Another Less-Than-Useless Service
Profit from credit card fraud
Marketing a service under the name of “Verify-Me-Now,” the company known as Ifbyphone is offering to “SLASH credit card fraud” with a simple telephone call. There’s a problem. They have no idea who their automated system is calling; it could be the real card holder or it could be a professional thief on a disposable cell phone. They do nothing to prevent credit card fraud.
I posted a comment to their Blog more or less hoping for some sort of explanation of how they knew they were calling the legitimate cardholder rather than whatever phone number the bad guy entered in their system. It’s no surprise to me that they didn’t approve my comment or respond to it.
Merchants beware
A telephone call and subsequent “verification” tell you nothing other than the person that generated the order has a telephone. Unless the phone call is made to the bank verified telephone number, you have gained nothing. Verify-Me-Now cannot do what they claim. It’s just that simple.
I’m sure that Ifbyphone has some very legitimate services but Verify-Me-Now isn’t one of them. Purchase the service if you want. The only thing you’ll be paying for is a false sense of security.
In response to the comment below you left on our blog:
“Tom Mahoney May 15th, 2008 at 3:32 pm
Ripoff artist! Your service proves what? That the person doing the order has a phone. Big deal. Unless you interface with the bank to verify against the phone number on file for the cardholder, you’ve done nothing.” Then our your own blog you wrote “It’s no surprise to me that they didn’t approve my comment or respond to it.”
First of all, please note that the comment was posted and we responded within an hour on our blog.
Secondly, the majority of credit card transactions require a telephone number and in fact the bank validates the phone number. The point of our service is that if someone steals your credit card (or even just your credit card number) it is very easy for them to obtain your telephone number.
Therefore, if the company places a call to your telephone number each time a transaction is completed they ensure the owner of the telephone is the person placing the transaction. Generally, with fraudulent transactions the thief is not going to enter his or her own number. Without entering the number he or she is at, the transaction will not go through.
This system, in fact, has a significant positive effect on transaction reliability.
In addition, if you have verified the telephone is being answered by the person placing the order you have an additional verification that the person in fact intended to make the purchase.
This is a valuable service at an affordable price for SMBs.
May 16th, 2008 at 10:04 amTom,
Your comment is on the blog, and was responded to in less than an hour. Not sure why you didn’t see it on the page.
I can speak from our own experience. Is it going to completely stop fraud? No, of course not. However, it has cut back on fraud on our site.
If a thief is trying to use stolen information, and has all relevant data on the card holder, and has a throw-away cell phone, then maybe verify-me-now won’t help in that specific instance. However, in the majority of cases we’ve seen, that is not the case. Once they realize they can be tied to the phone number, then they give up on that transaction.
Plus, if you check the number on record with the card company, you will know you’re tying back to the card holder. Plus, if it is stolen, and they enter the real number in, it will notify the card holder that someone who is not authorized is trying to use their card.
So I would respectfully disagree that it does not help.
May 16th, 2008 at 11:59 amYOU SAID:
Secondly, the majority of credit card transactions require a telephone number and in fact the bank validates the phone number. The point of our service is that if someone steals your credit card (or even just your credit card number) it is very easy for them to obtain your telephone number.
MY REPLY: Transactions do require a phone number but you do not interface with the bank, therefore the number entered on the transaction could easily be the bad guys - and if I was the bad guy I’d use my number and verify the transaction. And no, it’s not easy for them to get a cardholders phone number but if they did, they wouldn’t be dumb enough to use it.
YOU SAID:
Therefore, if the company places a call to your telephone number each time a transaction is completed they ensure the owner of the telephone is the person placing the transaction.
MY REPLY: Precisely my point! The owner of the telephone is tho one you call - even if it’s the bad guy.
YOU SAID:
Generally, with fraudulent transactions the thief is not going to enter his or her own number.
MY REPLY: Oh no? I know for a fact that a lot of our 3700 members would disagree from personal experience.
YOU SAID:
In addition, if you have verified the telephone is being answered by the person placing the order you have an additional verification that the person in fact intended to make the purchase.
MY REPLY: Well, yes. Duh! Of course the person placing the order intended to make the purchase! Good guy or bad guy.
Thank you for the comments. I’ll continue to denounce these call-back services as a rip until there is an interface to the issuing bank’s verified telephone number.
May 17th, 2008 at 3:32 pmPhysical security is an important component of any overall security implementation.
