I reached out to them to get a refund for my Car Thing - and they actually sent me an email asking for my checking account number and routing number to be sent to them VIA EMAIL. And presumably into their ticket system where future hackers will find a nice collection of financial info.
Thanks for reaching out to us via messaging. Your case has been escalated to the highest tier of Customer Support here in Spotify. All communication within this email thread will be from the Escalation team from now on.
We can see that you've already sent a proof of purchase via chat. About refunding, please share the following details with us:
- Bank name
- Bank Location
- Account Holder Name
- Routing & Account no
- SWIFT
- A screenshot of the required bank details on your online banking or bank letter (if it's possible).
Make sure to hide any sensitive payment information like your full card number for your security.
We'll keep an eye out for your response so we could sort this out.
> they actually sent me an email asking for my checking account number and routing number to be sent to them VIA EMAIL
Is that an actual issue with US accounts? Over in EU it's common to publish your account number (IBAN) and routing code (BIC) on your website, letterhead, and obviously on bills you send to customers so they can pay you.
They should only be able to send you money, not use it to request money, right?
This isn't the reason why. Spotify has been a major player in the U.S. music streaming market for a long time. They have their own offices here, and these kinds of decisions are surely made domestically.
The reason for this is simply incompetence. They were given the order from leadership to discontinue Car Thing to cut costs, and they are given a short deadline with no options for extending or unlocking the hardware. Spotify's Lawyers don't see any way out of that issue, and also see liability for having discontinued a product so quickly and with such short notice, so they recommend to the Accounts team that Car Thing customers can opt-in to a refund, and that should indemnify Spotify from any disputes.
So the Accounts team gets this new recommendation from Legal, with an even tighter deadline than sunsetting Car Thing, where customers are entitled to refunds on-demand if they bought one. Requests come in immediately, and there is absolutely zero process in place for actually issuing refunds for this, so the Accounts team works directly with the Finance team and figures they can just wire refunds directly to customers, which the Finance team is happy to do if they are provided a spreadsheet of account/routing numbers.
Nobody in the process of making these decisions has any understanding of the risks; they just move to actualize what leadership asked them to, doing as little work as possible to meet the deadline. The result is refund requests arriving before any refund process has been established, and so the process is invented on-the-fly without any regard to best practice.
Tl;Dr: Discontinuing Car Thing was a hastily made decision that was announced before the company had done due-diligence, and now they are dealing with a disorganized response.
SEPA Direct Debit is a thing here in Europe as well, this is why we could live just fine without credit cards for so long. We instead had our local variants of what y'all call ACH and a few cooperation networks, that got unified as part of the EU-wide SEPA rollout (must have been something like 10 years ago). Now you can do money transfers to and from the entirety of the EU between all banks, if you pay a bit extra most banks can actually do real-time nowadays. If someone does direct debit fraud with your account number, you can claw back the money just as easily as you can with a credit card.
The only problem remains card-based POS transactions... unfortunately, MasterCard and VISA spent shit tons of money on lobbying to make sure people would finally all converge on their standard instead of an established domestic one, their closed network where these fuckers could finally get a chance at getting their cut from the 448 million EU citizens.
Oh man this would fix the most annoying and terrifying part of bank transactions in the US (IMO). Instead, we have a million third parties that help ease the situation, but all take a cut, so some services make you use the original method.
Nope. My utility company and also Verizon withdraw from my checking account, and all they needed was the account number, routing number, and my name. No further verification.
For that reason, I have two checking accounts, and don't keep large sums of money in the account I use for payments.
Only businesses can create SEPA Direct Debit mandates, and they can be blocked easily and refunded at the initiative of the account holder no-questions-asked within two months.
Spotify is a European company. Here it's normal to send people your bank account number, you put it on invoices, on your company website, etc. I assume someone who invented this process assumed this is normal everywhere (I learned today that in the USA it isn't).
Spotify Technology S.A. may be headquartered in Sweden, but all business in the USA is conducted via Spotify USA Inc, which is a US company headquartered in the World Trade Center in New York City.
It is completely understandable that someone like you who doesn't live or work in the USA wouldn't know how sensitive a Bank Account/Routing number is here. If you exist in a modern banking system with proper security, it is easy to assume that the rest of the world works the same way.
However, there is absolutely no excuse for the decision makers at Spotify here in the USA not to understand this.
There was a poll with probably more signatures than that for adding "swipe to queue" to Android that they sat on for years until they finally implemented it.
I bought one of these for $25 back then hoping someone would create something sweet with it. Well, it's still in the box; no cool hacks had been released last time I checked. I believe the thing barely has any RAM.
Car Thing is just a Bluetooth remote control for Spotify or other audio applications. The music still comes from the phone - to the car's speaker system via whatever method your phone is connected (Bluetooth, aux jack, etc.).
If that's really what it is then why does it matter if they won't be made anymore? There must be more to it such as always online DRM service also closing.
Nobody cares that it isn't being made anymore. People are upset that their already purchased devices are being turned into paperweights because they won't maintain the online infrastructure they required to use it. It's wasteful and unfair to the people who bought it and should not be allowed legally.
Yeah I understand that. That wasn't my point. If it was just a "bluetooth remote control" as the GP describes it why does it stop working when some remote service is turned off? It clearly isn't one.
I've really enjoyed using the Car Thing in my 14-year-old Mazda CX9. My car shows no signs of failing, so I don't anticipate replacing it anytime soon for one with CarPlay.
The Car Thing is so much more convenient than unlocking iPhone with my face, opening Spotify, futzing around on the phone to change songs or playlists or whatever. And it's easily accessible to my passenger. It's a far better interface than phone for use in the car! It's one of the main reasons I haven't switched to Apple Music which is bundled with my cell phone plan. I guess Spotify just wants me to go to Apple Music.
You don't need to spend that much, especially if you DIY the install. I installed a cheap Linux based head unit (ATOTO F7 WE) in my wife's old commuter car last weekend. $180 Canadian for the head unit, $25 for an aftermarket wiring harness adapter. Took a few hours to splice the harness together and install the head unit in the dash.
The head unit's software is definitely a little janky, but it doesn't really matter as all she uses it for is CarPlay anyway. It even supports wireless CarPlay so she doesn't need to take her phone out of her work bag - our brand new Kia with an expensive infotainment system doesn't even support wireless.
The people who are unhappy about only getting 2 years of service out of an $80 investment are probably not the people who are giddy about only spending $2,000 on a new radio for their car which will be practically worthless once it is installed.
I wonder if their CISO or security team is aware of this. I reached out to the address found in https://www.spotify.com/.well-known/security.txt
Here is the response I received:
Hello there,
Thanks for reaching out to us via messaging. Your case has been escalated to the highest tier of Customer Support here in Spotify. All communication within this email thread will be from the Escalation team from now on.
We can see that you've already sent a proof of purchase via chat. About refunding, please share the following details with us:
- Bank name
- Bank Location
- Account Holder Name
- Routing & Account no
- SWIFT
- A screenshot of the required bank details on your online banking or bank letter (if it's possible).
Make sure to hide any sensitive payment information like your full card number for your security.
We'll keep an eye out for your response so we could sort this out.
Kind regards,
XXXX Escalations Team - Spotify Customer Support