Hacker News
by jolmg 2579 days ago
I'm trying to think of how to avoid something like this ever happening to me, and I think the lesson I can learn from this is to use a debit card instead of a credit card? That way, the account can go to 0. That debit card would only be for services with automated billing like this, and would have limited funds.

I mean, I imagine the main problem here is that you can't close your credit card because the bank now says you owe them that money, right? If it were a debit card, that would never be a problem.

EDIT:

> I've even requested a new credit card from the bank, however the bank continues to forward AWS charges to me.

They forwarded from one card to another? AWS charged a closed card and the bank forwarded it? Sounds like you need to close the client account (your whole client relationship with the bank), not the card.

EDIT 3: Or do you mean that you requested a new card without closing the old one? If they're both open, it's not that charges are being forwarded, but rather that the old card is still valid and both are linked to the same credit account. Maybe you can ask them to close it?

EDIT 2:

> Nor will Amazon simply remove the credit card number that I can provide them.

By the way, if you can't authenticate with Amazon as the rightful owner of that account, it sounds unreasonable for them to comply to a stranger asking them to simply remove a credit card number of some account.

2 comments

> They forwarded from one card to another? AWS charged a closed card and the bank forwarded it?

Yup.

> By the way, if you can't authenticate with Amazon as the rightful owner of that account, it sounds unreasonable for them to comply to a stranger asking them to simply remove a credit card number of some account.

I disagree. If I can provide a full credit card number, they should be able to remove it from all accounts. Either the card is compromised, or I'm telling the truth.

The AWS account is what's compromised. And Amazon is aiding the attacker in committing fraud. Both AWS and the attacker benefit from the continued charges to your account.

Every AWS and bank account has clear terms including how to unilaterally close the account. I'm not sure why you're slow walking this rather than pulling the fire alarm on both accounts.

So anyone you ever bought something from with that credit card should be able to kill your AWS account with a simple phone call?

They could send an email to the owner of the account asking to reauthenticate the card (re-enter the numbers & CVV, go through 3D-Secure or provide a picture of the card or bank statement).

This would mitigate incidents like this - as far as I’m aware the attacker doesn’t actually have the card number, so giving them 24 hours to confirm it (or the card gets removed after that) would be a good solution while remaining only a minor inconvenience for legitimate usage (realistically speaking, how many online stores who might have your card number are malicious enough to call companies and try to get your accounts shut down, with no benefit to themselves?)

I feel for the Kafkaesque nightmare, but isn't this what courts are for? A judge should be able to adjudicate this conflict especially if you give convincing evidence of your communications with both Amazon and the Bank. My venue of legal approach (IANAL and not even US) would be that once you show you are not the account holder (since hacked and fully shut out) anymore you don't have a contract with Amazon and they don't have the title to bill you. If they can show you ARE the account holder, then you can cancel. Both ways of that approach before a judge will get your problem sorted?

> I think the lesson I can learn from this is to use a debit card instead of a credit card? That way, the account can go to 0. That debit card would only be for services with automated billing like this, and would have limited funds.

Generally speaking, this is a bad idea. Credit cards have more legal protections than debit cards[1], giving you more avenues for recourse.

Banks can also choose to honor a transaction and overdraw your account. This can result in a negative balance, leaving you with fewer legal protections on the original transaction (since it was debit instead of credit) and owing money to your bank. Plus possible overdraft fees.

> Or do you mean that you requested a new card without closing the old one? If they're both open, it's not that charges are being forwarded, but rather that the old card is still valid and both are linked to the same credit account. Maybe you can ask them to close it?

It's a feature of the processing networks called account updater[2]. It sounds like the credit line itself was not canceled, only the card, with a new card issued against the same credit line. The link at [2] mentions the logic for when account updater can happen, but essentially if a merchant has successfully processed your card in the last year and it gets declined on subsequent transactions (because you canceled it or it expired), they can request the new card information to retry the transaction against. It's designed to prevent lapses in recurring payments when cards expire or get re-issued, while limiting exposure to fraud since new merchants without a history of transactions on your account can't get the new account info.

If you're ever in this situation, what you want to do is 1) initiate a chargeback dispute on the initial transaction and 2) explicitly request your bank to decline future transactions from that merchant (referencing the initial transaction so they know explicitly which merchant). The merchant should then get hit with this[3] decline code next time they attempt to charge you, which will be a hard decline that indicates it was due to a cardholder-requested block.

That way you only have to deal with one dispute involving your credit card company and any subsequent transactions are prevented from even getting to that point (and if one slips through, the fact that you requested a merchant block becomes its own supporting evidence for disputing a charge). As OP experienced, repetitive disputes tend to shift over time from the consumer's favor to the merchant's favor, so only disputing the transactions after they occur only tends to work the first few times.

[1] https://www.fdic.gov/consumers/consumer/news/cnwin1213/stopp...

[2] https://articles.braintreepayments.com/guides/account-update...

[3] https://articles.braintreepayments.com/control-panel/transac...