When Fraud Detection Shuts Down Credit Cards Inappropriately

reifman writes: On Sunday, Capital One declined a $280 travel reservation I charged at India-based ClearTrip.com and immediately shut off my card for all transactions until I contacted them by phone. It wasn't the first time that CapitalOne had shut off my card after a single suspect transaction. But, I'd actually purchased from ClearTrip.com using my CapitalOne card on two prior occasions. It was an example of very poor fraud detection and led me on a tour of their pathetic customer service. The banks want to cut their losses regardless of how it impacts their customers. Having had my own credit card suspended out of an abundance of caution on a different credit card issuer's part (for legitimate charges), but having recently had some widely known scam charges get accepted, the fraud protection algorithms that the credit companies use certainly seem inscrutable sometimes, and so do the surrounding practices about communicating with customers. How would you like it to work instead?

This is why you call your bank before tourism

[GoodNewsJimDotCom]

If you're going to make out of the ordinary purchases for overseas, or travel overseas, you always want to call your bank ahead of time. This is a standard operating procedure, and nothing to complain about on Slashdot.

Re:This is why you call your bank before tourism

Well, but there is still a point here. For example, I have had a couple of occasions of fraud on my account - they both happened when the "accounts got out" (massive breach of the credit union's credit card file). The first racked up three charges for $900.00 in Japan The next was a flight in India (in rupees) that came to well over $1,000 plus the foreign currency conversion fee. However, I have had the same card processor block the card and deny the purchases when I made two orders Newegg.com in the same day. The "fraud detection" is completely broken.

Re:This is why you call your bank before tourism

[Anonymice]

Except that it seems not all banks accept that. I tried to warn my bank when I was going travelling for a year & they said the only thing they could do was put a note on my account - that would only be seen when I phoned up to complain about my card being blocked! Completely fucking useless.
In the end I had to just call my bank over Skype after every other transaction, to get them to unblock it again.

Re:This is why you call your bank before tourism

[driblio]

They process billions of transactions a day. Thousands of them are fraudulent. Occasionally they get some wrong. But they do an amazing job - which is why you very rarely find out about fraud for the first time when it shows up on your bill. Most of the time, you never know about it at all. It is far from 'completely broken'.

Re:This is why you call your bank before tourism

[spire3661]

Bullshit. I had my card suspended because i sent $2.50 over paypal to a kid in the UK for some software. I went to get groceries later at my normal store and card declined. I was livid beyond belief. There is no excuse for that kind of incompetence over trivial amounts of money. Banking is based on trust, not ultimate security, having too sensitive fraud protection is not helpful to anyone.

Re:This is why you call your bank before tourism

[Martin+Blank]

Both of my frequent flier-linked cards have expressly said that there is no need to call and notify them. It doesn't really change much aside from them adding a note to the account which may or may not be read by the fraud investigator--if there is one. Every time my cards have been blocked, it's completely automated, and the programs aren't likely to examine notes left in the account.

Re:This is why you call your bank before tourism

[Martin+Blank]

My experience with Citi matches yours, but Chase seems to be on their game. Fraudulent transactions have triggered notifications within minutes of the transaction taking place, and they're very pleasant and professional when I call to discuss them.

Re:This is why you call your bank before tourism

[whoever57]

If you're going to make out of the ordinary purchases for overseas, or travel overseas, you always want to call your bank ahead of time. This is a standard operating procedure, and nothing to complain about on Slashdot.

Doesn't work.

I travel to the same country about once per year. I call my credit card company in advance and usually, I can make one purchase in that country and after that, my card is blocked.

Sometimes, I even get a fraud warning txt for a small purchase in a US airport where I have a stopover. The tickets were bought using the same credit card, so the card company knows that I will be travelling (as well as my call to warn the credit card company).

Re:This is why you call your bank before tourism

[rossz]

Ditto for me on Chase. They've caught real fraud quickly and got me a replacement card within a week. They've also made it very easy to authorize transactions that trigger their system (large purchases somewhere you've never shopped at will do it). You get a text message on your cell phone that you reply to then ask the shop to try again.

