A Matter Of Trust?

cameloid asks: "I've been ordering stuff from a couple of U.S. Web sites now (I live in the UK), and was a bit dubious about credit card security at first. However, it was always the case that I was worried about getting my details stolen or something. Last night I was browsing an interesting site looking for some anime ("Captain Tylor" out on DVD?), and naturally checked to see if they would deliver internationally. Now, they wanted proof that the credit card details I sent them really belonged to me, in the form of a photo of me and a photo of my credit card (actual size I suppose). Now this doesn't strike me as being of much use to anyone and got me thinking. As I'm already an established customer on a couple of other well known e-commerce sites would it not be possible to get some kind of referral from these sites, saying that I'm a worthy customer? What would the implications of this be?" I've been seeing lots of really pointed questions about e-commerce sites lately (this site being the latest entry on that list) and I'm wondering how much information a company really needs before they can do business with someone and what kind of information a person can legitimately withhold. Would such information sharing between commerce site be something that would benefit consumers or are there privacy issues here that we should be concerned with?

A photo of the card?

[subtraho]

That sounds like a lot more security than is necessary. I think that the card companies themselves should have that kind of service, or offer a special "online-only" card.

Re:A photo of the card?

[powderhound]

That sounds like a lot more security than is necessary. I think that the card companies themselves should have that kind of service, or offer a special "online-only" card.

To me as well. Seems that with a copy of your credit card and an photo ID, they could also do some devious things.

Re:A photo of the card?

[darkith]

With a crappy faxed photocopy of a CC (which they already have all the information off of) and a driver's license? I doubt it. It's just a way to try and prevent somebody from snooping a number & name off of a transaction and using it anonymously...similar to stores which only ship to the billing address of the card.

Re:A photo of the card?

[Masked+Marauder]

Sounds suspicious to me. I've never had anyone request a photo of me or my credit card over the network before. I'm suspicious that they wanted the pictures for nefarious purposes.

Besides, it doesn't offer any additional security; it won't work. There is no way to know that the picture I sent was of me or, if it was me, that the name on the CC belongs to me.

Beware of people demanding irrelevant information.

What site was this, anyway? I'd like to pay them a virtual visit.

Re:A photo of the card?

In Australia, the banks are refusing to do bank to business credit card transactions with credit card numbers that come from the internet. I can hook up my EFTPOS to the bank - no problems, but as soon as information comes from the internet, I need to pay another company to transmit between my server and the bank. If the situation is anything like this in America, I could see some pedantic bank finally allowing business to bank transactions if accompanied by a photo of the buyer and their credit card. It sounds like bureaucracy gone mad (with power) again to me.


Does anyone know my /. password??

Re:A photo of the card?

[XyouthX]

This has happened to me a number of times, only when dealing with US companies though and only when having items shipped overseas. Everytime they demand a faxed copy/picture of my card+ID i cancel the order though, it's just plain silly.

Re:A photo of the card?

[Masked+Marauder]

Yeah, but how do they know the photo is a photo of the buyer? I could use the boss's picture so if the card triggers any alarms it'll be his mug on the post office wall, not mine.

Its either really dumb, or really nasty. I can't imagine a legitimate use, let alone need, for a photo from the buyer.

Re:A photo of the card?

[dch111]

Lets see, a copy of your credit card , a picture I.D. ,Hum, If I had a copy of Photoshop 5 , a truck load of plug-ins and little free time , I wonder what I could come up with? This sounds like a better fantasy that the one about the Queen mother , the purple Tu-Tu and the Jet Ski, Oh , I wasn't suppose to mention that , was I?

Hurry

[sredding]

Customer referral sounds like a great idea. You should patent the idea before Amazon gets a hold of it.

so don't buy from them

[Splork]

If a site makes it impossible to buy from them because they want unreasonably verification, then don't. They'll feel it. If you're worried about them feeling it, write them an email telling them that you enjoy shopping elsewhere.

Re:so don't buy from them

[paRcat]

Amen!

Companies need to get their act together when it comes to Credit Card acceptance. I was recently at a site that wouldn't allow you to buy with a card that had an expiration date after 2003! I mean, come on! And it's staggering to still find sites that expect you to enter you info including card number on an insecure page.

If they don't make it easy to order from them, let them die. Survival of the fittest!

Re:so don't buy from them

[Malc]

I don't think that they will. The US economy by itself is large enough to support these companies. For a lot of companies international trade is insignificant in comparison. Judging by the numbers of online traders who refuse international orders, there can't be that much incentive for companies... or maybe they're just ignorant of the potential.

Network of trust

[Signal+11]

Such a network would only be successful with a coalition of businesses. Businesses by their nature do not like doing more than the bare minimum to make money - hence the reason most e-commerce sites do not offer payment by money order or cashier's check. No, it must be a credit card.

E-commerce companies are lazy. Keep this in mind when trying to form any "trust network". In addition, you'll need to show a clear profit-making incentive for companies to participate - it makes no sense (business-wise) to work with another unless you make a profit. I don't believe such a trust network is viable anyway without a central authority - if any member of the network acts in a dubious fashion it will be publicized, and companies will be less interested in joining due to bad PR. In addition, without a central authority you have no ability to remove bad elements from the pool. Just my $0.02.

Re:Network of trust

[lbrlove]

Agreed, companies are lazy, and somewhere in the mix, someone will probably be irresponsible (or greedy) with the info.

I think there is a profit mechanism in there somewhere via the referral network (I work in a heavy referral industry where real money-making potential exists). Despite that, the FTC regs would probably be prohibitive since credit cards are involved in a substantial way. In any case, the fastest way to keep something from happening, good or bad, is to mention the L-word ("litigation").

-L

Re:Network of trust

[SgtPepper]

Ah, but there is one thing you fail to hit on. Companies will do just about ANYTHING to attract business. Even if it means, ugh, cooperation. Even better, have a centeral authority that utilizes something akin to a PGP public key. You have a secret key with the credit card company. E-commerce site emails credit card company with the PGP key you provided them, credit card company emails you ( using your public key ) you email them back using a code ( provided in the encrypted email ) and viola, even better, provide a service that does this automagically. Companies pay you to be part of it. What's in it for the companies? Well hell, what's in the internet for most companies? It costs lots of money for a successful business on the internet. But convience attracts customers and customers spend money. If it's easier on the customers, rest assured you'll see more profits. That DVD site almost certainly lost a customer, and that is NOT very good for profits is it?

Re:Network of trust

[smillie]

What you are discribing sounds a lot like ssl authenication. Public and private keys authenticated by a third party. I'd love to have a credit card that worked that way.

Re:Network of trust

[jafac]

e-commerce companies lazy?

No shit sherlock! The whole point of e-commerce is to minimize overhead!

I just remembered this old Metallica song. . .

no good.

[gargle]

As I'm already an established customer on a couple of other well known e-commerce sites would it not be possible to get some kind of referral from these sites, saying that I'm a worthy customer? What would the implications of this be?

It sounds like a good excuse for companies to trade information about you.

Re:no good.

[freakyKruiser]

There is a very good chance that on any well-established site someone is collecting and sharing some form of the purchase information anyway. Just because a company agrees not to give away your name or email address, you can be sure that your credit card transaction is being recorded by someone like TRW. It is gonna happen. Sounds like a business opportunity to me.

When to draw the line

[LegacyMan]

I'm wondering how much information a company really needs before they can do business with someone and what kind of information a person can legitimately withhold

If they ever start asking you to send urine/semen/fecal samples who know forcertain that the line should be drawn.

Credit Card Replication?

[freddie]

It seems kind of interesting that they want a picture of your credit card.

Maybe they'll just print it out and replicate it somewhere else. Then they can go on shopping spree!

Re:Credit Card Replication?

[the_other_one]

Use the gimp or other such package to paste this weeks stolen credit card into the picture. you may have to edit the numbers on the card if you don't have the actual card but just got the numbers on-line. Also don't actually use a picture of yourself!

Blacklisted

[jyuter]

Once certain problem you have is potential blacklisting. That is, someone could start planting false negative data about you and therfore prevent you from making any on-line purchases.

This still would be useful for some sites, especially dealing in high-risk trade and could prevent credit card losses.

However, like all technology, this could be used for good or evil.

the credit card companies!

[JonahC]

Seems to me that the credit card companies should be responsible for providing a quick way to verify all necessary information about a credit card (via a web service of some sort) so that e-commerce sites can check instantly before they process your order. The credit card company who provides this first would obviously benefit from wider use, and e-commerce sites would gain business for not hassling their customers for their maiden name, blood type, pantyhose size, etc.

I sure wouldn't do it...

[seebs]

Sorry, but the only time I've ever sent a "picture" of a credit card was to a small business, and it was via fax; I killed the credit card a little later anyway. :)

Pictures of cards are not one of the things the credit card companies ask you to obtain, so I would assume it's a scam.

Give 'em your photo?

[talks_to_birds]

• Now, they wanted proof that the credit card details I sent them really belonged to me, in the form of a photo of me and a photo of my credit card (actual size I suppose).

I wouldn't go for that in a heartbeat.

A photo of you and a photo of your credit card could be turned into a false ID and a fake credit card in moments.

Don't even think about it!

t_t_b
--

A common system should be established

[acecccp]

I myself have the same problem when I see things I like on foreign sites, and am afraid to order from them because I'm afraid they could misuse my cc number, and there would be nothing I could do about it, short of suing them overseas. I think there should be a third party between the site, and my credit card company.

Perhaps it should be a "reputable" server, where I establish an account, with physical information, kind of like registering for a drivers license, that asks me for my password and the account number of the e-commerce site, and the amount i want "wired" to them. In response, the commerce site sends me my stuff.

I know there are privacy issues involved in this, but imho, there are much more benefits.

Re:A common system should be established

[B.+Samedi]

Something like a escrow would work for this. Essentially a third party (trusted by both parties) recieves your payment plus a small handling fee and then holds it until the product arrives. Then they pay the manufacturer or retailer or whoever for the merchandise and ship the product to you. E-Bay already uses this to help people who use their auction services. It's only a matter of someone setting up a business that everyone would trust to handle their matters and not skip with the payment and the product.

Re:A common system should be established

[remande]

For the record, US Federal law prohibits a merchant from charging your card until they ship the product (when it leaves their door, not when it arrives at yours). If they have your money and can't prove that they shipped your product, they are in deep legal kimshi. This law protects you from a merchant not shipping your product. The "auth" system described below protects the merchant from you ordering something, then maxing out your card before they ship it.

When you place an order, the merchant sends an "auth request" through their credit card people. The CC guys do any fraud screening the merchant might want done (verifies that the card is real, not expired, not past due, etc.), and verifies that there is indeed "room" on your card. It also puts a lien on your credit card for the amount of the purchase. The merchant gets an auth code back, unrelated to the credit card data, so that they can wipe the credit card data (think of the auth code as a credit card magic cookie). This whole auth request/auth return takes place in real time (which is why you can get "credit refused" while placing an online order--the auth came back negative). You don't pay for the lien, it doesn't show up on your statement, but it is there and it lowers your effective limit. If I have a $5,000 limit on a card with no debt, and I order a $3,000 laptop, there is only $2000 in "real room" on my card, though I am not officially charged yet. That $3,000 is earmarked in the lien to guarantee to the merchant that they will get paid when they ship the laptop. In the meantime, I will get an "over the limit" refusal if I order another $3,000 laptop before they ship the first one and I pay down my card again.

For the record, auths do not last forever. I belive they go piffle somewhere between 30-90 days if they aren't redeemed.

When the merchant ships the product, they look up that auth code that they got, submit that back to the credit card people, and redeem the auth ("I have auth code 34908792 for $3,000. I shipped the goods. Pay up". The money gets automagically credited to the merchant account.

Re:A common system should be established

[godefroi]

I don't think so... It's too much of a pain, and if delay is incurred, then it's a problem. I can already go down the street to the store and buy whatever I want, so adding more delay only increases the problems that I have with e-commerce. There's an easier solution: if some e-commerce site rips me off, I reverse the charges. Easy.

Always Withhold your Social Security #

[SetupWeasel]

You NEVER need to give your social security number when you are purchasing something online or otherwise. Not even when paying with checks, not even if it is your "student #" as well.

Anyone who has the right to ask for your social security number is *required by law* to give you documentation that they have this right and can withhold items or services until you give it to them.

This is very frequently abused especially by universities and the areas surrounding them. Put your foot down.

Re:Always Withhold your Social Security #

[bribecka]

I am just curious, what real evil could come of someone having your SSN?

Re:Always Withhold your Social Security #

[darkith]

I've heard of it happening. People have gotten these numbers (Social Insurance Number here in Canada) and gotten appropriate documentation to support their fake identifications. Then the orignal owner spent years fighting off CC companys, governments, collection agencies before being able to set everything straight. That's the scary part, the burden of proof goes upon the person's shoulders...if they can't prove it, they lose!

Re:Always Withhold your Social Security #

[SnatMandu]

Try calling your favorite credit card company and doing ... well anything. How do they verify it's you on the phone? "What are the last/first n digits of your SSN?" That's how.

Also, a SSN is a pretty good starting place for developing a nice false identity. Pretty easy to get a birth certificate. With that and a SSN, you can, er, go places.

Re:Always Withhold your Social Security #

[zantispam]

Well, let's say your SSN is 123-45-6789.

First things first, I need a card. So I go to my post office and grab a request for a replacement social security card. It want's a copy of your birth certificate. Well, I can match up the SSN to a name pretty easy (trivial if I know what state you live in, even easier if I know what city). All I have to do is call the DMV and say that I'm in HR for the Yoyodyne corp and I'm doing a background check. I need to verify this SSN as belonging to Joe R Public. Oh, it's not him? Who is it?

Bingo. I have your name and your SSN.

Call the county courthouse and ask for a copy of your birth certificate (I'm doing genological research on my family). Weren't born there? Where were you born?

Bingo. I have your name, place of birth, and SSN.

So I call up the county courthouse where you were born and ask for a copy of your birth cirtificate (using the above story). It'll cost me, like, $1.50.

Bingo. I have your name, place of birth, DOB, DL#, SSN, social security card, parent's names, mother's maiden name, and just about any other piece of information that I want.

Hrmmm, let's go shopping, shall we?

Better yet, let's get some warrants out for your arrest.

Hell, let's go all the way and start getting your mail, your paper, your pension, your 401k, your health insurance, your life insurance, a job in your name...

That, my dear bribecka, is what I can do with a SSN.

Here's my copy of DeCSS. Where's yours?

Re:Always Withhold your Social Security #

[edp]

Anyone who has the right to ask for your social security number is *required by law* to give you documentation that they have this right and can withhold items or services until you give it to them.

This is false. The Privacy Act, Public Law 93-579, requires "Any Federal, State, or local government agency" to inform the requestee whether "disclosure is mandatory or voluntary, by what statutory or other authority such number is solicited, and what uses will be made of it." The relevant part of the law is codified at 5 USC 552a, Note 7 (b). To my knowledge, no federal law imposes any similar requirement on non-government parties, and very few states do.

Re:Always Withhold your Social Security #

[finkployd]

Herritage Oaks, an apartment complex in State College, PA requires not only your social security number, but also both your parent's SS#s (if you are a student).

Outragous? Yes. Violation of federal law? Yes
But how many students who need housing (they are pretty inexpensive) are going to take the time to fight that.

Finkployd

Re:Always Withhold your Social Security #

[CaptSwifty]

In another part of this thread, this was also mentioned. Government agincies HAVE to provde you with documentation on how it's going to be used. Private business doesn't, and if you don't want to give it to them, they don't have to give you an apartment. I am very reluctant to give my SSN to a business, but I do tend to trust government agincies.

Vendors just passing on Credit Card Company buck

[warmcat]

A couple of months ago all the major credit card groups including Mastercard and Visa imposed a new law on companies generating a high level of chargebacks. If more than 1.5% of your transactions are charged back, usually through fraud, then you have to pay large financial penalties to the credit card company.

I dare say the very large online companies like Amazon and so on have different terms, but that is how it is for the smaller companies.

As someone who had my company credit card details ripped off and used by some prick in Indonesia to order ''Buffy the Vampire Slayer'' merchandise from a US-based website, I don't think it's such a bad thing. But really the Credit Card companies should be providing crypto to the customer in the form of so-called smartcards rather than squeezing the vendors.

-Andy

This is what is behind the tightening of

Distributed Trust?

[Threed]

To get a set of keys for a secure page, I needed to send in proof that I owned the domain and that I had the right to own the domain.

Had to delve into the company records to find state certificates for the business's name. Painful.

