BitPay Visa Alert. Cardholders having unauthorized purchases

[DaveF]

So I got this in my email today:

This week, a handful of BitPay cardholders let us know about unauthorized purchases made online and/or at several specific retail stores. While these appear isolated, we wanted to encourage you to review your transactions in light of what we have learned.
BitPay does not hold your card number or process Visa card transactions. As such, we are working with BitPay’s card program manager to investigate all unauthorized transaction activity with Visa and resolve these issues as soon as possible.
Please report any unauthorized card transactions directly to 1-855-884-7568. A cardholder services specialist will help you.

So, it looks like their card provider got hit.

Figured I would post about it for the people that might not see it in their email.

-Dave

[1715239215]

1715239215

[1715239215]

1715239215

[1715239215]

1715239215

[1715239215]

1715239215

[hello_good_sir]

I'm confused, basically, people with the Bitpay card are reporting that the Bitpay card (not their regular bank one) have been used for random transactions that they did not authorize?

I don't think it's an issue with their card issuer (Visa), could be something a lot more interesting.

If they are made at specific retail stores, could it be a possible hack or exploit or something? A bunch of people using those cards to chargeback stores and also commit other fraud?

Thanks for the post - I think there's actually a lot to this story, not just their card issuer getting hit or something.

[magneto]

I wonder if Visa would be able to compensate these unauthorised purchases?

That's what they usually do. But due to the irreversible nature of bitcoin that is involved in the transaction I'm not sure if they stance remains unchanged.

This is one of my primary concerns in regards to bitcoin debit cards - they sound awesome in the beginning but then you realise that you're tying something irreversible to somethnig that be accessed through just typing in a card number and expiry date (and CVV).

[LeGaulois]

I wonder if Visa would be able to compensate these unauthorised purchases?

It's not up to Visa to compensate people, but the card issuer, (in BitPay case, the Metropolitan Commercial Bank) or BitPay itself. But I doubt Visa or the MCB got exploited, otherwise it would be all over the news already.

Knowing BitPay has been hacked perhaps 3-4 times already I wouldn't be surprised if the breach comes from their system again even if BitPay does not hold the card number. Wait some hours and be sure it will hit Coindesk and co.

[hello_good_sir]

I wonder if Visa would be able to compensate these unauthorised purchases?

That's what they usually do. But due to the irreversible nature of bitcoin that is involved in the transaction I'm not sure if they stance remains unchanged.

This is one of my primary concerns in regards to bitcoin debit cards - they sound awesome in the beginning but then you realise that you're tying something irreversible to somethnig that be accessed through just typing in a card number and expiry date (and CVV).

It'll be bitpay compensating users. There's no way Visa got hacked, otherwise, we'll be seeing a lot more news and panic and a lot more than just some transactions at a retail store - and it'll be a lot more interesting.

Is that how those cards work? I thought the customers first needed to pay a certain fee and it'll end up having balance, not the system where it just takes BTC from your account during the time your using it. That's a lot more interesting, although I am still pretty sure we'll see refunds come in from bitpay's side.

A lot of those transactions are actually reversible, it's like a regular debit card where you are file for unauthorized transactions, etc, and get your money back from the company, don't think the bitcoin addition really changes much, but I could be wrong.

[DaveF]

Knowing BitPay has been hacked perhaps 3-4 times already I wouldn't be surprised if the breach comes from their system again even if BitPay does not hold the card number. Wait some hours and be sure it will hit Coindesk and co.

Since it's a re-loadable prepaid card, depending on the systems BitPay might not even have access to the number. They are just running API calls to the providers back end.
That was how it was done when I was dealing with selling them at my job. When you activated or looked at your transaction information or anything else we never had the data. It looked like the front end of our site, but it was not. We were just displaying data that was provided to us.

If there was an issue the number you called was for the card provider, if there was fraud it was between you and the provider. It looked like us, but it was not.