Re:This is why you call your bank before tourism

[brianwski]

> The "fraud detection" is completely broken

I absolutely agree. They have THE WORST programmers/statisticians working on this.

How about adding a simple two-factor authentication? Instead of rejecting the payment outright and freezing the card, text message my phone IMMEDIATELY and I can read a 6 digit code to the cashier to allow the transaction. It isn't perfect, but that one simple step would make it about 90 percent better, more secure, and cut down on false positives. I swear this would increase customer satisfaction and increase the amount of money the credit cards make because they would then accept a higher number of legitimate transactions. What is wrong with that industry?

Re:This is why you call your bank before tourism

[o_ferguson]

It's even worse than that. I've had legitimate purchases through eBay where, when I contact the seller after winning the auction, they say that they are refusing the sale because they thing something about my account may trigger Paypal's fraud protection. I pay the money, and they refuse to accept the paypal transfer, and refund it, because they don't think I'll pass Paypal's fraud protection.

Re:This is why you call your bank before tourism

[geekmux]

If you're going to make out of the ordinary purchases for overseas, or travel overseas, you always want to call your bank ahead of time. This is a standard operating procedure, and nothing to complain about on Slashdot.

Nor should this be a problem for the consumer, or a burden to call "ahead of time".

Let me put this another way. Would you think it normal or necessary to contact your ISP ahead of time should you choose to start surfing secure websites outside of your country?

The burden of securing transactions should be within the framework that provides it. I sure as hell don't have anything to do with the bank vault security guard hours at my chosen financial institution, or anything to do with a banks security. It should be no different here.

Re:This is why you call your bank before tourism

[bitingduck]

If you're going to make out of the ordinary purchases for overseas, or travel overseas, you always want to call your bank ahead of time. This is a standard operating procedure, and nothing to complain about on Slashdot.

Which kind of defeats the purpose and convenience of having a credit card.

It's also generally not necessary - I've gone on foreign travel on short notice and had no issues with my card, and even gone to some pretty unusual places and used various cards with no issues (the most difficult was that the card I prefer to use for travel didn't have a chip in places that were chip only). The only false positives I've had that turned the card off have been when I went to buy gas at a particular gas station in Montreal before return rental cars. It happened more than once because it was about a mile from my partner's house there. The same card provider has reliably caught a number of real positives, and their email/text system now works fast enough that other false positives get caught before they turn the card off.

Re:This is why you call your bank before tourism

[Archfeld]

BofA's viper system is really bad. I called both the bank and cardholder services, as well as opened a Lloyd's of London account and still encountered several refusals, having to call and confirm the note that I had already left with specific itinerary. I just started using my Amex and had no issues from that point on. What is the saddest is that after having returned home BofA refused a local charge because the previous charges had been in GB. They were quick to correct the issues when I did contact them though, and getting ahold of a customer service rep was fast and easy.

Re:This is why you call your bank before tourism

[Geoffrey.landis]

For example, I have had a couple of occasions of fraud on my account - they both happened when the "accounts got out" (massive breach of the credit union's credit card file). The first racked up three charges for $900.00 in Japan The next was a flight in India (in rupees) that came to well over $1,000 plus the foreign currency conversion fee. However, I have had the same card processor block the card and deny the purchases when I made two orders Newegg.com in the same day. The "fraud detection" is completely broken.

Isn't it likely that they blocked the new egg purchases because the account was hacked and previous purchases that day were fraudulent?

Closing the barn door after the horse got out-- but there may have been other horses in the barn that could get out.

Re:This is why you call your bank before tourism

[bitingduck]

I've had similar experiences with Chase. Once they caught someone buying a big screen TV from walmart.com on Dec 27. I was off on a multi-day bike ride and happened to check my email during a break and it had an email asking if I spent $2700 at walmart.com. A short phone call later and a new card was being fedexed.

Another time I did several legitimate but commonly fraud related transactions one morning (new cell phone, some software purchased by phone, a couple other things I don't remember) and they called me. It wasn't any of those that had alerted, but a $9.99 charge from some anonymous sounding company that's some kind of default name for whatever tool the fraudsters were using. A few minutes later the card was cancelled and a new one on the way.

