A Matter Of Trust?

cameloid asks: "I've been ordering stuff from a couple of U.S. Web sites now (I live in the UK), and was a bit dubious about credit card security at first. However, it was always the case that I was worried about getting my details stolen or something. Last night I was browsing an interesting site looking for some anime ("Captain Tylor" out on DVD?), and naturally checked to see if they would deliver internationally. Now, they wanted proof that the credit card details I sent them really belonged to me, in the form of a photo of me and a photo of my credit card (actual size I suppose). Now this doesn't strike me as being of much use to anyone and got me thinking. As I'm already an established customer on a couple of other well known e-commerce sites would it not be possible to get some kind of referral from these sites, saying that I'm a worthy customer? What would the implications of this be?" I've been seeing lots of really pointed questions about e-commerce sites lately (this site being the latest entry on that list) and I'm wondering how much information a company really needs before they can do business with someone and what kind of information a person can legitimately withhold. Would such information sharing between commerce site be something that would benefit consumers or are there privacy issues here that we should be concerned with?
  • That sounds like a lot more security than is necessary. I think that the card companies themselves should have that kind of service, or offer a special "online-only" card.

  • Customer referral sounds like a great idea. You should patent the idea before Amazon gets a hold of it.

  • If a site makes it impossible to buy from them because they want unreasonable verification, then don't. They'll feel it. If you're worried about them feeling it, write them an email telling them that you enjoy shopping elsewhere.
  • Such a network would only be successful with a coalition of businesses. Businesses by their nature do not like doing more than the bare minimum to make money - hence the reason most e-commerce sites do not offer payment by money order or cashier's check. No, it must be a credit card.

    E-commerce companies are lazy. Keep this in mind when trying to form any "trust network". In addition, you'll need to show a clear profit-making incentive for companies to participate - it makes no sense (business-wise) to work with another unless you make a profit. I don't believe such a trust network is viable anyway without a central authority - if any member of the network acts in a dubious fashion it will be publicized, and companies will be less interested in joining due to bad PR. In addition, without a central authority you have no ability to remove bad elements from the pool. Just my $0.02.

  • by gargle ( 97883 ) on Thursday June 01, 2000 @09:48AM (#1031993) Homepage
    As I'm already an established customer on a couple of other well known e-commerce sites would it not be possible to get some kind of referral from these sites, saying that I'm a worthy customer? What would the implications of this be?

    It sounds like a good excuse for companies to trade information about you.
  • I'm wondering how much information a company really needs before they can do business with someone and what kind of information a person can legitimately withhold

    If they ever start asking you to send urine/semen/fecal samples, you know for certain that the line should be drawn.
  • It seems kind of interesting that they want a picture of your credit card.

    Maybe they'll just print it out and replicate it somewhere else. Then they can go on a shopping spree!
  • One certain problem you have is potential blacklisting. That is, someone could start planting false negative data about you and therefore prevent you from making any on-line purchases.

    This still would be useful for some sites, especially dealing in high-risk trade and could prevent credit card losses.

    However, like all technology, this could be used for good or evil.
  • Seems to me that the credit card companies should be responsible for providing a quick way to verify all necessary information about a credit card (via a web service of some sort) so that e-commerce sites can check instantly before they process your order. The credit card company who provides this first would obviously benefit from wider use, and e-commerce sites would gain business for not hassling their customers for their maiden name, blood type, pantyhose size, etc.
  • Sorry, but the only time I've ever sent a "picture" of a credit card was to a small business, and it was via fax; I killed the credit card a little later anyway. :)

    Pictures of cards are not one of the things the credit card companies ask you to obtain, so I would assume it's a scam.
  • Amen!

    Companies need to get their act together when it comes to Credit Card acceptance. I was recently at a site that wouldn't allow you to buy with a card that had an expiration date after 2003! I mean, come on! And it's staggering to still find sites that expect you to enter your info including card number on an insecure page.

    If they don't make it easy to order from them, let them die. Survival of the fittest!

    • Now, they wanted proof that the credit card details I sent them really belonged to me, in the form of a photo of me and a photo of my credit card (actual size I suppose).
    I wouldn't go for that in a heartbeat.

    A photo of you and a photo of your credit card could be turned into a false ID and a fake credit card in moments.

    Don't even think about it!

    t_t_b
    --

  • I myself have the same problem when I see things I like on foreign sites, and am afraid to order from them because I'm afraid they could misuse my cc number, and there would be nothing I could do about it, short of suing them overseas. I think there should be a third party between the site, and my credit card company.

    Perhaps it should be a "reputable" server, where I establish an account, with physical information, kind of like registering for a driver's license, that asks me for my password and the account number of the e-commerce site, and the amount I want "wired" to them. In response, the commerce site sends me my stuff.

    I know there are privacy issues involved in this, but imho, there are much more benefits.

  • by SetupWeasel ( 54062 ) on Thursday June 01, 2000 @09:55AM (#1032002) Homepage
    You NEVER need to give your social security number when you are purchasing something online or otherwise. Not even when paying with checks, not even if it is your "student #" as well.

    Anyone who has the right to ask for your social security number is *required by law* to give you documentation that they have this right and can withhold items or services until you give it to them.

    This is very frequently abused especially by universities and the areas surrounding them. Put your foot down.
  • by warmcat ( 3545 ) on Thursday June 01, 2000 @09:55AM (#1032003)
    A couple of months ago all the major credit card groups including Mastercard and Visa imposed a new law on companies generating a high level of chargebacks. If more than 1.5% of your transactions are charged back, usually through fraud, then you have to pay large financial penalties to the credit card company.

    I dare say the very large online companies like Amazon and so on have different terms, but that is how it is for the smaller companies.

    As someone who had my company credit card details ripped off and used by some prick in Indonesia to order ''Buffy the Vampire Slayer'' merchandise from a US-based website, I don't think it's such a bad thing. But really the Credit Card companies should be providing crypto to the customer in the form of so-called smartcards rather than squeezing the vendors.

    -Andy

    This is what is behind the tightening of
  • Use the gimp or other such package to paste this week's stolen credit card into the picture. You may have to edit the numbers on the card if you don't have the actual card but just got the numbers on-line. Also don't actually use a picture of yourself!

  • To get a set of keys for a secure page, I needed to send in proof that I owned the domain and that I had the right to own the domain.

    Had to delve into the company records to find state certificates for the business's name. Painful.

    Distributed trustworthiness... Some sort of "Well, no one else has been burned by accepting this CC#" algorithm? That leads to databases and privacy violations. What if I don't want my CD retailer knowing that I bought a box of sex toys last week? Or that I bought ANYTHING from certain businesses?

    The credit card is the best defense, both for the seller and the buyer. Most businesses will only ship to the address on the card. If you receive goods you didn't order and suspect fraud, the CC companies have policies for dealing with it. You can also dispute charges for things you never received.

    The photo can be faked. The scan of the card can be faked. CC#s can be stolen (I'm sure that shoulder surfing still goes on today). The system has been dealing with this for a long time.

    --Threed

    The Slashdot Sig Virus was foiled before it could spread.
  • What about the AMEX Blue card? Shouldn't the smart card reader solve this problem if the site supports it?
  • by BranMan ( 29917 ) on Thursday June 01, 2000 @09:56AM (#1032007)

    Visa and MC now have some extra digits that are only written on the back of the CC, not embossed or shown on the front.

    The idea is for internet companies to ask for these extra digits when people order stuff online, as a way to verify that you have physical possession of the card.

    American Express has their own solution - the "blue" card has an embedded chip, then with a reader hooked up to your PC you actually 'swipe' your own card.

    Again, this is to prove you have the card in your hot little hands, not a carbon off a receipt.
  • Isn't this what Microsoft Passport's role in life is? A common place for security info to be held so that 'partner' sites can verify credit card details, etc?
  • Agreed, companies are lazy, and somewhere in the mix, someone will probably be irresponsible (or greedy) with the info.

    I think there is a profit mechanism in there somewhere via the referral network (I work in a heavy referral industry where real money-making potential exists). Despite that, the FTC regs would probably be prohibitive since credit cards are involved in a substantial way. In any case, the fastest way to keep something from happening, good or bad, is to mention the L-word ("litigation").

    -L
  • A picture of you with your credit card?

    Heck... let's see... I'll just take a picture of myself with my credit card - change the name, number and expiry date with a good graphics editor - and wham... a pointless exercise in paranoia is proven insecure.

    Is this because you are ordering internationally? Maybe they just want to see if you would do it... "Hey look at this joker... let's put him up on the wall - and order some pizza on him too!"

    I'm sorry, anyone who came up with this idea has their head up their @$$.
  • In an e-commerce world where companies are dying to know every last detail about you so that they can show you the banner ad that is most likely to get you to bite, I think it's fair to expect privacy problems if you get companies that have had previous business dealings with you to cooperate and 'share notes'. It seems like asking for your privacy to be invaded to me.

    I'm not even quite sure why they would require the type of authentication that the poster is talking about. Even if it's straight credit card fraud, the company that ships the product still keeps the sale dollars, it's the credit card company (or the consumer) that eats the cost of the fraud. It seems that if companies don't have a problem with people complaining about them taking any credit card that is presented to them that they would do just that - why put extra hurdles in the way of a consumer, or make it less likely that a sale will actually be made?

    As for the privacy though, I don't trust any company further than I can throw them. Companies are about profit, and when the concept of 'profit' coincides with my interests then the company will make me happy. But when somebody's idea of profit suggests that it might be a good idea to dig into my past purchases and compare consumer notes with another company in the name of "verification", it's pretty clearly not going to serve the customer's best interest.

    If they HAVE to do this, it might be SLIGHTLY better to ask the credit card company for info rather than somebody else you have bought from. (i.e. when you dial up the company for card confirmation, have a way of digitally asking the question "if this purchase goes through, would it send up some weird red flag on this customer's account?" or something similar). Not that this would be good either, far from it. It seems like it might be slightly better though.

  • Especially the bit about requiring a photo of your credit card. Some US domestic sites, when using a bank debit card, will ask for 4 additional digits that are found on the back of most such cards. If one were to send photos including the card's back, this would make it easy for someone to impersonate you (if the site was bogus).

    I'm not sure how legitimate such requests for "proof of credit card ownership" really are; the card companies (Visa, MasterCard) tend to have all sorts of rules in their contracts with vendors. For example, in Thailand, I had a travel agent charge me a 2.5% processing fee on an airplane ticket, even though that was against Visa's regulations for vendors, and part of their contract.

    Who knows? Maybe asking for photos like this really is allowable by the credit card companies, and perhaps it's justified. However, the whole point of a credit card is that the credit card issuer assumes the risk of non-payment in each transaction. Why should a merchant care overly much who you are?

    Of course, the rules of identity and proof thereof have changed, and perhaps the credit card companies haven't caught up.

    </diarrhea of the mouth>
  • To create such a "web of trust" the participating firms will have to share information about the customer. What better possibility to also create profiles for targeted advertising? IMO, the only possibility for customers to have their privacy respected would be an independent organisation restricted by law not to share any more information than absolutely necessary, which collected the credit information about the customers. IIRC, there are organisations like this in some countries, e.g. the German SCHUFA (although this one has information about your credit worthiness, not your actual credit card data...)

    But if I were you, I would just shop somewhere else...:-)

  • by FascDot Killed My Pr ( 24021 ) on Thursday June 01, 2000 @09:59AM (#1032014)
    "...what kind of information a person can legitimately withhold."

    In the US anyway, I can withhold any information I want. I find it frightening that we've gotten to the point where we unconsciously equate business with government (which CAN demand information).

    You are under NO legal obligation to provide ANYONE ANY information (except the gov't). Of course, businesses have policies and may refuse you service--in which case you go elsewhere. Although even those companies that claim to have policies usually waive them if you refuse.

    For instance, I became a "member" at a video store recently. She was asking for information and eventually got to "Do you have a work phone number?". Luckily I had seen that question coming up on her computer and had an answer ready: "Yes, but I don't think you need it." She skipped that one.

    On a previous occasion at a different store they actually asked for my Social Security #. I was so taken by surprise that I actually recited it without thinking. Won't be doing THAT again.
    --
    Have Exchange users? Want to run Linux? Can't afford OpenMail?
  • by brown_out ( 184995 ) on Thursday June 01, 2000 @09:59AM (#1032015)
    I don't see how a photo of you would prove anything to them. It just shows you are a real person and not some figment of their imagination. Even a photo of your credit card is pretty dubious since there are many tools that can make a doctored photo look realistic.
    I would think the best form of verification, if they really want to see you are who you say you are, is to call you. That information is readily available. They may not want to get bogged down in calling all the "questionable" customers, but is that really any less hassling than looking at all the pictures of people you thought were questionable?
  • That sounds like a lot more security than is necessary. I think that the card companies themselves should have that kind of service, or offer a special "online-only" card.

    To me as well. Seems that with a copy of your credit card and a photo ID, they could also do some devious things.

  • Ah, but there is one thing you fail to hit on. Companies will do just about ANYTHING to attract business. Even if it means, ugh, cooperation. Even better, have a central authority that utilizes something akin to a PGP public key. You have a secret key with the credit card company. E-commerce site emails credit card company with the PGP key you provided them, credit card company emails you (using your public key), you email them back using a code (provided in the encrypted email) and voilà. Even better, provide a service that does this automagically. Companies pay you to be part of it. What's in it for the companies? Well hell, what's in the internet for most companies? It costs lots of money for a successful business on the internet. But convenience attracts customers and customers spend money. If it's easier on the customers, rest assured you'll see more profits. That DVD site almost certainly lost a customer, and that is NOT very good for profits is it?
  • Well if you noticed, most online companies that require credit card info also ask for billing address. So if someone takes your credit card, they may or may not know what the billing address for the card is. Asking for the expiration date makes sure that you have the card (since statements don't have that on there).

    But even with all those precautions, people STILL can get your info and use it. I have had problems with this myself, and it has been hell and stressful to find out that someone has been using my information. Someone in Cleveland used my information to get a cell phone (which when I provided writing that it wasn't me, they did not hold any claims against me) and then, 7 months later (even with the credit fraud alert on my credit) they managed to get a landline phone and a couple more cell phones from a different company. Again, they didn't hold this against me, however I was under false impression that I could find out who did this and get them arrested (land line phones are connected to a house which is connected to people who live there). I couldn't get any info from the phone companies to give to the police, so nothing came of it.

    Just be careful with your information, especially on the web. If this can happen to me, it can happen to anybody. It didn't deter me from using online banking and using my credit card on secure sites (since I don't think these criminals got my info from the web since they are in the same state as I am) but it sure is something to think about.
  • I am just curious, what real evil could come of someone having your SSN?
  • I don't buy stuff online. The more I learn about online purchasing--the less I want to buy online. Who's to say what information they need, keep, and what they will do with this information of mine. Another point, most store clerks (non-online) don't bother to check my driver's license when there is a question about the signature on a credit card.
    With all of the latest laws and violations of online privacy by big companies that have been happening, I don't see a reason to trust them.

    Of course the most obvious reason is because it gets me away from the computer screen, and it provides "social" contact for an introverted geek like myself. :)
  • Patenting the idea sounds hilarious at first, but I wonder if it really is patentable, and thus could be an effective way to keep companies from actually doing that? Are there any other privacy-damaging schemes like this on the horizon that could be prevented through preemptive patenting?

    In general, I'm against using patents for denial, but imagine if someone patented DoubleClick's banners first, and set a prohibitive licensing price.

  • Something like an escrow would work for this. Essentially a third party (trusted by both parties) receives your payment plus a small handling fee and then holds it until the product arrives. Then they pay the manufacturer or retailer or whoever for the merchandise and ship the product to you. E-Bay already uses this to help people who use their auction services. It's only a matter of someone setting up a business that everyone would trust to handle their matters and not skip with the payment and the product.

  • Some web sites are really picky about credit cards. I have two CC's from when I lived in the US. Since I moved, I had the billing address changed: it's now Canadian. In my mind these are not international CC's when used in the US, but many places don't treat them that way.

    Some places are quite happy to ship internationally. Some do it with huge charges, some just plain refuse, and then there are those that make you jump through hoops by insisting on you faxing them copies of this that and the other, and waivers, etc.

    Why it should be so hard, I don't know. Don't systems such as Visa ensure that merchants will get paid anyway? I can't believe how many companies will not ship to Canada, what with the economies and cultures so well integrated these days (oh!: 'dem be fi'ting words up here). Perhaps couriers such as UPS turn around and bill merchants for brokerage fees, etc when there are problems?

    As for DVDs: the last DVD I ordered from Bigstar.com before I left the US seven months ago is still in lala land. They sent me the VHS version, which I returned, not leaving enough time for them to send a replacement. After battling with them, I arranged delivery to a friend who I was planning to visit in February. Of course, the credit card that I had on record had expired and been replaced by then. Now I can't get them to ship or refund as I'm now an international customer without a domestic CC (as I said above, it is domestic, but with a Canadian billing address). I wish those guys had a telephone number I could call.

    Advice: don't order from somewhere without a telephone number for customer support. Email support in my experience for anything more than something trivial is a joke.
  • by lutter ( 8756 ) on Thursday June 01, 2000 @10:02AM (#1032024)

    The big problem with ecommerce is that privacy laws in the US are very, very weak. Database Nation by Simson Garfinkel has a very nice description of why the US considered privacy legislation in the 70's: Congress came up with recommendations but failed to pass laws based on these recommendations. Most European countries did, though.

    The recommendations, and the legal situation in most European countries, are:

    • Tell people what information you are going to store about them.
    • Do not share this information with others unless people give you permission to do so.
    • Everybody has a right to know what information you are storing about them.

    The lack of these kinds of protections in the US is what makes me very wary of using lots of ecommerce, since the situation here is more: give us as much information about you as possible, we will generate some more from your use of our service and then run with it. What scares me is the secrecy of the whole process, the fact that it is almost impossible to find out who is doing what with your data and how it will affect you in the future. Will raising a stink with Amazon.com make it more difficult for me to get a house loan in the future ?

    Without privacy laws on the books, we are headed for a future similar to Kafka's Trial: companies make decisions about you based on information about you that is essentially secret. Until I as a consumer have certain rights to review my data and find out about it, I don't want those ecommerce sites to build a "web of trust" about my online shopping behavior. Don't give them any ideas.

  • When people take payment with credit cards, they need a signature, or they don't have a leg to stand on if the purchaser later claims someone else made the order.

    Credit cards were never designed for e-commerce, and really shouldn't be used for it.

    One very interesting system is e-gold [e-gold.com]. They work by transferring precious metals from one of their accounts to another (in a large range of amounts, down to well under 1 cent). You don't need any special software, and pretty much anyone in the world can use it; also they only take 1% of each transaction, which is capped at $0.50 (yes, that's an upper limit, not a lower one). The only problem is that initial purchase of metals; basically you have to send in a check or money-order.

    Actually, I haven't seen any other e-commerce system that supports micropayments and is actually giving worldwide service (though there are plenty in "trial" stages and others that serve one country or region). Can anyone point one out?

  • Since no one has mentioned this:
    Capt. Tylor is not out on DVD. Yet. The dubs have been made now, but as for DVD, I don't know.
    --
  • Such BS. If they want to avoid problems they simply refuse to deliver to any address but the billing address of the card - which they can verify with the CC company - until you have established a track record with them. If any company tried to pull this on me my immediate response would be to remind them of this fact and if they still objected tell them they had just lost my business and go and purchase what I wanted elsewhere.
    # human firmware exploit
    # Word will insert into your optic buffer
    # without bounds checking
  • I don't think that they will. The US economy by itself is large enough to support these companies. For a lot of companies international trade is insignificant in comparison. Judging by the numbers of online traders who refuse international orders, there can't be that much incentive for companies... or maybe they're just ignorant of the potential.
  • Addresses are not printed on cards in this part of the world.

    In the UK the only thing known about a card holder that you use is the card number & expiry.

    That's it

    anything else is just bogus anyway

    "You want my address. Well I've got two houses, what use is that?"

    "Here's my photo. Of course you didn't see me have it taken"

    I've personally been asked to fax my signature as some sort of proof before.

    People are clueless and easily fooled because they want to trust you.
    .oO0Oo.
  • What about using your Credit Card Company as a PKI provider? They would know who you are, and who the vendors are, and should be able to provide verification to both sides...
    I mean, what else is the interest & fees for, if not service?
  • by Kaa ( 21510 ) on Thursday June 01, 2000 @10:08AM (#1032031) Homepage
    Now, they wanted proof that the credit card details I sent them really belonged to me, in the form of a photo of me and a photo of my credit card (actual size I suppose).

    Amazing. And you didn't tell them to fuck off? You must be a really kindhearted soul.

    In any case, they are waaaay out of line and, of course, breathtakingly stupid. I mean, what's to stop you from sending them a photograph of some random Joe Q. Loser and slightly-Photoshop-processed picture of a credit card showing whatever numbers you want it to show?

    If I were you, I'd tell these guys that they are being bloody utterly ridiculous and that you'll be glad to see the survival-of-the-fittest principle demonstrated on them. I mean who would ever buy from them??

    Kaa
  • how does having extra digits make it harder to steal? it's just like a longer CC number. the sites will still need to keep all the numbers if they wanna do anything like easy checkout or recurring billing.

    -aaron
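As an added example (not from this thread), here is a merchant-side checkout in Python that uses the back-of-card digits BranMan describes for a one-time possession check and then discards them, which answers aaron's question above: a merchant that keeps a card on file for easy checkout or recurring billing never holds the extra digits, so a copy of its records alone is not enough to pass the check. The issuer lookup table, card number and digits are constructed stand-ins, not any real issuer API.

```python
import hmac
import secrets
from dataclasses import dataclass

# Constructed stand-in for the issuer's authorisation service (toy data, not a
# real issuer API): card number -> expiry and the extra back-of-card digits.
ISSUER_CARDS = {
    "4111111111111111": {"expiry": "12/03", "extra_digits": "123"},
}


def issuer_authorize(number, expiry, extra_digits):
    """Toy issuer check: the card exists, the expiry matches and the extra
    digits match. compare_digest avoids leaking the digits through timing."""
    rec = ISSUER_CARDS.get(number)
    if rec is None or rec["expiry"] != expiry:
        return False
    return hmac.compare_digest(rec["extra_digits"], extra_digits)


@dataclass(frozen=True)
class StoredPayment:
    """What the merchant keeps for easy checkout / recurring billing.
    There is deliberately no field for the extra digits."""
    token: str
    last4: str
    expiry: str


# Token -> card number. Kept apart from the order records so that a leak of
# the order database alone yields neither the number nor the extra digits.
VAULT = {}


def tokenize(number):
    token = secrets.token_hex(8)
    VAULT[token] = number
    return token


def checkout(number, expiry, extra_digits):
    """First purchase: run the possession check, then keep only a token.
    The extra digits exist only in this call's frame and are never stored."""
    if not issuer_authorize(number, expiry, extra_digits):
        return None
    return StoredPayment(token=tokenize(number), last4=number[-4:], expiry=expiry)


def recurring_charge(stored):
    """Later billing uses the token. No extra digits are presented, so the
    issuer sees a card-on-file charge rather than a fresh possession check."""
    number = VAULT.get(stored.token)
    if number is None:
        return False
    return ISSUER_CARDS.get(number, {}).get("expiry") == stored.expiry


def record_leaks_extra_digits(stored, extra_digits):
    """What someone holding a copy of the merchant's order records would see."""
    return extra_digits in vars(stored).values()
```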
  • The other thing to consider here is THEIR trustworthiness. Do you really know this website? I think they are forgetting one of the inherent traits of any business model. There is always a risk involved. You CANNOT completely eliminate risk from a business transaction. If they aren't willing to do business with you on your terms or at least terms you find agreeable, screw'em. Who are you? Where are we going? And what's with this handbasket?
  • It sounds like what is needed is a type of VirtualID, I believe that VeriSign was trying to do something like this. How would it be done so that it was secure and worked across machines?

    Would a model like the AmEx Blue work? A gov't issued ID with a smart chip that could be read by the computer to verify identity. That would be kind of cool.

    On one hand, it would be nice to have one card with a smart chip that functioned as cash, credit and all forms of ID, but on the other hand it would be kind of scary b/c with all that in one place it would seem as though it would be easy and disastrous to steal something of that nature. But an interesting thought to be sure.

    There's also the problem of hardware compliance with this type of thing... If you had one of these cards and coupled it with some sort of biometric, that would be nearly flawless and pretty safe, but putting these readers and scanners on every piece of computing equipment would be difficult and expensive. But I imagine that this would be just the type of thing that credit card companies, banks and merchants would jump on, it would cut their fraud costs to nearly nothing.

    Anyone think it's feasible? (I doubt that it is....)

  • I thought that the "Microsoft Wallet" was only for storing your details. These details could then be transmitted in a "secure" manner to a server (saving you the effort of entering the information at every site you want to make a purchase from).
  • Would increase with the expected value of the transaction(s).

    I suspect credit card companies will always share as much information as the credit card companies can get away with, but I'm biased as hell. ;^) I've noticed _NO_ credit card brand that competes with the other brands WRT privacy policy (I might be wrong, but I think I'd have seen one).
    JMR
  • Now, let me get this straight. You're in the UK. The store is in the US.

    Assumptions:
    1. You've never been to this store in person.
    2. You're not famous.
    3. They have no idea what you look like.

    So what does providing a photo prove? If I was going to use a credit card fraudulently, I'd steal the card. Take a picture of Joe Random Stranger, and send them off to the merchant.

    Until such time that there is an international database of people's photos, this should work just fine.

    So either these guys are clueless or it's a scam. I'd shop elsewhere.

    Steve M
  • I'm wondering how much information a company really needs before they can do business with someone and what kind of information a person can legitimately withhold.

    Well, I mean they can ask you for anything they want. You don't have to give it to them, but they can ask. They are also under no obligation to sell to you for any reason though.

    Me, I wouldn't give 'em anything except a CC # and shipping address. If they don't want to sell to me without other info, there are plenty of people out there who will.
  • by TheDullBlade ( 28998 ) on Thursday June 01, 2000 @10:14AM (#1032039)
    I had an experience like that once, from one of those flakey retailers that makes their profit from advertising, not from sales.

    Their attitude seemed to be, "We aren't making any money off of it, so who gives a damn? Actually we'd prefer not to sell you anything at all, please go back to the web site and look at some more ads."

    And I thought aggressive upselling was annoying...
  • Credit card companies require companies to agree to relatively strict merchant agreements governing terms of their service. This nonsense may violate those agreements.

    It's not uncommon for merchants to violate them -- anywhere you see a minimum required purchase to use a card is usually a violation.

    I understand that everyone's just trying to cover their butt on this, Visa doesn't want to pay for fraud, neither does joe-the-e-tailer, but consumers sure shouldn't be paying. We already pay larcenous interest rates, not to mention shipping and handling charges (did I mention that my wife paid $30 S/H on a $150 bedspread? Not including sales tax.) I think the consumer is paying enough.

    To help prevent fraud, I just report my card stolen periodically. The company reissues with a different number. Couldn't we just have rolling numbers on all of them (a la secureID)?
  • by Dizzy49 ( 187642 ) on Thursday June 01, 2000 @10:15AM (#1032041) Homepage
    If anyone asked me for a photo of myself and a copy of my credit card, I would laugh, then report them right away. I don't think I've shopped in a real store in almost two years. I buy everything online. Yeah, it would be nice to have an online credit card of sorts, but until they come around, I'm stuck using my regular one, and my debit card. I have yet to be asked for a photo of me, or of my credit card. I have even ordered from Germany and France, and Japan a few times. I did have a few small problems where they said they were having problems verifying my card. On the back of my card I have a customer service number that I gave them. For my debit card, I gave them the phone number to my bank. I have seen more and more sites requesting "extra numbers" or the customer service numbers from the back of cards. I think that is an excellent way to go. I'm all about more security. For the record, two years purchasing online, and I've had only one fraudulent charge to my card, and they were caught. Idiots had it sent to their house. My company called me to verify since it was being sent 10 states over, and I told them no, and they contacted the authorities.
  • Shop somewhere else.

    -----------
    Obi

    I am a Canadian living in BC, and I have a credit card in my name. I have ordered quite a lot of stuff from the US, from thinkgeek, walnut creek, linuxmall, and some hardware sites. On your memorial day weekend, I placed an order for a k6-2 333 that would upgrade an old tired socket7 system. The cpu I found from pricewatch, and man it was a deal. The online order form even had zip/postal code and province/state options. Cool!
    Tuesday I got a call from a girl of oriental descent stating that "Credit card must be in US"
    Well since I'm Canadian living in Canada, that's going to be tough. "You can send money order".. wtf, online ordering is cool because it is so fast and simple with a credit card. I tried to explain that the currency issues are handled transparently by my credit card and that I have ordered from the US before. No dice, I ended up cancelling the order.
    I operate an online business [spinweb.net] and we deal with more credit card fraud than your average over-the-counter merchant. The fact is that it can be hard to keep fraud under control, and merchants are trying to find ways of discouraging the large majority of punks who find it easy to commit credit card fraud. Believe me, we take efforts to stop this. Over half of the time we nip it in the bud with a phone call, but now and then one slips through.

    It is safe to say that someone who wants to commit fraud badly enough will succeed, but this stuff follows the same logic as a bike lock or a car lock. You try to create an environment where the would-be thief moves on to a simpler target. Merchants realize that fraud will happen... they are just looking for ways to reduce it, and the laziness of many thieves is our best ally.

    As far as asking for your photo, I personally think that is going a little far and I think it crosses the threshold of diminishing returns. It will probably decrease fraud, but it will turn off way too many people, as it has done for you. A courtesy phone call stops enough fraud and sends a positive image to clients.

    Please don't take this the wrong way, but I think there is a bit of a misunderstanding here. The problem the site is faced with is authenticating that you, the unknown entity in front of a computer, are the owner of the credit card. They already trust the credit card itself, or could run a check if they felt like it.
    Checking the relationship between the card and other web sites would really get you nowhere, as it would only serve to validate the customer quality of the owner of the credit card, and would not help a bit in validating that you (the entity in front of the computer) are the owner of the card.

    One way to fix such a problem is to roll out a public key infrastructure, which would cryptographically link you to your credit card, and/or to your customer profile with another site.

    Getting the banks to roll out such a system will take time, and it will be hard. Getting shopping sites to cooperate might be easier. This is something that will be mutually beneficial to all online shopping sites, so I can see no reason why even competing sites would not want to share information.

    If a bigger site feels it doesn't gain anything by sharing with smaller sites, one could always set up a system where the smaller sites buy the information from the bigger sites.

    There are obviously a whole bunch of privacy issues with such a setup, but this can be solved in a number of ways. The solution I think I'd prefer will only work if profiles are freely available, and the bigger sites don't want to make money from the profiles. The idea is that sites such as amazon.com can give me a certificate stating that I've been a good customer, they've never had credit problems with me, and I've never caused many problems. This certificate would then be encrypted to my public key, and emailed to me. I could then forward it to new sites should they need to validate me as a good customer, and link me to any credit cards.

    Such a system will have good side effects as well. Big sites will get new customers because the customers will then get certificates they know are trusted all over the web, and smaller sites will benefit because they can validate new customers much more effectively.

    Also, there is reason not to implement this the other way around as well, by allowing customers to write certificates about the online shops. It will take time before this will work, because you need to build a web of trust, with which you'll in time be able to map a trust path to someone who has shopped at the web page you want to buy stuff from, and validated that he got the stuff he ordered.

    With this model, you will be able to go to a really small, highly specialised shop on the web, and read good and bad reviews of the site, that people are putting their reputations on the line for proving the validity of the review.

    Another possible way of implementing such a trust system is for the big provider (amazon in our example) to hang on to the profile, and when a smaller shop (the fictional store "Gothic Music Inc") needs to validate that you're a good customer, and possibly also that you really do control a VISA card, it will send a request to amazon, after looking up your info in a public database of who has information about you, or searching the databases of sites directly. At this time Gothic Music Inc only knows where one can gain information about you. Amazon now sends a request for information release to you, and you either ignore it, because you're not the one that contacted Goth Inc, or you sign it, return it to amazon, and they sell the profile, because you approved the sale.

    I don't like the latter method, because it provides less protection to the end user from abuse from bad providers, but it's more likely to be implemented. In fact, how do we know that doesn't happen today without the user authorisation step? It probably does.

    Anyways, enough mumbling for now, and back to sleep.

    As a regular traveller staying at hotels all over the world, it's just about impossible to simply provide your credit card number and expiry over the phone to make a reservation and pay for the room. The majority of them want a photocopy of the card faxed along with a company letterhead explaining all this in detail. Then 50% of the time they ask for the card when you turn up, the fact that it's 3am in the morning back at head office, so no, there isn't anyone who you can call, doesn't seem to faze them.
    Why don't the credit card companies just get your e-mail address when you sign up for the card? Then, whenever a charge is made on your card they can send you an e-mail with the info from the charging company. This makes you aware, immediately, of any charges made on your card. Also, they could even set up a reply from you to the credit card company before the charge will go through.
    I guess this just sounds too simple...
    I find this interesting, since credit card companies (VISA, MC, AmEX, etc) are complaining that online sales are secure enough that they don't make any money off the 'risk' there. They build their business models around a certain percentage of fraud (apparently), that usually isn't present in online sales. Crazy, weird, but fascinating.

    Personally, with the general condition of privacy policy and my overall distrust of sites using M$ software for any kind of secure transaction, I refuse to order online anymore. This is counsel that I extend to family and friends liberally. If the company doesn't have an order line, then I just go somewhere else.

    The laws governing phone sales fall under conventional consumer protections. Online transactions are still in that murky stink that has me wondering if they are going to be sending the telemarketers after me or not. Since I have my letter into the DMA telling them to make their organizations leave me alone, it is far better for me to follow traditional paths to goods and services, at least until the e-commerce people figure out that the backlash against them will be severe and devastating the moment they break the trust of consumers.

  • Thawte [thawte.com] has an interesting take on the whole security idea. They will issue you a personal certificate if you present yourself to a "trusted" person, either someone already in the web of trust or a bank office, attorney, etc... It's not unlike PGP but a little more fleshed out.

    Details here [thawte.com].

    With Thawte acquired by Verisign, I'm not sure if they are committed to this in the future, since their site now seems to be covered with ads for Verisign's personal certificates.

    But, the idea is an interesting one. A distributed ranking system where you accumulate "trust points" seems like a system that would work well with the open source world. In a sense, this is much like eBay, where you gain or lose "trust" in the system with every sale or purchase. While some people have been able to abuse the system on eBay, in general they haven't had wide-spread fraud, which is really what you should be worried about. The nice thing about eBay is that it empowers the individual. *I* get to decide if I trust you or not based on my personal criteria.

    It's obvious that the existing credit-card system isn't secure enough for the internet world, so I can understand the anime site requiring some form of extra identity. Some sort of "identity broker" or "infomediary", to use the trendy term, seems to be required to make this work. In some cases, maybe that is your bank or credit card company, but I think the long-term solution would need to be more distributed, otherwise it all gets bogged down in inter-company politics and positioning.

    Perhaps in the future, you will need to establish a "trust rating", much like a credit rating, with one or several identity broker services before you can do business on the internet. Thawte's system is a good start, it would be nice to see something more open and endorsed by the business world.

    -Twid

  • by bwoodring ( 101515 ) on Thursday June 01, 2000 @10:20AM (#1032050)

    How much information does a small business selling on the Internet need about potential customers? As much as they can get.

    I own a small, web based retailer selling engagement rings [rings-online.com], and I can tell you that we need as much information as possible about each customer. You have no idea how much fraud there is on the Internet: on average, 4 out of every 5 orders at our site are fraudulent. Most of these orders come from the UK and Australia. As a result we have had to stop all international orders. We simply cannot afford the enormous risk.

    A few facts that might help you empathize with small Internet merchants.

    1. There is no way of reliably tracking international orders if you are a small business. Sending a diamond ring to the UK or Australia is like sending it to Timbuktu. You might think that the USPS and the UKPS would work smoothly together, but this is not nearly the case.
    2. Credit card companies always side with the customer. No matter how ridiculous their claim. The merchant services company (in our case, Nova) will take money out of our bank account without warning, charge us a penalty for doing it, and hold the money as long as they want (we have never won a case against a fraudulent company).
    3. The credit card companies don't care about fraud. They make a big deal about fighting credit card fraud, but it is all bluster. We have seen dozens of examples of outright fraud, which we promptly report. We have never heard back from anyone at any credit card company. Our complaints fall on deaf ears.

    I have bought thousands of dollars of merchandise on the Internet and sold much more, and I can say from personal experience that the Internet is a much more dangerous environment for small businesses than it is for customers. I have never experienced fraud on the net as a consumer, but I see it every day as a merchant.

    Remember, you are asking a merchant who has never seen you, and knows very little about you to ship expensive merchandise to you before they receive any money for it. Additionally, customers can almost always cancel the order without returning the merchandise and the merchant is out of luck.

    Large corporations can absorb some of these losses, but most small business owners can't.

    Regards,

    Brian Woodring
    Webmaster, Owner
    Rings-Online.com [rings-online.com]

  • Come on over here so we can get drunk, shoot you dead, and then loudly and raucously cheer your demise

    Its a lot easier to get drunk in Europe. Our pints are larger, our beer is stronger, and a lot of EC countries sell it much cheaper than in America.

    So how about we get drunk and go over there so you can shoot us dead and loudly and raucously cheer our demise....
    Here in the UK, companies are supposed to only ship items to the registered card holder's address. Granted they generally don't adhere to this and it can be a real pain when they do! That said, I've never had any problems when ordering goodies from the US or purchasing expensive items in US shops (apart from those Customs & Excise miserable farts).

    Is this just a UK protection law or something imposed by the companies that issue these cards?

    Personally I'd never trust a company that was asking for such ridiculous items. They'll be asking for your todger size next!

    Tell 'em to piss-off and take your hard-earned elsewhere!
  • As I'm already an established customer on a couple of other well known e-commerce sites would it not be possible to get some kind of referral from these sites, saying that I'm a worthy customer?
    I like the idea of an online reputation. eBay has a feedback mechanism [ebay.com] that allows a user to get a reputation, a rating from others about how good a customer they are.

    The interesting thing about the way eBay does it, is that you can both have a reputation and remain somewhat anonymous. Your email address is visible, but your name, address, etc. does not need to be visible to anyone.

    What sort of assurance can we demand from the marketer in exchange for this sort of personal information?

    I don't really like the idea of a digital image of my credit card, or myself for that matter, to be in the hands of a retailer. If a CC slip can be compromised, so can my likeness, and a jpeg of me can be sent to a retailer by people other than myself... They might paste my picture on a false testimonial, making it look more genuine, and possibly making me a suspect in false advertising.

    We're being asked to provide identifying characteristics to a retailer before they will trust us - but how do we trust them to:

    a) not abuse this identification
    b) protect the confidentiality of this information
    c) actually deliver the product

    We've heard plenty of horror stories about fly-by-night operations that accept many orders, and many payments, and then close up shop without delivering the goods. It's easier to disappear on the net than it is in the real world.

    It seems like a place that does this sort of 'integrity checking' could be trying to accomplish two things:

    First, they try to appear more credible by showing 'initiative' in excessive security. Frankly, I like the LISTSERV email handshake method of establishing trust - maybe a third party approach... Retailer verifies with your CC company that you are a customer, the CC company verifies with you that you want to deal with that retailer - pass some PIN or transaction digest in a full circle and you're set. Tedious, but you're not exposed. Digital certificates exist specifically to address this problem, and only small (less trustworthy?) dealers cannot afford to use them.

    Second, they could just be scarfing the net for people's identification, for use or sale. How valuable is a pic of your CC? Is it both sides? There's the buried issue of asking for an 'image' of my signature... How about your driver's license, with address, physical descrip, DONOR status... All this is valuable info to someone.
    First off, digital security is still a joke. Why? Because the weakest link is always the "human factor" Kevin Mitnick. Until we fix the human factor there will never ever be a totally secure transaction. This includes old-fashioned bank robberies. The only way for us humans to secure the human factor is to force security measures upon the populace. These security measures need to be semi-permanent and completely forge-proof. I suggest a system like "digital angel". But then again, I would suggest the Bible, Rev 13:16. Repent for the Kingdom of GOD is at hand.
  • Check out http://www.passport.com With everyone having their info with Microsoft, you can buy anywhere you want... Is that not nice ?
  • by remande ( 31154 ) <remande.bigfoot@com> on Thursday June 01, 2000 @10:29AM (#1032060) Homepage
    I happen to work for a company that does online credit card processing, so I've run into some issues. I am not a true authority, since I work at the code level rather than the business level. IANAL, and all that.

    Sending a picture? For anime? Suspect trouble! They are willing to either wait for a hardcopy photograph, then pay to file and store it so that they can retrieve it, or they are willing to accept a softcopy and stow that on a disk somewhere. This eats seriously into their cash flow, turns customers away, and is generally a very expensive and ineffective way to do fraud control. If I were a merchant, I might consider measures that invasive if I was dealing with a four-figure purchase, though that wouldn't be my preferred way of doing it. For something under $100, this is the sort of thing that would cause them to lose money on every purchase.

    Merchants do have to defend against credit card fraud, however. If you take my card number and buy that anime, when I see the charges, I can dispute them. The anime merchant would end up coughing up the charges; that's the breaks you take when you sign up to accept major credit cards. However, there are online services that do fraud checking.

    Electronic fraud screening is available from several vendors, and it can give a merchant an idea as to how risky you are to sell to. Criteria include velocity screening (if your use per day changes drastically, it suspects theft), address checking (you are slightly more risky if the shipping address is not the home address of the cardholder), and how often you do chargebacks (having the credit card company remove a charge versus just getting a return out of the vendor). This has to be cheaper, and more effective, than getting photographs.

    If somebody is resorting to photo methods, I have to guess that they either need to take Credit Card 101 or are actively malicious. While I would suspect the former (incompetence before malice), I would still steer clear, from what limited information you have given me.
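The three screening criteria this comment lists (velocity, ship-to versus cardholder address, chargeback history), as an added example that is neither the commenter's employer's code nor any screening vendor's: a scorer run over a constructed card history, with hold-for-a-phone-call and decline thresholds that tighten for the four-figure orders the comment mentions. The weights, the 24-hour and 30-day windows, the 2% chargeback cut-off and the $1,000 boundary are all assumptions.

```go
package main

import (
	"fmt"
	"time"
)

// Order is one card-not-present purchase as the screen sees it.
type Order struct {
	CardFP      string // fingerprint of the card, never the number itself
	AmountCents int
	ShipAddr    string
	BillAddr    string // cardholder's address of record, as the issuer reports it
	At          time.Time
}

// History is what the merchant (or its screening vendor) remembers per card.
type History struct {
	Orders      []Order // earlier orders on this card
	Chargebacks int     // disputes raised with the card company, not plain returns
}

// Decision is the screen's outcome; Review means hold for a courtesy call first.
type Decision string

const Accept, Review, Decline Decision = "accept", "review", "decline"

// velocity returns how many orders fell in the 24 hours before o and the
// average orders per day over the 30 days before that window.
func velocity(h History, o Order) (recent int, dailyAvg float64) {
	windowStart := o.At.Add(-24 * time.Hour)
	baseStart := windowStart.Add(-30 * 24 * time.Hour)
	base := 0
	for _, p := range h.Orders {
		switch {
		case !p.At.Before(windowStart) && p.At.Before(o.At):
			recent++
		case !p.At.Before(baseStart) && p.At.Before(windowStart):
			base++
		}
	}
	return recent, float64(base) / 30
}

// Score adds up the three criteria and keeps the reasons, so a human reviewer
// can see why an order was held rather than just that it was.
func Score(h History, o Order) (int, []string) {
	score, reasons := 0, []string{}
	// Velocity: a jump well above the card's own baseline suggests new hands on it.
	if recent, avg := velocity(h, o); recent+1 >= 3 && float64(recent+1) > 3*avg {
		score += 40
		reasons = append(reasons, fmt.Sprintf("velocity: %d orders in 24h, baseline %.2f/day", recent+1, avg))
	}
	// Address: shipping away from the cardholder's address is a mild signal, not proof.
	if o.ShipAddr != o.BillAddr {
		score += 15
		reasons = append(reasons, "ship-to address differs from billing address")
	}
	// Chargebacks: a card that has disputed before is costly even when the holder is honest.
	if n := len(h.Orders); n == 0 {
		score += 10
		reasons = append(reasons, "no history on this card")
	} else if float64(h.Chargebacks)/float64(n) > 0.02 {
		score += 30
		reasons = append(reasons, fmt.Sprintf("chargeback rate %d/%d", h.Chargebacks, n))
	}
	return score, reasons
}

// Decide applies thresholds that tighten with the amount at stake: a cheap DVD
// is rarely held, a four-figure order gets a call on weaker evidence.
func Decide(score, amountCents int) Decision {
	reviewAt, declineAt := 50, 80
	if amountCents >= 100000 {
		reviewAt, declineAt = 25, 60
	}
	switch {
	case score >= declineAt:
		return Decline
	case score >= reviewAt:
		return Review
	}
	return Accept
}

// SampleHistory is constructed demo data: a steady buyer for a month whose card
// then makes three purchases in one night and a fourth to an unfamiliar address.
func SampleHistory(now time.Time) (History, Order) {
	const fp, bill = "card-fp-demo", "1 High St, London"
	var h History
	for i := 0; i < 8; i++ { // one order every three days, all to the billing address
		h.Orders = append(h.Orders, Order{fp, 3000, bill, bill, now.Add(-time.Duration(3+3*i) * 24 * time.Hour)})
	}
	for _, hrs := range []int{2, 5, 9} { // the burst
		h.Orders = append(h.Orders, Order{fp, 3000, bill, bill, now.Add(-time.Duration(hrs) * time.Hour)})
	}
	return h, Order{fp, 4500, "99 Drop Lane, Elsewhere", bill, now}
}
```

On the sample data the burst order scores 55 (velocity plus address mismatch) and is held for a call, while the same buyer's steady orders to the billing address score 0 and ship without friction.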

  • Try calling your favorite credit card company and doing ... well anything. How do they verify it's you on the phone? "What are the last/first n digits of your SSN?" That's how.

    Also, a SSN is a pretty good starting place for developing a nice false identity. Pretty easy to get a birth certificate. With that and a SSN, you can, er, go places.


  • This is the goal of such services as zKey and Microsoft Passport. You register with them, they verify that you are a good and valid customer. Then any ecommerce sites which use their services instantly know you are a valid customer and also have all your existing information, thus eliminating hassle for you.

  • by LordNimon ( 85072 ) on Thursday June 01, 2000 @10:40AM (#1032069)
    When it comes to things like credit cards, there's always a trade-off between convenience and security.

    My wife and I both use one credit card for the bulk of our purchases. Actually, we have separate physical cards, but the account number is the same. The name and the signature on the cards are different. However, if I give my card to a clerk, and he gives me a receipt for my signature, my wife can sign it. Is that secure? Not really. But it's damn convenient.

    It's all a question of where you draw the line. There have been instances where the lack of security has been a boon. I've been able to order computer hardware for my parents simply by having them give me the CC number and date. That's not secure, IMHO. If CC's were truly secure, I would not be able to do that.

    But how do you make e-commerce transactions truly more secure? Adding more numbers or passwords doesn't help - it still lets other people make purchases. You could use biometric scanners, but that's a nightmare of its own, and it's still information being sent over the wire (you could copy the biometric data and retransmit it yourself).

    How about limiting CC transactions from one IP address? Or having some kind of special key encoded in the computer (can we say Pentium serial number)? We all know these are bad ideas.

    The truth is, there isn't anything you can really do to make CC's more secure over the Internet. The most you can do is make it more inconvenient for everyone. I get the feeling that some people equate less convenient with more secure.

    So you might say that it's safer to only purchase items in a store. Well, who says the clerk behind the counter is any more trustworthy than a web site and 128-bit encryption?

    The CC companies will reimburse customers for bogus transactions. But because e-commerce is so insecure, they think their risk is too high. So they're sharing the burden with the vendors, and I think that's fair. If you're a vendor with greater than 1.5% returns, then you have bigger problems than the financial penalty. You either have a major security hole, or your products suck.

  • by zantispam ( 78764 ) on Thursday June 01, 2000 @10:47AM (#1032073)
    Well, let's say your SSN is 123-45-6789.

    First things first, I need a card. So I go to my post office and grab a request for a replacement social security card. It wants a copy of your birth certificate. Well, I can match up the SSN to a name pretty easily (trivial if I know what state you live in, even easier if I know what city). All I have to do is call the DMV and say that I'm in HR for the Yoyodyne corp and I'm doing a background check. I need to verify this SSN as belonging to Joe R Public. Oh, it's not him? Who is it?

    Bingo. I have your name and your SSN.

    Call the county courthouse and ask for a copy of your birth certificate (I'm doing genealogical research on my family). Weren't born there? Where were you born?

    Bingo. I have your name, place of birth, and SSN.

    So I call up the county courthouse where you were born and ask for a copy of your birth certificate (using the above story). It'll cost me, like, $1.50.

    Bingo. I have your name, place of birth, DOB, DL#, SSN, social security card, parent's names, mother's maiden name, and just about any other piece of information that I want.

    Hrmmm, let's go shopping, shall we?

    Better yet, let's get some warrants out for your arrest.

    Hell, let's go all the way and start getting your mail, your paper, your pension, your 401k, your health insurance, your life insurance, a job in your name...

    That, my dear bribecka, is what I can do with a SSN.

    Here's my [redrival.com] copy of DeCSS. Where's yours?
    I have a bank checking card, have never signed the back of it, and have never been asked for my ID. I was amazed (after all I'd been told about how secure it would be) that no one would check to make sure I was really the right person.

    On another note, the other day I went to cash my paycheck at the bank it was drawn on. I whipped out my two forms of ID, my driver's license and my SS card. d@mn if the teller doesn't tell me that the SS card isn't a valid form of ID and then proceeded to ask if I had maybe a business card instead....ug...
    "Leave the gun, take the cannoli."
  • Do you take phone orders? If so, do you require the same amount of rigorous verification?

    It seems there is a double standard emerging with respect to online orders. Companies are placing unusual restrictions on ordering from web sites, but don't follow the same guidelines when receiving orders by phone.

    I have had many problems with websites wanting ridiculous amounts of information just to place an online order. The last online order I attempted, the company wanted my bank's phone number and address. When I call the same companies to place an order via phone, they usually ask for just the bare essentials (shipping address, CC#, expiration date) and could give a rat's ass about verification.

  • There was a (relatively) recent article [cardinalcommerce.com] in the E-Commerce Times regarding online fraud with some commentary from Alvin Cameron, credit/loss prevention manager for Digital River, an e-commerce provider. The article is somewhat sparse, but it has some interesting points.

    Among these are the mention that 'identity theft' is a federal felony that's slowly becoming more and more prosecuted, and that "an estimated 20 to 40 percent of online purchases are fraud attempts." It's nice to see that someone would be penalized for illegally using my credit card online, but it's also disheartening to see how prevalent fraudulent attempts are, especially when we see how difficult they are to prosecute currently.

    I've purchased online extensively over the past few years, usually without any apprehension. The sites that give me reason to pause are the small shops - someone selling CDs of their band, what have you - that really don't have the funds to provide any sort of fraud protection. When a site is able to provide even basic information to assuage the concerns of a potential customer (see Digital River's information about fraud here [digitalriver.com]) then they're better positioned to take advantage of the situation.

    To stay on-topic for just a moment, I consider it doubtful that e-commerce companies would share information regarding fraudulent attempts with their competitors. If your company is losing money hand over fist because of fraud, I'll happily take whatever future customers you may have for my company. There may be an advantage in mutual benefit here, but I doubt many companies will see it that way.

    Really, though, disheartening is the only way to look at it - being able to purchase anything online without any fear of loss of privacy would be a wonderful thing, but that's just being a bit too idealistic and naive. I guess we just need people like Mr. Cameron to try to minimize the damages.

  • by jbarnett ( 127033 ) on Thursday June 01, 2000 @11:00AM (#1032083) Homepage

    I had to give a piss test, 2 forms of photo id, eye scan, finger prints and a spinal tap before they let me into this one porn site.

    But I feel safer now that my credit card isn't among the 31337 hAx0rs of the world.

    Plus my credit card is hard to guess, you would of never guessed

    AJ Bennett
    4828719230128348
    with an expiration date of 03/02

    You would have never guessed that could you. HA, I am feeling like one secure mofo.

  • PayPal [paypal.com]

    --Joe
    --
    I always use E-gold [e-gold.com] or something similar when possible because it protects me as a consumer. I did work for a large catalog/online company [tigerdirect.com] that sells computers and related products. While employed there I showed them several methods their system could be penetrated, including grabbing a list of credit cards (several thousand) which I dropped on mgmt's desk w/ a detailed step-by-step list of how I did it and how to fix it. They never have fixed it (it's been over a year) and it's been enough to cure me from most online shopping. If I use a credit card I use a debit card with a hard limit and only a small amount of $ in the account. It should be noted that this company is using the same software that many other companies use and that I had no special access to the system. Just by knowing the software they used and how those bits work together I was able to access the system at a very high level.
  • Anyone who has the right to ask for your social security number is *required by law* to give you documentation that they have this right and can withhold items or services until you give it to them.

    This is false. The Privacy Act, Public Law 93-579, requires "Any Federal, State, or local government agency" to inform the requestee whether "disclosure is mandatory or voluntary, by what statutory or other authority such number is solicited, and what uses will be made of it." The relevant part of the law is codified at 5 USC 552a, Note 7 (b). To my knowledge, no federal law imposes any similar requirement on non-government parties, and very few states do.

  • Online E-tailers really put a lot on the line when it comes to credit cards. When you sign the merchant agreement you agree to a lot of things that give the merchant bank all the power.

    Most merchant banks handle things about the same. Joe Schmoe says the charge isn't his. The merchant bank puts the funds on hold. It goes around a few times. If by the third time the card holder hasn't admitted they made the charge, the merchant bank will demand a signature and an imprint of the card. It doesn't matter if you have a recording of the call with the person authorizing the charge. You lose, do not pass go, do not collect 200 dollars.

    The only recourse the merchant has is small claims court.

    Getting paid is a tricky job sometimes. There are plenty of ways of messing with the system. The only one who really gets rich is a merchant bank.
  • How would it help for companies to share information about you? Sure, they would get something out of it, (a chance to peek into your private life) but how will it help you?

    If the company you are dealing with wants to verify that you are a "worthy customer", (which means, I assume, a customer who has the ability to pay and is not committing fraud) sharing information with other online companies probably is not going to help. If you give them a credit card number, they already check with the credit card company to see that your name and information matches the name and information on the card. So the only real concern is, how does the company know it's really you ordering the product, and not some other guy with your information pretending to be you? The answer: they probably don't. And referrals from other companies probably won't help. Just because John Doe has purchased something from Company A, and was a good customer, doesn't really help Company B figure out whether it's really John Doe trying to order something from them or just a punk who stole his credit card.

    Some companies sort of solve the problem by refusing to ship to any address but the one listed with the credit card company. This causes just as many problems as it solves, though, because it makes it impossible for a legitimate customer to have a purchase sent to an alternate address. So what options are available for companies to use to verify customers' identities? Anyone have any suggestions?
  • by James Renken ( 610 ) on Thursday June 01, 2000 @11:15AM (#1032095) Homepage
    I have some very strong opinions about this. I used to sell Web hosting and UNIX shell accounts on my site, Sandwich.Net. We were doing very well for a while (we even ran some banner ads on Slashdot), but we shut down commercial operations after a very large loss brought on by credit card fraud.

    Apparently, we were very popular with the "script kiddie" community. About 90% of credit card orders that we received turned out to be fraudulent (immediately or eventually) - not from credit cards that had been physically stolen, but from compromised credit card numbers and account information. For some reason, almost 75% of those fraudulent orders were either using Malaysian cards or came from Malaysian dial-up accounts.

    For Internet ordering, most merchants use AVS, the Address Verification System, for fraud screening. I understand that there are some other systems available now. With AVS - and even with most new systems that I've seen hyped - if your personal information is compromised along with the card number (which is very common), the system is completely useless. AVS doesn't work with credit cards from outside the U.S. or Canada anyway.

    If I had required that users fax me a copy of their credit card and picture ID, I suspect that I could have prevented very nearly all of the credit card fraud that happened. As it was, our merchant service provider terminated our merchant account for excessive chargebacks, and charged us a certain amount per chargeback, which added up to a large loss. It would have helped had the provider actually provided us with anything other than AVS for fraud screening, or with decent customer service or advice. A system like that suggested in the article, where assurance is traded among merchants, sounds good, but I agree that it raises some major privacy concerns.

    Banks and merchant service providers don't seem to care very much about this. After I realized what was going on (far too late to stop most of the chargebacks), I ended up denying most international orders, and calling banks in North America to verify the charges. Most of them were very unhelpful - I now know which banks I never want to get a credit card from...

    I could keep going on about this for several pages. :) Feel free to e-mail me [mailto] if you're interested in more details. (I'd be happy to discuss the merchant service provider and credit card companies involved.) I hope this message made at least some amount of sense.

    Also, regarding two other comments:

    More financial penalties for high-chargeback merchants? That seems unhelpful, considering that in most cases (not all, admittedly), it isn't the merchant at fault. Additional fraud screening and actual help for confused merchants would probably more effectively prevent fraud. Penalties certainly encourage merchants to take action against fraud, but it's very difficult to find out how to do so.

    The extra digits on the back of Visa/MC cards seem fairly useless to me, as if a Web site that asked for them is compromised, you're no better off than with a "normal" card.
  • Since the extra digits are not embossed, they don't show up on the carbon receipts they use at face-to-face places. This means that someone needs possession of your card to use it over the phone or online.

    Without that, someone can go dumpster diving at a department store, come up with a bunch of carbon paper that have been thrown out, and have enough information to use your card over the phone.

    BTW, if you use your card someplace that actually uses carbon on credit cards (the big clunky things that make the "kachunka" sound when they run it over your card), there are usually three sheets--your copy, the store copy, and the carbon paper. Ask the cashier for the carbon paper every time, and you protect your card a little bit more.

  • Visa and MC were supposed to provide the SET protocol to

    1. lower costs to merchants: the 'discount' rate for Mail Order/Telephone Order sales is typically 1% or more over a brick 'n' mortar store. SET is supposed to eliminate that.
    2. increase security for both the customer and the card issuer (not the merchant - heh)

    This was done using a digital certificate for each customer, vetted by the bank. The e-store never gets the credit card number, just various confirmation numbers from the bank, and credit in their account.

    Well, it's been several years, and SET still isn't implemented at any major e-commerce site that I know of. The costs of SET-compliant software are huge.

    I wouldn't shop at any place that is that much of a hassle to order from. Unless I'm assured of a great deal ahead of time, I won't shop from places that (a) require a log-in (esp. with credit card) before I can put the first item in the cart, or (b) aren't up-front with the shipping costs.

    Hey - Toys-R-Expensive^h^h^h^h^h^h^h^h^hUs doesn't even use a secure server!

    My wife runs a small children's book store on the web, and fraud really hasn't been a problem. We've never had a customer complain about theft, we've never gotten stiffed for a bill, and the couple of customers who tried to reverse a charge after receiving legit merchandise were re-credited to us -- a hassle, but we won.

    We did get a pair of orders one day both shipping to the same city in Hungary using US cards. This raised some virtual hackles, and when the customers didn't respond to e-mail, we canceled the order and reported them to the credit card company [hey - where's our reward?].

    Admittedly, the major fraud risks are for large ticket items, or direct-download items, from software to smut, none of which we work with (I think the biggest ticket items are under $200 for hardback sets of The Chronicles of Narnia or some such).

    J

  • The merchant gets stuck with the bill. Visa/MC takes no financial risk, since they're just providing the standard and IT structure, not fronting the money (that's why banks issue Visa and MasterCard cards--they are in the business of fronting the cash and risking that you won't pay your bills). The issuing bank takes the nonpayment risk--they lose money if they can't get you to pay--but the merchant takes the fraud risk. AmEx and Discover, since they are both IT and the bank (they front the money) take the nonpayment risk, but I bet merchants still take the fraud risk. Giving merchants the fraud risk makes a sort of sense--it gives them incentive to be careful who they approve.

    There are Federal laws protecting the consumer from credit card fraud (you've read the disclaimers about how you are only responsible for so many dollars if your card is stolen). Strangely enough, these laws do not apply to debit cards (the ones that pull from your checking account). If someone steals one of those, they can suck your account dry (and maybe even negative), and even FDIC insurance doesn't protect you. You assume risk for debit card fraud. In a high-risk environment, choose the credit card over the debit card to protect yourself.

    BTW, the minimum purchase restriction (I believe it's illegal) isn't a fraud protection--nickel-and-dime fraud is more risky than big-ticket fraud, and takes more effort. Some places have these restrictions because the merchant pays a per-transaction fee (not a per-dollar fee) for processing a credit card purchase. Given that, the transaction fee on a small purchase may outweigh the profit margin and cause them to incur a loss.

  • I work for an online bookstore, so I've had to deal with this stuff. I don't see why a photo ID is necessary. The only time my company has ever requested an ID is in cases like academic software, where a student ID is required by the software company.

    Standard CC transactions already let you map a number to the owner and his or her home address. That's all that should be needed. The only possible thing that could happen if you have things set up right is that a person could use a stolen credit card and send whatever product to a different shipping (as opposed to billing) address. But even there the criminal is exposing himself to getting caught, and so that's not likely to happen.

    We have been victim of fraud, but so far, after many thousands of orders, it's either been on returns (no credit card solution is going to help there) or from people shipping items to PO Boxes. We had to stop shipping to PO Boxes because these cannot be traced to an address, and certain people would try to steal things that way.

    Of far greater concern to these people should be protecting the credit card information in their database. I imagine it was quite damaging to the companies that stored database info on their webserver and then were subsequently cracked.

    The only thing I can see this useful for is marketing and that's where our companies differ. My company strongly supports privacy and would never share customer information.

  • First thing, do NOT send them a copy of your credit card. There are usually 4 numbers above the imprinted digits. Knowing these numbers can help credit card thieves use your card and/or make changes to your credit account.

    I have a merchant account for online credit card transactions and the problem that companies face in the U.S. is the large amount of chargebacks and fraudulent charges from overseas. In fact, I have a list of over 70 country codes that I was given by the bank and advised to block entirely. All of Italy being one of those countries. The UK was not on the list but I can see how some banks may require some special authentication.

    Also, I just found out that Ibill, one of the major third party credit card processors, just lost the ability to use American Express for all adult related websites due to high number of chargebacks and fake charges.

    As for companies sharing info, I don't think that's the way to go.

    - Simon
  • I had ordered two Quantum 10,000 RPM 18gb Ultra 160 SCSI drives and an adaptec 39160 dual-channel ultra-160 SCSI controller from Megahaus [megahaus.com]. These are high-end items and came to over $1500

    They say on their order page that they need to have the shipping address match the credit card address and as I'm out of the country (in Canada) for a few months I explained the situation in the comments field and gave them my phone number.

    Then the trouble began.

    I got a message from them asking me to "add" my shipping address to my credit card. Well, it's a debit card and you can't do that, the best I could do was change my permanent address with the bank to the place I'm staying at in Canada. I didn't want to do that because I'm not staying here permanently but I really need the equipment. The bank was happy doing that over the phone.

    I got a call from Bank Security verifying the transaction so I know that the transaction was approved by the debit card company.

    But when they verified my address again it still hadn't gone through. No problem, I thought, I'll just give them the number of the lady at the bank who approved the address change.

    Well that wouldn't satisfy them. I ended up spending all day on the phone, alternately with my bank who bent over backwards to be helpful and who assured me they would do everything in their power to get Megahaus to send me their drives, and some obnoxious chick in Megahaus order processing who said - get this - she wasn't permitted to dial an extension when verifying my address.

    It is impossible to reach anyone at my bank without dialing an extension. The branches don't even have their own phone numbers. When you dial the number you get a switchboard and the person at the switchboard doesn't have bank record information available.

    The chick at Megahaus said if she couldn't get the verification from the person who answered the phone she wouldn't send me the drives.

    Now I could wait three days for my address change to register on Visa's records (isn't this the 21st century) but instead I canceled my order and ordered from Insight [insight.com] instead.

    Mike

    Tilting at Windmills for a Better Tomorrow.
  • For the record, US Federal law prohibits a merchant from charging your card until they ship the product (when it leaves their door, not when it arrives at yours). If they have your money and can't prove that they shipped your product, they are in deep legal kimchi. This law protects you from a merchant not shipping your product. The "auth" system described below protects the merchant from you ordering something, then maxing out your card before they ship it.

    When you place an order, the merchant sends an "auth request" through their credit card people. The CC guys do any fraud screening the merchant might want done (verifies that the card is real, not expired, not past due, etc.), and verifies that there is indeed "room" on your card. It also puts a lien on your credit card for the amount of the purchase. The merchant gets an auth code back, unrelated to the credit card data, so that they can wipe the credit card data (think of the auth code as a credit card magic cookie). This whole auth request/auth return takes place in real time (which is why you can get "credit refused" while placing an online order--the auth came back negative). You don't pay for the lien, it doesn't show up on your statement, but it is there and it lowers your effective limit. If I have a $5,000 limit on a card with no debt, and I order a $3,000 laptop, there is only $2000 in "real room" on my card, though I am not officially charged yet. That $3,000 is earmarked in the lien to guarantee to the merchant that they will get paid when they ship the laptop. In the meantime, I will get an "over the limit" refusal if I order another $3,000 laptop before they ship the first one and I pay down my card again.

    For the record, auths do not last forever. I believe they go piffle somewhere between 30-90 days if they aren't redeemed.

    When the merchant ships the product, they look up that auth code that they got, submit that back to the credit card people, and redeem the auth ("I have auth code 34908792 for $3,000. I shipped the goods. Pay up"). The money gets automagically credited to the merchant account.
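The auth/capture lifecycle the post above walks through, as an added example (not code from the original post): a toy card account that tracks authorization holds separately from posted charges, refuses a second auth while the first hold still eats the limit, posts the charge on capture, and lets an unredeemed hold expire. The 60-day hold lifetime, the auth-code format and the dates are assumptions.

```python
"""Toy model of the authorization hold / capture flow described in the
comment above.  Added example, not code from the original post: the
60-day hold lifetime, the auth-code format and the dates are assumptions."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, Optional
import secrets

HOLD_LIFETIME = timedelta(days=60)  # assumed; the post says 30-90 days


@dataclass
class Hold:
    auth_code: str
    amount: int      # whole dollars, for simplicity
    created: date


@dataclass
class CardAccount:
    limit: int
    balance: int = 0                                    # charges actually posted
    holds: Dict[str, Hold] = field(default_factory=dict)

    def _expire(self, today: date) -> None:
        """Drop holds the merchant never redeemed within HOLD_LIFETIME."""
        stale = [c for c, h in self.holds.items() if today - h.created > HOLD_LIFETIME]
        for code in stale:
            del self.holds[code]

    def open_to_buy(self, today: date) -> int:
        """Room on the card: limit minus posted balance minus live holds.
        Holds never appear on the statement but still lower the limit."""
        self._expire(today)
        return self.limit - self.balance - sum(h.amount for h in self.holds.values())

    def authorize(self, amount: int, today: date) -> Optional[str]:
        """Auth request.  Returns the auth code the merchant keeps instead of
        the card data, or None when there is no room ("credit refused")."""
        if amount > self.open_to_buy(today):
            return None
        code = secrets.token_hex(4)   # constructed; real codes are issuer-defined
        self.holds[code] = Hold(code, amount, today)
        return code

    def capture(self, auth_code: str, today: date) -> bool:
        """Merchant ships and redeems the auth: the hold becomes a posted charge.
        Fails if the code is unknown, already redeemed, or has expired."""
        self._expire(today)
        hold = self.holds.pop(auth_code, None)
        if hold is None:
            return False
        self.balance += hold.amount
        return True


def laptop_scenario():
    """The post's $5,000-limit / $3,000-laptop walk-through."""
    card = CardAccount(limit=5000)
    d0 = date(2000, 6, 1)
    first = card.authorize(3000, d0)
    room = card.open_to_buy(d0)          # 2000: the hold ate 3000 of the limit
    second = card.authorize(3000, d0)    # None: "over the limit" while the hold lives
    ship_day = d0 + timedelta(days=3)
    card.capture(first, ship_day)        # merchant ships, the charge posts
    return room, second, card.balance, card.open_to_buy(ship_day)


def expiry_scenario():
    """A hold the merchant never redeems goes away and frees the limit again."""
    card = CardAccount(limit=5000)
    d0 = date(2000, 6, 1)
    code = card.authorize(3000, d0)
    later = d0 + timedelta(days=61)
    return card.open_to_buy(later), card.capture(code, later)


if __name__ == "__main__":
    print(laptop_scenario())   # (2000, None, 3000, 2000)
    print(expiry_scenario())   # (5000, False)
```

The point of keeping `balance` and `holds` apart is the one the post makes: the customer is not charged at authorization time, yet the issuer must still reserve the amount, and a merchant who sits on an auth past its lifetime finds the capture refused.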

  • You should never need a photo. A credit card processing agency requires only the number, expiration date, name and address. Optional are the "extra" numbers on the back of the card and a phone number. The processor sends the card number to the bank which sends back the address on the card and expiration date. Based on this information, the company you are buying a product from can accept or deny the charge; even if the addresses don't match the company can take a risk and accept the card.

    This is detailed very well in Philip Greenspun's book, available fulltext online. Here's the book [photo.net].

  • by Thorkild ( 20531 )
    In Norway (where I come from) they created a system called SET (I think, it's been a while since I looked at that). What this system did, was by using encryption, validated your request, but without the shop getting the details.

    How it did this was by using a trusted third party (which isn't that new a concept). This is typically the bank, or the card company. This combined with digital signatures meant that the shop couldn't change the values, and it didn't even know the credit card number. It just knew that the transaction was ok, since the third party said so.

    There is a lot more details of course.

    This system seems to have died, since it was too complicated, and the netshops didn't support it. A shame if you ask me, but then, nobody does..:-)

  • by cafebabe ( 151509 ) on Thursday June 01, 2000 @01:57PM (#1032136)

    On a side note -- Wired magazine had an article [wired.com] a few days ago about how American Express will no longer cover credit card transactions from porn sites. AMEX says that porn sites have such a high charge back rate from fraud that they are no longer interested in working with those companies. One thing the article pointed out is that a lot of the fraud from these sites doesn't come from stolen cards or invalid numbers, but from people disputing what are probably valid charges because they don't want to admit to embarrassing purchases. ("No, honey, I don't know how that charge got on my bill. Someone must have stolen my card...")

    Considering how lucrative the online market is for porn and other goods and services people would rather purchase with the benefit of anonymity, credit card companies should probably focus some of their security research on techniques for nonrepudiation, not just improving methods for authentication and preventing interception of card numbers.

  • I cringe to recommend the service to this hostile group, but Microsoft is attempting to address this very problem with Passport. By authenticating yourself centrally, and storing your essential information such as credit card numbers, on their servers, you are immediately authenticated to any sites that recognize the passport mark.

    Of course, this has yet to become popular, and I could understand if you had reservations about handing such important data into a corporation's safekeeping.

    -konstant
    Yes! We are all individuals! I'm not!
  • Having had to trawl through loads of cc verification stuff for my baby [get-trolleyed.co.uk], I can vouch that it can be a major problem.

    The transaction companies we have dealt with in the UK cover their asses by making the percentage on each transaction quite high (err, 7% I think I remember hearing for some!), but that covers you for chargebacks (insurance or something...).

    When playing with Barclays ePDQ [epdq.co.uk], I ended up reading the cybercash docs (basically what ePDQ is, but re-branded). They had a great feature, the Address Verification System (AVS) that didn't just take the CC number, name and expiry date, but also takes the first line of the cardholder's address and their zip/postcode for verification. You can then choose to reject transactions where either or both fail (can be problematic - 1 Main St. is not the same as 1 Main Street).

    So I started looking at integrating it, but at the moment, Barclays doesn't support it. From what I can gather though, they will be soon, and when they do, the transaction fee will be less for shops that use AVS to verify cardholder's address and only allow shipping to billing address.

    Of course, the easiest solution is to remove yourself from consumer culture and buy as little as possible. But then, not everyone wants to be a hippy <sigh>
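The AVS-style check described in the post above, and the "how does Company B know it is really John Doe" problem raised earlier in the thread, as an added example (not code from any of the posts): the address the customer typed is normalized so that "1 Main St." and "1 Main Street" compare equal, matched against the address the issuer holds for the card, and the result is fed through an accept/review/decline policy that also applies the ship-only-to-billing-address rule. The issuer records, token names, country list and normalization table are constructed for this example.

```python
"""Added example (not code from the original posts): an AVS-style address
check plus a simple merchant screening policy.  Issuer records, tokens and
the abbreviation table are constructed."""
import re
from enum import Enum

# Constructed stand-in for the issuer's address-on-file lookup.  The key is a
# token the processor hands back, so the merchant never stores the card number.
ISSUER_RECORDS = {
    "tok_us_1": {"country": "US", "street": "1 Main Street", "zip": "02139"},
    "tok_uk_1": {"country": "GB", "street": "1 High Street", "zip": "SW1A 1AA"},
}

AVS_COUNTRIES = {"US", "CA"}   # the posts note AVS covers only US/Canada cards

ABBREV = {"street": "st", "avenue": "ave", "road": "rd", "drive": "dr",
          "apartment": "apt", "suite": "ste"}


def normalize_street(s: str) -> str:
    """'1 Main St.' and '1 Main Street' should compare equal."""
    s = re.sub(r"[^\w\s]", " ", s.lower())            # drop punctuation
    return " ".join(ABBREV.get(w, w) for w in s.split())


def normalize_zip(z: str) -> str:
    return re.sub(r"\s+", "", z).upper()


class AvsResult(Enum):
    FULL_MATCH = "street and zip match"
    STREET_ONLY = "street matches, zip does not"
    ZIP_ONLY = "zip matches, street does not"
    NO_MATCH = "neither matches"
    UNAVAILABLE = "issuer cannot check (non-US/CA card or unknown token)"


def avs_check(token: str, street: str, zip_code: str) -> AvsResult:
    rec = ISSUER_RECORDS.get(token)
    if rec is None or rec["country"] not in AVS_COUNTRIES:
        return AvsResult.UNAVAILABLE
    street_ok = normalize_street(street) == normalize_street(rec["street"])
    zip_ok = normalize_zip(zip_code) == normalize_zip(rec["zip"])
    if street_ok and zip_ok:
        return AvsResult.FULL_MATCH
    if street_ok:
        return AvsResult.STREET_ONLY
    if zip_ok:
        return AvsResult.ZIP_ONLY
    return AvsResult.NO_MATCH


# Merchant policy.  Partial matches go to a human rather than being rejected,
# because formatting mismatches are common with perfectly legitimate customers.
POLICY = {
    AvsResult.FULL_MATCH: "accept",
    AvsResult.STREET_ONLY: "review",
    AvsResult.ZIP_ONLY: "review",
    AvsResult.NO_MATCH: "decline",
    AvsResult.UNAVAILABLE: "review",
}


def screen_order(token: str, street: str, zip_code: str, ships_to_billing: bool):
    """Combine the AVS result with the ship-only-to-billing-address rule the
    posts describe: even a clean match is reviewed when the goods are headed
    somewhere other than the cardholder's address."""
    result = avs_check(token, street, zip_code)
    decision = POLICY[result]
    if decision == "accept" and not ships_to_billing:
        decision = "review"
    return result, decision
```

Note what this does and does not establish: a full match says the person ordering knows the cardholder's billing address, which is exactly the data the thread says is usually compromised alongside the number, so AVS raises the bar for a thief but does not prove identity, and a UK card returns UNAVAILABLE regardless of what was typed.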

  • by tiwason ( 187819 ) on Thursday June 01, 2000 @03:19PM (#1032150)
    Visa, and other credit card companies will pay all theft claims. It's very expensive, and that's why the credit card rates are so ridiculously high.

    Guess you decided not to read any comments and just display your ignorance...

    Visa/Mastercard take the fraud $$ straight back from the merchant..... plus charge the merchant some extra $$ just for the privilege....
  • However, what is often forgotten is that the data stream between keyboard/mouse and the smartcard is in the clear. A smart trojan would attack that stream, and just tell the card "the user just keyed in an order to pay www.chaos.de $20, please encrypt".

    The Amex Blue readers, as well as some of the readers that my company produces, have a PS/2 interface on them. The reader sits between the keyboard and the computer. When entering information to the card (specifically a PIN) the reader intercepts the signal, and it never reaches the computer, which means it is never available to a trojan.

    More security than not, but there are still ways to attack that system (Tempest, video camera watching the keyboard, etc.) -- Walter Mitty wmitty at hushmail dot com

  • In conclusion, without knowing the specifics of the Amex messages, if they are at all familiar with what I know, it will be very secure, even on an insecure OS (if the OS is secure, then just keep all the info on the chip on the hard disk. Smartcards assume the OS is insecure). Also, I assume that they are windows only, but that could change.

    As long as the keyboard connects directly to the reader, and all relevant data (not only the PIN, but also the amount and the account number where the money should be transferred) are grabbed directly off the keyboard and not relayed through the computer or its insecure OS. If only the PIN is entered that way, a Trojan could still doctor the amount or other parameters.
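The distinction the two posts above draw, as an added example (not code from the original posts): a toy model in which the card signs the transaction fields and the issuer verifies that signature. In the PIN-only design the amount and payee come from the host PC, so the card signs whatever the host presents and the issuer has no way to notice a substitution; in the full trusted-path design the amount and payee are keyed in on the reader and bound into the signed fields, so any later change by the host breaks verification. HMAC-SHA256 with a key shared between card and issuer stands in for the card's real cryptogram, and the PIN, amounts and payee name are constructed.

```python
"""Added example, not code from the original posts: which reader design lets
the issuer detect a transaction whose amount was altered on the host PC.
HMAC-SHA256 stands in for the card's cryptogram; PIN/amounts are constructed."""
import hashlib
import hmac
import json
import secrets

CARD_KEY = secrets.token_bytes(32)   # constructed: known only to card and issuer
CARD_PIN = "1234"                    # constructed


def card_sign(fields: dict) -> bytes:
    """The card signs a canonical encoding of exactly these fields.
    (A real card would also bind a transaction counter to stop replays.)"""
    msg = json.dumps(fields, sort_keys=True).encode()
    return hmac.new(CARD_KEY, msg, hashlib.sha256).digest()


def issuer_verify(fields: dict, tag: bytes) -> bool:
    """The issuer recomputes the cryptogram over the fields it actually received."""
    return hmac.compare_digest(card_sign(fields), tag)


def reader_sign(pin: str, amount: int, payee: str):
    """The reader checks the PIN locally and asks the card to sign the
    amount/payee it was given.  What differs between the two designs is
    only WHERE those two values come from (see run_purchase)."""
    if pin != CARD_PIN:
        return None
    fields = {"amount": amount, "payee": payee}
    return fields, card_sign(fields)


def run_purchase(host_alters_amount: bool, design: str):
    """Returns (amount the issuer is asked to pay, whether the issuer accepts).
    design is 'pin_only' (amount/payee supplied by the host) or 'full'
    (amount/payee entered on the reader's own keypad)."""
    user_amount, user_payee = 20, "shop.example"    # what the user intends
    altered_amount = 2000                           # what a compromised host substitutes

    if design == "pin_only":
        # Only the PIN travels the trusted path; the amount reaches the card
        # via the host, so the card signs the host's version of events.
        amount_for_card = altered_amount if host_alters_amount else user_amount
        fields, tag = reader_sign(CARD_PIN, amount_for_card, user_payee)
        submitted = fields                          # host forwards exactly what was signed
    elif design == "full":
        # Amount and payee are keyed in on the reader and signed there; the
        # host only relays the opaque (fields, tag) pair and can alter it
        # solely after the fact.
        fields, tag = reader_sign(CARD_PIN, user_amount, user_payee)
        submitted = dict(fields, amount=altered_amount) if host_alters_amount else fields
    else:
        raise ValueError("unknown design")

    return submitted["amount"], issuer_verify(submitted, tag)


if __name__ == "__main__":
    for design in ("pin_only", "full"):
        for altered in (False, True):
            print(design, "host alters amount:" if altered else "honest host:",
                  run_purchase(altered, design))
```

Run it and the asymmetry is plain: with the PIN-only reader the issuer accepts the 2000 because the card genuinely signed it, while with the full trusted path the same substitution produces a signature mismatch. The issuer cannot tell the two designs apart cryptographically; the protection comes entirely from which inputs never pass through the host before the card signs them.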

  • Let's say I open a store, and post a guard at the front door, with instructions not to let anybody in unless they put a blue sock on their left hand, shove an ice-cream bar up their ass, and promise to say "boogah" every six minutes while in the store.

    Now you're my potential customer, standing at the door.

    Is what I'm asking you unreasonable? Yep.

    But if I don't make an exception for anyone based on the color of their skin, their sex, or certain other characteristics that may or may not be readily apparent by looking at them, your only legal recourse is to tell me to go eff myself and turn around and walk away.

    So how much information can you withhold? As much as you want.

    How much service can they withhold if you do? As much as they want.

    Your rights don't override theirs.

    If they were a monopoly, the rules would change; but "the only place I can find Captain Harlock on letterboxed DVD" doesn't qualify as a monopoly.

    Bottom line; don't do business with anybody whom you feel has unreasonable requirements, and send them a polite letter detailing why you think they are unreasonable. Other than that, quit yer bitchin'.

    --