Distributed trustworthiness... Some sort of "Well, no one else has been burned by accepting this CC#" algorythm? That leads to databases and privacy violations. What if I don't want my CD retailer knowing that I bought a box of sex toys last week? Or that I bought ANYTHING from certain businesses?

The credit card is the best defense, both for the seller and the buyer. Most businesses will only ship to the address on the card. If you receive goods you didn't order and suspect fraud, the CC companies have policies for dealing with it. You can also dispute charges for things you never received.

The photo can be faked. The scan of the card can be faked. CC#s can be stolen (I'm sure that shoulder surfing still goes on today). The system has been dealing with this for a long time.

--Threed

The Slashdot Sig Virus was foiled before it could spread.

Re:Distributed Trust?

[DrSkwid]

addresses are not printed on cards in this part of the world.

In the UK the only thing known about a card holder that you use is the card number & expiry.

That's it

anything else is just bogus anyway

"You want my address. Well I've got two houses, what use is that?"

"Here's my photo. Of course you didn't see me have it taken"

I've personally been asked to fax my signature as some sort of proof before.

People are clueless and easily fooled because they want to trust you.
.oO0Oo.

AMEX Blue Card

[captaingoodnight]

What about the AMEX Blue card? Shouldn't the smart card reader solve this problem if the site supports it?

Visa and MC already have started fixing this

[BranMan]

Visa and MC now have some extra digits that are only written on the back of the CC, not embossed or shown on the front.

The idea is for internet companies to ask for these extra digits when people order stuff online, as a way to verify that you have physical possesion of the card.

American Express has their own solution - the "blue" card has an embedded chip, then with a reader hooked up to your PC you actually 'swipe' your own card.

Again, this is to prove you have the card in your hot little hands, not a carbon off a receipt.

Re:Visa and MC already have started fixing this

[mandelbaum]

how does having extra digits make it harder to steal? it's just like a longer CC number. the sites will still need to keep all the numbers if they wanna do anything like easy checkout or recurring billing.

-aaron

Re:Visa and MC already have started fixing this

[remande]

Since the extra digits are not embossed, they don't show up on the carbon receipts they use at face-to-face places. This means that someone needs posession of your card to use it over the phone or online.

Without that, someone can go dumpster diving at a department store, come up with a bunch of carbon paper that have been thrown out, and have enough information to use your card over the phone.

BTW, if you use your card someplace that actually uses carbon on credit cards (the big clunky things that make the "kachunka" sound when they run it over your card), there are usually three sheets--your copy, the store copy, and the carbon paper. Ask the cashier for the carbon paper every time, and you protect your card a little bit more.

Re:Visa and MC already have started fixing this

[Zan+Thrax]

or, they could just write down the four extra numbers on the back when you hand it them at the restaurant...

Re:Visa and MC already have started fixing this

[CaptainZapp]

the big clunky things that make the "kachunka" sound Have we been reading Don Martin 'til late at night, again ?

Passport?

[Blooble]

Isn't this what Microsoft Passport's role in life is? A common place for security info to be held so that 'partner' sites can verify credit card details, etc?

Re:Passport?

[Malc]

I thought that the "Microsoft Wallet" was only for storing your details. These details could then be transmitted in a "secure" manner to a server (saving you the effort of entering the information at every site you want to make a purchase from).

Bizzare!

[Ron+Harwood]

A picture of you with your credit card?

Heck... let's see... I'll just take a picture of myself with my credit card - change the name, number and expiry date wit a good graphics editor - and wham... a pointless exercise in paranoia is proven insecure.

Is this because you are ordering internationally? Maybe they just want to see if you would do it... "Hey look at this joker... let's put him up on the wall - and order some pizza on him too!"

I'm sorry, anyone who came up with this idea has their head up their @$$.

Re:Bizzare!

[cameloid]

Yup, that's pretty much what I was thinking...

Privacy Issues

[Uruk]

In an e-commerce world where companies are dying to know every last detail about you so that they can show you the banner ad that is most likely to get you to bite, I think it's fair to expect privacy problems if you get companies that have had previous business dealings with you to cooperate and 'share notes'. It seems like asking for your privacy to be invaded to me.

I'm not even quite sure why they would require the type of authentication that the poster is talking about. Even if it's straight credit card fraud, the company that ships the product still keeps the sale dollars, it's the credit card company (or the consumer) that eats the cost of the fraud. It seems that if companies don't have a problem with people complaining about them taking any credit card that is presented to them that they would do just that - why put extra hurdles in the way of a consumer, or make it less likely that a sale will actually be made?

As for the privacy though, I don't trust any company further than I can throw them. Companies are about profit, and when the concept of 'profit' coincides with my interests then the company will make me happy. But when somebody's idea of profit suggests that it might be a good idea to dig into my past purchases and compare consumer notes with another company in the name of "verification", it's pretty clearly not going to serve the customer's best interest.

If they HAVE to do this, it might be SLIGHTLY better to ask the credit card company for info rather than somebody else you have bought from. (i.e. when you dial up the company for card confirmation, have a way of digitally asking the question "if this purchase goes through, would it send up some weird red flag on this customer's account?" or something similar). Not that this would be good either, far from it. It seems like it might be slightly better though.

Re:Privacy Issues

[tiwason]

Even if it's straight credit card fraud, the company that ships the product still keeps the sale dollars, it's the credit card company (or the consumer) that eats the cost of the fraud

Wrong.... that would be the merchant taking it up the rear for the fraud.... only cost to the credit card company is the time it toakes to take the $$$ back out of the merchants bank account.... oh wait.. thats what the $10 chargeback fee is for....

I'd be wary

[hargettp]

Especially the bit about requiring a photo of your credit card. Some US domestic sites, when using a bank debit card, will ask for 4 additional digits that are found on the back of most such cards. If one were to send photos including the card's back, this would make it easy for someone to impersonate you (if the site was bogus).

I'm not sure how legitimate such requests for "proof of credit card ownership" really are, the card companies (Visa, MasterCard) tend to have all sorts of rules in their contracts with vendors. For example, in Thailand, I had a travel agent charge me a 2.5% processing fee on a airplane ticket, even though that was against Visa's regulations for vendors, and part of their contract.

Who knows? Maybe asking for photos like this really is allowable by the credit card companies, and perhaps its justified. However, the whole point of a credit card is that the credit card issuer assumes the risk of non-payment in each transaction. Why should a merchant overly much who you are?

Of course, the rules of identity and proof thereof have changed, and perhaps the credit card companies haven't caught up.

</diarrhea of the mouth>

Privacy

[yuggoth]

To create such a "web of trust" the participating firms will have to share information about the customer. What better possibility to also create profiles for targeted advertising? IMO, the only possibility for customers to have their privacy respected would be an independent organisatiton restricted by law not to share any more information than absolutely necessary, which collected the credit information about the customers. IIRC, there are organisations like this in some countries, e.g. the german SCHUFA (although this one has information about your credit worthiness, not your actual credit card data...)

But if I where you, I would just shop somewhere else...:-)

Re:Privacy

[yuggoth]

There could either be an international treaty to introduce more or less the same law in all participating countries (quite unlikely, IMHO), or just one credit "meta" organisation per country. I am not an expert in e-commerce, but I think that most people tend to buy stuff in their own or a neighbouring country - less trouble if you have complains about the delivered goods. In such a case it could be sufficient if only firms in one country exchanged their customer credit information.

Frightening way to put it

[FascDot+Killed+My+Pr]

"...what kind of information a person can legitimately withhold."

In the US anyway, I can withhold any information I want. I find it frightening that we've gotten to the point where we unconsciously equate business with government (which CAN demand information).

You are under NO legal obligation to provide ANYONE ANY information (except the gov't). Of course, businesses have policies and may refuse you service--in which case you go elsewhere. Although even those companies that claim to have policies usually waive them if you refuse.

For instance, I became a "member" at a video store recently. She was asking for information and eventually got to "Do you have a work phone number?". Luckily I had seen that question coming up on her computer and had an answer ready: "Yes, but I don't think you need it." She skipped that one.

On a previous occasion at a different store they actually asked for my Social Security #. I was so taken by surprise that I actually recited it without thinking. Won't be doing THAT again.
--
Have Exchange users? Want to run Linux? Can't afford OpenMail?

Prove what?

[brown_out]

I don't see how a photo of you would prove anything to them. It just shows you are a real person and not some figment of their imagination. Even a photo of your credit card is pretty dubious since there are many tools that can make a doctored photo look realistic.
I would think the best form of verification is that, if they really want to see you are who you say you are is to call you. That information is readily available. They may not want to get bog downed in calling all the "questionable" customers, but is that really any less hassling than looking at all the pictures of people you thought were questionable?

they already do

[DGregory]

Well if you noticed, most online companies that require credit card info also ask for billing address. So if someone takes your credit card, they may or may not know what the billing address for the card is. Asking for the expiration date makes sure that you have the card (since statements don't have that on there).

But even with all those precautions, people STILL can get your info and use it. I have had problems with this myself, and it has been hell and stressful to find out that someone has been using my information. Someone in Cleveland used my information to get a cell phone (which when I provided writing that it wasn't me, they did not hold any claims against me) and then, 7 months later (even with the credit fraud alert on my credit) they managed to get a landline phone and a couple more cell phones from a different company. Again, they didn't hold this against me, however I was under false impression that I could find out who did this and get them arrested (land line phones are connected to a house which is connected to people who live there). I couldn't get any info from the phone companies to give to the police, so nothing came of it.

Just be careful with your information, especially on the web. If this can happen to me, it can happen to anybody. It didn't deter me from using online banking and using my credit card on secure sites (since I don't think these criminals got my info from the web since they are in the same state as I am) but it sure is something to think about.

Re:they already do

[kels]

For buying from US companies when you have a US address, the billing address is usually used as proof. But there are a lot of companies that won't let you use a credit card issued outside the US, or even a US-issued one with an international address, because of this verification scheme (they have no way of doing it if it's not all within the US). So much for the global economy. I assume that this request for a photo is an attempt to verify that you have the card. Sort of bizzare, but at least there is a way to make the purchase. Many US companies wouldn't let this guy make the transaction at all, because he has a UK billing address.

I found this a real pain in the ass for dealing with US companies while I was living in Europe last year. I couldn't even order things to be mailed to a US address, because my credit cards were all billed to a foreign one. Amazon.com was one of the few companies that had no problem with this.

I don't trust any online company.

[jmccay]

I don't buy stuff online. The more I learn about online purchasing--the less I want to buy online. Whose to say what information they need, keep, and what they will do with this informaiton of mine. Another point, most store clerks (non-online) don't bother to check my drivers license when their is a quesiton about the signature on a credit card.
With all of the latest laws and violations of online privacy by big companies that has been happenning, I don't see a reason to trust them.

Of course the most obvious reason is because it gets me away from the computer screen, and it provides "social" contact for an introverted geek like myself. :)

Re:I don't trust any online company.

[mrzaph0d]

i have a bank checking card, have never signed the back of it, and have never been asked for my ID. I was amazed (after all i'd been told about how secure it would be) that no one would check to make sure i was really the right person.

on another note, the other day i went to cash my paycheck at the bank it was drawn on. i whipped out my two forms of ID, my drivers license and my SS card. d@mn if the teller doesn't tell me that the SS card isn't a valid form of ID and then proceeded to ask if i had maybe a business card instead....ug...
"Leave the gun, take the canoli."

Re:I don't trust any online company.

[cameloid]

The only things that I buy online, are those that are unavailable in my country. For instance, there aren't too many anime DVD's readily available in the UK.

That means that if I _really_ would like something, then I have to purchase it from another country.

Even then, I usually look for advertisements on a company in "reputable" magazines, references to them online, and try to find someone else who has bought from them.

Other things, such as books, I usually research online, then go down town to the book shop ;-)

Re:Hurry, really

[fawlty]

Patenting the idea sounds hilarious at first, but I wonder if it really is patentable, and thus could be an effective way to keep companies from actually doing that? Are there any other privacy-damaging schemes like this on the horizon that could be prevented through preemptive patenting?

In general, I'm against using patents for denial, but imagine if someone patented DoubleClick's banners first, and set a prohibitive licensing price.

My experience...

[Malc]

Some web sites are really picky about credit cards. I have two CC's from when I lived in the US. Since I moved, I had the billing address changed: it's now Canadian. In my mind these are not international CC's when used in the US, but many places don't treat them that way.

Some places are quite happy to ship internationally. Some do it with huge charges, some just plain refuse, and then there are those that make you jump through hoops by insisting on you faxing them copies of this that and the other, and waivers, etc.

Why it should be so hard, I don't know. Don't systems such as Visa ensure that merchants will get paid anyway? I can't believe how many companies will not ship to Canada, what with the economies and cultures so well integrated these days (oh!: 'dem be fi'ting words up here). Perhaps couriers such as UPS turn around and bill merchants for brokerage fees, etc when there are problems?

As for DVDs: the last DVD I ordered from Bigstar.com before I left the US seven months ago is still in lala land. They sent me the VHS version, which I returned, not leaving enough time for them to send a replacement. After battling with them, I arranged delivery to a friend who I was planning to visit in February. Of course, the credit card that I had on record had expired and been replaced by then. Now I can't get them to ship or refund as I'm now an international customer without a domestic CC (as I said above, it is domestic, but with a Canadian billing address). I wish those guys had a telephone number I could call.

Advice: don't order from somewhere without a telephone number for customer support. Email support in my experience for anything more than something trivial is a joke.

Re:My experience...

[fsck]

I am a Canadian living in BC, and I have a credit card in my name. I have ordered quite alot of stuff from the US, from thinkgeek, walnut creek, linuxmall, and some hardware sites. On your memorial day weekend, I placed an order for a k6-2 333 that would upgrade an old tired socket7 system. The cpu I found from pricewatch, and man it was a deal. The online order form even had zip/postal code and province/state options. Cool!
Tuesday I got a call from a girl of oriental descent stating that "Credit card must be in US"
Well since I'm Canadian living in Canada, thats going to be tough. "You can send money order".. wtf online ordering is cool because it is so fast and simple with a credit card. I tried to explain that the currency issues are handled transparently by my credit card and that I have ordered from the US before. No dice, I ended up cancelling the order.

Re:My experience...

[rjyanco]

1. As for DVDs: the last DVD I ordered from Bigstar.com before I left the US seven months ago is still in lala land. They sent me the VHS version, which I returned, not leaving enough time for them to send a replacement. After battling with them, I arranged delivery to a friend who I was planning to visit in February. Of course, the credit card that I had on record had expired and been replaced by then. Now I can't get them to ship or refund as I'm now an international customer without a domestic CC (as I said above, it is domestic, but with a Canadian billing address). I wish those guys had a telephone number I could call.

<Jiminy Cricket>When you wish upon a star...</Jiminy Cricket>

BigStar customer service is 1-888-865-9991. There's a canonical list of online DVD retailers' customer service phone numbers here.

We need privacy legislation first

[lutter]

The big problem with ecommerce is that privacy laws in the US are very, very weak. Database Nation by Simson Garfinkel has a very nice description of why the US considered privacy legislation in the 70's, congress came up with recommendations and failed to pass laws based on these recommendations. Most European countries did, though.

The recommendations, and the legal situation in most European countries, are:

• Tell people what information you are going to store about them.
• Do not share this information with others unless people give you permission to do so.
• Everybody has a right to know what information you are storing about them.

The lack of these kinds of protections in the US is what makes me very wary of using lots of ecommerce, since the situation here is more: give us as much information about you as possible, we will generate some more from your use of our service and then run with it. What scares me is the secrecy of the whole process, the fact that it is almost impossible to find out who is doing what with your data and how it will affect you in the future. Will raising a stink with Amazon.com make it more difficult for me to get a house loan in the future ?

Without privacy laws on the books, we are headed for a future similar to Kafka's Trial: companies make decisions about you based on information about you that is essentially secret. Until I as a consumer have certain rights to review my data and find out about it, I don't want those ecommerce sites to build a "web of trust" about my online shopping behavior. Don't give them any ideas.

Credit cards are not appropriate for e-commerce.

[TheDullBlade]

When people take payment with credit cards, they need a signature, or they don't have a leg to stand on if the purchaser later claims someone else made the order.

Credit cards were never designed for e-commerce, and really shouldn't be used for it.

One very interesting system is e-gold. They work by transferring precious metals from one of their accounts to another (in a large range of amounts, down to well under 1 cent). You don't need any special software, and pretty much anyone in the world can use it; also they only take 1% of each transaction, which is capped at $0.50 (yes, that's an upper limit, not a lower one). The only problem is that initial purchase of metals; basically you have to send in a check or money-order.

