A Matter Of Trust?

cameloid asks: "I've been ordering stuff from a couple of U.S. Web sites now (I live in the UK), and was a bit dubious about credit card security at first. However, it was always the case that I was worried about getting my details stolen or something. Last night I was browsing an interesting site looking for some anime ("Captain Tylor" out on DVD?), and naturally checked to see if they would deliver internationally. Now, they wanted proof that the credit card details I sent them really belonged to me, in the form of a photo of me and a photo of my credit card (actual size I suppose). Now this doesn't strike me as being of much use to anyone and got me thinking. As I'm already an established customer on a couple of other well known e-commerce sites would it not be possible to get some kind of referral from these sites, saying that I'm a worthy customer? What would the implications of this be?" I've been seeing lots of really pointed questions about e-commerce sites lately (this site being the latest entry on that list) and I'm wondering how much information a company really needs before they can do business with someone and what kind of information a person can legitimately withhold. Would such information sharing between commerce site be something that would benefit consumers or are there privacy issues here that we should be concerned with?

no good.

[gargle]

As I'm already an established customer on a couple of other well known e-commerce sites would it not be possible to get some kind of referral from these sites, saying that I'm a worthy customer? What would the implications of this be?

It sounds like a good excuse for companies to trade information about you.

Visa and MC already have started fixing this

[BranMan]

Visa and MC now have some extra digits that are only written on the back of the CC, not embossed or shown on the front.

The idea is for internet companies to ask for these extra digits when people order stuff online, as a way to verify that you have physical possesion of the card.

American Express has their own solution - the "blue" card has an embedded chip, then with a reader hooked up to your PC you actually 'swipe' your own card.

Again, this is to prove you have the card in your hot little hands, not a carbon off a receipt.

Prove what?

[brown_out]

I don't see how a photo of you would prove anything to them. It just shows you are a real person and not some figment of their imagination. Even a photo of your credit card is pretty dubious since there are many tools that can make a doctored photo look realistic.
I would think the best form of verification is that, if they really want to see you are who you say you are is to call you. That information is readily available. They may not want to get bog downed in calling all the "questionable" customers, but is that really any less hassling than looking at all the pictures of people you thought were questionable?

Re: No We're Not - We need the information!

[bwoodring]

How much information does a small business selling on the Internet need about potential customers? As much as they can get.

I own a small, web based retailer selling engagement rings, and I can tell you that we need as much information as possible about each customer. You have no idea how much fraud there is on the Internet: on average, 4 out of every 5 orders at our site are fraudulent. Most of these orders come from the UK and Australia. As a result we have had to stop all international orders. We simply cannot afford the enormous risk.

A few facts that might help you empathize with small Internet merchants.

1. There is no way of reliably tracking international orders if you are a small business. Sending a diamond ring to the UK or Australia is like sending it to Timbuktu. You might think that the USPS and the UKPS would work smoothly together, but this is not nearly the case.
2. Credit card companies always side with the customer. No matter how ridiculous their claim. The merchant services company (in our case, Nova) will take money out of our bank account without warning, charge us a penalty for doing it, and hold the money as long as they want (we have never won a case against a fraudulent company).
3. The credit card companies don't care about fraud. They make a big deal about fighting credit card fraud, but it is all bluster. We have seen dozens of examples of outright fraud, which we promptly report. We have never heard back from anyone at any credit card company. Our complaints fall on deaf ears.

I have bought thousands of dollars of merchandise on the Internet and sold much more, and I can say from personal experience that the Internet is a much more dangerous environment for small businesses than it is for customers. I have never experienced fraud on the net as a consumer, but I see it every day as a merchant.

Remember, you are asking a merchant who has never seen you, and knows very little about you to ship expensive merchandise to you before they receive any money for it. Additionally, customers can almost always cancel the order without returning the merchandise and the merchant is out of luck.

Large corporations can absorb some of these losses, but most small business owners can't.

Regards,

Brian Woodring
Webmaster, Owner
Rings-Online.com

I wouldn't trust them

[remande]

I happen to work for a company that does online credit card processing, so I've run into some issues. I am not a true authority, since I work at the code level rather than the business level. IANAL, and all that.

