When Fraud Detection Shuts Down Credit Cards Inappropriately
reifman writes: On Sunday, Capital One declined a $280 travel reservation I charged at India-based ClearTrip.com and immediately shut off my card for all transactions until I contacted them by phone. It wasn't the first time that Capital One had shut off my card after a single suspect transaction. But, I'd actually purchased from ClearTrip.com using my Capital One card on two prior occasions. It was an example of very poor fraud detection and led me on a tour of their pathetic customer service. The banks want to cut their losses regardless of how it impacts their customers.
Having had my own credit card suspended out of an abundance of caution on a different credit card issuer's part (for legitimate charges), but having recently had some widely known scam charges get accepted, the fraud protection algorithms that the credit companies use certainly seem inscrutable sometimes, and so do the surrounding practices about communicating with customers. How would you like it to work instead?
My experience has been actually very good with Chase cards...
They decline the transaction then text you asking to reply "1" for Yes or "2" for No if it was you. Then you just reply "1" and repeat the transaction and it goes through.
Simultaneously they send an email with a green "yes" and a red "no" button that functions similarly.
The person who used my cellphone number before I got it had such a deal, apparently, with her bank. Unfortunately, she never notified the bank that she no longer used that number, so I got frequent calls from Chase Bank asking her to respond to credit card activity. At first, I called Chase's response number to alert them to the problem, but after several fails, I simply took to refusing all credit requests made in her name.
I'm sure that her experience was even more annoying than mine was -- and mine went on for months, during which time I found out quite a lot about her personal buying habits.
As EMV chip card readers get cheaper, I keep waiting for banks to offer an on-line verification service where they supply a chip card reader to the card owner, which can then be used to verify on-line transactions. After all, the system is already designed to survive the POS terminal being compromised, so the same should apply to what is effectively a home POS terminal.
Ditto for me on Chase. They've caught real fraud quickly and got me a replacement card within a week. They've also made it very easy to authorize transactions that trigger their system (large purchases somewhere you've never shopped at will do it). You get a text message on your cell phone that you reply to, then ask the shop to try again.
-- Will program for bandwidth
> The "fraud detection" is completely broken
I absolutely agree. They have THE WORST programmers/statisticians working on this.
How about adding a simple two-factor authentication? Instead of rejecting the payment outright and freezing the card, text message my phone IMMEDIATELY and I can read a 6-digit code to the cashier to allow the transaction. It isn't perfect, but that one simple step would make it about 90 percent better, more secure, and cut down on false positives. I swear this would increase customer satisfaction and increase the amount of money the credit cards make because they would then accept a higher number of legitimate transactions. What is wrong with that industry?
I've been happy with my credit union's fraud prevention and detection (which is outsourced to some company). Sometimes I'm 100 miles from home when I spend about $800 on electronics at Fry's or Microcenter. (The datacenter is 100 miles from my house, for now.) The transaction sometimes returns a "call to verify" code. The merchant COULD call, they are supposed to, but most cashiers just say "it didn't go through". This is a training issue on the merchants' side, in my opinion.
At the same time that the cashier is saying "it didn't go through", my phone rings. It's the fraud department calling to verify the purchase. The cashier re-runs the card and it works fine. It seems to mainly happen when buying from an electronics retailer, as I also remember the same thing at Best Buy. I'm fine with that. I know that if a crook gets my card, the bank is watching out.
Occasionally, they'll call about an internet purchase or some other purchase after it happens (fraud detection). It's quick and easy to verify the transaction.
I used to do another type of fraud prevention and detection, not directly related to credit cards, and I know our false positive rate was under 0.1%, probably under 0.01% - we stopped at least a thousand fraudulent instances for every one we declined in error.
In the EU (but not the UK), banks will send you a text for EVERY credit card transaction. If there's a problem, you can contact the bank. It's also free.
Are you really telling me, in this day and age, that we can't have suspect transactions result in a text to your phone that you can then authorise - even before the web page refreshes?
Banking is so in the 1950s of computing that it's laughable. It's done deliberately in some circumstances to profit from charges, fees and the timings of clearing payments. But you can't claim fraud if you haven't taken SIMPLE measures against it.
Like asking the user to confirm suspect transactions using a secondary method (that can be phone for old people without mobile phones, text for those with phones, maybe even the bank's secure app if you so choose). Declining a card transaction because it comes from an unusual place is no longer a metric to decide on the suspicion assigned to a transaction. I've purchased from all over the world, especially in the run-up to Christmas when Amazon, eBay et al only stock the normal boring stuff and I want something a bit different.
In one instance, my Italian relative came over, went to a DIY store with us, paid for the transaction and KNEW BEFORE WE'D HIT THE DOORS that he'd been double-charged on his bank account. A text came through, then another, in a foreign country, before he'd even left the shop. And we were then able to cancel the second transaction.
Why the fuck isn't just this standard practice?