Unauthorized ChatGPT payments
Recently, a series of posts have appeared online from users who suddenly received credit card notification text messages stating that a payment of 299,000 won had been approved for an overseas purchase.
While some speculated that it might be a phishing (financial fraud) attempt, an investigation revealed it was a financial crime in which stolen card information was used without authorization.
More than 800 cases of damage have been identified so far.
The victims shared a commonality: the merchant listed in the text messages they received was "NICE Information & Telecommunication," a payment gateway (PG) company, and the transaction history showed payments for a high-priced subscription plan of ChatGPT, an artificial intelligence (AI) service.
The situation was resolved as OpenAI, the operator of ChatGPT, and NICE Information & Telecommunication, its domestic PG partner, took measures to cancel the payments and issue refunds.
However, the incident raised questions because payments could be processed using only card information, without any additional verification such as mobile phone identity authentication.
OpenAI stated that the incident was not a hacking event, but rather a financial crime where others made unauthorized payments using card information leaked externally.
According to the card industry, a total of 1,368 payments for the ChatGPT Pro subscription plan (299,000 won) were processed in South Korea this month, amounting to approximately 400 million won.
Among these, 858 cases worth approximately 250 million won were classified as suspected fraudulent payments.
Specifically, the damage occurred through direct payments for OpenAI's ChatGPT via NICEPAY, the online payment service of NICE Information & Telecommunication.
This was possible because many overseas online merchants, including OpenAI, accept a payment on nothing more than the card number, expiration date, and security code (CVC), i.e. the data printed on the card itself, so a leaked copy of that data is enough to pay.
Additional cardholder verification does exist for such payments, but it is applied conditionally, at the discretion of the card company and the issuing bank, rather than on every transaction.
In contrast, domestic simple payment services require additional authentication procedures, such as fingerprints, patterns, or simple passwords, even after registering a card.
The Electronic Financial Supervisory Regulations require real-name verification when issuing access media used for electronic financial transactions.
However, this applies to the issuance of certificates, simple passwords, and biometric information used in electronic financial transactions.
Furthermore, the Electronic Financial Supervisory Regulations only state that financial companies or electronic financial business operators must use secure authentication methods considering the type, nature, and risk level of electronic financial transactions, meaning real-name verification is not mandatory when making payments by directly entering card information.
Consequently, most payments using authentication methods that have already undergone real-name verification, such as certificates, simple passwords, or fingerprints, are processed without separate additional verification.
However, domestic card company app cards and payment services like Naver Pay independently run additional authentication procedures, such as passwords and biometric authentication, to enhance security.
Yet, many overseas merchants still adhere to the method of entering only the "card number, expiration date, and security code."
NICE Information & Telecommunication explained, "Under domestic law, there is no separate mandatory regulation requiring mobile phone identity verification for this method," adding, "The payment method is applied by comprehensively considering the merchant's service operation method and the global payment environment."
However, while the method of entering only the "card number, expiration date, and security code" offers high payment convenience, it is relatively vulnerable compared to methods with additional verification in situations where card information is leaked, as in this case.
NICE Information & Telecommunication stated that, following this incident, it is in discussions with OpenAI to implement identity verification and is currently conducting testing and development procedures.
The payment structure through payment gateways (PGs) is also pointed out as a factor that delays the detection of damage.
PGs act as intermediaries for payment processing for businesses that find it difficult to contract directly with card companies.
Therefore, when a customer pays a business that uses a PG, the merchant name on the card statement is usually the PG's name rather than the business's.
In this case of unauthorized payment, the transaction history showed "NICE Information & Telecommunication" instead of ChatGPT or OpenAI, making it difficult for customers to intuitively identify that they had been victimized by a merchant payment related to ChatGPT.
In response to criticisms that this may have delayed reporting, OpenAI and NICE Information & Telecommunication changed the merchant name so that both NICE Information & Telecommunication and OpenAI or ChatGPT appear together during payment.
There are also concerns that payments through PGs may delay detection by card companies' Fraud Detection Systems (FDS).
The FDS is a system that detects abnormal transactions by comprehensively analyzing payment amounts, times, industries, and transaction patterns. If information about the actual payment location is not sufficiently revealed, it can take time to identify repeated abnormal signs at a specific merchant.
An official from a card company explained, "When making online payments through a PG, there are cases where the PG does not clearly send the card company information on where the payment was made, delaying the identification of abnormalities at the merchant." The official added, "For overseas payments, monitoring for fraudulent use works relatively well because customers' usage patterns are set quite conservatively. However, if the merchant is recorded as a normal domestic merchant (the PG), it is currently difficult to detect even if it is a fraudulent payment."
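The detection problem described above can be made concrete with a small simulation. The following is an added example, not code from NICE Information & Telecommunication, OpenAI, or any card company's FDS: it runs two toy issuer-side rules over constructed authorization records (no real card data) and replays the same wave of 299,000 won payments under three merchant descriptors. The rule thresholds, the sample amounts, the cardholder ids and the descriptor strings other than the PG's name are assumptions made for the illustration.

```python
"""Toy FDS rules replayed over constructed authorization records.

Added example with constructed data. It shows why a fraud wave hidden behind a
generic domestic PG descriptor evades both an overseas-use rule and a
per-merchant concentration rule, while the same wave is visible once the
descriptor carries the real merchant or the transaction is coded as overseas.
"""
from __future__ import annotations

import random
from collections import defaultdict
from dataclasses import dataclass

PG_NAME = "NICE Information & Telecommunication"  # descriptor the issuer saw in this incident
PRO_PRICE = 299_000                               # ChatGPT Pro price in KRW, per the article


@dataclass(frozen=True)
class Auth:
    """One authorization as it reaches the issuer's FDS (constructed, not real data)."""
    card: str       # pseudonymous cardholder id
    merchant: str   # merchant descriptor supplied by the acquirer/PG
    country: str    # merchant country code supplied by the acquirer/PG
    amount: int     # KRW


def build_sample(fraud_descriptor: str, fraud_country: str = "KR",
                 n_legit: int = 3000, n_fraud: int = 300, seed: int = 1) -> list[Auth]:
    """Constructed month of traffic: ordinary domestic payments routed through the PG,
    plus one wave of PRO_PRICE payments on stolen cards, each stolen card used once.
    The legitimate amounts and the card-id pool are assumptions for the example."""
    rng = random.Random(seed)
    legit = [Auth(card=f"C{rng.randrange(10_000):05d}", merchant=PG_NAME, country="KR",
                  amount=rng.choice([12_000, 35_000, 59_000, 120_000, PRO_PRICE]))
             for _ in range(n_legit)]
    fraud = [Auth(card=f"V{i:04d}", merchant=fraud_descriptor, country=fraud_country,
                  amount=PRO_PRICE) for i in range(n_fraud)]
    mixed = legit + fraud
    rng.shuffle(mixed)
    return mixed


def first_overseas_use_alerts(auths: list[Auth], min_amount: int = 200_000) -> set[str]:
    """Conservative overseas rule (assumed threshold): alert on a high-value non-KR
    authorization from a card with no earlier non-KR authorization in this batch.
    It can never fire when the PG reports the merchant country as KR."""
    seen_overseas: set[str] = set()
    alerts: set[str] = set()
    for a in auths:
        if a.country == "KR":
            continue
        if a.card not in seen_overseas and a.amount >= min_amount:
            alerts.add(a.card)
        seen_overseas.add(a.card)
    return alerts


def merchant_amount_concentration(auths: list[Auth], min_cards: int = 50,
                                  min_share: float = 0.8) -> dict[str, tuple[int, int, float]]:
    """Per descriptor, count distinct cards per amount and flag the descriptor when one
    amount covers at least min_share of its distinct cards and at least min_cards cards.
    Returns {descriptor: (amount, distinct_cards, share)} for flagged descriptors."""
    cards_by_merchant_amount: dict[str, dict[int, set[str]]] = defaultdict(lambda: defaultdict(set))
    for a in auths:
        cards_by_merchant_amount[a.merchant][a.amount].add(a.card)
    flagged: dict[str, tuple[int, int, float]] = {}
    for merchant, by_amount in cards_by_merchant_amount.items():
        total_cards = len(set().union(*by_amount.values()))
        amount, cards = max(by_amount.items(), key=lambda kv: len(kv[1]))
        share = len(cards) / total_cards
        if len(cards) >= min_cards and share >= min_share:
            flagged[merchant] = (amount, len(cards), round(share, 3))
    return flagged


def run_scenarios() -> dict[str, dict[str, int]]:
    """Same fraud wave under three descriptors; returns alert counts per rule."""
    scenarios = {
        "pg_name_only": build_sample(PG_NAME),                              # what the issuer saw
        "pg_plus_merchant": build_sample(PG_NAME + " / OpenAI ChatGPT"),    # post-incident change
        "direct_overseas": build_sample("OPENAI *CHATGPT", fraud_country="US"),  # assumed descriptor
    }
    results: dict[str, dict[str, int]] = {}
    for name, auths in scenarios.items():
        results[name] = {
            "overseas_alerts": len(first_overseas_use_alerts(auths)),
            "merchants_flagged": len(merchant_amount_concentration(auths)),
        }
    return results


if __name__ == "__main__":
    for name, r in run_scenarios().items():
        print(f"{name:18s} overseas_alerts={r['overseas_alerts']:4d} "
              f"merchants_flagged={r['merchants_flagged']}")
```

With the PG's name alone, the 300 fraudulent 299,000 won payments are diluted among thousands of unrelated domestic payments under the same descriptor, and the domestic country code keeps the overseas rule silent, so neither rule fires. Adding the actual merchant to the descriptor isolates the wave as a single-amount cluster across hundreds of distinct cards, and coding the transaction as overseas additionally trips the conservative overseas rule on every stolen card. The thresholds are illustrative; a real FDS would also weigh time, industry and per-cardholder history as the article notes.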
Although it is a matter of choice for merchants and customers, financial authorities explained that if security is valued over convenience, it is advisable to choose a payment method with two-factor authentication.
This means that when using overseas websites, cardholders are also better off paying with various payment services that have two-factor authentication rather than directly entering their card numbers.
A financial authority official explained, "As authentication steps increase, customer inconvenience also grows, so each company compares the services they provide to choose the level of authentication required," adding, "While a simple authentication process increases convenience, adding authentication is advantageous in terms of security."
Damage caused by credit card theft or fraudulent use, like in this case, can be minimized through various preventive and follow-up measures.
According to the "Prevention and Response Methods for Damage Caused by Loss or Theft" by the Consumer Support Center of the Credit Finance Association, customers must sign the signature line of the card themselves immediately upon receiving it and manage their passwords thoroughly.
If an unsigned card is used after being stolen, the cardholder may bear all or part of the responsibility.
Since fraudulent use often occurs through overseas payments, it is also helpful to set up features provided by card companies, such as "blocking Dynamic Currency Conversion (DCC)," "blocking overseas use," and "safe overseas use settings."
Consenting on the card company's website to the use of immigration (entry and exit) records lets the card company block overseas use of the card while the cardholder is back in the country, preventing fraudulent use abroad after return.
When using overseas paid services, instead of the actual card number, users can also issue and use a "virtual card number" supported by the card company's app, which is for one-time use or only allows a set amount to be paid.
However, as in this theft incident, a transaction routed through a domestic PG is recorded as a domestic payment, so overseas-use blocks and overseas monitoring do not catch it.
If a text message about a card transaction that you did not make arrives, as in this case, you must immediately call the card company's service center to report it.
In the case of credit cards, if you contact one card company that is registered with the "Integrated Card Loss Reporting Service," most card companies allow you to report cards from other companies all at once.
Even if you lose a smartphone with a mobile credit card issued, you must report the loss to the card company in the same way as a physical credit card to prevent damage.
In the event of card loss or theft, compensation covers fraudulent use that occurred within the 60 days before the date the report is received, so the sooner you report it, the more of the damage is covered.
Card companies generally provide compensation, except in cases where there is intentional intent or negligence on the part of the member.
However, for fraudulent transaction amounts exceeding 500,000 won that occurred before the time of reporting loss or theft, a certain compensation processing fee may be charged.
A card industry official advised, "If an online payment that you did not use occurs, you must immediately suspend the card and report the fraudulent use," adding, "Securing the card approval number and transaction details is necessary for quick compensation."
※ Please note: This article was translated by AI and may contain errors.