As I previously indicated, most if not all credit card clearing companies offer the ability to validate telephone numbers. However without our service they have no way of knowing if the owner of the telephone is the person making the purchase.
If the the credit card clearing company verifies that the phone number used is the phone number on file, then our service verifies that the phone is in the possession of the owner.
Knowing that the phone associated with the phone number used to verify the transaction with the credit card company is in the possession of the owner adds a key location dependent security component. We now know where the phone physically resides.
If the owner of the phone receives a call about a purchase they did not make, then will not have the pin and therefore will not approve the purchase.
In implementing any security solution we continually make tradeoffs, since we live in an imperfect world. Our solution which costs only pennies per transaction does not attempt to guarantee transaction security. It just adds another layer of protection at a very minimal cost.
May 18th, 2008 at 8:04 pmMr. Shapiro;
YOU SAID:
As I previously indicated, most if not all credit card clearing companies offer the ability to validate telephone numbers.
MY REPLY:
Do please enlighten me as to what issuers verify telephone numbers programmatically through API or other method. I’ve been fighting credit card fraud since 2001. That may not be as long as you have, but I have yet to hear of one that does. Merchants need to call and speak to a human to verify phone numbers. If you can provide me with evidence to the contrary, I will publicly eat my words and issue an apology. I don’t believe that you can.
YOU SAID:
However without our service they have no way of knowing if the owner of the telephone is the person making the purchase.
MY REPLY:
Unless you interface with the issuer to verify phone numbers, this is precisely my point! The owner of the telephone is the one you call - even if it’s the bad guy.
YOU SAID:
If the the credit card clearing company verifies that the phone number used is the phone number on file, then our service verifies that the phone is in the possession of the owner.
MY REPLY:
You keep saying that but please give me some indication that even one issuing bank will provide this information programmatically.
YOU SAID:
Knowing that the phone associated with the phone number used to verify the transaction with the credit card company is in the possession of the owner adds a key location dependent security component. We now know where the phone physically resides.
MY REPLY:
No sir, you do NOT know where the phone physically resides. Making that statement completely ignores such technology as VoIP, Skype and the others, and phone number portability.
YOU SAID:
If the owner of the phone receives a call about a purchase they did not make, then will not have the pin and therefore will not approve the purchase.
MY REPLY:
Do you really think ANYONE, either legitimate cardholder or carder, would make a purchase and give someone else’s phone number to verify the transaction? I think not.
YOU SAID: In implementing any security solution we continually make tradeoffs, since we live in an imperfect world. Our solution which costs only pennies per transaction does not attempt to guarantee transaction security. It just adds another layer of protection at a very minimal cost.
MY REPLY:
Your advertising claims that you can “SLASH” credit card fraud. OK - I’ll give you the benefit of your marketing department’s enthusiasm. I’m also well aware that we’re in an imperfect world, especially as it relates to credit card fraud. That doesn’t change the fact that I believe your “layer of protection,” if there is one at all, is considerably thinner than the layer of false sense of security you sell to your customers.
Mr. Shapiro, you’d make a good politician. You have the gift of dancing around an issue, pointing out the good stuff, but leaving out the one key point that changes the entire picture. Banks don’t verify phone numbers.
Prove me wrong. Please. I’d love to know there’s something out there that works.
May 18th, 2008 at 9:22 pmTom good catch,
What a joke of a service. We verify our own phone numbers with issuing banks. I am not going to go into the details of our own security practices here in public. I really don’t see the point in this service and the claims are all marketing oriented.
And yes, Shapiro, you should run for political office!
May 18th, 2008 at 10:18 pmI see tom’s point clearly.
Unless Mr Sharpiro can clearly explain how their service verify via API the telephone numbers listed on issuing bank’s cardholder database.
I dont think issuing banks will give this type of information to third party providers.
May 18th, 2008 at 10:40 pmAs a Merchant who always contacts the new customer at the phone number provided, I can say we have in fact been a victim on three occasions of the disposable phone problem.
