Credit card fraud and personal responsibility

[zx10guy]

We all know about the issues with credit card fraud and the affect it has on us personally. Much of it has to do with security breaches with retailers as a lot of the recent news stories have attested.

So it angers me when I see outright stupidity by individuals that don't do simple things to prevent this stuff from happening. I was at an amusement park Saturday. I saw two people in the span of a few minutes having their credit card in clear view hanging from a lanyard in one of those clear badge holders. All I needed to do was take my phone out and take a picture of their credit card. It's bad enough how fraud has affected the cost of doing business along with the trickle down effect on us as consumers without idiots like the ones I saw contributing to it.

[The Wind Breezes]

You still would have needed the security code.

[ShopVac]

...and the new chips don't have the same number that's printed on the card.

Needless, don't think I'd want to show the number publicly.

[UncleWede]

And home address, to know where to "hang out" until your package was delivered

[NFiftyWon]

Majority of fraud and identity theft actually occurs in the form of social engineering and metasploits.

[zx10guy]

There are still merchants which will do a transaction without asking for the security code on the back. Also AMEX still has the security code printed on the front of their cards right with the credit card number, expiration date, and your full name.

[David70]

Quote:

Originally Posted by zx10guy

We all know about the issues with credit card fraud and the affect it has on us personally. Much of it has to do with security breaches with retailers as a lot of the recent news stories have attested.

So it angers me when I see outright stupidity by individuals that don't do simple things to prevent this stuff from happening. I was at an amusement park Saturday. I saw two people in the span of a few minutes having their credit card in clear view hanging from a lanyard in one of those clear badge holders. All I needed to do was take my phone out and take a picture of their credit card. It's bad enough how fraud has affected the cost of doing business along with the trickle down effect on us as consumers without idiots like the ones I saw contributing to it.

I eat out 3-4 times a week, sometimes many more when I am traveling for work. I give my card to the waiter, he takes it to the back and who knows what happens to it. I try to be careful with it but see the restaurant the biggest chance for credit card fraud. We should do what both Europe and Canada do and they bring the machine to the table.

[zx10guy]

Quote:

Originally Posted by David70

I eat out 3-4 times a week, sometimes many more when I am traveling for work. I give my card to the waiter, he takes it to the back and who knows what happens to it. I try to be careful with it but see the restaurant the biggest chance for credit card fraud. We should do what both Europe and Canada do and they bring the machine to the table.

Agreed. Many restaurants are doing that here. Not fast enough in my opinion. The point of my thread is why do something careless to add to the problem?

[UncleWede]

The ones I've run into in the US, you have to walk over to the cashier to enter your PIN and then they bring over the traditional paper/tip for you to sign.

Each time they come over I prepare to be undignified, claiming the card is perfectly fine, only to walk over and enter my PIN.

[JsL]

Quote:

Originally Posted by David70

I eat out 3-4 times a week, sometimes many more when I am traveling for work. I give my card to the waiter, he takes it to the back and who knows what happens to it. I try to be careful with it but see the restaurant the biggest chance for credit card fraud. We should do what both Europe and Canada do and they bring the machine to the table.

They bring you their card skimmer and you swipe it yourself

[xQx]

I run online retail. Our payment processor needs CVV, but we still get fraudulent orders.

You get to know certain types of orders (multiple easily resellable items) and certain addresses (mail-forwarding companies) not to ship from.

Just FYI, you only need the numbers. There are still many, many merchants that don't check the CVV. It's useful if you can also get the expiry, but given a good set of card numbers you can eventually guess the expiry date by putting through transactions with online retailers until one works.


The name on the card and the card-holder's address are invisible to most merchants. A fake name and an unoccupied house are all you need to get your mail-order goods.

A great trick is to send a friend into a retail store, buy something between $500 and $1,000 then they get to the checkout and say "oh crap, I've forgotten my wallet, I'll call my roommate - is it okay if you take the payment over the phone?" - Then the merchant will do a MOTO (Mail Order / Telephone Order) which doesn't need signature or pin, and usually doesn't need CVV.

Before you say "damn, don't be telling people how to do this" - what I've just said is really basic, and anyone with the slightest passing interest in credit card fraud will tell you what I just did.

There's a new technique which is beginning to be used that allows people to buy stuff with stolen cards online that is _impossible_ for merchants to pick up on or protect themselves from. Thankfully it's not very common (yet) - so I'm not going to describe it.

The big problem is that credit card fraud is basically insured by the bank, so there's little incentive for people to be careful. Also, since it's just the merchant (ie. the shopkeeper)'s loss and it happens across juristictions, there is seriously F*** all interest from the police in catching the bastards. It's just seen as a cost of doing business.

There is a pretty foolproof method for protecting yourself as a merchant, but it's labour intensive and time-consuming:
1) Take payment
2) Refund a random amount between $0.00 and $0.99
3) Ask the customer to login to online banking and tell you how much you refunded
(If you've stolen a card you will be unable to perform this step)
4) If they confirm the right amount, ship the goods. If they don't refund the whole transaction otherwise you'll get a $15 fee when the credit card company reverses it.