Sending a picture? For anime? Suspect trouble! They are willing to either wait for a hardcopy photograph, then pay to file and store it so that they can retrieve it, or they are willing to accept a softcopy and stow that on a disk somewhere. This eats seriously into their cash flow, turns customers away, and is generally a very expensive and ineffective way to do fraud control. If I were a merchant, I might consider measures that invasive if I was dealing with a four-figure purchase, though that wouldn't be my preferred way of doing it. For something under $100, this is the sort of thing that would cause them to lose money on every purchase.

Merchants do have to defend against credit card fraud, however. If you take my card number and buy that anime, when I see the charges, I can dispute them. The anime merchant would end up coughing up the charges; that's the breaks you take when you sign up to accept major credit cards. However, there are online services that do fraud checking.

Electronic fraud screening is available from several vendors, and it can give a merchant an idea as to how risky you are to sell to. Criteria include velocity screening (if your use per day changes drastically, it suspects theft), address checking (you are slightly more risky if the shipping address is not the home address of the cardholder), and how often you do chargebacks (having the credit card company remove a charge versus just getting a return out of the vendor). This has to be cheaper, and more effective, than getting photographs.

If somebody is resorting to photo methods, I have to guess that they either need to take Credit Card 101 or are actively malicious. While I would suspect the former (incompetence before malice), I would still steer clear, from what limited information you have given me.

Convenience vs. Security

[LordNimon]

When it comes to things like credit cards, there's always a trade-off between convenience and security.

My wife and I both use one credit card for the bulk of our purchases. Actually, we have separate physical cards, but the account number is the same. The name and the signature on the cards are different. However, if I give my card to a clerk, and he gives me a receipt for my signature, my wife can sign it. Is that secure? Not really. But it's damn convenient.

It's all a question of where you draw the line. There have been instances where the lack of security has been a boon. I've been able to order computer hardware for my parents simply by having them give me the CC number and date. That's not secure, IMHO. If CC's were truly secure, I would not be able to do that.

But how do you make e-commerce transactions truly more secure? Adding more numbers or passwords doesn't help - it still lets other people make purchases. You could use biometric scanners, but that's a nightmare of its own, and it's still information being sent over the wire (you could copy the biometric data and retransmit it yourself).

How about limiting CC transactions from one IP address? Or having some kind of special key encoded in the computer (can we say Pentium serial number)? We all know these are bad ideas.

The truth is, there isn't anything you can really do to make CC's more secure over the Internet. The most you can do is make it more inconvenient for everyone. I get the feeling that some people equate less convenient with more secure.

So you might say that it's safer to only purchase items in a store. Well, who says the clerk behind the counter is any more trustworthy than a web site and 128-bit encryption?

The CC companies will reimburse customers for bogus transactions. But because e-commerce is so insecure, they think their risk is too high. So they're sharing the the burden with the vendors, and I think that's fair. If you're a vendor with greater than 1.5% returns, then you have bigger problems than the financial penalty. You either have a major security hole, or your products suck.

Re:Always Withhold your Social Security #

[zantispam]

Well, let's say your SSN is 123-45-6789.

First things first, I need a card. So I go to my post office and grab a request for a replacement social security card. It want's a copy of your birth certificate. Well, I can match up the SSN to a name pretty easy (trivial if I know what state you live in, even easier if I know what city). All I have to do is call the DMV and say that I'm in HR for the Yoyodyne corp and I'm doing a background check. I need to verify this SSN as belonging to Joe R Public. Oh, it's not him? Who is it?

Bingo. I have your name and your SSN.

Call the county courthouse and ask for a copy of your birth certificate (I'm doing genological research on my family). Weren't born there? Where were you born?

Bingo. I have your name, place of birth, and SSN.

So I call up the county courthouse where you were born and ask for a copy of your birth cirtificate (using the above story). It'll cost me, like, $1.50.

Bingo. I have your name, place of birth, DOB, DL#, SSN, social security card, parent's names, mother's maiden name, and just about any other piece of information that I want.

Hrmmm, let's go shopping, shall we?

Better yet, let's get some warrants out for your arrest.

Hell, let's go all the way and start getting your mail, your paper, your pension, your 401k, your health insurance, your life insurance, a job in your name...

That, my dear bribecka, is what I can do with a SSN.

Here's my copy of DeCSS. Where's yours?