Curve, fraud, and terrible customer support

[TheOtherN]

Last week, I found a few fraudulent transactions on my Curve card summing mid four figures, all conducted over a single day. Presumably the card details have been scooped up somewhere.

Immediately locked the card and informed both Curve and the underlying card issuer.

The latter, being a real, grown-up bank, got on the phone and conducted an investigation, flagged (but not reversed) the tronsactions, and cancelled and reissued the card within an haur. Importantly, they said they would not address the charges before I’d contacted Curve themselves, being the facing payment processor.

On the other hand, Curve … did bugger all. In-app chats have not received a reply, an online form I filled out basically said “Thanks”, emailing the usual address has produced no response. Charges are still sitting on both cards, and presumably the window of opportunity to alert the merchants is closing – or has closed. It’s more than a week. No contact from them whatsoever.

You’d have thought card fraud was something quite important to address for a card issuer.

What are my options here? And, for those with more legal experience, what are my liabilities?

[svk]

I have previously found that sending a direct message on twitter (now X) resulted in hurrying up the chat people.
Of course they may only be open from 9am tomorrow.

Though not a legal expert, I do know that with fraudulent credit card spends you are only liable if you’ve been grossly negligent.

[Carlos]

Wondering why the 2FA didnt work
Wasnt there a pop up to say do you approve this transaction?

[John]

See my recent thread. Although Curve replied slowly to me they sorted it out within 7 days, so it is concerning that they haven’t replied to you at all after a week. I only used Curve’s fraud form to contact them.

If the underlying card details haven’t been stolen, only Curve, then cancelling the underlying card has no effect and them investigating is not particularly useful either unless you give up on curve.

In my case, the underlying card actually blocked some of the transactions itself, but it allowed the largest one (5 figures) through. No 2FA was used, I suspect because they were merchants which take payments over the phone. Although with one the fraudsters kept trying smaller and smaller amounts every 5 seconds hoping one would get through (underlying card blocked all) so seems unlikely that those were done over the phone.

My underlying card was both competent in blocking all but one of the transactions and immediately contacting me, but incompetent in that they didn’t understand what Curve is, somehow reissued my card 3 times so that I didn’t even know which one was the right one to activate when they all arrived together, and they are still bombarding me with texts and emails long after Curve reversed the transaction.

Lesson is to always keep curve locked or set to curve cash. Just don’t use it for any payments that aren’t processed immediately so that you can relock it straight away.

[TheOtherN]

Thanks all. An update for the curious:

@svk – I ended up sending a DM on that dreadful bird site and, lo, I actually got some contact from them. Nice they started to move, outrageous that their official support system remains silent and I had to go elsewhere to elicit support. They are still moving slawly but at least they are aware of the issue. Charges are still on the card though.

@Carlos – No 2fa because apparently these payments were made over the phone with my details, rather than online. Seems like a massive security hole to me.

@John – Same as you, these were merchants taking payments over the phone. Your advice to keep the card locked is wise. Sadly, I mainly used it for regular automated online payments (think Netflix etc), so locking it wouldn’t work in that case.

Keeping the card pointed at the small Curve cash balance for those regular payments and GBIT them to the actual underlying cards would probably be the way forward. Large transactions would fail and mysterious small ones wouldn’t cause much damage.

That is if I stick with Curve. This support experience has left a bad taste, unfortunately.

As an aside, compared to the handful of similar fintechs offering similar services, they have an alarmingly small number of employees. A couple of hundred compared to N26 or Monzo’s 2k or Revolut’s 10k, so unsurprising they’re stretched paper thin.

There is movement, but issues are still not resolved.

[NorthernLass]

Regular payments can go directly from the underlying card, I’d never keep Curve unlocked for this reason, as @John also points out above. In fact I only ever unlock it immediately before I make a transaction with it. Too many stories like this! I’ve had someone try to make fraudulent transactions while abroad but presumably stopped by the card being locked.

[BBbetter]

Do any of you affected use the Curve (or any other) card directly for payments? i.e., swipe your card or give it to retailer for swiping or use chip & pin?
I only use it with apple pay and wondering if thats the reason I have never faced such issues.

[NorthernLass]

I often use my physical card as it tends to be the main one I use abroad these days and also occasionally here in the UK (my hairdresser only takes debit cards). After using it in Washington DC last Christmas I had a couple of weird Curve notifications from Uber which I hadn’t made but they never appeared on my transaction list. It happened again in Vienna. I can imagine Uber being prime ground for fraud, TBH, it’s all so anonymous and who knows who has access to customer account details?

[zapato1060]

BBbetter wrote:

Do any of you affected use the Curve (or any other) card directly for payments? i.e., swipe your card or give it to retailer for swiping or use chip & pin?
I only use it with apple pay and wondering if thats the reason I have never faced such issues.

