07-24-2017, 01:39 PM | #1 |
Brigadier General
5516
Rep 3,323
Posts |
Credit card fraud and personal responsibility
We all know about the issues with credit card fraud and the affect it has on us personally. Much of it has to do with security breaches with retailers as a lot of the recent news stories have attested.
So it angers me when I see outright stupidity by individuals that don't do simple things to prevent this stuff from happening. I was at an amusement park Saturday. I saw two people in the span of a few minutes having their credit card in clear view hanging from a lanyard in one of those clear badge holders. All I needed to do was take my phone out and take a picture of their credit card. It's bad enough how fraud has affected the cost of doing business along with the trickle down effect on us as consumers without idiots like the ones I saw contributing to it. |
07-24-2017, 03:11 PM | #6 |
Brigadier General
5516
Rep 3,323
Posts |
There are still merchants which will do a transaction without asking for the security code on the back. Also AMEX still has the security code printed on the front of their cards right with the credit card number, expiration date, and your full name.
|
Appreciate
0
|
07-24-2017, 05:22 PM | #7 | |
Colonel
1755
Rep 2,835
Posts |
Quote:
__________________
2006 Z4M Coupe - ZHP knob, stubby antenna, clutch delay delete
|
|
Appreciate
0
|
07-24-2017, 05:54 PM | #8 | |
Brigadier General
5516
Rep 3,323
Posts |
Quote:
|
|
Appreciate
0
|
07-24-2017, 06:08 PM | #9 |
Long Time Admirer, First Time Owner
18430
Rep 9,426
Posts |
The ones I've run into in the US, you have to walk over to the cashier to enter your PIN and then they bring over the traditional paper/tip for you to sign.
Each time they come over I prepare to be undignified, claiming the card is perfectly fine, only to walk over and enter my PIN. |
Appreciate
0
|
07-24-2017, 06:35 PM | #10 | |
Major
454
Rep 1,266
Posts |
Quote:
|
|
Appreciate
0
|
07-24-2017, 07:14 PM | #11 |
General
906
Rep 1,004
Posts
Drives: 2008 BMW 135i (E88 N54 6AT)
Join Date: Aug 2016
Location: Sunshine Coast QLD Australia
|
I run online retail. Our payment processor needs CVV, but we still get fraudulent orders.
You get to know certain types of orders (multiple easily resellable items) and certain addresses (mail-forwarding companies) not to ship from. Just FYI, you only need the numbers. There are still many, many merchants that don't check the CVV. It's useful if you can also get the expiry, but given a good set of card numbers you can eventually guess the expiry date by putting through transactions with online retailers until one works. The name on the card and the card-holder's address are invisible to most merchants. A fake name and an unoccupied house are all you need to get your mail-order goods. A great trick is to send a friend into a retail store, buy something between $500 and $1,000 then they get to the checkout and say "oh crap, I've forgotten my wallet, I'll call my roommate - is it okay if you take the payment over the phone?" - Then the merchant will do a MOTO (Mail Order / Telephone Order) which doesn't need signature or pin, and usually doesn't need CVV. Before you say "damn, don't be telling people how to do this" - what I've just said is really basic, and anyone with the slightest passing interest in credit card fraud will tell you what I just did. There's a new technique which is beginning to be used that allows people to buy stuff with stolen cards online that is _impossible_ for merchants to pick up on or protect themselves from. Thankfully it's not very common (yet) - so I'm not going to describe it. The big problem is that credit card fraud is basically insured by the bank, so there's little incentive for people to be careful. Also, since it's just the merchant (ie. the shopkeeper)'s loss and it happens across juristictions, there is seriously F*** all interest from the police in catching the bastards. It's just seen as a cost of doing business. There is a pretty foolproof method for protecting yourself as a merchant, but it's labour intensive and time-consuming: 1) Take payment 2) Refund a random amount between $0.00 and $0.99 3) Ask the customer to login to online banking and tell you how much you refunded (If you've stolen a card you will be unable to perform this step) 4) If they confirm the right amount, ship the goods. If they don't refund the whole transaction otherwise you'll get a $15 fee when the credit card company reverses it. |
07-24-2017, 07:38 PM | #12 | |
Lieutenant Colonel
814
Rep 1,575
Posts |
Quote:
__________________
2.0l ecosmackkaa
|
|
Appreciate
0
|
07-24-2017, 10:31 PM | #13 |
General
906
Rep 1,004
Posts
Drives: 2008 BMW 135i (E88 N54 6AT)
Join Date: Aug 2016
Location: Sunshine Coast QLD Australia
|
It does - which is why it's not standard process for many, many businesses.
I'll only do it when a sale is worth >$500, and the buyer sounds legit, but the sale its self looks fraudulent (international shipping to a third-world country, a large order of an easily resellable item that the buyer could get cheaper elsewhere etc.) ... For times when there's a very big part of you wanting to tell someone to go jump, but you haven't got enough evidence to be sure that you're not just pissing off a good opportunity. If it's domestic, I'll often refund the credit card and insist on bank transfer if I suspect fraud, but often the only reliable & cheap payment method for international customers is credit card. |
Appreciate
0
|
07-25-2017, 08:14 AM | #14 | |
Colonel
1755
Rep 2,835
Posts |
Quote:
If credit card companies really cared to inconvenience people a little to raise security there are all kinds on things that could be done. Needed zip code, PIN use, restaurants machine brought to table, etc. but they don't feel the amount of money they lose justifies it. My company card has a PIN associated with it, only place I have ever needed it is Subway.
