by an insolvency practitioner, not by us. However, safeguarding regulations make sure that once any costs related to an insolvency are paid out you will be paid from our client money accounts before anyone else.
"The money in your account isn't covered by the Financial Services Compensation Scheme (because it's safeguarded instead)."
-
@LeeW said in Fraudulent Charge on Credit Card - possible Contabo breach (TBD):
Early next year hopefully.
From Telegraph in Sep 2022 (https://www.telegraph.co.uk/business/2022/09/08/revolut-does-not-deserve-banking-licence/) :
Instead of wondering why Revolut hasn't been granted a licence, the question may need rephrasing: will it ever get one?
Their involvement in crypto is a big unresolved issue.
I can't see BoE taking the risk. Despite what their founder says.
Doesn't stop me being a fan of them for certain situations.
-
I use them for small but regular transactions, internet, travel and so on. I would never use them, Monzo, Starling or other online FI with my income or savings.
Revolut has a clear purpose for most, it is not their main banking account.
-
@LeeW said in Fraudulent Charge on Credit Card - possible Contabo breach (TBD):
Starling
Starling Bank is a fully licensed and regulated bank so isn't really in the same camp as Revolut.
IMHO they are the best business current account provider in the UK (in terms of a balance of ethics and value - Triodos more ethical but often not open to new applications and they charge fees for doing almost anything), unless you're a business that isn't a Company but is instead a Society or other legal structure as only companies can use Starling (I think just because their automatic ID checks check stuff on the Companies House register which they can't check for other entities).
For non-companies I recommended Unity Trust Bank
Anyways, Starling will plant a tree if you switch using this link:
https://www.starlingbank.com/referral/?code=zw8QLn
PS Monzo is also a fully licensed and regulated bank, but not as ethical as Starling (despite Ethical Consumer giving them the same overall rating), see
https://www.ethicalconsumer.org/sites/default/files/flipbook/Issue186/16/