still being charged, double charged some months.
Der Zoodirektor
26121 cr points
35 / M / Germany
Posted 10/9/15 , edited 10/9/15

husty24 wrote:

I don't have any second account.


Most people assume that initially, but we require explicit user permission for all charges we perform. It's simply impossible for us to charge your account without you having given permission for us to charge you. If you have 2 concurrent charges it means that you have given us permission to charge your account twice. For example by misspelling your account email when logging in on a mobile device, therefore creating a new account and entering your payment data again afterwards.

Did you send in a ticket to our customer service yet?
2021 cr points
Posted 10/9/15
I did, but they don't message back. I am having a problem with this.
2021 cr points
Posted 10/9/15
I sent it 3 days ago but... still waiting...
Der Zoodirektor
26121 cr points
35 / M / Germany
Posted 10/9/15

husty24 wrote:

I sent it 3 days ago but... still waiting...


I just found your requests. Do you use your Android phone a lot? Did you check yet what account it is currently logged into?
2021 cr points
Posted 10/9/15 , edited 10/9/15
It's the same account. The user name is husty24.
2021 cr points
Posted 10/9/15
I use it at least 3 times a week when I don't feel like using my laptop.
Der Zoodirektor
26121 cr points
35 / M / Germany
Posted 10/9/15 , edited 10/9/15
Sent you a reply to one of your tickets, just reply there to my next question.
37749 cr points
46 / Seattle
Posted 10/9/15

shinryou wrote:


husty24 wrote:

I don't have any second account.


Most people assume that initially, but we require explicit user permission for all charges we perform. It's simply impossible for us to charge your account without you having given permission for us to charge you. If you have 2 concurrent charges it means that you have given us permission to charge your account twice. For example by misspelling your account email when logging in on a mobile device, therefore creating a new account and entering your payment data again afterwards.

Did you send in a ticket to our customer service yet?




With all due respect, this is a fairly bold (no pun intended) and unwarranted assertion. The most likely explanation for a disturbingly large number of incidents of unauthorized charges across multiple areas ("hacked" accounts upgrading status and buying store items, double-billing, months charged after cancellation, et al.) is not that all of the people who say otherwise gave their explicit permission then lied about it. Not only are most people fairly honest, many (at least) would rather let a small-to-moderate charge they didn't make go rather than make a fuss about it when customer service doesn't respond.

When you have a lot of people telling you they're being billed for charges they didn't authorize, it's fair to assert that some are probably mistaken at best. But all of them? Not by a long shot, and it hardly enhances credibility to assert otherwise.
Der Zoodirektor
26121 cr points
35 / M / Germany
Posted 10/9/15 , edited 10/9/15
This is strictly about creating new subscriptions. It is impossible for us to create a subscription on behalf of a user.

If a user manages passwords, and therefore the access to their previously authorized saved credit card data, badly, you are still in the user realm. In that situation it is actually impossible for the intruder to create a new subscription as well. Double billing due to an intruder in your account is *not* possible. You need 2 user accounts for that, and the owner of the accounts needs to enter the payment data twice.

The most common reason for double billing is:
The user creates a subscription on device 1, then tries to log in on device 2, but misspells or mistakes his email address and creates a new account in the process. Puzzled by the lack of premium services they enter payment data again and start another subscription.
37749 cr points
46 / Seattle
Posted 10/9/15

shinryou wrote:

This is strictly about creating new subscriptions. It is impossible for us to create a subscription on behalf of a user.

If a user manages passwords, and therefore the access to their previously authorized saved credit card data, badly, you are still in the user realm. In that situation it is actually impossible for the intruder to create a new subscription as well. Double billing due to an intruder in your account is *not* possible. You need 2 user accounts for that.


This is still dubious given that at least the first person in the thread did not authorize the second account, but much closer to accurate than your original statement.
Der Zoodirektor
26121 cr points
35 / M / Germany
Posted 10/9/15
He did. The usual initial reply is "No, I don't."

If they were aware of the fact that they have 2 accounts, they would not come asking.
37749 cr points
46 / Seattle
Posted 10/9/15 , edited 10/9/15

arimareiji wrote:

This is still dubious given that at least the first person in the thread did not authorize the second account, but much closer to accurate than your original statement.


shinryou wrote:

He did. The usual initial reply is "No, I don't."

If they were aware of the fact that they have 2 accounts, they would not come asking.


Unless you have proof he's being dishonest about his brother creating the account and using his credit card without his knowledge, that's a pretty bold statement. Also, "usually" and "strictly about creating new subscriptions" is not "all charges we perform".


shinryou wrote:

This is strictly about creating new subscriptions. It is impossible for us to create a subscription on behalf of a user.

If a user manages passwords, and therefore the access to their previously authorized saved credit card data, badly, you are still in the user realm. In that situation it is actually impossible for the intruder to create a new subscription as well. Double billing due to an intruder in your account is *not* possible. You need 2 user accounts for that, and the owner of the accounts needs to enter the payment data twice.

The most common reason for double billing is:
The user creates a subscription on device 1, then tries to log in on device 2, but misspells or mistakes his email address and creates a new account in the process. Puzzled by the lack of premium services they enter payment data again and start another subscription.


Bluntly speaking: Regardless of how the intruder gets in (and that is quite open to reasonable doubt), it's not the user's fault that CR 1) is apparently ignoring the wise suggestion by TheAncientOne to stop sending change-email notifications only to the new email (and if possible, include a link in the notification to the old email that lets the real user revert the change), and 2) as far as I can tell, keeps users from de-authorizing or removing their card information unless they provide a new valid card... then allows an intruder to charge anything they like. These are a recipe for disaster.
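The mitigation suggested in the post above (notify the old address when the email is changed and include a link that reverts it), sketched as an added example; it is not the site's code or part of the thread. The account store, signing key, 7-day window and all function names are assumptions.

```python
import base64, hashlib, hmac, time

SECRET = b"constructed-demo-key"   # assumption: server-side signing key (constructed)
REVERT_WINDOW = 7 * 24 * 3600      # assumption: revert link is valid for 7 days
accounts = {"u1": {"email": "owner@example.com"}}   # constructed sample account
outbox = []                        # stands in for the mail system
used_tokens = set()                # makes each revert link single-use

def _sign(payload: bytes) -> bytes:
    return hmac.new(SECRET, payload, hashlib.sha256).hexdigest().encode()

def change_email(user_id, new_email, now=None):
    """Apply the change, then notify BOTH addresses; only the old one can revert."""
    now = int(time.time() if now is None else now)
    old_email = accounts[user_id]["email"]
    accounts[user_id]["email"] = new_email
    payload = f"{user_id}|{old_email}|{now}".encode()
    token = base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload).decode()
    outbox.append((new_email, "Your account email was changed."))
    outbox.append((old_email, f"Email changed to {new_email}. "
                              f"Not you? Revert: /revert?t={token}"))
    return token

def revert_email(token, now=None):
    """Restore the old address if the token is authentic, fresh and unused."""
    now = int(time.time() if now is None else now)
    try:
        blob, sig = token.rsplit(".", 1)
        payload = base64.urlsafe_b64decode(blob.encode())
        user_id, old_email, issued_at = payload.decode().split("|")
        issued_at = int(issued_at)
    except (ValueError, UnicodeError):
        return False                              # malformed token
    if not hmac.compare_digest(sig.encode(), _sign(payload)):
        return False                              # forged or altered token
    if now - issued_at > REVERT_WINDOW or token in used_tokens:
        return False                              # expired or replayed
    if user_id not in accounts:
        return False
    accounts[user_id]["email"] = old_email
    used_tokens.add(token)
    # A real service would also end all sessions and force a password reset here.
    return True
```

Because the token is signed and carries the old address, the revert works without the owner being able to log in, which matters when the intruder has also changed the password.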
Der Zoodirektor
26121 cr points
35 / M / Germany
Posted 10/9/15 , edited 10/9/15

arimareiji wrote:

Unless you have proof he's being dishonest about his brother creating the account and using his credit card without his knowledge, that's a pretty bold statement. Also, "usually" and "strictly about creating new subscriptions" is not "all charges we perform".

Bluntly speaking: Regardless of how the intruder gets in (and that is quite open to reasonable doubt), it's not the user's fault that CR 1) is apparently ignoring the wise suggestion by TheAncientOne to stop sending change-email notifications only to the new email (and if possible, include a link in the notification to the old email that lets the real user revert the change), and 2) as far as I can tell, keeps users from de-authorizing or removing their card information unless they provide a new valid card... then allows an intruder to charge anything they like. These are a recipe for disaster.


Whether it was himself or his brother, there was a second account that used his card. Look at the second user in this thread, he's the prime example of 2 accounts definitely made by the same person.

Email notification only helps you if the intruder actually changes the email address. That is not a given. The point of changing the address for the intruder is often to maintain their grip on the account and therefore the resale value, as the access data comes from public password dumps, mostly gathered from sources such as compromised Minecraft servers, small-time forums, shady services such as illegal streaming sites, or big hacks such as of the PlayStation Network in 2014 - which are all available to everyone who knows how to use Google. The sources of the password dumps are actually traceable quite well, as many users actually put references for what they were using their email/password for into their email address or passwords in order to remember them more easily.
I actually backtrack those cases frequently to figure out where they came from and to make sure that all the others on the lists have their account secured without having to contact our support individually.

Of course you cannot remove a card that is currently in use. You can delete a card from your account at all times while it is not actively used for a subscription.

37749 cr points
46 / Seattle
Posted 10/9/15 , edited 10/9/15

shinryou wrote:

Whether it was himself or his brother, there was a second account that used his card. Look at the second user in this thread, he's the prime example of 2 accounts definitely made by the same person.

"That used his card" is not the same as "He authorized the charges".


shinryou wrote:
Email notification only helps you if the intruder actually changes the email address. That is not a given. The point of changing the address for the intruder is often to maintain their grip on the account and therefore the resale value, as the access data comes from public password dumps, mostly gathered from sources such as compromised Minecraft servers, small-time forums, shady services such as illegal streaming sites, or big hacks such as of the PlayStation Network in 2014 - which are all available to everyone who knows how to use Google. The sources of the password dumps are actually traceable quite well, as many users actually put references for what they were using their email/password for into their email address or passwords in order to remember them more easily.
I actually backtrack those cases frequently to figure out where they came from and to make sure that all the others on the lists have their account secured without having to contact our support individually.

So because it only helps the victim in the vast majority of the cases that have been publicly reported in the forums, there's no point in fixing poor security? Email changes to keep the victim from resetting the password, which are extremely helpful to the intruder given that it can take days or weeks for customer support to respond, happen in almost every case reported.


shinryou wrote:
Of course you cannot remove a card that is currently in use. You can delete a card from your account at all times while it is not actively used for a subscription.

"Of course you cannot remove a card" that is charged once a year in my case and an unknown number of other cases, once a month in the rest? The only way that makes sense is to make it difficult for people to leave. It's not like the subscriber is going to receive physical goods in advance then not pay - if they don't re-enter their card info and can't be charged, suspend access and they won't receive anything they haven't paid for.

Granted, forcing subscribers into default renewal does benefit a company if they're worried that subscribers won't want to re-subscribe and they want to make them do so anyway. But it's horrible security. Add the fact that the card information can also be used freely in the CR store, and it's gross malpractice given how many cases of compromised accounts there have been.

I'm reminded of an axiom about personal relationships that applies to business relationships as well: If you're more worried about making the other person stay than you are about why they want to leave, you've already lost.