Fraudulent Charges Persist After Card is Stopped: What Compensation Can the Issuer Offer?
Is there a difference in coverage depending on the rank of the card?
There is no end to card fraud. The large number of fraud victims reported by AEON Card is still fresh in our minds, and the slow response to the problem became a hot topic. One of the most surprising reports was a post on a social networking service that said, “Even if you stop the card, the fraudulent use doesn’t stop.”
Why on earth would such a thing happen? To what extent do credit card companies compensate for such incidents? We asked Kenji Matsuoka, a money writer and an expert on credit cards, about the latest situation.
The most common type of credit card fraud these days is the indiscriminate, random-number attack.
In the past, credit card information was often copied during payments or PINs were stolen. Later, phishing scams became widespread. Fraudulent websites would trick people with messages like “Your card usage is restricted” or “Your package is held,” prompting them to input personal information, which was then used to create fake virtual cards.
Currently, however, the most common method has become random attacks, where large organizations work together to randomly find real credit card numbers.
“The typical 16-digit credit card number has a pattern. The first six digits are usually fixed for each company, so by generating combinations for the remaining 10 digits and accessing them randomly, you might hit a valid number after millions of attempts.
Once a real card is found, fraudsters can create a virtual card based on that data, and then simply guess the four-digit PIN. This seems to be the most effective method currently,” says Kenji Matsuoka.
Loss, theft, entering personal data in response to phishing emails, or shopping on suspicious websites may involve some fault on the user’s side. However, being hit by a random attack is simply bad luck.
The Pitfalls of “Touch Payment” on Smartphones
What was most surprising about the recent incidents of fraud with Aeon was that even after the credit cards were suspended, the fraudulent transactions continued. People believed that once they canceled their cards upon detecting fraud, the issue would be resolved. However, this was not the case.
One theory, though speculative, is that the victims were primarily those using Apple Pay for contactless payments. Apple Pay can use e-money methods like iD or QuickPay, where small payments are often made offline, meaning no authentication is required for each transaction.
While international credit card standards require authentication with every transaction, Japan’s initial adoption of offline e-money systems, such as Suica, created a vulnerability. Attackers exploited this gap: even after the card was stopped, the virtual card in the smartphone remained unaffected, since no real-time authentication occurred.
Fraudsters reportedly took advantage of this gap by repeatedly making small purchases of up to 10,000 yen per transaction, sometimes in massive numbers. “It’s highly organized,” says an expert, pointing out that this could involve hundreds of people, repeatedly using contactless payments at convenience stores to maximize their haul.
Online discussions have suggested the involvement of international criminal organizations, a claim which Matsuoka acknowledges as plausible. The current trend in card fraud, he explains, involves large networks aiming for small, incremental gains, rather than one-time big scores.
Fraudulent charges are fully covered by the card company as a rule. However, if it exceeds “61 days,” then…
I saw a post about the Aeon Card issue, saying that unauthorized use continued for three months even after the card was stopped. Why did it take so long?
“Even if authentication was not performed with touch payment, the blacklist should be updated about once a day in the system. If a new card is flagged, it automatically sends a notification from the server to the merchant’s system.
In this case, perhaps the volume of fraud was so overwhelming that the server couldn’t keep up, or there was a part of the system that couldn’t catch up, resulting in delays. I think it’s undeniable that there was a certain amount of negligence or poor handling on Aeon’s part.”
In cases of damage like this, how much compensation does the card company provide? Does the level of compensation vary by company?
“I don’t think there’s any company that wouldn’t cover fraud damages. Although this case is behind schedule, it should be properly compensated.
Originally, credit card companies operate on the assumption that fraud is inevitable, so as long as the proper conditions are met, they will provide compensation.”
However, there is something to be cautious about regarding those conditions. Card companies will cover fraudulent transactions going back up to 60 days from the time of reporting, but anything beyond 61 days falls outside coverage.
“Therefore, if you notice fraud, it’s crucial to contact the card company as soon as possible. In large-scale fraud cases, it may be difficult to get through due to staffing shortages, and even if you do, you may face various delays. However, for higher-status cards like platinum or gold, the process tends to go more smoothly.”
So, regardless of the card status, damages within 60 days are always covered, but there may be slight differences in handling. It’s a bit like flying first class or business class on an airplane—you arrive at the same destination, but the comfort of the journey differs.
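As an added illustration (not part of the original article and not any issuer's actual system), the sketch below models the two mechanisms described above: an offline terminal that consults only the stop list it last downloaded, and the 60-day look-back from the report date. The `Tap` record, the terminal sync times and the sample data are constructed assumptions, and charges 61 or more days old are treated as outside the window.

```python
from datetime import datetime
from typing import NamedTuple

COVERAGE_DAYS = 60  # look-back window from the report date, as stated in the article


class Tap(NamedTuple):
    when: datetime             # time of the contactless payment
    amount_yen: int
    terminal_synced: datetime  # last time this terminal downloaded the stop list


def offline_terminal_accepts(tap, stopped_at):
    # An offline terminal checks only its local copy of the stop list, so a
    # card stopped after the terminal's last sync still looks valid to it.
    return tap.terminal_synced < stopped_at


def classify(tap, stopped_at, reported_at):
    """Label one disputed charge from the issuer's point of view."""
    if tap.when >= stopped_at:
        if offline_terminal_accepts(tap, stopped_at):
            return "post_stop_offline"   # settled although the card was stopped
        return "declined_at_terminal"    # terminal already had the updated list
    age_days = (reported_at.date() - tap.when.date()).days
    return "pre_stop_in_window" if age_days <= COVERAGE_DAYS else "pre_stop_outside_window"


def triage(taps, stopped_at, reported_at):
    """Group charges by label so post-stop leakage and window misses stand out."""
    buckets = {}
    for tap in taps:
        buckets.setdefault(classify(tap, stopped_at, reported_at), []).append(tap)
    return buckets


# Constructed sample data (not real transactions); card stopped when reported.
STOPPED = REPORTED = datetime(2025, 3, 1, 9, 0)
SAMPLE = [
    Tap(datetime(2024, 12, 30, 12, 0), 980, datetime(2024, 12, 30, 3, 0)),   # 61 days old
    Tap(datetime(2024, 12, 31, 12, 0), 4200, datetime(2024, 12, 31, 3, 0)),  # 60 days old
    Tap(datetime(2025, 3, 1, 18, 0), 9800, datetime(2025, 3, 1, 3, 0)),      # stale stop list
    Tap(datetime(2025, 3, 2, 10, 0), 9900, datetime(2025, 3, 2, 3, 0)),      # synced after stop
    Tap(datetime(2025, 3, 5, 10, 0), 10000, datetime(2025, 2, 27, 3, 0)),    # terminal missed syncs
]

if __name__ == "__main__":
    for label, taps in triage(SAMPLE, STOPPED, REPORTED).items():
        print(label, len(taps), sum(t.amount_yen for t in taps))
```

The `post_stop_offline` bucket is the one an issuer would watch: its size and the age of each terminal's last sync show how long a stopped card stays usable at terminals that have not refreshed their list.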
Things You Must Remember! Defense Strategies Against Various Troubles
With the spread of “Unlucky Hit Scams,” are there any defense strategies users can take? Here’s a summary of key points to help you handle various troubles—please take a look.
Check “Push Notification” Settings
Review your usage history at least once a month to check for unusual charges. However, few people clearly remember charges from over a month ago, and there’s a risk of brushing off small amounts with “What was this? Oh well.” To avoid this, pay attention to push notifications that arrive as quickly as 10 minutes after a payment. This lets you confirm right away if you made the transaction. Note that this service began only 1–2 years ago, so for cards issued earlier, you may need to enable notifications manually. If you’re not receiving notifications, check your push notification settings and turn them on.
Keep Track of Your “Subscriptions”
Small monthly charges are easy to overlook, especially if they’re only three digits. Even if you don’t recognize them, you might think, “It’s probably some subscription,” but there have been cases where people were unknowingly charged ¥980 per month for three years straight. Knowing which subscriptions you’re paying for is essential.
How to Identify “Scam Emails”
Although phishing emails have become more sophisticated, the Japanese is often awkward, and the sender’s address, though it may look fine before the “@,” is often a mess afterward. Simply opening a phishing email is harmless, but if it leads you to a fake site, the worst consequence might be letting the sender know your address is active. Avoid entering any personal information, and if you’re unsure about an email’s authenticity and have clicked on it, contact your card company immediately.
Dispose of “Unused Cards”
If you created a card for a one-time service and haven’t used it since, dispose of it. Leaving unused cards active increases your chances of falling victim to “Unlucky Hit Scams.”
Report “Lost or Stolen” Cards Immediately!
If you lose your card, report it to the police right away. Some card companies require this report as a condition for compensation. Nowadays, you can also file a report online instead of going to a police station.
Certain “PINs” May Not Be Covered
If your card is lost and used, compensation may be denied if your PIN is your birthdate. Avoid using easily guessed numbers like birthdates or phone numbers.
Kenji Matsuoka – Money Writer, Financial Planner. After working as a market analyst at a securities firm, he became independent in 1996, writing about finance and asset management for business and economic publications. Author of The First-Year Guide to Robo-Advisor Investing and The Definitive Guide to Profiting from Cashless Payments, with Clear Diagrams.
Reporting and writing: Chimasa Ide