Frequent use of stolen credit cards to pay for World of Warcraft subscription has prompted UK bank Halifax to block payments to the game's publisher, Blizzard Entertainment. In a statement, the bank said its decision to block payments was not a reflection of the integrity of Blizzard or its billing systems. "We have seen a …
The banks are all spooked
but Halifax hmm I might tippy toe out and remove my funds from them if I had any that is.
This is a good example of why cashless societies are bad news. At the end of the day you are placing your ability (right?) to spend your money how you choose. Analysts, consultants, politicians, etc. can (and obviously will) refuse to let you spend how you want.
It's my money damn it!
How many "inside" jobs
Teenager playing WoW--how does he make payment?
And, once he has the card details, how does parent stop him paying again, short of reporting some sort of fraudulent use?
And how many parents would report the card lost or compromised, rather than blame the bills on a family member?
I wonder a little if the high fraud rate is all that high as a percentage of payments to WoW: just a lot higher than fraud rates for other online sales.
Banks need better system to deter fraud
This report shows that government's data protection and bank's Chip and PIN systems are failing to deter fraudsters and hence fraud will continue to grow until they exploit ID KEY system described on website www.xwave.co.uk to make signature and PIN systems reliable and foolproof.
They will still process the payments - you just need to let them know first...
There is a solution here.
Wow does sell prepaid cards in most game outlets. Just buy and use one of those. Not hard really is it?
You think it's your money... it's theirs
you pay tax to use the money supply. basically.
all money is created out of debt. no debt = no money.
yes a cashless society is on the horizon, i'm just not sure how you can tell the masses to hold on to their paper money when plastic cards are more convenient.
As an ex game master for WoW the amount of compromised accounts that I encountered was astounding. So many people play WoW with no clue about securing their pc, they get keylogged, trojans, you name it, and their credit details get swiped due to it. Halifax is doing those idiots a favour who have no clue about security. Unfortunately those who do will have a bit more hassle about it.
And yes it might be your money, but if you don't know how to take care of your computer, it'll all get nicked on you anyway, so it wont be yours much longer.
what about other fraudulent uses?
Hopefully this will apply to paypal as well someday........
Verified by Visa / Mastercard Securecard
I wonder if anyone who subscribes to Blizzard's services can tell us if they have to fill out a Verified by Visa / Mastercard Securecard password box when they enter their details?
The banks are currently proclaiming this as the answer to all internet fraudster woes. Lloyds have told me that if I don't install it on our transaction server, they'll put up their processing rates.
I'm not entirely convinced though - I notice while using the process that a) it is not mandatory to use, you can decline having to sign up, and b) if you forget your password it'll give you another one if you enter your date of birth. Hardly ultra-secure.
Paris 'cos all her passwords are probably the same.
Re: Cashless Society
Whilst I do agree that it's a probem not being allowed to access your own money (I left Natwest for exactly that reason) in this case the bank are perfecty entitled to. It' a credit card so it's not your money, it's theirs.
How would you do it in a cash based society then?
...sending your monthly subscription in the post? I thought PBM died out in the 80's?
"Blizzard representatives didn't reply to emails requesting comment."
If you played the game that is sort of like a statement of the bleeding obvious!
They never reply quickly.... give it a few weeks.
@ Soloman Grundy
Since when did Visa & Mastercard CREDIT cards become your money - you're spending the banks money with an agreement to pay it back - if it's a fraudulent transaction I'm sure you'd be up in arms about having to pay for it.
Plus it doesn't say you can't pay for it - you just have to give the bank a bell to ensure it's you - or you could always use a debit card which the article doesn't mention as being stopped.
New RAID dungeon
To ease the transition into Frozen throne, we at blizzard have decided to open up a new 25 man raid dungeon. Helleefex. Includes the master raid boss, KreditKuntrulus with shocking new abilities like 'drain gold' and 'reposess epic'
Those of you who succeed in slaying the raid boss could be in for ph4t l3wt like the legendary credit card of inifite expenses. You loot that, you don't ever spend any gold again. Ever.
