Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Security

'How I Stopped a Credit Card Thief From Ripping Off 3,537 People -- and Saved Our Nonprofit in the Process' (freecodecamp.org) 122

Quincy Larson, founder of freeCodeCamp, a non-profit organization that runs an open-source community for learning to code, writes in a blog post: I tucked my son under my arm and jogged to my desk. I'd been up until 2 a.m. finishing the announcement for our new #AWSCertified Challenge. And so far, the launch was going well. Our new Twitter bot was tweeting, and our Discord chatroom was abuzz with ambitious developers eager to earn their AWS certifications. I was getting ready to meet with my team when I noticed two strange emails -- both of which arrived within minutes of one another. "Your a fraud" read one of the emails in typo-riddled English. "That's exactly what I'm thinking since I see a charge on my financial institution from you and since I've never heard of you. Yes you need to resolve this." The other email was... well, let's just say it was also an angry letter and let's leave it at that. freeCodeCamp is a donor-supported nonprofit, and we have thousands of people around the world who donate to us each month. Once in a while, there are misunderstandings -- usually when one family member donates without telling the other. But this felt different.

So I tabbed over to Stripe, the credit card processing service our nonprofit uses for donations. On a typical day, we'd have 20 or 30 new donors. But here's what I saw instead: Stripe's dashboard showing 11,000 new customers and $60,000 in revenue for a single 24 hour period. It took me a moment to process what was happening. Our nonprofit -- which operates on an annual budget of less than $400,000 -- had just received more than $60,000 in 24 hours - and from thousands of donors. And my heart began to sink. There was no way those were real donations. We've had spikes in donations from articles in major newspapers. Heck -- I've even been interviewed on Good Morning America. But none of those spikes caused such a surge in donations. No. There was only one thing that could cause a surge in donations like this. Fraud. Extensive, programmatic credit card fraud. I'd heard about this technique before. It's called "card testing." Here's how it works: 1. A fraudster finds a website with a relatively simple credit card form. 2. Then they run scripts to test thousands of stolen credit card numbers in rapid succession. 3. That way they can see which cards are still valid and which ones have been cancelled. Then they turn around and sell those valid card numbers on the dark web. In this case, I'd detected the fraud much faster than a lot of other websites would have. So I had a window.

This discussion has been archived. No new comments can be posted.

'How I Stopped a Credit Card Thief From Ripping Off 3,537 People -- and Saved Our Nonprofit in the Process'

Comments Filter:
  • Massive failure (Score:5, Insightful)

    by DogDude ( 805747 ) on Wednesday January 22, 2020 @02:45PM (#59645050)
    And of course, it's yet another massive failure from our completely unregulated credit card industry. This should have been caught by several of the processors in the chain, and wasn't. And of course, any burden that comes from dealing with any sort of credit card problems always falls on the merchants. This situation should never happened.

    The credit card industry in the US is badly broken, but average people don't give two shits because they don't know or see the problem. The biggest reason for this is because the credit card users don't pay the fees, or even have any ideas that the fees exist. This will never be fixed because the US government doesn't represent people any more, it only represents money.
    • by ae4ax ( 2589741 )
      Something like EU's Strong Customer Authentication is a possible fix, but only if the auth isn't neutered by only mandating SMS codes or something equally pointless.
      • by DogDude ( 805747 )
        There shouldn't be laws about what the technical fix should be. All the laws need to say is that the card processors are responsible for what happens on their networks. We don't have that in the US. The card processors should figure out what they need to do to run their businesses properly whether it's with current technology, or technology ten years from now.
      • When this was coming into force I got messages from my bank and all the credit card providers telling me the change to SCA and how I'll now need to have a mobile phone number tied to my account to receive OTP codes.

        I seethed.

        Then the commission ruled that SMS was not a valid authentication system.

        I laughed while the implementation date got pushed back to let everyone retool. Though as a merchant I'm a bit worried that the additional barrier to sales is going to cost me. 3DSecure is already enough of a sales

        • by Megane ( 129182 )

          SMS was not a valid authentication system

          Haven't there been many cases where SMS was compromised by stealing SIM codes? (usually by social hacking the phone companies, IIRC)

    • This should have been caught by several of the processors in the chain, and wasn't.