The current method with text/email confirmation on potentially sketchy charges works well and quickly.

Re:This is why you call your bank before tourism

[JustAnotherOldGuy]

If you're going to make out of the ordinary purchases for overseas, or travel overseas, you always want to call your bank ahead of time.

I do, and they still freeze it. I call the bank and CapitalOne, and they still freeze the card. This has happened to me about 10 times in the last 5 or 6 years, regular as clockwork.

Re:This is why you call your bank before tourism

[Applehu+Akbar]

"In the end I had to just call my bank over Skype after every other transaction, to get them to unblock it again."

Get Chase.

Re:This is why you call your bank before tourism

[Macman408]

Maybe because it's not uncommon to test a stolen credit card with some trivial amount first, before making a huge purchase with it. That, combined with it being foreign, probably triggered the fraud alert.

Maybe it's obvious, but if you're having bad experiences with your bank, maybe you should... try a different bank? I can recall only a few instances where my bank has suspected fraud, and they've always called me before my card was deactivated. Once was when I moved halfway across the country, and I spent $350 at Target for random housewares - while I was loading the bags into my car in the Target parking lot, my bank called to make sure it was me. On the other hand, I've travelled to a number of different countries (often without notifying the bank), and I don't recall ever having a problem with my card.

I'll take a stab in the dark, and say it's because my card is through a large but local credit union, where they actually care about individual customers. I think the huge national outfits tend to care about customers in aggregate - if they can offer a better deal than everybody else (e.g. more cash back, or a "double" rewards card), then it doesn't matter if they lose you as a customer - they'll pick up two more to replace you. But that means that to maintain their margins, they have to catch fraud with a much higher false positive rate, because they can't afford any loss.

Re:This is why you call your bank before tourism

[stevel]

Another Chase fan here. Just after I arrived in Ireland for a two-week vacation this past May, I get a notice from Chase that they're canceling my card due to (actual) fraud and sending me a new one. Except that I was depending on the Chase card while I was in Ireland. Their CS was extremely helpful and suggested a setup where they'd authorize card-present transactions while I was in Ireland but block others (unless I explicitly authorized them.) (And then I was embarrassed when my card was declined in Ulster, but that was my fault because I wasn't in Ireland anymore - and they had asked what other countries I would be in.)

American Express has also been good about fraud detection and alerting me instantly, though on a previous European trip I noticed a whole slew of bogus charges to my card using a number that had been canceled two cards ago. Their explanation was that if it came through a processor that had done a valid transaction before (which had been the case), they'd let it go. No big deal to get it taken care of.

Re:This is why you call your bank before tourism

[demonlapin]

Chase really has wonderful service. Card declined? Call customer service, it immediately rings to an American call center with people who have the authority to fix your problem. Five minutes later, the transaction goes through.

Re:This is why you call your bank before tourism

[brxndxn]

This would probably fix 99.99% of all credit card fraud.. Will they do it? I doubt it. I swear there is somehow a business in allowing certain fraud. If there wasn't, the credit card companies wouldn't be so shitty in preventing it. Fucking Discover.. I travel a lot (usually within the states). I go to San Francisco and try to buy dinner for clients (after making a previous purchase successfully in San Fran).. DECLINED.. right in front of my clients. Make a phone call to Discover and they 'fix it' and I tell them I want my card to work. Then I go to pay the bar tab at LAX for a layover on my way back.. DECLINED.. right in front of everyone at the bar. It's so fucking annoying that I started carrying cash. Fuck these credit card companies.. I wish Bitcoin was accepted everywhere.

Re:This is why you call your bank before tourism

[IamTheRealMike]

Instead of rejecting the payment outright and freezing the card, text message my phone IMMEDIATELY and I can read a 6 digit code to the cashier to allow the transaction

How about an even better solution - insert your card into a reader, type in your PIN and that's the two factors right there. You know...... the system that's already used everywhere in the world except for America? It works pretty well. I think the USA is starting to roll it out now, albeit a slightly crippled form of it (they managed to take the 2-factor system everyone else uses and make it 1-factor).

