Ben Langhofer, a financial planner and single father of three in Wichita, Kansas, decided to start a side business. He had made a handbook for his family, laying out core values, a mission statement, and a constitution. He wanted to help other families put their beliefs into a real book, one they could hold and display.
So Langhofer hired web developers about two years ago and set up a website, customer relationship management system, and payment processing. On Father’s Day, he launched MyFamilyHandbook.com. He’s had some modest success and has spoken with larger groups about bulk orders, but business has been mostly quiet so far.
That’s how Langhofer knew something was wrong on Friday, August 11, when a woman from California called about a fraudulent charge. He checked his merchant account and saw nearly 800 transactions.
“My heart, it sunk,” Langhofer told Ars on Thursday. He immediately contacted his payment vendor, Stripe, which he said told him about card testing, a scheme in which online card thieves run tiny charges through a merchant’s account to test whether cards are valid. Stripe said it would issue a bulk refund, Langhofer said. Knowing his payment processor was aware of the issue, he went about his weekend.
Langhofer awoke early Monday morning to a flurry of missed calls.
He said his site had attempted nearly 11,000 more transactions, each for $1, most of them initiated by email addresses minutely different from one another. Many of them involved Ally Bank cards, Langhofer said. He’d only ever had two phone calls to the forwarded number listed in his online store, but now his phone wouldn’t stop ringing.
“My dad always taught me to have a good name, so this hurts,” he said. “I don’t have a big staff, but I have a great name in Wichita, in this state. Now my business is tied up in this, and I have no idea what’s next.” In text messages before an Ars Technica interview, Langhofer said the ordeal “consumed my entire week and caused more panic than I recall having in a long time.”
For sale: debit cards, barely used
Langhofer’s business appears to be a victim in a chain of fraud that has affected thousands of debit card customers over the past week. Most prominent among them are Ally Bank customers, who have been tweeting and posting in the r/AllyBank subreddit about charges on cards, some of which they’ve never activated or used. They’ve reported (and Ars Technica has seen) phone support wait times of an hour or more.
There’s an overwhelming sentiment that something is happening, but for days, the major parties had yet to confirm anything.
(Update 4:56 p.m.: A spokesperson for Ally Bank said in a statement: “Across the board, the financial services industry is experiencing an uptick in debit card fraud activity caused by bad actors.” The statement noted that unauthorized transactions reported within 60 days of a statement will result in a new card and refunded charges.
The statement added: “Call centers are experiencing longer-than-usual wait times due to nationwide staffing challenges in combination with an increase in call volumes. This is not unique to Ally.”)
Two of those wondering what’s happening are Stephen Fuchs and Curt Grimes, a Chicago-area couple who spoke with Ars Technica and shared their documentation. They opened their joint Ally checking account in March 2022. Both had debit cards tied to it, each with different numbers. Fuchs never activated his card. Up until last week, Grimes had only used his card once, to send about $5 to someone via Apple Cash.
On August 10, a charge for $15 from a quirky software site appeared on one of their cards, but it went unnoticed. On Friday, August 12, Grimes received an SMS fraud alert from Ally, notifying him of charges from two different Shopify stores for nearly $200. Grimes flagged the charges as fraudulent, and Ally (and Apple Pay) reported that the card was suspended. After spending almost an hour waiting on the phone for Ally on Saturday, August 13, Grimes disputed the earlier $15 charge and saw in his Ally app that a new card, with a new number, was on its way.