The REAL reason
Howard got ganked.
RE: Cashless Society
No doubt you keep your life savings in a bundle under your mattress...
This seems odd, but if it is correct, I can see why they would do this. I recently paid a largish sum to a building society. I offered to do it by switch, but I was advised that the transaction would probably not be approved, because it would be very unusual. (Not a human decision, just automated detection), so I used a cheque. A few weeks ago I paid for a meal in my local pub by switch. Their card machine was down, so it was done on paper. The next morning I got a call asking me to confirm my last few switch transactions; obviously because the none PIN transaction was unusual. I thought this level of scrutiny was very positive. This contrasts with a couple of years ago, when my new switch card was stolen before it was posted to me, and some clown used it eleven times in four days to buy small items from the same garage, with £20 cash back every time. Obviousy I got all the money back eventually, but it caused a lot of hassle and a period with no switch card while one was cancelled and another issued.
Just contact the bank
It isn't a ban. It's an automatic refusal to authorize
without customer approval.
Of course, what they should do is publish a list of automatically
refused transactions so that customers know to contact them
in advance. Bet they won't though.
but they're right.
Having recently been saved money by the Halifax's anti-fraud department, I agree with this move.
If an innocent company is attracting fraudulent use of stolen details then why not block all payments unless separately authorised?
How hard is it to one time authorise payments?
Halifax are on *my* blacklist
Anyone with a Halifax account is duty bound to change to another bank.
Not because they think it's easier to cut fraud by denying huge numbers of completely legitimate payments (rather than, oh I don't know, phoning you up to check whether you intended to pay Blizzard money or not?). That is bad, but if you are still banking with Halifax right now then you deserve it.
Having an account Halifax funds their criminally annoying advertising. Stop it. Withdraw your money and change to someone else.
And don't try to say that you're massively overdrawn and thus costing them money. You know they'll claim it back in the end and make a profit from you. STOP FUNDING THIS SICK FILTH.
I dont remember any varified by visa when I signed up.
Let's get back to the point shall we? If your card was being used, I guess you'd be on the phone to them straight away. At least their actions are saving you a call.
Hi, my name is captain obvious
Let's just look at this situation for a second:
1) Stolen cards are being used to pay for accounts
2) Accounts connect to Blizzard's servers
3) Accounts hence display their IP address to Blizzard
So what do Halifax do? They stop stolen card payments to Blizzard. What would any sensible company do?
GET BLIZZARD TO REPORT THE FUCKING FRAUDULENT TRANSACTIONS AND THE IP ADDRESS TO THE POLICE SO THEY CAN FUCKING SUBPOENA THE ISP FOR THE PHYSICAL ADDRESS ASSIGNED TO THAT IP WHEN THE CREDIT CARD THEIF CONNECTS TO THE SODDING GAME!
Basically Halifax are saying "Yeah, we don't actually mind you continuing to use that stolen card, you just can't pay for WoW with it" when in fact they should be saying "lol you idiot now we can trace you to the address you're playing from and arrest you so you can't actually use that stolen card anymore and get punished for doing so in the first place".
Sure they could be routing through a proxy to Blizzard's servers but I'd bet the majority wouldn't be.
Does it really have to be so difficult? I'm really bothered that a bank would have this attitude to the security of people's money rather than just deal with the fraudsters outright. They're letting them get away to commit fraud with my card another day and in another potentially more costly manner!
My comment was about cashless societies in general. I apologize for my failing to recognize that English banking may not view debit cards the same as credit cards. In the States a debit card can be used anywhere a credit card is used (depending on the card it can be both) it may not be the same over there. My bad.
Irrespective of banking system nuances, my initial comment is still valid. If the bank has seen fit to issue me with a card, then they should leave me and my purchases alone. I review my statement each month and if something is wrong I can invoke my buyer protection privileges and the charge will be refunded. If people aren't reviewing their statements that's their problem. If banks can't implement a better system than having to call them to authorize a purchase, that's their problem. There are already plenty of systems in place to protect consumers.
