Headline losses from credit card fraud are only part of the problem facing UK ecommerce firms. Chargeback costs from failed transactions are also costing them dear. Credit card fraud protection specialist The 3rd Man reckons "card not present" crime in the UK is far higher than official statistics suggest and is getting worse. …
Why would there be chargebacks if the original transactions failed?
The banks won't take responsibility
I used to run a small retail business. iT was only through doing this that I realised how much the banks wash their hands of any kind of fraud or failed transactions.
They are all too happy to send out glossy brochures to Jo Public extolling the virtues of their credit cards and how Mr. Public won't be liable for any fraud etc. While this is perfectly true, the banks completely fail to point out that THEY won't make themselves liable either! I'm afraid that most of the expense resulting from fraud adn other issues such as chargebacks are met by the businesses that are offering ccard services. And they have no choice but to agree to this because the option is not to offer any service at all.
It stinks - the banks simply will not take any responsibility and they pass on all liability to anyone that they can. This is why fraud and chargebacks are such a serious problem - it's because the banks don't care
"Sharing data on suspicious transactions is one important technique for combatting the problem, he added"
I'd really like to know how to share this info. We have loads of fraudulent transactions, most of which we're able to spot. We've spoken to the police and our bank, but have had very little feedback on how to handle this sort of thing.
Re: The banks won't take responsibility
Rich said: "It stinks - the banks simply will not take any responsibility"
This is the main point that the Computer Laboratory Cambridge University (headed by Prof Ross Anderson) have been making in all their comments about insecurities in the banking system, from Chip & Spin onwards. You could start at http://www.lightbluetouchpaper.org/ ,
Until the banks are made responsible for the costs of their security failings, they have no incentive to improve security. They offset the cost of fraud either to the merchant or the real cardholder, depending on who they can get away with. Can a cardholder really PROVE that they have never relaxed their security to the levels adopted by the banks or the government (eg ask Nationwide or HMRC about lost customer details)?
No wonder that cash is being used more widely!
I don't understand fraud...
... when products or services are delivered to the house of the cc holder, and if a different address in, say, Morocco, is used then the business should double-check?
Of course, changing the cc address should require a bit more work than logging on - but once we establish the address is correct, then surely 99% of goods/services that can be bought online or over the phone will be relatively fraud free?
What am I missing here?
@Billy Goat Gruff
I want to buy a present for a friend.
I want to buy petrol.
I want to buy a subscription to a web site.
Etc, etc, etc
Re: I don't understand fraud
There are a number of things that can go wrong...
Someone can pay with a stolen card and the card is processed and the goods shipped out before the merchant (or indeed the bank) finds out that the card is stolen. This can be somewhat mitigated by only posting to the the card's registered address, but unfortunately people move about so much these days that doing this can cut off a lot of your customers.
A customer can complain that they never received the goods. Unless it's recorded delivery, it's impossible to prove otherwise, and indeed sometimes it may be true. The customer can get a chargeback on the card and the retailer is left out of pocket.
There are other disputes that can result in the customer getting their money back, again leaving the retailer out of pocket (which may be justified sometimes but not always).
One this I saw quite a bit were obvious attempts to use dodgy cards. I didn't send good out as a result; it's difficult to post goods when the address given is something like "hhkjhguy, London" (I kid you not). Clearly someone was just testing cards for authenicity, but this still cost me money because it incurred a transaction fee with the bank (only a few pence, but even so). By the way, when I informed the bank about these transactions they (and let's not beat about the bush here) didn't give a shit. They were not the least bit interested.
>I want to buy a present for a friend.
And the small business can double check
>I want to buy petrol.
Surely this is extremely unlikely when cardholder not present.
>I want to buy a subscription to a web site.
And the magazine is delivered to the cc address
>Etc, etc, etc
Any valid ones?
>This can be somewhat mitigated by only posting to the the card's registered address,
that's my point; with card-holder not present - it's almost entirely pointless for someone in Morocco to use your card to send something to the registered address.
>but unfortunately people move about so much these days that doing this can cut off a lot of your customers.
Really? Fraud is limited to people who have moved address but haven't told the bank? Then (a) fraud should be really small and (b) the business should reject it simply because it will reduce their fraud to 0.
Of course there are more complicated ways of telling if it's fraud, such as checking the name and address with a credit agency, but really, if the address is different that should be sufficient to either doublecheck with the purchaser or reject it.
I'm not trying to defend CC here - I refuse to use them because I'm still fuming over Chip&Pin redefining fraud as the cardholder's loss - and I'm not suggesting a magic bullet for customers denying they've received goods... but I can't see how checking and using the registered address would result in any gains for a thief, and thus the popularity of cc fraud would plummet...
@Billy Goat Gruff
Post your CC details on here & we can give you a demo!
I believe that's what Jeremy Clarkson thought until he did just that to prove a point. He soon changed his mind.
It's not fun for the legitimate card holder either !!!
I live in one EU Country and have my bank account in another EU Country.
Despite giving all the correct details when trying to make a purchase, the initial check that some of the on-line pay systems make, immediately rejects the transaction. (Presumably "Delivery address different country to Bank address" - even though the Bank Customers address is the Delivery address).
