'How I Stopped a Credit Card Thief From Ripping Off 3,537 People -- and Saved Our Nonprofit in the Process' (freecodecamp.org)
Quincy Larson, founder of freeCodeCamp, a non-profit organization that runs an open-source community for learning to code, writes in a blog post: I tucked my son under my arm and jogged to my desk. I'd been up until 2 a.m. finishing the announcement for our new #AWSCertified Challenge. And so far, the launch was going well. Our new Twitter bot was tweeting, and our Discord chatroom was abuzz with ambitious developers eager to earn their AWS certifications. I was getting ready to meet with my team when I noticed two strange emails -- both of which arrived within minutes of one another. "Your a fraud" read one of the emails in typo-riddled English. "That's exactly what I'm thinking since I see a charge on my financial institution from you and since I've never heard of you. Yes you need to resolve this." The other email was... well, let's just say it was also an angry letter and let's leave it at that. freeCodeCamp is a donor-supported nonprofit, and we have thousands of people around the world who donate to us each month. Once in a while, there are misunderstandings -- usually when one family member donates without telling the other. But this felt different.
So I tabbed over to Stripe, the credit card processing service our nonprofit uses for donations. On a typical day, we'd have 20 or 30 new donors. But here's what I saw instead: Stripe's dashboard showing 11,000 new customers and $60,000 in revenue for a single 24 hour period. It took me a moment to process what was happening. Our nonprofit -- which operates on an annual budget of less than $400,000 -- had just received more than $60,000 in 24 hours - and from thousands of donors. And my heart began to sink. There was no way those were real donations. We've had spikes in donations from articles in major newspapers. Heck -- I've even been interviewed on Good Morning America. But none of those spikes caused such a surge in donations. No. There was only one thing that could cause a surge in donations like this. Fraud. Extensive, programmatic credit card fraud. I'd heard about this technique before. It's called "card testing." Here's how it works: 1. A fraudster finds a website with a relatively simple credit card form. 2. Then they run scripts to test thousands of stolen credit card numbers in rapid succession. 3. That way they can see which cards are still valid and which ones have been cancelled. Then they turn around and sell those valid card numbers on the dark web. In this case, I'd detected the fraud much faster than a lot of other websites would have. So I had a window.
Massive failure (Score:5, Insightful)
The credit card industry in the US is badly broken, but average people don't give two shits because they don't know or see the problem. The biggest reason for this is because the credit card users don't pay the fees, or even have any idea that the fees exist. This will never be fixed because the US government doesn't represent people any more, it only represents money.
Re: (Score:2)
When this was coming into force I got messages from my bank and all the credit card providers telling me the change to SCA and how I'll now need to have a mobile phone number tied to my account to receive OTP codes.
I seethed.
Then the commission ruled that SMS was not a valid authentication system.
I laughed while the implementation date got pushed back to let everyone retool. Though as a merchant I'm a bit worried that the additional barrier to sales is going to cost me. 3DSecure is already enough of a sales
Re: (Score:2)
SMS was not a valid authentication system
Haven't there been many cases where SMS was compromised by stealing SIM codes? (usually by social hacking the phone companies, IIRC)
Re: (Score:3)
This should have been caught by several of the processors in the chain, and wasn't.
Exactly, but all they care about is maximizing their profits and if it comes at your expense, oh well.
In fact it almost certainly sounded a bunch of alarms, but those pesky things were silenced by pushing the big red button marked "PROFIT".
Re: (Score:3)
Completely unregulated, you say? [usa.gov]
They can't even impose fees for unused accounts, or charge multiple fees for one fee-generating event [fdic.gov]. They're required to apply any payments in excess of the minimum to the portion of the balance reflecting the highest APR.
They can charge fees for going over your balance, but they have to issue separate documents explaining this, clearly explain that you have to opt-in to being charged fees, get your consent to be charged fees, and stop charging you those fees if you c
Re: (Score:2)
It's a bit weak on that end:
Visa and MasterCard reached a settlement with the U.S. Justice Department in an antitrust case focused on the issue of competitiveness in the interchange market. The companies agreed to allow merchants displaying their logos to decline certain types of cards, or to offer consumers discounts for using cheaper cards.
Legislators are focused on the opaque nature of interchange fees and the whole problem with selling consumers on a card with lots and lots of benefits and forcing merchants to pay huge interchange fees and to accept all such cards. We've been looking at chip-and-pin stuff (merchant and cardholder not liable for fraud), but that's still in the pipeline.
The problem is somebody's always liable. The bank, the processor, the merchant, the consumer. If something is bought, someo
Re: (Score:2)
Chip-and-PIN is here. Do you get out much?
Re: (Score:2)
There was talk about the merchant not being liable for fraudulent transactions by chip-and-pin.
Re: (Score:2)
That made me shoot water out of my nose.
Re: (Score:2)
The problem is, being regulated doesn't help when there's regulatory capture. If the regulators are bankers, or beholden to them, then all the regulations do is prohibit new entries into the market.
The banks are not alone in managing this. It's quite common and widespread throughout numerous industries, and includes things like media companies writing the copyright legislation.
Re: (Score:3)
20,000 cards originating from one location, all going to one tiny merchant that doesn't ever do that much business? Nothing about that is "normal".
Re: (Score:2)
You're right. There'd be no way for a computer to tell the difference between 20-30 and 11,000. Those numbers are almost identical.
Re: (Score:2)
But say you were in charge of setting Stripe's policies, where do you set the threshold? So they only take 20-30 a day, and then suddenly they are taking 10 a minute. How quickly do you put a stop to it? Should you put a stop to it? Maybe the 20-30 was just the word of mouth and now you're seeing a massive international advertising campaign bear fruit and someone is going to get their balls kicked for freezing the account right as their business took off. Do you make it the merchant's responsibility to info
Re: (Score:2)
In the real world payments don't always come in at an exactly static rate. If credit card companies froze out cards each time they were used with an organisation getting more transactions than normal you'd spend half your life with your cards blocked.
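The threshold question argued in the comments above, as an added example that is not from the article, Stripe, or any commenter: volume alone cannot separate a fundraising surge from card testing, but volume combined with decline ratio and distinct cards per source can. The field names, thresholds and log entries are constructed assumptions, and the addresses come from documentation ranges.

```python
"""Classify windows of payment attempts as normal, surge, or card testing."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Attempt:
    minute: int      # minutes since the start of the log
    source: str      # client identifier such as an IP address
    card_fp: str     # processor-side card fingerprint, never the card number
    approved: bool


def classify_windows(attempts, window=10, baseline=1.0, spike_factor=10,
                     decline_limit=0.5, cards_per_source_limit=5):
    """Return {window_index: stats} with a verdict per time window.

    baseline is the usual number of attempts per window (assumed value);
    a window "spikes" when it exceeds spike_factor times that baseline.
    """
    buckets = defaultdict(list)
    for a in attempts:
        buckets[a.minute // window].append(a)

    results = {}
    for idx in sorted(buckets):
        batch = buckets[idx]
        declined = sum(1 for a in batch if not a.approved)
        decline_ratio = declined / len(batch)

        # Real donors use one or two cards; a tester cycles through many.
        cards_by_source = defaultdict(set)
        for a in batch:
            cards_by_source[a.source].add(a.card_fp)
        offenders = sorted(s for s, cards in cards_by_source.items()
                           if len(cards) >= cards_per_source_limit)

        spike = len(batch) > spike_factor * baseline
        if offenders or (spike and decline_ratio >= decline_limit):
            verdict = "card_testing"   # block offenders, add a challenge
        elif spike:
            verdict = "surge"          # unusual volume, but it looks human
        else:
            verdict = "normal"

        results[idx] = {
            "verdict": verdict,
            "attempts": len(batch),
            "decline_ratio": round(decline_ratio, 2),
            "sources": offenders,
        }
    return results


def sample_log():
    """Constructed log covering four 10-minute windows."""
    log = [
        # Window 0: an ordinary stretch, two donors, one declined card.
        Attempt(1, "198.51.100.7", "fp-a", True),
        Attempt(6, "198.51.100.9", "fp-b", False),
    ]
    # Window 1: a campaign lands; 30 donors, one card each, one decline.
    log += [Attempt(10 + i % 10, f"203.0.113.{i}", f"fp-d{i}", i != 3)
            for i in range(30)]
    # Window 2: 40 distinct cards from two sources, nine in ten declined.
    log += [Attempt(20 + i % 10, f"192.0.2.{i % 2}", f"fp-t{i}", i % 10 == 0)
            for i in range(40)]
    # Window 3: low and slow; six cards from one source, under the spike line.
    log += [Attempt(30 + i, "192.0.2.50", f"fp-s{i}", False) for i in range(6)]
    return log


if __name__ == "__main__":
    for idx, stats in classify_windows(sample_log()).items():
        print(idx, stats)
```

The surge window is left for human review rather than blocked, which is the trade-off the thread is debating: freezing on volume alone would punish a successful campaign.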
Re: (Score:2)
You would be surprised how much your processor and the issuer, care. This is expensive for them. Disputes are incredibly expensive, and fraud brings with it the risks of additional regulatory oversight, claims and counter claims, and work. There is no 'insurance' for issuers or processors.
And that additional regulatory oversight, while not perceived as effective, is costly, intrusive, and hard to get rid of. Just as airliner maintenance is good business to keep planes for which lease payments are due in the
Re:Massive failure (Score:4, Informative)
Then you take precautions. I mean, as a merchant, you have the possibility of being passed a counterfeit bill too. And the rules around that ensure you lose that money (if you know it's counterfeit, it's illegal to pass it off as not. And if it was handed to you by an unsuspecting customer, guess what? You now get into a fight with said customer because you're not allowed to return the fake bill to them! Now you've "taken" money from the customer and can't give them anything because it's fake. Now the customer is angry at you because you took their money, told them it's fake, and can't return it (you can actually be convicted if you returned a fake note to the customer knowing they will just pass it off to someone else, too!)).
So you protect yourself. You either stop taking large bills (lots of places don't accept $100 bills, for example, but sometimes this can be awkward if your products are such that people spend the better part of $100 at your store). You can train your staff on how to detect and find fakes and hope it doesn't happen (writing it off when it does), etc.
You can do the same with credit cards - you're not forced to accept them, and if you're genuinely terrified you'll be out thousands of dollars, then take precautions like extra verification and such. If your average credit card charge is under $100, and someone buys $500 worth of stuff, go ahead and verify.
Being a merchant brings a lot of risk. There's a risk the customer buying your items is a scammer and will try to do something or other like returning fake items. Or passing counterfeit bills. Or using a stolen credit card. At the end of the day, you balance the risks and potential losses and weigh them against the gains. If credit card fraud has you lying awake at night, stop accepting credit cards.
Granted, it may make life easier on your competitors as customers decide to go to someone who does accept credit cards, but that's just another business cost. Bad things will happen, it's the cost of doing business.
And remember that everyone else has a stake in the game - if credit card fraud gets too high and causes merchants to drop accepting credit cards, that's a disaster for the processors as well.
Re: (Score:2)
Then you take precautions.
Perhaps you could suggest sensible precautions that aren't already taken? Sensible, pragmatic, useful suggestions.
You can do the same with credit cards - you're not forced to accept them
No, you can just go out of business immediately.
take precautions like extra verification and such
How would you perform this extra verification? With whom would you verify? The card issuer? You don't know them. Your merchant provider? You're already using their verification process.
Sure, you could delay fulfilment for a few days or months while you wait to see whether there's a charge back, but I want options that include staying in business.
If your average credit card charge is under $100, and someone buys $500 worth of stuff, go ahead and verify.
Ho
Re: (Score:2)
...The credit card industry in the US is badly broken, but average people don't give two shits because they don't know or see the problem. The biggest reason for this is because the credit card users don't pay the fees, or even have any ideas that the fees exist.
If credit card users don't know they exist, then they're too stupid to understand that the 15% interest rate they're being charged IS paying for the fees.
Just because you don't see a specific line item charge on your bill doesn't mean costs aren't being passed to you. In fact, that's usually the main reason for not itemizing your bill; you'd probably be pissed if you knew what you were paying for.
In other words, there's not a single credit card company crying poor or not paying out executive bonuses becau
Re: (Score:2)
I don't think that you understand. The credit card fees are being paid primarily by the MERCHANT. When you hand anybody a card to pay for something, that person who accepted your card is the one paying the fees, not you.
If you're dumb enough to have a credit card balance, that's a totally separate thing.
If making that outrageous % on outstanding balanc
Re: (Score:2)
If credit card users don't know they exist, then they're too stupid to understand that the 15% interest rate they're being charged IS paying for the fees. I don't think that you understand. The credit card fees are being paid primarily by the MERCHANT. When you hand anybody a card to pay for something, that person who accepted your card is the one paying the fees, not you.
And you assume the MERCHANT somehow isn't passing along those expenses? Hell, they're capitalizing on it with every transaction because they're charging a small percentage (via increased product cost) on everything they sell, regardless of how often they're dealing with fraud.
If making that outrageous % on outstanding balances was how credit cards made money, why do you think they'll still happily let people use cards who never carry a balance?
Simple. It's not worth the effort to be concerned about the 0.01% of people who don't carry a balance. They're too busy making shitloads of money from the other 99.9% of society that's in debt. I'm not sure how you ever assumed cha
Re: (Score:2)
And you assume the MERCHANT somehow isn't passing along those expenses? Hell, they're capitalizing on it with every transaction because they're charging a small percentage (via increased product cost) on everything they sell, regardless of how often they're dealing with fraud.
I'll bet you think that if they got paid with cash instead, they'd have all that extra (usually 3%) to themselves? Nope. Except for the smallest of mom-and-pop businesses, putting the cash into the bank, as well as getting fresh small cash for change in the register, means having to pay for an armored delivery service. For that 3% fee, the money goes straight into the bank without the chance of physical robbery along the way. The fee also goes toward the card company checking for fraud... usually, at least.
Re: (Score:2)
If making that outrageous % on outstanding balances was how credit cards made money, why do you think they'll still happily let people use cards who never carry a balance?
It absolutely is one of the ways they make money, just not the ONLY way. One thing you might notice if you have a good credit score and a history of being a 'dead beat' or zero balance carrier: they will keep lifting your limits, a little at a time. A thousand dollars one year, two thousand the next. They absolutely hope they can psych you into deciding to splurge on Christmas one year and running a balance for a few months.
Re: (Score:2)
Every card I've had for at least two decades has had itemised billing.
I don't get charged fees.
I don't pay interest.
I do know that the merchant pays a processing fee, and that this funds the whole ecosystem. I know that the merchant effectively passes this cost on to me, but it's rarely explicitly stated.
I'm unusual. Most people are aware that merchants pay card processing fees, but few people are aware of the inherent unfairness and one-sided risk that merchants suffer from charge backs and other fraudulen
Re: (Score:2)
Every card I've had for at least two decades has had itemised billing.
I don't get charged fees. I don't pay interest.
I do know that the merchant pays a processing fee, and that this funds the whole ecosystem. I know that the merchant effectively passes this cost on to me, but it's rarely explicitly stated.
I'm unusual. Most people are aware that merchants pay card processing fees, but few people are aware of the inherent unfairness and one-sided risk that merchants suffer from charge backs and other fraudulent use.
Those charges aren't passed to the card holders by the issuers, and don't appear - itemised or otherwise - on the credit card statement. No stupidity needed to miss them, because they don't exist.
I hope that helps your understanding too.
I appreciate your feedback and clarifications, but one statement made by you tends to invalidate your argument here:
I know that the merchant effectively passes this cost on to me, but it's rarely explicitly stated..
Yes, it is explicitly stated. Right there in front of your eyes, every time you buy a product. Because it's in the price.
Most or all business costs are being passed to you via the price of the products you buy. You can choose to accept those passed on costs or not with your wallet, and most people do (hence Amazon's dominance). Regardless, most or all business decisions stem from risk vs.
Re: (Score:2)
Yes, it is explicitly stated. Right there in front of your eyes, every time you buy a product. Because it's in the price.
Price: £5
Tell me, where in that price is the explicit credit charge fee?
Just that, I paid for it with a bank note. If I'd used a credit card, the price would still have been £5.
Re: (Score:2)
Yes, it is explicitly stated. Right there in front of your eyes, every time you buy a product. Because it's in the price.
Price: £5
Tell me, where in that price is the explicit credit charge fee?
Just that, I paid for it with a bank note. If I'd used a credit card, the price would still have been £5.
Where in the price does it explicitly state the cost of the cashier? Or the electric bill? Or the manager's salary? Because all of those are inherently included. Perhaps you were merely hyperfocused on grammatical correctness. Either way, your argument is so thin here it's anorexic.
And there are vendors who do offer a discount for cash transactions. Gas stations are a prime example, and I've not paid the additional tax on products plenty of times when offering a cash payment. Haggling isn't illegal. M
Re: (Score:2)
And it was. Out of 60,000 potential transactions, all but 3400 of them didn't go through at all. In other words, it was caught. I can't tell you about the remaining ones,
Re:Massive failure (Score:5, Informative)
As somebody who has dealt with accepting credit cards for more than 18 years, I can assure you that the merchant is indeed liable for anything and everything. If you've got a few hundred thousand to try to fight First Data or whoever in court over each fraud case, then good for you.
Re: (Score:2)
I can assure you that the merchant is indeed liable for anything and everything.
Unless the merchant is a hotel. At least in the US, hotels get some kind of special status.
One time I stayed in a hotel, a second, identical charge was made to my card, 2 days after the original charge. The response from the credit card company was "You have to talk to the hotel and get them to refund the charge." When I talked to the hotel manager, he checked the transaction logs and found only the original transaction. The credit card company still insisted that only the hotel can fix the problem. Fortu
Re: (Score:2)
I bet hotels would have a lot of problems with charging people for minibar, extra cleaning, damages etc if they didn't have this.
people would just contest the charges all the damn time.
Re:Massive failure (Score:4, Interesting)
any burden that comes from dealing with any sort of credit card problems always falls on the merchants
Nope. Not liable unless: A) It's an in-person transaction with the chip or some Apple/Google/Etc. pay bullshit. They assume those are 100% secure (they are not). B) It's an online/phone transaction and you accept it without the code on the back, without confirming a billing zip code, etc. C) You're actively part of the fraud.
Stripe or whoever else you contract may try to dick you around. They may say they're going to penalize you for reversing transactions, they may threaten to jack up your rates, etc. But if you had the full, correct info it's not your fault as a merchant and they can't do anything but huff and puff about the fact that they had to do their fucking job.
The only times the burden of proof is not on the merchant is when the card is physically present and the signature/chip & pin are properly read. Even then, the credit card companies tend to protect the consumer over the merchant.
As someone who works for a merchant who has fought (and won) chargebacks AND has prevented literally millions of dollars worth of fraud every year for the past 5+ minimum (probably closer to 12) years, it's not easy with "card not present" transactions. So much so that we had a bit of a hard time one time with someone who, while knowingly on a recorded line, admitted to initiating the chargeback even though he received the merchandise.
So no, your statement is patently false. Merchants are almost always held responsible for not verifying it perfectly and lose the money on chargebacks.
Re: (Score:3)
Exactly. And even if chip and pin are all correct, I've had processors weasel their way out in some way. It usually comes via "something in the fine print about PCI compliance blah blah blah".
Re: (Score:3)
Same here. In the card implementations I did, I told my company to assume all fraud was our risk and to put appropriate measures in place. That's why address verification comes back with a code, but doesn't stop the transaction - it's the merchant's job to make the risk determination.
I was lucky enough to work at places where the shipping address was controlled by the sales department, so random strangers couldn't buy from us with stolen cards. However, the scheme mentioned in the article would have worked
Re:Massive failure (Score:5, Informative)
Of course, the credit card companies don't protect the consumer any more than they legally need to. My identity was stolen and was used to open a Capital One credit card in my name. Despite numerous red flags (wrong mother's maiden name, immediate address change to another state, request to withdraw thousands before the card was activated), they pressed on with issuing the card. I only became aware of it because a fluke in Capital One's system sent the card to me by mistake instead of the new address the thieves put in.
When I called Capital One up, they first insisted that it couldn't be fraud and my wife likely opened up the account without telling me. My wife who was standing beside me freaking out over the identity theft that we had just discovered. Then, they told me that it might be fraud, but they couldn't give me the new address on the account (the one that had MY SSN and DOB on it) since "If you go and shoot these people, we'd be liable." They closed the account but refused to tell me more and directed all law enforcement inquiries to a number that went straight to voicemail which was never answered.
Remember, you're not the customer when it comes to credit card companies and credit bureaus. You're just a source of income and any fraud that can ruin your life is a minor write-off to them.
Re:Massive failure (Score:4, Interesting)
They have proof of shipment of a "helmet". And they refuse to accept a return, so I have the item I paid for. So the bank said I don't get to do a chargeback, but I was able to file a fraud complaint, and the fraud team might eventually authorize a chargeback. But for now, they have the money.
Re: (Score:2)
Sometimes they stall shipping too - they'll take two weeks to post it, then they'll explain you were sent the wrong item by mistake and need to send it back. Sucker sends it back, a week later the company apologises and says the new one will be there in two more weeks... by the time the customer realises they've been conned and contacts the bank, the bank can only explain that it's impossible to conduct a charge-back more than thirty days after the payment.
Re: (Score:2)
You have that BACKWARDS.
When it's a physical transaction with card present and chip, any and all disputes will be AUTOMATICALLY ruled against the merchant.
Re:Massive failure (Score:5, Interesting)
The reason the rest of the world uses Chip and PIN is because it releases the merchant from liability. If the chip portion fails, then the fraud is the credit card issuer's fault. If the correct PIN was entered by someone other than the cardholder, then the fraud is the cardholder's fault for giving away their PIN. The merchant is never liable. But that's exactly why the credit card companies rejected Chip and PIN in the U.S., and went with Chip and Sign. By using only a signature comparison as proof of the customer's legitimacy, the credit card issuer or preserved the ability to claim it was the merchant's fault a fraudulent card was used (based on their subjective evaluation of a signature match), and so the merchant has to pay for the fraud.
"Sometimes the merchant asks to see my ID, to confirm that it matches the name on the card. Why can't you just do that?" Because the credit card companies got laws passed making it illegal for merchants to do that. We're allowed to ask, but if you refuse to show your ID, we can't deny use of the card based on your refusal. The law forces us to accept the credit card regardless of whether you show us your ID or not.
The entire system is broken because the ones with any power to make changes to the system to lessen fraud (the credit card companies and processors), are not the ones paying for fraud. So they have zero incentive to fix it. Profits and liability should never be allowed to be split up in this way. If you benefit from doing an activity, then you also need to be liable for any harm that arises from that activity. That way you, the one with the power to alter the activity, have an incentive to minimize the harm. Pollution is probably the best other example of how screwed up things can get when you decouple profit and liability (the person benefiting by generating the pollution, simply dumps the pollution onto everyone else). Other examples are Monsanto (profited from forcing all farmers to pay for RoundUp-Ready seed even if the farmer didn't plant it themselves, but escaped liability for paying to clean up organic farms which didn't want the GMO crops that somehow made it onto their fields), and copyright holders (they want to make money from copyright, but they want ISPs or the government to be the ones paying to enforce it).
Re: (Score:3)
Signature hasn't been required or even considered since around April of last year. Seeing what passes for a signature, it's not any loss at all.
Card acceptance requirements center around reasonable items, such as an EMV card actually being dipped, working, and succeeding. PIN is excellent, since when that's lost nothing can be certain any more.
I've been hit by a grocery on the US keying in my debit card - grocers are not card not present merchants, and this triggered the alert and stopped the fraud, but I'v
Re: (Score:3)
Not liable, but still paid for in the form of higher transaction fees. Ultimately passed on to customers, but with the credit cards doing their best to make sure it's not in the form of higher prices or fees specific to credit card users (with varying success).
Meanwhile, to minimize the impact of that policy (without taking on the expense themselves), they will use any undotted i or uncrossed t (real or imagined) as an excuse to put the whole thing in the merchant's lap.
Re: (Score:2)
the financial consumer protections bureau is being gutted and undermined.
MAGA! Drain the swamp!
Re: (Score:2)
FCRB isn't something that should have been permitted. It's issued regulations, but that's not the measure of success you were looking for.
The FTC doesn't do too badly, it sets rules and processes, and at least you know what to expect.
Re: Massive failure (Score:2)
(Specifically Warren. The CFPB was her brainchild, and she was supposed to lead it until the Republican Senate refused to confirm her. So she went and became a senator herself instead.)
Re: (Score:2)
"Credit cards can have over 100% APRs as punishment for missing payments. "
Citations, or BS.
No (Score:2)
TLDR
Dude works for a non-profit and uses Stripe. One day he saw a couple of angry emails about credit card fraud. So he looked at Stripe and saw a very large spike in donations and realized stolen cards were being tested against the donation form at the non-profit's site (really, against the Stripe payment processing back end).
This isn't new or special or unique. You acting like you're on a crusade isn't new or special or unique.
If this happens to you, do the following.
1 - Call your payment processor and i
Re:No (Score:4, Insightful)
1 - Call your payment processor and inform them.
And they'll say, "Yeah, so what?"
2 - Shut down your donation form, web store, etc. until your payment processor gives you the all clear. Or don't - you're not on the hook when full, valid card details are presented online.
Not sure what you mean about "all clear". That's not something the credit card processors do.
3 - Revamp your donation form, web store, etc. to be more resilient against bots.
Sure. If you're a massive international corporation, you *might* have the resources to try to fight bots. Otherwise, there's no practical way to do anything on your own.
4 - Maybe look into the server logs and realize that you don't actually need your server to be accessible from China, Russia, and South America.
Server logs? You think that this little non-profit has "server logs"? You think that they can direct traffic away from their servers? They're paying a hosting service, I'm sure.
Re: (Score:2)
Server logs? You think that this little non-profit has "server logs"? You think that they can direct traffic away from their servers? They're paying a hosting service, I'm sure.
Well, yes. Yes I do think so. Even if they're paying for a hosting service there are bound to be logs they can get access to, if not analytic and site management services.
Re: (Score:2)
you don't actually need your server to be accessible from China, Russia, and South America.
This is one that pisses me off. This and the mandatory localization that happens on most international websites nowadays. I'm a native English speaker living in Latin America. At least give me the choice to stick to English. I usually buy things from American stores and have them shipped to my mail forwarder in Miami, simply because they're not available in the local market. It takes an extra week and I have to pay expensive shipping and duty on top of that, but when the alternative is not getting it at al
Re: (Score:2)
It's just not worth the risk to our company, at least, to do business outside of the US. We, the merchants, have to eat this fraud, not the credit card companies. I'd love it if our company could ship all over the world, but as a small company, we don't have the resources to deal with all of the fraud out there.
Re: (Score:2)
I'd love it if our company could ship all over the world
You would be shipping to Miami.
Re: (Score:2)
I hate to be That Guy, but, dude, get a cheap VPN with US exit points.
Re: (Score:2)
Venezuela won't be in the shipping address. Miami will.
The mail forwarder in Miami is to get around non-shipping to international.
VPN is to get around blocking IP address from certain countries.
Re: (Score:3)
2 - Shut down your donation form, web store, etc. until your payment processor gives you the all clear. Or don't - you're not on the hook when full, valid card details are presented online.
That's well and good if you're a non-profit taking donations, but if you're a merchant running a card not present transaction, you better have every "t" crossed, "i" dotted and literally every minor detail correct with the billing information and be shipping to the billing address if you want any hope of avoiding the responsibility of a fraudulent charge. When we ship product to an address that's not the billing address, and the customer initiates a chargeback, 95% of the time, we're out the merchandise
Re: (Score:2)
if you're a merchant running a card not present transaction
If you collect the CVV / CID code on the back and pass it on to the processor, and you collect a billing address with zip code, you've got everything you need to defend your charge as legitimate.
If you don't collect those, it's on you for being stupid.
When we ship product to an address that's not the billing address, and the customer initiates a chargeback, 95% of the time, we're out the merchandise and the money
Only if you're stupid or a door mat. There's zero requirement I've ever seen for a shipping address to be the same as the billing address for a charge to be considered legitimate. You just have a shitty payment processor, you refuse to stand up for yourself,
Re: (Score:2)
You TLDR'd over the most important part.
By following your 4 step program the non-profit would get bad PR that could scare off future customers, lose up to 15% of their annual budget in chargeback fees, and allow those cards to be used in additional fraud.
Being the "rock star vigilante hero" prevented those outcomes. That's worth something.
Re: (Score:2)
If you allow someone to even know about your bank account beyond a temporary slush account, you're a moron.
You're not on the hook because if you READ YOUR FUCKING AGREEMENT it spells out EXACTLY what you're required to verify, and if you show that you've done that, they can't take shit from you. If they do, fucking sue them or, if you're a bitch, drop them. ("Durrr, binding arbitration!!!" You can still fucking sue them, you idiots, and a judge will decide what the fuck is going on.)
Re: (Score:2)
As a merchant? You are 100% on the hook for fraudulent charges that get charged back. Where do you think they get the money from, the Russian scammer? No, the money gets pulled out of your account and no one will help you if you actually shipped the product or committed services before you realized that. Maybe insurance, but for most transactions that's obviously not worth a claim.
So you don't know what you are talking about, as usua
Re: (Score:2)
You are 100% on the hook for fraudulent charges that get charged back.
Of COURSE you are.
But you are NOT on the hook for LEGIT charges. If you do your due diligence, you won't get hit for fraudulent charges.
You will still get hit with disputed charges, because you sell crap, don't honor your return policy, or have shitty customers who will say you sell crap and don't honor your return policy. That's an entirely different issue.
Re: (Score:2)
You appear to have missed the $15 fee per chargeback that they would have been charged. Which for over three and a half thousand chargebacks adds up to a material sum of money.
Comment removed (Score:5, Insightful)
Re: (Score:2)
i haven't looked at the thedailywtf.com site for years...followed your link and looked at it again just now. it has changed a lot.
when did they start rewriting the stories? (or is that just writing the stories)?
it used to be people writing their own stories of stupid shit they'd seen and/or been forced to perpetrate by their employer, and was often amusing.
now it's bland copy-written morality tales written by an "editor" to meet a word count, and about as amusing as an ad.
it looks like even the old tales fro
Delay, delay, delay (Score:5, Interesting)
I have delays built into my credit card forms to help prevent this. It's not perfect; if they're smart enough to use lots of different IPs then they might (will) get away with some submissions. I also set a cookie in case they aren't smart enough to clear their cookies after every form submission.
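The delay-plus-cookie approach described in the comment above, sketched as an added example (not the commenter's code). The class name `SubmissionThrottle`, its parameters, and the sample IPs and cookie values are assumptions made for illustration.

```python
import time

class SubmissionThrottle:
    """Escalating delay between payment-form submissions, per IP and per cookie."""

    def __init__(self, base_delay=2.0, max_delay=300.0, window=3600.0,
                 clock=time.monotonic):
        self.base_delay = base_delay    # seconds required after a first submission
        self.max_delay = max_delay      # ceiling for the doubled delay
        self.window = window            # idle seconds after which a key is forgotten
        self.clock = clock
        self._seen = {}                 # key -> (accepted_count, last_accept_time)
        # A production version would also evict stale keys to bound memory.

    def _state(self, key, now):
        count, last = self._seen.get(key, (0, None))
        if last is None or now - last > self.window:
            return 0, None
        return count, last

    def _wait(self, key, now):
        count, last = self._state(key, now)
        if last is None:
            return 0.0
        delay = min(self.base_delay * 2 ** min(count - 1, 30), self.max_delay)
        return max(0.0, last + delay - now)

    def check(self, ip, cookie_id=None):
        """Return seconds still to wait; 0.0 means the submission is accepted."""
        now = self.clock()
        keys = [("ip", ip)]
        if cookie_id:
            keys.append(("cookie", cookie_id))
        wait = max(self._wait(k, now) for k in keys)
        if wait > 0:
            return wait                 # rejected attempts are not recorded
        for k in keys:
            count, _ = self._state(k, now)
            self._seen[k] = (count + 1, now)
        return 0.0

if __name__ == "__main__":
    t = [0.0]                           # constructed clock for the demo
    th = SubmissionThrottle(clock=lambda: t[0])
    print(th.check("203.0.113.5", "cookie-a"))   # first submission
    t[0] = 1.0
    print(th.check("198.51.100.7", "cookie-a"))  # new IP, same cookie
    print(th.check("198.51.100.8"))              # new IP, cookie cleared
```

The last call in the demo is accepted immediately, which is the limitation the comment concedes: a client that rotates IPs and discards cookies is not slowed by this check alone.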
Re: (Score:2)
Browser fingerprinting adds another layer and works really well in practice. Scammers think just using TOR will make them undetectable but it will not circumvent that.
Re: (Score:3)
Hmmmm, I may just get up off my butt and look into implementing that. I haven't been hit with this kind of thing yet, but it's good to be prepared.
Yes (Score:3)
Then they run scripts to test thousands of stolen credit card numbers in rapid succession. 3. That way they can see which cards are still valid and which ones have been cancelled.
I can confirm this. It started with a single $1 purchase from the Google Play store. Fortunately my bank has a system whereby every single charge to the card gets forwarded to me instantly via SMS. Knowing that the card was probably compromised, I called the bank and immediately cancelled the card and got them to start the process of issuing a new one. The next day, $500+ charges start coming in on the cancelled card. At some point the bank was trying to get out of its obligations by sticking me with those charges. Uhhhh, I called and canceled the card the day before - remember? Eventually it got worked out and the bank had to deal with the fraud.
No (Score:3)
No, some merchant somewhere got stuck with the fraud, not the bank.
Re: (Score:3)
oh, no, the bank "deals" with it, by sticking all the merchants with the bill.
It's VERY rare when the banks lose. They almost always manage to find a way to make someone else the loser.
Re: (Score:2)
Only if the merchant didn't check. Most fraud is detected within 24 hours of presentation - and it's usually caught in the pre-authorization phase (where the balance is checked and amount held first), not in the actual payment processed phase.
The merchant would know when they tried to charge the card that the authorization then failed and they're out the time and money packing the product for shipment.
Sometimes it works so fast that the user
One of the best things you as an individual can do (Score:5, Insightful)
Re: (Score:2)
That doesn't help much when the vendor is brown paper-bagged (obfuscated) as is very common for porn, dating sites, sex toys, medical equipment, etc. There are perfectly legitimate reasons to do this, ranging from "not wanting to get shamed for buying a vibrator" to "don't want people to know I have a colostomy", to less legitimate but still legal reasons like "I want to have an affair and not get caught". Of course when no physical goods are shipped, the financial risk is fairly small (and I wouldn't bothe
Re: (Score:2)
Yeah, they love those iTunes gift cards as a vehicle to launder that stolen money.
Stolen card -> iTunes -> eBay -> 80% of the money, but "clean" on the other side.
Refund vs. Chargeback Fee Structure (Score:4, Informative)
After finishing the article, it seems that the whole narrative is driven forward by a single key difference in fee structure between a refund and a chargeback.
It is stated that a customer-initiated chargeback (for any reason) costs the merchant $15. As a result, they are in a race against time to refund all of the charges. That seems to imply that the cost of a refund is much less than $15. Given how quickly and decisively they choose to act, it seems that the refund fee may be as little as $0 and thus worth doing as quickly as possible within the time frame. The idea that they might refund some non-fraudulent donations doesn't seem to cross their minds at all.
Merchants can't report problems (Score:2)
There should be a system in place where a merchant can report these attacks back along the processing chain. A simple thing that wouldn't break the existing network or protocols would be to use an amount that matches the part of the merchant's account number as a flag that the card's prior transactions should be looked into. Implement that in 100 banks around the world and card testing will be far more difficult.
Don't run card not present to completion! (Score:2)
I have an online store. Instead of running the card to take the money, I only authorize it. If the order looks good, I can then just click a button to finish and take the money. Much safer and a good way to double check orders. Also I get tons of emails of people who want to place seemingly stupid orders, and btw do I accept credit cards? The scammers are everywhere.
OMG... (Score:3)
... I read the f'ing article. It's been years since that last happened! :)
Quite a riveting story
And they teach others to code? (Score:2)