RE: UKNM: Credit card fraud

[Ben Thompson]

Typical, the list only livens up when you disappear for a fortnight (and for

those who asked, the move was a bloody nightmare and all delays/ killed

sites are due to it). However, Co. Durham is so much quieter than London....


Craig Pickup wrote:


> But when fulfilling orders on-line such as provision of software or access to

> on-line services then the transaction tends to be real-time with no address

> provided and so harder to spot and/or deal with. Other than the likes of SET

> (when/if it eventually is adopted and released) what means are there to check

> for fraud in these circumstances?


The simple answer is none. Credit cards are designed for point of sale use

where the signature or PIN number can be checked. For a mail order purchase

the only comeback is to ensure that the good was sent to the same address as

the cards bill is sent to. Even then (as both Lloyd's Bank and Barclay's

told me last year) there is little point in arguing over the chargeback and

fee unless you can PROVE the goods arrived. In fact Lloyd's have gone as far

as insisting on checking the phone number of the person and calling them

back to confirm the order.


The problem is not so bad in the states as Zip Codes can be checked as part

of the process. Again it is not perfect but it is slightly better then the

UK solution.


Two other things are worth noting.


1) Credit Card fraud is the least of the problem. What I would be far more

worried about is sites that provide the key (crackz) to install the software

or access you site for free.


2) From the other side, the worth of your brandname. Why should I trust your

company with my credit card details. How many people spend 6 months looking

at Amazon prior to using them the first time?


On other items discussed in the thread:-


The only cases I have heard of fraud on the Internet is where the database

of card numbers was hacked. The first time this occured was with Netcom in

95. This is purely down to poor network design. The machine should not be

accessable from the outside world (one solution is to connect to it without

TCP (i.e. using Novell)).



SET is a disgusting mess. I have the complete information somewhere (as part

of my 9 lever arch internet payment library (Mondex, SET, SSL...). It has

layers of complexity where it is not needed and misses bits where they are.

As an example how many people expect Barclaycard to send you a disk with

your certificate and support the installation of it? (Also, how do you

install a certificate from Disk into IE4 (don't tell me, I know, but how

many people will take one look and panic))?


One solution would be for banks to issue pure SET only accounts (i.e. no

card but an easy to use install system). Of course with the Euro and the

Asian Crisis new payment methods are the least of most banks problems.

Interestingly one of the main proponent banks for SET (Wells Fargo) now

offers online realtime processing without any mention of SET.


Concerning gambling it is probably worth mentioning that gambling via Visa

and MasterCard is a breach of their merchant service agreements and banks

can be removed from the network for breach of this term. And, yes, I have

done my research (http://www.firstlive.com was the last piece of contract

work I did).


Ben