__________________
2006 Z4M Coupe - ZHP knob, stubby antenna, clutch delay delete
|
|
Appreciate
0
|
07-25-2017, 08:36 AM | #15 | |
Brigadier General
5516
Rep 3,323
Posts |
Quote:
Also read xQx's post about how security is still lax with credit card transactions and why the security code isn't even needed for many transactions. I know personally that I had paid for stuff over the phone where the business didn't even ask for the security code. These transactions happened only a few weeks to a couple of months ago. It's just plain stupid with all the publicity about keeping vital information tied to you protected. What gets me is these idiots probably will never see a consequence to their actions if there were fraudulent activity due to their poor personal security practices. We all end up absorbing the costs of their actions. |
|
Appreciate
0
|
07-25-2017, 10:51 AM | #16 |
Colonel
1201
Rep 2,132
Posts |
I don't think the credit card number being out is really all that big of a deal. You need expiration and CVV code to make a legit purchase. I don't understand why sometimes online retailers allow purchases to go through without a CVV.
These days, credit card numbers are stolen in unavoidable ways. They are either guessed through brute force tactics or skimmed/swiped when you make legitimate transactions. I have a charge for some online crap I didn't buy. Called my bank and they took it off immediately and FedEx a new card the next day. It's a hassle, but you're never responsible for fraudulent charges. My card never left my wallet and it still happened. The guy at the bank told me they got the expiration wrong and didn't have the CVV, but the retailer still let it go through. It was a "pending" status from the bank and they told me it would have eventually been declined. No idea how they got any of my information because I never lost the card. I truly believe it's a computer testing millions of CC combinations with some basic logic. Sometimes, they get a hit. |
Appreciate
0
|
07-25-2017, 02:06 PM | #17 |
Colonel
1755
Rep 2,835
Posts |
As long as the credit card user is minimally responsible for any fraud most users will take minimal safeguards to prevent the fraud.
I use my credit card whenever possible for both the points and the protections it provides, think I take reasonable precautions, and laugh when I hear people talk about how afraid they are of people stealing their credit card number. It could happen but it's far from the end of the world. I think the limits of my liability are $50? And this is if I do virtually nothing after it is stolen? I don't use a debit card for purchases as I see the whole process and risk far worse. I will probably eventually get it sorted out but someone is taking the money directly out of my account.
__________________
2006 Z4M Coupe - ZHP knob, stubby antenna, clutch delay delete
|
Appreciate
0
|
07-25-2017, 03:49 PM | #18 | |
Lieutenant
52
Rep 410
Posts |
Quote:
(Of course, I suppose a processor could give the finger to a merchant and not abide by the agreement, and the merchant if small enough wouldn't really have an recourse via lawsuit, but that's still fraud and I'd imagine word would get out about that processor doing that... Then again, lots of people still use PayPal despite the numerous stories of PayPal screwing people over.) |
|
Appreciate
0
|
07-25-2017, 04:02 PM | #19 |
Colonel
1622
Rep 2,036
Posts |
They probably haven't been a victim of identity theft/ c.c. fraud......yet!
__________________
|
Appreciate
0
|
07-25-2017, 10:38 PM | #22 | |||
General
906
Rep 1,004
Posts
Drives: 2008 BMW 135i (E88 N54 6AT)
Join Date: Aug 2016
Location: Sunshine Coast QLD Australia
|
Quote:
The first thing you're asked for is a copy of the signature, which obviously, you can't produce for a Mail Order / Telephone Order / Internet Order. If you did get a valid signature, you might stand a chance of the card issuer taking on their customer and saying 'hey, it was you'; but they generally don't, and when they unilaterally determine it was an unauthorized transaction, your funds get pulled. Consumer Protection regulation tends not to cover businesses - this is an excellent example of what happens in business when one side has far more bargaining power than the other. Basically, if you don't like the terms, you're free to not sign the agreement. That said - I can't speak for the agreement Wallmart might have with their banking provider. There _was_ a scheme called verified by visa, where you hand the transaction right back to the card issuer who verifies the customer using something other than the name/numbers/expiry/cvv (typically their bank login or customer number) - and when you processed one of those transactions you were 100% covered for fraud. However, it was cumbersome, put customers off, and wasn't supported by many banks. So here we are. Quote:
Quote:
But it is almost universally safer by a significant margin. There's one use-case where it's not (I'll mention that last). Signatures were so easy to forge or write-over on a card it is an effectively useless authentication technology. PIN is much better. Obviously no pin is less secure than pin, but no pin paywave means consumers use the cards a lot more, which means more transactions and more money for card issuers. So while no pin is less secure than pin, it's got a greater reward (for card issuers) to offset the greater risk. But pinless PayWave or Chip is more secure than Mag-strip and pin for one reason: It's dead easy to copy a mag-strip, but it's impossible* to copy chip or NFC. A stunningly small amount of credit card fraud is conducted in person with the original card. It's either MOTO transactions with card numbers gained as per above, or a freshly minted forged card with a copy of a legitimate mag-strip in the hands of someone who knows the pin because they own an ATM or EFTPOS skimmer. To summarize: ATM skimming is very common, but it only works with mag-strips. The one use-case where paywave/no pin fails: At the pub. You will find many pubs & clubs won't let you paywave, because it's the one place where someone is likely to leave their card lying around and someone else is likely to have the courage to stand under a security camera and use that stolen card to make lots of small transactions using paywave. (Source: I worked for the telco arm of an Australian Bank where we developed a mobile payments app in the years before paywave/NFC took off) *MIT have a historical tendency to prove how you can copy these things which are 'impossible' to copy. But Banks tend to take these findings on board and improve their technology a lot quicker than say 'Oyster/MyKi/MiFare' do. |
|||
Appreciate
0
|
Post Reply |
Bookmarks |
|
|