A Matter Of Trust?
cameloid asks: "I've been ordering stuff from a couple of U.S. Web sites now (I live in the UK), and was a bit dubious about credit card security at first. However, it was always the case that I was worried about getting my details stolen or something. Last night I was browsing an interesting site looking for some anime ("Captain Tylor" out on DVD?), and naturally checked to see if they would deliver internationally. Now, they wanted proof that the credit card details I sent them really belonged to me, in the form of a photo of me and a photo of my credit card (actual size I suppose). Now this doesn't strike me as being of much use to anyone and got me thinking. As I'm already an established customer on a couple of other well known e-commerce sites would it not be possible to get some kind of referral from these sites, saying that I'm a worthy customer? What would the implications of this be?" I've been seeing lots of really pointed questions about e-commerce sites lately (this site being the latest entry on that list) and I'm wondering how much information a company really needs before they can do business with someone and what kind of information a person can legitimately withhold. Would such information sharing between commerce sites be something that would benefit consumers or are there privacy issues here that we should be concerned with?
As I'm already an established customer on a couple of other well known e-commerce sites would it not be possible to get some kind of referral from these sites, saying that I'm a worthy customer? What would the implications of this be?
It sounds like a good excuse for companies to trade information about you.
You NEVER need to give your social security number when you are purchasing something online or otherwise. Not even when paying with checks, not even if it is your "student #" as well.
Anyone who has the right to ask for your social security number is *required by law* to give you documentation that they have this right and can withhold items or services until you give it to them.
This is very frequently abused especially by universities and the areas surrounding them. Put your foot down.
A couple of months ago all the major credit card groups including Mastercard and Visa imposed a new law on companies generating a high level of chargebacks. If more than 1.5% of your transactions are charged back, usually through fraud, then you have to pay large financial penalties to the credit card company.
I dare say the very large online companies like Amazon and so on have different terms, but that is how it is for the smaller companies.
As someone who had my company credit card details ripped off and used by some prick in Indonesia to order "Buffy the Vampire Slayer" merchandise from a US-based website, I don't think it's such a bad thing. But really the Credit Card companies should be providing crypto to the customer in the form of so-called smartcards rather than squeezing the vendors.
-Andy
This is what is behind the tightening of
Visa and MC now have some extra digits that are only written on the back of the CC, not embossed or shown on the front.
The idea is for internet companies to ask for these extra digits when people order stuff online, as a way to verify that you have physical possession of the card.
American Express has their own solution - the "blue" card has an embedded chip, then with a reader hooked up to your PC you actually 'swipe' your own card.
Again, this is to prove you have the card in your hot little hands, not a carbon off a receipt.
"...what kind of information a person can legitimately withhold."
In the US anyway, I can withhold any information I want. I find it frightening that we've gotten to the point where we unconsciously equate business with government (which CAN demand information).
You are under NO legal obligation to provide ANYONE ANY information (except the gov't). Of course, businesses have policies and may refuse you service--in which case you go elsewhere. Although even those companies that claim to have policies usually waive them if you refuse.
For instance, I became a "member" at a video store recently. She was asking for information and eventually got to "Do you have a work phone number?". Luckily I had seen that question coming up on her computer and had an answer ready: "Yes, but I don't think you need it." She skipped that one.
On a previous occasion at a different store they actually asked for my Social Security #. I was so taken by surprise that I actually recited it without thinking. Won't be doing THAT again.
--
Have Exchange users? Want to run Linux? Can't afford OpenMail?
Linux MAPI Server!
http://www.openone.com/software/MailOne/
(Exchange Migration HOWTO coming soon)
I don't see how a photo of you would prove anything to them. It just shows you are a real person and not some figment of their imagination. Even a photo of your credit card is pretty dubious since there are many tools that can make a doctored photo look realistic.
I would think the best form of verification, if they really want to see you are who you say you are, is to call you. That information is readily available. They may not want to get bogged down in calling all the "questionable" customers, but is that really any less hassling than looking at all the pictures of people you thought were questionable?
After their numbers dwindled from 50 to 8, the other dwarves began to suspect Hungry.
The big problem with ecommerce is that privacy laws in the US are very, very weak. Database Nation by Simson Garfinkel has a very nice description of why the US considered privacy legislation in the 70's, Congress came up with recommendations and failed to pass laws based on these recommendations. Most European countries did, though.
The recommendations, and the legal situation in most European countries, are:
The lack of these kinds of protections in the US is what makes me very wary of using lots of ecommerce, since the situation here is more: give us as much information about you as possible, we will generate some more from your use of our service and then run with it. What scares me is the secrecy of the whole process, the fact that it is almost impossible to find out who is doing what with your data and how it will affect you in the future. Will raising a stink with Amazon.com make it more difficult for me to get a house loan in the future?
Without privacy laws on the books, we are headed for a future similar to Kafka's Trial: companies make decisions about you based on information about you that is essentially secret. Until I as a consumer have certain rights to review my data and find out about it, I don't want those ecommerce sites to build a "web of trust" about my online shopping behavior. Don't give them any ideas.
Now, they wanted proof that the credit card details I sent them really belonged to me, in the form of a photo of me and a photo of my credit card (actual size I suppose).
Amazing. And you didn't tell them to fuck off? You must be a really kindhearted soul.
In any case, they are waaaay out of line and, of course, breathtakingly stupid. I mean, what's to stop you from sending them a photograph of some random Joe Q. Loser and slightly-Photoshop-processed picture of a credit card showing whatever numbers you want it to show?
If I were you, I'd tell these guys that they are being bloody utterly ridiculous and that you'll be glad to see the survival-of-the-fittest principle demonstrated on them. I mean who would ever buy from them??
Kaa
Kaa
Kaa's Law: In any sufficiently large group of people most are idiots.
I had an experience like that once, from one of those flakey retailers that makes their profit from advertising, not from sales.
Their attitude seemed to be, "We aren't making any money off of it, so who gives a damn? Actually we'd prefer not to sell you anything at all, please go back to the web site and look at some more ads."
And I thought aggressive upselling was annoying...
If anyone asked me for a photo of myself and a copy of my credit card, I would laugh, then report them right away. I don't think I've shopped in a real store in almost two years. I buy everything online. Yeah, it would be nice to have an online credit card of sorts, but until they come around, I'm stuck using my regular one, and my debit card. I have yet to be asked for a photo of me, or of my credit card. I have even ordered from Germany and France, and Japan a few times. I did have a few small problems where they said they were having problems verifying my card. On the back of my card I have a customer service number that I gave them. For my debit card, I gave them the phone number to my bank. I have seen more and more sites requesting "extra numbers" or the customer service numbers from the back of cards. I think that is an excellent way to go. I'm all about more security. For the record, two years purchasing online, and I've had only one fraudulent charge to my card, and they were caught. Idiots had it sent to their house. My company called me to verify since it was being sent 10 states over, and I told them no, and they contacted the authorities.
How much information does a small business selling on the Internet need about potential customers? As much as they can get.
I own a small, web based retailer selling engagement rings, and I can tell you that we need as much information as possible about each customer. You have no idea how much fraud there is on the Internet: on average, 4 out of every 5 orders at our site are fraudulent. Most of these orders come from the UK and Australia. As a result we have had to stop all international orders. We simply cannot afford the enormous risk.
A few facts that might help you empathize with small Internet merchants.
I have bought thousands of dollars of merchandise on the Internet and sold much more, and I can say from personal experience that the Internet is a much more dangerous environment for small businesses than it is for customers. I have never experienced fraud on the net as a consumer, but I see it every day as a merchant.
Remember, you are asking a merchant who has never seen you, and knows very little about you to ship expensive merchandise to you before they receive any money for it. Additionally, customers can almost always cancel the order without returning the merchandise and the merchant is out of luck. Large corporations can absorb some of these losses, but most small business owners can't.
Regards,
Brian Woodring
Webmaster, Owner
Rings-Online.com
Sending a picture? For anime? Suspect trouble! They are willing to either wait for a hardcopy photograph, then pay to file and store it so that they can retrieve it, or they are willing to accept a softcopy and stow that on a disk somewhere. This eats seriously into their cash flow, turns customers away, and is generally a very expensive and ineffective way to do fraud control. If I were a merchant, I might consider measures that invasive if I was dealing with a four-figure purchase, though that wouldn't be my preferred way of doing it. For something under $100, this is the sort of thing that would cause them to lose money on every purchase.
Merchants do have to defend against credit card fraud, however. If you take my card number and buy that anime, when I see the charges, I can dispute them. The anime merchant would end up coughing up the charges; that's the breaks you take when you sign up to accept major credit cards. However, there are online services that do fraud checking.
Electronic fraud screening is available from several vendors, and it can give a merchant an idea as to how risky you are to sell to. Criteria include velocity screening (if your use per day changes drastically, it suspects theft), address checking (you are slightly more risky if the shipping address is not the home address of the cardholder), and how often you do chargebacks (having the credit card company remove a charge versus just getting a return out of the vendor). This has to be cheaper, and more effective, than getting photographs.
If somebody is resorting to photo methods, I have to guess that they either need to take Credit Card 101 or are actively malicious. While I would suspect the former (incompetence before malice), I would still steer clear, from what limited information you have given me.
--The basis of all love is respect
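The three screening criteria named in the comment above (velocity, billing versus shipping address, chargeback history), as an added sketch that is not part of the original thread or any vendor's product. The weights, thresholds, field names and sample orders are all hypothetical.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from statistics import mean

@dataclass(frozen=True)
class Order:
    card_id: str          # opaque token standing in for the card, never the number
    day: date
    amount: float
    billing_addr: str
    shipping_addr: str

# Hypothetical weights and thresholds, for illustration only.
VELOCITY_FACTOR = 3.0     # spend that day vs. the card's average active day
W_VELOCITY, W_ADDRESS, W_CHARGEBACK = 50, 15, 20
REVIEW_AT = 50            # at or above this score, hold the order for manual review

def _norm(addr):
    """Case- and whitespace-insensitive form so trivial differences don't count."""
    return " ".join(addr.casefold().split())

def score(order, history, prior_chargebacks=0):
    """Return (points, reasons) for one order, given earlier orders."""
    points, reasons = 0, []
    per_day = defaultdict(float)
    for past in history:
        if past.card_id == order.card_id:
            per_day[past.day] += past.amount
    today = per_day.pop(order.day, 0.0) + order.amount
    # Velocity: only meaningful when the card has a baseline to compare with.
    if per_day and today > VELOCITY_FACTOR * mean(per_day.values()):
        points += W_VELOCITY
        reasons.append("velocity")
    if _norm(order.billing_addr) != _norm(order.shipping_addr):
        points += W_ADDRESS
        reasons.append("address_mismatch")
    if prior_chargebacks:
        points += W_CHARGEBACK * min(prior_chargebacks, 3)
        reasons.append("chargeback_history")
    return points, reasons

def decide(order, history, prior_chargebacks=0):
    points, reasons = score(order, history, prior_chargebacks)
    return ("review" if points >= REVIEW_AT else "accept"), reasons

# Constructed sample data.
HOME = "1 Example Street, Springfield"
HISTORY = [
    Order("tok_A", date(2000, 5, 1), 40.0, HOME, HOME),
    Order("tok_A", date(2000, 5, 3), 35.0, HOME, HOME),
    Order("tok_A", date(2000, 5, 9), 45.0, HOME, HOME),
]
ROUTINE = Order("tok_A", date(2000, 5, 12), 38.0, HOME, "1 example street,  springfield")
BURST = Order("tok_A", date(2000, 5, 12), 400.0, HOME, "PO Box 9, Elsewhere")

if __name__ == "__main__":
    for o in (ROUTINE, BURST):
        print(o.amount, decide(o, HISTORY))
```

A card with no earlier orders has no baseline, so the velocity check is skipped for it and only the address and chargeback signals contribute.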
My wife and I both use one credit card for the bulk of our purchases. Actually, we have separate physical cards, but the account number is the same. The name and the signature on the cards are different. However, if I give my card to a clerk, and he gives me a receipt for my signature, my wife can sign it. Is that secure? Not really. But it's damn convenient.
It's all a question of where you draw the line. There have been instances where the lack of security has been a boon. I've been able to order computer hardware for my parents simply by having them give me the CC number and date. That's not secure, IMHO. If CC's were truly secure, I would not be able to do that.
But how do you make e-commerce transactions truly more secure? Adding more numbers or passwords doesn't help - it still lets other people make purchases. You could use biometric scanners, but that's a nightmare of its own, and it's still information being sent over the wire (you could copy the biometric data and retransmit it yourself).
How about limiting CC transactions from one IP address? Or having some kind of special key encoded in the computer (can we say Pentium serial number)? We all know these are bad ideas.
The truth is, there isn't anything you can really do to make CC's more secure over the Internet. The most you can do is make it more inconvenient for everyone. I get the feeling that some people equate less convenient with more secure.
So you might say that it's safer to only purchase items in a store. Well, who says the clerk behind the counter is any more trustworthy than a web site and 128-bit encryption?
The CC companies will reimburse customers for bogus transactions. But because e-commerce is so insecure, they think their risk is too high. So they're sharing the burden with the vendors, and I think that's fair. If you're a vendor with greater than 1.5% returns, then you have bigger problems than the financial penalty. You either have a major security hole, or your products suck.
And the men who hold high places must be the ones who start
To mold a new reality... closer to the heart
I had to give a piss test, 2 forms of photo id, eye scan, finger prints and a spinal tap before they let me into this one porn site.
But I feel safer now that my credit card isn't among the 31337 hAx0rs of the world.
Plus my credit card is hard to guess, you would have never guessed
AJ Bennett
4828719230128348
with an expiration date of 03/02
You would have never guessed that, could you? HA, I am feeling like one secure mofo.
"`Ford, you're turning into a penguin. Stop it.'" -THHGTTG
I have some very strong opinions about this. I used to sell Web hosting and UNIX shell accounts on my site, Sandwich.Net. We were doing very well for a while (we even ran some banner ads on Slashdot), but we shut down commercial operations after a very large loss brought on by credit card fraud.
:) Feel free to e-mail me if you're interested in more details. (I'd be happy to discuss the merchant service provider and credit card companies involved.) I hope this message made at least some amount of sense.
Apparently, we were very popular with the "script kiddie" community. About 90% of credit card orders that we received turned out to be fraudulent (immediately or eventually) - not from credit cards that had been physically stolen, but from compromised credit card numbers and account information. For some reason, almost 75% of those fraudulent orders were either using Malaysian cards or came from Malaysian dial-up accounts.
For Internet ordering, most merchants use AVS, the Address Verification System, for fraud screening. I understand that there are some other systems available now. With AVS - and even with most new systems that I've seen hyped - if your personal information is compromised along with the card number (which is very common), the system is completely useless. AVS doesn't work with credit cards from outside the U.S. or Canada anyway.
If I had required that users fax me a copy of their credit card and picture ID, I suspect that I could have prevented very nearly all of the credit card fraud that happened. As it was, our merchant service provider terminated our merchant account for excessive chargebacks, and charged us a certain amount per chargeback, which added up to a large loss. It would have helped had the provider actually provided us with anything other than AVS for fraud screening, or with decent customer service or advice. A system like that suggested in the article, where assurance is traded among merchants, sounds good, but I agree that it raises some major privacy concerns.
Banks and merchant service providers don't seem to care very much about this. After I realized what was going on (far too late to stop most of the chargebacks), I ended up denying most international orders, and calling banks in North America to verify the charges. Most of them were very unhelpful - I now know which banks I never want to get a credit card from...
I could keep going on about this for several pages.
Also, regarding two other comments:
More financial penalties for high-chargeback merchants? That seems unhelpful, considering that in most cases (not all, admittedly), it isn't the merchant at fault. Additional fraud screening and actual help for confused merchants would probably more effectively prevent fraud. Penalties certainly encourage merchants to take action against fraud, but it's very difficult to find out how to do so.
The extra digits on the back of Visa/MC cards seem fairly useless to me, as if a Web site that asked for them is compromised, you're no better off than with a "normal" card.
On a side note -- Wired magazine had an article a few days ago about how American Express will no longer cover credit card transactions from porn sites. AMEX says that porn sites have such a high charge back rate from fraud that they are no longer interested in working with those companies. One thing the article pointed out is that a lot of the fraud from these sites doesn't come from stolen cards or invalid numbers, but from people disputing what are probably valid charges because they don't want to admit to embarrassing purchases. ("No, honey, I don't know how that charge got on my bill. Someone must have stolen my card...")
Considering how lucrative the online market is for porn and other goods and services people would rather purchase with the benefit of anonymity, credit card companies should probably focus some of their security research on techniques for nonrepudiation, not just improving methods for authentication and preventing interception of card numbers.
When violence rules the world outside / And the headlines make me want to cry / It's not the time to just keep quiet
Visa, and other credit card companies will pay all theft claims. It's very expensive, and that's why the credit card rates are so ridiculously high.
Guess you decided not to read any comments and just display your ignorance...
Visa/Mastercard take the fraud $$ straight back from the merchant..... plus charge the merchant some extra $$ just for the privilege....