      Exactly, but all they care about is maximizing their profits and if it comes at your expense, oh well.

      In fact it almost certainly sounded a bunch of alarms, but those pesky things were silenced by pushing the big red button marked "PROFIT".

    • Completely unregulated, you say? [usa.gov]

      They can't even impose fees for unused accounts, or charge multiple fees for one fee-generating event [fdic.gov]. They're required to apply any payments in excess of the minimum to the portion of the balance reflecting the highest APR.

      They can charge fees for going over your balance, but they have to issue separate documents explaining this, clearly explain that you have to opt-in to being charged fees, get your consent to be charged fees, and stop charging you those fees if you c

      • by DogDude ( 805747 )
        Again, you're only looking at the non-money making part of the credit cards: the consumer end. Credit card companies make their money from the MERCHANTS, most of which are small mom-and-pop operations who are completely and totally at the mercy of the card processors. Merchants have no legal protections that I'm aware of.
        • It's a bit weak on that end:

          Visa and MasterCard reached a settlement with the U.S. Justice Department in an antitrust case focused on the issue of competitiveness in the interchange market. The companies agreed to allow merchants displaying their logos to decline certain types of cards, or to offer consumers discounts for using cheaper cards.

          Legislators are focused on the opaque nature of interchange fees and the whole problem with selling consumers on a card with lots and lots of benefits and forcing merchants to pay huge interchange fees and to accept all such cards. We've been looking at chip-and-pin stuff (merchant and cardholder not liable for fraud), but that's still in the pipeline.

          The problem is somebody's always liable. The bank, the processor, the merchant, the consumer. If something is bought, someo

    • Comment removed based on user account deletion
      • by DogDude ( 805747 )
        Retail banking in the USA is one of our most regulated industries

        That made me shoot water out of my nose.
      • by HiThere ( 15173 )

        The problem is, being regulated doesn't help when there's regulatory capture. If the regulators are bankers, or beholden to them, then all the regulations do is prohibit new entries into the market.

        The banks are not alone in managing this. It's quite common and widespread throughout numerous industries, and includes things like media companies writing the copyright legislation.

    • I honestly don't see how the credit card company could have prevented this, because if I understood the story correctly, thousands of transactions were carried out with 20000 different cards (one transaction per card) and therefore from the card company's server's point of view this would appear as a normal day of operations.
      • by DogDude ( 805747 )
        therefore from the card company's server's point of view this would appear as a normal day of operations.

        20,000 cards originating from one location, all going to one tiny merchant that doesn't ever do that much business? Nothing about that is "normal".
        • Comment removed based on user account deletion
          • by DogDude ( 805747 )
            OK, so this is normal, then: " On a typical day, we'd have 20 or 30 new donors. But here's what I saw instead: Stripe's dashboard showing 11,000 new customers and $60,000 in revenue for a single 24 hour period."

            You're right. There's be no way for a computer to tell the difference between 20-30 and 11,000. Those numbers are almost identical.
            • But say you were in charge of setting Stripe's policies, where do you set the threshold? So they only take 20-30 a day, and then suddenly they are taking 10 a minute. How quickly do you put a stop to it? Should you put a stop to it? Maybe the 20-30 was just the word of mouth and now you're seeing a massive international advertising campaign bear fruit and someone is going to get their balls kicked for freezing the account right as their business took off. Do you make it the merchant's responsibility to info

            • by N1AK ( 864906 )
              No need to get pissy because they pointed out a weakness in your previous post. If you can't take feedback then maybe don't say anything on a public forum or work out how to be perfect rather than keep on digging.

              In the real world payments don't always come in at an exactly static rate. If credit card companies froze out cards each time they were used with an organisation getting more transactions than normal you'd spend half your life with your cards blocked.
      • by Jaime2 ( 824950 )
        This is pretty much the poster child for "abnormal usage pattern".
    • by Dunbal ( 464142 ) *
      The problem is that nobody really cares. The bank sells you "fraud protection" for extra cash. The bank itself is insured by an insurance company against this kind of thing. So long as the losses from fraud stay as a tiny fraction of the profits they charge for all the fees and interest, they just won't care either. The loss is written off if it's small, or an insurance claim is filed.
      • by DogDude ( 805747 )
        I'm a merchant. I desperately, desperately care, because I'm the one who foots the bill for this kind of stuff, not the processors.
        • You would be surprised how much your processor and the issuer, care. This is expensive for them. Disputes are incredibly expensive, and fraud brings with it the risks of additional regulatory oversight, claims and counter claims, and work. There is no 'insurance' for issuers or processors.

