POSB debit cardholder fraudulently charged for 'ChatGPT subscription' -- and he's not the only one

Submitted by Stomper YP


Could it happen to you?

A POSB debit cardholder discovered a fraudulent charge for a "ChatGPT subscription" on May 7 in his account and learnt he was not alone.

Other bank card holders also reported deductions for "ChatGPT subscription" even though they never subscribed to the paid version of OpenAI’s artificial intelligence programme, which was launched in February and costs US$20 (S$27) per month.

Stomper YP said: "I was checking my POSB debit card transactions and found a suspicious transaction of US$20 for a 'ChatGPT subscription'.

"I called POSB immediately to enquire about this transaction and request to cancel my card and any similar transactions.

"The bank explained that scammers have managed to correctly churn out the 16-digit debit card number, the card expiry date and the card validation value (CVV). While the bank has in goodwill returned the money, what struck me was that the scammers were able to guess all three domains correctly.

"I checked with my friends and a lot of them said they experienced the same thing. What is the probability of guessing it correctly for so many people?

"We deduced that the bank must have somehow leaked out our details unknowingly instead of scammers churning out the data."

Stomp has contacted POSB for more info.

Since January, the police have received four reports of such unauthorised transactions involving OpenAI or ChatGPT, The Straits Times reported.

Mr Ian Lim, Palo Alto Networks’ field chief security officer, told ST that these card details could have been derived from a Bank Identification Number (BIN) attack, where fraudsters have the leading six digits of a credit card and use software to generate the remaining numbers, along with the card verification value (CVV) and expiry date.

Mr Lim said: “The fully generated numbers are then tested against real transactions to see if the card is still valid.”

Also, to keep things easy to use, most merchants do not require the user to provide two or more verification factors for transactions that do not involve a physical card, Mr Lim said, noting that BIN attacks have been rising in tandem with online purchases.

This allows enumeration tools to try many different combinations of numbers without customers having to approve each attempt. A fraudulent transaction succeeds when a card number generated by trial and error turns out to be live.
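The "tested against real transactions" step is what an issuer or acquirer can actually see: a burst of authorisation attempts at one merchant, spread across many card numbers that share a BIN, mostly declined, with the odd approval. The script below is an added example written for this page (it is not code from the article, Palo Alto Networks or any bank) that scores card-not-present authorisation logs for that pattern. The log format, the merchant names, the BIN 400000 and the card numbers are all constructed for the example; the only real algorithm in it is the Luhn checksum, which is also used to spot sloppily generated numbers that fail the check digit.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def luhn_check_digit(partial: str) -> str:
    """Return the Luhn check digit for a PAN that is missing its last digit."""
    total = 0
    # Walking right to left over `partial`, the rightmost digit sits next to
    # the (absent) check digit and is therefore the first one doubled.
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(pan: str) -> bool:
    """True when the full PAN's last digit matches its Luhn check digit."""
    return pan.isdigit() and len(pan) >= 2 and luhn_check_digit(pan[:-1]) == pan[-1]


def parse_line(line: str) -> dict:
    """Parse one constructed log line: '<ISO ts>Z merchant=.. pan=.. amount=.. result=..'."""
    ts_str, *kv = line.split()
    fields = dict(p.split("=", 1) for p in kv)
    fields["ts"] = datetime.fromisoformat(ts_str.rstrip("Z"))
    fields["amount"] = float(fields["amount"])
    return fields


def detect_bin_attacks(events, window=timedelta(minutes=10), min_cards=5, min_decline_rate=0.8):
    """Flag (merchant, BIN) pairs where many distinct PANs are tried in a short window
    and most attempts are declined. Thresholds are illustrative, not tuned values.
    The first six digits are treated as the BIN; newer 8-digit BINs would need a wider prefix."""
    groups = defaultdict(list)
    for e in events:
        groups[(e["merchant"], e["pan"][:6])].append(e)
    alerts = []
    for (merchant, bin_), evs in groups.items():
        evs.sort(key=lambda e: e["ts"])
        best = None
        for start in range(len(evs)):
            end = start
            while end + 1 < len(evs) and evs[end + 1]["ts"] - evs[start]["ts"] <= window:
                end += 1
            win = evs[start:end + 1]
            pans = {e["pan"] for e in win}
            if len(pans) < min_cards:
                continue
            rate = sum(e["result"] == "DECLINED" for e in win) / len(win)
            if rate < min_decline_rate:
                continue
            if best is None or len(win) > best["attempts"]:
                best = {
                    "merchant": merchant,
                    "bin": bin_,
                    "window_start": win[0]["ts"],
                    "attempts": len(win),
                    "distinct_pans": len(pans),
                    "decline_rate": round(rate, 3),
                    # numbers that fail the check digit: the generator did not even bother with Luhn
                    "luhn_invalid": sum(not luhn_valid(p) for p in pans),
                    # the hits: cards that answered APPROVED and should be blocked and reissued
                    "approved_pans": sorted(e["pan"] for e in win if e["result"] == "APPROVED"),
                }
        if best:
            alerts.append(best)
    return alerts


def build_sample_log():
    """Constructed sample: one enumeration burst at 'shop-a' plus ordinary traffic at 'shop-b'."""
    t0 = datetime(2023, 5, 7, 2, 14, 0)
    lines = []
    # Eight sequential account numbers under the made-up BIN 400000, 30 s apart, $1 each.
    for i in range(8):
        body = "400000" + f"{100000000 + i:09d}"      # 6-digit BIN + 9-digit account number
        pan = body + luhn_check_digit(body)
        if i == 3:                                       # one candidate with a wrong check digit
            pan = body + str((int(pan[-1]) + 1) % 10)
        result = "APPROVED" if i == 5 else "DECLINED"    # one live card among the guesses
        ts = t0 + timedelta(seconds=30 * i)
        lines.append(f"{ts.isoformat()}Z merchant=shop-a pan={pan} amount=1.00 result={result}")
    # Three genuine customers at another merchant over three hours, all approved.
    for i, bin_ in enumerate(["400000", "510000", "400000"]):
        body = bin_ + f"{500000000 + 7 * i:09d}"
        pan = body + luhn_check_digit(body)
        ts = t0 + timedelta(hours=i)
        lines.append(f"{ts.isoformat()}Z merchant=shop-b pan={pan} amount=49.90 result=APPROVED")
    return lines


def run_sample():
    """Parse the constructed log and return the alerts it produces."""
    return detect_bin_attacks([parse_line(l) for l in build_sample_log()])


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

On the constructed log this raises a single alert for shop-a / BIN 400000: eight attempts on eight distinct cards in under four minutes, 87.5% declined, one number that fails the Luhn check and one approved card. That approved card is the output that matters operationally: it is the number the fraudster now knows is live, and it is what the issuer should block before the larger charge follows. The same grouping also explains why the cardholder's friends were hit together: cards from one bank share a BIN, so one enumeration run touches many of that bank's customers at once without any leak being needed.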

Fraudulent transactions can also occur when cyber criminals use card details from a data leak or when a customer’s data is stolen from an unsecured website, said Mr Beaver Chua, OCBC Bank’s head of anti-fraud, group financial crime compliance.