This happened to me on a debit card a couple weeks ago, then to a bunch of colleagues more recently with Brex cards. All alerted that fraudulent attempts were made to use the cards at online merchants (Spotify, Shopify, etc.), i.e. card not present transactions, but some detail (cvv, expiration, etc.) of the card didn't match.

I hadn't used that debit card in over a year, and when I called my bank to cancel my debit card, they said that the Spotify charges were common attempts where bad guys just try card numbers to then see if the card was valid.

I've often wondered, there aren't THAT many digits of randomization in a payment card number (6 digits are the bin number, 1 is the luhn checksum), so I don't think it would be that hard, for example, to have a bot network just try tons of numbers at various online merchants.

Is this just paranoia, or has anyone else seen an uptick in these kinds of card-denied transactions?