CASE: Bad guy signs up for an account for web hosting with us and puts in what looks like valid information including a phone number. Credit Card passes AVS & CVV Verification. We call the phone number in the new customer signup and the bad guy answers the call and verifies all the information he gave in the online signup. We then proceed to setup and provision the account. 3 days later bad guy installs spamming software and proceeds to send out spam emails from his newly acquired account. We shut it off and call the bad guy on his phone. No Answer. About 6 weeks later we get a call from our merchant provider about an inquiry (starting process of a chargeback) We send them all of the information we have on the transaction and Merchant company sends us back information stating that the card belonged to a female in Northern California (San Jose), The phone number that we gave them DID NOT match the card holders information. The phone number was a 415 Area Code which matches the area, however upon our local police department making a subpoenaed request to TracFone and they reported that the phone was in the Boston area on the date we called it and was no longer turned on, probably thrown away. So this truly goes to show you that even a phone call DOES NOT eliminate fraud. I don’t trust any “System” unless it would integrate into the actual card holder’s information from the bank. We also don’t allow customers to sign up with free email accounts. Period! We have a list of over 1000 domains offering free email services, most of which do not verify ANYTHING!
Bottom line: I would NOT pay for this service UNLESS of course you would guarantee the service against chargebacks. Put YOUR money where your mouth is pal and we’ll talk. Until then Keep-it-Closed and stop ripping people off.
Cheers,
Darrel
May 18th, 2008 at 11:08 pmhttp://www.LasVegasWebHosting.com
I think the statement that the above service will work in most cases is a bit misleading. I am sure it will work in “most” cases, but it is also true that “most’ cases are good transactions. In most cases the AVS check will catch potential fraud, but it will also catch legitimate transactions too.
Fraud control is not easy and although some can be automated, there is no way to automate 100% of it and NOT loose legitimate sales. The cheapest and easiest fraud control on the market today (in my opinion) is Google Checkout. Google will approve the credit transaction and guarantee against fraud in “Most” cases too. Then you can check the remaining out yourself. The very nature of signing up for Google Checkout disqualifies the average thief.
May 18th, 2008 at 11:44 pmin case you haven’t noticed, the only people posting here or at the company’s blog at http://public.ifbyphone.com/blog/security/reduce-e-commerce-credit-card-fraud-via-phone-with-verify-me-now/ that think it has any value are the folks that are feebly trying to market this junk.
As I said back in January — http://www.merchant911.org/blog/index.php/2008/01/27/telephone-fraud-prevention-service/ — this “service” will fall flat on it’s face and fail.
May 19th, 2008 at 1:57 pmI wonder if these clowns are aware that it is illegal in the state of New York to use computerized phone calls. From what I have read this service is a joke. Just another way to rip-off Merchants. Thanks Tom for exposing these clowns for what they are, “Frauds”.
May 20th, 2008 at 12:16 pmApparently, Craigslist sees the value in such a service:
http://www.telecentrex.com/2008/04/10/craigslist-deploys-phone-verification.html
May 20th, 2008 at 6:00 pmNot sure how Craigslist’s use of the service relates to credit card fraud (and I’m sure they get plenty of it) but I’m attempting to contact them.
By the way, Derek posted from the same IP block as Khyle and IfByPhone, so I would hazard a guess that the three of them are all employees of this company. Note that Derek didn’t say this is their service - not that it matters.
And the back-pedaling on their Blog is priceless. Worthy of a comedy routine!
May 20th, 2008 at 9:09 pmOK… I’ll bite at this one.
Derek said “Apparently, Craigslist sees the value in such a service:”
Perhaps he didn’t expect us to actually read that short article… I read it as last I checked Craigslist listings are FREE.
1)They used a service to call the phone numbers associated with “Erotic Services” to stop unlawful activity. If someone is providing a number in one of these ads, they wyou… it is just my brain ill provide a number that allows them to sell their service. By calling that number you can discover the nature of their service… and discourage the use of your site for prostitution.
2) They used to do nothing to stop this… now they are doing something. a change should always be expected as you move from nothing to something. We however are using AVS, secure seals, hackersafe type services to check security of site etc… This service service does not offer us much/if any more.
3) I said craigslist was FREE, right? If they lose a customer they lose a big whopping… nothing. If the listing of one prostitute is successful, they make a big whopping…nothing.
Very misleading
May 21st, 2008 at 10:23 amStephen, I think Derek was grasping at straws. I don’t believe it’s their service and Craigslist clearly doesn’t use it for what Derek wants us to think they do.
These guys have used so many angles that they’re going in circles.
May 21st, 2008 at 11:01 pmTom,
You’re over complicating the function of the Telephone Verification Service.
The point is NOT that “bad guys” are physically unable to perform illegal transactions after Telephone Verification. Of course they can still use their own working telephone number to bypass the step.
