Originally Posted by tmiw:
In fairness, it's pretty uncommon for someone to commit fraud by having recurring charges. It's more anonymous (and thus easier to not get caught) to use a stolen card for one-time charges.
Considering that the bad guys seem to constantly be coming up with new schemes and variations to defraud somebody in the payment chain, I don't stop to consider what's common or uncommon anymore.
Two years ago a charge to Hulu for ~$100 showed up on an Amex card that we had just used heavily on a Hawaiian vacation. I, not Amex, spotted the unauthorized charge and flagged it for dispute. Amex was reluctant to cancel the card immediately, and poked at me to make sure it wasn't a legitimate charge that I had just forgotten. For whatever reason, this charge did not trigger their fraud alert system. They started a verification inquiry, requiring more information from Hulu to validate the charge. The merchant is given ~21 days to respond, during which the card remains active, the transaction dispute is pending, but the cardholder is not obliged to pay the disputed amount. All other use of the card may proceed as usual, if you wish. At the end of the 21 days Amex sent a message: "Good news! The merchant didn't respond, so we have removed the charge and you're off the hook."
So, no news is good news, right? Not in this case. The next month another charge (same amount) to Hulu appears. I flag it and wait for it to post so I can dispute it. Meantime, another unauthorized charge appears for an international phone call, so when I call Amex they cancel the card immediately and overnight a replacement. (Had they not cancelled immediately this time, I was ready to threaten to close all Amex accounts and move my business elsewhere.)
So, did Hulu resubmit the original charge, or was the second instance an attempted recurring payment for a subscription? Was the charge really fraudulent, or just somebody's fat-fingered mistake? I don't have the answers, but from this experience, combined with a few other personal brushes with unauthorized transactions, and lots of anecdotal reports from FTers, Brian Krebs' excellent blog and elsewhere, I observe:
1. Any open credit or debit account is at some risk of unauthorized use, no matter how new/old, level of activity, usage patterns, etc.
2. It's comforting to have anti-fraud heuristics and other mechanisms watching your accounts, but it's still the cardholder who is primarily responsible to monitor his/her accounts.
3. Enable text/email alerts and do a regular review of all open accounts to check for any surprises before the closing date.
4. With regard to Critterlynn's point ("By trying to ensure continuity, they are creating more problems than they are preventing."), I think I agree. I would rather take this responsibility myself, trading convenience and built-in continuity for the certainty that I have handled each recurring payment.