Disclaimer: Solomon Grundy has never, nor will he ever, participate in WoW. His comments were made based on principal.
Can we get a penguin in a black helicopter icon? It'd just be cool.
ID theft, ID's lost and the internet
Wow, I'd be happy to hear my bank was doing something about fraudulent claims coming thru their system, and I'd rather that little bit of extra hassle of contacting the bank to setup an account. The real problem about this particular cashless cow is there's no physical product, you pay for the service, download what's required and play. the only bits of info required are a card number, a name and address which could probably be found in local restaurant bins. As long as you play in public wifi spots you're pretty much untouchable...
I love the fact the government are so keen to crack down on piracy, peer to peer (which the BBC online service BBCi utilizes) and free internet, yet seem utterly impotent in the face of identity theft, email scams or, you know, keeping records of their own people safe.
Paris Hilton, just, because...
If they cared about their customers
They would stop making those tedious adverts that bombard us with wannabe singers and spend the money on something more useful.
Like helping retailers etc incorporate the verified by visa/mastercard system to help cut down card fraud
A side effect of the subprime stuff
Halifax is attempting to reduce its exposure to the possible burst of the World of Warcraft hut-ing bubble.
Unless it's the World of CardCraft they are worried about.
What makes it really stupid...
What makes it really stupid is that they're doing something without first trying to understand what the problem _is_. And unsurprisingly come up with a "solution" that's only annoying, but doesn't actually solve the problem.
There is fraud in WoW, there are keyloggers aimed at stealing WoW passwords, etc. Yes.
1) If a fraudster got your details that way, he's not going to use it to buy you another month of WoW. He'll try to transfer your money somewhere else, buy something with it, etc.
So blocking transfers to Blizzard is blocking the only thing that a fraudster _won't_ do with your account. But allowing everything else. Heh.
2) There is no indication (so far) that any customer details have been lost by _Blizzard_, nor that any fraudulent transaction has been done through Blizzard. Some people just get scammed into giving someone else their details, or into installing a keylogger.
So basically even blocking people from giving Blizzard their details at all, still solves the wrong problem. That's not how they lose their details. Even if people couldn't physically enter anything on Blizzard's site, those keyloggers and phishing sites would still do the same job anyway. In fact, by virtue of _not_ being Blizzard, the phishing sites are completely safe from this.
3) Requiring people to go through loops each month to get their subscription renewed, actually _lowers_ the security there.
In the normal case, you gave Blizzard or their bank your credit card number, and they'll automatically get some money each month from your account. But that's the important part: there's only one time when you give your credit card number, and only at that time it can be intercepted. if you force users to go through loops each month, you create extra opportunities for that to happen. You also create more opportunities for phishers and the like to masquerade as services that can automate for you, what a stupid bank tried to block. You create opportunities for phishers to pretend they're Blizzard's support checking credit card details, when someone finds their subscription expired because the bank stopped paying, and they haven't yet figured out why. Etc.
Now I'm not saying that it's the end of the world, nor that everyone will get scammed that way. But I can see a few extra people getting scammed... because their bank tried to protect them from the wrong threat.
I don't know... I find it just bloody sad. I know a lot of people are muppets who fake fixing a problem they don't even understand, just to look like they're doing something. But I'd expect a bit more responsibility from a bank. If that's how they respond to security or privacy problems... let's just say, I'd get my money out of there ASAP. I'd want my money handled by less clueless monkeys.
Any company which discriminates against wow losers is doing something right.
Halifax - funny money banking
Halifax is a strange bank to say the least...
It doesn't save you anything. Fraud is covered by your bank anyway. All it does is cause you inconvenience.
Also game cards for wow are not an alternative because they cost about 3 times as much as paying directly.
There is no reason at all for your bank to decline transactions willy nilly, what they should be doing is putting a decent verification process in place. Verified by visa and mastercard securecode have huge obvious flaws. What we need is for them to put some decent protection in place rather than all these measures to hoist the blame/liability for fraud onto cardholders.
it isn't the fact that people are stealing your credit cards to pay for your account, its the fact that WoW accounts are compromised regularly, the credit card details are then used to purchase WoW accounts for RMT (who mostly are in China, so are outside US/UK legal channels).