          And that additional regulatory oversight, while not perceived as effective, is costly, intrusive, and hard to get rid of. Just as airliner maintenance is good business to keep plans for which lease payments are due in the

        • Re:Massive failure (Score:4, Informative)

          by tlhIngan ( 30335 ) <slashdotNO@SPAMworf.net> on Wednesday January 22, 2020 @06:31PM (#59645776)

          I'm a merchant. I desperately, desperately care, because I'm the one who foots the bill for this kind of stuff, not the processors.

          Then you take precautions. I mean, as a merchant, you have the possibility of being passed a counterfeit bill too. And the rules around that ensure you lose that money (if you know it's counterfeit, it's illegal to pass it off as not. And if it was handed to you by an unsuspecting customer, guess what? You now get into a fight with said customer because you're not allowed to return the fake bill to them! Now you've "taken" money from the customer and can't give them anything because it's fake. Now the customer is angry at you because you took their money, told them it's fake, and can't return it (you can actually be convicted if you returned a fake note to the customer knowing they will just pass it off to someone else, too!)).

          So you protect yourself.. You either stop taking large bills (lots of places don't accept $100 bills, for example, but sometimes this can be awkward if your products are such that people spend the better part of $100 at your store). You can train your staff on how to detect and find fakes and hope it doesn't happen (writing it off when it does), etc.

          You can do the same with credit cards - you're not forced to accept them, and if you're genuinely terrified you'll be out thousands of dollars, then take precautions like extra verification and such. If your average credit card charge is under $100, and someone buys $500 worth of stuff, go ahead and verify.

          Being a merchant brings a lot of risk. There's a risk the customer buying your items is a scammer and will try to do something or other like returning fake items. Or passing counterfeit bills. Or using a stolen credit card. At the end of the day, you balance the risks and potential losses and weigh them against the gains. If credit card fraud has you lying away at night, stop accepting credit cards.

          Granted, it may make life easier on your competitors as customers decide to go to someone who does accept credit cards, but that's just another business cost. Bad things will happen, it's the cost of doing business.

          And remember that everyone else has a stake in the game - if credit card fraud gets too high and causes merchants to drop accepting credit cards, that's a disaster for the processors as well.

          • by Cederic ( 9623 )

            Then you take precautions.

            Perhaps you could suggest sensible precautions that aren't already taken? Sensible, pragmatic, useful suggestions.

            You can do the same with credit cards - you're not forced to accept them

            No, you can just go out of business immediately.

            take precautions like extra verification and such

            How would you perform this extra verification? With whom would you verify? The card issuer? You don't know them. Your merchant provider? You're already using their verification process.

            Sure, you could delay fulfilment for a few days or months while you wait to see whether there's a charge back, but I want options that include staying in business.

            If your average credit card charge is under $100, and someone buys $500 worth of stuff, go ahead and verify.

            Ho

            • In this particular instance, a script that temporarily took their donation service offline if it detected an unreasonable and unexpected increase in transaction volume would have probably saved them a lot of trouble -- if it was expected, they could take the script offline in advance. They said that this spike was higher than when they went on national TV, which was a planned event, so it's pretty unlikely they would have seen a legitimate activity spike of anywhere near this volume without advance warning.
    • ...The credit card industry in the US is badly broken, but average people don't give two shits because they don't know or see the problem. The biggest reason for this is because the credit card users don't pay the fees, or even have any ideas that the fees exist.

      If credit card users don't know they exist, then they're too stupid to understand that the 15% interest rate they're being charged IS paying for the fees.

      Just because you don't see a specific line item charge on your bill doesn't mean costs aren't being passed to you. In fact, that's usually the main reason for not itemizing your bill; you'd probably be pissed if you knew what you were paying for.

