Check your bank statements for payments to ‘Crunchyroll trial’. There’s been a scam running for several years, but it seems to have picked up this year. Banks are aware of it and yet they still allow payments to go through. Took me an hour on hold before I got it sorted on the phone this morning with CBA and have now got the card cancelled and money to be refunded (although if some stories on the internet are to be believed, not everyone gets their money back). Your credit/debit card number is obtained through an automated card number generator, so there’s little defence against it except constant vigilance.

Is this a reference to ‘Crunchy Roll’ a legitimate business taking money without authority, or a fake business debiting credit cards without authority?

Are you able to provide some further details of what has happened.

Note, one on line commentary, dated,
https://www.reddit.com/r/Crunchyroll/comments/o0vjlq/theres_a_scam_happening_be_careful_everyone/

Yes, sorry, should have clarified - crunchyroll is a legit video streaming service. The scammers are ‘just’ using the ‘crunchyroll *trial’ name. It appeared on my (debit card) statement as:

CRUNCHYROLL *TRIAL 415-503-9235 CA USA Card xx3510 NZD 124.99 Value Date: 27/04/2023

-$116.16

They use the same numbers in other examples I’ve seen on the net.
There is no suggestion that crunchyroll are in any way associated with the scam.

Do we know if the scammers have more than a CC number they have randomly created, or are they using details obtained through a data breach/theft?

The next obvious question is one expects Visa etc require more than just a CC number to charge an account. Further VISA or your bank must know where IE Payee, the funds are being directed. So where is the defect in their systems that enables the SCAM.

All good questions, Mark, I found this on the net, it’s a bit old but the same numbers are used.

Also found something from last year - a paypal user receiving invoices from crunchyroll.
The item on my account was pending for a few days but CBA would not act until payment went through. That raises another question. And the CBA rep I spoke with had heard about the scam and had ‘dealt with a few cases’. I suggested that I thought I had an idea when a breach might have happened (a single time I entered my card details on a legit website recently) and she dismissed that and explained that the card numbers were auto-generated. Why the bank just stands back and lets it happen I do not know.

Autogenerated? I find it very hard to believe that a valid card number, with a matching card holder name, and matching CCV, could be produced by a scammer. Sure, there are sites that generate CCs with all the details that can pass validation on Web sites, but that is not the same as the ACTUAL checking that is done in an ACTUAL transaction, where the details are validated for real.

A CC transaction should require all three of those, and all three validated. Throw in expiry date and there are four.

More likely some site where you have entered the card details has been compromised. I think you are right, and the bank person is wrong. Or perhaps the bank, your issuer, doesn’t really check inbound transactions. Nah, that couldn’t be.

I’d have to agree, Greg, although I did a bit of a web search for card number autogenerators and found a lot, such as this one edit: URL removed which can also generate CCV and name. They are legal and used for " eCommerce data testing purposes." but “cannot be used to purchase anything”. Hmm. I don’t have anything near the tech savvy to make any judgement on the veracity of that statement, but I’m with you in thinking that matching 3 or 4 components would be an unlikely feat. Would be good to have some input from a maths/algorithm expert on this. As it happens I have only used my card details online once this year and just a few days before the bogus transaction appeared. I only used it because I was offered no choice - had to prepay postage to return an item that I’d bought in error and it was the only payment method offered. This incident has certainly strengthened my aversion to posting my card details on the web.

A possible other source of your CC details being compromised is the malware out there that can install on your device and monitors entry of keystrokes and then sends that off to the scammer’s server.

Usually gets in by clicking on links in scam emails or SMS. Or in some instances applications downloaded from the Internet.

Cardholder name isn’t critical for credit card transactions for cards issued in Australia to be processed. Credit card number, expiry date, and CVV are critical and must be correct otherwise transactions will be declined. In our own business we sometimes have misspelt names which have been used…and in one case used a maiden name instead of a married name - these transaction proceeded successfully with manual credit card (not in person) transactions.

I also find it surprising that these three pieces of critical information (number, expiry and CVV) were randomly generated as it would take a large number of attempts to eventually get a combination right. If a large number (taking about potentially millions), a card issuer will suspend a card as it indicates that fraudulent transaction attempts in a card are likely.

I agree with @Gregr that it is most likely the credit card details were obtained by other means. Either by malicious apps, buying online from a dodgy website or by signing up to a free trial subscription somewhere using credit card details for activation, and these credit card details being harvested and used illegally.

This happened to me also, the card was 10 weeks old and never used for remote transactions. i.e. I had never used the CCV at any point.

During the conversation I had with the bank, there were claims that the card number could be bruteforced, and that the CCV wasn’t always necessary.

In addition, two charges were pending at the time, which I identified as fraudulent. They let them through, and took 3 weeks to reverse them.

Welcome to the Community @KenCleanAirSystem

Thanks for posting your experience. There should be a difference between reporting a disputed charge and a fraudulent charge in how they respond. Without further information it appears your experience was done as disputed transactions rather than a compromised card. Is that right?

I have had cards compromised over the past decades and never has the compromised card ‘lasted’ to the end of the phone call when it was cancelled/locked and a replacement issued with a new number. It used to be a major inconvenience when one had to await a new card in the post to move on. Today Westpac and probably others issue digital cards available for use in a few minutes that work online and with ‘Wallet’ for in-store use while awaiting a replacement plastic one, so the impost is updating ‘memorised’ and direct debit accounts.

OTOH disputed transactions were always handled as you described and often did not ‘clear’ on my account for weeks and sometimes multiple billing cycles although the amount was never billed until the dispute was resolved.

Deciding which (disputed transaction or compromised card) makes a difference in how it is processed.

That suggests whoever brute forced it might have had a record of what worked and what didn’t suggesting you need to keep a close watch and if there are any further fraudulent charges go with a compromised card if you have not already.

I can’t say what class of scam it was.

I was awoken by a text at about 2:30am, the bank was telling me that my card was blocked, and did I authorise this Crunchyroll charge. So they told me about the bogus charges (lucky they did, as I don’t check the account that frequently). When answered no to the authorisation query, they called me straight away, the card was cancelled. Mentioned a few other random charges, all nonsense.

They did well identifying a compromised card. The issuers usual process then is to lock the card account with all the charges in it, make the cardholder a new account and over the next few days migrate the ‘real charges’ to the new account. Exactly how they treat what remains in the old compromised account can vary but bogus charges disappear after a while.