
In Korea, a series of incidents has occurred in which a paid ChatGPT membership was charged without the consumer's consent. These are presumed to be cases in which card information leaked or stolen through hacking and other means was misused.

As of the 22nd, the number of suspected unauthorized charges for "ChatGPT Pro" identified in Korea totals 858. ChatGPT Pro is a high-priced plan with a monthly fee of 299,000 won, and the tallied damage amounts to about 256 million won.

The damage came to light as posts began appearing online, one after another, from people who had received credit card payment alert texts. In the texts victims received, the merchant was shown as the electronic payment gateway (PG) company NICE Information & Telecommunication, and in every case the actual charge was a payment for ChatGPT's high-priced artificial intelligence (AI) service plan.

As complaints and civil petitions from victims mounted, OpenAI, which operates ChatGPT, and the domestic PG company NICE Information & Telecommunication carried out payment cancellations and refunds. It was later reported that no additional damage had been confirmed.

The unauthorized charges in this incident appear more likely to have involved stolen or leaked card information being misused for payment than a hack of OpenAI itself. The fraudulent payments went through NICE Pay, the online payment service of NICE Information & Telecommunication, to pay for OpenAI's paid ChatGPT plan.

At many overseas online merchants, payment is possible by entering only basic card information such as the card number, expiration date, and security code (CVC). Under this structure, payments can be attempted with nothing more than stolen or leaked card information.

Experts say the payment structure through a PG company delayed recognition of the damage. PG companies broker payment services on behalf of merchants that find it difficult to contract directly with card issuers. Because of this, in payments using a PG company, the PG company name often appears as the merchant name on card statements or payment alerts instead of the actual service name.

In this incident as well, "NICE Information & Telecommunication," not ChatGPT or OpenAI, was displayed in the payment details, making it difficult for consumers to figure out which service the payment was made to. Immediately after the incident, OpenAI and NICE Information & Telecommunication changed the merchant name so that NICE Information & Telecommunication and OpenAI or ChatGPT would be shown together at the time of payment.

There is also criticism that PG-company payments can be detected late by card issuers' fraud detection systems (FDS). The FDS is a system that detects abnormal transactions by comprehensively analyzing payment amounts, times, industries, and transaction patterns. However, if the actual payment destination information is not sufficiently revealed, it can take time to identify repeated abnormal signs at a particular merchant.
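
The effect described above, shown as an added example that is not from the article and does not represent any card issuer's FDS: a simplified daily-count check run over constructed transactions, keyed first by the PG name shown on the statement and then by the actual service. The descriptor `PG-COMPANY`, the service names, the volumes and the 3x threshold are all assumptions.

```python
from collections import Counter

# Constructed sample data: (day, descriptor_on_statement, actual_service, amount_won).
# The PG name and service names are placeholders, not real transaction records.
def build_sample():
    txns = []
    for day in range(1, 8):                      # days 1-6 = history, day 7 = today
        txns += [(day, "PG-COMPANY", "shop-a", 35_000)] * 400
        txns += [(day, "PG-COMPANY", "shop-b", 12_000)] * 300
        txns += [(day, "PG-COMPANY", "ai-plan", 299_000)] * 3
    # Burst of unauthorized charges for the high-priced plan on day 7.
    txns += [(7, "PG-COMPANY", "ai-plan", 299_000)] * 40
    return txns

def flag_spikes(txns, key_index, today, ratio_threshold=3.0):
    """Return {key: ratio} for keys whose count today is at least
    ratio_threshold times their mean daily count on earlier days."""
    history, current = Counter(), Counter()
    past_days = {t[0] for t in txns if t[0] != today}
    for t in txns:
        (current if t[0] == today else history)[t[key_index]] += 1
    flagged = {}
    for key, count in current.items():
        mean = history[key] / len(past_days) if past_days else 0
        ratio = count / mean if mean else float("inf")
        if ratio >= ratio_threshold:
            flagged[key] = round(ratio, 2)
    return flagged

if __name__ == "__main__":
    txns = build_sample()
    # Keyed by the PG name, the burst is diluted by the PG's normal volume.
    print("by statement descriptor:", flag_spikes(txns, 1, today=7))
    # Keyed by the actual service, the same burst stands out.
    print("by actual service:      ", flag_spikes(txns, 2, today=7))
```
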

Meanwhile, damage from credit card theft or fraudulent use like this can be reduced through prevention and follow-up measures. According to the Credit Finance Association Consumer Support Center's "How to prevent and respond to damage from loss or theft," customers should sign the card's signature panel themselves as soon as they receive the card and strictly manage their PIN. If an unsigned card is used after being stolen, the cardholder may bear all or part of the responsibility.