Halifax have an obligation and a duty to protect their clients financial details and to do whatever they can to protect them from fraud, so just adding a hoop to jump through to ensure you are not the victim of fraud is a good thing. Sure it won't stop stupid people having their accounts stolen through keyloggers, but it may help prevent them from having fraudulent transactions.
Not going to disagree with what you wrote, but I'd argue that (partially _because_ of that), the ban is even more stupid and ineffective than that.
Ok, let's say I were an asshat haxx0r (I'm not, but just for reductio-ad-absurdum argument sake), I stole your identity and (of all the stupid things) all I want to do with your credit card is buy a WoW subscription. Blocking transfers to Blizzard is going to help... how?
For the exact reasons you wrote, my directly giving your credit card number to Blizzard would be the dumbest thing ever. Plus it would buy me about a month of WoW, because after that you see the charge on your bank statement and block it. Blizzard would then probably ban my account too, when the bank tries to reverse the charge as fraudulent. So that's one char which probably won't get to level 70. Bummer.
No, what I'd want to do then is buy a 3 months game card from Amazon with that credit card. Which (A) isn't blocked by any bank, and (B) doesn't link that WoW account to a stolen credit card.
But again, that assumes that someone would go into the fraud line of work just so they can play WoW. A dozen or so bucks a month isn't worth the risk even by third world standards. If someone got a bunch of credit card numbers, they're going to want to get more expensive stuff with them.
El Reg crowd not understand banking?
1. That blog link by Mark Ford shows nothing wrong with the Halifax. They are free to choose what overdraft (if any) facility they offer their customers. If you don't like what they offer you there are plenty of other banks on the high street/internet.
Cash is quite expensive to handle, and coins more so. Banks therefore have limits on how much they will take in any given transaction, or more commonly now - in any given day. Again, if you don't like it, change banks.
And anyone walking around with an unsigned credit/debit card should be removed as a customer at once - they are massive risk. Fraud losses are covered by the bank, who get their money from you and I. I don't want to be paying for his stupidity. An unsigned Chip and Pin cards security is easily circumvented with a hammer and a biro. Walk into a Sony Centre, card a 44" Brava, oh the chip doesn't work? I'll just sign...
2. Asking banks to request ISPs give them IP addresses used in fraudulent transactions is a joke yeah? No?! First of all, this should be a criminal matter, as cross border civil matters are so easy to ignore. That means it's down to the POLICE to do that work, not the bank. Given the relatively small amounts of money taken by paying for WoW the Police really aren't going to go through the expense and hassle of working with foreign Police forces etc. Hell, my lady had £600 taken from her account by someone in Italy a couple of years ago and the Police weren't interested, so £10 for a month of WoW isn't going to get any attention. Now here's the important bit :
*** which is exactly why ppl do it! ***
The Halifax are making it a pain to use stolen cards for WoW, but legit users only have to auth it once with the bank and they're back to normal. If you want to throw a hissy fit and blame someone there are plenty of other ppl further up the queue before you get to the Halifax...
Data breach ?
Perhaps the reason only the Halifax is doing this is because they've had a data loss or breach that they've not disclosed...
@Hans, Ian and Solomon
@ Hans Mustermann
Try reading the actual article! It doesn't say that WoW users are the ones who are having their credit card details stolen, it's saying that stolen credit cards (from anywhere) are being used to pay for WoW subscriptions.
"So what do Halifax do? They stop stolen card payments to Blizzard. What would any sensible company do?
GET BLIZZARD TO REPORT THE FUCKING FRAUDULENT TRANSACTIONS AND THE IP ADDRESS TO THE POLICE SO THEY CAN FUCKING SUBPOENA THE ISP FOR THE PHYSICAL ADDRESS ASSIGNED TO THAT IP WHEN THE CREDIT CARD THEIF CONNECTS TO THE SODDING GAME!"