[kprocivic]

Quote:

Originally Posted by xQx

There is a pretty foolproof method for protecting yourself as a merchant, but it's labour intensive and time-consuming:
1) Take payment
2) Refund a random amount between $0.00 and $0.99
3) Ask the customer to login to online banking and tell you how much you refunded
(If you've stolen a card you will be unable to perform this step)
4) If they confirm the right amount, ship the goods. If they don't refund the whole transaction otherwise you'll get a $15 fee when the credit card company reverses it.

that is a good idea but that would take forever.

[xQx]

Quote:

Originally Posted by kprocivic

that is a good idea but that would take forever.

It does - which is why it's not standard process for many, many businesses.

I'll only do it when a sale is worth >$500, and the buyer sounds legit, but the sale its self looks fraudulent (international shipping to a third-world country, a large order of an easily resellable item that the buyer could get cheaper elsewhere etc.) ... For times when there's a very big part of you wanting to tell someone to go jump, but you haven't got enough evidence to be sure that you're not just pissing off a good opportunity.

If it's domestic, I'll often refund the credit card and insist on bank transfer if I suspect fraud, but often the only reliable & cheap payment method for international customers is credit card.

[David70]

Quote:

Originally Posted by zx10guy

Agreed. Many restaurants are doing that here. Not fast enough in my opinion. The point of my thread is why do something careless to add to the problem?

I agree they shouldn't do it but the idea the crook is going to follow this person with a camera out waiting for the perfect time to take a picture of their card, while it is attached to their waist, seems pretty far fetched to me, then they still may not have the security code (my Amex has it on the front of the card, I guess they don't want the extra security of putting it on the back).

If credit card companies really cared to inconvenience people a little to raise security there are all kinds on things that could be done. Needed zip code, PIN use, restaurants machine brought to table, etc. but they don't feel the amount of money they lose justifies it.

My company card has a PIN associated with it, only place I have ever needed it is Subway.

[zx10guy]

Quote:

Originally Posted by David70

I agree they shouldn't do it but the idea the crook is going to follow this person with a camera out waiting for the perfect time to take a picture of their card, while it is attached to their waist, seems pretty far fetched to me, then they still may not have the security code (my Amex has it on the front of the card, I guess they don't want the extra security of putting it on the back).

If credit card companies really cared to inconvenience people a little to raise security there are all kinds on things that could be done. Needed zip code, PIN use, restaurants machine brought to table, etc. but they don't feel the amount of money they lose justifies it.

My company card has a PIN associated with it, only place I have ever needed it is Subway.

I didn't have to follow them around to get a good angle to take a picture of it hanging off of their waist. It was hanging flat against their chest (lanyard). If I was up to no good, I could have easily taken a clear picture of both of these idiot's credit card without them knowing within seconds of seeing it. And because we were at an amusement park, me holding my phone up in front of them wouldn't even raise any suspicions..

Also read xQx's post about how security is still lax with credit card transactions and why the security code isn't even needed for many transactions. I know personally that I had paid for stuff over the phone where the business didn't even ask for the security code. These transactions happened only a few weeks to a couple of months ago.

It's just plain stupid with all the publicity about keeping vital information tied to you protected. What gets me is these idiots probably will never see a consequence to their actions if there were fraudulent activity due to their poor personal security practices. We all end up absorbing the costs of their actions.

[BayMoWe335]

I don't think the credit card number being out is really all that big of a deal. You need expiration and CVV code to make a legit purchase. I don't understand why sometimes online retailers allow purchases to go through without a CVV.

These days, credit card numbers are stolen in unavoidable ways. They are either guessed through brute force tactics or skimmed/swiped when you make legitimate transactions. I have a charge for some online crap I didn't buy. Called my bank and they took it off immediately and FedEx a new card the next day. It's a hassle, but you're never responsible for fraudulent charges. My card never left my wallet and it still happened. The guy at the bank told me they got the expiration wrong and didn't have the CVV, but the retailer still let it go through. It was a "pending" status from the bank and they told me it would have eventually been declined.

No idea how they got any of my information because I never lost the card. I truly believe it's a computer testing millions of CC combinations with some basic logic. Sometimes, they get a hit.

[David70]

As long as the credit card user is minimally responsible for any fraud most users will take minimal safeguards to prevent the fraud.

I use my credit card whenever possible for both the points and the protections it provides, think I take reasonable precautions, and laugh when I hear people talk about how afraid they are of people stealing their credit card number. It could happen but it's far from the end of the world. I think the limits of my liability are $50? And this is if I do virtually nothing after it is stolen?

I don't use a debit card for purchases as I see the whole process and risk far worse. I will probably eventually get it sorted out but someone is taking the money directly out of my account.