No idea of the BitPay deal.

-Dave

[audaciousbeing]

So I got this in my email today:

This week, a handful of BitPay cardholders let us know about unauthorized purchases made online and/or at several specific retail stores. While these appear isolated, we wanted to encourage you to review your transactions in light of what we have learned.
BitPay does not hold your card number or process Visa card transactions. As such, we are working with BitPay’s card program manager to investigate all unauthorized transaction activity with Visa and resolve these issues as soon as possible.
Please report any unauthorized card transactions directly to 1-855-884-7568. A cardholder services specialist will help you.

So, it looks like their card provider got hit.

Figured I would post about it for the people that might not see it in their email.

-Dave

This is really a sad news for their customers who got it by this shady activity perpetrated by some people. What BitPay have just done with this mail is just to get ahead of the situation and by putting the clause that they don't keep card details of their users is absolving themselves of responsibility which I feel is not ideal for a business to do. What trust are they trying to build in the crypto market especially to those who haven't used their services? When unauthorized transactions happen on visa and MasterCard, you approach your bank issuer and they take responsibilities not shifting and making it seems its not their responsibility.

[DaveF]

So I got this in my email today:

This week, a handful of BitPay cardholders let us know about unauthorized purchases made online and/or at several specific retail stores. While these appear isolated, we wanted to encourage you to review your transactions in light of what we have learned.
BitPay does not hold your card number or process Visa card transactions. As such, we are working with BitPay’s card program manager to investigate all unauthorized transaction activity with Visa and resolve these issues as soon as possible.
Please report any unauthorized card transactions directly to 1-855-884-7568. A cardholder services specialist will help you.

So, it looks like their card provider got hit.

Figured I would post about it for the people that might not see it in their email.

-Dave

This is really a sad news for their customers who got it by this shady activity perpetrated by some people. What BitPay have just done with this mail is just to get ahead of the situation and by putting the clause that they don't keep card details of their users is absolving themselves of responsibility which I feel is not ideal for a business to do. What trust are they trying to build in the crypto market especially to those who haven't used their services? When unauthorized transactions happen on visa and MasterCard, you approach your bank issuer and they take responsibilities not shifting and making it seems its not their responsibility.

The problem is BitPay might contractually be able to do anything or even have access to do anything.

More then likely from what I have been seeing they may not even have access to any card management back end. You log into their site and load your card and see your transactions but as I said in my above post they probably are just displaying data from and sending data to the card providers site. No different then if you contracted with MCB  to provide the audaciousbeing prepaid Visa.

Just my view from what they have said and having done something similar before.

-Dave

[hello_good_sir]

Knowing BitPay has been hacked perhaps 3-4 times already I wouldn't be surprised if the breach comes from their system again even if BitPay does not hold the card number. Wait some hours and be sure it will hit Coindesk and co.

Since it's a re-loadable prepaid card, depending on the systems BitPay might not even have access to the number. They are just running API calls to the providers back end.
That was how it was done when I was dealing with selling them at my job. When you activated or looked at your transaction information or anything else we never had the data. It looked like the front end of our site, but it was not. We were just displaying data that was provided to us.

If there was an issue the number you called was for the card provider, if there was fraud it was between you and the provider. It looked like us, but it was not.

No idea of the BitPay deal.

-Dave

Ah, that does make a lot more sense - I don't think Visa would be giving out their back end access to any other companies, so I think bitpay would be in a similar one with your's.

As I said before, it's likely an issues on Bitpay's network, they sent out cards to the wrong place, or some of their users got hacked and now their debit card numbers are displayed, and the best way for them to fix the issue if it really is widespread, lock all cards that seem to be hacked, and then resend them all out and replenish lost funds that seem to be hacked previously. Difficult course of action but keeps people safe.