Actually, I haven't seen any other e-commerce system that supports micropayments and is actually giving worldwide service (though there are plenty in "trial" stages and others that serve one country or region). Can anyone point one out?

About the other part of the question...

[brother_b]

Since no one has mentioned this:
Capt. Tylor is not out on DVD. Yet. The dubs have been made now, but as for DVD, I don't know.

--

what a load of....

[davebooth]

Such BS. If they want to avoid problems they simply refuse to deliver to any address but the billing address of the card - which they can verify with the CC company - until you have established a track record with them. If any company tried to pull this on me my immediate response would be to remind them of this fact and if they still objected tell them they had just lost my business and go and purchase what I wanted elsewhere.
# human firmware exploit
# Word will insert into your optic buffer
# without bounds checking

How about PKI?

[Jonny+Royale]

What about using your Credit Card Company as a PKI providor? They would know who you are, and who the vendors are, and should be able to provide verification to both sides...
I man, what else is the interest & fees for, if not service?

Bloody stupid, these blokes are

[Kaa]

Now, they wanted proof that the credit card details I sent them really belonged to me, in the form of a photo of me and a photo of my credit card (actual size I suppose).

Amazing. And you didn't tell them to fuck off? You must be a really kindhearted soul.

In any case, they are waaaay out of line and, of course, breathtakingly stupid. I mean, what's to stop you from sending them a photograph of some random Joe Q. Loser and slightly-Photoshop-processed picture of a credit card showing whatever numbers you want it to show?

If I were you, I'd tell these guys that they are being bloody utterly ridiculous and that you'll be glad to see the survival-of-the-fittest principle demonstrated on them. I mean who would ever buy from them??

Kaa

Re:Bloody stupid, these blokes are

[CaptainZapp]

Of course, you're completely right here. But shouldn't we be using the GIMP to alter numbers on credit card photos that we send to stoopid buzinesses ? I mean this is /. after all..

What about THEM?

[Cosmicbandito]

The other thing to consider here is THEIR trustworthiness. Do you really know this website? I think they are forgetting one of the inherent traits of any business model. There is always a risk involved. You CANNOT completely eliminate risk from a business transaction. If they aren't willing to do business with you on your terms or at least terms you find agreeable, screw'em. Who are you? Where are we going? And what's with this handbasket?

Verisign

[war2k1]

It sounds like what is needed is a type of VirtualID, I believe that versign was trying to do something like this. How would it be done so that it was secure and worked across machines?

Would a model like the AmEx Blue work? A gov't issued ID with a smart chip that could be read by the computer to verify identity. That would be kind of cool.

On one hand, it would be nice to have one card with a smart chip that functioned as cash, credit and all forms of ID, but on the other hand it would be kind of scary b/c with all that in one place it would seem as though it would be easy and disastarous to steal something of that nature. But an interesting thought to be sure.

There's also the problem of hardware complaince with this type of thing... If you had one of these cards and coupled it with some sort of biometric, that would be nearly flawless and pretty safe, but putting these readers and scanners on every piece of computing equipment would be difficult and expensive. But I imagine that this would be just the type of thing that credit card companies, banks and merchants would jump on, it would cut their fraud costs to nearly nothing.

Anyone think it's feasible? (I doubt that it is....)

Re:Verisign

[gaudior]

A gov't issued ID with a smart chip that could be read by the computer to verify identity. That would be kind of cool.

COOL?!

COOL?!

Are you out of your friggin mind?!

Do you really want the government, any government, to have that kind of control and information about you? It's bad enough what they get data-mining already. This would just dig it all up an hand it to them on a platter.

--

The information REALLY needed

[e-gold]

Would increase with the expected value of the transaction(s).

I suspect credit card companies will always share as much information as
the credit card companies can get away with, but I'm biased as hell. ;^) I've
noticed _NO_ credit card brand that competes with the other brands WRT
privacy policy (I might be wrong, but I think I'd have seen one).
JMR

This Helps the Merchant How?

[SteveM]

Now, let me get this straight. You're in the UK. The store is in the US.

Assumptions:
1. You've never been to this store in person.
2. You're not famous.
3. They have no idea what you look like.

So what does providing a photo prove? If I was going to use a credit card fraudulently, I'd steal the card. Take a picture of Joe Random Stranger, and send them off to the merchant.

Until such time that there is an international databse of people's photos, this should work just fine.

So either these guys are clueless or it's a scam. I'd shop elsewhere.

Steve M

Re:This Helps the Merchant How?

[jafac]

it's probably so they can hand-off the photo to the police if the transaction turns out fraudulent, who cares if it helps pin-down the criminal? The fact that they're cooperating with the police probably also helps in their dealings with the credit card company, and/or insurance. The cops probably shitcan it all anyway.

I just remembered this old Metallica song. . .

Its pretty simple really..

[Rombuu]

I'm wondering how much information a company really needs before they can do business with someone and what kind of information a person can legitimately withhold.

Well, I mean they can ask you for anything they want. You don't have to give it to them, but they can ask. They are also under no obligation to sell to you for any reason though.

Me, I wouldn't give 'em anything except a CC # and shipping address. If they don't want to see to me without other info, there are plenty of people out there who will.

Were there banner ads?

[TheDullBlade]

I had an experience like that once, from one of those flakey retailers that makes their profit from advertising, not from sales.

Their attitude seemed to be, "We aren't making any money off of it, so who gives a damn? Actually we'd prefer not to sell you anything at all, please go back to the web site and look at some more ads."

And I thought aggressive upselling was annoying...

Violating Merchant agreement?

[lythander]

Credit card companies require companies to agree to relatively strict merchant agreements governing terms of their service. This nonsense may violate those agreements.

It's not uncommon for merchants to violate them -- anywhere you see a minimum required purchase to use a card is usually a violation.

I understand that everyone's just trying to cover their butt on this, Visa doesn't want to pay for fraud, neither does joe-the-e-tailer, but Consumers sure shouldn't be paying. We already pay larcenous interest rates, not to mention shipping and handling charges (did I mention that my wife paid 30$ S/H on a $150 bedspread? not including sales tax.) I think the consumer is paying enough.

To help prevent fraud, I just report my card stolen periodically. The company reissues with a different number. Couldn't we just have rolling numbers on all of them (a la secureID)?

Re:Violating Merchant agreement?

[remande]

The merchant gets stuck with the bill. Visa/MC takes no financial risk, since they're just providing the standard and IT structure, not fronting the money (that's why banks issue Visa and MasterCard cards--they are in the business of fronting the cash and risking that you won't pay your bills). The issuing bank takes the nonpayment risk--they lose money if they can't get you to pay--but the merchant takes the fraud risk. AmEx and Discover, since they are both IT and the bank (they front the money) take the nonpayment risk, but I bet merchants still take the fraud risk. Giving merchants the fraud risk makes a sort of sense--it gives them incentive to be careful who they approve.

There are Federal laws protecting the consumer from credit card fraud (you've read the disclaimers about how you are only responsible for so many dollars if your card is stolen). Strangely enough, these laws do not apply to debit cards (the ones that pull from your checking account). If someone steals one of those, they can suck your account dry (and maybe even negative), and even FDIC insurance doesn't protect you. You assume risk for debit card fraud. In a high-risk environment, choose the credit card over the debit card to protect yourself.

BTW, the minimum purchase restriction (I believe it's illegal) isn't a fraud protection--nickel-and-dime fraud is more risky than big-ticket fraud, and takes more effort. Some places have these restrictions because the merchant pays a per-transaction fee (not a per-dollar fee) for processing a credit card purchase. Given that, the transaction fee on a small purchase may outweight the profit margin and cause them to incur a loss.

Don't Trust Anyone...

[Dizzy49]

If anyone asked me for a photo of myself and a copy of my credit card, I would laugh, then report then right away. I don't think I've shopped in a real store in almost two years. I buy everything online. Yeah, it would be nice to have an online credit card of sorts, but until they come around, I'm stuck using my regular one, and my debit card. I have yet to be asked for a photo of me, or of my credit card. I have even ordered from Germany and France, and Japan a few times. I did have a few small problems where they said they were having problems verifying my card. On the back of my card I have a customer service number that I gave them. For my debit card, I gave them the phone number to my bank. I have seen more and more sites requesting "extra numbers" or the customer service numbers from the back of cards. I think that is an excellent way to go. I'm all about more security. For the record, two years purchasing online, and I've had only one fraudulant charge to my card, and they were caught. Idiots had it sent to their house. My company called me to verify since it was being sent 10 states over, and I told them no, and they contacted the authories.

Re:Don't Trust Anyone...

["Zow"]

I think it's important to note that you don't have the same legal protection when using a debit card as you do when using a credit card (at least in the U.S. unless they changed this recently). With a CC, the law says that you are only required to pay up to $50 of the disputed charge(s), and most CC companies waive that. With a debit card, the money is deducted directly from your account and the bank is under no obligation to repay you that money unless they can recover it (which rarely happens and takes a long time if they can). So if a theif runs off with your debit card number, they can empty your bank account and you're the one who can't pay the mortgage/rent.

This is why I refuse to carry a debt card anymore - not even an ATM card that can be used as a debit card.

For the record, IANAL. I was enlightened by this fact by Spafford himself back when I was at Purdue, so I trust it and haven't heard of it being changed lately.

-"Zow"

A simple solution

[Obiwan+Kenobi]

Shop somewhere else.

-----------
Obi

consider the retailer side

[ragnar]

I operate an online business and we deal with more credit card fraud than your average over-the-counter merchant. The fact is that it can be hard to keep fraud under control, and merchants are trying to find ways of discouraging the large majority of punks who find it easy to committ credit card fraud. Believe me, we take efforts to stop this. Over half of the time we nip it in the bud with a phone call, but now and then one slips through.

It is safe to say that someone who wants to committ fraud badly enough will succeed, but this stuff follows the same logic as a bike lock or a car lock. You try to create an environment where the would-be thief moves on to a simpler target. Merchants realize that fraud will happen... they are just looking for ways to reduce it, and the laziness of many theives is our best ally.

As far as asking for your photo, I personally think that is going a little far and I think it crosses the threshold of diminishing returns. It will probably decrease fraud, but it will turn off way too many people, as it has done for you. A courtesy phone call stops enough fraud and sends a positive image to clients.

Trust, and how to make it work.

[Delta]

Please don't take this the wrong way, but I think there is a bit of a misunderstanding here. The problem the site is faced with is authenticating that you, the unknown entity in front of a computer, is the owner of the credit card. They already trust the credit card itself, or could run a check if they felt like it.
Checking the relationship between the card and other web sites would really get you nowhere, as it would only serve to validate the customer quality of the owner of the credit card, and would not help a bit in validating that you (the entity in front of the computer) is the owner of the card.

One way to fix such a problem is to roll out a public key infrastructure, which would cryptographically link you to your credit card, and/or to your customer profile with another site.

Getting the banks to roll out such a system will take time, and it will be hard. Getting shopping sites to cooperate might be easier. This is something that will be mutually benefitial to all online shopping sites, so I can see no reason why even competing sites would not want to share information.

If a bigger site feel it doesn't gain anything by sharing with smaller sites, one could always set up a system where the smaller sites buy the information from the bigger sites.

There are obviously a whole bunch of privacy issues with such a setup, but this can be solved in a number of ways. The solution I think I'd prefer will only work if profiles are freely available, and the bigger sites doesn't want to make money from the profiles. The idea is that sites such as amazon.com can give me a certificate stating that I've been a good customer, they've never had credit problems with me, and I've never made much problems. This certificate would then be encrypted to my public key, and emailed to me. I could then forward it to new sites should they need to validate me as a good customer, and link me to any credit cards.

Such a system will have good side effects as well. Big sites will get new customers because the customers will then get certificates they know are trusted all over the web, and smaller sites will benefit because they can validate new customers much more effectively.

Also, there is reason not to implement this the other way around as well, by allowing customers to write certificates about the online shops. It will take time before this will work, because you need to build a web of trust, with which you'll in time be able to map a trust path to someone who has shopped at the web page you want to buy stuff from, and validated that he got the stuff he ordered.

With this model, you will be able to go to a really small, highly specialised shop on the web, and read good and bad reviews of the site, that people are putting their reputations on the line for provind the validity of the review.

Another possibel way of implementing such a trust system is for the big provider (amazon in our example) to hang on to the profile, and when a smaller shop (the fictional store "Gothic Music Inc") need to validate that you're a good customer, and possibly also that you really do controll a VISA card, it will send a request to amazon, after looking up your info in a public database of who had information about you, or searching the databases of sites directly. At this time Gothic Music Inc only know where one can gain information about you. Amazon now sends a request for information release to you, and you either ignore it, because you're not the one that contacted Goth Inc, or you sign it, return it to amazon, and they sell the profile, because your approved the sale.

I don't like the latter method, because it provides less protection to the end user from abuse from bad providers, but it's more likely to be implemented. In face, how do we know that doesn't happen today without the user authorisation step? It probably does.

Anyways, enough mumbling for now, and back to sleep.

Not just eCommerce

[OmniFool]

As a regular traveller staying at hotels all over the world, it's just about impossible to simply provide your credit card number and expiry over the phone to make a reservation and pay for the room. The majority of want a photocopy of the card faxed along with a company letterhead explaning all this in detail. Then 50% of the time they ask for the card when you turn up, the fact that it's 3am in the morning back at head office, so no, there isn't anyone who you can call, doesn't seem to phase them.

Easy Valdiation

[rute_1]

Why don't the credit card companies just get your e-mail address when you sign up for the card. Then , when ever a charge is made on your card they can send you an e-mail with the info from the charging company. This makes you aware, imediately, of any charges made on your card. Also, they could even setup a reply from you to the credit card company before the charge will go through.
I guess this just sounds too simple...

Just say NO!

[Ho-Lee-Cow!]

I find this interesting, since credit card companies(VISA, MC, AmEX, etc) are complaining that online sales are secure enough that they don't make any money off the 'risk' there. They build their business models around a certain percentage of fraud(apparently), that usually isn't present in online sales. Crazy, weird, but fascinating.

Personally, with the general condition of privacy policy and my overall distrust of sites using M$ software for any kind of secure transaction, I refuse to order online anymore. This is counsel that I extend to family and friends liberally. If the company doesn't have an order line, then I just go somewhere else.

The laws governing phone sales fall under conventional consumer protections. Online transactions are still in that murky stink that has me wondering if they are going to be sending the telemarketers after me or not. Since I have my letter into the DMA telling them to make their organizations leave me alone, it is far better for me to follow traditional paths to goods and services, at least until the e-commerce people figure out that the backlash against them will be severe and devastating the moment they break the trust of consumers.

Thawte Web of Trust

[Twid]

Thawte has an interesting take on the whole security idea. They will issue you a personal certificate if you present yourself to a "trusted" person, either someone already in the web of trust or a bank office, attorney, etc... It's not unlike PGP but a little more fleshed out.

Details here.

With Thawte acquired by Verisign, I'm not sure if they are committed to this in the future, since their site now seems to be covered with ads for Verisign's personal certificates.

But, the idea is an interesting one. A distributed ranking system where you accumulate "trust points" seems like a system that would work well with the open source world. In a sense, this is much like eBay, where you gain or lose "trust" in the system with every sale or purchase. While some people have been able to abuse the system on eBay, in general they haven't had wide-spread fraud, which is really what you should be worried about. The nice thing about eBay is that it empowers the individual. *I* get to decide if I trust you or not based on my personal criteria.

It's obvious that the existing credit-card system isn't secure enough for the internet world, so I can understand the anime site requiring some form of extra identity. Some sort of "identity broker" or "infomediary", to use the trendy term, seems to be required to make this work. In some cases, maybe that is your bank or credit card company, but I think the long-term solution would need to be more distributed, otherwise it all gets bogged down in inter-company politics and positioning.

Perhaps in the future, you will need to establish a "trust rating", much like a credit rating, with one or several identity broker services before you can do business on the internet. Thawte's system is a good start, it would be nice to see something more open and endorsed by the business world.

-Twid

Re: No We're Not - We need the information!

[bwoodring]

How much information does a small business selling on the Internet need about potential customers? As much as they can get.

I own a small, web based retailer selling engagement rings, and I can tell you that we need as much information as possible about each customer. You have no idea how much fraud there is on the Internet: on average, 4 out of every 5 orders at our site are fraudulent. Most of these orders come from the UK and Australia. As a result we have had to stop all international orders. We simply cannot afford the enormous risk.

A few facts that might help you empathize with small Internet merchants.

