146

I've made a single photo purchase from Shutterstock back in 2012. I created an account and gave them my debit card #. I haven't made a single purchase from them since.

Silently in 2018, they activated auto-renew without my consent, without notifying me via e-mail and without sending a receipt. They just started charging my new debit card. One that I hadn't even given them. This went on for 3 years without me noticing.

Then in July 2020 I lost my wallet, so I requested a new card. Somehow, Shutterstock had my updated debit card number and was able to withdraw from my checking account again in 2021, without me giving them my new debit card info.

I've never given them any of the newer card numbers since 2012. How is it possible for them to always have it? Is my banking information available somewhere for them to look up?

enter image description here

Marquizzo
  • 1,907
  • 4
  • 9
  • 13
  • 9
    Crossdupe https://money.stackexchange.com/questions/98728/how-can-a-retailer-automatically-get-details-of-my-new-payment-cards (coincidentally _from_ 2018) – dave_thompson_085 Jan 05 '21 at 02:46
  • 47
    This is why it's important to regularly review all your recent credit activity. Seriously though, I don't say that to imply this is your fault. This auto update "feature" of credit cards causes more problems than it solves, and should die a fiery death. Companies that regularly charge cards without sending receipts should also did a fiery death. Unfortunately, these things do happen, which is why regularly checking account activity is a necessity these days. – Conor Mancone Jan 05 '21 at 13:08
  • 1
    I bet in 2018, you made an interaction with the Shutterstock site, and you used the site in a cavalier manner believing you were anonymous and surely it would give you a login challenge for anything that cost money. Unbeknownst to you, your browser sold you out: it still had your 2012 cookie! Shutterstock treated the activity as a renewal, per TOS. There may have even been cautions that you ignored because we're all human. And this "error" may be an intentional strategy, i.e. a trap. *This is why I purge cookies regularly*. – Harper - Reinstate Monica Jan 05 '21 at 21:46
  • 6
    @Harper-ReinstateMonica That doesn't explain how they got the new card number. A card isn't stored in a browser's cookies. – mbomb007 Jan 05 '21 at 22:43
  • 5
    @Harper-ReinstateMonica I also wasn’t using the same computer between 2012 and 2018. Additionally, the auto-renew was activated on Jan 3rd, when I was on holiday vacation with my family. I don't think it's as much of a user error as you're implying. – Marquizzo Jan 05 '21 at 22:50
  • @mbomb007 The client-side cookie would have stored OP's identity i.e. their userid in a signed cookie. The site would have a server-side database of CC credentials for each user ID. So the site would pull the client-side cookie, validate it, take the user ID and then look in their server-side database to get the CC#. However as OP reports, they changed PCs, so the cookies didn't come over *presumably*. But regardless, OP was not active then, so this was unilaterally done by Photobucket as some sort of policy blunder or DB corruption or software bug. – Harper - Reinstate Monica Jan 05 '21 at 23:32
  • 7
    Beyond filing a fraud report, I'd also just contact Shutterstock and firmly request a cancelation of my account, and complete refund for the last four years. They should have data showing you haven't been using the account. – SafeFastExpressive Jan 06 '21 at 00:13
  • 3
    @SafeFastExpressive Advice to actively cancel the Shutterstock account is good, though I'm sure they'll just laugh in OP's face when they request a refund because they haven't been using the account. A company who does this is *not* one who will honor such good faith requests, IMO. – TylerH Jan 06 '21 at 14:22
  • @Harper-ReinstateMonica As the OP stated, the CC# was not the same, and your explanation completely ignores that. – mbomb007 Jan 06 '21 at 14:34
  • 1
    @TylerH Companies that pull this crap can also care about their brand, so don't be too sure they won't refund, especially if the victim threatens to go to social media with it. After all they can continue to pull this scam profitably even if they refund everyone who asks because they will likely only be asked by a small minority of victims. – SafeFastExpressive Jan 06 '21 at 15:36
  • @mbomb007 At the time you asked, several answers already covered that. I had assumed you had read them so I aimed at the aspect of your question which they did not address :) Please, try to keep up :) – Harper - Reinstate Monica Jan 06 '21 at 18:50

1 Answers1

161

Simply put, Account Updater:

When participating issuers re-issue cards, they submit the new account number and expiration date to VAU. Participating merchants send inquiries on their credentials-on-file to VAU and are provided with updated card information, if available. This helps participating issuers retain cardholders by maintaining continuity of their payment relationships with participating merchants.

Shutterstock subscribes to Account Updater, and gets updated copies of your card info when it expires or is replaced.

VAU is Visa's version; more info is in a fact sheet here. MasterCard calls their version Account Billing Updater. American Express calls their version Cardrefresher. Payment processors will often aggregate multiple Card Brand's versions into a single service for Merchants.

It is theoretically possible to opt out of Account Updater, going through your bank to do so. It's one of those 'you have to know in order to ask' type of things, and I'm betting the ease of doing so varies from bank to bank.

gowenfawr
  • 71,975
  • 17
  • 161
  • 198
  • Comments are not for extended discussion; this conversation has been [moved to chat](https://chat.stackexchange.com/rooms/118153/discussion-on-answer-by-gowenfawr-how-does-shutterstock-keep-getting-my-latest-d). – Rory Alsop Jan 07 '21 at 13:22