Online fraud: good for banks, bad for business
Every time an online store is contacted by a bank and notified that fraudsters used someone elses card to purchase goods on a website, the store owner has to pay a huge chargeback fee for each fraudulent transaction.
My brother who works the backend for a large online store and monitors illegal activity says that bank effectively get the chargeback and the original fee and refund fee. Banks make a fortune off chargebacks – that’s why they all offer online fraud protection on their cards.
I think this is outrageous and should be totally illegal. The onus should be on the bank to monitor illegal activity on their own customers accounts and they should pay if they miss anything – anything else should be covered by the banks insurance.
If a transaction is cleared by a bank to purchase completely legal items on a legal online store, then the store owner should be paid what they are owed by the bank. You’d think it should be that simple… dream on.
Did you know that the the USA banking system has massive fraud problems – apparently many US banks dont even do a complete security check for the transaction online. The name could even be wrong and the transaction would still clear. Its absolutely shocking that banks are getting away with this and small businesses are paying for it.
The whole system is so screwed up and if we dont keep an eye on it, it could devastate online businesses.
ken
The banks have to be signed up to it or it dosent work….
The customer gets a pop up window from VISA / MASTERCARD where theyre prompted for their password/pincode to proceed with the transaction….
the funny thing is when we tried this, there was a link for ” I forgot my password, create a new one”
After clicking on this, all you need to create a new password is birthdate!!!! after putting in birthdate (no secret question etc) you can just type in a new pincode!!! no hassles
what a joke!
ken
Well are signed up to both the mastercard and visa…and we still get chargebacks… even transactions where nothing matches… customer name, security code, country, etc…
I do not see the banks ever wanting to or needing to change this… they make more money with chargebacks, and they dont lose money by insuring their customers agaist fraud, that money comes back from the merchant, with a chargeback fee included.
Bastards 😛
Kittykatze
That is my understanding, aye.
Bear in mind though, the conference I went to was many years ago. Probably best to have a dig around and see if that’s still the case. 🙂
olivia
I see… so if for example Sock Dreams offered the visa & mastercard PIN option on their cart, regardless if any customers used it, they would not have to pay chargebacks on any fraudulent payments because they have taken all the steps necessary to protect customers cards?
It would be great news for the merchant if this is true…
Kittykatze
“In a perfect world these two idea by mastercard and visa are good… but only a few people will sign up to it… and as a merchant are you gonna ban the rest??? ”
You don’t have to.
As a Merchant, just by offering the facility to input an online PIN as an additional security feature, you have protected yourself against taking the hit in the case of fraud regardless of whether your customers have signed up for the scheme or not.
There is no real incentive for cardholders themselves to sign up for the scheme, as you say, they already have fraud protection. But there is an incentive for the banks/card issuers to gradually migrate all their customers to it.
The more Merchants that offer this, the more Banks will push customers to sign up for the online PIN, as every site with this facility is transferring the responsibility back onto the Banks.
The whole scheme is designed around protecting the merchant.
nathan
Hmm…is the timing of this post prophetic, Olivia?
Ken
I dont understand why a customer would want to sign up though… because as a customer you are offered fraud protection from any purchases online that you report as not being yours.
If you sign up to “verified by visa” etc… what you are doing is saying that you are responsible for ANY online purchases on your card… even if fraudulent.
Now imagine someone gets hold of your password information now… youre screwed with no fraud protection.
And believe me, these guys can get pretty much any info on your card they want… so I dont think a pin or a secret question is going to be much help. If there are forums online with thousands of credit card holders details being posted up daily, with address, phone number, card numbers, expiries on… then this is just adding a pin and question answer.
Card holders pay good money in charges and interest, merchants lose money becuase of fraud.
The Banks need to take responsibility for the service they are offering between the two.
In a perfect world these two idea by mastercard and visa are good… but only a few people will sign up to it… and as a merchant are you gonna ban the rest???
olivia
This is great Kat! I’m going to sign my cards up.
Kittykatze
I found the relevant info:
“Verified By Visa”
“Mastercard SecureCode”
Both work on a similar principle that the cardholder and cardissuer establish a secure question/answer or PIN between themselves; at an appropriate point, the online transaction between cardholder and merchant switches to cardholder and cardissuer for the exchange of secure info, then back to cardholder/merchant to complete transaction.