1. There is no way of reliably tracking international orders if you are a small business. Sending a diamond ring to the UK or Australia is like sending it to Timbuktu. You might think that the USPS and the UKPS would work smoothly together, but this is not nearly the case.
2. Credit card companies always side with the customer. No matter how ridiculous their claim. The merchant services company (in our case, Nova) will take money out of our bank account without warning, charge us a penalty for doing it, and hold the money as long as they want (we have never won a case against a fraudulent company).
3. The credit card companies don't care about fraud. They make a big deal about fighting credit card fraud, but it is all bluster. We have seen dozens of examples of outright fraud, which we promptly report. We have never heard back from anyone at any credit card company. Our complaints fall on deaf ears.

I have bought thousands of dollars of merchandise on the Internet and sold much more, and I can say from personal experience that the Internet is a much more dangerous environment for small businesses than it is for customers. I have never experienced fraud on the net as a consumer, but I see it every day as a merchant.

Remember, you are asking a merchant who has never seen you, and knows very little about you to ship expensive merchandise to you before they receive any money for it. Additionally, customers can almost always cancel the order without returning the merchandise and the merchant is out of luck.

Large corporations can absorb some of these losses, but most small business owners can't.

Regards,

Brian Woodring
Webmaster, Owner
Rings-Online.com

I have to take issue with this!

[luckykaa]

Come on over here so we can get drunk, shoot you dead, and then loudly and raucously cheer your demise

Its a lot easier to get drunk in Europe. Our pints are larger, our beer is stronger, and a lot of EC countries sell it much cheaper than in America.

So how about we get drunk and go over there so you can shoot us dead and lodlay and raucously cheer our demise....

Re:I have to take issue with this!

[BluSkreen]

EC countries sell it much cheaper
Alcohol is far less expensive in the US than in ANY EC country, though hookers and pot are cheaper (and more readily available) in Europe.
Dave

Validation procedure & nob size

[chickenmadrasplease]

Here in UK, companies are supposed to only ship items to the registered card holder's address. Granted they generally don't adhere to this and it can be a really pain when they do! That said, I've never had any problems when ordering goodies from the US or purchasing expensive items in US shops (apart from those Customs & Excise miserable farts).

Is this just a UK protection law or something imposed by the companies that issue these cards?

Personally I'd never trust a company that was asking for such ridiculous items. They'll be asking for your todger size next!

Tell 'em to piss-off and take your hard-earned elsewhere!

Online reputations and Anonymity

[paulio]

As I'm already an established customer on a couple of other well known e-commerce sites would it not be possible to get some kind of referral from these sites, saying that I'm a worthy customer?

I like the idea of an online reputation. eBay has a feedback machanism that allows a user to get a reputation, a rating from others about how good a customer they are.

The interesting thing about the way eBay does it, is that you can both have a reputation and remain somewhat anonymous. Your email address is visible, but your name, address, etc. does not need to be visible to anyone.

Does this cut both ways?

[jabber]

What sort of assurance can we demand from the marketter in exchange for this sort of personal information?

I don't really like the idea of a digital image of my credit card, or myself for that matter, to be in the hands of a retailer. If a CC slip can be compromised, so can my likeness, and a jpeg of me can be sent to a retailer by people other than myself... They might paste my picture on a false testimonial, making it look more genuine, and possibly making me a suspect in false advertising.

We're being asked to provide identifying characteristics to a retailer before they will trust us - but how do we trust them to:

a) not abuse this identification
b) protect the confidentiality of this information
c) actually deliver the product

We've heard plenty of horror stories about fly-by-night operations that accept many orders, and many payments, and then close up shop without delivering the goods. It's easier to disappear on the net than it is in the real world.

It seems like a place that does this sort of 'integrity checking' could be trying to accomplish two things:

First, they try to appear more credible by showing 'innitiative' in excessive security. Frankly, I like the LISTSERV email handshake method of establishing trust - maybe a third party approach... Retailer verifies with your CC company that you are a customer, the CC company verifies with you that you want to deal with that retailer - pass some PIN or transaction digest in a full circle and you're set. Tedious, but you're not exposed. Digital certificates exist specifically to address this problem, and only small (less trustworthy?) dealers can not afford to use them.

Second, they could just be scarfing the net for people's identification, for use or sale. How valuable is a pic of your CC? Is it both sides? There's the burried issue of asking for an 'image' of my signature... How about your driver's license, with address, physical descrip, DONOR status... All this is valuable info to someone.

Digital Security

[Archangel+Michael]

First off, Digital security is still a joke. Why? Because the weakest link is always the "human factor" Kevin Mitnick. Until we fix the human factor there will never ever be a totally secure transaction. This includes old fashion bank robberies. The only way for us humans to secure the Human factor is to force security measures upon the populace. These security measures need to be semi-permanent and completely forge proof. I suggest a system like "digital angel". But then again, I would suggest the Bible, Rev 13:16. Repent for the Kingdom of GOD is at hand.

Microsoft Passport is just the service you need...

[celestical]

Check out http://www.passport.com With everyone having their info with Microsoft, you can buy anywhere you want... Is that not nice ?

What's your definition of international?

[Malc]

Do you ship to Canada? I know it's international, but many companies don't treat as such.

Re: What's your definition of international?

[bwoodring]

Joking: Countries outside the one I live in. What's yours?

Serious: Unfortunately, no. The USPS and the Canadian Postal Service do not work smoothly together.

If we ship to someone in Canada, and he or she claims to have not received it, it takes at least 90 days for the USPS to retreive tracking information from the Canadian Postal service.

Plus, we have very little ability to prosecute fraud in Canada.

I finally understand why large businesses split into many national divisions (ie. Nintendo of America, etc), so that they have actual legal power in those countries.

Regards,

Brian Woodring
Webmaster, Owner
Rings-Online.com

Re: What's your definition of international?

[Malc]

Thanks ;)

Your statement implies that you are using the postal service. Why not a courier such as UPS (at the customer's expense of course)? When I lived in the US, I shipped a monitor to my girl friend here in Canadian. Using the tracking number, I was able to get more info than I could possibly want: I saw it enter brokerage at Detroit, I saw it get cleared and enter Canada, I saw it re-enter brokerage/customs in Toronto after passing right through the destination city. Several calls to UPS gleaned more information, and I was even able to fax them additional information for Customs after I'd shipped. Of course, even with UPS, dealing with internation enquiries can be slower and more tricky, and time is money in business ;)

Re: What's your definition of international?

[bwoodring]

Unfortunately, neither UPS nor FedEx will insure jewelry, so we are SOL.

Re: What's your definition of international?

[Tower]

What about AirEx or DHL? Same policies? I'd say if you were buying jewelry, a little extra cash wouldn't be a big deal... of course, I'm not one who would buy jewelry sight unseen (well, gold maybe, but never a stone), so I'd probably just drive/bike over to a store... (sorry)

Re: What's your definition of international?

[bwoodring]

No sweat. Just remember, your local jeweler will screw you to the wall.

They feed on ignorance, we try to educate our customers.

Brian Woodring
Rings-Online.com

what can they ask for?

[brarrr]

The ONLY thing that ANY vendor can ask you for as proof of identification is your signature. They cannot ask for your liscence, a photo copy of your whatever... It is cleary stated in every card holder agreement which I have for all my cards. If a vendor requires anything other than sig, you can report them and they risk losing their contract w/ the credit card company. Regardless of being online or in person, they can only ask for a signature as proof.

I wouldn't trust them

[remande]

I happen to work for a company that does online credit card processing, so I've run into some issues. I am not a true authority, since I work at the code level rather than the business level. IANAL, and all that.

Sending a picture? For anime? Suspect trouble! They are willing to either wait for a hardcopy photograph, then pay to file and store it so that they can retrieve it, or they are willing to accept a softcopy and stow that on a disk somewhere. This eats seriously into their cash flow, turns customers away, and is generally a very expensive and ineffective way to do fraud control. If I were a merchant, I might consider measures that invasive if I was dealing with a four-figure purchase, though that wouldn't be my preferred way of doing it. For something under $100, this is the sort of thing that would cause them to lose money on every purchase.

Merchants do have to defend against credit card fraud, however. If you take my card number and buy that anime, when I see the charges, I can dispute them. The anime merchant would end up coughing up the charges; that's the breaks you take when you sign up to accept major credit cards. However, there are online services that do fraud checking.

Electronic fraud screening is available from several vendors, and it can give a merchant an idea as to how risky you are to sell to. Criteria include velocity screening (if your use per day changes drastically, it suspects theft), address checking (you are slightly more risky if the shipping address is not the home address of the cardholder), and how often you do chargebacks (having the credit card company remove a charge versus just getting a return out of the vendor). This has to be cheaper, and more effective, than getting photographs.

If somebody is resorting to photo methods, I have to guess that they either need to take Credit Card 101 or are actively malicious. While I would suspect the former (incompetence before malice), I would still steer clear, from what limited information you have given me.

Re:I wouldn't trust them

[Paolo]

You should never need a photo. A credit card processing agency requires only the number, expiration date, name and address. Optional are the "extra" numbers on the back of the card and a phone number. The processor sends the card number to the bank which sends back the address on the card and expiration date. Based on this information, the company you are buying a product from can accept or deny the charge; even if the addresses don't match the company can take a risk and accept the card.

This is detailed very well in Philip Greenspun's book, availible fulltext online. Here's the book.

Re:I wouldn't trust them

[BluSkreen]

even if the addresses don't match the company can take a risk and accept the card. The AMEX merchant account agreement states that if you don't use AVS, and the charge is disputed, you'll incur a chargeback. To be fully protected, you need to use an AVS. Philip and Alex's Guide to Web Publishing is a great book, but Phil doesn't have all the current info on online credit card transactions. The real info is in your merchant account agreement, which differ slightly from bank to bank. Dave

Re:I wouldn't trust them

[coell]

Um, I was under the impression that if a cardholder questions a charge, it is the credit card company, not the merchant, who has to eat the disputed amount. Credit card companies pay the merchant, and then they bill you for those charges. I could be wrong. The problem I see with the photograph method is that someone might have applied for, and obtained, a credit card using your personal data. Which means that the impostor *has* the illegit credit card in his posession, which has your name on it. Now that apparently it is extremely easy to get forged id's over the 'Net, this form of fraud might be more common than just getting someone's card number and using it. Crooks can now have a credit card with your name, *plus* a SSN card, and a drivers licence, with your name, but his/her picture on it. I think it's time we came up with a different method of paying for stuff over the Internet.

Why lose a potential customer?

[LL]

Let's look at some facts:
- technology is not a compelling competitive edge, you can always buy, hire or steal tech
- if you lose a potential customer to another site, then you've lost their life-time value
- stickiness is keen to retaining a returning customer base to help amortise your hardware

While it may sound attractive in theory, would sites (e.g. megaportals like Amazon) wish to let your eyes wander elsewhere when by investing in a little tech or buying out a small competitor they can keep your money in-house? Look at Sony, they are specifically buying a whole bank just so they can do e-commerce with their PlayStation2! Perhaps some of the smaller specialised sites may offer peering arrangements with a common infrastructure host but then it effectively means a lot of the profits disappear to the equivalent of the mall developer.

Trust is a rather difficult abstract quality to establish. In developing worlds tribes and clans are still the norm (e.g. they offer insider prices) and only the West with a relatively short and stressful history of rule by law that we've even got a semblance of belief that we're not tossing electronic bits of money into the e-void. But this has been the long struggle of consumer rights, anti-competitive commissions, financial oversight, and not a few lawsuites. Even then, fraud and downright commercial fly-by-night con jobs are not unheard of.

You cannot buy trust, but only earn it through a consistent policy, transparent operations and demonstrable willingness to follow up on your principles. The biggest benefit that off-line branded entities can bring to the internet strip-mall is probably their reputation and offering a third-party guarentee over another site is not something to be done lightly.

If you think about it, the act of pressing a few buttons, and expecting with 100% certainty that your ordered goods can be delivered from a totally unknown firm half-way around the world is a small miracle. Nobody likes tax but the benefits of a strong independent judicial oversight can never be underestimated.

LL

How portable will this reader be?

[BlueUnderwear]

> American Express has their own solution - the "blue" card has an embedded chip, then with a reader hooked up to your PC you actually 'swipe' your own card.

What protocol does the reader use to communicate with your PC? Or is it some sekrit proprietary Winders only thingy? That would be pretty bad, because any additional security given by the chip would be negated by the need to run an insecure OS... Somebody could just Outlook you a Trojan that eavesdrops on the communications between card and PC, and Cc the data to some rogue site.

And btw, isn't "Blue Card" trademarked by Visa (a least, that's what Visa cards are called in France, and yes, the French Visa Cards do have a chip)

Re:How portable will this reader be?

[mrzaph0d]

i work with smart cards, and i must say the readers are very portable. the one i have is a little bigger than the card itself, and uses one AAA battery (which lasts forever). it easily fits in a shirt pocket, and is a lot less bulky than even a PalmV...of course i don't have any place to use it, but if i did i'd carry it around all the time...
"Leave the gun, take the canoli."

Re:How portable will this reader be?

[BlueUnderwear]

In conclusion, without knowing the specifics of the Amex messages, if they are at all familar with what I know, it will be very secure, even on an insecure OS (if the OS is secure, then just keep all the info on the chip on the hard disk. Smartcards assume the OS is insecure). Also, I assume that they are windows only, but that could change.

As long as the keyboard connects directly to the reader, and all relevant data (not only the PIN, but also the amount and the account number where the mony should be transferred) are grabbed directly off the keyboard and not relayed through the computer or its insecure OS. If only the PIN is entered that way, a Trojan could still doctor the amount or other parameters.

they are not worth your business.

[Astralmind]

Any place which is giving you that much of a hard time about purchasing something does not deserve your business.

zKey and Passport

[CMU_Nort]

This is the goal of such services as zKey and Microsoft Passport. You register with them, they verify that you are a good and valid customer. Then any ecommerce sites which use their services instantly know you are a valid customer and also have all your existing information, thus eliminating hassle for you.

Convenience vs. Security

[LordNimon]

When it comes to things like credit cards, there's always a trade-off between convenience and security.

My wife and I both use one credit card for the bulk of our purchases. Actually, we have separate physical cards, but the account number is the same. The name and the signature on the cards are different. However, if I give my card to a clerk, and he gives me a receipt for my signature, my wife can sign it. Is that secure? Not really. But it's damn convenient.

It's all a question of where you draw the line. There have been instances where the lack of security has been a boon. I've been able to order computer hardware for my parents simply by having them give me the CC number and date. That's not secure, IMHO. If CC's were truly secure, I would not be able to do that.

But how do you make e-commerce transactions truly more secure? Adding more numbers or passwords doesn't help - it still lets other people make purchases. You could use biometric scanners, but that's a nightmare of its own, and it's still information being sent over the wire (you could copy the biometric data and retransmit it yourself).

How about limiting CC transactions from one IP address? Or having some kind of special key encoded in the computer (can we say Pentium serial number)? We all know these are bad ideas.

The truth is, there isn't anything you can really do to make CC's more secure over the Internet. The most you can do is make it more inconvenient for everyone. I get the feeling that some people equate less convenient with more secure.

So you might say that it's safer to only purchase items in a store. Well, who says the clerk behind the counter is any more trustworthy than a web site and 128-bit encryption?

The CC companies will reimburse customers for bogus transactions. But because e-commerce is so insecure, they think their risk is too high. So they're sharing the the burden with the vendors, and I think that's fair. If you're a vendor with greater than 1.5% returns, then you have bigger problems than the financial penalty. You either have a major security hole, or your products suck.

Re:Convenience vs. Security

[gaudior]

My wife and I both use one credit card for the bulk of our purchases. Actually, we have separate physical cards, but the account number is the same. The name and the signature on the cards are different. However, if I give my card to a clerk, and he gives me a receipt for my signature, my wife can sign it. Is that secure? Not really. But it's damn convenient.

The problem with security comes when you both use the card, the same day, 8000 miles apart. I was contracting in Denmark last summer. Everytime I went to get cash from the ATM, on my MC, I would get bounced. I call, and talk to several people, until they finally get it straight. The next time, it fails again.

The problem, it seems, is that they couldn't tell the system that it was OK, my account could be used in Copenhagen, and Illinois, at the same time.

After I got back, I switched to a different card vendor, and upgraded to platinum. I won't contract outside the US anymore, so it's probably a moot point.

--

Data Collection

[Hasues]

Think of this..now if these merchants trade, give, or sell customer information to database companies for the use of third party information collectors to use for their own personal use in profiling potential people for their own purposes, this gives them the ability to store one more item that totally destroys any privacy that you have, your picture. There is no way you should need to provide your picture for an online purchase, again this should be something that the credit card company can provide (as most have in the past..simply be a phone call to you), and thus the web site doesn't need to provide any security measures that allow them to collect even more sensitive material of an individual.