I do repeated new customer sign ups with Deliveroo and paying with Google Pay as it masks the card number so your presumption is probably correct. The fraudsters dont get an access to your 16 #.

[Rui N.]

I don’t user G Pay and Curve is my main non-Amex card which has been used in several countries and never had any issues.

[JDB]

I don’t believe there’s any great correlation between where/how you use a card and fraud. I have had a Curve card since inception some seven years ago. It’s never locked and I have never suffered any fraud although I use the card extensively online, over the telephone, in person contactless and using PIN all over the world. In that same time I have had two Amex cards and a Tesco MC compromised. It’s just chance/bad luck. I have never lost a card or had one stolen but somehow bad actors have attempted dodgy transactions picked up by both card companies and not authorised.

It has been mentioned above (with the suggestion that it’s exclusively a Curve issue) that telephone transactions don’t use 2FA, but that’s my experience on all cards although they sometimes use the digits from the postcode as additional identification, but a merchant can override this if they are either willing to take more risk or in on some scam.

[timajackson]

Reveived a phonecall from an 0203 number yesterday claiming to be from Curve Security Team. Knew my name and last 4 card digits. Asked if i’d made transactions at Dominos in Dublin and a few other random locations (I hadn’t).Got cut off and they called me back again on a witheld number 10 secs later.
I didn’t give any information out other than to confirm my name when they called. They said they would have to send me a link to reset my seucrity via text message, at which point I hung up on them.
Given that I only use Curve on either NS&I (fronted) or Apple Pay it seems they must have suffered a data hack/ breach.
I contacted curve via the app but obviously no response.
It is unsustainable to run a financial company this way and unfortunately (especially as I invested) I feel it is ony a matter of time until they are no more.

[memesweeper]

timajackson wrote:

Knew my name and last 4 card digits.

Taken alone, this is not proof that Curve have themselves been breached. Your lack of use of the card elsewhere makes it highly suspicious though. Most scams where fraudsters have some of your details occur when then details are skimmed from a retailer, or intermediary, not the financial institution that issued the card.

If you have the landline number saved report it here immediately: https://www.ncsc.gov.uk/collection/phishing-scams/report-scam-call

I contacted curve via the app but obviously no response.

Curve Data Protection Officer DPO@curve.com email them with your concerns, and mention the lack of timely response to a fraud notification in-app.

No prompt response from that? Then I’d contact the ICO.

[Crafty]

timajackson wrote:

Reveived a phonecall from an 0203 number yesterday claiming to be from Curve Security Team. Knew my name and last 4 card digits.

I have had this today but, unfortunately, gave them one of the OTP codes before I clocked what was happening. It was quite sophisticated, to give them credit. Luckily the underlying card issuer, Barclaycard, appears to have blocked all transaction attempts and reissued the underlying card, so fingers crossed there shouldn’t be any getting through. But pretty unnerving nonetheless.

They have also managed to get me locked out of my Curve account (presumably this was done before they called me, so I could not verify their claims), which is a pain as there appears to be no way (!) to contact Curve “live” outside the app. No phone number, no live chat service. Can this actually be the case?!

They knew much more than name and 4 digits. They had my full address and previous addresses too. They clearly had direct access to my account and my personal data, suggesting there has been a data breach.

For me – this is the final nail in the coffin for Curve; if they cannot even man a phone number to deal with fraud, let alone protect my card details (it never leaves my person or my house), then I cannot justify continuing to have their product. Once I have finally been able to get back in touch with them, I will cancel.

Everyone else – be vigilant.

[can2]

That’s scary @Crafty, hope it will be resolved quickly.
On the other hand, a lot of agencies have a lot of our personal data, so I am still not sure if the personal data was leaked from Curve.

[Crafty]

Really? They had access to my Curve account. They could even reel off specific, genuine transactions. Surely it seems highly likely (I am not an expert, but I would’ve thought) that this is also the source of the personal information?

[Toaster]

Crafty wrote:

Really? They had access to my Curve account. They could even reel off specific, genuine transactions. Surely it seems highly likely (I am not an expert, but I would’ve thought) that this is also the source of the personal information?

Did they tell you the transactions before or after you gave them the OTP?

[BBbetter]

Sounds more like an insider job to me if they were able to tell you transactions before you gave them otp. Unless the card details were stolen from a merchant and obviously they know you made a payment there.

[John]

What was the OTP for – to log into curve on a new device? Or to verify a transaction?

[can2]

Open banking? Nectar? We heard many horror stories about nectar, too? And who knows what Curve does with our data.
I am certainly not defending Curve, but, it is relatively easy these days to access plethora of financial data — we all let them do it. And at some point it breaks.

Think like this: computer security exists just because some people/hackers are better than them. They often manage to stop the most, but still some go through the cracks.