[1Referee]

As I said before, it's likely an issues on Bitpay's network, they sent out cards to the wrong place, or some of their users got hacked and now their debit card numbers are displayed, and the best way for them to fix the issue if it really is widespread, lock all cards that seem to be hacked, and then resend them all out and replenish lost funds that seem to be hacked previously. Difficult course of action but keeps people safe.

It has definitely to do with BitPay. I'm not exactly sure what data they store on their servers and how well (or not) protected that data is, but it should be possible to load one's data into a blanco card and use that blanco card the way people use their BitPay card. This is one of the reasons I would never use a card issued by an amateur in the financial sector.

Visa's network is rock solid and with how trigger happy they are to put a block on people's cards for safety purposes, it would have been triggered already.

Whether it's BitPay's merchant tools or their BitPay card, there is no shortage of bad publicity due to their way of operating.

[DaveF]

Another email that was the same as the 1st one I posted came in yesterday.
No other updates or info about it.

Looking at the size of Metropolitan Commercial Bank (they are small in terms of banks) it makes you wonder if they are running their Visa program or if it is 3rd party.
Could be a lot of behind the curtain stuff here which is why they are not making a definitive statement about it.

-Dave

[daarul50]

I wonder if Visa would be able to compensate these unauthorised purchases?

It's not up to Visa to compensate people, but the card issuer, (in BitPay case, the Metropolitan Commercial Bank) or BitPay itself. But I doubt Visa or the MCB got exploited, otherwise it would be all over the news already.

Knowing BitPay has been hacked perhaps 3-4 times already I wouldn't be surprised if the breach comes from their system again even if BitPay does not hold the card number. Wait some hours and be sure it will hit Coindesk and co.

i'm leaving bitpay already since they often changing the policy , i don't like it especially when they finally require KYC.

that is a move that killing the business and now we have seen a couple times they hit by security breach , i'm watching them since 2018 where copay -a wallet developed by bitpay- was infected by malicious code.
even i think since 2015 bitpay several times facing lawsuit problem.
i don't want to speculate here but it is my personal decision that bitpay is sucks , i have no trust on them anymore.
too much security breach they faced in the last couple years , yes i know nothing can be free from any security breach but a multiple times like this is just something to me.

[DaveF]

I wonder if Visa would be able to compensate these unauthorised purchases?

It's not up to Visa to compensate people, but the card issuer, (in BitPay case, the Metropolitan Commercial Bank) or BitPay itself. But I doubt Visa or the MCB got exploited, otherwise it would be all over the news already.

Knowing BitPay has been hacked perhaps 3-4 times already I wouldn't be surprised if the breach comes from their system again even if BitPay does not hold the card number. Wait some hours and be sure it will hit Coindesk and co.

i'm leaving bitpay already since they often changing the policy , i don't like it especially when they finally require KYC.

that is a move that killing the business and now we have seen a couple times they hit by security breach , i'm watching them since 2018 where copay -a wallet developed by bitpay- was infected by malicious code.
even i think since 2015 bitpay several times facing lawsuit problem.
i don't want to speculate here but it is my personal decision that bitpay is sucks , i have no trust on them anymore.
too much security breach they faced in the last couple years , yes i know nothing can be free from any security breach but a multiple times like this is just something to me.

This also really does show how bad Visa / MasterCard are.
Think about it BitPay does not do the card.
Reading between the lines MCB provides the financial back end but is not dealing with the cards either.

Apple and Amazon 2 of the largest businesses who actually have their own branded cards DONT EVEN DEAL WITH IT. They hand it off to other places and just take a cut.

Heck Amazon has 2 different banks for their cards one for the Visa and one for their store card.

How big a mess do you have to be for a company that large, dealing with that many transactions to say "Nah, let Chase handle it not worth the stress"

Back to the BitPay issue, yeah they have had their issues and yeah KYC sucks. But if you are US based they are the only people who let you do CC loads with BTC on a debit card. You can get Virtual gift cards with BTC other places but nobody else gives you the plastic card to make transactions.

-Dave