If someone asks you for proof of id, send them either a) a picture of you wearing your favorite wookie mask. b) send them via snail mail a free complimentary stool sample.

NOTE: I won't be liable for you actually sending someone a stool sample.

It's To Protect the Merchant

[Crispin+Cowan]

The vast majority of Internet e-commerce fraud is people buying stuff with stolen credit card numbers. When a merchant ships goods to someone and the number turns out to be bad, the merchant gets to eat the loss. This action looks like a merchant that has been burned once too often trying to protect themselves.

Crispin
--------
Crispin Cowan, CTO, WireX Communications, Inc.
Free Hardened Linux Distribution

trust in god, but lock your car

[Sotired]

Asking customers to snailmail photos or copies of driving licenses is a growing trend. The idea is to reduce fraud but it also effectively kills part of the point of ecommerce. The referral system would work well except that most companies do not want to pool valuable customer info. In Europe this would also be contrary to the EU data directive. The question of how much information is vital. The companies asking for too much might reduce fraud but they will also loose potential clients. As for refusing information the company is free not to trade with you, so it depends upon how much of a risk they are willing to take.

Online vs. Phone orders

[anonymous+loser]

Do you take phone orders? If so, do you require the same amount of rigorous verification?

It seems there is a double standard emerging with respect to online orders. Companies are placing unusual restrictions on ordering from web sites, but don't follow the same guidelines when receiving orders by phone.

I have had many problems with websites wanting ridiculous amounts of information just to place an online order. The last online order I attempted, the company wanted my bank's phone number and address. When I call the same companies to place an order via phone, they usually ask for just the bare essentials (shipping address, CC#, expiration date) and could give a rat's ass about verification.

Re:Online vs. Phone orders

[LoonXTall]

It seems there is a double standard emerging with respect to online orders.

This might be because of the sense of anonymity on the Net. When you take away accountability, you remove conscience. Most people believe that phone calls can always be traced (maybe they can; I don't know), and that mail can be tracked. On the Net, you're just a someone in the world. I've seen enough untraceable spams (Received: from ppc@motorola.com (localhost [127.0.0.1]) by mail.crosswinds.net with ESMTP ID...) to know that it actually is possible to be anonymous.

-- LoonXTall

Re:Online vs. Phone orders

[Petethelate]

One thing that a lot of people aren't familiar with is a variant of Caller ID. 800 numbers often have the ability to see what you are calling from (AFAIK, the normal blocking codes don't work on these calls), and thus there's another level of checking.

If you are a repeat customer, they frequently have your account information available as soon as you are connected. One would presume that if you called from one number a lot, then did a huge order from another phone number, they'd want some additional validation.

Re:Online vs. Phone orders

[bwoodring]

Just to clear the air, Rings-Online.com does not require a photograph or a photocopy or anything of the sort. I merely sympathize with companies that do.

That having been said, we put the exact same restrictions on phone orders as we do online orders.

Brian Woodring
Rings-Online.com

Fraud Prevention, the ol' fashioned way

[LNO]

There was a (relatively) recent article in the E-Commerce Times regarding online fraud with some commentary from Alvin Cameron, credit/loss prevention manager for Digital River, an e-commerce provider. The article is somewhat sparse, but it has some interesting points.

Among these are the mention that 'identify theft' is a federal felony that's slowly becoming more and more prosecuted, and that "an estimated 20 to 40 percent of online purchases are fraud attempts." It's nice to see that someone would be penalized for illegally using my credit card online, but it's also disheartening to see how prevalent fradulent attempts are, especially when we see how difficult they are to prosecute currently.

I've purchased online extensively over the past few years, usually without any apprehension. The sites that give me reason to pause are the small shops - someone selling CDs of their band, what have you - that really don't have the funds to provide any sort of fraud protection. When a site is able to provide even basic information to assuage the concerns of a potential customer (see Digital River's information about fraud here) then they're better positioned to take advantage of the situation.

To stay on-topic for just a moment, I consider it doubtful that e-commerce companies would share information regarding fraudulent attempts with their competitors. If your company is losing money hand over fist because of fraud, I'll happily take whatever future customers you may have for my company. There may be an advantage in mutual benefit here, but I doubt many companies will see it that way.

Really, though, disheartening is the only way to look at it - being able to purchase anything online without any fear of loss of privacy would be a wonderful thing, but that's just being a bit too idealistic and naive. I guess we just need people like Mr. Cameron to try to minimize the damages.

pee

[jbarnett]

I had to give a piss test, 2 forms of photo id, eye scan, finger prints and a spinal tap before they let me into this one porn site.

But I feel safer now that my credit card isn't among the 31337 hAx0rs of the world.

Plus my credit card is hard to guess, you would of never guessed

AJ Bennett
4828719230128348
with an expiration date of 03/02

You would have never guessed that could you. HA, I am feeling like one secure mofo.

Re:pee

[martin-k]

Unfortunately, we cannot charge your VISA because the checksum is wrong ...

Please post again with the correct number.

-Martin

One word, two syllables.

[Mr+Z]

PayPal

--Joe
--

Never use credit cards online.. from experience..

[MikeFM]

I always use E-gold or something similar when possible because it protects me as a consumer. I did work for a large catalog/online company that sells computers and related products. While employeed there I showed them several methods their system could be penetrated, including grabbing a list of credit cards (several thousand) which I dropped on mgmt's desk w/ a detailed step-by-step list of how I did it and how to fix it. They never have fixed it (it's been over a year) and it's been enough to cure me from most online shopping. If I use a credit card I use a debit card with a hard limit and only a small amount of $ in the account. It should be noted that this company is using the same software that many other companies use and that I had no special access to the system. Just by knowing the software they used and how those bits work together I was able to access the system at a very high level.

Bogus Cards and Card Holders

[Kagato]

Online E-tailers really put a lot on the line when it comes to credit cards. When you sign the merchant agreement you agree to a lot of things that give the merchant bank all the power.

Most merchant banks handle things about the same. Joe Schmoe says the charge isn't his. The merchant bank puts the funds on hold. It goes around a few times. If by the third time the Card holder hasn't admited they made the charge they merchant bank will demand a signiture and an imprint of the card. It doesn't matter if you have a recording of the call with the person authorizing the charge. You lose, do not pass go, do not collect 200 dollars.

The only recourse the merchant has is small claims court.

Getting paid is a tricky job sometimes. There are plenty of ways of messing with the system. The only one who really gets rich is a merchant bank.

The reason is obvious...

[chrome+koran]

Anyone who has ever programmed an e-commerce system should realize what is going on here...

Card companies charge a varying percentage of the purchase price to the merchant for handling the transaction. Long ago, catalog and phone sales scenarios prompted credit card companies to charge a different rate for transactions of this nature than they do for traditional over-the-counter sales. The reasoning is that there was an increased risk of fraud when the card and cardholder were not actually present at the time of sale. This is, of course, known as (wait for it!) a "Card Not Present" transaction.

Obviously, the website is trying to pay the lower rate by producing this ridiculous photo which would make it just as good as if you and the card were present! Don't give it to them...they are obviously morons trying to squeeze an extra 0.5%... :-)

How would that help?

[zeck]

How would it help for companies to share information about you? Sure, they would get something out of it, (a chance to peek into your private life) but how will it help you?

If the company you are dealing with wants to verify that you are a "worthy customer", (which means, I assume, a customer who has the ability to pay and is not committing fraud) sharing information with other online companies probably is not going to help. If you give them a credit card number, they already check with the credit card company to see that your name and information matches the name and information on the card. So the only real concern is, how does the company know it's really you ordering the product, and not some other guy with your information pretending to be you? The answer: they probably don't. And referrals from other companies probably won't help. Just because John Doe has purchased something from Company A, and was a good customer, doesn't really help Company B figure out whether it's really John Doe trying to order something from them or just a punk who stole his credit card.

Some companies sort of solve the problem by refusing to ship to any address but the one listed with the credit card company. This causes just as many problems as it solves, though, because it makes it impossible for a legitimate customer to have a purchase sent to an alternate address. So what options are available for companies to use to verify customers' identities? Anyone have any suggestions?

Re:AMEX won't permit on-line pr0n purchases anymor

[Mr+Z]

More likely its a bit of ass-covering, since America's stolen card laws make the credit card company liable for most of the charges so long as the holder reports the stolen card quickly.

There's still a pretty big window where the thief can order up a bunch of guns, rack up a huge gambling debt, or, I guess, jack off to a bunch of pr0n. Likely, these companies are just saying "Hey, it's too financially risky, since these are common targets for stolen cards."

I say this after having two different credit cards shut off on different vacations, since I used them for gasoline purchases only on a large cross-country drive. All I had to do is call them and say "Yes, it's me, I drove from Texas to Michigan and bought gas along the way." Nothing about morality, and all about CYA.

--Joe
--

Re:Credit cards are not appropriate for e-commerce

[e-gold]

[...]

Thanks for the kind words. As always, I'll click a bit of e-gold to ANYONE on
./ who creates an account and sends me the number. e-gold can be fun, and
the FlyingRat project (Motto: "Slowly morphing to for-profit status!") might solve some problems (think "for-pay
customer-support" here). Try it, you'll like it!
JMR

You are a dope...

[chrome+koran]

The maximum liability you have on fraudulent credit card transactions (by law in the US) is $50 per card. For a debit card it is $500 and possibly the entire balance of the account if the bank can show that you failed to report the activity in a timely manner. By using the debit card you are actually exposing yourself to greater liability. Furthermore, the credit card companies will almost never even charge you the $50 because it's kind of like shooting themselves in the foot by discouraging use.

Re:You are a dope...

[MikeFM]

Possibly if I was bothering to buy really expensive things so that I needed to keep a lot of $ in the account. As usually I buy small things I rarely put more than $30 or so into the account at a time. If I was buying something expensive I'd probably look it up online and then go buy it in person just so I could do a reality check on it and also of course because I'd be excited to see my new toy.

And yes, I'm a dope on a rope. Is that like How to be an Evil Genius for Dummies book? I've been screwed over by almost every bank and credit card company I've tried (and I was an employee of them in some cases) so maybe I'm just paranoid about their promises. Is much safer not to give them the chance to let things go to hell. :)

Credit card fraud.

[James+Renken]

I have some very strong opinions about this. I used to sell Web hosting and UNIX shell accounts on my site, Sandwich.Net. We were doing very well for a while (we even ran some banner ads on Slashdot), but we shut down commercial operations after a very large loss brought on by credit card fraud.

Apparently, we were very popular with the "script kiddie" community. About 90% of credit card orders that we received turned out to be fraudulent (immediately or eventually) - not from credit cards that had been physically stolen, but from compromised credit card numbers and account information. For some reason, almost 75% of those fraudulent orders were either using Malaysian cards or came from Malaysian dial-up accounts.

For Internet ordering, most merchants use AVS, the Address Verification System, for fraud screening. I understand that there are some other systems available now. With AVS - and even with most new systems that I've seen hyped - if your personal information is compromised along with the card number (which is very common), the system is completely useless. AVS doesn't work with credit cards from outside the U.S. or Canada anyway.

If I had required that users fax me a copy of their credit card and picture ID, I suspect that I could have prevented very nearly all of the credit card fraud that happened. As it was, our merchant service provider terminated our merchant account for excessive chargebacks, and charged us a certain amount per chargeback, which added up to a large loss. It would have helped had the provider actually provided us with anything other than AVS for fraud screening, or with decent customer service or advice. A system like that suggested in the article, where assurance is traded among merchants, sounds good, but I agree that it raises some major privacy concerns.

Banks and merchant service providers don't seem to care very much about this. After I realized what was going on (far too late to stop most of the chargebacks), I ended up denying most international orders, and calling banks in North America to verify the charges. Most of them were very unhelpful - I now know which banks I never want to get a credit card from...

I could keep going on about this for several pages. :) Feel free to e-mail me if you're interested in more details. (I'd be happy to discuss the merchant service provider and credit card companies involved.) I hope this message made at least some amount of sense.

Also, regarding two other comments:

More financial penalties for high-chargeback merchants? That seems unhelpful, considering that in most cases (not all, admittedly), it isn't the merchant at fault. Additional fraud screening and actual help for confused merchants would probably more effectively prevent fraud. Penalties certainly encourage merchants to take action against fraud, but it's very difficult to find out how to do so.

The extra digits on the back of Visa/MC cards seem fairly useless to me, as if a Web site that asked for them is compromised, you're no better off than with a "normal" card.

citiwallet

[mvh]

I recently interviewed for a job at a company called Globeset who basically does just what this guy is talking about. An example of one of their customers' products in Citibank's citiwallet. Getting an account at citiwallet may solve his problem.

Sellers have to protect against credit card fraud.

[Phydoux]

I am friends with a local mail-order store owner who sells computer equipment. I noticed one day while I was at his business that he had a pile of faxes of driver's licenses and credit cards.

I asked him about them, and he told me that when they first started selling and taking orders, especially overseas orders, they started getting tons of charge disputes. People were claiming that their credit card had been stolen and that they didn't order the goods.

The credit card companies promply refunded the charges, but that meant that my friend's business had now lost their income from those sales (as well as the equipment!)

He said that they had to resort to requiring the individuals to send their ID and a copy of the front of the credit card number so that they could argue that the person did indeed have that credit card at the time of sale. In that case, it makes it harder for the credit card company to just remove the charge and leave the business high and dry.

The credit card company didn't leave him much of a choice. It was either adopt this policy, or ignore all foreign sales completely.

I'm not saying that you should just go ahead and send your information to the company. I'm just trying to explain that I've seen this first-hand and that's the reason why this particular business started a similar policy. If anything, we ought to complain about the credit card companies or about the insecurity of credit cards in general.
--

Security

[geekoid]

Assuming that the information transimtted to the eBusiness with strong encryption, there is still one big security hole, the database.
I have work with a couple of business that offer goods and or services online. Every single one of them keeps all the information you send them in there database, un-encrypted. The number of people who have at least read access to these databases is stagering.
In a field with as many temporary workers (contractors) as the computer industry, the possiblilty of credit card fraud is really high.
I was at an interview last year, they let me sit in front of there product, I could from that machine see people credit card information. If I was so inclined, I could of easily copied myself a few hundred numbers WITH confirmation information(expired year, name, etc...). They would have been hard pressed to prove it was me.
On the good side, I am trying to find backing to start a company that has a business model that would make this impossible, or at least extremely difficult.

Whatever happened to SET, and E-sales experience

[jfinkle]

Visa and MC were supposed to provide the SET protocol to

1. lower costs to merchants: the 'discount' rate for Mail Order/Telephone Order sales is typically 1% or more over a brick 'n' mortar store. SET is supposed to eliminate that.
2. increase security for both the customer and the card issuer (not the merchant - heh)

This was done using a digital certificate for each customer, vetted by the bank. The e-store never gets the credit card number, just various confirmation numbers from the bank, and credit in their account.

Well, it's been several years, and SET still isn't implemented at any major e-commerce site that I know of. The costs SET-compliant software are huge.

I wouldn't shop at any place that is that much of a hassle to order from. Unless I'm assured of a great deal ahead of time, I won't shop from places that (a) require a log-in (esp. with credit card) before I can put the first item in the cart, or (b) aren't up-front with the shipping costs.

Hey - Toys-R-Expensive^h^h^h^h^h^h^h^h^hUs doesn't even use a secure server!

My wife runs a small children's book store on the web, and fraud really hasn't been a problem. We've never had a customer complain about theft, we've never gotten stiffed for a bill, and the couple of customers who tried to reverse a charge after receiving legit merchandise were re-credited to us -- a hassle, but we won.

We did get a pair of orders one day both shipping to the same city in Hungary using US cards. This raised some virtual hackles, and when the customers didn't respond to e-mail, we canceled the order and reported them to the credit card company [hey - where's our reward?].

Admittedly, the major fraud risks are for large ticket items, or direct-download items, from software to smut, none of which we work with (I think the biggest ticket items are under $200 for hardback sets of The Chronicles of Narnia or some such).

J

Re:Never use credit cards online.. from experience

[e-gold]

Thanks for the kind words (again, my obligatory offer to click a bit of e-gold to /. readers applies here). I would not want you to get the wrong impression, while e-gold Ltd and OmniPay will NOT share, sell, give, trade, etc. customer data like the good contact information we need, e-gold can't sell privacy like Zer0Knowledge or actual digital cash forms, of which very few exist.

