Ben Langhofer, a financial planner and single father of three in Wichita, Kansas, decided to start a side business. He had created a handbook for his family outlining core values, a mission statement, and a constitution. He wanted to help other families write their beliefs in a proper book, one they could keep and display.
So about two years ago, Langhofer hired web developers and set up a website, customer relationship management system, and payment processing. He started on Father’s Day MyFamilyHandbook.com. He’s had modest success and has spoken to larger groups about bulk orders, but business has been mostly quiet so far.
That’s how Langhofer knew something was wrong on Friday, August 11, when a woman from California called about a fraudulent charge. He checked his merchant account and saw almost 800 transactions.
“My heart sank,” Langhofer told Ars on Thursday. He immediately contacted his payment provider, Stripe, who he says told him about it test cards– a system where online card thieves use tiny charges from an account to test valid cards. Stripe said it would issue a bulk refund, Langhofer said. Knowing his payment processor was aware of the issue, he headed for the weekend.
Langhofer woke up early Monday morning to a barrage of missed calls.
He said his site attempted nearly 11,000 more transactions, each for $1, most of them initiated from email addresses that differed slightly from one another. Many of them involved Ally Bank cards, Langhofer said. He had only received two calls to the forwarded number listed on his online store, but now his phone would not stop ringing.
“My dad always taught me to have a good name, so that hurts,” he said. “I don’t have a big staff, but I do have a big name in Wichita, in this state. Now my business is busy with it, and I have no idea what’s next.” In text messages ahead of an Ars Technica interview, Langhofer said the ordeal “took up my entire week and caused more panic than I can remember , for a long time”.
For sale: debit cards, hardly used
Langhofer’s business appears to have fallen victim to a chain of scams that have affected thousands of debit card customers over the past week. Most prominent among them are Ally Bank customers who were tweet and post in the r/AllyBank subreddit about charges on cards, some of which have never been activated or used. They have reported (and Ars Technica has seen) wait times for phone support of up to an hour or more.
There is an overwhelming feeling that something is happening, but the major parties have yet to confirm anything.
Ars Technica has contacted Ally Bank multiple times by phone and email to comment on this story. We’ll update this post when we get feedback.
Two of those wondering what’s happening are Stephen Fuchs and Curt Grimes, a Chicago-area couple who spoke to Ars Technica and shared their documentary. They opened their joint Ally checking account in March 2022. They both had debit cards tied to it, each with different numbers. Fuchs never activated his card. Up until last week, Grimes had only used his card once to send about $5 to someone through Apple Cash.
On August 10, a $15 charge from a quirky software site appeared on one of their cards, but it went unnoticed. On Friday, August 12, Grimes received a text message fraud alert from Ally, alerting him to nearly $200 in charges from two different deals. Grimes flagged the charges as fraudulent, and Ally (and Apple Pay) reported the card was blocked. After waiting for Ally on the phone for nearly an hour on Saturday, August 13, Grimes disputed the earlier $15 charge and saw on his Ally app that a new card with a new number was on the way.