The point IS that “bad guys” will tend to steer clear of providing their own traceable telephone number with a stolen credit card. It’s not worth the possibility of getting caught with the card or the information, and fraudsters would much rather eliminate that risk by going elsewhere where Telephone Verification is not present.
Additionally, the phone numbers that are used to verify a website’s users are stored with the service provider, and can be summoned when needed.
In other words, if a transaction is identified as being illegitimate, the Phone Verification company can look up the phone number that was used with that transaction, and submit it to the police.
And are you really acusing the creators of this service AND the customers of this service of thinking the whole thing through that much less than you? Do you think the company that makes these services just “made” it without considering whether or not it would work?
July 17th, 2008 at 4:00 pmBruno;
I don’t believe that I’m over complicating the function. I believe they are over simplifying it. They want their potential customers to believe that if they get a valid response to the call-back, all is peaches and cream, the order is valid, and they can feel comfortable about shipping the $900 camera. Most merchants that have been on line through a chargeback or two know better but the small, new merchant won’t. I’m just letting ‘em know it ain’t so.
Most of your comments would have SOME validity except that you’re forgetting VoIP phone, Disposable Cells, Vonage, and the list goes on. Bad guys just aren’t worried about being traced to a phone number any more. And do really think the police will do anything? If you’re a Merchant911 member and follow what’s going on, you surely know better! Law Enforcement’s response to on-line credit card fraud complaints is normally a shoulder shrug. But if you did get their attention - lots of luck proving in court that the phone number is owned by the bad guy AND was used by the bad guy AND was used with a bad card to make THAT transaction. I’m a former police officer. I know what a task that would be.
I’m certainly not accusing the creators of the service of not thinking this whole thing through. To the contrary, I’m sure they have. That’s why they have done nothing on this blog page - or theirs - but back pedal. Go back and read the comments they’ve posted. They have yet to post anything that reasonably counters any of my objections. And I’ve asked - no, challenged them - to do so. So far, the best they’ve come up with is that it’s used by Craigslist. But it’s not used as a credit card fraud prevention measure. Craigslist is free.
And, in case you haven’t noticed, there haven’t been too many comments in their defense except theirs.
July 17th, 2008 at 5:42 pmFair enough: proving the bad guy actually used the card, etc. would be an overwhelming task with little gratification. The police most likely would not follow through with it, unless there was sufficient evidence.
The focal point however, should be on the mind of the criminal, and how much confidence they would have on the issue. From their POV, the stakes are much higher than from ours. It’s their freedom we’re talking about here, not ours. Again, why would they risk it rather than moving somewhere else?
I did not forget about anonymous numbers - I just assumed it was well known that Telephone Verification(at least the one Cragslist uses) has the ability to identify and screen the type of phone the caller is calling from. They can block vOIP numbers from calling their service thus forcing the user to use a real phone.
The selling point for these companies is not directed at the actual credit card holders that are buying merchandise, doing transactions, etc. Its directed towards the businesses that the card holders make purchases from: their customers. When businesses know they can make a change to ensure their customers better service, less charge backs due to credit card fraud, less negative press due to child prostitution on their site(as in cragslist’s case), they have a strong incentive to make said change.
I don’t understand why everyone has been complaining so excessively about Craigslist, and I’m sorry I chose your forum to vent my thoughts on, it just has a more intelligent conversation than most and I feel like I will be understood.
If you (not Tom, universal “you”) are having a problem with Phone Verification, more particularly on Craigslist, then you probably are doing something you shouldn’t. If you aren’t a shady prostitute, then you are either a SPAMmer, or you are trying to advertise your personal business. Remember, Craigslist was not made for your own personal advertising convenience, it was made to introduce online bartering to a new level of convenience and access.
I don’t personally care, but keep in mind that complaining about the decrease of advertising opportunities on their site does absolutely zero to convince them to change anything.
July 17th, 2008 at 6:13 pm…Did you just delete the last comment I left?
July 17th, 2008 at 7:13 pmNo - I didn’t delete it. I just hadn’t gotten to approving it. I have a life beyond this blog ;-)
You said:
The focal point however, should be on the mind of the criminal, and how much confidence they would have on the issue. From their POV, the stakes are much higher than from ours. It’s their freedom we’re talking about here, not ours. Again, why would they risk it rather than moving somewhere else?
My Reply:
That may be true in some cases. It’s like the locked door - it makes it easier where there isn’t one. But if you hang out in the carder sites like I do (know thine enemy) you know that we’re primarily dealing with two elements here. One is the kid that doesn’t have enough sense to be nervous and the other are the organized crime members who are, quite frankly, more sophisticated abut such things than most merchants. They know they won’t get caught.