Re:This is why you call your bank before tourism

[NostalgiaForInfinity]

I have to second these experiences: I found Bank of America and Citibank to be absolutely horrible and incompetent.

Re:This is why you call your bank before tourism

[mysidia]

they say that they are refusing the sale because they thing something about my account may trigger Paypal's fraud protection.

File a complaint with eBay. Report them as a Non-Performing seller which is an eBay Terms of Service Violation.

A completed sale is contractual, the seller must go through with the transaction, otherwise they are violating the contract and can even be sued by you.

Re:This is why you call your bank before tourism

[mjwx]

> The "fraud detection" is completely broken

I absolutely agree. They have THE WORST programmers/statisticians working on this.

How about adding a simple two-factor authentication? Instead of rejecting the payment outright and freezing the card, text message my phone IMMEDIATELY and I can read a 6 digit code to the cashier to allow the transaction. It isn't perfect, but that one simple step would make it about 90 percent better, more secure, and cut down on false positives. I swear this would increase customer satisfaction and increase the amount of money the credit cards make because they would then accept a higher number of legitimate transactions. What is wrong with that industry?

They'll never implement 2 factor auth because all the mouth breathing idiots will complain about it. Look at how many whinged when they talk about switching from signature to PIN (this has already happened in my country but the laggards still have a big cry about it). Its just too inconvenient.

I think the big players already have tried this (IIRC: Verified by Visa was the product name for Visa) but I haven't seen it in years because no-one wanted to use it.

The second issue with this is, if you make people jump through hoops to buy things, people will make fewer impulse purchases. A lot of the credit addled will go back to using cash because their bank has made it "too hard" as well.

You're right that 2 factor auth would kill 99.5% of credit card fraud, however it would kill a percentage of purchases and that cant be allowed. Right now it's cheaper to eat the costs of fraud than to lose a percentage of their fees. That is what is wrong with the industry.

Re: This is why you call your bank before tourism

[NostalgiaForInfinity]

I work in online/phone based sales and we have probably the best fraud prevention known in the US, but I'd like to see what YOU think that means.

As I was saying: "public key cryptography, one time card numbers, smart cards, pins, and instant notification". It means, among other things, that you don't ever get any credit card numbers or billing addresses. All you get is a one time code for a specific amount of money, valid for a limited amount of time and valid only for you. If anybody steals your customer and order database, they can't do anything with it. It also means that you can instantly verify that the payment is valid without contacting the credit card company.

On the customer side, it means that he needs to talk to his smart card credit card in order to generate that code, and that requires either a pin or even a second physical token. In addition, customers get notified of large charges as soon as they get generated (not when you process them), and optionally verify them via their phone.

HSBC are worse

[DCFC]

I have had serious problems with the aggressively incompetent HSBC 'fraud' detection.

The 'best' was when they claimed the reason they had (again) blocked my card was that a whole batch of cards had been compromised and it wasn't just my card.

Sadly for the liar at HSBC was I'm a tech journalist, so I immediately contacted their PR department who denied any knowledge of the breach.

It was just made up to make me go away.

Re:HSBC are worse

[west]

It's likely that your card was used at a location for which an abnormal number of cards were found to have been skimmed. This is usually the reason that a whole batch of cards get cancelled. ("Kill every card used at Joe's Gas Station between Monday and Thursday.")

Ten years ago, the US banks didn't want the expense of switching to EMV. The cost would be that Americans would have to expect to have several cards declined at any one time because of fraud-fighting measures. The banks knew this was the future.

As it was, as all the world's bank card fraud organizations migrated to the US, the US was compelled to switch anyway. (You never want to be the last vulnerable man standing.) They'd have been far better going a decade ago.

Text message on use

[sunderland56]

My CC sends me a text message whenever it is used. It's quick (usually arrives before I've signed the slip), it's free, and it doesn't need some stupid app installed with insane permissions. So, *I* can decide which transactions are bogus, instead of some computer algorithm; and when a truly bogus one does appear, I can notify the bank immediately. The bank can then concern themselves with actual proven bogus purchases, instead of thousands of "suspect" ones.

