When Fraud Detection Shuts Down Credit Cards Inappropriately

reifman writes: On Sunday, Capital One declined a $280 travel reservation I charged at India-based ClearTrip.com and immediately shut off my card for all transactions until I contacted them by phone. It wasn't the first time that CapitalOne had shut off my card after a single suspect transaction. But, I'd actually purchased from ClearTrip.com using my CapitalOne card on two prior occasions. It was an example of very poor fraud detection and led me on a tour of their pathetic customer service. The banks want to cut their losses regardless of how it impacts their customers. Having had my own credit card suspended out of an abundance of caution on a different credit card issuer's part (for legitimate charges), but having recently had some widely known scam charges get accepted, the fraud protection algorithms that the credit companies use certainly seem inscrutable sometimes, and so do the surrounding practices about communicating with customers. How would you like it to work instead?

Advice: Just cut up the card

I've had this happen a couple of times now. Once I even spent a half-hour on the phone, while traveling, with customer service trying to convince them that I was who I said I was. Gave up and cut up the card. Highly recommend just having a lot of accounts and ditching cards after a set time investment (e.g., ten minutes) trying to get them re-enabled.

It doesn't matter what we would like. All that matters is having enough people ditch their cards to wake the credit card companies up to their lost profits.

Chase cards text and email

[peon_a-z,A-Z,0-9$_+!]

My experience has been actually very good with Chase cards...

They decline the transaction then text you asking to reply "1" for Yes or "2" for No if it was you. Then you just reply "1" and repeat the transaction and it goes through.

Simultaneously they send an email with a green "yes" and a red "no" button that functions similarly.

No Bed of Roses

The person who used my cellphone number before I got it had such a deal, apparently, with her bank. Unfortunately, she never notified the bank that she no longer used that number, so I got frequent calls from Chase Bank asking her to respond to credit card activity. At first, I called Chase's response number to alert them to the problem, but after several fails, I simply took to refusing all credit requests made in her name.

I'm sure that her experience was even more annoying than mine was -- and mine went on for months, during which time I found out quite a lot about her personal buying habits.

Why no Chip Card Reader at home?

[west]

As EMV chip card readers get cheaper, I keep waiting for banks to offer an on-line verification service where they supply a chip card reader to the card owner, which can then be used to verify on-line transactions. After all, the system is already designed to survive the POS terminal being compromised, so the same should apply to what is effectively a home POS terminal.

Re:This is why you call your bank before tourism

[rossz]

Ditto for me on Chase. They've caught real fraud quickly and got me a replacement card within a week. They've also made it very easy to authorize transactions that trigger their system (large purchases somewhere you've never shopped at will do it). You get a text message on your cell phone that you reply to then ask the shop to try again.

Re:This is why you call your bank before tourism

[brianwski]

> The "fraud detection" is completely broken

I absolutely agree. They have THE WORST programmers/statisticians working on this.

How about adding a simple two-factor authentication? Instead of rejecting the payment outright and freezing the card, text message my phone IMMEDIATELY and I can read a 6 digit code to the cashier to allow the transaction. It isn't perfect, but that one simple step would make it about 90 percent better, more secure, and cut down on false positives. I swear this would increase customer satisfaction and increase the amount of money the credit cards make because they would then accept a higher number of legitimate transactions. What is wrong with that industry?

my credit union calls me in seconds. Cashiers shou

[raymorris]

I've been happy with my credit union's fraud prevention and detection (which is outsourced to some company). Sometimes I'm 100 miles from home when I spend about $800 on electronics at Fry's or Microcenter. (The datacenter is 100 miles from my house, for now.) The transaction sometimes returns a "call to verify" code. The merchant COULD call, they are supposed to, but most cashiers just say "it didn't go through". This is a training issue on the merchants' side, in my opinion.

At the same time that the cashier is saying "it didn't go through", my phone rings. It's the fraud department calling to verify the purchase. The cashier re-runs the card and it works fine. It seems to mainly happen when buying from an electronics retailer, as I also remember the same thing at Best Buy. I'm fine with that. I know that if a crook gets my card, the bank is watching out.