You said:
I did not forget about anonymous numbers - I just assumed it was well known that Telephone Verification(at least the one Cragslist uses) has the ability to identify and screen the type of phone the caller is calling from. They can block vOIP numbers from calling their service thus forcing the user to use a real phone.
My reply:
Again with Craigslist! They use the call back service to call the phone numbers associated with “Erotic Services” to stop unlawful activity - think prostitution. That’s a perfectly good use for a call-back service and I’m sure it does it quite well. But I repeat - Craigslist, as far as I know - does NOT use the service for credit card fraud prevention but Derek, believed to be an If-By_Phone employee, brought it up as an argument for it’s use in credit card fraud prevention. As to identifying VoIP numbers - Phone number portability has pretty much ruled that out at this point. But I guess my real point would be that If-By_Phone doesn’t do that with the call back service they market to merchants. They simply call the phone number given during the on-line purchase and get confirmation codes.
You said:
The selling point for these companies is not directed at the actual credit card holders that are buying merchandise, doing transactions, etc. Its directed towards the businesses that the card holders make purchases from: their customers. When businesses know they can make a change to ensure their customers better service, less charge backs due to credit card fraud, less negative press due to child prostitution on their site(as in cragslist’s case), they have a strong incentive to make said change.
My reply:
Last things first… See my previous paragraph. Craigslist and what they do do weed out porn, hookers, and pedophiles has absolutely NOTHING to do with the credit card fraud prevention claims of If-By-Phone or any other company. Secondly, I’m well aware that the marketing is toward businesses. But the service does not - and CANNOT - promise less chargebacks or better service.
You said:
If you (not Tom, universal “you”) are having a problem with Phone Verification, more particularly on Craigslist, then you probably are doing something you shouldn’t. If you aren’t a shady prostitute, then you are either a SPAMmer, or you are trying to advertise your personal business.
My reply:
July 17th, 2008 at 9:54 pmI have no problem with craigslist OR their use of If-By-Phone. PLEASE - ALL OF YOU - PAY ATTENTION: My only problem is with “If-By-Phone”s claims regarding credit card fraud prevention. I never even brought up craigslist; “If-By-Phone” did, in an attempt to defend themselves against something totally unrelated.
Read through all the comments posted thus far, I see Craigslist was mentioned as an adapter of telephone verification technology, but quickly dismissed because they don’t use it for credit card verification purposes. I would like to add that Google also has adapted telephone verification for sign ups of it’s adsense program, https://www.google.com/adsense/support/bin/answer.py?hl=en&answer=32055. Same as Craigslist, Google isn’t using it to verify whether the credit card information is stolen or not. They use it to “ensure that your that your information is accurate and up-to-date”. Why does Google care if your personal information is accurate or up-to-date?
Also note that Google states “rotary phones, VoIP numbers and extensions do not work”. As with Craigslist, Google must believe that when a new signup uses personal information that is accurate and up-to-date, it decreases the chance that the account will be used for fraudulent purposes. In a nutshell, this is the purpose of telephone verification.
People use the Internet to make a purchase because it’s convenient. Most credit card issuers use a customer’s home telephone number for record. If phone verification only called the telephone number on record with the credit card, it would severely limit where customers place their order, thus eliminating much of the purchasing convenience Internet customers are accustomed to. So limiting legitimate customers choices doesn’t seem like a good policy for any online merchant. So you’re example of using phone verification to verify the actual card holder’s telephone number would not be an attractive solution to most online merchants.
In most cases, orders placed online with stolen credit card information do not ship to the billing address that’s on the card. So if a merchant’s only concern is to prevent credit card fraud, then why don’t merchants choose to only ship orders to the billing address on record with the credit card being used? Wouldn’t a policy like this help the merchant eliminate or at least drastically reduce credit card fraud?
The point is, there’s a balance between verification and convenience. You can make customers jump through hoops to buy, which helps with fraud, but turns people off. Likewise you make it really easy to buy, but then risk your business to fraud. The goal is to deter while still making it easy to buy. If a thieve wants to buy a $900 camera with stolen credit card information and has 5 choices on where to buy it, but two use telephone verification, chances are they’ll opt to use one of the other 3 who aren’t using any verification. If you can agree to that, then you must agree that telephone verification does indeed deter fraud.
July 21st, 2008 at 2:28 pm