OK, lets have a reality check shall we? 1) Halifax have direct control over which transactions are and are not paid out. 2) Halifax do NOT have control of Blizzard's servers, so rely on contacting them in each case to get the information that's required. 3) Hiding your IP address is relatively simple these days, so getting the IP address that the fraudster connects from doesn't ensure they can track it to the actual criminal. 4) Every one of these fraudulent transactions gets paid for by Halifax, since the end user claims it back. 5) I dread to think how much money it would cost them in man power and legal fees to track down and presecute every single fraudster individually.
"If the bank has seen fit to issue me with a card, then they should leave me and my purchases alone. I review my statement each month and if something is wrong I can invoke my buyer protection privileges and the charge will be refunded."
So what you're basically saying is that you want to have your cake and eat it!?! You don't want the bank to stop transactions they feel are dodgy when they are made, yet you expect them to pick up the tab and clear the charge from your card when you find out that they were fraudulent?
I'm certainly not a big fan of many banks, but in this case I have to agree with their actions.
Not sure about in the UK, but in Australia one of the major banks tried to implement a more secure payment method by issuing chipped cards and giving (yes giving) their customers card readers so it could do a secure signature on the transaction and relied on you having the physical card for your online transactions.
People decided it was all too hard and the bank ended up with several thousand USB card readers in storage.
@ Antony Pearce
The idea of using bank-supplied card readers in the home was a fantastic one, and I never understood why it didn't take off. And it was because "People decided it was all too hard?"
What? Let's see:
Normal online transaction: I have to type my name, address, card PAN and CVC number, expiry date, and the cardholder name before submitting the transaction. Any fraudster can bang in details copied from a card along with a fake address.
Card-reader transaction: I swipe my card through a reader, key my PIN, and the bank does the rest. Far more secure, and it ensures that any goods ordered are delivered to the address the cardholder has registered with the bank, not some arbitrary address specified by a fraudster.
Anybody who thought this system was harder than the usual online formfest needs to be dragged out into the street and clubbed to death for the good of humanity.
....for the next "criminally annoying" (as another reader put) Halifax advert to be a bunch of dwarves and elven clerics dancing around singing.
I am ashamed to say that about 6 years ago, I used to live next to some guys who knew "Howard" and he popped around to their house. It was actually just after the first advert, when he'd become a bit of a celebrity. That's not the part I am ashamed of though, I'm disappointed in myself that I missed the opportunity to knock him off then and there, and save us all from years of shit adverts.
So, Reg readers, I apologise for my failure.
@ Hans Mustermann
ok, you missed a vital thing, they DO use the cards to buy another months subscription, they use lots of cards have lots of accounts and run bots all over the place farming items and gold which gets sold on in the real world,
It happened with Diablo; it happened with runescape, hell any game that you can trade with other players on it going to happen with
It’s happening on credit cards too, so they can’t just transfer cash to another account, they have to buy things, which if you buy real world items will get your address traced
It’s basically the ability to launder money off you, they spend a relatively unnoticed amount each month, use the subscription to get sellable items receive money from those items,
Large amounts of cash in hand taken using your card, with no way to trace them
I find this highly interesting..
What I found happens alot, a user orders something, a few weeks later - realises they dont want it - so instead of going down the root of speaking to the company to get a refund, they issue it as a chargeback / fraud.
What i expect is happening -
Teenages are using their parents cards, with or without consent - the user realises "Jesus thats a rob" and then issues the charge back - thus the bank sees this as fraud.
Halifax, is just "trying" to show some responsibility, but we all know - that if a hacker really wants to wipe you clean, they will do more than just order WoW I mean - hell, surely they would know the IP is traceable or atleast the range is - especially if they are on dynamic, it would be a little harder to trace but do -able
Personally, I dont think there should be any contact with the ISP to a certain extent, its not their fault, is it? Or is it?
I think its just the case of the public / users trying to bend the rules to make it work in their favour - ive seen it happen so many times on a day - to - day basis. Its crazy.
I think halifax could of done something a little more than declining transactions to WoW, what about the current users, that are real, what happens then? Its not ideal!