Occasionally, they'll call about an internet purchase or some other purchase after it happens (fraud detection). It's quick and easy to verify the transaction.

I used to do another type of fraud prevention and detection, not directly related to credit cards, and I know our false positive rate was under 0.1%, probably under 0.01% - we stopped at least a thousand fraudulent instances for every one we declined in error.

Credit Cards

[ledow]

In the EU (but not the UK), banks will send you a text for EVERY credit card transaction. If there's a problem, you can contact the bank. It's also free.

Are you really telling me, in this day and age, that we can't have suspect transactions result in a text to your phone that you can then authorise - even before the web page refreshes?

Banking is so in the 1950s of computing that it's laughable. It's done deliberately in some circumstances to profit from charges, fees and the timings of clearing payments. But you can't claim fraud if you haven't taken SIMPLE measures against it.

Like asking the user to confirm suspect transactions using a secondary method (that can be phone for old people without mobile phones, text for those with phones, maybe even the bank's secure app if you so choose). Declining a card transaction because it comes from an unusual place is no longer a metric to decide on the suspicion assigned to a transaction. I've purchased from all over the world, especially in the run-up to Christmas when Amazon, eBay et al only stock the normal boring stuff and I want something a bit different.

In one instance, my Italian relative came over, went to a DIY store with us, paid for the transaction and KNEW BEFORE WE'D HIT THE DOORS that he'd been double-charged on his bank account. A text came through, then another, in a foreign country, before he'd even left the shop. And we were then able to cancel the second transaction.

Why the fuck isn't just this standard practice?

It's even worse as an international merchant :-(

[Anonymous+Brave+Guy]

I had my card suspended because i sent $2.50 over paypal to a kid in the UK for some software.

I'll see you that and raise you how it looks from a UK merchant's side. Running a simple on-line service with a small monthly subscription fee and a fair proportion of international customers, we literally lose more subscriptions because of unexplained card failures than all other causes put together, including active cancellation by a subscriber's own choice.

Worse, as far as we can tell, there is absolutely nothing we can do about it. The system simply doesn't work reliably and there is no useful information whatsoever provided to the merchant when the card fails. About the best you can do as a merchant is contact your customers after the failed charge, try to convince them that their card being declined is neither an indication of fraud on your part nor something they should be embarrassed about themselves, and hope they are willing to sit on the phone being told how important their call is for a few minutes while they wait to speak to their card issuer and confirm it's a valid transaction. Unsurprisingly, relatively few customers will actually do this, even those who have otherwise been active customers apparently happy with the service.

The card industry's incompetence is a tax on trade, and the sooner it dies its long overdue death and payment methods fit for this century take over, the better off literally everyone involved else will be.

Re:This is why you call your bank before tourism

[IamTheRealMike]

Yeah, it is completely broken. This is a problem more or less specific to America.

I have several cards. I travel constantly. I have never, not once, told my bank where I am going and I have never, not once, had my card declined.

How do they achieve this witchcraft? Well,

1. The cards are all EMV. The magstripe can be cloned, but you can't use it in most countries (other than America)

2. Many online purchases are protected by 3D-Secure, which basically just lets your bank put a login/ID verification screen after the card number is entered

3. Their fraud models expect people to travel whereas lots of Americans don't

Re: This is why you call your bank before tourism

[NostalgiaForInfinity]

1 in every 5 people have had an attempted fraudulent charge stopped by these systems. And credit card fraud isn't the only type of crime these frausters perpetrate. Wire fraud and identity theft are on the rise and are becomming more and more of a problem as the US gets closer to their pin-and-chip deadline.

And the reason this kind of fraud is so frequent is because your industry uses extremely poor security. Fraud detection software should be largely unnecessary if credit card transactions were properly protected using available technology. That means proper use of public key cryptography, one time card numbers, smart cards, pins, and instant notification.