Verified by Visa - Facebook Fraud
Created: Nov 05 2009, by Philip Connolly
Shop online & have a Facebook account? Well, don't display your DOB, as fraudsters are using it to break the Verified by Visa system.
WebTrafficAgents, like thousands of other online retailers, implemented Verified by Visa and the SecureCode offered by Mastercard. Why did we do this? Well, chip and PIN has pushed card fraud onto the internet, and our business, like any other online commercial operation, is vulnerable to fraudsters from anywhere on the planet. To combat online fraud, Visa and Mastercard implemented a system to authenticate online customers, with a liability shift back to the card company when it all goes wrong. However, we have some experience of where this system falls down.
A recent spate of fraud against us involved a 'customer' who was fully authenticated by our Verified by Visa (VbV) system. This means that the card company gives you liability shift; basically, you don't pick up the tab for a fraudulent transaction. We don't just rely on VbV; we also have other checks in place to flag potential bad customers, honed from years of online trading.
Well, in this instance, we looked at all the transactions and the IP routes used, and made some interesting discoveries. All of the cards used were authenticated; that is, Visa recognized them as genuine customers, since they had enrolled in the VbV scheme by entering a Date of Birth together with a password and a nominated email. The VbV system relies on only the card holder knowing their Date of Birth, but that's where the system falls down. What we then discovered shocked us: in every instance where we suspected a card had been used fraudulently, when the card holder's name together with Facebook was entered into Google, Google brought up the indexed result/page, with a Logon to button to then get the card holder's DOB (if they have it displayed, as many do). This had enabled the fraudster to simply enroll using a free email address and their own selected password, and then shop online with the knowledge that Visa and Mastercard trusted the transactions.
So the lesson of this episode is: even if you don't shop online (since card details are sometimes obtained from bricks and mortar retail companies - think TK Maxx), enroll into VbV/SecureCode as soon as you get your card (this of course means buying something), and never enter your Date of Birth anywhere on the web. Remember, Google and others index everything; once online, it stays online.
I am presuming that the card companies will honor their liability shift away from us merchants, since we would be considerably out of pocket. However, I'm sure this will make for some interesting disputes between the card companies and their card holders when the bills come in...
Tags: Card Fraud, Online Payments, Facebook