South Korea sees 858 cases of unauthorized ChatGPT subscriptions, totaling $256 million won in damages

South Korea is grappling with a surge of unauthorized ChatGPT Plus subscriptions, with over 850 cases reported, resulting in approximately 256 million South Korean won (about $185,000 USD) in fraudulent charges. The high-cost service, priced at 299,000 won per month, has become a target for criminals suspected of exploiting stolen or leaked credit card information.

Payment processor NICE Information Service, which handles domestic card payments for OpenAI's ChatGPT, has taken action by halting new card registrations and payments for the affected merchant. The company is also processing full refunds for all reported fraudulent charges. While NICE Information Service stated that no further fraudulent transactions have occurred since implementing these measures, the incident highlights vulnerabilities in the payment system.

“

If even one unauthorized payment occurs, it means the card information has been completely exposed to criminals. Do not be complacent just because you received a payment cancellation; you could suffer secondary damage at any time with the same information. You must immediately suspend and reissue your card.

Security experts believe the unauthorized charges may be a tactic to test the validity of stolen credit card information. The payment process, which typically requires card number, expiration date, security code, and partial personal information, did not mandate mobile phone verification for all transactions. NICE Information Service explained that this leniency was to accommodate various payment scenarios, such as corporate or family cards, and to align with global payment practices that prioritize user convenience. However, the company is now considering implementing mobile phone verification as an additional user protection measure.

This incident has prompted calls for a broader review of past data breaches, as compromised card information can be exploited long after the initial leak. Experts emphasize that even if immediate fraudulent charges are not detected, the same card details can be used for secondary damages. They strongly advise affected users to immediately suspend and reissue their credit cards, rather than relying solely on payment cancellation. The situation underscores the need for enhanced security protocols, potentially including risk-based authentication for high-risk or high-value transactions, to better protect consumers in the evolving digital payment landscape.

“

It is important to identify who caused this incident and for what purpose, as it has affected a large number of unspecified victims.