      In other words, there's not a single credit card company crying poor or not paying out executive bonuses becau

      • by DogDude ( 805747 )
        If credit card users don't know they exist, then they're too stupid to understand that the 15% interest rate they're being charged IS paying for the fees.

        I don't think that you understand. The credit card fees are being primarily by the MERCHANT. When you hand anybody a card to pay for something, that person who accepted your card is the one paying the fees, not you.

        If you're dumb enough to have a credit card balance, that's a totally separate thing.

        If making that outrageous % on outstanding balanc
        • If credit card users don't know they exist, then they're too stupid to understand that the 15% interest rate they're being charged IS paying for the fees. I don't think that you understand. The credit card fees are being primarily by the MERCHANT. When you hand anybody a card to pay for something, that person who accepted your card is the one paying the fees, not you.

          And you assume the MERCHANT somehow isn't passing along those expenses? Hell, they're capitalizing on it with every transaction because they're charging a small percentage (via increased product cost) on everything they sell, regardless of how often they're dealing with fraud.

          If making that outrageous % on outstanding balances was how credit cards made money, why do you think they'll still happily let people use cards who never carry a balance?

          Simple. It's not worth the effort to be concerned about the 0.01% of people who don't carry a balance. They're too busy making shitloads of money from the other 99.9% of society that's in debt. I'm not sure how you ever assumed cha

          • by Megane ( 129182 )

            And you assume the MERCHANT somehow isn't passing along those expenses? Hell, they're capitalizing on it with every transaction because they're charging a small percentage (via increased product cost) on everything they sell, regardless of how often they're dealing with fraud.

            I'll bet you think that if they got paid with cash instead, they'd have all that extra (usually 3%) to themselves? Nope. Except for the smallest of mom-and-pop businesses, putting the cash into the bank, as well as getting fresh small cash for change in the register, means having to pay for an armored delivery service. For that 3% fee, the money goes straight into the bank without the chance of physical robbery along the way. The fee also goes toward the card company checking for fraud... usually, at least.

        • by DarkOx ( 621550 )

          If making that outrageous % on outstanding balances was how credit cards made money, why do you think they'll still happily let people use cards who never carry a balance?

          I absolutely is one of the ways they make money just not the ONLY way. One thing you might notices if you have good credit score and history of being a 'dead beat' or zero balance carrier; they will keep lifting your limits, a little at time. A thousand dollars one year, two thousand the next. They absolutely hope they can psych you into deciding to splurge on Christmas one year and running a balance for a few months.

      • by Cederic ( 9623 )

        Every card I've had for at least two decades has had itemised billing.

        I don't get charged fees.
        I don't pay interest.

        I do know that the merchant pays a processing fee, and that this funds the whole ecosystem. I know that the merchant effectively passes this cost on to me, but it's rarely explicitly stated.

        I'm unusual. Most people are aware that merchants pay card processing fees, but few people are aware of the inherent unfairness and one-sided risk that merchants suffer from charge backs and other fraudulen

        • Every card I've had for at least two decades has had itemised billing.

          I don't get charged fees. I don't pay interest.

          I do know that the merchant pays a processing fee, and that this funds the whole ecosystem. I know that the merchant effectively passes this cost on to me, but it's rarely explicitly stated.

          I'm unusual. Most people are aware that merchants pay card processing fees, but few people are aware of the inherent unfairness and one-sided risk that merchants suffer from charge backs and other fraudulent use.

          Those charges aren't passed to the card holders by the issuers, and don't appear - itemised or otherwise - on the credit card statement. No stupidity needed to miss them, because they don't exist.

          I hope that helps your understanding too.

          I appreciate your feedback and clarifications, but one statement made by you tends to invalidate your argument here:

          I know that the merchant effectively passes this cost on to me, but it's rarely explicitly stated..

          Yes, it is explicitly stated. Right there in front of your eyes, every time you buy a product. Because it's in the price.

          Most or all business costs are being passed to you via the price of the products you buy. You can choose to accept those passed on costs or not with your wallet, and most people do (hence Amazons dominance). Regardless, most or all business decisions stem from risk vs.

          • by Cederic ( 9623 )

            Yes, it is explicitly stated. Right there in front of your eyes, every time you buy a product. Because it's in the price.

            Price: £5

            Tell me, where in that price is the explicit credit charge fee?