American Express

[LaoTzePhuuk]

I travel quite bit and I have found that American Express (AMEX) does the best job of fraud prevention & detecting bad transactions without losing the ability to use my card.
The only downside is how many merchants don't take AMEX at point of sale :(

Advice: Just cut up the card

I've had this happen a couple of times now. Once I even spent a half-hour on the phone, while traveling, with customer service trying to convince them that I was who I said I was. Gave up and cut up the card. Highly recommend just having a lot of accounts and ditching cards after a set time investment (e.g., ten minutes) trying to get them re-enabled.

It doesn't matter what we would like. All that matters is having enough people ditch their cards to wake the credit card companies up to their lost profits.

Re:Advice: Just cut up the card

[Martin+Blank]

Closing accounts can negatively affect your credit score by reducing available credit and time of oldest account (and possibly average age of accounts). If you try to maintain the same number of accounts, you also add to the number of applications, which is another negative against credit scores.

Chase cards text and email

[peon_a-z,A-Z,0-9$_+!]

My experience has been actually very good with Chase cards...

They decline the transaction then text you asking to reply "1" for Yes or "2" for No if it was you. Then you just reply "1" and repeat the transaction and it goes through.

Simultaneously they send an email with a green "yes" and a red "no" button that functions similarly.

Tell me about it

[ClickOnThis]

My pet frog used my card without me knowing. Do you have any idea what it costs to ship special-order flies, worms and a massively tricked-out terrarium from Bangkok?

Frog protection my ass.

No Bed of Roses

The person who used my cellphone number before I got it had such a deal, apparently, with her bank. Unfortunately, she never notified the bank that she no longer used that number, so I got frequent calls from Chase Bank asking her to respond to credit card activity. At first, I called Chase's response number to alert them to the problem, but after several fails, I simply took to refusing all credit requests made in her name.

I'm sure that her experience was even more annoying than mine was -- and mine went on for months, during which time I found out quite a lot about her personal buying habits.

Use cash.

Use cash.

Seriously. I remember when we could get on a flight, sit down, then have a purser come by and pay in cash for the flight.

OTOH, I let 2 of my credit card companies know where I'll be traveling - they have an online tool for that. Amex seems to figure it out, though I've had 3 different CC refused because they weren't chip-n-pin in Turkey (away from tourist areas). It was embarrassing to take 12 people to a business dinner at a nice restaurant and not be able to pay. Amex, Visa, MC all were refused. I made a stink about this to the MC company and 8 months later, I was part of their early test group. Also got screwed in Amsterdam having to wait in line to get a train ticket from the airport because non-chip-n-pin CCs weren't allowed at the train kiosks. 10 line. Should have just gotten on for free - nobody seems to check for tickets into town.

Also remember traveling around Japan before they started accepting CCards anywhere. Cash was it. It was a hassle to carry the equiv of US$1000 to be able to pay for hotels, but necessary.

Was in Seoul a few years ago - the subway token machines only accepted cash, but a cash machine was available about 50ft away. Got the feeling they didn't want to be accused of tracking riders by name. I dunno.

I still use cash whenever it makes sense for trivial purchases under US$50 - except in transfer airports when I don't have any local currency. That $3 cup of coffee while waiting for a connecting flight just isn't worth it. Also feel bad tipping in USD, but sometimes that is the difference for the bellboy - $0 or US$5.

Why no Chip Card Reader at home?

[west]

As EMV chip card readers get cheaper, I keep waiting for banks to offer an on-line verification service where they supply a chip card reader to the card owner, which can then be used to verify on-line transactions. After all, the system is already designed to survive the POS terminal being compromised, so the same should apply to what is effectively a home POS terminal.

even worse fraud detection:

[doug141]

I rented a huge U-haul on a citibank card. Day of the move, I was buying gas at gas stations every few hundred miles in a line across the US's major interstates. Citibank cut me off after 4 gas stations. Good thing I had a backup.

Its not actually your money...

[myowntrueself]

When you use a credit card you aren't actually spending your own money; you are borrowing money. Its no surprise they are antsy about fraud detection; its they who stand to lose the most.