The important bit WorldPay (the confernence I went to that explained this system) emphasized was that the cardholder and cardissuer did not have to have established the secure exchange for the receiving merchant to be protected; the merchant would be protected provided he/she offered the opportunity for that exchange to take place. That put the onus back onto the cardholders (to regsiter with the appropriate scheme) and the cardissuers (to encourage cardholders to register).
niqkita
I think I’m going to be sick now ~;) yeah, I banned Indonesian purchases years ago. But recently a woman started writing (from indonesia) and she seemed nice enough so we helped her out a few times. But red flags quickly went up and we banned her and swore to never ever deal with indonesians again, too bad, I’m sure there must be some decent people there.
Ken
I’m investigating a bunch of fraudsters who commit fraud on my companies website…These guys are very organised and even have private “invite only” forums where they post up numbers of active credit cards daily!
Ive managed to gain access into these forums and couldnt believe the posts!
These details include card details, full address, names, expiry, telephone number etc…
They have closely knit online groups and use eachothers physical mail addresses to send packages to incase they get investigated, then UPS the packages back to eachother.
I’ve managed to even spy on their mail activities (dont ask me how) and this is how I’ve learned how they operate.
A lot of bogus email accounts and tonnes of online merchants purchase order receipts, a lot of different names and addresses!
One thing about these people is that they have patterns which you can identify them with.
If you have an online business with an e-commerce system, and have problems with fraud, its a good Idea to run queries on your sales database on specific transactions to look out for these patterns.
If youre a fraudster, you will make multiple buying accounts as you have to “test” out a lot of different cards till one works and you get your goods. Because of this they have to keep a common password or login name/surname which makes identifying these rouge accounts easier. If you can search your database on passwords, or even customer names, bonus…
Also they will do their damage at relatively the same time each week with similar days and hours…. so you could look at purchases in a specific timeframe, unusually high orders etc…
Also if you get asked for a speedy delivery, be carefull… thats a major telltale sign.
A lot of them use anonymous proxies or softwares to hipe their IP addresses when committingh fraud… if this is the case then they most likely doing it from their own home… If you can find out that it is infact an anonymous proxie, then you could contact them and demand you get the details of who did the transaction at that time. With those details build a stronger case.
I was having huge problems with indonesia and fraud and infact did not have one legitimate order from there. Eventually just banned any indonesian IP addresses from accessing the website.
Also another thing to look out for is the originating IP address and the IP address code of the country the credit card is linked to… you can also blacklist these purchases from going through.
If you have an online business and have problems with fraud ask Ms Wakame for my contact details and perhaps I can help 🙂
niqkita
There is the CVV, three digits on the back of the card above your sig, four on the front of american express, but it doesn’t go far to protect the merchants and customers are often leary about sharing that number because they aren’t clear on why it’s there and how it helps protect them and the merchant. Our site has a link explaining it right next to where it is required, but people still get confused by links and pop ups windows sometimes.
olivia
Wow what a great idea! I ‘d be so happy to use my pin it it meant nobody else could use my card number online.
Kittykatze
Many years ago they were talking about introducing a PIN that you use online (similar to Chip & PIN cards).
This would effectively put the onus back on the banks rather than having the retailer take the hit, but I’ve heard nothing new about it for years, probably because it’d be the banks that need to impliment it and they’re the ones standing to make a loss. meh. :/
niqkita
It shocks me that this is such a dirty little secret too. They do very little to support merchants and are quick to stand behind customers who are obviousely lying. Yes, I’ve seen comletely wrong names used and approved, large orders with nothing matching but the credit card number sometimes getr approval while someone else merely mistypes their zipcode and gets declined and there are the people who will use their own card then claim they never got the merchandise (after selecting not to sign for the package) and despite the tracking info showing it was delivered o their door the merchant is out the money. Should yhe recipient who didn’t provide a safe location to receive heir package be responsible? or perhaps the post office who left it (or didn’t) somewhere where it wasn’t safe. And don’t even get me started about our postal service (or try to tell me that alternate carriers are any better).