So, we can protect consumer privacy and provide merchants certainty of payment at low costs, but for maximum consumer protection use a credit card which extends warranties and provides product guarantees (which e-gold Ltd. & OmniPay cannot, at present). It's good to have a wide variety of payment methods, for example, I confess to being a big fan of PayPal (though I would not store very much value in their system).

I hope that folks also get interested in our phone spends of e-metal -- if it involved anything else but the filthy yellow metal, it would probably be a news story. :^/ Oh well...
JMR

innocent until proven guilty...

[ChiaBen]

Hmmm, back in the day, we used to believe in innocent until proven guilty. Of course that was pre-Metallica, Napster, Microsoft, and Bill Clinton.

regards,
Benjamin Carlson

Haiku

[575]

Referrals scare you
Paranoid of big brother
Privacy, now lost

Trust vs Anonymity and eBay

[Gray]

People in the tape/CD trading scene use eBay their eBay rating to present themselves as trustworthy all the time.. I assume other groups of people use it for the same thing. It's certainly possible to abuse this system, but a dozen positive comments from other ebay nicks I trust goes a long way to my piece of mind..

Unfortionitly, this system wouldn't help cameloid.. The company here is worried that you're some h4x0r nerd with a stolen card, not just a jerk who doesn't pay. It's not a question of trust, it's the old question of identification. If cameloid had a unique MAC address on file with VISA, the site would be able to verify off and happly ship whatever to wherever. Of course, that leads to terrible privacy problems and custom coupons on your microwave.

Photo ID for net purchase? Pretty questionable.

[JeffRC]

The whole thing seems rather pointless, and the possibility of criminal intent is very real. If you make an electronic purchase and then send an electronic image of your ID and credit card, How does this provide verification of actually owning the card. Even most credit card companies don't know what you look like, and photo editing software makes it easy to fake a card and ID. The second problem is that if your personal data (card number, etc.) is subject to be stolen from an e-commerce site, why wouldn't they off with your image as well. Not a very good idea. Maybe we need some sort of public key encrypted personal ID number, something that can be checked but not forged.

Credit cards??

[wide-eyed]

If you have a problem with sharing your credit card and other information you probibly would be weary of giving out information to the said company at all. In cases where your not sure what they want or they want too much information, you have three options. Don't do buisness with them, send them the information and cross your fingers, or simply send them a money order or some equivelant. If they won't accept a money order then that is there problem and you shouldn't do buisness with them anyhow.

not needed - existing practices good enough.

[Pinball+Wizard]

I work for an online bookstore, so I've had to deal with this stuff. I don't see why a photo ID is necessary. The only time my company has ever requested an ID is in cases like academic software, where a student ID is required by the software company.

Standard CC transactions already let you map a number to the owner and his or her home address. That's all that should be needed. The only possible thing that could happen if you have things set up right is that a person could use a stolen credit card and send whatever product to a different shipping(as opposed to billing) address. But even there the criminal is exposing himself to getting caught, and so that's not likely to happen.

We have been victim of fraud, but so far, after many thousands of orders, its either been on returns(no credit card solution is going to help there) or from people shipping items to PO Boxes. We had to stop shipping to PO Boxes because these cannot be traced to an address, and certain people would try to steal things that way.

Of a far greater to concern to these people should be protecting the credit card information in their database. I imagine it was quite damaging to the companies that stored database info on their webserver and then were subsequently cracked.

The only thing I can see this useful for is marketing and thats where our companies differ. My company stongly supports privacy and would never share customer information.

I know a thing or two about this..

[BigZaphod]

I'm in the process of setting up secure ordering online right now. You'd be amazed just how much the credit card companies don't care about merchants.....

If you have too many charge backs (fraud, etc) they can boot and/or fine you.

If you have no proof that the user owns the card (ie, you don't have the actual imprint or it wasn't scanned using the magnetic strip), then you have nearly no protections.

When there's a problem (chargeback, etc) you not only are out that money, you also have to pay a fine (usually something like $20.00). The credit card holder gets a refund (to keep them happy since that's where they make the money), and the merchent gets screwed over by the thief or the cardholder who just decided you didn't deserve the money after all.

Unfortunatly, there's pretty much no good way to verify that a user of a number is the owner of that number. So, we merchants often have to revert to using the billing address. The credit card systems (Visa/Mastercard, anyway) have a system called AVS (address verification service) that attempts to match the address given with the address for that card number. The problem is, it only works in the USA.

Without an AVS match, you have nothing to fall back on. You could argue against a chargeback until you are blue in the face, but it won't matter. With an AVS match, you have some proof that you at least tried to verify ownership as much as you can. Then you could argue about it a bit.

Unfortunatly, though, since AVS is USA only, it makes it very hard for us small merchants to take orders outside the US. And no, Canada is not part of the USA. :-)

So there's the problem. The credit card companies have almost nothing to allow merchants to verify ownership with an online transaction. And what little we do have doesn't really hold much water in an argument. So most places just refuse any card they can't get an AVS match on which includes the entire world minus the United States.

That's why things in the e-commerce world kind of suck. Each merchant has their own standards on how secure they want to be and how much they want to avoid chargebacks. Until the credit card companies figure out a better/universal way to verify that a person actually has the card and has the right to use it, e-commerce is not going to be getting better any time soon.

l8r
Sean

Credit Card Fraud

[simon333]

First thing, do NOT send them a copy of your credit card. There are usually 4 numbers above the imprinted digits. Knowing these numbers can help credit card thieves use your card and/or make changes to your credit account.

I have a merchant account for online credit card transactions and the problem that companies face in the U.S. is the large amount of chargebacks and fraudulant charges from overseas. In fact, I have a list of over 70 country codes that I was given by the bank and advised to block entirely. All of Italy being one of those countries. The UK was not on the list but I can see how some banks may require some special authentication.

Also, I just found out that Ibill, one of the major third party credit card processors, just lost the ability to use American Express for all adult related websites due to high number of chargebacks and fake charges.

As for companies sharing info, I don't think that's the way to go.

- Simon

Dubious e-commerce

[Tirs]

Hi! I work as an e-commerce developer, so I think my two cents might be worth 1/50th of a dollar on this topic.
There are several ways of protecting shoppers privacy while giving merchants the security they want. The most common is using a third party as payment gateway. This third party is a certified authority and has an agreement with a bank (or is a bank itself) or with a credit card issuing company, so they can check if a credit card is valid via a digital certificate which gives warranty on *your card*. This means that, if somebody steals your card or peeks at the number, s/he can do nothing with it because s/he does not have the 128-or-more bit digital fingerprint that resides safely in your computer (hacking is another issue here; we are talking about credit cards now, ok?)

Besides that, if no certificate is used, WHAT CAN THEY DO WITH A PICTURE OF YOU AND YOUR CREDIT CARD? Maybe these guys never heard about a nice software called The Gimp (well, let's say Photoshop if you are not an OpenSourcer), which allows you to alter a picture your own credit card, changing the numbers by any others you want while preserving your name. Even better, if you manage to steal a wallet, almost for sure you can find the credit card along with a picture of the owner! (passport, driving license if yours are also the European model, etc).

So, bottom line: asking you for a picture is both untrustworthy and useless.

Fraud detection

[Howl]

There are already data sharing systems that solve this issue without privacy violations.

CyberSource has one (which I helped design) that process cards for lots of merchants - when a new transaction comes in they look at it on a lot of different factors one of which is the history of this person (card/email/phys address/phone#) on other sites - if there has been no problems and it passes the other tests they give back a low score and the transaction happens - if there have been problems they give back a high score; the merchant can then decide what to do next (reject or ask for more info).

In all of this the customers data given to one merchant is never disclosed to another (nor is anything about the customer or their history). It's a basic premis of the system that data goes in but does not come out. It works remarkably well.

CyberSource is at http://www.cybersource.com
Disclosure: I used to be CTO at CyberSource (before I retired :-) and I still own a lot of stock.

I won't ever buy from Megahaus again

[goingware]

I had ordered two Quantum 10,000 RPM 18gb Ultra 160 SCSI drives and an adaptec 39160 dual-channel ultra-160 SCSI controller from Megahaus. These are high-end items and came to over $1500

They say on their order page that they need to have the shipping address match the credit card address and as I'm out of the country (in Canada) for a few months I explained the situation in the comments field and gave them my phone number.

Then the trouble began.

I got a message from them asking me to "add" my shipping address to my credit card. Well, it's a debit card and you can't do that, the best I could do was change my permanent address with the bank to the place I'm staying at in Canada. I didn't want to do that because I'm not staying here permanently but I really need the equipment. The bank was happy doing that over the phone.

I got a call from Bank Security verifying the transaction so I know that the transaction was approved by the debit card company.

But when they verified my address again it still hadn't gone through. No problem, I thought, I'll just give them the number of the lady at the bank who approved the address change.

Well that wouldn't satisfy them. I ended up spending all day on the phone, alternately with my bank who bent over backwards to be helpful and who assured me they would do everything in their power to get Megahaus to send me their drives, and some obnoxious chick in Megahaus order processing who said - get this - she wasn't permitted to dial an extension when verifying my address.

It is impossible to reach anyone at my bank without dialing an extension. The branches don't even have their own phone numbers. When you dial the number you get a switchboard and the person at the switchboard doesn't have bank record information available.

The chick at Megahaus said if she couldn't get the verfication from the person who answered the phone she wouldn't send me the drives.

Now I could wait three days for my address change to register on Visa's records (isn't this the 21st century) but instead I canceled my order and ordered from Insight instead.

Mike

Tilting at Windmills for a Better Tomorrow.

CCs aren't always secure in the flesh

[ripicheep]

I have used other peoples credit cards over the phone. (always with their permission)

Once I rented a van with someone elses CC and my drivers license. The clerk behind the counter copied down all of my DL info and used the CC machine to do the bill on that and never noticed that the names were different.

I wasn't sure which name to sign on the final reciept, but I don't think it would have mattered either way.

Fraud is always a potential problem with extending credit to someone. It's not necesarily easier on the net but people think they can get away with it more easily. I forsee a new netCC with seperate/higher fraud insurance rates for the customer/vendor than regular CCs.

Even If it is a good Idea

[SigVn]

(And to be honest I doubt it) I doubt Online venders will ever trust one another enough to trade inforamtion on customers (Amazon.com & Chapters.ca both sell books and movies so trading inforamtion is basicly tradeing a customer list...Not likely to happen when they are both losing money.)

I would not be suprised tho if some of the existing credit rating services move online. (Anybody looking to get rich in B2B there ya are)

Please report all merchant violations.

[redninja]

Not specific to ecommerce but if any merchant is asking for ID, always refuse and point out the violation to them. Then make sure to report the merchant name, location and attendant name to the credit card company. Here is a link for reporting these violations to mastercard: http://www.mastercard.com/consumer/cust_serv.html

Re:Please report all merchant violations.

[BluSkreen]

It's not a violation of the merchant account agreement to require ID on transactions. In a "card not present" transaction, the merchant is required in most cases to use AVS, or some other way to verify the legitimacy of the card/cardholder.

Dave

Stupid, stupid stupid

[Jake_Man]

The only thing you'd be giving them is your card number with expiration date. Furthermore, with your grinnin' mug there in the pic, they could claim that you were giving permission to have your (surprise!) credit card number publicized on a web page (a very creative way to steal them).

That, or you're dealing with some very stupid merchants (more than likely).

You see, with telephone or Internet or other non in-person transactions, they don't need much in the way of proof of ID. Visa, and other credit card companies will pay all theft claims. It's very expensive, and that's why the credit card rates are so ridiculously high.

They simply do not need your picture with the credit card. Hell, you don't even have to do that with PayPal.com!

Very questionable. However, I think it's their intelligence that is questionable and not their intent.

Re:Stupid, stupid stupid

[tiwason]

Visa, and other credit card companies will pay all theft claims. It's very expensive, and that's why the credit card rates are so ridiculously high.

Guess you decided not to read any comments and just display your ignorance...

Visa/Mastercard take the fraud $$ striaght back from the merchant..... plus charge the merchant some extra $$ just for the privalage....

Re:Stupid, stupid stupid

[Jake_Man]

Ignorant is a childish flame such as yours. I've read the posts, and I stand corrected. What purpose did your post serve other than a little ego-stroking?

Trust models which solve this problem

[techmuse]

I'm a computer security researcher. This is sort of a variation on one of the problems that I have been researching for a long time. There are several trust models which have been proposed, which handle part or all of this problem in different ways. Some of them are: The Biba trust model (multilevel, single domain) The Bell-Lapadula trust model (multilevel, single domain) The PEM certificate hierarchy (hierarchical trust domains requiring trust of a top level authority) The PGP/X.509 certificate web of trust (transitive application of trust relationships, which is more like what you were talking about). The Solar Trust Model (user-centric multilevel interpretive model with dynamicly generated trust relationships) I would suggest reading the paper on The Solar Trust Model. It goes into great depth on these issues, and suggests possible solutions.

Attack the clear data stream, not the encrypted!

[BlueUnderwear]

eing signed, they couldn't modify it

This is unfortunately a common fallacy. The data stream between the smartcard and the network is indeed encrypted, and thus inattackable. However, what is often forgotten is that the data stream between keyboard/mouse and the smartcard is in the clear. A smart trojan would attack that stream, and just tell the card "the user just keyed in an order to pay www.chaos.de $20, please encrypt". There's really no way to protect against that, short of putting a mini-keyboard + display on the card reader itself (it seems that the German "Geldkarte" system is mandating readers like that, but as they are expensive to produce, providers are reluctant to adopt them).

Set

[Thorkild]

In Norway (where I come from) they created a system called SET (I think, it's been a while since I looked at that). What this system did, was by using encryption, validated you request, but without the shop getting the details.

How it did this was by using a trusted third party (which isn't that a new concept). This is typically the bank, or the cardcompany. This combined with digital signatures ment that the shop couldn't change the values, and it didn't even know the credittcard number. It just knew that the transaction was ok, since the third party said so.

There is a lot more details of course.

This system seems to have died, since it was too complicated, and the netshops didn't support it. A shame if you ask me, but then, nobody does..:-)

Shop somewhere else

[Snaller]

Must be a very amateurish place. When we've done dealings 'over there' they could validate the information at their end. If these guys can't then it seems to me they are not very professional, no?

--

Frauduleant chargebacks are a major problem

[Count+Fragula]

Having run a medium size e-commerce hardware wholesaler for some time a while back, I can tell you that at least for international orders, chargebacks are a major issue. Twice our company was burned when foreign "entities" (can't really call them companies in these cases) basically ordered a bunch of hardware from us, on Visa or JCB, and then upon receiving the shipment immediately charged back the order to their card company, claiming they never received the order.

Yes, this is fraud, and yes the credit card companies claimed to be "looking into the matter." As did the shipping companies. But these groups have little vested interest in resolving the problem since they already got their money back from us. We were left holding the bag.

Needless to say, subsequently we either never bothered with international orders from companies we didn't already recognize, or else we made them send a bank draft, or verify their shipping sizteen ways to sunday before dealing with them. Sorry, but here again was a case of the irresponsibility of the few infringing upon the freedom of the many.

From what I know.. (not much :P)

[Jekyll]

From my experience (with Nova Merchant Systems) you need the card number, the expiration date, and the zip code. Address verification (AVS) is also optional, and sometimes required based on the fee you get (When you sign up for a merchant there is normally a monthly fee + % of sales; the more risk the processor has (or the lesst auth) , the higher the % will be. AVS, a real card swipe, signature all help lower that %; but as far as net transactions go... card swipe & online signatures aren't exactly there yet (in any great numbers at least).

Everything else you don't send. The expiration date has nothing to do with anything, from what I have heard/seen. It's simply a test to see if the date on it is a valid date (no algorithms for determining experation date, nor is it checked at the records). American Express is simliar, but a bit different... they do all their processing.. whereas with Visa/MC you hafta go to a 3rd party to process the transactions.

American Express is generall a bit more expensive (It's a fee on top of the Visa/MC processing).. but due to the type of card it is (It's not really credit -- you can't carry over charges (til recently at least)), as well as the offers they make (freq. flyer meles; etc..)

I'm sure each processor has different requirements, but from what I have heard this is the norm.

use paypal.com

[karmma]

Paypal.com is a great business model and a good service. You give paypal your credit card information. They send the vendor a check for your purchase. Your credit card data is in one place -- a lot more secure than having it in a dozen (or more) places - or being "traded" by vendors with each other.

disclaimer - I am not affiliated with paypal. I just think it's a good idea.

--

regional coding?

[peter]

If you buy DVDs from the US, I think you would need a modified player (or decent software on your computer) to play it, because the UK is a different region than the US. I don't know, since I'm holding off on DVDs until the corporate jugular-grab surrounding them is resolved.
#define X(x,y) x##y

Re:regional coding?

