I don’t want to write about Annette Bricca for a long list of reasons.
First, because her problem — or, more specifically, her daughter’s problem — was fixed. And then some. The company in question, Lush Fresh Handmade Cosmetics, not only reversed her phantom purchases, but threw in a $200 gift certificate.
That’s an extraordinarily generous resolution.
Second, because the problem is a potential security flaw that could be exploited by outside forces. Websites are imperfect sales vehicles and hackers are what they are. My workaround? I waited five weeks before publishing anything about this case to give the good people at Lush plenty of time to fix this.
Finally, and perhaps most importantly, we don’t really know what happened. I have Bricca’s firsthand account and I have screenshots of the charges. But I wasn’t with her daughter when she purchased $815 worth of cosmetics.
I have a daughter, and I know what she would tell me if she “accidentally” bought $815 in cosmetics online. I might not believe her story.
But I had to write something because as we swim into the uncertain waters of mainstream consumer advocacy, there will be more cases like this. Cases with lots of unanswerable questions. Cases that, if we cover them, could do as much harm as good. So how do we handle them?
Here’s the setup. Bricca’s daughter, using a debit card, went online to make her Lush purchase. Within a few minutes, the system had effectively “drained” her account. (I put “drained” in quotes because that is the actual word Bricca used.)
“When she entered her card information in the online checkout cart system, Lush’s system said her billing information was not correct,” says Bricca. “She returned to the cart, re-entered the information, pressed send again and she got the same error. Like most of us, she repeated her steps, trying to see where the problem was. She tried five times to figure out what was wrong with her billing address, and finally gave up.”
(Commenters, please be nice to her.)
Lush didn’t give up.
According to screenshots she sent me, Lush charged her $40, then $106, then $173, then $239, and then $257.
“What she didn’t know was that despite it declining her purchase due to bad information, it was putting authorization holds on her card each time,” says Bricca. “Sadly, she did it enough times to empty – or put on hold – her entire account balance. She was traveling and was stuck without money for a taxi, food, hotel – everything.”
We had a debate about credit card holds a few weeks ago.
Fortunately, the story has a happy ending. Lush reversed the charges in the end. But not without a fight.
“It took us a week to get Lush to release the charges – complete nightmare – and they did issue us $200 in gift cards,” says Bricca. “I am not beating the dead horse of the hold anymore. That’s no longer the problem.”
So what is the problem? It’s this:
My concern is that this company has a faulty paywall gateway that’s allowing authorizations to go through when, in fact, they should have been denied. Or is it that our bank allowed the loophole? I have never seen multiple pending charges like this when a transaction was declined due to billing issues.
If it’s a website order form issue, someone could theoretically put a huge hold on someone’s account if they knew their credit card number and billing address.
For example, my credit card statement got delivered to the wrong address recently. If someone kept that, they’d have a lot of the info needed – just not the Card Verification Value (CVV) – to wreak havoc on my account.
I have sent many requests to Lush to find out what went wrong and to see if it has been fixed. This is one of those times when an individual case is resolved but the potential exists for many more consumers to be harmed.
So far, I’ve heard nothing back from Lush.
Should I even be writing about this, since it could damage other customers and, perhaps, the merchant? Or is warning them the right move? When an individual problem gets fixed, is my job done — or do I have an obligation to address the larger problem?