Visa is slowly rolling out an on line pin system for transaction verification in conjunction with some of the Banks (my UK one at least). When this is used, it is much like using an ATM (but even more secure) and the transaction goes through and all three (Bank, seller and buyer) are instantly happy. This system needs to be made more widespread so that we can all move on.
Paris - because she is bound to forget her password and therefore write it on the back of the card where her signature goes :-)
Banks? Huh... what are they good for...?
We get this all the time. If there is a way to track down the real card holder I try to let them know whenever possible (usually through a snail-mail letter to their verified card holder address). Whenever we do this we always get a call from the person thanking us for taking the time out to do it.
I did try to get help from one of the major banks once to do this with one customer and they put me through to a number for their fraud team which was a premium rate one (10p/minute or something).
So... the bank wanted me to take the risk for the transaction if we send the goods (obviously we didn't), pay the transaction cost for a fraudulent order made using their customers compromised card (we had no choice) AND pay for a premium rate number to try and let their customer know that their card was compromised (I hung up).
The banks care 0% about this simply because they've offloaded all the risk and workload onto the retailers.
not all the blame....
can be put on the banks.... retail shops are just as bad at implamenting checks on cards.
yesterday, i went to visit argos to get a new microwave oven and a new satnav to replace a stolen one... I reserved the items online, went to the shop, used the quickpay kiosk, and used my girlfriends argos card to pay. The payment required a signiture, so i scrawled somthing reasonably close to her signiture on the card, then collected the items. The assistant did not check the name on the card, or verify the signiture....infact, they did not even look at the card. Out the shop i went, with the assistant carrying said microwave to the car for me.
Next on to Morrisons to pick up a few bits.... got to the till, again, paying with my girlfriends card, but I had forgotten the PIN. after the second attempt, the assistant offered to do a manual transaction process, swiped the card, gave me the slip to put my monica on...... out the shop i went....
two counts of fraud, both should have been stoped by the staff on the tills.
blame the banks all you like, but the staff in shops have gotta take some responsibility.
mine is the one with the security tag still attached...
The original transaction did not fail - it went through just fine, but the card holder disputed the charge. Most
card companies offer "protection" that means that if you didn't make the charge or didn't receive what you thought you were paying for they charge the merchant the original amount + plus a service fee which generally doesn't take into account their original processing fee, so the merchant ends up paying more than the original transaction was worth. It's sort of like PayPal, but even meaner.
@Billy Goat Gruff
We're an online retailer of digital cameras and out of 1,000 orders a week, around 100 are fraudulent. Luckily only around 1 every 2 months slip through the net. The ones that do slip through the net, tend to be fraudsters who are able to get access to the credit card holders account and change the registered card address to their own address. This means it passed the address check but we have no way of knowing it's a fraudulent card beyond using our experience to look for certain products / delivery areas which are known to be high risk.
We also allow customer to ship to an address other than the registered card address, as otherwise we'd lose hundreds of orders a week - we perform an additional security check over the phone, which is mildly inconvenient for customers as it can delay the dispatch of the order if they haven't put a contact phone number. However, there is no way round this, give that we are 100% liable.
As a merchant you can negate liability of chargebacks by enrolling in a 3D Secure program. This is Verified by Visa or MasterCard SecureCode. In the UK, France, Sweden, Finland etc, this means that liability for any fraudulent transactions lies with the card issuer, not the customer or the merchant. As long as the merchant is enrolled, they are are not liable.
Problem with this is that not enough awareness of 3D Secure has been given to the public. It does stop the small merchants from being targetted by gang and makes sure that anyone unfortunate enough to be a victim will get their money back.
Strange that the banks have promoted this more..........
The bank and police don't have the resources, but there is a case for sharing your fraud data amongst your peers. If fraudsters get detected at one site, they simply move onto the next. If more retailers came together and shared their intelligence they add another layer of defence, especially against more organised fraud.If anyone is interested in fraud sharing please email me: firstname.lastname@example.org
This has probably died now, but I still find it interesting...
When the thief has managed to change the registered address then I would say it's the banks fault, and the banking code should reflect that.
The trouble with 'verified by visa' is that buying online from tescos is becoming too complicated with too many written down passwords, or passwords in my browser 'secure store', and now I have to use a little card-reader to generate hash numbers to do some transactions. It's all getting too complicated and it could be greatly simplified by the business and bank treating the registered address as sacrosanct.
As for shipping goods as a present, which I often do over christmas, I don't have a good suggestion other than a credit agency confirming the name/address of the shipping address is accurate...
How do they do that!
What happens is that someone will break into any account that you have i.e. Yahoo Mail, hotmail, paypal, go jobsite etc. They are looking for credit card details but also stuff like mother maiden name. They will then write to your bank (there are only a few large ones so, no matter if a couple of letters get binned)
They will inform the bank of a new address and ask for some cardage. : )
- YARR! Pirates walk the plank: DMCA magnets sink in Google results
- Pics Whisper tracks its users. So we tracked down its LA office. This is what happened next
- Review Xperia Z3: Crikey, Sony – ANOTHER flagship phondleslab?
- OnePlus One cut-price Android phone on sale to all... for 1 HOUR
- UNIX greybeards threaten Debian fork over systemd plan