[TobascoKid]

Most DVD players in the UK are modified when you buy them, or are quite inexpense to modify (about 40 pounds). Not only that, but most of the low end machines don't need to be modified, they are either region free straight from the factory, or have so called "software hacks" that usually involve either a certain sequence of buttons pressed on the remote control, or in some cases pressing a button on a remote control from an entirely different piece of hardware (a cassette deck for example) will allow you to change regions. I know that last "hack" seems a bit strange, but it is true (I believe it's some of the Samsungs that have this sort of hack).

Basically, regional coding is a bit of a joke in this country. Even government ministers have said that if the movie industry woke up and released titles at the same time and at a similar price on both sides of the pond, then people would be less likely to import (my words, but that was the gist of what he was saying). Of course, if they did that, then they would never have needed RC in the first place.

How 19th Century

[FunkyRat]

I do a lot of work for some companies that use a specific vendor for filling all of their needs for a specific department, such as housekeeping. Before becoming a customer of these vendors, they require a written credit application that does ask for credit references from (usually) the three largest vendors the company does business with and a bank.

The advantage is that these vendors then extend complete credit to their customers who then have the privilege of ordering anything, anytime it is needed without worrying if the last order is paid off. While this works fine, it seems to me that this is a very nineteenth century way of doing business, and as someone else pointed out in this forum, it seems like a good venue for companies to swap information about individuals and other companies. Finally, while this might work for the kind of situation such as I detailed above it would seem to create a whole lot of overhead when applied to the individual person level.

Neither do solutions such as Amex's Blue card seem to be adequate. First of all, I find it insulting that I should be required to have a piece of plastic in my hands whenever I want to do some shopping. What is the advantage of this over money anyway? (Yes, I know -- digital money means never having to get a fresh supply of dead presidents from the holy money wall - ATM)

Secondly, what is to prevent a thief from simply stealing my blue card and using it? The thief would have the physical piece of plastic in their hands and that would seem all that matters. (Excuse any ignorance I'm showing with regard Amex's Blue Card, I am not at familiar with it's actual implementation)

It would instead seem to me that a public/private key signature is the only secure way of implementing credit cards in the online age, but then that brings up the matter of who verifies that a particular key is actually from the person it pretends to be?

I don't want to stir up the old capitalist/socialist bee's nest here, but situtations like this really make me think that problems like the one above are what will really be the undoing of capitalism.

Let your bank help!

[mertner]

I had a really positive experience that could maybe become more standard practice. I ordered some expensive items from a US web site (I live in France) and my bank (which happens to be a UK one) actually called me and asked if I agreed with this transaction.

The conversation took about 30 seconds but left me with a lot more confidence in the whole e-commerce thing than before. I am now basically reassured that if anyone attempts to buy expensive goods using my credit card details, I'll get a chance to say no before payment goes through.

If this is not feasible, the method used by my Danish bank could also be used - if not quite as convenient. They send me a statement every month, with details of every item that will be paid from my credit card next month. If I disagree with any of the items, I just call the bank and let them know. Of course, if you have a payment that must be cleared and go through urgently, this approach is not quite as powerful or flexible as when you get your bank to call you.

Has anyone else had the same experiences, or am I just lucky? For reference, the bank is First Direct in the UK, which offers telephone and online banking only...

Re:Convenience vs. Security - Clerks arent safer

[sylvester]

Apparently a lot of stolen credit cards were used to ring up over 100 million dollars in charges. Amex got suspicious when they noticed that all these cards had been used in a particular restaurant in NYC.
When the feds went to the restaurant in one of the back rooms they saw a card swipe machine hooked up to a laptop. The crooks used to swipe the card and get the persons info, the card #, etc etc and would make duplicate cards which they would use to make purchases. The victim never knew that he/she was victimised till 30-60 days later ...

They're pretty stupid. If they were smart, they would never have done the transaction at all. Then the way they were caught would never have worked, because as far as the CC companies were concerned, those people had never been to that restaurant.
Stupid stupid stupid. Sometimes I think I should become a criminal. :-)

Re:Vendors just passing on Credit Card Company buc

[cafebabe]

On a side note -- Wired magazine had an article a few days ago about how American Express will no longer cover credit card transactions from porn sites. AMEX says that porn sites have such a high charge back rate from fraud that they are no longer interested in working with those companies. One thing the article pointed out is that a lot of the fraud from these sites doesn't come from stolen cards or invalid numbers, but from people disputing what are probably valid charges because they don't want to admit to embarassing purchases. ("No, honey, I don't know how that charge got on my bill. Someone must have stolen my card...")

Considering how lucrative the online market is for porn and other goods and services people would rather purchase with the benefit of anonymity, credit card companies should probably focus some of their security research on techniques for nonrepudiation, not just improving methods for authentication and preventing interception of card numbers.

Good question

[LoonXTall]

So what options are available for companies to use to verify customers' identities?

My first thought was certificates, but given the ease of cracking {insert your favorite OS to flame here}, that doesn't seem like a very good option.

Since they have the IP address you're connecting from, they might be able to do a reverse DNS lookup and cross-reference with the ISP on your record. Problems: big hassles to order from another computer (work/home) or if you change ISPs; other crackers on your ISP could get in anyway.

Just some thoughts.

-- LoonXTall

Re:Vendors just passing on Credit Card Company buc

[LoonXTall]

But really the Credit Card companies should be providing crypto to the customer in the form of so-called smartcards rather than squeezing the vendors.

Problems: cost of reader; trojans reading key (by replacing the endec program?); resource conflicts (USB error: power draw exceeded, PCI error: INT #B not available, (E)ISA error: lost Intel's blessing); desktop space (I hold my keyboard on my lap and work sans mouse).

-- LoonXTall

passport

[konstant]

I cringe to recommend the service to this hostile group, but Microsoft is attempting to address this very problem with Passport. By authenticating yourself centrally, and storing your essential information such as credit card numbers, on their servers, you are immediately authenticated to any sites that recognize the passport mark.

Of course, this has yet to become popular, and I could understand if you had reservations about handing such important data into a corporation's safekeeping.

-konstant
Yes! We are all individuals! I'm not!

Internet Escrow Services...

[Psyko]

Another way around this would be to have the company issue the transaction through an internet escrow service like escrow.com or the like. They will act as a neutral third party and make sure that everyone involved in the transaction gets what they were expecting for an extra 1 or 2% of the item cost.

Kafka

[Scrymarch]

Without privacy laws on the books, we are headed for a future similar to Kafka's Trial: companies make decisions about you based on information about you that is essentially secret.

Whoah there, I don't remember that from when I read Kafka! Unless were talking about another wacky Czech existentialist who wrote a book called The Trial . In fact, I thought one of the points was they could have misidentified him entirely; his failures were on a moral level it was absurd to judge with any formal apparatus.

Someone must have been telling lies about Joseph K., for one morning he woke to find someone had sold all of his furniture on Ebay.

OTOH, it does have a familiar ring to it.

They shouldn't.

[Hedgehog]

When e-buying moderately priced stuff, the assurance of actually getting payment for it, should entirely be the problem of the online store.
I never buy books at Amazon, I just won't provide credit card credentials online. I also don't really like paying in advance. There's a great online book store back here in Belgium where you only have to provide your delivery/billing address and e-mail. They send you the stuff, and if you like it, you pay by ordinary money transfer, and if you don't, you send it back. I just won't have my visa number up for grabs in some big database accessible through the internet. Because as a security engineer, I know how easy it is to overlook something when securing an e-commerce platform. I just won't provide my visa data online. I'll gladly buy stuff online, in fact I do it often, but only when I can pay after the goods arrive, or when I can use 'Proton', which is a popular smart card back here acceppted by all banks and a lot of (online and offline) merchants.
Personally, I feel smart cards are the way to go when it comes to providing online credentials or payment: they can store a whole bunch of certificates (for PKI based infrastructures such as logging on to W2K) and private keys, advanced versions of smart cards easily run java applications (you can build nice e-commerce app support in 32K of chip memory), and fit in your back pocket.
I don't like the idea of online stores correlating my purchase behaviour or cross-referencing my data with other online e-merchants just for authorisation. It's an easy excuse for marketing and data mining, as already pointed out here.

AVS seems to be the next small leap for bank-kind

[cliveholloway]

Having had to trawl through loads of cc verification stuff for my baby, I can vouch that it can be a major problem.

The transaction companies we have dealt with in the UK cover their asses by making the percentage on each transaction quite high (err, 7% I think I remember hearing for some!), but that covers you for chargebacks (insurance or something...).

When playing with Barclays ePDQ, I ended up reading the cybercash docs (basically what ePDQ is, but re-branded). They had a great feature, the Address Verification System (AVS) that didn't just take the CC number, name and expiry date, but also takes the first line of the cardholder's address and their zip/postcode for verification. You can then choose to reject transactions where either or both fail (can be problematic - 1 Main St. is not the same as 1 Main Street).

So I started looking at integrating it, but at the moment, Barclays doesn't support it. From what I can gather though, they will be soon, and when they do, the transaction fee will be less for shops that use AVS to verify cardholder's address and only allow shipping to billing address.

Of course, the easiest solution is to remove yourself from consumer culture and buy as little as possible. But then, not everyone wants to be a hippy <sigh>

Credit card authenticity checks.

[lkchild]

The problem Ive found recently (Im in the UK too) is that with UK credit/debit cards (I have a Visa/Connect from Barclays Bank), the banks dont seem to let people outside the UK get access to the registered card address - this means that the company you are buying from cant check that your address matches the one on the card which is their primary security. - I had to send a photo of my card and my passport to bidpay to get authenticated there, and some companies just refuse to do business with you!

Oh well - its worth the hassle - ebay is my life....:-)

--
Lauren Child, lauren@laurenchild.net

Credit checks in rl vs. el

[daemonenwind]

Now, as a fellow /.er, I try to leave my computer as infrequently as possible. But when I do, and I choose to use my credit card, I have to sign something. Then, my signature is (supposed to be - doesn't always happen) checked against the back of the card. This way, the people at the store know I am the true owner of the credit card.

Now, let's suppose I steal some grandma's purse and head straight for my computer with the credit cards. Since I don't have to sign anything, or prove my identity in any way, I could get a lot of neat toys before the free credit card spree ends.

Sure, some online stores are getting paranoid about who's charging what. CDW, a great place to buy computer toys online, requires a signed photocopy of your driver's license and credit card before they'll do business with you. Why? To protect their customers and themselves from false charges. I'm all for it. Sure, it's a little bit of a pain, but I'd be really glad for it if it was my card that was stolen.

And, if fraud is kept down, then we can still get nice, cheap online deals. And, aside from the coolness of buying our favorite toys with our favorite toy, deals are the big reason to shop online. Stop-frauds will help keep it cheap.

-Frauen sind wie Spielzeuge. Je billiger, noch besser!

Just to educate

If anyone has actually read the merchant agreements that merchants have to sign with their authorizing bank, they would notice that the merchants get majorly screwed when it comes to accepting credit cards.

Merchants have to pay to the bank:

1. Monthly equipment rentals (swipe terminal, and/or online processing)
2. Monthly service charges
3. A percentage of sales (usually 2-3% which is mis-called a 'discount' rate by the banks)
4. Service fees for chargebacks
5. And in many cases, a hefty deposit for mail order transactions. Common is the equivalent of 2 months average worth of sales (if you are a heavily trafficed site)

Now, if someone goes and submits a stolen credit card, the card still goes through, the goods go out, and then the actual card holder receives their statement, the first thing they usually do is call their card company to question the charge. This then eventually turns into a 'challenge' and the merchant then has to supply proof that the customer was there with the card and signed for it.

The only acceptable proof is an imprint of the card and the signature of the original card holder. This is why you see some merchants (myself included at one time) ask for a photocopy of the customer card along with a signature and statement saying we can use it for the purchase. It's not exactly what the bank wants, but it did tend to deter bad apples.

If the merchant cannot meet those requirements of proof, then the charge is reversed, the card holder get's a credit, and the merchant is out the goods that they have already shipped, and the bank makes a service charge.

It's totally totally in the customers and banks favour. The merchant essentially gets screwed. But because of the society we live in and the convience that credit cards offer, merchants really have no choice but to hope that it all works out and live with the small percentage of the ones that don't.

Someone mentioned earlier about there being an automated way that a merchant can verify the customers information.

Well steps have already been put in place for that. It's called SET. It's used through a lot of US banks to verify US addresses, but cannot be used for many addresses outside of the US. Why? Because ALL the banks have not yet agreed upon a way to share the information between each other.

-Klyde
Someone who has been doing this for many many years already and hates banks.

It's the Merchants I Worry About

[SEGV]

I just tried to order a digital camera today. Many don't ship to Canada. Two had 800 numbers that were not in service. My credit card is fine, it's the online merchants I worry about.

--
Marc A. Lepage (aka SEGV)

I want electronic cash NOW!

[mcelrath]

How long will this go on? Credit card fraud is HUGE! And CC companies have no interest in fixing it. Government covers litigation for them, consumers and vendors absorb the cost of fraud.

You, yes you sitting smug there behind your keyboard, go start a company RIGHT NOW that will encrypt transactions so that fraud is nigh impossible. Make it so I can beam money to people with my palmpilot, and while you're at it, establish a public key infrastructure that can verify my identity as well. PGP is well and good, but no one is selling it to companies! Some corporation must invest the resources to sell a better system. Companies aren't going to just pick up something like PGP and start encrypting transactions because no one is selling it to them and because they don't know about it, because no one is selling it to them.

Methinks consumers and vendors would come running in droves for a fraud proof electronic money.

--Bob

It's worth it.

[bludwulf]

I've worked with two companys that sell shell service and web hosting, and about 95% of our orders were paid for with a credit card. Or so we thought. Out of $20,000 dollars worth of income, we had one legit customer. If not a photo of the card, there needs to be some kind of bulletproof way to be sure that the customer is legit.

Furthermore: If someone steals a card and swipes it at a store to buy something, its the bank that pays for it. If someone steals a card and uses it to shop online, its the online company that pays for it. This isn't fair. The banks need to come up with a way to make e-commerce more secure (we've emailed many suggestions to banks around the world: email notification of card purchases, etc.) so that things like this don't happen. Beau Gunderson bludwulf@crackrock.net

E-gold?

[MikeFM]

I do have a few wishes for e-gold and similar online banks I use. The biggest problem I face with them is the ease of putting money in and getting money out. It'd be nice to be able to wire or charge to my credit card the amount I want and have a reasonable short wait before I could spend that e-gold $$$. Also it'd be nice if these places issued actual debit cards that I could use at real stores/atm's and if they could wire the money to my bank the same day I asked for it (Pay-pal says 3-5 days which is painful when you need the money right away.). I don't like it when reality and the Net don't merge painlessly into one another. :) GoldChanger seems to be going to take paypal and wire transfers to make e-gold which is great but it still needs some work before it's ready for every Tom, Dick, and and Harry. :)

Re:E-gold?

[e-gold]

Because e-gold is a different currency (actually, four currencies) denominated in grams, the expensive part of the whole process (and the part that feeds me!) is the exchange transaction from other currencies (here's a calculator). e-gold is still cheaper than credit cards, especially for large companies with clue-resistant management.

e-gold Ltd. is a bailee, and not a bank (in fact, e-gold Ltd. has never even had a bank account). A bailee merely stores things on behalf of customers (imagine those mini-storage warehouses springing up all over in the USA for a similar legal relationship example) and cannot make loans, etc. e-gold Ltd. concentrates on storing allocated, good-delivery bars of bullion metal.

OmniPay, which currently shares the e-gold.com site with e-gold Ltd., has plenty of bank accounts all over the planet in a variety of currencies, and is the principal market maker in the e-metal family of currencies. It's important to keep in mind that e-gold & OmniPay are 2 separate companies (soon to have two separate websites). OmniPay can send wires on your behalf, or send checks to any snailmail address, in exchange for your e-metal grams.

Anyway, getting grams of e-gold is getting easier all the time, and you can definitely use a credit card either with Western Union or other options, so go ahead and buy some ounces from us or buy a few grams from an Australian or buy some e-gold from a US citizen and there are others springing up all the time.

I predict with the new system(s)* both you and I will be very happy, e-gold stats on the present system have been great ever since The Gold Casino arrived on the scene, and now the casino just put up a "bet on the closing price of gold today" pool with no house take.
JMR

* "Real soon now." -- and it will definitely be more Tom, Dick, & Harry friendly.

Re:E-gold?