It is a reality of life these days: your data will be compromised.

Makes me sick to my stomach.

[TheOtherN]

A small update, for those keeping score:

It required an official letter of complaint, emailed to their complaints@ address, in combination with a DM on Twitter to get them to read it, to finally bring the issue to the top of their support queue.

They assigned someone to get into (minimum) back and forth via email, asking about the details of the situation (which I had already previously provided). Three days later, the transactions were reversed and credited back to the underlying card. They issued and dispatched a new Curve card.

They also, to be fair, refunded me a small (sub £50) amount as a goodwill gesture for an expense I incurred due to the inabiity to use my underlying credit card. But they refunded it in Curve credit.

It took just over three weeks, three reissued cards, one crime report, and one letter of complaint, to get this resolved.

What did I learn?

Curve’s customer support is worse than I remembered. It seems to be a tiny company struggling with the size of its customer base. 24-48 hours delay waiting on support replies from some immaterial tech company is irritating; weeks in the case of a financial service dealing with reported fraud suggests a broken company.

Twitter contact worked better than in-app support. I hate this. You should hate this. The c-suite at the company should hate this. Whoever designed the support infrastructure at Curve should hate this but they’ve probably been let go in a cost-cutting exercise.

A letter of complaint also got treated seriously – by which I mean someone bothered to read it, understand the situation, and actually reply. A situation like this should rarely need to reach this level. Another sign that a company is experiencing serious issues if a simple, urgent situation based around the heart of their business model takes over 3 weeks to resolve.

What will I do going forward

My use case for Curve is really specific and suits my needs.

I primarily use it for small, regular online payments to tech services companies (think domain registrars) for both personal and business expenses, and GBIT to debit the correct personal or company card. I do this precisely to avoid storing the undelying card details.

Mission creep saw me using the card more for other personal expenses in recent months. I won’t make this mistake again.

In this case, it’s not convenient for me to keep the Curve card locked, as I need those payments to be debited as and when. However, I will keep the Curve card pointed at a low balance ‘safety’ debit card and then GBIT in batches to temporarily unlocked cards.

I would love to find another, similar system to route personal and business payments through to similar services going forward. Can anyone suggest anything similiar?

I have now taken to locking other cards when not in use, which may be good practise anyway.

Other online spending

Revolut has single-use cards which I have been using online now for one-off payments. These work is most cases, but are sometimes declined by vendors. They also have virtual, multi-use cards which I understand can be destroyed and reissued as and when.

Will I stay with Curve? Should you?

I’m seriously reconsidering their offering. If there were another company that fit my use-case, I would move everything over tomorrow.

I will certainly be putting absolutely minimal spend through the card now, and severely restrict its use..

[Gagravarr]

They are really really terrible at timely responses…

In late November, I noticed a couple of £1-2 charges on my curve card that weren’t me. Contacted them via the terrible form from the app on Monday 27 November, got an automated reply. On Thursday 14 December they replied asking a few questions (most of which I’d already answered in the original submission). I replied on Sunday 17th. Finally heard back today (Thursday 4th January) saying they’d refunded the transactions and issued me a new card. That’s almost 6 weeks!

[BBbetter]

TheOtherN wrote:

Curve’s customer support is worse than I remembered. It seems to be a tiny company struggling with the size of its customer base.

Am not sure why this is surprising to many. When no one is going to use their cards unless they have a net gain after fees, the company is going to cut corners somewhere. Typically thats the non-revenue generating bit.
Use it until it goes out of business.

For alternatives, Wise also offers digital only cards that can be easily locked or restricted.

[JDB]

Curve had no complaints taken to the FOS in the latest published data (H1 2023). The same cannot be said of Revolut, Wise, Starling or Monzo so they can’t be doing quite as much wrong as people like to make out. I’m sure Curve support is grossly understaffed and it’s no excuse for them that Revolut apparently also has terrible service although that is much more serious as people use it as a bank that holds their money (even if it isn’t yet a bank) and it seems they can freeze your account, fail to pay DDs etc. and leave one in limbo, sometimes for weeks.

To me it feels much more serious that Amex, with all the resources available to it, cannot provide decent customer support or chat service and that, as constantly stated on HfP, nothing a chat agent ever tells you can be relied upon. Amex could easily afford to employ better staff and train them properly but they choose not to. That feels the greater sin than the understaffed minnow fintechs support failures.

[diesel678]

I had this same happen to me on Wednesday 3 January. I gave the code to the fraud agent who then authorised £1000.oo transaction to an online crypto currency company. Was locked out of my curve app and it has been a nightmare since. The underlying card is now blocked but they say it has nothing to do with them and to contact curve. Curve do not answer the phone. I have filled in online form over and over. One person did call me back but said that is not you email etc. I dont know what to do