[elistan]

Quote:

Originally Posted by xQx

There is a pretty foolproof method for protecting yourself as a merchant

I would have thought that the best way to protect yourself as a merchant is to exactly follow the agreement with their processor. If the merchant does everything properly yet a transaction still gets reported as fraud, the agreement says they're not liable, right?

(Of course, I suppose a processor could give the finger to a merchant and not abide by the agreement, and the merchant if small enough wouldn't really have an recourse via lawsuit, but that's still fraud and I'd imagine word would get out about that processor doing that... Then again, lots of people still use PayPal despite the numerous stories of PayPal screwing people over.)

[scostu]

Quote:

Originally Posted by zx10guy

Agreed. Many restaurants are doing that here. Not fast enough in my opinion. The point of my thread is why do something careless to add to the problem?

They probably haven't been a victim of identity theft/ c.c. fraud......yet!

[ASAP]

Arent the new Chip cards supposed to be safer... oddly enough, I am rarely now asked for a PIN or to sign anything... not sure of the safer part.

[Reborn_]

To my understanding, the chips are simply harder to "skim" compared to the traditional swipe with regards to skimmers and scanners.

[xQx]

Quote:

Originally Posted by elistan

I would have thought that the best way to protect yourself as a merchant is to exactly follow the agreement with their processor. If the merchant does everything properly yet a transaction still gets reported as fraud, the agreement says they're not liable, right?

Obviously I can't speak for all agreements. But not here, nope. If you do everything by the book and someone walks out after paying with a stolen card, you loose your money, your goods, and a $15 'dishonor fee'. If you don't like it, feel free to not accept credit card.

The first thing you're asked for is a copy of the signature, which obviously, you can't produce for a Mail Order / Telephone Order / Internet Order. If you did get a valid signature, you might stand a chance of the card issuer taking on their customer and saying 'hey, it was you'; but they generally don't, and when they unilaterally determine it was an unauthorized transaction, your funds get pulled.

Consumer Protection regulation tends not to cover businesses - this is an excellent example of what happens in business when one side has far more bargaining power than the other. Basically, if you don't like the terms, you're free to not sign the agreement.

That said - I can't speak for the agreement Wallmart might have with their banking provider.

There _was_ a scheme called verified by visa, where you hand the transaction right back to the card issuer who verifies the customer using something other than the name/numbers/expiry/cvv (typically their bank login or customer number) - and when you processed one of those transactions you were 100% covered for fraud. However, it was cumbersome, put customers off, and wasn't supported by many banks. So here we are.

Quote:

Originally Posted by NFiftyWon

Majority of fraud and identity theft actually occurs in the form of social engineering and metasploits.

Hacking, Brute Force & guessing, predicting card numbers a certain bank issues (finding patterns in their cards), malware, fake sites. It's big business. If you want to get in on the game, you don't need to do any of this though - just load up tor and find the latest replacement for silk road and pay someone who's done the hard work about $8 in bitcoin for a verified, working fraudulent card number. (Warning: It's hard to know if you're buying it from a real criminal or a Secret Service agent - if it's any consolation you'll find out soon enough after your transaction)

Quote:

Originally Posted by ASAP

Arent the new Chip cards supposed to be safer... oddly enough, I am rarely now asked for a PIN or to sign anything... not sure of the safer part.

Chips were adopted without much resistance, NFC really scares people. The US banking system lags the rest of the world by a significant margin. Credit Card payments (because of NFC) just took over Cash in Australia as the most common form of payment. Much of that is because while people are scared of pinless NFC (tap & go, PayWave, PayPass etc) they've adopted it in droves because it's so convenient.

But it is almost universally safer by a significant margin. There's one use-case where it's not (I'll mention that last). Signatures were so easy to forge or write-over on a card it is an effectively useless authentication technology. PIN is much better.

Obviously no pin is less secure than pin, but no pin paywave means consumers use the cards a lot more, which means more transactions and more money for card issuers. So while no pin is less secure than pin, it's got a greater reward (for card issuers) to offset the greater risk.

But pinless PayWave or Chip is more secure than Mag-strip and pin for one reason: It's dead easy to copy a mag-strip, but it's impossible* to copy chip or NFC.

A stunningly small amount of credit card fraud is conducted in person with the original card. It's either MOTO transactions with card numbers gained as per above, or a freshly minted forged card with a copy of a legitimate mag-strip in the hands of someone who knows the pin because they own an ATM or EFTPOS skimmer. To summarize: ATM skimming is very common, but it only works with mag-strips.

The one use-case where paywave/no pin fails: At the pub.

You will find many pubs & clubs won't let you paywave, because it's the one place where someone is likely to leave their card lying around and someone else is likely to have the courage to stand under a security camera and use that stolen card to make lots of small transactions using paywave.

(Source: I worked for the telco arm of an Australian Bank where we developed a mobile payments app in the years before paywave/NFC took off)

*MIT have a historical tendency to prove how you can copy these things which are 'impossible' to copy. But Banks tend to take these findings on board and improve their technology a lot quicker than say 'Oyster/MyKi/MiFare' do.