[MikeFM]

Well I meant bank in a general way.. as any place I can keep something valuable to me. Last time I checked Western Union ate a sizable amount of $ from anything you transfered through them. Also do they offer a way for the e-store linking to them to suggest the users name, address, etc as used by e-gold in the making of a new suer account. It'd be very good if the site could provide this information (and the user edit it if needed) so that it'd be less of a hassle for users to start a new e-gold account while in the middle of shopping from the e-store. I know I at least get annoyed at providing the same information about myself to a dozen sites a day and I'm sure my customers do also and I don't want them to lose interest in the middle of a sell. Passing a template of common information would help I think.

Re:E-gold?

[e-gold]

Western Union does take a bite, speed and risk cost more, but you can always
lock in a rate and snail a check. The problem with templates of common information
is that we don't trust other financial institutions (even Western Union) with customer
info. There are a number of marketing friendly things that our policies keep us from
doing, and I'm constantly trying to think of ways to comply and still do what I want.
JMR

Re:E-gold?

[MikeFM]

I don't mind a reasonable bite but Western Union takes a bite that would have been fair in the days before everyone and their dog could wire information back and forth for little or nothing. A 3% fee wouldn't be a problem. A 15% fee is a problem. Afterall this is essentially a loan where they get the money before they give it to you.. just in a different place than you are.. there is little risk for them and obviously the wiring of the information costs little so their fee isn't justified IMO. :) In an ideal world I could spend Internet money in real life stores but until that day comes I still need a way to convert between the two easily, quickly, and affordably.

Well as I said the information would be editable by the user after the other site supplies the data. You'd want to do some sort of check for any possible hidden chars/data depending on how you passed the information in but as long as you did this and then showed it all to the end-user so that they could correct information as needed it shouldn't present any problems. It'd just pass in the default values for each form element so as long as the information was correct it'd save the user a lot of hassle. ie name, address, email address, phone number, etc are pretty easy to pass along and it'd present little security risk in accepting the default values from the originating site.

Nice idea, too many complications

[DeAtHaWe]

It would be a nice idea if the various e-companies were to share information and that, making it easier for customers to shop. However, there are too many legal implications, most noteably being, the privacy issue. Although, I suppose if they notified the user they were going to be doing that, they might be able to get away with it.

Re:Attack the clear data stream, not the encrypted

[wmitty]

However, what is often forgotten is that the data stream between keyboard/mouse and the smartcard is in the clear. A smart trojan would attack that stream, and just tell the card "the user just keyed in an order to pay www.chaos.de $20, please encrypt".

The Amex Blue readers, as well as some of the readers the my company products have a PS/2 interface on them. The reader sits between the keyboard and the computer. When entering information to the card (specifically a PIN) the reader intercepts the the signal, and it never reachers the computer, which means it is never available to a trojan.

More security than not, but there are still ways to attack that system (Tempest, video camera watching the keyboard, etc.) -- Walter Mitty wmitty at hushmail dot com

The problem is the card companies

[SmilieZ]

I can fully understand, and relate to companies requiring a faxed photocopy of someones card and ID.

It proves

A) You have the card
B) You are prepared to be identified with the card.

We don't ship Credit card orders outside of Australia and NZ now without either prior arrangement, or faxed copies of cards and id, as out of the 20 odd international orders we received over the last 3 months, only 3 of them were legitimate.

As for verifiying the delivery address matches the card, this is VERY hit and miss, as it HAS to be done by the issuing bank.. So first.. I have to get the NAME and NUMBER of the issuing bank, NOT an easy task to start with. Then you actually have to CONTACT the bank.. yes.. International phone rates, at wierd hours.. Then it's up to the banks policy if they will even honor your request for validation... Then they might do it for you..

All this for a $10 order?? I think not.

And if we just run the gauntless, and let it go through anyway, in come the chargeback requests 3 months later. And guess who gets screwed... Us.. every time.

Anthony

CYA!

[jmkaza]

E-commerce companies get hammered by credit card fraud. People are more likely to punch in someone else's card number online than use a stolen card in person. The photo thing is probably just joe-site owners way of feeling secure that he's not going to get screwed. I don't see this as a violation of privacy at all. Just an extra added precaution. If it's a hard to get item at a good price, how could sending the pic hurt. Hell, if it's a paranoia thing, just have your friend pose. Nobody will know the difference.

Other options, like Escrow...

[Halon50]

Since you live in the UK, a lot of options like X.COM or PAYPAL aren't available to you. On the other hand, there are relatively inexpensive escrow services--in particular, iEscrow--that can take the place of your "trust" in dealing with online merchants.

The idea is simple--pay your money to iEscrow--, with a $2.50 fee (normally), the merchant sends you the merchandise, you inspect it, then release the money held in escrow to the merchant if you're satisfied.

The problem with using Escrow services is that most merchants won't want to deal with them, since they require you, the customer, have an "inspection period" to inspect the merchandise and make sure everything's ok before you send them the money. This means that not only do you have to trust the merchant, but the merchant also has to trust you, the consumer. Most are unwilling to do this, and so will instead try to get you to send alternate forms of proof of ID, like you're dealing with now.

As several people mentioned below, the person or people asking you for photo ID for a silly credit transaction are mostly causing themselves problems, not you.

A picture of your dog as well

[dilvish_the_damned]

Maybe a picture of your dog so we can duplicate that as well.
I do not have a vast amount of experience in this but I do have some. Based upon said experience I can say this: If they are taking your credit card number then they have a financial institution to deal with the transaction. Even many large and well to-do websites do not handle the transaction personally. It is up to these institutions to accept or deny your credit card as they are the ones that ultimately pay the website owner.
The system that is used and the rules employed for acceptance or denial have been used for well over a decade. They have never included a blood sample (or a photo to be sent). If they did, what good would they be? Why not just send a check?,br> If anyone asks for anything other than your credit card info and items that can be derived from that info (like your address, this can be derived and is used for verification that you are not pulling a fast -- one in some paranoid cases) I would be very suspect. Not only suspect of if they just wanted the card, but suspect of just how profesional they really are. If they are professional they would not be doing security checks by hand, leave that up to the credit crard security profesionals i.e. the bankers.

This already exists: www.passport.com

[ektor]

There's a company called Microsoft that already has a service like this.

You can create an account with all your details on http://www.passport.com and when you shop on any of the participant sites you don't have to enter any information. For a list of the participant sites go here.

Re:Attack the clear data stream, not the encrypted

[BlueUnderwear]

Neat. I suppose the reader also intercepts the signal when entering the amount and destination for the funds, or else it would still be vulnerable...

Unfortunately, many other smartcard systems aren't that well protected :(

Re: A Matter Of Trust?

[Linegod]

After many months of consideration, I only accept C.O.D. or cheque/money order. I'm safe, you're safe, and the banks and the government only know what I tell them :=)
"What do I care, if life ain't fair,
If you look at me real sore.
I've paid my dues and you should too,
as a son-of-a-bitch to the core"

Re:Whatever happened to SET, and E-sales experienc

[Puh]

>Well, it's been several years, and SET still >isn't implemented at any major e-commerce site >that I know of. The costs SET-compliant software >are huge. Well, maybe not on any major sites, but many smaller sites at least here in Europe are already using it. Lists by Visa and Mastercard.

How much information can you withold?

[Syberghost]

Let's say I open a store, and post a guard at the front door, with instructions not to let anybody in unless they put a blue sock on their left hand, shove an ice-cream bar up their ass, and promise to say "boogah" every six minutes while in the store.

Now you're my potential customer, standing at the door.

Is what I'm asking you unreasonable? Yep.

But if I don't make an exception for anyone based on the color of their skin, their sex, or certain other characteristics that may or may not be readily apparant by looking at them, your only legal recourse is to tell me to go eff myself and turn around and walk away.

So how much information can you withold? As much as you want.

How much service can they withold if you do? As much as they want.

Your rights don't override theirs.

If they were a monopoly, the rules would change; but "the only place I can find Captain Harlock on letterboxed DVD" doesn't qualify as a monopoly.

Bottom line; don't do business with anybody whom you feel has unreasonable requirements, and send them a polite letter detailing why you think they are unreasonable. Other than that, quit yer bitchin'.

--

This sounds very dubious

[EmmaLouise99]

I've worked in the financial services industry for some time and your experience is ringing major alarm bells.

If you are buying a product which requires shipping, all the company needs to do is check with the card issuer that the address you have given tallies with the address on the card. this makes e-commerce for tangibles far more secure than over the counter shopping where a quick scrible of the biro (often not even checked too closely) is all that's needed to liberate your goods.

As has already been mentioned, a quich 5 minutes with photoshop and you could knock up passable id. What's worrying is that this company then has an electronic copy of your id and card (real or otherwise), not something I'd be too happy about.

Most credit card fraud is perpetrated by dodgy merchants (or their staff) rather than by thieves/muggers/hackers. in the UK the worse candidates are filling (gas) stations. Don't forget that it's not that hard to set yourself up as a merchant. Caveat emptor!

Follow Up...

[cameloid]

Hm, I didn't realise this would generate so many different opinions...

The kind of solution I was thinking of would be some kind of certificate that I could obtain from an e-commerce site that I already deal with.

This would of course be encrypted so that I , or anyone else, wouldn't be able to tamper with it.

The certificate would contain information about me being a good guy, it's originator etc. I could then pass this certificate to the new site that I wanted to deal with who would then be able to verify this certificate with the originator, thus confirming that I was trustworthy. Preferably without passing around addresses, photos or credit card details. All that really needs to be done is to prove that I'm a good guy.

Now, I've not used PGP yet (and I know very little about security or encryption), but this kind of scheme sounds similar to that, I think. Whereby a third party would be able to authenticate my identity securely.

Perhaps, as e-commerce becomes more pervasive, it would even be possible for the browser itself to initiate a three-way conversation between new sites and ones that you currently use to do all this on the user's behalf.

As the company that I already buy stuff off of already has my details, it would not hurt them to "return" them to me, it certainly wouldn't cost anything. Perhaps a server application could do this, as the information is already being held electronically.

At the end of the day I like all this e-commerce stuff. There's an awful lot of cool gear available over the net that I simply cannot get easily in this country. I believe that it is up to the e-commerce companies to make it as simple as possible to buy stuff off of them, I don't want to worry about proving who I am I just want to get cool gear. I could say that the customer is always right, but that probably isn't true anymore...

Anyone know how to patent stuff like this in the UK? I haven't got a clue.

Anyway, I've got to get back to finishing this pointless Director project.

Bye!

Credit card fraud

[Olias]

Given the type of purchase you were making, anime DVD's, I can see where there might be a problem with kids ordering merchandise without parental consent, and that is probably what the merchant is trying to stop. (However, any kid can easily get a picture or a photocopy of mom and dad's ID if they wish to.) If the parents call in a dispute for an unauthorized charge and the store can produce a photocopy of the card and a photo of the card holder, the store is in the clear. I think the store is just protecting itself. In credit card fraud rings all that is needed is a blank piece of plastic and a credit card number. If this store is part of a ring having your card number is enough. A picture of you isn't going to give them any added benefit of ripping you off.

Re: No We're Not - We need the information!

[bungalow]

Seems to me that FEDEX would be the way to go. It is a bit more pricey than USPS, byt if someone is buying a diamond ring across the globe, they might appreciate the features of a connection - oriented delivery system. (so to speak)

Re: No We're Not - We need the information!

[bungalow]

I noticed that FEDEX shipping was not an option on your last post. (see my previous post)

Pardon the brand - loyalty, but if I was purchasing a $6,000. ring, whether nationally or internationally, I would not consider any other shipping method (except possibly UPS).

Re:Vendors just passing on Credit Card Company buc

[bungalow]

The vendors are the last line of defense against fraud. Anything after purchase approval is recovery and a pain in the ass.

The vendors should accept the responsibility of ensuring that the customer and the guy named on the card are the same person. The vendors SHOULD verify signatures, or (preferably) licenses and photographs. I'd much rather flash my license than be inconvenienced with a fraudulent purchase.
(On the reverse of my cards, "DEMAND MY LICENSE" is written where the signature might be)

Recently, vendors have punted this responsibility. You've seen the personal approval machines at your grocery's checkout counters. This isn't for your convenience. This is to prove that the cashier never had the opportunity to botch a credit card approval process, and offload more responsibility to credit card approval services.

Re:Address Verification

[DrSkwid]

address checking?

most card billing is done electronically with a PDQ machine. You get a verifaction number AND bear the cost of fraudulent use.

I worked on an e-commerce thing and learned a lot about the chain of validation.

Address checking is hard electronically because of Spelling & word layout.

21, St. Andrews St.
21 St. Andrews Street
21 Saint Andrews Street
Saint Andrews St.

A bit contrived I know but throw in Village, Town and County and things get more complicated.

You could just try street number and post code but we're not obliged to memorize such things as post codes.

I've thought that one-shot pre-paid billing from a clearing house might be some sort of solution. Kind of like buying credits you can use, especially for those of us that can't get credit cards because of our previous "activities" ;-)


.oO0Oo.

Dealing with non-US cards

[shawnek]

As the company referenced in the post above (www.rightstuf.com), I hesitate to post to this group, but here goes.

We were having so many problems with credit card fraud, especially internationally. All kinds of orders from all over the world, and a large % of them were junk. We had one week where one person tried to use 20 different card#s under different names shipped to different locations.

It is apparent from the posts here that most people do not understand how credit card merchants (especially internet and mail-order merchants) have to deal with cards.

Non-possession of card transactions are "trust" transactions; thus, you are trusting that the person on the other side actually has the card, owns it, and will pay according to the agreement. Credit card processors often will not defend chargbacks for non-possession of card, only chargebacks where someone had possession of the card and/or imprinted a copy of it.

Thus, if you purchase something on line, you can say you didn't order it, and even if I can prove that you received it with a POD with a signature, you can say you didn't order it and didn't receive it, and I will almost *ALWAYS* lose. The credit card companies don't lose - the MERCHANT does. The processor simply takes the full amount out of your account. Plus, the processor gets hit with a "chargeback" fee, and too many chargebacks push your processing rate way up! So, it is in the merchant's best interest to fight fraud aggressively.

Someone also mentioned that we should just use AVS. (Address Verification Service). Here's another joy... not all banks provide AVS information. Debit cards cannot be AVS certified, and cards outside of the US cannot be AVS certified. So, this helps us merchants for US customers only, and only if they are shipping to their home (which many people don't want, they want stuff shipped to their homes.) Seems silly, doesn't it. We are required to use AVS, but the banks are not all required to provide the information.

Someone else mentioned calling the customer's bank. OK, try doing this when the bank is on the other side of the world and isn't open and on top of that you have the language barrier? Is this worth it for a $25 order? Sometimes it is almost impossible (we have actually tried this.)

So, our solution for non-US customers was to ask to get a copy of the card and some form of ID (picture or not) by mail or fax. This at least tells us that the card *exists* and that there is a person with the same name having ID that matches the card, and that the address given is the same on the ID as it is on the order. Thus, it's not likely a card number made by a number generator from a list of stolen cards posted on IRC or something.

THIS IS FOR NON-US Customers only! (We can use AVS for US/some Canadian customers, which, as I mentioned above, works usually)

No - it's not foolproof. As mentioned herein, someone could spend a great deal of time mocking something up in photoshop/etc. to bypass this. However, most card thieves don't have the time or are unwilling to waste the time, when they can simply go somewhere that doesn't have such a requirement.

We only ask for this information once to set up an account, and it is never asked for again. I'm not sure that you could really do anything more with this information (the copies from a FAX) than you could with just having the card#. Maybe. Keep in mind this is a 200dpi or less image from a photocopied source to begin with, and with no colors, etc.

This procedure has dropped our international chargebacks to almost none. It has likely lost a few customers for us as well; however, what do you do as a merchant? One chargeback can be hundreds of dollars, wiping out the profit reprented by 30+ orders. I watched another company virtually get taken under by chargebacks last year. FYI: You can charge back a transaction up to 3 YEARS after you receive your statement. Talk about fun research.

I'm not familiar with how paypal or the other systems work at present, but I will certainly look into it.

I've been very interested to see the different replies posted here, ranging from "These people suck" to "yeah, being a merchant sucks."

Any suggestions that you can provide are wholeheartedly appreciated. We want to provide service to everyone, but you have to weigh the risk when you're a merchant. We've tried to come up with something that's fair.

By the way, the Tylor DVD is not out yet. We are releasing the Tylor OVAs beginning in July (Dub and Sub) and are working to see if we can make the DVD set a reality. Keep checking at www.rightstuf.com if you are interested.

Best,
Shawne Kleckner
President
The Right Stuf International, Inc.
shawnek@rightstuf.com