            Just that, I paid for it with a bank note. If I'd used a credit card, the price would still have been £5.

            • Yes, it is explicitly stated. Right there in front of your eyes, every time you buy a product. Because it's in the price.

              Price: £5

              Tell me, where in that price is the explicit credit charge fee?

              Just that, I paid for it with a bank note. If I'd used a credit card, the price would still have been £5.

              Where in the price does it explicitly state the cost of the cashier? Or the electric bill? Or the Managers salary? Because all of those are inherently included. Perhaps you were merely hyperfocused on grammatical correctness. Either way, your argument is so thin here it's anorexic.

              And there are vendors who do offer a discount for cash transactions. Gas stations is a prime example, and I've not paid the additional tax on products plenty of times when offering a cash payment. Haggling isn't illegal. M

    • hmmm NO, I would call this a failure on the his website to take into account this well known attack. Your credit card forms should have built in delays, checks for human interaction (e.g. capta's, browser fingerprinting, IP address checks, randomisation of form names, lots of ways to prevent scripted attacks or make it more difficult and hence not worth their while). The credit card provider is doing exactly what it is supposed to do, i.e. process details you send it.
    • by tlhIngan ( 30335 )

      And of course, it's yet another massive failure from our completely unregulated credit card industry. This should have been caught by several of the processors in the chain, and wasn't. And of course, any burden that comes from dealing with any sort of credit card problems always falls on the merchants. This situation should never happened.

      And it was. Out of 60,000 potential transactions, all but 3400 of them didn't go through at all. In other words, it was caught. I can't tell you about the remaining ones,

    • Then don't take credit cards. There is a reason most small online merchants and charities only take PayPal. With PayPal there is no credit card to be leaked on the merchant's side (or any merchant's side), and as a result 20.000 people are less likely to leak their PayPal at the same time, compared to some crappy online merchant leaking 20.000 credit cards from a poorly secured database at once. Yes PayPal charges a fee. It's because they deal with credit card number storage, refunds and anti-DOS/anti-card-
  • TLDR

    Dude works for a non-profit and uses Stripe. One day he saw a couple of angry emails about credit card fraud. So he looked at Stripe and saw a very large spike in donations and realized stolen cards were being tested against the donation form at the non-profit's site (really, against the Stripe payment processing back end).

    This isn't new or special or unique. You acting like you're on a crusade isn't new or special or unique.

    If this happens to you, do the following.
    1 - Call your payment processor and i

    • Re:No (Score:4, Insightful)

      by DogDude ( 805747 ) on Wednesday January 22, 2020 @03:01PM (#59645108)
      Oh, kid, that's funny. You've never accepted credit cards before.

      1 - Call your payment processor and inform them.

      And they'll say, "Yeah, so what?"

      2 - Shut down your donation form, web store, etc. until your payment processor gives you the all clear. Or don't - you're not on the hook when full, valid card details are presented online.

      Not sure what you mean about "all clear". That's not something the credit card processors do.

      3 - Revamp your donation form, web store, etc. to be more resilient against bots.

      Sure. If you're a massive international corporation, you *might* have the resources to try to fight bots. Otherwise, there's no practical way to do anything on your own.

      4 - Maybe look into the server logs and realize that you don't actually need your server to be accessible from China, Russia, and South America.

      Server logs? You think that this little non-profit has "server logs"? You think that they can direct traffic away from their servers? They're paying a hosting service, I'm sure.
      • by hey! ( 33014 )

        Server logs? You think that this little non-profit has "server logs"? You think that they can direct traffic away from their servers? They're paying a hosting service, I'm sure.

        Well, yes.. Yes I do think so. Even if they're paying for a hosting service there is bound to be logs they can get access to, if not analytic and site management services.

    • by Dunbal ( 464142 ) *

      you don't actually need your server to be accessible from China, Russia, and South America.

      This is one that pisses me off. This and the mandatory localization that happens on most international websites nowadays. I'm a native English speaker living in Latin America. At least give the the choice to stick to English. I usually buy things from American stores and have them shipped to my mail forwarder in Miami, simply because they're not available in the local market. It takes an extra week and I have to pay expensive shipping and duty on top of that, but when the alternative is not getting it at al

      • by DogDude ( 805747 )
        But some stores lock me out because I am outside the US/EU. Here is a paying customer and they just turn me away.

