

Subject: RE: UKNM: Credit card fraud
From: Ben Thompson
Date: Wed, 1 Jul 1998 10:48:08 +0100

Typical, the list only livens up when you disappear for a fortnight (and for
those who asked, the move was a bloody nightmare and all delays/killed
sites are due to it). However, Co. Durham is so much quieter than London....

Craig Pickup wrote:

> But when fulfilling orders on-line such as provision of software or access to
> on-line services then the transaction tends to be real-time with no address
> provided and so harder to spot and/or deal with. Other than the likes of SET
> (when/if it eventually is adopted and released) what means are there to check
> for fraud in these circumstances?

The simple answer is none. Credit cards are designed for point of sale use
where the signature or PIN number can be checked. For a mail order purchase
the only comeback is to ensure that the good was sent to the same address as
the card's bill is sent to. Even then (as both Lloyds Bank and Barclays
told me last year) there is little point in arguing over the chargeback and
fee unless you can PROVE the goods arrived. In fact Lloyds have gone as far
as insisting on checking the phone number of the person and calling them
back to confirm the order.

The problem is not so bad in the States as Zip Codes can be checked as part
of the process. Again it is not perfect but it is slightly better than the
UK solution.

Two other things are worth noting.

1) Credit Card fraud is the least of the problem. What I would be far more
worried about is sites that provide the key (crackz) to install the software
or access your site for free.

2) From the other side, the worth of your brandname. Why should I trust your
company with my credit card details? How many people spend 6 months looking
at Amazon prior to using them the first time?

On other items discussed in the thread:-

The only cases I have heard of fraud on the Internet are where the database
of card numbers was hacked. The first time this occurred was with Netcom in
95. This is purely down to poor network design. The machine should not be
accessible from the outside world (one solution is to connect to it without
TCP (i.e. using Novell)).


SET is a disgusting mess. I have the complete information somewhere (as part
of my 9 lever arch internet payment library (Mondex, SET, SSL...)). It has
layers of complexity where it is not needed and misses bits where they are.
As an example, how many people expect Barclaycard to send you a disk with
your certificate and support the installation of it? (Also, how do you
install a certificate from disk into IE4 (don't tell me, I know, but how
many people will take one look and panic))?

One solution would be for banks to issue pure SET only accounts (i.e. no
card but an easy to use install system). Of course with the Euro and the
Asian Crisis new payment methods are the least of most banks' problems.
Interestingly one of the main proponent banks for SET (Wells Fargo) now
offers online realtime processing without any mention of SET.

Concerning gambling it is probably worth mentioning that gambling via Visa
and MasterCard is a breach of their merchant service agreements and banks
can be removed from the network for breach of this term. And, yes, I have
done my research (http://www.firstlive.com was the last piece of contract
work I did).

Ben


