Credit Card Fraud Prevention for Merchants


  1. 1
    Lezlee Says:

    I don't believe they are going to start thinking until they are held accountable. They are careless and the merchants are forced to pick up the tab.

  2. 2
    FPS Says:

    Merchants are to be united and together fight the fraudsters. Sharing information and common databases is the only means... We should not expect any assistance from government/VISA/whoever. Actually, we are the power and we are to set rules in this game.

  3. 3
    Anonymous Says:

    As an online merchant who conducts 100% of his business CNP - "card not present", what really blows my mind is why ANY merchant would keep PIN numbers and complete credit card numbers in their database after transactions have been finalized. There is no need to do this, and it just exposes the merchant to attack. In fact, it greatly increases the risk to their reputation should they be hacked, in addition to the potential legal liability. We keep no card data on our servers; I sleep well at night.

  4. 4
    Anonymous Says:

    Some of us do recurring billing or subscription type payments for customers. We have to store card information, but must do so RESPONSIBLY.

    Credit card numbers, (but not CVV), are stored encrypted and require a corresponding encryption key be present on the 'local' computer to view the number. In addition, access to this interface is limited to a static single IP address - mine. If anyone tries to access from any other IP or without the corresponding encryption key installed on their computer, they can not see anything.

    Heck, even the customer can not SEE the CC number we have on file for them.

    We do about $4,000 a month in recurring billings so not storing credit card numbers is not an option.
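
The storage scheme this commenter describes (card numbers encrypted at rest, the key held off the server and supplied by the operator, decryption limited to a single address, nothing but a masked number ever shown to the customer, and no CVV kept at all) sketched in Go. This is an added example, not code from the commenter or from Merchant911; the vault type, the 203.0.113.10 operator address and the 4111111111111111 test number are constructed for the illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// StoredCard is the database record kept for recurring billing. The PAN
// exists only as AES-GCM ciphertext; there is no CVV field by design.
type StoredCard struct {
	Last4      string // enough for a customer to recognise the card on file
	ExpMonth   int
	ExpYear    int
	Nonce      []byte
	Ciphertext []byte
}

// Vault maps tokens to records. The key is deliberately not a field: callers
// supply it on each use, so a copy of the database alone is unreadable.
type Vault struct {
	records   map[string]StoredCard
	allowedIP string // the one address permitted to decrypt
}

func NewVault(allowedIP string) *Vault {
	return &Vault{records: map[string]StoredCard{}, allowedIP: allowedIP}
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // 16, 24 or 32-byte key
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Store encrypts the PAN and returns an opaque token for the billing job.
// There is no CVV parameter: it is needed for the initial authorisation only.
func (v *Vault) Store(key []byte, pan string, expMonth, expYear int) (string, error) {
	if len(pan) < 13 || len(pan) > 19 {
		return "", errors.New("invalid card number length")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	raw := make([]byte, 16)
	rand.Read(raw)
	token := hex.EncodeToString(raw)
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce)
	// The token is bound in as associated data, so a ciphertext copied onto
	// another customer's record fails to authenticate.
	ct := gcm.Seal(nil, nonce, []byte(pan), []byte(token))
	v.records[token] = StoredCard{pan[len(pan)-4:], expMonth, expYear, nonce, ct}
	return token, nil
}

// Reveal decrypts a PAN for a billing run. It fails without the right key
// and refuses callers outside the single allowed address.
func (v *Vault) Reveal(key []byte, token, callerIP string) (string, error) {
	if callerIP != v.allowedIP {
		return "", errors.New("caller address not permitted")
	}
	rec, ok := v.records[token]
	if !ok {
		return "", errors.New("unknown token")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	pt, err := gcm.Open(nil, rec.Nonce, rec.Ciphertext, []byte(token))
	if err != nil {
		return "", errors.New("decryption failed: wrong key or tampered record")
	}
	return string(pt), nil
}

// Masked is all a customer-facing page ever receives.
func (v *Vault) Masked(token string) (string, error) {
	if rec, ok := v.records[token]; ok {
		return "**** **** **** " + rec.Last4, nil
	}
	return "", errors.New("unknown token")
}

func main() {
	key := make([]byte, 32)
	rand.Read(key) // in practice held on the operator's machine or an HSM, never beside the data
	v := NewVault("203.0.113.10") // constructed operator address
	tok, _ := v.Store(key, "4111111111111111", 12, 2030) // well-known test number
	m, _ := v.Masked(tok)
	_, ipErr := v.Reveal(key, tok, "198.51.100.7") // wrong address: refused
	fmt.Println(m, "|", ipErr)
}
```

The decryption key is passed into every call rather than stored in the vault, which is the property the commenter relies on: someone who copies the database, or reaches the interface from any address but the permitted one, gets ciphertext and an error, and the customer-facing path only ever touches the last four digits.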

  5. 5
    mike Says:

    I think that it is only a matter of time. The anger and resentment brewing with Merchants over fraud and overzealous chargebacks, makes merchants look for a better solution. Just look at eBay. They created PayPal, which almost forces the user to pull funds from their checking account with ACH, instead of credit cards. Merchants are going to drive this. Credit card companies don't give a damn about their merchants, who pay them billions of dollars every year.

  6. 6
    Brian Says:

    They had at least 3 problems to solve:

    1) Card-present transactions on latest card terminals (ie: cash registers)
    2) Card-present transactions on legacy (most) card terminals
    3) Card-Not-Present transactions

    Unless you plug up all 3 systems at the same time, you will only move fraud to other systems, rather than actually reducing it (assuming the technology actually works in the first place).

    1/3 of a solution isn't a solution. It's hardly a finger in the dike.

  7. 7
    Anonymous Says:

    Compile a Top 10 list every year. This way you get to highlight 10 dumb companies and anoint one of them #1. Media outlets will eat this list up.

  8. 8
    Anonymous Says:

    Why not have either an honorable mention or possibly a graduated scale from "dimwit" to "numbskull" to "How did management last this long"?

  9. 9
    Anonymous Says:

    Isn't it time that we used a more sophisticated system to prove identity? All it takes is my SIN, phone number, address, birthday and mother's maiden name for me to prove who I am. This information, in effect, is my identity "password".
    The trouble is that I must disclose my "password" to everyone I need to prove my identity to, and now they and anyone else who looks over their shoulder, or takes their laptop, or breaks into their network, can prove they are me. While it may be true that these companies have not taken proper precautions to safeguard important information, I think that the fundamental identity system is flawed - it is just too easy to break.

    I propose that we move to a central, government run database of fingerprints and / or identity passwords. In order to prove my identity I would have to use a special, tamper-proof scanner to enter my finger print or password. It may be that for important documents, such as a mortgage, I would have to go to one of several "depots" where I would see a copy of the document I am trying to sign, and I would have to prove my identity at the depot with my fingerprint. This may be inconvenient, but at least I am protected against someone else impersonating me and putting a mortgage on my house!

  10. 10
    Merchant911 Says:

    Let me get this straight. You want the Gub'ment to run this thing?

    Aren't they the ones that just lost 31.2 million social security numbers? Is this the same government that has printed "Not to be used for identification purposes" on social security cards for years but allows it to continue?

    Not necessarily a bad idea, but let's let someone else run it. At least with private enterprise, we can punish them if they mess it all up.

  11. 11
    Piggie Says:

    Tom,

    I think you should not only do a top 10 list but generate a small web site of a few pages to honor the list. More likely to get picked up by the search engines. The members of 911 could put a small link to it from home pages or anywhere. Google and the likes would find it.

    Now it just needs a catchy name and keywords so people actually enter it on searches.

    A small donation of $5 from 6 to 12 members would cover a year's costs. I would volunteer to host it but last time I hosted a site like this I just drew flies to the site causing too many hits from nefarious computers.

  12. 12
    Rick Says:

    Your post implies that there is actually 'some' evidence of issuers changing chargeback reason codes to avoid fraud liability.

    However it seems you are simply using circumstantial evidence (the presence of fines) to 'assume' that the fines must be there because the rules have been broken in the past. This is extremely thin logic.

    If you examine how issuing bank call centers operate, you can understand how it is extremely difficult for them to defraud the payer authentication system.

    A cardholder calls in to initiate a chargeback, claiming fraud, which is then categorized by the customer service operator as Visa Chargeback Reason Code 83. At this time, the operator does not know a) whether the cardholder is enrolled in Verified by Visa or b) whether the cardholder was shopping online at a website that was actively participating in Verified by Visa. The operator, an entry-level position, simply keys in the customer's reason and goes on to the next call. Later, not in real-time, the chargeback is submitted to Visa for review, and it is at this time that transaction details are examined and it is determined that the Merchant was actively using VbV on their site and is not liable for the transaction. This then gets kicked back to the issuer. It is now impossible for the issuer to re-submit the chargeback under a different reason code, as an electronic paper-trail has been established that would expose this behavior. Consider also that US cardholder enrollment in VbV is only at about 3-5% overall. This would require a huge amount of effort on a relatively small population of cardholders to avoid liability.

  13. 13
    Merchant911 Says:

    Extremely thin logic is still logic. The fact remains that Visa and MC saw the potential for the problem and, at least potentially, fixed it.

    However it goes further than that. At merchant911.org several of our members have presented evidence that this has happened.

    Remember there is a very fine line between "I didn't make the charge" and "I don't recognize the charge." The former is subject to VbyV block, the latter is not. The merchant may prevail on rebuttal, but the chargeback fees stick. That's what it's all about - getting the fees. $550 million give or take a few.

  14. 14
    Ed Dickson Says:

    Very telling post. Thanks for leading me here, interesting blog!

  15. 15
    Leksus Says:

    I think chargeback initiated for "I don't recognize the charge" reason is actually a reason code 75 which in fact is covered. Check it here:
    http://www.cardinalcommerce.com/Newsletter/CardinalNews%20-%20February2006.htm
    However, there are rumors that Visa International recently downgraded all non-US transactions for US merchants from ECI06 to 07, which means no liability shift.

  16. 16
    Anonymous Says:

    You know that if a smaller merchant had done this their ability to accept credit cards would be suspended and they would never be able to take another card ever.
    But since it is one of the big boys, they will get a fine they can afford and most likely get a better discount rate than they had before because they are in compliance.

    Jeffrey R. Collins
    NerdBoyInc.com

  17. 17
    Evan Schuman Says:

    There are actually several reasons for the lack of public pushback. As you correctly point out, the zero liability plans from the credit card companies plays a huge role.
    But other roles are probably just as influential:
    1) Media coverage. Those of us who track the retail technology space have a distorted media perspective. Headlines in the tradepress and some business publications have been numerous. But if you limit your reading to consumer dailies--even the major metro ones, such as the L.A. Times, the Chicago Tribune, the Philadelphia Inquirer, Miami Herald, Detroit News, etc.--you would have seen a story on the front of the business section from time to time, but that's it. For the daily newspaper-reading consumer, it was a VERY easy story to miss if you weren't already focused there (which most consumers aren't).
    Sadly, many consumers do not read their regional daily. If their news comes solely from television and radio broadcasts, the TJX reports were even more scarce, although they were out there. Again, they were very easy to miss.
    What if they relied on the Internet for their news? TJX rarely made the homepage story for Yahoo News and other consumer media sites. If you had preset search terms dealing with TJX or retail security or credit card security, you would have seen a lot, but few consumers would have done so. (Web news is quite good at telling people about the topics they care about, but much less effective for telling them things they didn't expect, until then the two six news stories of the day.)
    And, of course, many Americans see little to no news at all on a regular basis.
    In short, a lot didn't know about it.
    2) The TJX Name.
    Even for those who had heard about the TJX coverage, most of the stores do not trumpet the name of the corporate parent. TJMaxx's name is slightly different. Beyond that, of the handful of consumers who HAD heard about--and remembered--the coverage of TJX's troubles, how many connected it with Marshalls, HomeGoods, A.J. Wright, Bob's or their other branded stores? If the breach had been with CircuitCity--which uses CircuitCity as the name for all of its stores--the results MIGHT have been slightly different.

  18. 18
    Neon Says:

    And then people are surprised that credit card numbers are offered in India in bulk quantity.
    http://www.vondar.com

  19. 19
    kaye Says:

    One reaction to the TJX situation was the passage of a law in Minnesota, and attempts to pass similar bills in other states, that imposes much more liability on merchants. The MN bill (CHAPTER 108-- H.F.No. 1758, effective 8/1/07 and 8/1/08) makes a merchant liable for retention of data contrary to law, including data retained by its service provider (payment card processor). That liability includes, among other things, liability for any fraudulent charges made to the card. The MERCHANT is liable for any fraudulent charges made on a customer's card as a result of a data breach of the merchant's service provider if the service provider retained certain specified data subsequent to authorization. Suppose a merchant's provider retained such data, there was a breach that was not discovered for some time, the issuing financial institution did not have fraud prevention checking in place, and the card holder did not become aware of the problem until the card was maxed out. The merchant is responsible for all those charges. Why in the world would any merchant accept a card from a Minnesota resident under those conditions? The merchant risk for a minor purchase is potentially thousands of dollars.

  20. 20
    JS Says:

    For Canadians,
    You can get your credit reports from http://www.equifax.ca and http://www.transunion.ca - you can pay each to get your report online immediately, or you get them free by printing their PDF request forms and mailing them in via Canada Post. There's also Experian at creditbureau.ca - you can pay to get your report online immediately, or you can get it free by sending a letter by fax or mail via Canada Post (they only provide a list of the info needed; no actual form). Here are the direct links for requesting free reports:
    http://www.equifax.com/EFX_Canada/consumer_information_centre/docs/request_report_form_e.pdf
    http://www.transunion.ca/docs/personal/Consumer%20Disclosure%20Request%20Form%20_en.pdf
    http://www.creditbureau.ca/ENGLISH/Requested_Info.htm

  21. 21
    ChelleMToo Says:

    I know the topic here is mostly credit card fraud and online safety, but I just want to throw this out there. Good ol' paper checks are no more secure than advertising your bank routing and account number on a billboard somewhere.

    Our business almost got banged with fraud because someone (obviously we don't know who) got his hands on a check - hey, it may even be one we mailed to him - created a fake check, and tried to cash it at the bank. Even had a fairly good representation of one of our signers. Only thing he did wrong was use a check number that had already been negotiated. So the bank caught it - but not him. Had he just added about 100 to the check number, it probably would have gone through.

    Nothing is really safe anymore. So a stamp may not be the best insurance you can buy. Although it probably is the best you'll buy for $0.41.

  22. 22
    OnlienBob Says:

    Hello Tom

    I have been able to get processors for TMF Clients.
    Won't know about this client until we talk!

    No cost for trying.

    Thanks, OnlineBob

  23. 23
    Andrew Aitchison Says:

    I'd heard of the British army losing a laptop containing soldiers' personal data http://news.bbc.co.uk/1/hi/uk/7197628.stm
    the UK driving licence records going missing in the US http://news.bbc.co.uk/1/hi/uk_politics/7147715.stm
    and our tax authority losing 25 million child benefit records http://news.bbc.co.uk/1/hi/uk_politics/7199658.stm
    but I'd never heard about this one.

    I think the UK press/readers are more interested in criticising the government than the banks for their use and misuse of data.

    There is massive opposition to the UK government's plan to impose ID cards (backed by a national database) on us, so any actual misuse of government data is going to make a popular story here.

  24. 24
    Malcolm Says:

    I was just reading this, and had to do a verification as we here do them manually, and the fraudster on the phone told me it was a BOA card, and I did not believe a word from his mouth because he was just too fishy, and called me from another cell number because the one on the order was disconnected. Well after calling the card in, I find out it is a WAMU card and I am glad I called it in because it was a 1k item this person ordered via our reps! I told them to contact the cust and let them know that the card they have has been possibly breached! Has there been a breach at WAMU or are they just lax on the security?

  25. 25
    Tom Mahoney Says:

    At this point, there is no reason to suspect a breach. Lax security appears to be the problem in the one case reported.

    Did your transaction pass AVS?

    Your situation proves the point that we make at Merchant911 all the time - never use the phone number supplied with the transaction to contact the 'customer.' Use the bank verified phone number! Any bad guy can give you their disposable cell number and give you the right answers.

  26. 26
    Malcolm Says:

    The trans did pass AVS all the way. If not for the fact that I use my gut as much as my skills, this dude would have gotten a 1k stroller from us. I just thought it interesting that the same thing happened basically and it was a WAMU card too. I always scrutinize orders that use cell numbers as a contact medium, especially if it is shipping to a different address. Same goes for a free email account. I appreciate all the helpful hints and articles provided via Merchant911, it has always been an invaluable resource for me.

  27. 27
    one hell of a telemarketer Says:

    hey, i read your article about ID theft inspect premier from washington mutual. well, i once worked for a third party that calls WaMu clients to sell this id theft... yup, we do get incentives for every SALE we get... you know, calling you like 5 times a day and telling you about "this great new program" and stuff like that until our clients shout and say "DO NOT CALL!", "TAKE ME OFF THE LIST!"... haha.. i should say, i was pissed off and i resigned.

  28. 28
    SoftCard Vendor Exposing Card Numbers | Merchant911 Blog Says:

    [...] Vendor Exposing Card Numbers I blogged about this back in Early March, but I’m going to do it again. Yes, it’s THAT [...]

  29. 29
    Evan Francen Says:

    Excellent article Tom!

  30. 30
    Ifbyphone Says:

    In response to the comment below you left on our blog:

    “Tom Mahoney May 15th, 2008 at 3:32 pm
    Ripoff artist! Your service proves what? That the person doing the order has a phone. Big deal. Unless you interface with the bank to verify against the phone number on file for the cardholder, you’ve done nothing.” Then on your own blog you wrote "It’s no surprise to me that they didn’t approve my comment or respond to it."

    First of all, please note that the comment was posted and we responded within an hour on our blog.

    Secondly, the majority of credit card transactions require a telephone number and in fact the bank validates the phone number. The point of our service is that if someone steals your credit card (or even just your credit card number) it is very easy for them to obtain your telephone number.

    Therefore, if the company places a call to your telephone number each time a transaction is completed they ensure the owner of the telephone is the person placing the transaction. Generally, with fraudulent transactions the thief is not going to enter his or her own number. Without entering the number he or she is at, the transaction will not go through.

    This system, in fact, has a significant positive effect on transaction reliability.

    In addition, if you have verified the telephone is being answered by the person placing the order you have an additional verification that the person in fact intended to make the purchase.

    This is a valuable service at an affordable price for SMBs.

  31. 31
    Khyle Says:

    Tom,

    Your comment is on the blog, and was responded to in less than an hour. Not sure why you didn't see it on the page.

    I can speak from our own experience. Is it going to completely stop fraud? No, of course not. However, it has cut back on fraud on our site.

    If a thief is trying to use stolen information, and has all relevant data on the card holder, and has a throw-away cell phone, then maybe verify-me-now won't help in that specific instance. However, in the majority of cases we've seen, that is not the case. Once they realize they can be tied to the phone number, then they give up on that transaction.

    Plus, if you check the number on record with the card company, you will know you're tying back to the card holder. Plus, if it is stolen, and they enter the real number in, it will notify the card holder that someone who is not authorized is trying to use their card.

    So I would respectfully disagree that it does not help.

  32. 32
    Tom Mahoney Says:

    YOU SAID:
    Secondly, the majority of credit card transactions require a telephone number and in fact the bank validates the phone number. The point of our service is that if someone steals your credit card (or even just your credit card number) it is very easy for them to obtain your telephone number.

    MY REPLY: Transactions do require a phone number but you do not interface with the bank, therefore the number entered on the transaction could easily be the bad guy's - and if I was the bad guy I'd use my number and verify the transaction. And no, it's not easy for them to get a cardholder's phone number but if they did, they wouldn't be dumb enough to use it.

    YOU SAID:
    Therefore, if the company places a call to your telephone number each time a transaction is completed they ensure the owner of the telephone is the person placing the transaction.

    MY REPLY: Precisely my point! The owner of the telephone is the one you call - even if it's the bad guy.

    YOU SAID:
    Generally, with fraudulent transactions the thief is not going to enter his or her own number.

    MY REPLY: Oh no? I know for a fact that a lot of our 3700 members would disagree from personal experience.

    YOU SAID:
    In addition, if you have verified the telephone is being answered by the person placing the order you have an additional verification that the person in fact intended to make the purchase.

    MY REPLY: Well, yes. Duh! Of course the person placing the order intended to make the purchase! Good guy or bad guy.

    Thank you for the comments. I'll continue to denounce these call-back services as a rip until there is an interface to the issuing bank's verified telephone number.

  33. 33
    Irv Shapiro Says:

    Physical security is an important component of any overall security implementation.

    As I previously indicated, most if not all credit card clearing companies offer the ability to validate telephone numbers. However without our service they have no way of knowing if the owner of the telephone is the person making the purchase.

    If the credit card clearing company verifies that the phone number used is the phone number on file, then our service verifies that the phone is in the possession of the owner.

    Knowing that the phone associated with the phone number used to verify the transaction with the credit card company is in the possession of the owner adds a key location dependent security component. We now know where the phone physically resides.

    If the owner of the phone receives a call about a purchase they did not make, then they will not have the pin and therefore will not approve the purchase.

    In implementing any security solution we continually make tradeoffs, since we live in an imperfect world. Our solution which costs only pennies per transaction does not attempt to guarantee transaction security. It just adds another layer of protection at a very minimal cost.

  34. 34
    Tom Mahoney Says:

    Mr. Shapiro;

    YOU SAID:
    As I previously indicated, most if not all credit card clearing companies offer the ability to validate telephone numbers.

    MY REPLY:
    Do please enlighten me as to what issuers verify telephone numbers programmatically through API or other method. I've been fighting credit card fraud since 2001. That may not be as long as you have, but I have yet to hear of one that does. Merchants need to call and speak to a human to verify phone numbers. If you can provide me with evidence to the contrary, I will publicly eat my words and issue an apology. I don't believe that you can.

    YOU SAID:
    However without our service they have no way of knowing if the owner of the telephone is the person making the purchase.

    MY REPLY:
    Unless you interface with the issuer to verify phone numbers, this is precisely my point! The owner of the telephone is the one you call - even if it’s the bad guy.

    YOU SAID:
    If the credit card clearing company verifies that the phone number used is the phone number on file, then our service verifies that the phone is in the possession of the owner.

    MY REPLY:
    You keep saying that but please give me some indication that even one issuing bank will provide this information programmatically.

    YOU SAID:
    Knowing that the phone associated with the phone number used to verify the transaction with the credit card company is in the possession of the owner adds a key location dependent security component. We now know where the phone physically resides.

    MY REPLY:
    No sir, you do NOT know where the phone physically resides. Making that statement completely ignores such technology as VoIP, Skype and the others, and phone number portability.

    YOU SAID:
    If the owner of the phone receives a call about a purchase they did not make, then they will not have the pin and therefore will not approve the purchase.

    MY REPLY:
    Do you really think ANYONE, either legitimate cardholder or carder, would make a purchase and give someone else's phone number to verify the transaction? I think not.

    YOU SAID: In implementing any security solution we continually make tradeoffs, since we live in an imperfect world. Our solution which costs only pennies per transaction does not attempt to guarantee transaction security. It just adds another layer of protection at a very minimal cost.

    MY REPLY:
    Your advertising claims that you can "SLASH" credit card fraud. OK - I'll give you the benefit of your marketing department's enthusiasm. I'm also well aware that we're in an imperfect world, especially as it relates to credit card fraud. That doesn't change the fact that I believe your "layer of protection," if there is one at all, is considerably thinner than the layer of false sense of security you sell to your customers.

    Mr. Shapiro, you'd make a good politician. You have the gift of dancing around an issue, pointing out the good stuff, but leaving out the one key point that changes the entire picture. Banks don't verify phone numbers.

    Prove me wrong. Please. I'd love to know there's something out there that works.

  35. 35
    Richard Sarver Says:

    Tom good catch,

    What a joke of a service. We verify our own phone numbers with issuing banks. I am not going to go into the details of our own security practices here in public. I really don't see the point in this service and the claims are all marketing oriented.

    And yes, Shapiro, you should run for political office!

  36. 36
    Ecomex Says:

    I see tom's point clearly.

    Unless Mr Shapiro can clearly explain how their service verifies via API the telephone numbers listed on the issuing bank's cardholder database.

    I don't think issuing banks will give this type of information to third party providers.

  37. 37
    Darrel Says:

    As a Merchant who always contacts the new customer at the phone number provided, I can say we have in fact been a victim on three occasions of the disposable phone problem.
    CASE: Bad guy signs up for an account for web hosting with us and puts in what looks like valid information including a phone number. Credit Card passes AVS & CVV Verification. We call the phone number in the new customer signup and the bad guy answers the call and verifies all the information he gave in the online signup. We then proceed to set up and provision the account. 3 days later bad guy installs spamming software and proceeds to send out spam emails from his newly acquired account. We shut it off and call the bad guy on his phone. No Answer. About 6 weeks later we get a call from our merchant provider about an inquiry (starting the process of a chargeback). We send them all of the information we have on the transaction and the Merchant company sends us back information stating that the card belonged to a female in Northern California (San Jose). The phone number that we gave them DID NOT match the card holder's information. The phone number was a 415 Area Code which matches the area; however, when our local police department made a subpoenaed request to TracFone, they reported that the phone was in the Boston area on the date we called it and was no longer turned on, probably thrown away. So this truly goes to show you that even a phone call DOES NOT eliminate fraud. I don't trust any "System" unless it would integrate into the actual card holder's information from the bank. We also don't allow customers to sign up with free email accounts. Period! We have a list of over 1000 domains offering free email services, most of which do not verify ANYTHING!

    Bottom line: I would NOT pay for this service UNLESS of course you would guarantee the service against chargebacks. Put YOUR money where your mouth is pal and we'll talk. Until then Keep-it-Closed and stop ripping people off.

    Cheers,

    Darrel
    http://www.LasVegasWebHosting.com
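
An order-screening routine in the spirit of Darrel's case and the advice running through this thread: AVS and CVV failures as hard stops, a free-mail domain list, the buyer-typed phone number used only as a hint (never as verification), and soft signals accumulating into a hold for manual review. This is an added example, not code from Darrel, Merchant911 or any processor; the response codes, point values, domain list and ZIP/area-code tables are constructed assumptions, and it generalises his single case into a scoring rule.

```go
package main

import (
	"fmt"
	"strings"
)

// Order is what a merchant knows at screening time. AVSResult/CVVResult are
// the processor's codes: "Y" full AVS match, "M" CVV match, "N" no match
// (confirm against your own processor's code table).
type Order struct {
	Email       string
	Phone       string // typed by the buyer: a hint, never a verification
	BillingZIP  string
	ShippingZIP string // empty for services with nothing to ship
	AVSResult   string
	CVVResult   string
}

type Decision string

const (
	Accept Decision = "accept"
	Review Decision = "review" // hold for a human to verify with the issuer
	Reject Decision = "reject"
	reviewThreshold = 20
)

// Points per signal: 100 is a hard stop; reviewThreshold or more is held.
var points = map[string]int{
	"cvv_mismatch": 100, "avs_mismatch": 100, "avs_partial": 15,
	"free_email_domain": 20, "ship_to_differs": 15, "phone_region_mismatch": 15,
}

// Constructed reference data: a production free-mail list runs to over a
// thousand domains, and ZIP/area-code geography comes from a real table.
var (
	freeEmailDomains = map[string]bool{"freemail.example": true, "webmail.example": true}
	zip3ToState      = map[string]string{"021": "MA", "941": "CA", "951": "CA", "891": "NV"}
	areaCodeToState  = map[string]string{"617": "MA", "415": "CA", "408": "CA", "702": "NV"}
)

// emailDomain returns the part after the last "@", lower-cased.
func emailDomain(e string) string { return strings.ToLower(e[strings.LastIndex(e, "@")+1:]) }

// areaCode extracts the NANP area code from a number as the buyer typed it.
func areaCode(phone string) string {
	digits := strings.Map(func(r rune) rune {
		if r >= '0' && r <= '9' {
			return r
		}
		return -1
	}, phone)
	digits = strings.TrimPrefix(digits, "1") // country code; NANP area codes never start with 1
	if len(digits) != 10 {
		return ""
	}
	return digits[:3]
}

// Screen returns the decision, the score and the signals that fired. AVS/CVV
// failures are hard stops; softer signals add up, so an order can pass both
// checks (as Darrel's did) and still be held for review.
func Screen(o Order) (Decision, int, []string) {
	var sig []string
	if o.CVVResult == "N" {
		sig = append(sig, "cvv_mismatch")
	}
	if o.AVSResult == "N" {
		sig = append(sig, "avs_mismatch")
	} else if o.AVSResult != "Y" {
		sig = append(sig, "avs_partial") // e.g. ZIP matched, street did not
	}
	if freeEmailDomains[emailDomain(o.Email)] {
		sig = append(sig, "free_email_domain")
	}
	if o.ShippingZIP != "" && o.ShippingZIP != o.BillingZIP {
		sig = append(sig, "ship_to_differs")
	}
	if len(o.BillingZIP) >= 3 {
		bs, ps := zip3ToState[o.BillingZIP[:3]], areaCodeToState[areaCode(o.Phone)]
		if bs != "" && ps != "" && bs != ps {
			sig = append(sig, "phone_region_mismatch")
		}
	}
	score := 0
	for _, s := range sig {
		score += points[s]
	}
	switch {
	case score >= 100:
		return Reject, score, sig
	case score >= reviewThreshold:
		return Review, score, sig
	}
	return Accept, score, sig
}

func main() {
	// Constructed order modelled on the hosting signup above: AVS and CVV pass.
	fmt.Println(Screen(Order{Email: "signup@freemail.example", Phone: "(415) 555-0100",
		BillingZIP: "95112", AVSResult: "Y", CVVResult: "M"}))
}
```

The constructed order passes AVS and CVV and its 415 area code sits in the billing state, exactly as in Darrel's case, yet the free-mail domain alone puts it on hold; the phone number on the order contributes nothing toward acceptance, only toward suspicion. What happens next is the manual step Tom describes elsewhere in the thread: the reviewer calls the number verified with the issuer, not the one the buyer typed.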

  38. 38
    Frank Says:

    I think the statement that the above service will work in most cases is a bit misleading. I am sure it will work in "most" cases, but it is also true that "most" cases are good transactions. In most cases the AVS check will catch potential fraud, but it will also catch legitimate transactions too.

    Fraud control is not easy and although some can be automated, there is no way to automate 100% of it and NOT lose legitimate sales. The cheapest and easiest fraud control on the market today (in my opinion) is Google Checkout. Google will approve the credit transaction and guarantee against fraud in "Most" cases too. Then you can check the remaining out yourself. The very nature of signing up for Google Checkout disqualifies the average thief.

  39. 39
    Tom Mahoney Says:

    In case you haven't noticed, the only people posting here or at the company's blog at http://public.ifbyphone.com/blog/security/reduce-e-commerce-credit-card-fraud-via-phone-with-verify-me-now/ that think it has any value are the folks that are feebly trying to market this junk.

    As I said back in January -- http://www.merchant911.org/blog/index.php/2008/01/27/telephone-fraud-prevention-service/ -- this "service" will fall flat on its face and fail.

  40. 40
    Mike Says:

    I wonder if these clowns are aware that it is illegal in the state of New York to use computerized phone calls. From what I have read this service is a joke. Just another way to rip-off Merchants. Thanks Tom for exposing these clowns for what they are, "Frauds".

  41. 41
    Derek Says:

    Apparently, Craigslist sees the value in such a service:

    http://www.telecentrex.com/2008/04/10/craigslist-deploys-phone-verification.html

  42. 42
    Tom Mahoney Says:

    Not sure how Craigslist's use of the service relates to credit card fraud (and I'm sure they get plenty of it) but I'm attempting to contact them.

    By the way, Derek posted from the same IP block as Khyle and IfByPhone, so I would hazard a guess that the three of them are all employees of this company. Note that Derek didn't say this is their service - not that it matters.

    And the back-pedaling on their Blog is priceless. Worthy of a comedy routine!

  43. 43
    Stephen Betzen Says:

    OK... I'll bite at this one.
    Derek said "Apparently, Craigslist sees the value in such a service:"
    Perhaps he didn't expect us to actually read that short article... I read it as last I checked Craigslist listings are FREE.
    1) They used a service to call the phone numbers associated with "Erotic Services" to stop unlawful activity. If someone is providing a number in one of these ads, they will provide a number that allows them to sell their service. By calling that number you can discover the nature of their service... and discourage the use of your site for prostitution.
    2) They used to do nothing to stop this... now they are doing something. A change should always be expected as you move from nothing to something. We however are using AVS, secure seals, hackersafe type services to check security of site etc... This service does not offer us much/if any more.
    3) I said craigslist was FREE, right? If they lose a customer they lose a big whopping... nothing. If the listing of one prostitute is successful, they make a big whopping...nothing.

    Very misleading

  44. 44
    Tom Mahoney Says:

    Stephen, I think Derek was grasping at straws. I don't believe it's their service and Craigslist clearly doesn't use it for what Derek wants us to think they do.

    These guys have used so many angles that they're going in circles.

  45. 45
    David Says:

    You should submit this story to news outlets. Excellent job!

  46. 46
    Bruno Says:

    Tom,

    You're over complicating the function of the Telephone Verification Service.

    The point is NOT that "bad guys" are physically unable to perform illegal transactions after Telephone Verification. Of course they can still use their own working telephone number to bypass the step.

    The point IS that "bad guys" will tend to steer clear of providing their own traceable telephone number with a stolen credit card. It's not worth the possibility of getting caught with the card or the information, and fraudsters would much rather eliminate that risk by going elsewhere where Telephone Verification is not present.

    Additionally, the phone numbers that are used to verify a website's users are stored with the service provider, and can be summoned when needed.

    In other words, if a transaction is identified as being illegitimate, the Phone Verification company can look up the phone number that was used with that transaction, and submit it to the police.

    And are you really accusing the creators of this service AND the customers of this service of thinking the whole thing through that much less than you? Do you think the company that makes these services just "made" it without considering whether or not it would work?

  47. 47
    Tom Mahoney Says:

    Bruno;

    I don't believe that I'm over complicating the function. I believe they are over simplifying it. They want their potential customers to believe that if they get a valid response to the call-back, all is peaches and cream, the order is valid, and they can feel comfortable about shipping the $900 camera. Most merchants that have been on line through a chargeback or two know better but the small, new merchant won't. I'm just letting 'em know it ain't so.

    Most of your comments would have SOME validity except that you're forgetting VoIP phones, disposable cells, Vonage, and the list goes on. Bad guys just aren't worried about being traced to a phone number any more. And do you really think the police will do anything? If you're a Merchant911 member and follow what's going on, you surely know better! Law Enforcement's response to on-line credit card fraud complaints is normally a shoulder shrug. But if you did get their attention - lots of luck proving in court that the phone number is owned by the bad guy AND was used by the bad guy AND was used with a bad card to make THAT transaction. I'm a former police officer. I know what a task that would be.

    I'm certainly not accusing the creators of the service of not thinking this whole thing through. To the contrary, I'm sure they have. That's why they have done nothing on this blog page - or theirs - but back pedal. Go back and read the comments they've posted. They have yet to post anything that reasonably counters any of my objections. And I've asked - no, challenged them - to do so. So far, the best they've come up with is that it's used by Craigslist. But it's not used as a credit card fraud prevention measure. Craigslist is free.

    And, in case you haven't noticed, there haven't been too many comments in their defense except theirs.

  48. 48
    Bruno Says:

    Fair enough: proving the bad guy actually used the card, etc. would be an overwhelming task with little gratification. The police most likely would not follow through with it, unless there was sufficient evidence.

    The focal point however, should be on the mind of the criminal, and how much confidence they would have on the issue. From their POV, the stakes are much higher than from ours. It's their freedom we're talking about here, not ours. Again, why would they risk it rather than moving somewhere else?

    I did not forget about anonymous numbers - I just assumed it was well known that Telephone Verification (at least the one Craigslist uses) has the ability to identify and screen the type of phone the caller is calling from. They can block VoIP numbers from calling their service, thus forcing the user to use a real phone.

    The selling point for these companies is not directed at the actual credit card holders that are buying merchandise, doing transactions, etc. It's directed towards the businesses that the card holders make purchases from: their customers. When businesses know they can make a change to ensure their customers better service, fewer chargebacks due to credit card fraud, less negative press due to child prostitution on their site (as in Craigslist's case), they have a strong incentive to make said change.

    I don't understand why everyone has been complaining so excessively about Craigslist, and I'm sorry I chose your forum to vent my thoughts on, it just has a more intelligent conversation than most and I feel like I will be understood.

    If you (not Tom, universal "you") are having a problem with Phone Verification, more particularly on Craigslist, then you probably are doing something you shouldn't. If you aren't a shady prostitute, then you are either a SPAMmer, or you are trying to advertise your personal business. Remember, Craigslist was not made for your own personal advertising convenience, it was made to introduce online bartering to a new level of convenience and access.

    I don't personally care, but keep in mind that complaining about the decrease of advertising opportunities on their site does absolutely zero to convince them to change anything.

  49. 49
    Bruno Says:

    ...Did you just delete the last comment I left?

  50. 50
    Tom Mahoney Says:

    No - I didn't delete it. I just hadn't gotten to approving it. I have a life beyond this blog ;-)

    You said:
    The focal point however, should be on the mind of the criminal, and how much confidence they would have on the issue. From their POV, the stakes are much higher than from ours. It’s their freedom we’re talking about here, not ours. Again, why would they risk it rather than moving somewhere else?

    My Reply:
    That may be true in some cases. It's like the locked door - it makes it easier where there isn't one. But if you hang out in the carder sites like I do (know thine enemy) you know that we're primarily dealing with two elements here. One is the kid that doesn't have enough sense to be nervous and the other is the organized crime members who are, quite frankly, more sophisticated about such things than most merchants. They know they won't get caught.

    You said:
    I did not forget about anonymous numbers - I just assumed it was well known that Telephone Verification (at least the one Craigslist uses) has the ability to identify and screen the type of phone the caller is calling from. They can block VoIP numbers from calling their service, thus forcing the user to use a real phone.

    My reply:
    Again with Craigslist! They use the call-back service to call the phone numbers associated with "Erotic Services" to stop unlawful activity - think prostitution. That's a perfectly good use for a call-back service and I'm sure it does it quite well. But I repeat - Craigslist, as far as I know - does NOT use the service for credit card fraud prevention, but Derek, believed to be an If-By-Phone employee, brought it up as an argument for its use in credit card fraud prevention. As to identifying VoIP numbers - phone number portability has pretty much ruled that out at this point. But I guess my real point would be that If-By-Phone doesn't do that with the call-back service they market to merchants. They simply call the phone number given during the on-line purchase and get confirmation codes.

    You said:
    The selling point for these companies is not directed at the actual credit card holders that are buying merchandise, doing transactions, etc. It's directed towards the businesses that the card holders make purchases from: their customers. When businesses know they can make a change to ensure their customers better service, fewer chargebacks due to credit card fraud, less negative press due to child prostitution on their site (as in Craigslist's case), they have a strong incentive to make said change.

    My reply:
    Last things first... See my previous paragraph. Craigslist and what they do to weed out porn, hookers, and pedophiles has absolutely NOTHING to do with the credit card fraud prevention claims of If-By-Phone or any other company. Secondly, I'm well aware that the marketing is toward businesses. But the service does not - and CANNOT - promise fewer chargebacks or better service.

    You said:
    If you (not Tom, universal “you”) are having a problem with Phone Verification, more particularly on Craigslist, then you probably are doing something you shouldn’t. If you aren’t a shady prostitute, then you are either a SPAMmer, or you are trying to advertise your personal business.

    My reply:
    I have no problem with Craigslist OR their use of If-By-Phone. PLEASE - ALL OF YOU - PAY ATTENTION: My only problem is with If-By-Phone's claims regarding credit card fraud prevention. I never even brought up Craigslist; If-By-Phone did, in an attempt to defend themselves against something totally unrelated.

  51. 51
    Edy Says:

    WoW, loved it Tom and my dog Kody did too! She was all ears, lol

  52. 52
    Tom Mahoney Says:

    Interesting. Our Standard Poodle totally ignored it.

  53. 53
    Tim Says:

    Having read through all the comments posted thus far, I see Craigslist was mentioned as an adopter of telephone verification technology, but quickly dismissed because they don't use it for credit card verification purposes. I would like to add that Google also has adopted telephone verification for sign-ups to its AdSense program, https://www.google.com/adsense/support/bin/answer.py?hl=en&answer=32055. Same as Craigslist, Google isn't using it to verify whether the credit card information is stolen or not. They use it to "ensure that your information is accurate and up-to-date". Why does Google care if your personal information is accurate or up-to-date?

    Also note that Google states "rotary phones, VoIP numbers and extensions do not work". As with Craigslist, Google must believe that when a new signup uses personal information that is accurate and up-to-date, it decreases the chance that the account will be used for fraudulent purposes. In a nutshell, this is the purpose of telephone verification.

    People use the Internet to make a purchase because it's convenient. Most credit card issuers use a customer's home telephone number for the record. If phone verification only called the telephone number on record with the credit card, it would severely limit where customers place their order, thus eliminating much of the purchasing convenience Internet customers are accustomed to. So limiting legitimate customers' choices doesn't seem like a good policy for any online merchant. So your example of using phone verification to verify the actual card holder's telephone number would not be an attractive solution to most online merchants.

    In most cases, orders placed online with stolen credit card information do not ship to the billing address that's on the card. So if a merchant's only concern is to prevent credit card fraud, then why don't merchants choose to only ship orders to the billing address on record with the credit card being used? Wouldn't a policy like this help the merchant eliminate or at least drastically reduce credit card fraud?

    The point is, there's a balance between verification and convenience. You can make customers jump through hoops to buy, which helps with fraud, but turns people off. Likewise, you can make it really easy to buy, but then risk your business to fraud. The goal is to deter while still making it easy to buy. If a thief wants to buy a $900 camera with stolen credit card information and has 5 choices on where to buy it, but two use telephone verification, chances are they'll opt to use one of the other 3 who aren't using any verification. If you can agree to that, then you must agree that telephone verification does indeed deter fraud.

  54. 54
    Lezlee Says:

    Your friends' B&B looks awesome! I really miss Lancaster County. We're originally from northern VA and our favorite weekend escape destination was always Pennsylvania Dutch country. BTW, our toy poodle also ignored the wolves when I listened to your mp3.

  55. 55
    Accounts Wells Fargo Online Says:

    Accounts Wells Fargo Online...

    Please keep these excellent posts coming....

  56. 56
    Nish Says:

    A one-time password is a good option, but how do you say it's useless? And what if the key is recorded? Anyway, it's a one-time key, right?

  57. 57
    Art Says:

    I really don't have anything to add to this piece, but just wanted to first thank you Tom for all your effort on behalf of merchants accepting credit cards. The industry is so screwed up beyond belief it is nice to have a place where ideas and issues can be discussed.

    Secondly, I am disappointed to see more people are not making use of this site. I realize most merchants are terribly busy, but it might help if you promoted this forum more in your alerts (or have I been missing something?)

    Last but certainly not least, I am very tired of the outrageous fees I am charged, the way chargebacks are handled, and the overall treatment of the merchants by V/MC, etc. As for the fees, the only thing that makes it a little easier to handle is that I can pay my suppliers by credit card (most of them anyhow) so I manage to get about a percent back, but even still, I'm probably getting hit with higher prices anyhow. Chargebacks (I get very few as I screen carefully and am in a unique demographic) are handled as if I am guilty until proven innocent, with the burden always on the merchant, and not a lick of investigatory work on the part of the CC co's. I sometimes think this is a profit center for them. Most of the chargebacks could be stopped dead in their tracks if they would bother to pick up the phone. They have a lot of nerve charging $15.00 just because some ahole customer wants to give me a hard time for their misunderstanding.

    Anyhow, you at one time seemed to be entertaining the idea that we could possibly band together to get group rates which would be more favorable. Is this still something you are considering?

    If I posted this in the wrong place I apologize.

    Thanks again.

    Art

  58. 58
    Tom Mahoney Says:

    NISH:

    I didn't say "useless" I said "dubious, if not down-right worthless." :-)

    According to the quoted article, Visa says "If the PIN can be recorded surreptitiously, the card will prove no more secure than its predecessors." This is the case with Chip and PIN cards now so what's really gained with the new technology?

    Do I have an answer? No. Truth is, there probably isn't one and maybe that's the point. All the technologies work when things go right but there is always going to be credit card fraud. But I think this initiative smells of marketing hype.

    I've publicly stated (on CBS Evening News, National Public Radio and others) that the credit card companies have a revenue stream from chargeback fees and there is no financial incentive for them to do anything about fraud except move the liability away from the issuers and on to the merchants. Their response has been to call the claim "ludicrous" but they have yet to convince anyone that a half a billion dollars in chargeback fees is anything but a cash cow.

  59. 59
    Tom Mahoney Says:

    ART:

    Thanks for the kind words.

    I'm not big on self-promotion. Merchant911 membership continues to grow slowly and that's OK. I do it all out-of-pocket in my spare time after a full time job, three e-Commerce sites, and a brick and mortar so it is what it is and will be what it will be.

    Yes, I still believe there is strength in numbers, both financially and politically. I'm just not sure what the magic number is. Is it our current strength of 3,750? Is it 5,000? I don't know the answer to that one. And of our current 3750, there are only a few dozen that contribute to the alerts and the forum that are available to members. And then there's my time factor. There's much that I'd like to accomplish yet but limited hours in a day. The blog post above went out at 11:00 PM last night - this comment is being typed before 8:00 AM before I head to my office. Merchant911 and all that goes with it is a full time job that I just don't have the time for. I'll keep on keeping on.

  60. 60
    KAY Says:

    I do not understand why that is an issue.

    By law we must report our income. If we are working legally this does not affect us at all.

    And all deposits are to a checking account, so there is already a paper trail for the IRS to track all deposits.

  61. 61
    Tom Mahoney Says:

    I'm not sure it's an issue to most merchants other than additional paperwork since you'll get something similar to a 1099.

    On the other hand, I wonder how many personal eBayers will be affected.

    And then there's processors, banks, PayPal, 2CO, etc. It looks like all of them are going to have a massive job ahead of them.

  62. 62
    JD Says:

    And my personal experience with bureaucracies says the merchant account companies will neglect to deduct any refunds, voids, and chargebacks. Mr IRS will assume we under-report by that amount...

    I know my CPA will be smiling. Another form, another few dollars to them!

  63. 63
    Youknowwho_ca Says:

    This blog entry and the responses all discuss how the new tech is not enough to battle the issue, but forget the big point: the way it is today is worse. As security experts say, nothing is secure, but if we can move from level 0 to level 5 maybe someday we have a chance to get to level 10 (being nirvana). Also, about this liability shift from issuers to merchants, for CNP transactions there is something called Verified by Visa, MasterCard SecureCode... implement this correctly and at least most of the chargeback headaches (I didn't say all...) will be taken care of.

  64. 64
    David D Says:

    And... who do you think is going to fund the extra manpower needed at the processors to report this to the IRS? I'm sure they will just take that as a cost of doing business, without passing it on to the merchants [/sarcasm]

  65. 65
    Art Says:

    I wonder what the backlash would be if consumers realized just how much it is costing them. After all, we as merchants simply pass on those costs to our customers.

    Maybe merchants should band together to work to educate the public on how this all affects them. Maybe then there could be enough pressure on the politicians to do something. Ooops - I forgot this is America.

    Well, I can dream can't I?

  66. 66
    Corey Says:

    Company profits should not be controlled by government. That is not the government's place. If a company is making a lot of profit, it is reasonable to assume they are providing good products or services. If one feels a company is making too much profit and that is something one would like to change, then one should not support that company. I realize the world takes Visa at this point, but many changes in our history have been done with great work and were not easy. Stop the insanity and stop trying to control company profits with legislation. How would you feel if you had grown a business that was making "too much money" and was under the gun to be controlled by the government? I for one hope to build a company that others envy and thus likely feel the company makes "too much money", and I certainly don't want to work towards that end just to have the rewards of my efforts capped by Congress.

  67. 67
    Tom Mahoney Says:

    Corey;

    You do make some excellent points, but I think you're missing something. In the case of your company, you will make your profit because you are good at what you do and you offer a good value to your customers. If you don't, they'll go elsewhere and you'll be out of business.

    This just isn't the case with the credit card companies. As merchants, we have to accept them, not because Visa and MC are a great value, but because if we don't, our customers will go elsewhere. Cardholders use them, not because they are a good value (how can they be at 29%) but because, other than cash, which they never seem to have enough of, there's no real choice - especially when you consider speed and convenience.

    The interest rates charged to cardholders are literally illegal in almost every state. That's why all card companies are registered in Delaware and one or two others. The terms they issue in their contracts would be, and probably have been, laughed at and/or ruled illegal. They are, for all intents and purposes, a monopoly, but since there are a few of them, they aren't considered as such.

    They have, in the past, through what could certainly be considered great marketing and good business sense, gotten themselves to the level where nobody in their right mind would use them if there were an alternative. And that's why they need to be regulated.

  68. 68
    Mike Says:

    I read an article (actually the last FAQ) on Roadtrucker.com, http://www.roadtrucker.com/faq.htm, that opened my eyes to the unscrupulous and unethical loan-sharking practices of the credit card industry. Visa, Master Card and the like are the new mafia and most of us are kept in the dark about the true impact of these criminals.

  69. 69
    Mike2 Says:

    Corey,

    The rates I now pay to VISA, MC, AmEx are now 100-200% higher than years ago. You made a profit years ago, so what happened?

    The proposed legislation is there because of excessive rates and immoral business practices. VISA needs to pull their head out of the sand and take a real good look at what they are doing.

    I can assure you that if another financial instrument comes along, I will drop VISA, MC, and AmExp like a hot potato. I and many other merchants are continuously looking for a way to get rid of you guys. Until that happens, I will write my congressman/women and ask that they force you to conduct your business in a moral manner.

  70. 70
    Mark Tomasic Says:

    The Snopes info is still valid. Any mag stripe can be embedded with skimmed information and used as a vehicle to commit fraud. My credit card could be skimmed and that info put on the back of any card with a mag stripe (including hotel key cards). It is still true that hotels do not embed guests cc info on the back of their hotel key cards.

  71. 71
    Benjamin Wright Says:

    Careful reading of the indictments shows that the media, card issuers and Federal Trade Commission over-reacted to the TJX incident. TJX was not as bad as we were led to believe. --Ben http://legal-beagle.typepad.com/wrights_legal_beagle/2008/08/credit-card-iss.html

  72. 72
    Tom Mahoney Says:

    I respectfully disagree with some of your points and will address them in my comments on your blog cited above.

  73. 73
    David D Says:

    Link for countrywide article is busted. Here's a working one:

    http://blog.absolute.com/countrywide-financial-insider-breaches-2-million/

  74. 74
    Tom Mahoney Says:

    Well heck - they're all busted now. I'll get them fixed. Thanks David!

  75. 75
    Tom Mahoney Says:

    All better.

  76. 76
    Scott Says:

    Done my part to forward this link on to all family and friends....need to make everyone we know aware of how bad this really is. :)

  77. 77
    Eric Says:

    Eric...

    Have enjoyed your site very much and benefited from the information. Thank You....

  78. 78
    Tom Mahoney Says:

    Yes - new posts are made frequently.

  79. 79
    David D Says:

    So, can I now call my processor, demand a refund for the last 18 years, and tell them I don't have to pay interchange fees anymore because Visa said so? LOL!

  80. 80
    United States - Credit Card Fraud is about to increase | Merchant911 - Fraud Prevention for Merchants Says:

    [...] - Fraud Prevention for Merchants Credit card quote of the weekCard Companies Insecure About SecurityWhy Identity Theft is such a problem!Chip and PIN FraudStreet Level Credit Card [...]

  82. 82
    Adrian Says:

    I don't know what the position is in the USA but here in France we have been informed that, in an attempt to curb the incessant upward trend in credit card fraud, we will now have to supply our birth date in addition to cvv2 every time we make a purchase. That's a tough one for criminals to crack (NOT)! Seems to me that banks are really scraping the barrel now. It's like an admission that the credit card system has failed ...which is something you have been saying for a long time Tom.

  83. 83
    Tom Mahoney Says:

    Yes, I have been saying that, and as every month goes by and every breach gets announced I believe it more. It's certainly no secret that the U.S. economy is in deep trouble but the card companies just continue to put out more and more offers full of hidden language to the people that can least afford it.

    Credit card debt is an unsecured loan. Unsecured and under secured loans are what got us into this mess over here. You'd think the card companies would have gotten a message from all this. With the bad debt and the bad security, how long can it last?

  84. 84
    Paresh Says:

    Payment by phone is big in Japan and they have been using it for quite a while now. I think South Korea as well. Do we know how secure it is over there?

  85. 85
    Tom Mahoney Says:

    I don't have any hard evidence one way or the other, but I refer you to a couple of my previous blog posts:

    http://www.merchant911.org/blog/index.php/2008/09/17/united-states-credit-card-fraud-is-about-to-increase/

    http://www.merchant911.org/blog/index.php/2008/09/03/credit-card-companies-insecure-about-security/

    http://www.merchant911.org/blog/index.php/2008/08/16/chip-and-pin-fraud/

    What I'm seeing here is that contactless payment just isn't secure. Period. End of paragraph.

    This technology could be different, but given Visa and MC's track record on security, I won't count on it.

  86. 86
    Adrian Says:

    Nokia were testing this in Sweden, if my memory serves me well, since 1998. To date, I have not heard of any fraud related actions with this technology. Maybe the security aspect has not been publicly revealed in order to avoid letting the bad guys come up with a loophole?

  87. 87
    Tom Mahoney Says:

    @ Adrian:

    That's possible. I think most security folks would tell you that security by obscurity isn't one of the better methods. It's also possible that since it was only under test, the bad guys haven't been working too hard at it. They look at things like return on investment.

    This could end up being very safe technology but the history of contactless payment is short and so far not very safe.

    The up side of the Visa/Nokia roll out is that they are also incorporating immediate notification of use of the account. That, in my mind, is a good thing.

  88. 88
    H. Hughes Says:

    That was not a fun time being an OmniAmerican account holder. I was overseas at the time this happened, and I didn't know anything about it, so when I tried to use my debit card one day and it said "restricted", I was pretty mad. But then I found out from my mother, who also has an account with Omni, that the bank had been hacked into and they re-issued everybody's debit cards. I still had to wait about a month for mine and ended up opening another bank account with the credit union nearby.

  89. 89
    Ted Says:

    Why would the FDIC guarantee deposits up to $100,000 if this was an identity scam? It is more likely I think that the requirement for such a guarantee is that they must know exactly who you are.

    Your implied assertions about this company lack an understanding of the context of money in the US these days. If you are afraid then don't use them. Bashing in your way is, in my opinion rather unfair.

    Have you contacted the company? Did they respond? If so you should publish it here.

    Thank you,

    Ted

  90. 90
    Tom Mahoney Says:

    Ted wrote:

    Why would the FDIC guarantee deposits up to $100,000 if this was an identity scam? It is more likely I think that the requirement for such a guarantee is that they must know exactly who you are.
    Your implied assertions about this company lack an understanding of the context of money in the US these days. If you are afraid then don’t use them. Bashing in your way is, in my opinion rather unfair.
    Have you contacted the company? Did they respond? If so you should publish it here.
    Thank you,
    Ted

    Ted:

    I'm not sure your comment was for this entry, but if it was, I don't see your point at all!

    The FDIC guarantees deposits - SoftCard is not a bank.

    I made NO implied assertions at all; I simply stated that the company was collecting PII and credit card information on an insecure web page. Nor do I see how this has anything to do with my understanding of money. Money isn't part of this.

    Bashing - Where? How?

    Contact them? Yes - read the post. I called it to their attention in January - they had not responded or corrected the problem in May when this post was made.

    Did they respond? No - but read the update. The page was removed and they gave an explanation to Breach Blog.

  91. 91
    Adrian Says:

    While I think this is marvellous news, doesn't this kind of technique come under the heading of "Entrapment" in which case it would be illegal?

  92. 92
    JS Says:

    Funny, I can remember back around 2000 being asked by my processor to hang up and call back on a land line because cell phone transmissions could be intercepted.

  93. 93
    Tom Mahoney Says:

    @ Adrian:

    It would be (and probably will be) looked at on a case by case basis, but generally no, it is not entrapment.

    Yes, the forum was set up to catch bad guys but unless the forum user was actually tricked or coerced into signing up and then coerced into buying or selling, there would be no entrapment. Entrapment attaches when law enforcement somehow manipulates the defendant into doing something that (s)he would not have done without the manipulation.

  94. 94
    Karina Says:

    I'm amazed that the NCFTA did not do a better job of hiding the true ownership of their IP address. Hopefully, they will learn from this. I know when local police departments do a fence operation, they usually take extreme measures to hide the connection to the local police department.

  95. 95
    Tom Mahoney Says:

    @ Karina:

    I have a bit of a problem with that myself. I only saw that information in two reports out of several. On the other hand, a two year sting with 58 arrests is a pretty good haul. Remember that there's an excellent probability that once the first arrest is made, the operation is compromised. It becomes a matter of how long you really want the thing to continue without making the busts.

  96. 96
    J Eccles Says:

    I am constantly counseling people on what to look for when it comes to online fraud. The most aggravating part is how hard the credit card processors and companies make reporting these cases. I spent nearly an hour this morning trying to get through to Anyone at PayPal Pro to let them know they had authorized a possibly stolen card. Still no answer from them. Called Visa - couldn't do anything because I did not have the numbers they needed to identify the issuing bank.

  97. 97
    James Jones Says:

    Hi Tom

    I agree completely and have noticed a huge increase in my online fraud stats. I used to run at about 3% of TO of CNP fraud. Over the last 12 months this has increased to 5% with the last 3 months seeing an increase to about 6%.

    I have noticed a trend, which in the UK is rather worrying, especially as most of my customers are stateside. The trend which is hitting us more and more now is cyber shoplifting. People who order goods and check out completely, they get the goods, then claim they have not received them. EVEN though most of these high ticket items are sent FEDEX, they simply say "not my signature" and that's it, the bank gives them my money.

    Until the delivery companies are prepared to offer a service of ID verification for online companies, this will continue to happen. I need FEDEX or UPS to offer a full blown ID verification upon delivery service. I would gladly pay for this service, but that's the weakest link.

    And unless anyone has any ideas, these people will continue to rip us off with zero comeback. Cyber shoplifting, that's the frightening thing for me, as no matter how much I check someone out, all they have to do is lie and they get all their money back.

    James

  98. 98
    Ben Says:

    Don't you get it? They don't care about rounding up the crooks. They have no liability, so why would they devote resources to that effort? Shift the liability to the bank or the association and they'd take your phone call in two seconds -- and actually do something with the information.

  99. 99
    Tom Mahoney Says:

    @ Ben:

    That's the beauty of Payer Authentication - Verified by Visa and Secure Code by MasterCard. They shift the liability of "friendly fraud" back to the issuer where it belongs.

  100. 100
    Edward Says:

    Where can I find more information about the $99 a year McAfee scans? The link you gave takes me straight to the signup page but I have no idea what my $99 gets me. Does the fee include any kind of site seal, for instance? Thanks.

  101. 101
    Tom Mahoney Says:

    Edward*

    There is more information at http://www.merchant911.org/resources/McAfeePCI.html And you can also go directly to the McAfee site - http://www.mcafeesecure.com

  102. 102
    Dave Says:

    So, let me get this straight. It's theft to charge a price that makes a business viable?

    And I've yet to see any card company resort to eliminating the grace period. You can still get the loan for free even with the increase.

    They may actually be making some of the other credit card options more viable.

  103. 103
    Tom Mahoney Says:

    **Dave:**

    **So, let me get this straight. It's theft to charge a price that makes a business viable?**

    Not if it's reasonable. You try jacking your rates by almost 100% and see what happens to your business. And there's the timing issue with the bailout.

    **And I’ve yet to see any card company resort to eliminating the grace period. You can still get the loan for free even with the increase.**

    Yes you can and if you're one of them, you're in good shape. But that's a small percent of cardholders. Most cardholders are in up to their eye sockets. More importantly, it's the principle of lending at one fee and then jacking up the interest rate almost 100%. And, for the record, there are issuers that are shortening the grace period.

  104. 104
    Tom Mahoney Says:

    And this JUST hit the wires:

    http://www.washingtonpost.com/wp-dyn/content/article/2008/12/17/AR2008121703474.html?hpid=topnews

    Today's move by the Federal Reserve, the Office of Thrift Supervision and the National Credit Union Administration is the first of what could be many attempts to further regulate the industry, as several members of Congress plan to codify the Fed's regulations next year and perhaps pass even more stringent rules. Under these rules, after 2010, the issuers will no longer be able to raise rates on existing balances unless the cardholder is a late payer.

  105. 105
    William Says:

    While I'm all for tightening the screws on the credit card industry, Ed Yingling has a good point:

    ---------------------------------------------------------------
    "Every proposal needs to be looked at in terms of its effect on credit availability," said Ed Yingling, president of the American Bankers Association. "They need to be concerned that on the one hand they're encouraging banks to lend more and on the other hand you have a series of policies that tell banks to lend less."
    ---------------------------------------------------------------

  106. 106
    Tom Mahoney Says:

    William;

    I agree that Yingling has a good point.

    I'll probably post a blog entry on this later, but I think the Fed made a serious mistake (from the cardholder point of view) by making the new regulations effective in 18 months. I think it should have been much sooner.

    The banks are using the excuse that they need even more than that to rework their business model. I don't buy it. How much time do they need to stop jacking up interest rates on existing balances? None. They just stop. I'm sure there are fiscal ramifications to that but I'm also quite sure that the issuers are capable of handling it.

    I predict that we're going to see rate hikes of just about every one of their rate structures. They'll get it done while they can. In that regard, the Fed is not protecting the consumer one iota.

  107. 107
    David Says:

    Great, now let's see them do some work for the merchants and start regulating the hidden "non-qualified" fees and chargeback fees.

  108. 108
    Adrian Says:


    That's almost 1/8 of the entire US population compromised ...IN ONE YEAR!!!
    How long do these guys require to expose the rest of the continent?

  109. 109
    Tom Mahoney Says:

    They're working on it. According to the Washington Post, the number of breaches is up "nearly 50%" and the number of records is 35.7 million.

    http://www.washingtonpost.com/wp-dyn/content/article/2009/01/05/AR2009010503046.html

    It all depends on how you spin it. There is the number of breaches and there is the number of records. Remember that in 2007 the TJX breach alone accounted for 94 million records - almost three times the 2008 total. In '05 there was the Card Systems Solutions of 40 million.

    The TJX breach was preventable and there is no excuse for it but I hold banks and processors to a higher standard than a retailer. In my mind, the careless loss of a backup tape with 650,000 records is on par with 40 million records stolen in a sophisticated hack.

    The payment industry is fining small merchants for PCI compliance violations while banks and processors are losing backup tapes. What's wrong with that picture!

  110. 110
    Greg Patrick Says:

    I do not know if you can edit your blog, but I think you may have said this incorrectly.

    The Washington Post is now reporting that the breach involves 1000 million accounts.

    I think you meant 100 million. The Washington post was referring to how many transactions it processes, not how many cards may have been breached. I do think they should list all the retailers that use Heartland. Consumers will not blame the merchants. I even read a comment on the consumerist website that said Heartland didn't even notify the merchant(s) of card breach.

  111. 111
    Tom Mahoney Says:

    Greg, you are correct. I've deleted the reference to the Post article but I do stand by my 300 Million number.

    Thanks for catching the 999 million record typo!

  112. 112
    Dick Danger Says:

    This quote is from the PCI assessor of Heartland:

    "TrustMinder enables us to reduce risk in our merchant underwriting and boarding process, and to meet the Visa e-commerce merchant inspection requirements in a single, easy-to-use solution," said Robert O. Carr, chairman, chief executive officer and founder of Heartland Payment Systems.

  113. 113
    Staci Cash Says:

    Hi there.

    I am not sure why Heartland and/or Chase keep saying that Social Security numbers were not breached. I had my personal information stolen in this situation and the criminals have enough information on me to not only attempt to make transactions on my current accounts, but also they have opened new accounts since 1/24/2009. To me this means that they have my name, social security number, address, birthdate and whatever else they may need to open a new account. In addition, 2 of the cards that attempted and successful charges were made on have not been used for the past, at least, 2 years. So...obviously...these companies are hiding something more because if I know I haven't used 2 of my compromised credit cards in at least the past 2 years, how can the security breach with regards to transactions processed have happened within the past 6 months?

  114. 114
    Charlie Says:

    Just got a notice from Chase that they are raising the interest rates by 4% and lowering my credit limits, this will put me over limit on these. I have contacted them but they would not help. I will get another card and pay them off. They got the bail out so we are paying them twice.

  115. 115
    Art Glick Says:

    Do they think we have "stupid" stamped on our foreheads?

    How can it not be a new breach if the entity has yet to disclose?

    They must think we're as dimwitted as they are!

    The feeblemindedness of the entire global banking industry worries me greatly!

    Or, maybe they're just all insane. Einstein defined madness as doing the same thing over again and expecting a different result.

  116. 116
    Chris B Says:

    In my humble opinion, this sounds like the rhetoric that is splashed around the industry on almost a daily basis. Let us be clear, as usual, big business is going to not follow responsible practices, such as informing the public about breaches as soon as they are found. It is up to organizations like Merchant 911 to inform us wee individuals, as we are NO Visa, Mastercard, or Citi Bank. I see this as fuel for future congressional investigation, and hopefully someday, policy change.

  117. 117
    Ken H Says:

    Could it be an existing breach that was not fully discovered or disclosed?

  118. 118
    Michel Fahed Says:

    "The Card Companies are now fining the issuing banks as a result of the losses. That may sound a bit strange since the banks are victims in this whole mess."

    But aren't the banks charging the merchants in the end with chargebacks, or are they eating the losses?

  119. 119
    Tom Says:

    *Michel

    That's true for on-line merchants. Fortunately for us, the Heartland breach involved track 2 data which allows cloning of the mag strip and I think we'll see more Card Present fraud.

    Also, since this DID involve track data, the banks have been more proactive in replacing cards - as you would expect them to do when they can't pass the loss on to the merchant.

  120. 120
    Wally Donoghue Says:

    Hi Tom,

    Perhaps you can get a friendly credit union to share with you their user name and password.

    Wally

  121. 121
    Tom Says:

    Wally,

    I don't have any connections in that circle but I have at least a few in other places that have the same information. They don't share it. I think it's a power thing.

  122. 122
    Kelvin Says:

    There are so many opinionated misstatements in this article I don't even know where to begin.

    First, the lack of information on the breach is not from a mysterious "shroud" of "corporate secrecy" but due to the lack of hard evidence on how much data was stolen. Data doesn't sit on the shelf like a physical object. The malware hackers are using is sophisticated enough to hide itself and prevent data forensics experts from knowing what actually happened. Putting the pieces together to determine how much data was stolen is not as simple as you think.

    This was likely the case with another major data breach that occurred in 2008 in which the processor involved has not even announced the breach.

    Then, you talk about the card "companies", in which you mean the CARD ASSOCIATIONS, Visa, Mastercard, Discover, etc. and their relationship with acquirers such as Heartland and issuing banks.

    This is all wrong.

    Card associations do not fine issuing banks for fraudulent activity or data compromises. Fines for data compromises affect the acquirer and the acquirer may pass these fines on to the merchant when the merchant is responsible. In this instance, no merchant was responsible for the data breach so the fines (when they are announced) will be absorbed by Heartland. The issuing banks deal with fraudulent activity as a result of any data compromise between the card holder and the merchant. Chargebacks may affect some merchants, but most likely, the distribution of these card numbers around the world will make the impact on US businesses almost non-existent. The effects have been felt mainly by card holders.

    Everything you said in that paragraph is wrong. You might consider deleting this entire post or checking ALL of your facts first.

    There's enough blogging and news media on this topic already. Do some research and get your facts straight.

  123. 123
    Tom Says:

    Kelvin wrote:

    There are so many opinionated misstatements in this article I don't even know where to begin.

    Opinionated - of course. Most blogs are and I make no claims that mine is not.

    First, the lack of information on the breach is not from a mysterious "shroud" of "corporate secrecy" but due to the lack of hard evidence on how much data was stolen. Data doesn't sit on the shelf like a physical object. The malware hackers are using is sophisticated enough to hide itself and prevent data forensics experts from knowing what actually happened. Putting the pieces together to determine how much data was stolen is not as simple as you think.

    This was likely the case with another major data breach that occurred in 2008 in which the processor involved has not even announced the breach.

    I don't think for a minute that it's easy and I'm also well aware that the hackers are more sophisticated than most of the people trying to catch them. Please don't tell me that there isn't a "shroud of corporate security" (your words, not mine) and in the next paragraph tell me that there was another major breach in 2008 that has yet to be disclosed. I think I see a bit of secrecy there. And then there's Heartland's very obvious attempt to withhold information with statements like the breach went on for "more than weeks" and their total silence on the number of accounts potentially exposed even as the affected issuers are, to some extent, coming clean.

    Related to the undisclosed breach, if you read my March 3rd entry (http://www.merchant911.org/blog/index.php/2009/03/03/data-breach-double-talk-spin/) you'll see that I'm aware of a lot of speculation on that incident. Visa did a (opinionated) very poor job of (/opinionated) denying that there was one. If I assume that you are someone in the industry rather than another blogger with "opinionated misinformation," then I can consider your comment as a verification of that breach - and a confirmation of my opinion that Visa is lying about it. A legitimate question for you, if you will: why hasn't that processor disclosed?

    Then, you talk about the card "companies", in which you mean the CARD ASSOCIATIONS, Visa, Mastercard, Discover, etc. and their relationship with acquirers such as Heartland and issuing banks.

    You are quite correct but, for the record, I'm quite aware of it. I couldn't help but absorb that distinction in the 8 1/2 years I've been working with e-commerce merchants. I used those words with the idea that some of my readers might not know what I meant when I referred to the Association. A matter of semantics in this case. If you look at most of the press releases out there, you will see that the Associations are usually referred to as 'credit card companies.' I'm certainly not alone on that one.

    This is all wrong.
    Card associations do not fine issuing banks for fraudulent activity or data compromises. Fines for data compromises affect the acquirer and the acquirer may pass these fines on to the merchant when the merchant is responsible. In this instance, no merchant was responsible for the data breach so the fines (when they are announced) will be absorbed by Heartland. The issuing banks deal with fraudulent activity as a result of any data compromise between the card holder and the merchant. Chargebacks may affect some merchants, but most likely, the distribution of these card numbers around the world will make the impact on US businesses almost non-existent. The effects have been felt mainly by card holders.
    Everything you said in that paragraph is wrong. You might consider deleting this entire post or checking ALL of your facts first.

    I do stand corrected on the "issuing bank" statement and will shortly edit the paragraph accordingly. What I should have said is that fines are being issued to Heartland's sponsoring banks.

    You are also correct that effects have been felt by cardholders but I refuse to consider them as victims in all this. Just last week I received a new debit card telling me that my old one may have been breached in the Heartland incident (yes, my bank named names.) That hardly makes me a victim. Even if my card had been used fraudulently I wouldn't consider myself a victim of anything but the inconvenience of calling my bank to report the fraud.

    But then again, I didn't make any statement about who's a victim of what, only that the mess will be very expensive.

    There's enough blogging and news media on this topic already. Do some research and get your facts straight.

    I do a lot of research but the sources that I have are a bit limited. They are, after all, pretty much limited to blogs and the press. We certainly are not getting a hell of a lot from the industry.

  124. 124
    Chris B Says:

    Tom, I agree, fraud prevention efforts are necessary, but they should also be aimed at protecting all those involved (ie: brick and mortar stores, e-commerce merchants, and card holders). As you said so well, I don't see the credit card companies (I see this word as more accurate than associations, as these companies are profit driven entities, not some sort of non-profit organization) changing too many profit generating operandi. That would dip into the profit margins too deeply. I also don't see these companies finding any better ROI than they do from the excessive fees, penalties, fines, and rate hikes (all of which are documented online, television, and printed news), no, what I see is they will continue to find new layers of generating revenue in the existing customer base, and the merchants that deal with them. Sad to say, as long as lobbyists remain on Capitol Hill, and politicians get paid, we will see no real assistance for e-commerce against credit card fraud.

  125. 125
    Doug Says:

    They don't charge "Fines" to merchants who are victims of fraud and chargebacks, they charge "FEES". That way if the chargeback is reversed, the FEE stands, since, after all, it was a service provided to the merchant! Also, if a reversed chargeback is reinstated, well, another fee is assessed. You gotta give 'em their due: the banks know how to make money, as long as they stay out of mortgage backed securities.

  126. 126
    Tom Says:

    @Doug

    That's a good point. Either way you look at it, there's a good revenue stream in chargebacks. I don't have current numbers, but back in 2000 when I was doing the initial research to start Merchant911, the payment industry's own numbers revealed USD $550 million in chargeback fees alone. They don't publish those numbers any more.

  127. 127
    markez linda Says:

    I like this theme you are using... what is it?

  128. 128
    Tom Says:

    It's Blueline 1.0 available at http://www.gpsgazette.com/wp-themes/

  129. 129
    Paresh Desai Says:

    What do you mean by, "sweep their merchant accounts on a regular basis to avoid falling into this trap". How do I do this?

    Thanks.
    Paresh

  130. 130
    Tom Says:

    "Sweeping the account" means to get the funds out of that account and into one that is not directly tied to the merchant account. That way, the processor will have a harder time getting their sticky fingers on it. Think of your merchant account as a collection account - leave only enough to keep the account open.

  131. 131
    House Approves Credit Card Bill | Credit Card Information You Need to Know Says:

    [...] we reported at Merchant911 back in January, there is a problem. If passed by the Senate and signed by Obama (and he’s indicated that he [...]

  132. 132
    Lyna L Says:

    Yesss! Big lesson learned. While I was looking around to deal with the crooked fraudsters, FirstData cleaned it all out of my bank account.

  133. 133
    Lyna L Says:

    We didn't lose the game; we just ran out of time.
    Vince Lombardi

    And now we are back, equipped with more tools and knowledge, to beat up the crooked fraudsters.

  134. 134
    Wendi Says:

    Tom, this just blows my mind. I just had an experience at the opposite end of the spectrum regarding activating a new credit card, and now I wonder if I even needed to bother with all of it!

    I got a new Chase business credit card for our business purchases (because Citibank raised our interest rate to 18.99% for NO reason, ugh). Some of the cards we get let us activate them online, but this one had a toll free number.

    Since I'm deaf, I had my husband call the number. I was right there (I could've talked into the phone, just not understood what was said back) and he knows all the usual stuff (last 4 of my social security, mother's maiden name, etc.) They would NOT let him activate the card.

    They gave us a TTY number to use, so we hooked up the TTY and did that (which, to me, is stupid because he could just as easily be the one typing the answers and they wouldn't know). It wasn't the right department. They gave us another number to try.

    Finally, about 30 minutes after we started, we got that darn card activated. I guess I should have tried just making some purchases straight off the bat and not bothered! :P

  135. 135
    Credit Card Reform is a Reality. Sort of | Credit Card Information You Need to Know Says:

    [...] implemented until February. Given that CitiBank, Chase and some others are already rushing into the rate jacking game, I think nine months will give the issuers plenty of time to start recovering the $10-$12 billion [...]

  136. 136
    eBay Seller Alert | Credit Card Information You Need to Know Says:

    [...] eBay Seller Alert I won’t go into any detail here but there is further information at Merchant911.org [...]

  137. 137
    Bruce Barnes Says:

    Maybe now they will actually combine my single account into one account and I won't be double charged for my credit card processing fees.

    Every month, for the last 6 years, we go round and round about being double-billed because of the way my Authorize.net account was initially set up. Nobody ever listens to what I write or have to say at First Data, all they know how to say is "your fees are based on the 24 hour service you get."

    I've never had to call them except for the fees, so they can close up the customer dis-service department if they like - I wouldn't miss it at all!

  138. 138
    Tom Says:

    Bruce, you expect big things from little minds.

  139. 139
    Lenito Says:

    Tom,
    The .pdf file for the feedbacks is not working. This is what I've got when I clicked it.

    "The file is damaged and could not be repaired."

  140. 140
    Tom Says:

    It's working for me here.

  141. 141
    Lydie Says:

    I don't collect any cc data on site. That is done by a third party processor on their website. Since I process very few cc transactions a year, I confess I have basically ignored the PCI developments till now. Sounds like a lot of hassle for unquantifiable usefulness.

    However you have convinced me of the need to check it out.

    Thanks Tom for keeping us informed.

  142. 142
    Susan Kishner Says:

    I must say this is a great article, I enjoyed reading it, keep up the good work :)

  143. 143
    Twitted by Merchant911 Says:

    [...] This post was Twitted by Merchant911 [...]

  144. 144
    54f3.com Says:

    Tom, you are bang on here... for those that outsource that is.

    For those that choose NOT to, please be aware of what you are getting into. You can see my blog entry on the conversation had during hostingcon2009 about this very topic, from the perspective of webhosters. SIGNIFICANT work involved, and yeah, anyone who is in the billions of sales will not be concerned about the infrastructure requirements.

    Perhaps a better use of this new 'educational bandwidth' we have with the looming compliance deadline: to outsource or not to outsource; operate it yourself, or hire trusted experts. There are many pros and cons, but at this point, with a stated only 3 shopping cart vendors pursuing their own PCI compliance certification, there will be many merchants left in the lurch.

  145. 145
    Merchant911 Says:

    Jason,

    I'm not sure what (or if) you're disagreeing with any of my points. PCI is clearly a complex issue in many regards but doesn't the outsourcing merchant have a pretty easy go of it?

    Did I miss something? It's certainly possible - I don't claim to be a security expert and I don't want to be passing bad information.

  146. 146
    Twitted by jlscott_iCop Says:

    [...] This post was Twitted by jlscott_iCop [...]

  147. 147
    Janet Eccles Says:

    Thankfully, most of our customers are other businesses or government agencies. But, I take it upon myself to scrutinize each order that comes in. I am not afraid to call the "customer" to verify information. And, we get tracking numbers on all of the orders that are sent.

  148. 148
    Guest Says:

    The WirelessWall solution offers PCI network security compliance with no new hardware -- even if you have POS equipment that only supports WEP.

  149. 149
    Guest Says:

    See this article: http://www.wi-fiplanet.com/columns/article.php/3839266

  150. 150
    Tom Says:

    One solution to the wireless problem to be sure. Just don't forget that there is a lot more to PCI than wireless.

  151. 151
    Nealle Says:

    When the card associations launched SecureCode and VbyV, one of the drivers was to remove the risk of friendly fraud, since having to identify yourself to your bank meant that it was difficult for the cardholder to dispute the transaction.

    Plus under the rules by implementing SecureCode and VbyV the merchants give themselves protection against chargeback even if the cardholder or indeed the issuing bank have not registered or do not support SecureCode or VbyV. So really a no brainer!

    Nealle

  152. 152
    Aaron Foster Says:

    Thank you for finding this for us.

    The link you are referencing was one that the "s" was left off when it was being linked. All the other links on that page led to a secure order form. It was an honest mistake on one link.

    Again, thank you for pointing this out and the link was changed immediately.

    Thank you!

    Aaron Foster
    CEO
    BusinessOwnersOnline.com

  153. 153
    Tweets that mention Google’s Sidewiki | Merchant911 - Fraud Prevention for Merchants -- Topsy.com Says:

    [...] This post was mentioned on Twitter by Joan Miller. Joan Miller said: Google’s Sidewiki: Yes, YOUR website is being vandalized as you read this. http://bit.ly/2mfRnN [...]

  154. 154
    PCI Recognition is not PCI Compliance « iTrust Blog Says:

    [...] has a post up regarding the fact that many merchants don’t really understand PCI Compliance, and therefore probably aren’t compliant themselves, and are open to fines and penalties: [...]

  155. 155
    Carmen Says:

    It may sound naive, but the question that comes up is, "why use Google then?" Why not use MSN or Yahoo as your search engines and search advertisers?

    I remember when Google first announced "Gmail" and told people that they would scan the content of their private emails, so they can send you "relevant" advertisements. Everyone screamed privacy violation and then signed right up for Gmail.

    I have had my Yahoo email and IM account for way over 10 years, before Google was around. I also know that I am probably the only person who still uses Yahoo for search and has never even touched Google.

    Power is only given when everyone submits and buys into it, thereby supporting the very thing they don't want. But again, maybe I am understanding it wrong.

  156. 156
    Tom Says:

    Carmen,

    It's got nothing to do with search engines. It's about browsers with Google's Toolbox installed. The SideWiki is right there on your site. I can see it because I have Google's Toolbox installed on Firefox. I didn't even use a search engine to get to your site.

    You could see it too, if you had Google's Toolbar and Sidewiki installed. Kinda makes you wonder what nasty stuff the Devil worshippers are saying about psychicdonut.com, doesn't it? Without SideWiki you'll never know.

  157. 157
    toplay Says:

    This is OK for card present (retail) transactions. However, if you have a gun to your head, you'll give out the credit card PIN just as you would if you're being robbed at an ATM.

    For online transactions, I don't see how this is any different than 3D Secure (Verified by Visa & MasterCard SecureCode) that's already in place. For online, will merchants then have to spend time and money to support a credit card PIN entry? Which merchants will be willing to adopt that without real benefits to them? Adopting 3D Secure benefits merchants because of the fraud chargeback protection.

  158. 158
    Steve Says:

    Tom,

    What happens when the card is used online? I am assuming that the customer will enter the usual billing address and CVV, but surely they are not expected to enter their pin anywhere?

    It will help card swiped stores, but not internet stores. If the card is stolen, it can still be used online without any problem.

    Steve

  159. 159
    C Says:

    How would you use something like that online? They are going to have to enter a PIN number and some merchant is going to store that PIN number and then the card can be compromised.

  160. 160
    toplay Says:

    How is not having your name on the card a benefit to the card holder (in terms of security and having it used without authorization in retail environments)?

    All a good pickpocket thief has to do is be next to you when you're purchasing something and see you entering your PIN, then pick your wallet before you even get to your car. Then they're free to use it at any retail outlets since it doesn't have any name on the card (nothing for the clerks to check). Thieves would love to get their hands on something like that.

    I do get asked to show my ID more often than not these days when I'm purchasing with my credit card. But I'm never asked to show my ID when using my debit/ATM card.

    I think they have a screw loose if they plan on leaving the card holders name off the card.

  161. 161
    Franz Thomas Says:

    Seems like a good idea, but what about merchants who don't have processing methods that can distinguish a Debit Card from a Credit Card? My two favorite places to go to lunch don't have methods for PIN input. I have to sign for everything. Would these merchants be forced to change their processors? Or take on a second one?

    While we're at it, how is this going to work in an online store? I'm not exactly an expert on the subject, but matching a name and card number input into a website looks to run the same risk as having card number and PIN. Instead of a name you have a PIN. It has to be stored somewhere. Doesn't this seem like the same security issue with different nomenclature?

    Or maybe I'm wrong. I'd love to be wrong. Tell me I'm wrong and this is going to make our lives easier.

  162. 162
    Cindi Anderson Says:

    This might solve some problems, it's a little better than a CVV. But our number one problem with fraud is people wanting to ship to alternate addresses, and this won't help.

    To help us, the card companies should tell all their customers it is a new REQUIREMENT that they can only have product shipped to addresses on file, so they should call their credit card companies and put their shipping addresses on file. The credit card companies should also have better systems in place to verify these addresses. It is incredibly time consuming now to inform the customer, convince the customer, contact the credit card company multiple times, etc.

  163. 163
    Tom Says:

    I probably should have read between the lines on the referenced article. I did, of course, realize that the card could not be used for online transactions. By design, there is no PIN involved in those.

    What I did NOT pick up on, and a Merchant911 member pointed it out in our email list (thank you David), was the fact that this is not a normally branded card from Visa, MasterCard, Amex, Diners, or Discover. It is its own brand of card, a RevolutionCard, much like a Sears or Penney's card. Fifth Third is simply going to be an issuer of those cards.

    We had some discussion on our list about a year ago and pretty much decided that it was all but useless because not many retailers accepted it. That appears to be changing, albeit a bit slowly. They've added some notable national chains like BJ's, CVS, Office Depot, Walgreens and others. See https://www.revolutioncard.com. No, I don't see it grabbing a major market share any time soon.

    Still, I have to wonder if maybe they don't have something. Take the name off, take the account number off, take everything off except the mag strip. Then require a PIN that isn't recorded on the mag strip. Put the Visa brand on it and maybe we have something there if it's a credit card and not a debit.

    Is it airtight - no. But it sounds like cloning the strip won't do it without a PIN. Can the PIN be gotten - of course. They're doing it now. But, put the same zero liability and theft reporting requirements on it and it's certainly no worse than what we have now. And there won't be an RFID chip for the bad guys to read while the card is in your pocket.

    I'd carry it. The benefit to merchants? No Interchange fee, although I have to believe that would change if Visa branded it.

    And Cindi is right - shipping to anything but the bank verified billing address is begging to be robbed.

  164. 164
    uberVU - social comments Says:

    Social comments and analytics for this post...

    This post was mentioned on Twitter by BJoanMiller: Fifth Third aims to prevent card fraud?: This is such a simple concept I have to wonder why it hasn't been done.. http://bit.ly/116lqP...

  165. 165
    Michael O'Connor Says:

    Interesting concept. It could work online if card issuers, gateways, and processors changed the paradigm to add an additional input field and check it against issuer records (much like the CVN is handled today). It would add an additional layer of protection in cases where someone's card was stolen.

    The card associations could cover such transactions, similar to their guarantees on 3D secure purchases.

    There are also, of course, some challenges with the idea. First, in cases where there is identity theft, it becomes moot - the thief just creates their own account together with a PIN and they look golden to the merchant(s). If it was opt-in for customers then it would be as ineffective as 3D Secure, where you see fraudsters signing up on customers' behalf because the customers have never heard about it or are afraid of it. There is also the potential problem of adoption and cost to change the paradigm, as with any new security concept.

    Still, I think it's this type of thinking that is in the right direction - multi-factor security is a good idea.

    Are some of you still only shipping to the verified billing/shipping addresses? What about gift orders (especially during the holidays)? Seems like you're turning away a lot of good business with that mindset. Cindi, I agree that it is a great idea to require cardholders to list any additional addresses on file (I wish all issuers would start doing that!). However, that doesn't work with gift orders that need to be shipped somewhere else.

  166. 166
    laurie Says:

    OK, I realize this will not be popular, but everyone pull out your marketing hat and tell me how many customers use their credit card versus their debit card simply for the fact that they don't have to remember a PIN... Similar to the chip card, there will need to be a demand before the merchants and processors are going to be incented to accept this card type (like every Fifth Third customer will need to have one in hand and be standing at the merchant location waiting to make a purchase). And as far as interchange, I would imagine that eventually, if this is to be a universal card used everywhere, there will be costs involved with processors, gateways etc., therefore requiring some type of reimbursement or fee collection, whether you call it interchange or a processing fee... I do like the idea of no name or number on the card... I think we even have a name for that; it is called a gift card...

  167. 167
    Tom Says:

    Laurie,

    You make good points, but when is the industry going to have to put security in front of convenience? This is something that I've been saying for a long time. I'm a merchant too, so I do understand the marketing aspect of it, but the speed and convenience of transactions needs to take a back seat before any progress can be made in fraud prevention.

    The emergence of the RFID cards is a good example. Is it really necessary to trim the two second card swipe down to the one second card wave? The payment industry would argue yes. Globally they process tens of thousands of transactions per second. I would argue that we've reached a point where security trumps speed but since the merchant, not the payment industry, takes most of the losses, there is no incentive for the industry to change.

  168. 168
    Wynand Vermeulen Says:

    I appreciate that most of the people commenting in this thread operate in a magnetic stripe environment, but I am from the Chip and PIN world, and on the card issuance side at that.

    In my opinion, the name, card number and signature can all stay on the card, but the one thing that has to go is the magnetic stripe.

    In the Chip & PIN world many of the problems discussed in this forum do not exist (excluding gun point robbery), or at least would not exist if it was not for the dreaded magnetic stripe.

    The magnetic stripe and the ability to do manual transactions is the number one cause of financial fraud worldwide, and to date no-one has found a way to secure either.

    Besides the fraud problems associated with the magnetic stripe, the magnetic stripe is also the cause of regulatory and compliance costs for merchants in the form of PCI-DSS. PCI-DSS would not be necessary if we would stop using magnetic stripe cards.

    EMV (Chip and PIN) secures the transaction in such a way that duplicating the data on the chip is only useful for the transaction it is being used for; so there is no point for criminals to steal chip data, as they cannot steal the keys inside the card that secure the transaction. The same applies to contactless (also inaccurately referred to as RFID) cards. Even if the PIN is stolen, it is useless without the card.

    EMV cards can be used with PIN on the internet/telephone/mail order; in Europe we do it on a daily basis. I have a personal reader from my bank, which can obtain a PIN from me and verify the PIN on my card. I can use the card and reader to log into internet banking, sign transactions, and purchase goods on merchant websites that support 3DSecure.

    Both Visa and MasterCard have built in support for these readers in 3DSecure, and since this functionality is implemented by the issuer (3DSecure implies a page from the issuer to authenticate the transaction), merchants do not even need to know about a PIN; the payment technology used is transparent to the merchant.

    In the EMV world there is no need to check the registered address against that on file with the issuer of the card, since the card is secured, and the cardholder is identified via PIN.

    The biggest problem for EMV is, you would not guess it, the magnetic stripe and the ability to do manual transactions. Since only 50 countries are in progress of migrating to EMV or have completed migration, the rest of the world still uses magnetic stripe, so in order to make sure that EMV cards can be used worldwide, each EMV card includes a magnetic stripe. This means that criminals steal the magstripe and PIN data and use that data in non-EMV countries. A chain is only as strong as its weakest link, and in this case the weakest link is the magstripe.

    In Europe almost all cards (debit and credit) are PIN based. Criminals have moved along with the times to steal magstripe data together with PINs using fake readers, PIN pads, cameras, and wireless transmitters attached to real ATMs. In some cases complete fake ATMs are being installed in busy locations!

    From a fraud prevention point of view, everyone (except criminals) benefits from worldwide migration to EMV and the banning of the magstripe and manual transactions. Merchants will be able to accept cards without fear of fraud loss, cardholders will have their money safely protected, and banks will save millions due to the reduction in fraud and the associated administrative costs of chargebacks.

    To conclude with an analogy... would you trust the lives of your family in a car using 25 year old technology? How about your money, would you trust 25 year old technology to safeguard your money in this digital age?

    Magstripe technology is more than 25 years old, and I suggest that if thousands of brilliant minds have not been able to fix its shortcomings in 25 years, perhaps these shortcomings cannot be fixed? Regarding manual transaction technology, which is more than 300 years old, it goes back to the invention of printed checks; surely everyone knows checks are dead for a good reason?

    My opinion is that we should bury both of these insecure technologies, and embrace Chip and PIN with open arms...

  169. 169
    Tom Says:

    Wynand,

    Thank you for an interesting perspective from the industry.

    I certainly agree with your observations on the magstripe, but from what I'm seeing in reports, especially those from the UK, Chip and PIN isn't all it's cracked up to be either. It appears that it was very successful in reducing fraud in the CP world, reducing losses by as much as 48% on counterfeit cards. On the other hand, according to UKCreditCards.com, phishing scams increased by 55% and fraud on foreign issued cards is up by 36%.

    Correct me if I'm wrong here, but from those numbers it appears that Chip and PIN has simply pushed fraud over to the CNP world where the merchants, and not the issuers, are responsible for the losses. Good for banks - bad for merchants.

    I would point out too that from everything I've read, there are no plans for Chip and PIN to be deployed in the US - at least not anytime soon.

    And then there is the problem of the chip itself. With a PIN it is still only as secure as a magstripe with a PIN, and with the proliferation of ATM fraud here, we know it's not all that good. Perhaps you should take a look at all the reports that tell us waving an RFID reader near a card is just as effective as waving a card near an RFID reader.

    http://www.youtube.com/watch?v=vmajlKJlT3U
    http://www.youtube.com/watch?v=X034R3yzDhw

    Since the decrypting is done at the reader, it doesn't look too secure to me. End to end encryption would probably solve this issue but as it stands, it doesn't look secure to me.

  170. 170
    Wynand Vermeulen Says:

    Tom,

    My point is that the magstripe should go. The counterfeit and foreign fraud in the UK is due to cloning of the magstripe, not the chip. Take away the magstripe, and there is nothing left to clone.

    My second point was that manual transactions should go as well (even less secure than using checks), which your first video also made clear... they copied the data from the chip and used it to do a manual transaction!

    Let me be clear: There is nothing that man can make that man can't break. The trick is to make it more expensive to break, than the profit that can be derived from breaking it - criminals are also in business. There is no such thing as 100% secure - just because something is secure today, does not mean it is secure tomorrow. Security is a system wide concept, and not something limited to a single point or service.

    Not everything in a chip is encrypted (you have to leave some room for the minimum data required for a transaction), and the terminal does not decrypt anything from the card; it does however validate signatures and checksums, but it does not have the keys to decrypt Dynamic CVC3 or dCVV. I agree with your view that the most secure approach will be to 100% end-to-end (card to issuer) encrypt everything on the card; however the current payment network protocols cannot support that, and it will require an entire overhaul of all payment networks, as well as all cards and all terminals.

    Phishing scams are typically internet fraud targeted at stealing login credentials for internet banking websites, and this is not directly attributable to cards, but rather to the use of outdated username/password credentials for accessing something as important as your bank account. Phishing can easily be countered using SMS challenges, or using a personal CAP/DPA reader together with your EMV card.

    There is something called the Liability Shift, which is implemented at the national level and enforced by payment schemes (and some governments) around the world. The liability shift is not yet applicable to international transactions.

    The liability shift, in a nutshell, states that if an EMV card is presented at a non-EMV terminal, the acquirer will be liable for the fraud. In all other instances (generally) the issuer is responsible for the fraud. It is typical for the acquirer to shift fraud losses down to the merchant.

    Here is a fun (sic) exercise for anyone with a magnetic stripe card: travel to the UK, and try to pay at a main street shop with your magnetic stripe card. A few years ago I still had a magstripe card, and I found that more often than not the cashier would not accept the card for payment, since there is no chip on the card, and they have been trained not to swipe the card, since the merchant didn't want to take the fraud risk...

    The problem with statistics and mainstream media is there is no bandwidth for specifics, and generalisation is the rule. Your second video supported this, and the fear the payment schemes have regarding the security of older and outdated cards that are still being made due to lower costs. Once again merchants and acquirers are protected against poor security on these cards, and the issuer will have to bear the cost of fraud. As a MythBusters fan I'm however sad that this episode never got made!

    Just because something lives on a chip doesn't mean it's secure. It requires proper implementation, and unfortunately some issuers released cards with poor security. With smartcards, compliance with the standards does not ensure the highest security; it's about the options within that standard you execute. However, where the liability shift applies, the cost of low security falls to the issuer, so it should not affect merchants and acquirers.

    There are two types of contactless payment cards: magstripe grade and EMV grade. Magstripe grade is essentially magstripe data via the contactless interface; EMV grade is the equivalent of EMV via the contactless interface. There are two ways of securing magstripe grade contactless: either with a static pre-generated code, for example Static CVC3, or with dynamically generated codes, for example Dynamic CVC3 and dCVV. Dynamic CVC3 and dCVV mean that the data read from the contactless interface cannot be used for a different transaction.

    There is also something known as a cross contamination attack; in this scenario, data is read from the chip and used to create a counterfeit magnetic stripe. Once again, this is easily avoided using iCVC/iCVV in the Track 2 Equivalent Data inside the chip. iCVV/iCVC uses different keys than the magnetic stripe, and thus CVV/CVC validation will fail when magstripe transactions are offered with the chip iCVV/iCVC.

    I'm not alone in saying that the magstripe must go:
    http://www.smartcardalliance.org/articles/2009/10/13/smart-card-alliance-contactless-and-mobile-payments-council-plans-more-education-on-chip-cards-and-u-s-payments-fraud-for-upcoming-year

    To summarise, a chip can be made extremely secure if the proper security options are implemented; if a chip implementation does leave room for fraud, the liability shift states that the issuer must carry the cost... thus, due to the liability shift, merchants and acquirers are not held ransom to poor security decisions made by issuers when it comes to EMV.
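
The cross contamination attack and the dynamic CVC3/dCVV point above, as an added example that is not from the original post or from any payment scheme's code. It models the issuer-side checks only: HMAC-SHA256 stands in for the Triple-DES card verification algorithm (an assumption, not the real construction), the keys and per-card key are constructed, the PAN is a well-known test number, the Track 2 layout is simplified to PAN=YYMM+service code+discretionary data, and the iCVV uses both the separate chip key the post describes and the EMV convention of service code 999.

```python
import hashlib
import hmac

# Constructed issuer-side keys for the demo. Real CVV/iCVV generation uses
# Triple-DES under a pair of Card Verification Keys; HMAC-SHA256 stands in
# for that keyed function here (an assumption of this example).
CVK_MAGSTRIPE = b"demo-cvk-magstripe-key"
CVK_ICVV = b"demo-cvk-chip-key"   # iCVV keyed separately, as the post describes
ICVV_SERVICE_CODE = "999"         # EMV convention: iCVV is derived with service code 999


def decimalise(hexdigest: str, ndigits: int) -> str:
    """Mimic the CVV decimalisation step: decimal hex digits first, then a-f mapped to 0-5."""
    digits = [c for c in hexdigest if c.isdigit()]
    letters = [str(ord(c) - ord("a")) for c in hexdigest if c in "abcdef"]
    return "".join(digits + letters)[:ndigits]


def compute_cvv(pan: str, expiry_yymm: str, service_code: str, key: bytes) -> str:
    """Issuer-side card verification value over PAN, expiry and service code."""
    msg = f"{pan}{expiry_yymm}{service_code}".encode()
    return decimalise(hmac.new(key, msg, hashlib.sha256).hexdigest(), 3)


def compute_icvv(pan: str, expiry_yymm: str) -> str:
    """iCVV: same construction, but with service code 999 and the chip key."""
    return compute_cvv(pan, expiry_yymm, ICVV_SERVICE_CODE, CVK_ICVV)


def build_track2(pan: str, expiry_yymm: str, service_code: str, cvv: str) -> str:
    """Simplified Track 2: PAN '=' YYMM SSS <discretionary data>; the CVV sits in the discretionary data."""
    return f"{pan}={expiry_yymm}{service_code}{cvv}"


def parse_track2(track2: str):
    pan, rest = track2.split("=")
    return pan, rest[:4], rest[4:7], rest[7:]


def verify_magstripe_transaction(track2: str) -> bool:
    """Issuer check for a swiped authorisation: recompute the CVV with the magstripe key
    and the service code as read from the stripe."""
    pan, expiry, service_code, discretionary = parse_track2(track2)
    expected = compute_cvv(pan, expiry, service_code, CVK_MAGSTRIPE)
    return hmac.compare_digest(expected, discretionary[:3])


def verify_chip_track2_equivalent(track2_equiv: str) -> bool:
    """Issuer check for Track 2 Equivalent Data received in an EMV authorisation."""
    pan, expiry, _service_code, discretionary = parse_track2(track2_equiv)
    return hmac.compare_digest(compute_icvv(pan, expiry), discretionary[:3])


# Constructed card personalisation (test PAN, not a real account).
PAN = "4111111111111111"
EXPIRY = "1212"
SERVICE_CODE = "201"   # a "chip present" service code, as printed on the stripe

GENUINE_STRIPE = build_track2(PAN, EXPIRY, SERVICE_CODE,
                              compute_cvv(PAN, EXPIRY, SERVICE_CODE, CVK_MAGSTRIPE))
CHIP_TRACK2_EQUIVALENT = build_track2(PAN, EXPIRY, SERVICE_CODE, compute_icvv(PAN, EXPIRY))

# Attack 1: skim and clone the magstripe. The issuer cannot tell the clone from the original.
SKIMMED_STRIPE = GENUINE_STRIPE

# Attack 2: cross contamination - read the chip's Track 2 Equivalent Data and write it to a blank stripe.
# The discretionary data now carries the iCVV, which the magstripe check will not accept.
CROSS_CONTAMINATED_STRIPE = CHIP_TRACK2_EQUIVALENT


# --- Dynamic contactless code (the Dynamic CVC3 / dCVV idea): replay of sniffed data fails ---
CARD_KEY = b"demo-per-card-contactless-key"   # constructed per-card key shared with the issuer


def dynamic_code(atc: int, unpredictable_number: int, key: bytes = CARD_KEY) -> str:
    """Card side: a 3-digit code bound to the transaction counter (ATC) and the terminal's challenge."""
    msg = f"{atc:04X}{unpredictable_number:08X}".encode()
    return decimalise(hmac.new(key, msg, hashlib.sha256).hexdigest(), 3)


def issuer_verify_dynamic(atc: int, unpredictable_number: int, code: str, last_seen_atc: int) -> bool:
    """Issuer side: reject a counter already seen, then recompute the code for this exact transaction."""
    if atc <= last_seen_atc:
        return False   # counter reused: a replay of previously captured contactless data
    return hmac.compare_digest(dynamic_code(atc, unpredictable_number), code)


if __name__ == "__main__":
    print("genuine stripe accepted:      ", verify_magstripe_transaction(GENUINE_STRIPE))
    print("skimmed clone accepted:       ", verify_magstripe_transaction(SKIMMED_STRIPE))
    print("chip data on stripe accepted: ", verify_magstripe_transaction(CROSS_CONTAMINATED_STRIPE))
    captured = dynamic_code(7, 0x1A2B3C4D)
    print("replayed contactless accepted:", issuer_verify_dynamic(7, 0x1A2B3C4D, captured, last_seen_atc=7))
```

The skimmed clone passes every check the issuer can make, which is the post's point that nothing short of removing the stripe fixes that case; the chip-derived stripe and the replayed contactless code fail because the value the fraudster copied was bound to a different key, service code, counter or challenge than the transaction it is now presented in.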

  171. 171
    Wynand Vermeulen Says:

    Addendum to previous post:

    Perhaps my intention was not clear; I intended to make a general point: that it's time to move away from magstripe and manual transactions, and to move in unison.

    I understand that magstripe will still be with us for a long time due to the sheer number of participants and the costs involved with migration.

    The world of payments is a slow and lumbering giant that does not move quickly... the majority of transactions still occur in hard currency, a technology more than 3000 years old...

    The US indeed does not seem to have plans to roll out EMV; however I believe its hand will be forced, as the rest of the world is migrating, and EMV migration causes fraud to migrate and consolidate in non-EMV regions. US travellers will systematically find their magstripe cards not being accepted in EMV regions, thus pure acceptance will also play a role.

    The magstripe is dead. Long live the chip. :)

  172. 172
    Wynand Vermeulen Says:

    Biometrics certainly have potential, but will not do much towards improving card fraud. The number one reason for card fraud is the acceptance of transactions based solely on the information printed on the card (also known as manual transactions), or the data on the magnetic stripe.

    Visa and MasterCard both offer additional security for internet transactions by using 3D Secure. 3DSecure navigates from the merchant's page to a payment page on the issuing bank, and then back to the merchant. 3DSecure can be used with a variety of cardholder authentication methods, such as a passcode, or using EMV cards for CAP/DPA (Chip Authentication Program, Dynamic Passcode Authentication) transactions (also known as Verified by Visa or MasterCard SecureCode).

    Biometrics can easily be added to EMV cards for use with CAP/DPA; there are cards that include a display on the card, which can display a number on presenting a valid fingerprint. However I don't see how these cards would work at an ATM, since they need to be powered in order to capture a fingerprint, and ATMs typically capture the card before powering it...

  173. 173
    Henning L. Ostergaard Says:

    On board powered cards with fingerprint scanner and dynamic magnetic stripes are available today...

    The CardLab Biometric Credit Card will only "turn on" the dynamic magnetic stripe when the card owner has authorized the card by swiping his/her finger on the on-board powered scanner, i.e. no power from an external scanner (such as an ATM) is needed.

    The on-board display can, after authorization, show an on-board generated One Time Password, e.g. a dynamic CVV code, and will thereby eliminate most online fraud.

    Copied credit cards will simply not work, since the CVV code is a One Time Code, and not printed on the card or stored on the magnetic stripe as it is today...

  174. 174
    Tweets that mention Real Time Keylogging | Credit Card Fraud Prevention for Merchants -- Topsy.com Says:

    [...] This post was mentioned on Twitter by Tom Mahoney, Joan Miller. Joan Miller said: @merchant911 Real Time Keylogging: Real time keylogging malware makes one-time password technology obsolete. http://bit.ly/5reYKr [...]

  176. 176
    Tweets that mention The State of Merchant911 | Credit Card Fraud Prevention for Merchants -- Topsy.com Says:

    [...] This post was mentioned on Twitter by Tom Mahoney, Joan Miller. Joan Miller said: RT@merchant911 The State of Merchant911: There is no question that on-line merchants are becoming more aware of the... http://bit.ly/855ff9 [...]

  177. 177
    Adrian Says:

    What makes you think he targeted only US citizens? The internet is a global medium and the techniques Gonzalez used to hack into those systems should be just as effective outside of the US. Want to take a guess at how many cards he REALLY got hold of?

  178. 178
    Tom Says:

    Adrian,

    Certainly a good point and we can only know what we're told. Clearly if any of these entities were doing global sales and their databases were hacked, then it's more than US cards. But we do know that at least some of the breaches were ongoing at the POS and those would be US only.

    I do see breach reports from overseas now and then but I don't think they have the reporting requirements that we do so a lot of them are under the radar.

  179. 179
    Tweets that mention Anther data breach victim Part 2 | Credit Card Fraud Prevention for Merchants -- Topsy.com Says:

    [...] This post was mentioned on Twitter by Tom Mahoney, Joan Miller. Joan Miller said: RT@merchant911 Anther data breach victim Part 2: In my last post I gave a few details about Albert Gonzalez and his... http://bit.ly/8VSj3t [...]

  180. 180
    StrongBox Says:

    Very nice post. 170 million cards is a very scary number. Albert Gonzalez is one of thousands of criminals who actually got caught. It makes me wonder how many cards in the world are actually still "private" and not stolen.

  181. 181
    iTrust Blog » Blog Archive » It’s Back! Heartland Data Breach rears its ugly head Says:

    [...] Merchant 911, we are reminded of the serious security breach of Heartland 130 Million credit and debit cards [...]

  182. 182
    Tom Says:

    For those of you who may have come here from https://infosecurity.us/?p=13068, you may have figured out by now that someone over there misread my post. This was NOT another Heartland breach - it was just more aftermath of the big one.

    I just want to clarify. Heartland, as far as I know, has NOT been breached again. The 5000 First National Bank of Durango cards that were at risk appear to have been compromised in the Heartland breach announced last year.


© 2007-2010 Merchant911,LLC All Rights Reserved - Distribution Encouraged -- Copyright notice by Blog Copyright