        It's just not worth the risk to our company, at least, to do business outside of the US. We, the merchants, have to eat this fraud, not the credit card companies. I'd love it if our company could ship all over the world, but as a small company, we don't have the resources to deal with all of the fraud out there.
      • I hate to be That Guy, but, dude, get a cheap VPN with US exit points.

    • by aitikin ( 909209 )

      2 - Shut down your donation form, web store, etc. until your payment processor gives you the all clear. Or don't - you're not on the hook when full, valid card details are presented online.

      That's well and good if you're a non-profit taking donations, but if you're a merchant running a card not present transaction, you better have every, "t" crossed, "i" dotted and literally every minor detail correct with the billing information and be shipping to the billing address if you want any hope of avoiding the responsibility of a fraudulent charge. When we ship product to an address that's not the billing address, and the customer initiates a chargeback, 95% of the time, we're out the merchandise

      • if you're a merchant running a card not present transaction

        If you collect the CVV / CID code on the back and pass it on to the processor, and you collect a billing address with zip code, you've got everything you need to defend your charge as legitimate.

        If you don't collect those, it's on you for being stupid.

        When we ship product to an address that's not the billing address, and the customer initiates a chargeback, 95% of the time, we're out the merchandise and the money

        Only if you're stupid or a door mat. There's zero requirement I've ever seen for a shipping address to be the same as the billing address for a charge to be considered legitimate. You just have a shitty payment processor, you refuse to stand up for yourself,

    • You TLDR'd over the most important part.

      By following your 4 step program the non-profit would get bad PR that could scare off future customers, lose up to 15% of their annual budget in chargeback fees, and allow those cards to be used in additional fraud.

      Being the "rock star vigilante hero" prevented those outcomes. That's worth something.

    • Comment removed based on user account deletion
      • If you allow someone to even know about your bank account beyond a temporary slush account, you're a moron.

        You're not on the hook because if you READ YOUR FUCKING AGREEMENT it spells out EXACTLY what you're required to verify, and if you show that you've done that, they can't take shit from you. If they do, fucking sue them or, if you're a bitch, drop them. ("Durrr, binding arbitration!!!" You can still fucking sue them, you idiots, and a judge will decide what the fuck is going on.)

    • "you're not on the hook when full, valid card details are presented online."

      As a merchant? You are 100% on the hook for fraudulent charges that get charged back. Where do you think they get the money from, the russian scammer? No, the money gets pulled out of your account and no one will help you if you actually shipped the product or committed services before you realized that. Maybe insurance, but for most transactions thats obviously not worth a claim.

      So you don't know what you are talking about, as usua

      • You are 100% on the hook for fraudulent charges that get charged back.

        Of COURSE you are.
        But you are NOT on the hook for LEGIT charges. If you do your due diligence, you won't get hit for fraudulent charges.

        You will still get hit with disputed charges, because you sell crap, don't honor your return policy, or have shitty customers who will say you sell crap and don't honor your return policy. That's an entirely different issue.

    • by Cederic ( 9623 )

      You appear to have missed the $15 fee per chargeback that they would have been charged. Which for over three and a half thousand chargebacks adds up to a material sum of money.

  • Comment removed (Score:5, Insightful)

    by account_deleted ( 4530225 ) on Wednesday January 22, 2020 @02:52PM (#59645070)
    Comment removed based on user account deletion
  • Delay, delay, delay (Score:5, Interesting)

    by JustAnotherOldGuy ( 4145623 ) on Wednesday January 22, 2020 @02:54PM (#59645074) Journal

    I have delays built into my credit card forms to help prevent this. It's not perfect; if they're smart enough to use lots of different IPs then they might (will) get away with some submissions. I also set a cookie in case they aren't smart enough to clear their cookies after ever form submission.

    • Browser fingerprinting adds another layer and works really well in practice. Scammers think just using TOR will make them undetectable but it will not circumvent that.

      • Hmmmm, I may just get up off my butt and look into implementing that. I haven't been hit with this kind of thing yet, but it's good to be prepared.