Again, it all falls back to control - if a normal person can't access their own money and pay for things with their own money at places they wish - then why give us a card then?
It probably, falls back to the government - big brother is watching.
I'm glad Halifax decided to tell their customers...
This is the first I've heard of this. No one from Halifax has actually informed me that this is happening. I take it I'm supposed to guess after they reject the payment as to why this is happening.
I have had fraud done with my card in the past, they way they seemed to test the card was to buy some music tracks from a place in Brazil and then a few days later started going for the big stuff from all over the world. I found out what happened when I checked my on-line account. Nothing had arrived in my recent transactions by all my money had gone out of my account. This was before chip and pin (And a local garage I frequented was shut down around 8 months after due to credit card irregularity's).
I can't see how blocking transactions to certain companies (Unless the company were actually responsible for the card details theft) is going to help. Surly they would just use the details to buy something else.
It sounds like a bean counters reaction to a problem. "Hmm, most of the fraud is done on these types of transactions, so lets just block them, that will solve the problem, and to save even more money, lets not tell them, let them find out for their selves."
Who would play WOW anyway,
WOW has 8 million teenagers and kids, no wonder it's rife with people nicking daddy's credit details.
Must be bad for a bank to do this. LOL
Being from halifax and knowing most of their IT deparments through social drinking, I am shocked at how large it is and how each section of the bank doesn't talk to each other.
So customers not knowing isn't much of a shock.
Bottom Line - They're Crap!
Halifax Bank that is. If I wasn't currently in dispute with them I'd have left long ago
@ Ian Ferguson, RE:Verified by Visa / Mastercard Securecard
Regarding when you pay for the account/few new months or whatever using a Visa/Mastercard i can assure you that there is not verifed by visa popup meaning you need to input another password.
For Domino's Pizza though, there is..but then for something like Amazon, there isn't. Depends on the site really, some do, some don't.
My wife has some froaud on her accoutn the other year and sure enough it was someone paying for Warcrack. All refunded after reporting of course.
Naturally if a bank finds one particular destination for a lot of fraudulent payments they're goign to crack down. I'm sure a load of porn sites get blocked like this every month. No issue with their action at all.
One of the weaknesses that Blizzard enforce on the WoW community is periodic updates via BitTorrent, using an Updater that shows the IP addresses of your fellow updaters. I'm sure this information must be of use to those criminally minded - a person is currently online on a PC with this IP address... check is they've got up-to-date PC protection, if not install keylogger...
The subscription process doesn't trigger SecureCard - it didn't for my card this weekend - no call from India. I guess Blizzard store the details at the time of subscription and then issue their monthly, quarterly or six monthly request.
You only have to set up a sub once per life of your creditcard. Maybe Blizzard should suspend accounts where the payment card changes monthly, and restrict each card to a single person (or registered family) account.
Re: 8 million teenagers
The average age of the WoW player is like 28. Women players are on average older than male players, but are fewer in number (bored housewives probably). There have been quite a few demographic surveys, older players perfer alliance chars, younger ones horde, and so on. Interesting in itself.
WoW broke out of the teenage geek niche that confined other Online Multiplayer Massive Thingmajigs (or whatever they are called), thats why its so successfull.
"I apologize for my failing to recognize that English banking may not view debit cards the same as credit cards. In the States a debit card can be used anywhere a credit card is used (depending on the card it can be both) it may not be the same over there. My bad."
I would imagine that in the US (as it certainly is in the UK) a DEBIT card is not the same as a CREDIT card. A debit card takes money from your bank account straight away. Whereas a credit card takes money from the bank's account. The bank then passes that charge on to you to pay 30 days later.
A not very subtle difference.
- Review Reg man looks through a Glass, darkly: Google's toy ploy or killer tech specs?
- MEN WANTED to satisfy town full of yearning BRAZILIAN HOTNESS
- +Comment 'Stop dissing Google or quit': OK, I quit, says Code Club co-founder
- Nokia: Read our Maps, Samsung – we're HERE for the Gear
- Ofcom will not probe lesbian lizard snog in new Dr Who series