A Matter Of Trust?
cameloid asks: "I've been ordering stuff from a couple of U.S. Web sites now (I live in the UK), and was a bit dubious about credit card security at first. However, it was always the case that I was worried about getting my details stolen or something. Last night I was browsing an interesting site looking for some anime ("Captain Tylor" out on DVD?), and naturally checked to see if they would deliver internationally. Now, they wanted proof that the credit card details I sent them really belonged to me, in the form of a photo of me and a photo of my credit card (actual size I suppose). Now this doesn't strike me as being of much use to anyone and got me thinking. As I'm already an established customer on a couple of other well known e-commerce sites would it not be possible to get some kind of referral from these sites, saying that I'm a worthy customer? What would the implications of this be?" I've been seeing lots of really pointed questions about e-commerce sites lately (this site being the latest entry on that list) and I'm wondering how much information a company really needs before they can do business with someone and what kind of information a person can legitimately withhold. Would such information sharing between commerce sites be something that would benefit consumers, or are there privacy issues here that we should be concerned with?
E-commerce companies are lazy. Keep this in mind when trying to form any "trust network". In addition, you'll need to show a clear profit-making incentive for companies to participate - it makes no sense (business-wise) to work with another unless you make a profit. I don't believe such a trust network is viable anyway without a central authority - if any member of the network acts in a dubious fashion it will be publicized, and companies will be less interested in joining due to bad PR. In addition, without a central authority you have no ability to remove bad elements from the pool. Just my $0.02.
As I'm already an established customer on a couple of other well known e-commerce sites would it not be possible to get some kind of referral from these sites, saying that I'm a worthy customer? What would the implications of this be?
It sounds like a good excuse for companies to trade information about you.
I'm wondering how much information a company really needs before they can do business with someone and what kind of information a person can legitimately withhold
If they ever start asking you to send urine/semen/fecal samples, you know for certain that the line should be drawn.
Sorry, but the only time I've ever sent a "picture" of a credit card was to a small business, and it was via fax; I killed the credit card a little later anyway. :)
Pictures of cards are not one of the things the credit card companies ask you to obtain, so I would assume it's a scam.
My blog: http://www.seebs.net/log/ --- My iPhone/iPad app: http://www.seebs.net/seebsfrac/
Amen!
Companies need to get their act together when it comes to Credit Card acceptance. I was recently at a site that wouldn't allow you to buy with a card that had an expiration date after 2003! I mean, come on! And it's staggering to still find sites that expect you to enter your info including card number on an insecure page.
If they don't make it easy to order from them, let them die. Survival of the fittest!
You NEVER need to give your social security number when you are purchasing something online or otherwise. Not even when paying with checks, not even if it is your "student #" as well.
Anyone who has the right to ask for your social security number is *required by law* to give you documentation that they have this right and can withhold items or services until you give it to them.
This is very frequently abused especially by universities and the areas surrounding them. Put your foot down.
A couple of months ago all the major credit card groups including Mastercard and Visa imposed a new law on companies generating a high level of chargebacks. If more than 1.5% of your transactions are charged back, usually through fraud, then you have to pay large financial penalties to the credit card company.
I dare say the very large online companies like Amazon and so on have different terms, but that is how it is for the smaller companies.
As someone who had my company credit card details ripped off and used by some prick in Indonesia to order ''Buffy the Vampire Slayer'' merchandise from a US-based website, I don't think it's such a bad thing. But really the Credit Card companies should be providing crypto to the customer in the form of so-called smartcards rather than squeezing the vendors.
-Andy
This is what is behind the tightening of
Visa and MC now have some extra digits that are only written on the back of the CC, not embossed or shown on the front.
The idea is for internet companies to ask for these extra digits when people order stuff online, as a way to verify that you have physical possession of the card.
American Express has their own solution - the "blue" card has an embedded chip, then with a reader hooked up to your PC you actually 'swipe' your own card.
Again, this is to prove you have the card in your hot little hands, not a carbon off a receipt.
A picture of you with your credit card?
Heck... let's see... I'll just take a picture of myself with my credit card - change the name, number and expiry date with a good graphics editor - and wham... a pointless exercise in paranoia is proven insecure.
Is this because you are ordering internationally? Maybe they just want to see if you would do it... "Hey look at this joker... let's put him up on the wall - and order some pizza on him too!"
I'm sorry, anyone who came up with this idea has their head up their @$$.
BlackNova Traders
In an e-commerce world where companies are dying to know every last detail about you so that they can show you the banner ad that is most likely to get you to bite, I think it's fair to expect privacy problems if you get companies that have had previous business dealings with you to cooperate and 'share notes'. It seems like asking for your privacy to be invaded to me.
I'm not even quite sure why they would require the type of authentication that the poster is talking about. Even if it's straight credit card fraud, the company that ships the product still keeps the sale dollars, it's the credit card company (or the consumer) that eats the cost of the fraud. It seems that if companies don't have a problem with people complaining about them taking any credit card that is presented to them that they would do just that - why put extra hurdles in the way of a consumer, or make it less likely that a sale will actually be made?
As for the privacy though, I don't trust any company further than I can throw them. Companies are about profit, and when the concept of 'profit' coincides with my interests then the company will make me happy. But when somebody's idea of profit suggests that it might be a good idea to dig into my past purchases and compare consumer notes with another company in the name of "verification", it's pretty clearly not going to serve the customer's best interest.
If they HAVE to do this, it might be SLIGHTLY better to ask the credit card company for info rather than somebody else you have bought from. (i.e. when you dial up the company for card confirmation, have a way of digitally asking the question "if this purchase goes through, would it send up some weird red flag on this customer's account?" or something similar). Not that this would be good either, far from it. It seems like it might be slightly better though.
-- Truth goes out the door when rumor comes innuendo. -- Groucho Marx
"...what kind of information a person can legitimately withhold."
In the US anyway, I can withhold any information I want. I find it frightening that we've gotten to the point where we unconsciously equate business with government (which CAN demand information).
You are under NO legal obligation to provide ANYONE ANY information (except the gov't). Of course, businesses have policies and may refuse you service--in which case you go elsewhere. Although even those companies that claim to have policies usually waive them if you refuse.
For instance, I became a "member" at a video store recently. She was asking for information and eventually got to "Do you have a work phone number?". Luckily I had seen that question coming up on her computer and had an answer ready: "Yes, but I don't think you need it." She skipped that one.
On a previous occasion at a different store they actually asked for my Social Security #. I was so taken by surprise that I actually recited it without thinking. Won't be doing THAT again.
--
Have Exchange users? Want to run Linux? Can't afford OpenMail?
Linux MAPI Server!
http://www.openone.com/software/MailOne/
(Exchange Migration HOWTO coming soon)
I don't see how a photo of you would prove anything to them. It just shows you are a real person and not some figment of their imagination. Even a photo of your credit card is pretty dubious since there are many tools that can make a doctored photo look realistic.
I would think the best form of verification, if they really want to see you are who you say you are, is to call you. That information is readily available. They may not want to get bogged down in calling all the "questionable" customers, but is that really any less hassle than looking at all the pictures of people you thought were questionable?
After their numbers dwindled from 50 to 8, the other dwarves began to suspect Hungry.
Well if you noticed, most online companies that require credit card info also ask for billing address. So if someone takes your credit card, they may or may not know what the billing address for the card is. Asking for the expiration date makes sure that you have the card (since statements don't have that on there).
But even with all those precautions, people STILL can get your info and use it. I have had problems with this myself, and it has been hell and stressful to find out that someone has been using my information. Someone in Cleveland used my information to get a cell phone (which when I provided writing that it wasn't me, they did not hold any claims against me) and then, 7 months later (even with the credit fraud alert on my credit) they managed to get a landline phone and a couple more cell phones from a different company. Again, they didn't hold this against me, however I was under false impression that I could find out who did this and get them arrested (land line phones are connected to a house which is connected to people who live there). I couldn't get any info from the phone companies to give to the police, so nothing came of it.
Just be careful with your information, especially on the web. If this can happen to me, it can happen to anybody. It didn't deter me from using online banking and using my credit card on secure sites (since I don't think these criminals got my info from the web since they are in the same state as I am) but it sure is something to think about.
Something like an escrow would work for this. Essentially a third party (trusted by both parties) receives your payment plus a small handling fee and then holds it until the product arrives. Then they pay the manufacturer or retailer or whoever for the merchandise and ship the product to you. E-Bay already uses this to help people who use their auction services. It's only a matter of someone setting up a business that everyone would trust to handle their matters and not skip with the payment and the product.
The big problem with ecommerce is that privacy laws in the US are very, very weak. Database Nation by Simson Garfinkel has a very nice description of why the US considered privacy legislation in the 70's, congress came up with recommendations and failed to pass laws based on these recommendations. Most European countries did, though.
The recommendations, and the legal situation in most European countries, are:
The lack of these kinds of protections in the US is what makes me very wary of using lots of ecommerce, since the situation here is more: give us as much information about you as possible, we will generate some more from your use of our service and then run with it. What scares me is the secrecy of the whole process, the fact that it is almost impossible to find out who is doing what with your data and how it will affect you in the future. Will raising a stink with Amazon.com make it more difficult for me to get a house loan in the future ?
Without privacy laws on the books, we are headed for a future similar to Kafka's Trial: companies make decisions about you based on information about you that is essentially secret. Until I as a consumer have certain rights to review my data and find out about it, I don't want those ecommerce sites to build a "web of trust" about my online shopping behavior. Don't give them any ideas.
When people take payment with credit cards, they need a signature, or they don't have a leg to stand on if the purchaser later claims someone else made the order.
Credit cards were never designed for e-commerce, and really shouldn't be used for it.
One very interesting system is e-gold. They work by transferring precious metals from one of their accounts to another (in a large range of amounts, down to well under 1 cent). You don't need any special software, and pretty much anyone in the world can use it; also they only take 1% of each transaction, which is capped at $0.50 (yes, that's an upper limit, not a lower one). The only problem is that initial purchase of metals; basically you have to send in a check or money-order.
Actually, I haven't seen any other e-commerce system that supports micropayments and is actually giving worldwide service (though there are plenty in "trial" stages and others that serve one country or region). Can anyone point one out?
I don't think that they will. The US economy by itself is large enough to support these companies. For a lot of companies international trade is insignificant in comparison. Judging by the numbers of online traders who refuse international orders, there can't be that much incentive for companies... or maybe they're just ignorant of the potential.
addresses are not printed on cards in this part of the world.
.oO0Oo.
In the UK the only thing known about a card holder that you use is the card number & expiry.
That's it
anything else is just bogus anyway
"You want my address. Well I've got two houses, what use is that?"
"Here's my photo. Of course you didn't see me have it taken"
I've personally been asked to fax my signature as some sort of proof before.
People are clueless and easily fooled because they want to trust you.
There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
What about using your Credit Card Company as a PKI provider? They would know who you are, and who the vendors are, and should be able to provide verification to both sides...
I mean, what else is the interest & fees for, if not service?
Now, they wanted proof that the credit card details I sent them really belonged to me, in the form of a photo of me and a photo of my credit card (actual size I suppose).
Amazing. And you didn't tell them to fuck off? You must be a really kindhearted soul.
In any case, they are waaaay out of line and, of course, breathtakingly stupid. I mean, what's to stop you from sending them a photograph of some random Joe Q. Loser and slightly-Photoshop-processed picture of a credit card showing whatever numbers you want it to show?
If I were you, I'd tell these guys that they are being bloody utterly ridiculous and that you'll be glad to see the survival-of-the-fittest principle demonstrated on them. I mean who would ever buy from them??
Kaa
Kaa's Law: In any sufficiently large group of people most are idiots.
Now, let me get this straight. You're in the UK. The store is in the US.
Assumptions:
1. You've never been to this store in person.
2. You're not famous.
3. They have no idea what you look like.
So what does providing a photo prove? If I was going to use a credit card fraudulently, I'd steal the card. Take a picture of Joe Random Stranger, and send them off to the merchant.
Until such time that there is an international database of people's photos, this should work just fine.
So either these guys are clueless or it's a scam. I'd shop elsewhere.
Steve M
I had an experience like that once, from one of those flakey retailers that makes their profit from advertising, not from sales.
Their attitude seemed to be, "We aren't making any money off of it, so who gives a damn? Actually we'd prefer not to sell you anything at all, please go back to the web site and look at some more ads."
And I thought aggressive upselling was annoying...
Credit card companies require companies to agree to relatively strict merchant agreements governing terms of their service. This nonsense may violate those agreements.
It's not uncommon for merchants to violate them -- anywhere you see a minimum required purchase to use a card is usually a violation.
I understand that everyone's just trying to cover their butt on this, Visa doesn't want to pay for fraud, neither does joe-the-e-tailer, but Consumers sure shouldn't be paying. We already pay larcenous interest rates, not to mention shipping and handling charges (did I mention that my wife paid 30$ S/H on a $150 bedspread? not including sales tax.) I think the consumer is paying enough.
To help prevent fraud, I just report my card stolen periodically. The company reissues with a different number. Couldn't we just have rolling numbers on all of them (a la secureID)?
If anyone asked me for a photo of myself and a copy of my credit card, I would laugh, then report them right away. I don't think I've shopped in a real store in almost two years. I buy everything online. Yeah, it would be nice to have an online credit card of sorts, but until they come around, I'm stuck using my regular one, and my debit card. I have yet to be asked for a photo of me, or of my credit card. I have even ordered from Germany and France, and Japan a few times. I did have a few small problems where they said they were having problems verifying my card. On the back of my card I have a customer service number that I gave them. For my debit card, I gave them the phone number to my bank. I have seen more and more sites requesting "extra numbers" or the customer service numbers from the back of cards. I think that is an excellent way to go. I'm all about more security. For the record, two years purchasing online, and I've had only one fraudulent charge to my card, and they were caught. Idiots had it sent to their house. My company called me to verify since it was being sent 10 states over, and I told them no, and they contacted the authorities.
Thawte has an interesting take on the whole security idea. They will issue you a personal certificate if you present yourself to a "trusted" person, either someone already in the web of trust or a bank office, attorney, etc... It's not unlike PGP but a little more fleshed out.
Details here.
With Thawte acquired by Verisign, I'm not sure if they are committed to this in the future, since their site now seems to be covered with ads for Verisign's personal certificates.
But, the idea is an interesting one. A distributed ranking system where you accumulate "trust points" seems like a system that would work well with the open source world. In a sense, this is much like eBay, where you gain or lose "trust" in the system with every sale or purchase. While some people have been able to abuse the system on eBay, in general they haven't had wide-spread fraud, which is really what you should be worried about. The nice thing about eBay is that it empowers the individual. *I* get to decide if I trust you or not based on my personal criteria.
It's obvious that the existing credit-card system isn't secure enough for the internet world, so I can understand the anime site requiring some form of extra identity. Some sort of "identity broker" or "infomediary", to use the trendy term, seems to be required to make this work. In some cases, maybe that is your bank or credit card company, but I think the long-term solution would need to be more distributed, otherwise it all gets bogged down in inter-company politics and positioning.
Perhaps in the future, you will need to establish a "trust rating", much like a credit rating, with one or several identity broker services before you can do business on the internet. Thawte's system is a good start, it would be nice to see something more open and endorsed by the business world.
-Twid
- "When you want something with all your heart, the entire universe conspires to give it to you" -Paulo Coelho
How much information does a small business selling on the Internet need about potential customers? As much as they can get.
I own a small, web based retailer selling engagement rings, and I can tell you that we need as much information as possible about each customer. You have no idea how much fraud there is on the Internet: on average, 4 out of every 5 orders at our site are fraudulent. Most of these orders come from the UK and Australia. As a result we have had to stop all international orders. We simply cannot afford the enormous risk.
A few facts that might help you empathize with small Internet merchants.
I have bought thousands of dollars of merchandise on the Internet and sold much more, and I can say from personal experience that the Internet is a much more dangerous environment for small businesses than it is for customers. I have never experienced fraud on the net as a consumer, but I see it every day as a merchant.
Remember, you are asking a merchant who has never seen you, and knows very little about you, to ship expensive merchandise to you before they receive any money for it. Additionally, customers can almost always cancel the order without returning the merchandise and the merchant is out of luck. Large corporations can absorb some of these losses, but most small business owners can't.
Regards,
Brian Woodring
Webmaster, Owner
Rings-Online.com
What sort of assurance can we demand from the marketter in exchange for this sort of personal information?
I don't really like the idea of a digital image of my credit card, or myself for that matter, to be in the hands of a retailer. If a CC slip can be compromised, so can my likeness, and a jpeg of me can be sent to a retailer by people other than myself... They might paste my picture on a false testimonial, making it look more genuine, and possibly making me a suspect in false advertising.
We're being asked to provide identifying characteristics to a retailer before they will trust us - but how do we trust them to:
a) not abuse this identification
b) protect the confidentiality of this information
c) actually deliver the product
We've heard plenty of horror stories about fly-by-night operations that accept many orders, and many payments, and then close up shop without delivering the goods. It's easier to disappear on the net than it is in the real world.
It seems like a place that does this sort of 'integrity checking' could be trying to accomplish two things:
First, they try to appear more credible by showing 'initiative' in excessive security. Frankly, I like the LISTSERV email handshake method of establishing trust - maybe a third party approach... Retailer verifies with your CC company that you are a customer, the CC company verifies with you that you want to deal with that retailer - pass some PIN or transaction digest in a full circle and you're set. Tedious, but you're not exposed. Digital certificates exist specifically to address this problem, and only small (less trustworthy?) dealers cannot afford to use them.
Second, they could just be scarfing the net for people's identification, for use or sale. How valuable is a pic of your CC? Is it both sides? There's the buried issue of asking for an 'image' of my signature... How about your driver's license, with address, physical description, DONOR status... All this is valuable info to someone.
-- What you do today will cost you a day of your life.
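The "full circle" handshake sketched in the post above, worked through as an added example (this is not code from the thread or from any card network). It assumes the card company and the cardholder share a secret provisioned when the card was issued, that the merchant only ever holds an opaque card token, and that the issuer reaches the cardholder out of band; the names `Issuer`, `Cardholder`, `Transaction` and `card-token-A` are hypothetical. The merchant's request, the cardholder's confirmation and the issuer's answer are all bound to one transaction digest, so a stolen number, an inflated amount or a replayed confirmation each fail for a different reason:

```python
"""Added example: three-party confirmation of a card-not-present charge.
All party names and tokens are hypothetical; the secret is generated inline."""
import hashlib
import hmac
import json
import secrets
from dataclasses import asdict, dataclass


@dataclass(frozen=True)
class Transaction:
    merchant_id: str
    card_token: str      # opaque reference to the card, never the card number itself
    amount_cents: int
    currency: str
    nonce: str           # fresh per transaction; ties the confirmation to this one charge

    def canonical(self) -> bytes:
        # Fixed field order so every party hashes exactly the same bytes.
        return json.dumps(asdict(self), sort_keys=True, separators=(",", ":")).encode()


def digest_for(secret: bytes, txn: Transaction) -> str:
    """The 'transaction digest' passed around the circle: HMAC over the canonical details."""
    return hmac.new(secret, txn.canonical(), hashlib.sha256).hexdigest()


class Issuer:
    def __init__(self):
        self._secrets = {}   # card_token -> secret shared with the cardholder
        self._pending = {}   # nonce -> expected digest, consumed on first use

    def enroll(self, card_token: str, secret: bytes):
        self._secrets[card_token] = secret

    def merchant_request(self, txn: Transaction):
        """Step 1: the retailer asks the issuer to confirm this card for this charge."""
        if txn.card_token not in self._secrets or txn.nonce in self._pending:
            return None
        self._pending[txn.nonce] = digest_for(self._secrets[txn.card_token], txn)
        return txn   # Step 2: the issuer forwards these details to the cardholder out of band

    def cardholder_confirm(self, nonce: str, digest):
        """Step 3: the cardholder answers with the digest; the issuer checks it and tells the retailer."""
        expected = self._pending.pop(nonce, None)   # one-shot: a replayed nonce finds nothing
        if expected is None or digest is None:
            return False
        return hmac.compare_digest(expected, digest)


class Cardholder:
    def __init__(self, secret: bytes):
        self._secret = secret

    def confirm(self, txn: Transaction, expected_merchant: str, max_cents: int):
        """The cardholder reads the details before signing and refuses anything unexpected."""
        if txn is None or txn.merchant_id != expected_merchant or txn.amount_cents > max_cents:
            return None
        return digest_for(self._secret, txn)


def run_handshake():
    secret = secrets.token_bytes(32)      # provisioned at card issue time (constructed here)
    issuer = Issuer()
    issuer.enroll("card-token-A", secret)
    holder = Cardholder(secret)

    # Honest purchase: right merchant, acceptable amount, cardholder confirms.
    txn = Transaction("anime-shop", "card-token-A", 4_999, "USD", secrets.token_hex(8))
    honest = issuer.cardholder_confirm(
        txn.nonce, holder.confirm(issuer.merchant_request(txn), "anime-shop", 10_000))

    # Stolen number: the fraudster has the token but not the secret, so a self-made digest fails.
    txn2 = Transaction("anime-shop", "card-token-A", 4_999, "USD", secrets.token_hex(8))
    issuer.merchant_request(txn2)
    forged = issuer.cardholder_confirm(txn2.nonce, digest_for(b"guessed-secret", txn2))

    # Inflated amount: the cardholder is shown $499.99 instead of $49.99 and refuses to sign.
    txn3 = Transaction("anime-shop", "card-token-A", 49_999, "USD", secrets.token_hex(8))
    inflated = issuer.cardholder_confirm(
        txn3.nonce, holder.confirm(issuer.merchant_request(txn3), "anime-shop", 10_000))

    # Replay: the honest digest is genuine, but its nonce was consumed, so a second charge fails.
    replay = issuer.cardholder_confirm(txn.nonce, digest_for(secret, txn))

    return {"honest": honest, "forged": forged, "inflated": inflated, "replay": replay}


if __name__ == "__main__":
    print(run_handshake())
```

The point of the design is that the retailer never learns the secret and never needs the photo, the signature or the card number: the issuer already knows whose card it is, and the cardholder is the only party who can produce the digest for exactly those details. The nonce is what makes the circle close once; without it a confirmed digest could be presented again for a second charge.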
Sending a picture? For anime? Suspect trouble! They are willing to either wait for a hardcopy photograph, then pay to file and store it so that they can retrieve it, or they are willing to accept a softcopy and stow that on a disk somewhere. This eats seriously into their cash flow, turns customers away, and is generally a very expensive and ineffective way to do fraud control. If I were a merchant, I might consider measures that invasive if I was dealing with a four-figure purchase, though that wouldn't be my preferred way of doing it. For something under $100, this is the sort of thing that would cause them to lose money on every purchase.
Merchants do have to defend against credit card fraud, however. If you take my card number and buy that anime, when I see the charges, I can dispute them. The anime merchant would end up coughing up the charges; that's the breaks you take when you sign up to accept major credit cards. However, there are online services that do fraud checking.
Electronic fraud screening is available from several vendors, and it can give a merchant an idea as to how risky you are to sell to. Criteria include velocity screening (if your use per day changes drastically, it suspects theft), address checking (you are slightly more risky if the shipping address is not the home address of the cardholder), and how often you do chargebacks (having the credit card company remove a charge versus just getting a return out of the vendor). This has to be cheaper, and more effective, than getting photographs.
If somebody is resorting to photo methods, I have to guess that they either need to take Credit Card 101 or are actively malicious. While I would suspect the former (incompetence before malice), I would still steer clear, from what limited information you have given me.
--The basis of all love is respect
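The screening rules described in the post above (velocity, address mismatch, chargeback history), plus the two possession checks mentioned earlier in the thread (the extra digits on the back of the card, and the billing address), written out as an added example. This is not code from any fraud-screening vendor; the thresholds, the 24-hour window and the sample orders are constructed for illustration, and the 1.5% figure is the chargeback ratio quoted elsewhere in this discussion. The Luhn check is added on top because a number that fails it cannot be a real card and should be declined before any other rule runs:

```python
"""Added example: rule-based fraud screening for card-not-present orders.
Thresholds and sample orders are constructed; the PANs are the usual test numbers."""
from collections import defaultdict
from datetime import datetime, timedelta


def luhn_ok(pan: str) -> bool:
    """Luhn checksum: catches typos and made-up numbers, not stolen ones."""
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) < 13:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:              # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class FraudScreen:
    def __init__(self, velocity_limit=3, window=timedelta(hours=24), chargeback_limit=0.015):
        self.velocity_limit = velocity_limit
        self.window = window
        self.chargeback_limit = chargeback_limit
        self.attempts = defaultdict(list)   # pan -> timestamps of earlier attempts
        self.chargebacks = {}               # pan -> (transactions, chargebacks)

    def record_chargeback_history(self, pan, transactions, chargebacks):
        self.chargebacks[pan] = (transactions, chargebacks)

    def screen(self, order, now):
        """Returns (decision, reasons). One rule hit -> manual review; two or more -> decline."""
        pan = order["pan"]
        if not luhn_ok(pan):
            return "decline", ["PAN fails Luhn check: not a real card number"]
        reasons = []
        if not order.get("cvv"):
            reasons.append("no CVV2: nothing shows the buyer holds the physical card")
        if order["ship_to"] != order["bill_to"]:
            reasons.append("ship-to address differs from the cardholder's billing address")
        recent = [t for t in self.attempts[pan] if now - t <= self.window]
        if len(recent) >= self.velocity_limit:
            reasons.append(f"velocity: {len(recent)} earlier attempts within {self.window}")
        txns, cbs = self.chargebacks.get(pan, (0, 0))
        if txns and cbs / txns > self.chargeback_limit:
            reasons.append(f"chargeback ratio {cbs / txns:.1%} exceeds {self.chargeback_limit:.1%}")
        self.attempts[pan].append(now)      # declined attempts count toward velocity too
        if not reasons:
            return "accept", reasons
        return ("review" if len(reasons) == 1 else "decline"), reasons


def screen_sample():
    """Runs a constructed order log through the screen; returns order id -> decision."""
    t0 = datetime(2001, 3, 1, 9, 0)
    good, bad, burned = "4111111111111111", "4111111111111112", "5555555555554444"
    orders = [
        ("o1", good,   "123", "UK-SW1A", "UK-SW1A", 0),   # clean
        ("o2", good,   "123", "UK-SW1A", "ID-JKT",  1),   # ship-to differs
        ("o3", bad,    "123", "UK-SW1A", "UK-SW1A", 1),   # checksum failure
        ("o4", good,   "123", "UK-SW1A", "UK-SW1A", 2),   # still under the velocity limit
        ("o5", good,   "123", "UK-SW1A", "UK-SW1A", 3),   # fourth attempt in a day
        ("o6", good,   "",    "UK-SW1A", "ID-JKT",  4),   # velocity + no CVV + address mismatch
        ("o7", burned, "456", "US-OH",   "US-OH",   5),   # card with a bad chargeback record
    ]
    screen = FraudScreen()
    screen.record_chargeback_history(burned, transactions=10, chargebacks=1)
    decisions = {}
    for oid, pan, cvv, bill, ship, hours in orders:
        order = {"id": oid, "pan": pan, "cvv": cvv, "bill_to": bill, "ship_to": ship}
        decision, reasons = screen.screen(order, t0 + timedelta(hours=hours))
        decisions[oid] = decision
    return decisions


if __name__ == "__main__":
    for oid, decision in screen_sample().items():
        print(oid, decision)
```

Two caveats a practitioner would add. The address rule is deliberately soft (a gift or a business shipment legitimately differs), which is why it only pushes an order to review on its own; and the Luhn check proves nothing about ownership, it only filters numbers nobody was ever issued. None of this needs a photograph, and all of it runs in milliseconds per order.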
This is the goal of such services as zKey and Microsoft Passport. You register with them, they verify that you are a good and valid customer. Then any ecommerce sites which use their services instantly know you are a valid customer and also have all your existing information, thus eliminating hassle for you.
--------- Beware the dragon, for you are crunchy and good with ketchup.
My wife and I both use one credit card for the bulk of our purchases. Actually, we have separate physical cards, but the account number is the same. The name and the signature on the cards are different. However, if I give my card to a clerk, and he gives me a receipt for my signature, my wife can sign it. Is that secure? Not really. But it's damn convenient.
It's all a question of where you draw the line. There have been instances where the lack of security has been a boon. I've been able to order computer hardware for my parents simply by having them give me the CC number and date. That's not secure, IMHO. If CC's were truly secure, I would not be able to do that.
But how do you make e-commerce transactions truly more secure? Adding more numbers or passwords doesn't help - it still lets other people make purchases. You could use biometric scanners, but that's a nightmare of its own, and it's still information being sent over the wire (you could copy the biometric data and retransmit it yourself).
How about limiting CC transactions from one IP address? Or having some kind of special key encoded in the computer (can we say Pentium serial number)? We all know these are bad ideas.
The truth is, there isn't anything you can really do to make CC's more secure over the Internet. The most you can do is make it more inconvenient for everyone. I get the feeling that some people equate less convenient with more secure.
So you might say that it's safer to only purchase items in a store. Well, who says the clerk behind the counter is any more trustworthy than a web site and 128-bit encryption?
The CC companies will reimburse customers for bogus transactions. But because e-commerce is so insecure, they think their risk is too high. So they're sharing the the burden with the vendors, and I think that's fair. If you're a vendor with greater than 1.5% returns, then you have bigger problems than the financial penalty. You either have a major security hole, or your products suck.
And the men who hold high places must be the ones who start
To mold a new reality... closer to the heart
I have a bank checking card, have never signed the back of it, and have never been asked for my ID. I was amazed (after all I'd been told about how secure it would be) that no one would check to make sure I was really the right person.
On another note, the other day I went to cash my paycheck at the bank it was drawn on. I whipped out my two forms of ID, my driver's license and my SS card. D@mn if the teller doesn't tell me that the SS card isn't a valid form of ID and then proceeded to ask if I had maybe a business card instead....ug...
"Leave the gun, take the canoli."
this is just a placeholder till i send back my real sig from the future.
Do you take phone orders? If so, do you require the same amount of rigorous verification?
It seems there is a double standard emerging with respect to online orders. Companies are placing unusual restrictions on ordering from web sites, but don't follow the same guidelines when receiving orders by phone.
I have had many problems with websites wanting ridiculous amounts of information just to place an online order. The last online order I attempted, the company wanted my bank's phone number and address. When I call the same companies to place an order via phone, they usually ask for just the bare essentials (shipping address, CC#, expiration date) and could give a rat's ass about verification.
Among these are the mention that 'identity theft' is a federal felony that's slowly becoming more and more prosecuted, and that "an estimated 20 to 40 percent of online purchases are fraud attempts." It's nice to see that someone would be penalized for illegally using my credit card online, but it's also disheartening to see how prevalent fraudulent attempts are, especially when we see how difficult they are to prosecute currently.
I've purchased online extensively over the past few years, usually without any apprehension. The sites that give me reason to pause are the small shops - someone selling CDs of their band, what have you - that really don't have the funds to provide any sort of fraud protection. When a site is able to provide even basic information to assuage the concerns of a potential customer (see Digital River's information about fraud here) then they're better positioned to take advantage of the situation.
To stay on-topic for just a moment, I consider it doubtful that e-commerce companies would share information regarding fraudulent attempts with their competitors. If your company is losing money hand over fist because of fraud, I'll happily take whatever future customers you may have for my company. There may be an advantage in mutual benefit here, but I doubt many companies will see it that way.
Really, though, disheartening is the only way to look at it - being able to purchase anything online without any fear of loss of privacy would be a wonderful thing, but that's just being a bit too idealistic and naive. I guess we just need people like Mr. Cameron to try to minimize the damages.
I had to give a piss test, 2 forms of photo id, eye scan, finger prints and a spinal tap before they let me into this one porn site.
But I feel safer now that my credit card isn't among the 31337 hAx0rs of the world.
Plus my credit card is hard to guess, you would have never guessed
AJ Bennett
4828719230128348
with an expiration date of 03/02
You would have never guessed that could you. HA, I am feeling like one secure mofo.
"`Ford, you're turning into a penguin. Stop it.'" -THHGTTG
PayPal
--Joe--
Program Intellivision!
I always use E-gold or something similar when possible because it protects me as a consumer. I did work for a large catalog/online company that sells computers and related products. While employed there I showed them several methods their system could be penetrated, including grabbing a list of credit cards (several thousand) which I dropped on mgmt's desk w/ a detailed step-by-step list of how I did it and how to fix it. They never have fixed it (it's been over a year) and it's been enough to cure me from most online shopping. If I use a credit card I use a debit card with a hard limit and only a small amount of $ in the account. It should be noted that this company is using the same software that many other companies use and that I had no special access to the system. Just by knowing the software they used and how those bits work together I was able to access the system at a very high level.
At what price learning? At what cost wisdom? The price is a man's peace of mind, and the cost is his life.
Online E-tailers really put a lot on the line when it comes to credit cards. When you sign the merchant agreement you agree to a lot of things that give the merchant bank all the power.
Most merchant banks handle things about the same. Joe Schmoe says the charge isn't his. The merchant bank puts the funds on hold. It goes around a few times. If by the third time the card holder hasn't admitted they made the charge, the merchant bank will demand a signature and an imprint of the card. It doesn't matter if you have a recording of the call with the person authorizing the charge. You lose, do not pass go, do not collect 200 dollars.
The only recourse the merchant has is small claims court.
Getting paid is a tricky job sometimes. There are plenty of ways of messing with the system. The only one who really gets rich is a merchant bank.
How would it help for companies to share information about you? Sure, they would get something out of it, (a chance to peek into your private life) but how will it help you?
If the company you are dealing with wants to verify that you are a "worthy customer", (which means, I assume, a customer who has the ability to pay and is not committing fraud) sharing information with other online companies probably is not going to help. If you give them a credit card number, they already check with the credit card company to see that your name and information matches the name and information on the card. So the only real concern is, how does the company know it's really you ordering the product, and not some other guy with your information pretending to be you? The answer: they probably don't. And referrals from other companies probably won't help. Just because John Doe has purchased something from Company A, and was a good customer, doesn't really help Company B figure out whether it's really John Doe trying to order something from them or just a punk who stole his credit card.
Some companies sort of solve the problem by refusing to ship to any address but the one listed with the credit card company. This causes just as many problems as it solves, though, because it makes it impossible for a legitimate customer to have a purchase sent to an alternate address. So what options are available for companies to use to verify customers' identities? Anyone have any suggestions?
I have some very strong opinions about this. I used to sell Web hosting and UNIX shell accounts on my site, Sandwich.Net. We were doing very well for a while (we even ran some banner ads on Slashdot), but we shut down commercial operations after a very large loss brought on by credit card fraud.
:) Feel free to e-mail me if you're interested in more details. (I'd be happy to discuss the merchant service provider and credit card companies involved.) I hope this message made at least some amount of sense.
Apparently, we were very popular with the "script kiddie" community. About 90% of credit card orders that we received turned out to be fraudulent (immediately or eventually) - not from credit cards that had been physically stolen, but from compromised credit card numbers and account information. For some reason, almost 75% of those fraudulent orders were either using Malaysian cards or came from Malaysian dial-up accounts.
For Internet ordering, most merchants use AVS, the Address Verification System, for fraud screening. I understand that there are some other systems available now. With AVS - and even with most new systems that I've seen hyped - if your personal information is compromised along with the card number (which is very common), the system is completely useless. AVS doesn't work with credit cards from outside the U.S. or Canada anyway.
If I had required that users fax me a copy of their credit card and picture ID, I suspect that I could have prevented very nearly all of the credit card fraud that happened. As it was, our merchant service provider terminated our merchant account for excessive chargebacks, and charged us a certain amount per chargeback, which added up to a large loss. It would have helped had the provider actually provided us with anything other than AVS for fraud screening, or with decent customer service or advice. A system like that suggested in the article, where assurance is traded among merchants, sounds good, but I agree that it raises some major privacy concerns.
Banks and merchant service providers don't seem to care very much about this. After I realized what was going on (far too late to stop most of the chargebacks), I ended up denying most international orders, and calling banks in North America to verify the charges. Most of them were very unhelpful - I now know which banks I never want to get a credit card from...
I could keep going on about this for several pages.
Also, regarding two other comments:
More financial penalties for high-chargeback merchants? That seems unhelpful, considering that in most cases (not all, admittedly), it isn't the merchant at fault. Additional fraud screening and actual help for confused merchants would probably more effectively prevent fraud. Penalties certainly encourage merchants to take action against fraud, but it's very difficult to find out how to do so.
The extra digits on the back of Visa/MC cards seem fairly useless to me, as if a Web site that asked for them is compromised, you're no better off than with a "normal" card.
Visa and MC were supposed to provide the SET protocol to
This was done using a digital certificate for each customer, vetted by the bank. The e-store never gets the credit card number, just various confirmation numbers from the bank, and credit in their account.
Well, it's been several years, and SET still isn't implemented at any major e-commerce site that I know of. The costs of SET-compliant software are huge.
I wouldn't shop at any place that is that much of a hassle to order from. Unless I'm assured of a great deal ahead of time, I won't shop from places that (a) require a log-in (esp. with credit card) before I can put the first item in the cart, or (b) aren't up-front with the shipping costs.
Hey - Toys-R-Expensive^h^h^h^h^h^h^h^h^hUs doesn't even use a secure server!
My wife runs a small children's book store on the web, and fraud really hasn't been a problem. We've never had a customer complain about theft, we've never gotten stiffed for a bill, and the couple of customers who tried to reverse a charge after receiving legit merchandise were re-credited to us -- a hassle, but we won.
We did get a pair of orders one day both shipping to the same city in Hungary using US cards. This raised some virtual hackles, and when the customers didn't respond to e-mail, we canceled the order and reported them to the credit card company [hey - where's our reward?].
Admittedly, the major fraud risks are for large ticket items, or direct-download items, from software to smut, none of which we work with (I think the biggest ticket items are under $200 for hardback sets of The Chronicles of Narnia or some such).
J
Standard CC transactions already let you map a number to the owner and his or her home address. That's all that should be needed. The only possible thing that could happen if you have things set up right is that a person could use a stolen credit card and send whatever product to a different shipping (as opposed to billing) address. But even there the criminal is exposing himself to getting caught, and so that's not likely to happen.
We have been victim of fraud, but so far, after many thousands of orders, it's either been on returns (no credit card solution is going to help there) or from people shipping items to PO Boxes. We had to stop shipping to PO Boxes because these cannot be traced to an address, and certain people would try to steal things that way.
Of far greater concern to these people should be protecting the credit card information in their database. I imagine it was quite damaging to the companies that stored database info on their webserver and then were subsequently cracked.
The only thing I can see this useful for is marketing and that's where our companies differ. My company strongly supports privacy and would never share customer information.
No, Thursday's out. How about never - is never good for you?
First thing, do NOT send them a copy of your credit card. There are usually 4 numbers above the imprinted digits. Knowing these numbers can help credit card thieves use your card and/or make changes to your credit account.
I have a merchant account for online credit card transactions and the problem that companies face in the U.S. is the large amount of chargebacks and fraudulent charges from overseas. In fact, I have a list of over 70 country codes that I was given by the bank and advised to block entirely. All of Italy being one of those countries. The UK was not on the list but I can see how some banks may require some special authentication.
Also, I just found out that Ibill, one of the major third party credit card processors, just lost the ability to use American Express for all adult related websites due to high number of chargebacks and fake charges.
As for companies sharing info, I don't think that's the way to go.
- Simon
They say on their order page that they need to have the shipping address match the credit card address and as I'm out of the country (in Canada) for a few months I explained the situation in the comments field and gave them my phone number.
Then the trouble began.
I got a message from them asking me to "add" my shipping address to my credit card. Well, it's a debit card and you can't do that, the best I could do was change my permanent address with the bank to the place I'm staying at in Canada. I didn't want to do that because I'm not staying here permanently but I really need the equipment. The bank was happy doing that over the phone.
I got a call from Bank Security verifying the transaction so I know that the transaction was approved by the debit card company.
But when they verified my address again it still hadn't gone through. No problem, I thought, I'll just give them the number of the lady at the bank who approved the address change.
Well that wouldn't satisfy them. I ended up spending all day on the phone, alternately with my bank who bent over backwards to be helpful and who assured me they would do everything in their power to get Megahaus to send me their drives, and some obnoxious chick in Megahaus order processing who said - get this - she wasn't permitted to dial an extension when verifying my address.
It is impossible to reach anyone at my bank without dialing an extension. The branches don't even have their own phone numbers. When you dial the number you get a switchboard and the person at the switchboard doesn't have bank record information available.
The chick at Megahaus said if she couldn't get the verification from the person who answered the phone she wouldn't send me the drives.
Now I could wait three days for my address change to register on Visa's records (isn't this the 21st century) but instead I canceled my order and ordered from Insight instead.
Mike
-- Could you use my software consulting serv
When you place an order, the merchant sends an "auth request" through their credit card people. The CC guys do any fraud screening the merchant might want done (verifies that the card is real, not expired, not past due, etc.), and verifies that there is indeed "room" on your card. It also puts a lien on your credit card for the amount of the purchase. The merchant gets an auth code back, unrelated to the credit card data, so that they can wipe the credit card data (think of the auth code as a credit card magic cookie). This whole auth request/auth return takes place in real time (which is why you can get "credit refused" while placing an online order--the auth came back negative). You don't pay for the lien, it doesn't show up on your statement, but it is there and it lowers your effective limit. If I have a $5,000 limit on a card with no debt, and I order a $3,000 laptop, there is only $2000 in "real room" on my card, though I am not officially charged yet. That $3,000 is earmarked in the lien to guarantee to the merchant that they will get paid when they ship the laptop. In the meantime, I will get an "over the limit" refusal if I order another $3,000 laptop before they ship the first one and I pay down my card again.
For the record, auths do not last forever. I believe they go piffle somewhere between 30-90 days if they aren't redeemed.
When the merchant ships the product, they look up that auth code that they got, submit that back to the credit card people, and redeem the auth ("I have auth code 34908792 for $3,000. I shipped the goods. Pay up"). The money gets automagically credited to the merchant account.
--The basis of all love is respect
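The auth/hold/capture flow described in the comment above, modelled from the issuer's side as an added example (my code, not anything from the thread or from any real processor). Dollar amounts are in cents, the 30-day hold lifetime is an assumption picked from the "30-90 days" range the poster gives, and the dates and auth-code format are constructed. The merchant in this model only ever stores the returned auth code, which is the point the poster makes about wiping card data.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Assumption: an uncaptured authorization lapses after 30 days (the comment
# says "somewhere between 30-90 days"; the exact window is the issuer's).
AUTH_TTL_DAYS = 30


@dataclass
class Authorization:
    code: str        # the "magic cookie" the merchant keeps instead of card data
    amount: int      # cents
    issued: date
    captured: bool = False


@dataclass
class CardAccount:
    """Issuer-side view of one card: a limit, posted charges, and open holds."""
    limit: int                       # cents
    balance: int = 0                 # captured (posted) charges, cents
    holds: dict = field(default_factory=dict)
    _seq: int = field(default=0, init=False)

    def expire_holds(self, today: date) -> None:
        """Drop authorizations the merchant never redeemed in time."""
        for code, auth in list(self.holds.items()):
            if today - auth.issued > timedelta(days=AUTH_TTL_DAYS):
                del self.holds[code]

    def available(self, today: date) -> int:
        """'Real room' on the card: limit minus posted charges minus open holds."""
        self.expire_holds(today)
        return self.limit - self.balance - sum(a.amount for a in self.holds.values())

    def authorize(self, amount: int, today: date):
        """Auth request: returns an auth code, or None for 'credit refused'."""
        if amount <= 0 or amount > self.available(today):
            return None
        self._seq += 1
        code = f"AUTH{self._seq:06d}"    # constructed code format
        self.holds[code] = Authorization(code, amount, today)
        return code

    def capture(self, code: str, today: date) -> bool:
        """Redeem an auth code after shipping: the hold becomes a posted charge."""
        self.expire_holds(today)
        auth = self.holds.pop(code, None)
        if auth is None:
            return False  # unknown, already captured, or lapsed
        auth.captured = True
        self.balance += auth.amount
        return True


def walkthrough():
    """The poster's scenario: $5,000 limit, two $3,000 laptop orders."""
    day0 = date(2001, 1, 10)                     # constructed date
    acct = CardAccount(limit=500_000)
    first = acct.authorize(300_000, day0)
    room_after_first = acct.available(day0)      # 200_000: the lien counts against the limit
    second = acct.authorize(300_000, day0)       # None: "over the limit"
    shipped = acct.capture(first, day0 + timedelta(days=3))
    return {
        "first_code": first,
        "room_after_first": room_after_first,
        "second_refused": second is None,
        "capture_ok": shipped,
        "balance_after_capture": acct.balance,
    }


def lapsed_auth():
    """A hold the merchant never redeems frees up and can no longer be captured."""
    day0 = date(2001, 1, 10)
    acct = CardAccount(limit=500_000)
    code = acct.authorize(300_000, day0)
    later = day0 + timedelta(days=AUTH_TTL_DAYS + 10)
    return acct.available(later), acct.capture(code, later)
```

Run `walkthrough()` to see the second $3,000 order refused while the first is only held, and `lapsed_auth()` to see a forgotten auth code become worthless to the merchant once the hold has expired.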
In Norway (where I come from) they created a system called SET (I think, it's been a while since I looked at that). What this system did, was by using encryption, validated your request, but without the shop getting the details.
How it did this was by using a trusted third party (which isn't that new a concept). This is typically the bank, or the card company. This combined with digital signatures meant that the shop couldn't change the values, and it didn't even know the credit card number. It just knew that the transaction was ok, since the third party said so.
There are a lot more details of course.
This system seems to have died, since it was too complicated, and the netshops didn't support it. A shame if you ask me, but then, nobody does..:-)
-- Thorkild
On a side note -- Wired magazine had an article a few days ago about how American Express will no longer cover credit card transactions from porn sites. AMEX says that porn sites have such a high charge back rate from fraud that they are no longer interested in working with those companies. One thing the article pointed out is that a lot of the fraud from these sites doesn't come from stolen cards or invalid numbers, but from people disputing what are probably valid charges because they don't want to admit to embarrassing purchases. ("No, honey, I don't know how that charge got on my bill. Someone must have stolen my card...")
Considering how lucrative the online market is for porn and other goods and services people would rather purchase with the benefit of anonymity, credit card companies should probably focus some of their security research on techniques for nonrepudiation, not just improving methods for authentication and preventing interception of card numbers.
When violence rules the world outside / And the headlines make me want to cry / It's not the time to just keep quiet
I cringe to recommend the service to this hostile group, but Microsoft is attempting to address this very problem with Passport. By authenticating yourself centrally, and storing your essential information such as credit card numbers, on their servers, you are immediately authenticated to any sites that recognize the passport mark.
Of course, this has yet to become popular, and I could understand if you had reservations about handing such important data into a corporation's safekeeping.
-konstant
Yes! We are all individuals! I'm not!
The transaction companies we have dealt with in the UK cover their asses by making the percentage on each transaction quite high (err, 7% I think I remember hearing for some!), but that covers you for chargebacks (insurance or something...).
When playing with Barclays ePDQ, I ended up reading the cybercash docs (basically what ePDQ is, but re-branded). They had a great feature, the Address Verification System (AVS) that didn't just take the CC number, name and expiry date, but also takes the first line of the cardholder's address and their zip/postcode for verification. You can then choose to reject transactions where either or both fail (can be problematic - 1 Main St. is not the same as 1 Main Street).
So I started looking at integrating it, but at the moment, Barclays doesn't support it. From what I can gather though, they will be soon, and when they do, the transaction fee will be less for shops that use AVS to verify cardholder's address and only allow shipping to billing address.
Of course, the easiest solution is to remove yourself from consumer culture and buy as little as possible. But then, not everyone wants to be a hippy <sigh>
-- Trinity in high heels carrying a whip: The donimatrix - there is no spoonerism
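An AVS-style screen of the kind the two comments above describe (the one on AVS being useless against a compromised address, and the one on ePDQ/CyberCash matching the first address line and postcode, with "1 Main St." versus "1 Main Street" as the pitfall), as an added example of my own; it is not CyberCash, ePDQ or any processor's real code. The street-type table, the result labels, the merchant policy (full match shipped to the billing address is accepted, a partial match goes to review, a double miss is rejected) and all addresses are constructed. Real AVS replies with response codes from the issuer; this only shows the comparison and decision logic.

```python
import re

# Street-type abbreviations folded to one canonical token (constructed subset;
# a production matcher would use the postal authority's full list).
STREET_TYPES = {
    "street": "st", "st": "st",
    "avenue": "ave", "av": "ave", "ave": "ave",
    "road": "rd", "rd": "rd",
    "lane": "ln", "ln": "ln",
    "drive": "dr", "dr": "dr",
    "boulevard": "blvd", "blvd": "blvd",
}


def normalize_line(line: str) -> str:
    """Lower-case, drop punctuation, fold street types: '1 Main St.' == '1 Main Street'."""
    tokens = re.sub(r"[^\w\s]", " ", line.lower()).split()
    return " ".join(STREET_TYPES.get(t, t) for t in tokens)


def normalize_postcode(code: str) -> str:
    """Strip spaces/hyphens (so 'SW1A 1AA' == 'sw1a1aa'); a US ZIP+4 is reduced to its ZIP."""
    code = re.sub(r"[^a-z0-9]", "", code.lower())
    if re.fullmatch(r"\d{9}", code):
        code = code[:5]
    return code


def avs_check(given_line, given_code, card_line, card_code):
    """Return (address_matches, postcode_matches), the two facts an AVS reply carries."""
    return (normalize_line(given_line) == normalize_line(card_line),
            normalize_postcode(given_code) == normalize_postcode(card_code))


def screen_order(order: dict, card_record: dict) -> str:
    """Merchant policy (constructed): accept only a full AVS match that ships to the
    billing address; partial match -> manual review; both wrong -> reject."""
    addr_ok, code_ok = avs_check(order["bill_line"], order["bill_code"],
                                 card_record["line"], card_record["code"])
    if not (addr_ok and code_ok):
        return "review" if (addr_ok or code_ok) else "reject"
    ships_to_billing = (
        normalize_line(order["ship_line"]) == normalize_line(order["bill_line"])
        and normalize_postcode(order["ship_code"]) == normalize_postcode(order["bill_code"])
    )
    return "accept" if ships_to_billing else "review"


# Constructed sample data: what the issuer holds for the card.
CARD_RECORD = {"line": "1 Main Street", "code": "90210-1234"}


def demo():
    """Four constructed orders against the same card record."""
    exact = screen_order({"bill_line": "1 Main St.", "bill_code": "90210",
                          "ship_line": "1 MAIN ST", "ship_code": "90210"}, CARD_RECORD)
    drop_ship = screen_order({"bill_line": "1 Main St.", "bill_code": "90210",
                              "ship_line": "22 Elm Ave", "ship_code": "90211"}, CARD_RECORD)
    wrong_zip = screen_order({"bill_line": "1 Main St", "bill_code": "90211",
                              "ship_line": "1 Main St", "ship_code": "90211"}, CARD_RECORD)
    nothing = screen_order({"bill_line": "9 Oak Rd", "bill_code": "10001",
                            "ship_line": "9 Oak Rd", "ship_code": "10001"}, CARD_RECORD)
    return exact, drop_ship, wrong_zip, nothing
```

The normalisation is what keeps "1 Main St." from being bounced against "1 Main Street"; the ship-to-billing rule is the condition the ePDQ comment says earns the lower transaction fee. It does nothing against the case the other comment raises, where the thief already holds the correct billing address, which is why the "review" bucket still needs a human.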
Visa, and other credit card companies will pay all theft claims. It's very expensive, and that's why the credit card rates are so ridiculously high.
Guess you decided not to read any comments and just display your ignorance...
Visa/Mastercard take the fraud $$ straight back from the merchant..... plus charge the merchant some extra $$ just for the privilege....
However, what is often forgotten is that the data stream between keyboard/mouse and the smartcard is in the clear. A smart trojan would attack that stream, and just tell the card "the user just keyed in an order to pay www.chaos.de $20, please encrypt".
The Amex Blue readers, as well as some of the readers that my company produces, have a PS/2 interface on them. The reader sits between the keyboard and the computer. When entering information to the card (specifically a PIN) the reader intercepts the signal, and it never reaches the computer, which means it is never available to a trojan.
More security than not, but there are still ways to attack that system (Tempest, video camera watching the keyboard, etc.) -- Walter Mitty wmitty at hushmail dot com
As long as the keyboard connects directly to the reader, and all relevant data (not only the PIN, but also the amount and the account number where the money should be transferred) are grabbed directly off the keyboard and not relayed through the computer or its insecure OS. If only the PIN is entered that way, a Trojan could still doctor the amount or other parameters.
Say no to software patents.
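The point of the last three comments, that a reader which only shields the PIN leaves the amount and payee open to a compromised host, modelled as an added example (my code, not from the thread, Amex, or any reader vendor). The card is reduced to a MAC over the amount and payee under a symmetric key shared with the issuer; that key, the PIN, the "www.chaos.de" purchase from the comment, and the host-side tampering function are all constructed stand-ins so the two reader designs can be compared side by side.

```python
import hashlib
import hmac

# Constructed values: a symmetric key the card shares with its issuer, and the PIN.
CARD_KEY = b"constructed-card-key-do-not-reuse"
CARD_PIN = "1234"


def card_sign(pin: str, amount: int, payee: str) -> dict:
    """What the card does: verify the PIN, then MAC the payment it was handed.
    The card can only sign what reaches it; it cannot know what the user saw on screen."""
    if not hmac.compare_digest(pin, CARD_PIN):
        raise PermissionError("wrong PIN")
    msg = f"{amount}|{payee}".encode()
    return {"amount": amount, "payee": payee,
            "mac": hmac.new(CARD_KEY, msg, hashlib.sha256).hexdigest()}


def issuer_verify(tx: dict) -> bool:
    """Issuer recomputes the MAC over the amount and payee it is asked to pay."""
    msg = f"{tx['amount']}|{tx['payee']}".encode()
    expected = hmac.new(CARD_KEY, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tx["mac"])


def host_tamper(data: dict) -> dict:
    """Models a compromised PC rewriting whatever passes through it (constructed)."""
    return {**data, "amount": 2_000, "payee": "mule-account"}


def pin_only_reader(intent: dict, host_compromised: bool):
    """Design 1: the reader shields only the PIN; amount and payee come via the host."""
    pin = intent["pin"]                                              # never touches the host
    params = {"amount": intent["amount"], "payee": intent["payee"]}  # relayed by the host
    if host_compromised:
        params = host_tamper(params)        # altered BEFORE the card signs
    tx = card_sign(pin, params["amount"], params["payee"])
    return issuer_verify(tx), tx["amount"]


def full_capture_reader(intent: dict, host_compromised: bool):
    """Design 2: the reader takes PIN, amount and payee straight from the keyboard
    and feeds the card directly; the host only relays the signed transaction."""
    tx = card_sign(intent["pin"], intent["amount"], intent["payee"])
    if host_compromised:
        tx = host_tamper(tx)                # altered AFTER signing: MAC no longer matches
    return issuer_verify(tx), tx["amount"]


# Constructed: what the user actually typed and meant to pay.
USER_INTENT = {"pin": "1234", "amount": 20, "payee": "www.chaos.de"}


def compare():
    """(issuer accepts?, amount the issuer is asked to pay) for each design, clean and compromised."""
    return {
        "pin_only_clean": pin_only_reader(USER_INTENT, False),
        "pin_only_trojan": pin_only_reader(USER_INTENT, True),
        "full_clean": full_capture_reader(USER_INTENT, False),
        "full_trojan": full_capture_reader(USER_INTENT, True),
    }
```

In the PIN-only design the issuer accepts the doctored $2,000 payment with a valid MAC, because the card signed exactly what the host fed it; in the full-capture design the same tampering produces a MAC mismatch and the payment is refused. The remaining gap, as the Walter Mitty comment notes, is anything that sees the keyboard itself rather than the PC.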
Let's say I open a store, and post a guard at the front door, with instructions not to let anybody in unless they put a blue sock on their left hand, shove an ice-cream bar up their ass, and promise to say "boogah" every six minutes while in the store.
Now you're my potential customer, standing at the door.
Is what I'm asking you unreasonable? Yep.
But if I don't make an exception for anyone based on the color of their skin, their sex, or certain other characteristics that may or may not be readily apparent by looking at them, your only legal recourse is to tell me to go eff myself and turn around and walk away.
So how much information can you withhold? As much as you want.
How much service can they withhold if you do? As much as they want.
Your rights don't override theirs.
If they were a monopoly, the rules would change; but "the only place I can find Captain Harlock on letterboxed DVD" doesn't qualify as a monopoly.
Bottom line; don't do business with anybody whom you feel has unreasonable requirements, and send them a polite letter detailing why you think they are unreasonable. Other than that, quit yer bitchin'.
--