  • by Dunbal ( 464142 ) * on Wednesday January 22, 2020 @03:04PM (#59645130)

    Then they run scripts to test thousands of stolen credit card numbers in rapid succession. 3. That way they can see which cards are still valid and which ones have been cancelled.

    I can confirm this. It started with a single $1 purchase from the Google Play store. Fortunately my bank has a system whereby every single charge to the card gets forwarded to me instantly via SMS. Knowing that the card was probably compromised, I called the bank and immediately cancelled the card and got them to start the process of issuing a new one. The next day, $500+ charges start coming in on the cancelled card. At some point the bank was trying to get out of its obligations by sticking me with those charges. Uhhhh, I called and canceled the card the day before - remember? Eventually it got worked out and the bank had to deal with the fraud.

    • by DogDude ( 805747 )
      Eventually it got worked out and the bank had to deal with the fraud.

      No, some merchant somewhere got stuck with the fraud, not the bank.
      • by v1 ( 525388 )

        oh, no, the bank "deals" with it, by sticking all the merchants with the bill.

        It's VERY rare when the banks lose. They almost always manage to find a way to make someone else the loser.

      • by tlhIngan ( 30335 )

        No, some merchant somewhere got stuck with the fraud, not the bank.

        Only if the marchant didn't check. Most fraud is detected within 24 hours of presentation - and it's usually caught in the pre-authorization phase (where the balance is checked and amount held first), not in the actual payment processed phase.

        The merchant would know when they tried to charge the card that the authorization then failed and they're out the time and money packing the product for shipment.

        Sometimes it works so fast that the user

  • by kalpol ( 714519 ) on Wednesday January 22, 2020 @04:09PM (#59645372)
    If you find fraudulent activity on your card, call the vendor and notify them. They may have no idea. I had my card skimmed once and used to purchase hundreds of dollars of optical equipment over the Internet. When I found out, I called the vendor who was able to cancel the order - and who was extremely grateful and offered me a discount at his store. I didn't need telescopes at the time but especially for mom and pop shops this could really, really help them.
    • by Mal-2 ( 675116 )

      That doesn't help much when the vendor is brown paper-bagged (obfuscated) as is very common for porn, dating sites, sex toys, medical equipment, etc. There are perfectly legitimate reasons to do this, ranging from "not wanting to get shamed for buying a vibrator" to "don't want people to know I have a colostomy", to less legitimate but still legal reasons like "I want to have an affair and not get caught". Of course when no physical goods are shipped, the financial risk is fairly small (and I wouldn't bothe

  • by Corporate T00l ( 244210 ) on Wednesday January 22, 2020 @06:11PM (#59645710) Journal

    After finishing the article, it seems that the whole narrative is driven forward by a single key difference in fee structure between a refund and a chargeback.

    It is stated that a customer-initiated chargeback (for any reason) costs the merchant $15. As a result, they are in a race against time to refund all of the charges. That seems to imply that the cost of a refund is much less than $15. Given how quickly and decisively they choose to act, it seems that the refund fee may be as little as $0 and thus worth doing as quickly as possible within the time frame. The idea that they might refund some non-fraudulent donations doesn't seem to cross their minds at all.

    • Given that the ratio of fraudulent to non-fraudulent donations that day was clearly greater than 15:1, doing so seems like a pretty prudent idea. Maybe they would even consider refunding all of the days donations.
  • There should be a system in place where a merchant can report these attacks back along the processing chain. A simple thing that wouldn't break the existing network or protocols would be to use an amount that matches the part of the merchants account number as a flag that the card's prior transactions should be looked into. Implement that in 100 banks around the world and card testing will be far more difficult.

  • I have an online store. Instead of running the card to take the money, I only authorize it. If the order looks good, I can then just click a button to finish and take the money. Much safer and good way to double check orders. Also I get tons of emails of people who want to place seeming stupid orders, and btw do I accept credit cards? The scammers are everywhere.

  • by dwater ( 72834 ) on Wednesday January 22, 2020 @10:58PM (#59646328)

    ... I read the f'ing article. It's been years since that last happened!
    Quite a riveting story :)

  • They obviously doesn't know how to write code that is secure.

The goal of Computer Science is to build something that will last at least until we've finished building it.

Working...