U.S. challenger bank Chime launches Credit Builder, a credit card that works more like debit

U.S. challenger bank Chime, now valued at $5.8 billion, is entering the credit card market with today’s launch of a new card designed to help consumers build their credit history by way of everyday transactions. With the Chime Credit Builder Visa Credit Card, users can control how much they want to spend by transferring funds to a “Spending Account” and can then charge up to this amount wherever Visa is accepted.

This makes the card feel more like a debit card, as it’s tied to how much cash is in a user’s bank account — rather than a traditional credit card which can allow for overspending.

Chime wanted to develop a new kind of credit card experience due to the growing popularity of debit cards in the U.S. In 2018, the U.S. Federal Reserve said debit cards represent 50% of all non-cash transactions, the company noted. And younger consumers, in particular, prefer debit over credit, Chime had reported in the past. In a 2015 survey, Chime found that 67% of millennials preferred debit cards, which they feel are more secure and less likely to get them into debt.

However, relying on debit cards alone means younger consumers aren’t building up their credit history — a decision that will come to matter when it’s time to finance a larger purchase, like a house.

“Americans have embraced debit cards for greater control but this limits their ability to establish or build their credit score,” noted Chime CEO Chris Britt, in a launch announcement. “We created Credit Builder to help our members stay in control and safely build their credit with their everyday purchases,” he said.

Chime’s credit card aims to straddle both worlds, debit and credit, by working to establish good credit while also preventing users from overspending.

To make this work, Chime users first add money to their Chime Spending Account and then charge their everyday purchases — like gas, groceries or subscriptions — using the credit card. At the end of the month, Chime’s Safer Credit Builder feature will automatically pay off the credit card balance from the secured account on time. It then reports the credit card payment to the major credit bureaus, including TransUnion, Experian, and Equifax.

The card also has the appeal of a debit card for its lack of fees. It doesn’t include an annual fee, interest or a minimum security deposit, like many of the secured credit cards it competes with.

The company has been thinking about how to better address the credit building needs of its users for some time. In fall 2018, Chime acquired the credit score improvement service Pinch which had focused on helping young adults build better credit. The startup was best known for a service called PinchRent, which reported on-time rent payments to credit bureaus to help its users increase credit scores.

Chime says it took learnings from Pinch and tapped into the team’s expertise in its creation of Credit Builder.

Chime has been beta testing Credit Builder since June 2019 and the service has grown to reach over 200,000 enrollees. During the test period Credit Builder has helped users increase their credit score by an average of 30 points, Chime says, citing data from TransUnion. In addition, it helped 95% of members with no credit history establish a credit score for the first time. Anecdotal reports from its users, like these discussions on Reddit, also appear to support Chime’s statements about the card’s ability to improve their credit.

Today, Chime is opening up access to the waitlist for Credit Builder to all its Chime banking customers and it will roll out the service to more members every week over the summer.

Chime’s mobile banking app is now one of many challenger banks in the U.S. aiming to address a younger generation’s shift away from big banks with physical branches to modern, mobile and digital banking experiences. Chime, however, is not a bank itself. Instead, banking services are provided by The Bancorp Bank or Stride Bank, N.A., Members FDIC. The Credit Builder card is also issued by Stride Bank.

Like many of its rivals, Chime offers free checking accounts, with no overdraft fees, early access to direct deposit paychecks, automatic savings, and more. But Chime has outpaced much of its competition, having raised a $500 million round in late 2019 to value its business at $5.8 billion — a sizable increase from the $1.5 billion valuation it had earlier in 2019. It’s now growing at 4x year-over-year, the company says, and reached 8 million FDIC-insured accounts as of February 2020 according to Bloomberg.

Chime’s Credit Builder launch follows yesterday’s debut of the Apple Card “Path” program, which also helps to tackle the issue of young people who can’t qualify for credit. In its case, the program alerts users to ways to improve their creditworthiness, like making payments to secured cards or resolving past due balances. This program is more educational in nature, however, whereas Chime’s Credit Builder is about actual credit-building through transactions and payments.

 

American Express launches new in-app restaurant reservation booking following its Resy acquisition

Earlier this year, American Express announced it was acquiring Resy, the New York-based restaurant reservation platform whose software was used by 4,000+ restaurants across 10 countries. This week, the company has taken the next step by integrating Resy’s system within the Amex Mobile App. In a new restaurant booking feature, Resy’s inventory will be combined with the American Express Global Dining Collection and other partners, including BookTable and SevenRooms, to offer cardholders reservations from over 10,000 restaurants worldwide.

Currently, this restaurant-booking feature will be available only to a portion of Amex’s Platinum Card Member base. But American Express says the plan is to roll out the feature more broadly in the months ahead.

The company says its decision to go this route was driven by customer activity. Dining is a top spending category among cardholders and the number one request through the Platinum Concierge service — a premium perk that’s like having an assistant work for you to research travel, find gifts, or make dinner reservations, for example.

Resy fits in with Amex’s larger goal of providing services to cardholders that can help connect them to unique experiences, as its platform can be used to acquire reservations even at newer, hipper and hard to get into restaurants.

Before its acquisition, Resy’s software for restaurants had managed to steal market share away from OpenTable, thanks to its advances in table management solutions for restaurant owners, which includes features like an adaptive optimization engine, business intelligence capabilities, and the ability to combine different scheduling strategies, like slots and a more dynamic flex system. This system and the consumer-facing booking options continue to be available through Resy directly, even if users aren’t Amex members.

Resy was the latest in a string of Amex acquisitions aimed at expanding its Global Dining Program. Amex also bought Japan-based restaurant booking service Pocket Concierge in January, and U.K. fintech startup Cake Technologies, designed to help people more easily pay their restaurant bill.

More broadly, these acquisitions aim to help Amex become more central to its customers’ lives, the company had said at the time of the Resy deal. And that’s just as important as the points program.

In addition, by building more digital services into its app, Amex aims to better serve an increasingly mobile and tech-savvy audience. The company says that 84% of its card members now use the app or website to interact with the company, and it’s seen a 35% year-over-year increase in daily active American Express mobile app users globally.

The new in-app reservation booking tool will become available to the larger Platinum and Centurion Card Member base by 2020, following this week’s more limited launch.

Macy’s said hackers stole customer credit cards — again

For the second time in as many years, Macy’s customers have been hit by a data breach involving countless numbers of credit cards.

In a filing with the California attorney general, the retail giant said hackers siphoned off customers’ names, addresses, and phone numbers, but also credit card numbers, card verification codes, and expiration dates by inserting malicious code on its website and quietly sending the stolen data back to the hackers.

Macy’s said the breach lasted a week, between October 7 and October 15. The retail giant did not say how many customers were affected, but the breach is likely to affect thousands of customers.

It’s the latest example of hackers breaking into websites and installing credit card skimming malware. It’s not known who was behind the credit card theft, but a hacking group known as Magecart has been behind some of the largest credit card skimming efforts in recent years — including the American Cancer Society, British Airways, Ticketmaster, AeroGarden and Newegg.

Last year, Macy’s admitted a months-long breach that saw hackers steal credit card data and passwords from about 0.5% of its customer base — on both its website and Bloomingdale’s site, which Macy’s owns. The breach resulted in a class action suit, which accused Macy’s of “lackadaisical, cavalier, reckless, and negligent” security practices.

Macy’s is one of the most popular websites in the U.S., according to Alexa rankings.

Google to offer checking accounts in partnership with banks starting next year

Google is the latest big tech company to make a move into banking and personal financial services: The company is gearing up to offer checking accounts to consumers, as first reported by the Wall Street Journal, starting as early as next year. Google is calling the project “Cache,” and it’ll partner with banks and credit unions to offer the checking accounts, with the banks handling all financial and compliance activities related to the accounts.

Google’s Caesar Sengupta spoke to the WSJ about the new initiative, and Sengupta made clear that Google will be seeking to put its financial institution partners much more front-and-center for its customers than other tech companies have perhaps done with their financial products. Apple works with Goldman Sachs on its Apple Card credit product, for instance, but the credit card is definitely presented primarily as an Apple product.

So why even bother getting into this game if it’s leaving a lot of the actual banking to traditional financial institutions? Well, Google obviously stands to gain a lot of valuable information and insight on customer behavior with access to their checking account, which for many is a good picture of overall day-to-day financial life. Google says it’s also intending to offer product advantages for both consumers and banks, including things like loyalty programs, on top of the basic financial services. It’s also still considering whether or not it’ll charge service fees, per Sengupta – not doing so would definitely be an advantage over most existing checking accounts available.

Google already offers Google Pay, and its Google Wallet product has hosted some features beyond simple payments tracking, including the ability to send money between individuals. Meanwhile, rivals including Apple have also introduced payment products, and Apple of course recently expanded into the credit market with Apple Card. Facebook also introduced its own digital payment product earlier this week, and earlier this year announced its intent to build its own digital currency called ‘Libra’ along with partners.

The initial financial partners that Google is working with include Citigroup and Stanford Federal Credit Union, and their motivation per the WSJ piece appears to be seeking out and attracting younger and more digital-savvy customers who are increasingly looking to handle more of their lives through online tools. Per Sengupta’s comments, they’ll also benefit from Google’s ability to work with large sets of data and turn those into value-add products, but the Google exec also said the tech company doesn’t use Google Pay data for advertising, nor does it share that data with advertisers. Still, convincing people to give Google access to this potentially sensitive area of their lives might be an uphill battle, especially given the current political and social climate around big tech.

American Cancer Society’s online store infected with credit card stealing malware

The American Cancer Society’s online store has become the latest victim of credit card stealing malware.

Security researcher Willem de Groot found the malware on the organization’s store website, buried in obfuscated code designed to look like legitimate analytics code. The code was designed to scrape credit card payments from the page, like similar attacks targeting British Airways, Ticketmaster, AeroGarden, and Newegg.

The attackers, known as Magecart, sell their stolen credit card numbers on the dark web or use the numbers for committing fraud.

de Groot said in a blog post explaining the breach, shared exclusively with TechCrunch, that the code was designed to send collected credit card numbers to a third-party server, operated by the attacker. The code was malformed, leading to it being inserted twice. When the malicious code was decoded, it revealed the web address of the hacker’s third-party server.


The card skimming malware on the American Cancer Society’s store’s website. (Image: TechCrunch)

Trend Micro said the domain is known to be used by Magecart. The domain is registered in Moscow, but the website itself loads nothing more than a decoy page.

The code was injected into the online store at some point late last week. de Groot informed the organization of the incident as soon as he found the code on Thursday by calling its anti-fraud hotline, but the code was not immediately removed. After we reached out Friday, the code was no longer present.

American Cancer Society spokesperson Kathi Dinicola did not return requests for comment.

It’s not known how many users were affected, but anyone who entered information through the American Cancer Society late last week should contact their payments provider.

Walmart launches two new credit cards offering 5% back on digital purchases

Walmart is partnering with Capital One to launch a new credit card program, which rolls out on September 24, and includes both co-branded and private-label cards. The former, the Capital One Walmart Mastercard, includes 5% back on purchases made on Walmart.com or paid for in-store using Walmart Pay (the latter for the first 12 months.) The private label card, the Walmart Rewards Card, will offer those same perks, but is limited to being used only in Walmart stores and on Walmart.com.

After the 12-month introductory period, the co-branded Mastercard will drop to 2% on Walmart purchases in stores, instead of 5%. However, it will continue to offer 5% on Walmart.com purchases, including Walmart Grocery.

It also offers 2% back on restaurants and travel and 1% back everywhere else. The card doesn’t include any annual fee or foreign transaction fees, and its rewards can be used any time, Walmart says.

Customers can apply for the new card via Walmart’s website or app, or through CapitalOne.com. The application itself can be filled out using a mobile device and, once approved, customers gain access to the card immediately. They can also load the card into Walmart Pay or into the Walmart app before the physical card arrives in the mail — similar to how Apple’s new Apple Card works.

Through Capital One, customers will receive purchase notifications, security alerts, 0% fraud liability, and the ability to lock/unlock a lost or stolen card from the Capital One app.

The new Walmart store card, meanwhile, also offers 5% back on purchases on Walmart.com, in the Walmart app, and on Walmart Pay in-store purchases during the introductory period. It then offers 2% back on Walmart purchases afterward. It also earns 2% back at Walmart Fuel Stations.

Current Walmart cardholders will be converted to the Capital One Walmart Rewards Mastercard or the Walmart Rewards Card, starting October 11, with physical cards arriving in November. They’ll also earn 5% back through Walmart Pay through October 14, 2020.

Walmart’s prior card, from Synchrony Bank, offered smaller rewards, noted Sara Rathner, credit cards expert at NerdWallet, in a statement published this morning.

“The Capital One Walmart Rewards Mastercard is definitely helping to cement 5% back as the gold standard among retail cards. We already see this rewards rate with the Amazon Prime Rewards Visa card and the Target REDcard. The previous Walmart card issued by Synchrony Bank only offered 3% back on Walmart.com and a paltry 1% back in-store, so the new card is a huge step up,” she said.

Credit card partnerships are an area of importance to major retailers, including Walmart’s chief rival, Amazon. Its credit card program includes a variety of options, including store cards, travel cards, prepaid cards, no annual fee cards, reward points cards and more. And of course both retailers today are, to some extent, challenged by Apple, which just entered the credit card space, too.

Branded store cards not only help to increase customer loyalty, they also drive more purchases, reduce credit card processing fees, create additional profit in the form of interest, and generate records of customer purchases that can be used for targeted advertising.

“As our company has evolved to serve customers shopping in stores, online, and on the Walmart apps, we also recognized the need to fully digitally enable the cardholder experience,” said Daniel Eckert, senior vice president, Walmart services and digital acceleration, in a statement. “That’s why we’ve worked with Capital One to make it possible for cardholders to manage essentially every interaction with the program right from the palm of their hands,” he said.

 

MoviePass exposed thousands of unencrypted customer card numbers

Movie ticket subscription service MoviePass has exposed tens of thousands of customer card numbers and personal credit cards because a critical server was not protected with a password.

Mossab Hussein, a security researcher at Dubai-based cybersecurity firm SpiderSilk, found an exposed database on one of the company’s many subdomains. The database was massive, containing 161 million records at the time of writing and growing in real-time. Many of the records were normal computer-generated logging messages used to ensure the running of the service — but many also included sensitive user information, such as MoviePass customer card numbers.

These MoviePass customer cards are like normal debit cards: they’re issued by Mastercard and store a cash balance, which users who sign up to the subscription service can use to pay to watch a catalog of movies. For a monthly subscription fee, MoviePass uses the debit card to load the full cost of the movie, which the customer then uses to pay for the movie at the cinema.

We reviewed a sample of 1,000 records and removed the duplicates. A little over half contained unique MoviePass debit card numbers. Each customer card record had the MoviePass debit card number and its expiry date, the card’s balance, and when it was activated.

The database had more than 58,000 records containing card data — and was growing by the minute.

We also found records containing customers’ personal credit card numbers and their expiry date — which included billing information, including names, and postal addresses. Among the records we reviewed, we found records with enough information to make fraudulent card purchases.

Some records, however, contained card numbers that had been masked except for the last four digits.

The database also contained email addresses and some password data related to failed login attempts. We found hundreds of records containing the user’s email address and presumably incorrectly typed password — which was logged — in the database. We verified this by attempting to log into the app with an email address and password that didn’t exist but only we knew. Our dummy email address and password appeared in the database almost immediately.

None of the records in the database were encrypted.
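An added example (not from the original article and not MoviePass code): a Python logging filter that masks Luhn-valid card numbers to their last four digits and blanks password, CVV and expiry fields before a record is written, so an exposed log store does not hold them in plaintext. The field names, logger name and sample events are constructed for illustration; the card numbers are public test numbers.

```python
import logging
import re

# Candidate card numbers: 13-19 digits, optionally split by spaces or hyphens.
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# key=value or JSON-style fields that must never be logged (assumed field names).
_SECRET_RE = re.compile(
    r'(?i)("?\b(?:password|passwd|pwd|cvv|cvc|expiry)"?\s*[:=]\s*)("[^"]*"|[^\s,;&}]+)'
)


def luhn_valid(digits: str) -> bool:
    """Luhn checksum, used so order IDs and other long numbers are left alone."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _mask_pan(match):
    digits = re.sub(r"\D", "", match.group(0))
    if not luhn_valid(digits):
        return match.group(0)
    return "*" * (len(digits) - 4) + digits[-4:]


def _mask_secret(match):
    quoted = match.group(2).startswith('"')
    return match.group(1) + ('"[REDACTED]"' if quoted else "[REDACTED]")


def scrub(text: str) -> str:
    """Blank secret fields first, then mask any remaining card numbers."""
    text = _SECRET_RE.sub(_mask_secret, text)
    return _PAN_RE.sub(_mask_pan, text)


class RedactingFilter(logging.Filter):
    """Attach to handlers (not loggers) so propagated records are covered too."""

    def filter(self, record):
        # Render msg % args first: secrets often arrive through the arguments.
        record.msg = scrub(record.getMessage())
        record.args = ()
        return True


class ListHandler(logging.Handler):
    """Stand-in for a real log sink; collects formatted lines in memory."""

    def __init__(self):
        super().__init__()
        self.lines = []

    def emit(self, record):
        self.lines.append(self.format(record))


# Constructed sample events resembling the record types the article describes.
SAMPLE_EVENTS = [
    ("card activated number=%s expiry=%s balance=%s",
     ("5555555555554444", "08/23", "12.50")),
    ('login failed {"email": "user@example.com", "password": "hunter2"}', ()),
    ("billing card 4111 1111 1111 1111 for order 1234567890123456", ()),
]


def run_demo():
    logger = logging.getLogger("payments.demo")  # hypothetical logger name
    logger.setLevel(logging.INFO)
    logger.propagate = False
    handler = ListHandler()
    handler.addFilter(RedactingFilter())
    logger.addHandler(handler)
    try:
        for msg, args in SAMPLE_EVENTS:
            logger.info(msg, *args)
    finally:
        logger.removeHandler(handler)
    return handler.lines


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

Redaction at the logging layer limits what a misconfigured or unauthenticated log database can leak; it does not replace access control on the database itself.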

Hussein contacted MoviePass chief executive Mitch Lowe by email — which TechCrunch has seen — over the weekend but did not hear back. It was only after TechCrunch reached out Tuesday that MoviePass took the database offline.

It’s understood that the database may have been exposed for months, according to data collected by cyberthreat intelligence firm RiskIQ, which first detected the system in late June.

We asked MoviePass several questions — including why the initial email disclosing the security lapse was ignored, for how long the server was exposed, and its plans to disclose the incident to customers and state regulators. When reached, a spokesperson did not comment by our deadline.

MoviePass has been on a rollercoaster since it hit mainstream audiences last year. The company quickly grew its customer base from 1.5 million to 2 million customers in less than a month. But MoviePass took a tumble after critics said it grew too fast, forcing the company to cease operating briefly after the company briefly ran out of money. The company later said it was profitable, but then suspended service, supposedly to work on its mobile app. It now says it has “restored [service] to a substantial number of our current subscribers.”

Leaked internal data from April said its customer numbers went from three million subscribers to about 225,000. And just this month MoviePass reportedly changed user passwords to hobble access for customers who use the service extensively.

Hussein said the company was negligent in leaving data unencrypted in an exposed, accessible database.

“We keep on seeing companies of all sizes using dangerous methods to maintain and process private user data,” Hussein told TechCrunch. “In the case of MoviePass, we are questioning the reason why would internal technical teams ever be allowed to see such critical data in plaintext — let alone the fact that the dataset was exposed for public access by anyone,” he said.

The security researcher said he found the exposed database using his company-built web mapping tools, which peek into non-password protected databases that are connected to the internet, and identify the owner. The information is privately disclosed to companies, often in exchange for a bug bounty.

Hussein has a history of finding exposed databases. In recent months he found one of Samsung’s development labs exposed on the internet. He also found an exposed backend database belonging to Blind, an anonymity-driven workplace social network, exposing private user data.


Credit Karma glitch exposed users to other people’s accounts

Users of credit monitoring site Credit Karma have complained that they were served other people’s account information when they logged in.

Many took to a Reddit thread and complained on Twitter about the apparent security lapse.

“First time logging in it gave me my information, but as soon as I refreshed the screen, it gave me someone else’s info,” said one Reddit user. “Refreshed again and bam! someone else’s info — it’s like roulette.” Another user said they logged in and out several times and each time they had “full access to a different random person’s credit file,” they said.

One user told TechCrunch that after they were served another person’s full credit report, they messaged the user on LinkedIn “to let him know his data was compromised.”

Another user told us this:

The reports are split into two sections: Credit Factors — things like number of accounts, inquiries, utilization; and Credit Reports — personal information like name, address, etc. The Credit Reports section was my own information, but the Credit Factors section definitely wasn’t. It listed four credit card accounts (I have more like 20 on my report), a missed payment (I’m 100% on time with payments), a Honda auto loan (never had one with Honda), student loan financing (mine are paid off and too old to appear on my report), and cards with an issuer that I have no relationship with (Discover).

Several screenshots seen by TechCrunch show other people’s accounts, including details about their credit card accounts and their current balance.

Another user who was affected said they could read another person’s Credit Factors — including derogatory credit marks — but that the Credit Report tab with that user’s personal information, like names and addresses, was blank.

One user said that the login page was pulled offline for a brief period. “We’ll be right back,” the login page read instead.

Credit Karma spokesperson Emily Donohue denied there was a data breach, but when asked would not say how many customers were affected.

“What our members experienced this morning was a technical malfunction that has now been fixed. There is no evidence of a data breach,” the statement said.

The company didn’t say for how long customers were experiencing issues.

Credit Karma offers customers free credit score monitoring and reports. The company allows users to check their scores against several major credit agencies, including Equifax, which last month was fined at least $575 million for a 2017 data breach.

Apple Card can’t be used to buy crypto

Cryptocurrency fans who were hoping to use Apple’s forthcoming credit card to splash on coin are out of luck. You also won’t be able to use the Apple Card to buy lottery tickets, casino gambling chips in any form, physical or virtual, or foreign currency or travelers checks.

Reuters spotted the detail in a customer agreement posted to Apple Card’s card issuer partner Goldman Sachs’ website which lists restrictions on transactions it describes as “cash advance and cash equivalents”.

The agreement defines these as meaning “any cash advance and other cash-like transaction, including purchases of cash equivalents such as travelers checks, foreign currency, or cryptocurrency; money orders; peer to peer transfers, wire transfers or similar cash-like transactions; lottery tickets, casino gaming chips (whether physical or digital), or race track wagers or similar betting transactions”.

Given the wild swings in crypto valuations the Apple+Goldman credit tie-up saying a firm ‘no’ to cardholders splashing on such shaky stuff is hardly surprising.

Apple announced it was getting into the credit card game back in March, saying the card would offer a 2% cash back incentive for using Apple Pay to make purchases. (The physical version of the Apple Card is slightly less generous vs the digital card.) While if you’re buying stuff direct from Apple there’s 3% cash-back.

There are also no late fees and no penalty rates. Interest rates for Apple Card are in the range of 13-24%, based on the user’s creditworthiness.

As with Apple Pay, there’s a privacy promise too — with a pledge that Apple Card transaction data won’t be sold for advertising or marketing, not by Apple, Goldman or any other partners. Though data may be shared with regulators for financial reporting purposes and so on.

The Apple Card is due to be released in the US next month.

Capital One’s breach was inevitable, because we did nothing after Equifax

Another day, another massive data breach.

This time it’s the financial giant and credit card issuer Capital One, which revealed on Monday a credit file breach affecting 100 million Americans and 6 million Canadians. Consumers and small businesses affected are those who obtained one of the company’s credit cards dating back to 2005.

That includes names, addresses, phone numbers, dates of birth, self-reported income and more credit card application data — including over 140,000 Social Security numbers in the U.S., and more than a million in Canada.

The FBI already has a suspect in custody. Seattle resident and software developer Paige A. Thompson, 33, was arrested and detained pending trial. She’s been accused of stealing data by breaching a web application firewall, which was supposed to protect it.

Sound familiar? It should. Just last week, credit rating giant Equifax settled for more than $575 million over a data breach it had — and hid from the public for several months — two years prior.

Why should we be surprised? Equifax faced zero fallout until its eventual fine. All talk, much bluster, but otherwise little action.

Equifax’s chief executive Richard Smith “retired” before he was fired, allowing him to keep his substantial pension packet. Lawmakers grilled the company but nothing happened. An investigation launched by the former head of the Consumer Financial Protection Bureau, the governmental body responsible for protecting consumers from fraud, declined to pursue the company. The FTC took its sweet time to issue its fine — which amounted to about 20% of the company’s annual revenue for 2018. For one of the most damaging breaches to the U.S. population since the breach of classified vetting files at the Office of Personnel Management in 2015, Equifax got off lightly.

Legislatively, nothing has changed. Equifax remains as much of a “victim” in the eyes of the law as it was before — technically, but much to the ire of the millions affected who were forced to freeze their credit as a result.

Mark Warner, a Democratic senator serving Virginia, along with his colleague since turned presidential candidate Elizabeth Warren, was tough on the company, calling for it to do more to protect consumer data. With his colleagues, he called on the credit agencies to face penalties to the top brass and extortionate fines to hold the companies accountable — and to send a message to others that they can’t play fast and loose with our data again.

But Congress didn’t bite. Warner told TechCrunch at the time that there was “a failure of the company, but also of lawmakers” for not taking action.

Lo and behold, it happened again. Without a congressional intervention, Capital One is likely to face largely the same rigmarole as Equifax did.

Blame the lawmakers all you want. They had their part to play in this. But fool us twice, shame on the credit companies for not properly taking action in the first place.

The Equifax incident should have sparked a fire under the credit giants. The breach was the canary in the coal mine. We watched and waited to see what would happen as the canary’s lifeless body emerged — but, much to the American public’s chagrin, no action came of it. The companies continued on with the mentality that “it could happen to us, but probably won’t.” It was always going to happen again unless there was something to force the companies to act.

Companies continue to vacuum up our data — knowingly and otherwise — and don’t do enough to protect it. As much as we can have laws to protect consumers from this happening again, these breaches will continue so long as the companies continue to collect our data and not take their data security responsibilities seriously.

We had an opportunity to stop these kinds of breaches from happening again, yet in the two years that have passed we’ve barely grappled with the basic concepts of internet security. All we have to show for it is a meager fine.

Thompson faces five years in prison and a fine of up to $250,000.

Everyone else faces just another major intrusion into their personal lives. Not at the hands of the hacker per se, but the companies that collect our data — with our consent and often without — and take far too many liberties with it.