Re:Next time it'll be cash

[Overzeetop]

Given that this is an area with a large opportunity for fraud (the manually added tip), it's not too surprising. I'd rather have a verification from my bank than find out that someone put an extra zero on the end two weeks later.

Which is why I never use debit

[Overzeetop]

People are always more careful with their own money. If I haven't paid my CC bill, the CC company is out that money. If it comes out of my bank account, I'm SOL until they get around to figuring it out. It's why I always decline when offered a debit card - WTF would I want *my* money on the line where a fraudulent transaction might occur?

my credit union calls me in seconds. Cashiers shou

[raymorris]

I've been happy with my credit union's fraud prevention and detection (which is outsourced to some company). Sometimes I'm 100 miles from home when I spend about $800 on electronics at Fry's or Microcenter. (The datacenter is 100 miles from my house, for now.) The transaction sometimes returns a "call to verify" code. The merchant COULD call, they are supposed to, but most cashiers just say "it didn't go through". This is a training issue on the merchants' side, in my opinion.

At the same time that the cashier is saying "it didn't go through", my phone rings. It's the fraud department calling to verify the purchase. The cashier re-runs the card and it works fine. It seems to mainly happen when buying from an electronics retailer, as I also remember the same thing at Best Buy. I'm fine with that. I know that if a crook gets my card, the bank is watching out.

Occasionally, they'll call about an internet purchase or some other purchase after it happens (fraud detection). It's quick and easy to verify the transaction.

I used to do another type of fraud prevention and detection, not directly related to credit cards, and I know our false positive rate was under 0.1%, probably under 0.01% - we stopped at least a thousand fraudulent instances for every one we declined in error.

Credit Cards

[ledow]

In the EU (but not the UK), banks will send you a text for EVERY credit card transaction. If there's a problem, you can contact the bank. It's also free.

Are you really telling me, in this day and age, that we can't have suspect transactions result in a text to your phone that you can then authorise - even before the web page refreshes?

Banking is so in the 1950s of computing that it's laughable. It's done deliberately in some circumstances to profit from charges, fees and the timings of clearing payments. But you can't claim fraud if you haven't taken SIMPLE measures against it.

Like asking the user to confirm suspect transactions using a secondary method (that can be phone for old people without mobile phones, text for those with phones, maybe even the bank's secure app if you so choose). Declining a card transaction because it comes from an unusual place is no longer a metric to decide on the suspicion assigned to a transaction. I've purchased from all over the world, especially in the run-up to Christmas when Amazon, eBay et al only stock the normal boring stuff and I want something a bit different.

In one instance, my Italian relative came over, went to a DIY store with us, paid for the transaction and KNEW BEFORE WE'D HIT THE DOORS that he'd been double-charged on his bank account. A text came through, then another, in a foreign country, before he'd even left the shop. And we were then able to cancel the second transaction.

Why the fuck isn't just this standard practice?

Re:my credit union calls me in seconds. Cashiers s

[TWX]

And I've had times where I was trying to pay for something basically essential and the card got rejected and I had to call. In my case it was buying automobile tires, on a Sunday because that's when the tires gave out and only a few tire places are open on Sundays, in my own city, and they decided to reject it.

I think that the fraud-detection algorithms need improvement.

CapitalOne Website Instructions

[Tokolosh]

1. Sign in to capitalone360.com.
2. Click on the 'My Accounts' tab.
3. Click '360 Checking' under the "Checking and Savings" section.
4. Go to the 'Debit Card' tab.
5. Click 'let us know' under the "Travel Plans" section.
6. Enter your Departing Date, Returning Date and locations for international travel.
7. Click 'Submit.'

Don't use 'em

[cascadingstylesheet]

I just don't use credit cards anymore.

'course, the bankruptcy helped with that decision ...

Re:my credit union calls me in seconds. Cashiers s

[ILongForDarkness]

Also the bank is on the hook for the fraud so they rightly so will be as tight as they can get away with without losing customers. This is why I always have at least $200 in my pocket at all times. Might not be enough for tires but can generally get me food, a place to stay and a ride home should anything go wrong.