
Ben's Talk3G Blog

Crazy American Cardholder Authentication Fraud

28th March 2010 at 11:26 PM (2272 Views)
I've been getting a lot of cases of card fraud originating from the US recently. There are many transaction attempts, in many different names and using many different cards, but most worrying is the increasing number that have passed Verified by Visa or MasterCard SecureCode.

Known as Cardholder Authentication, this mechanism is supposed, like Chip and PIN, to take liability for fraudulent transactions away from the merchant. Unfortunately both place much of it with the account holder, but I'm not going to play both sides of the coin here. When a merchant accepts an authenticated transaction they are, essentially, doing so with immunity from later charge-backs (reversals).

Why all of the fraud I'm investigating involves purely US cards isn't clear to me. Some sort of loophole, I presume, that's easier to exploit in that market - though I appreciate that it could just as easily be a criminal gang with certain geographical ties. Cardholder Authentication has already faced criticism for the ease with which criminals, armed with information such as the cardholder's date of birth, can 'reset' the passwords used for the service. I do wonder why, when from my own first-hand experience it's clearly so flawed, the card companies stand so squarely behind it.

This isn't a small problem, either. In my position I'm often privy to the other transactions that the cardholder has identified as fraudulent and, while I can't tell you the names of those companies, I can report that many of the Internet's biggest names are often featured. Service providers where no physical goods are involved appear to be the primary targets.

Reaction from victims of this fraud has been interesting. Perhaps, even, specific to the nature of Americans. With complete sympathy to those affected, I've often found the arguments of these people both amusing and frustrating. Despite having no relationship with any of the companies that have billed their cards, the victims, some at the advice of their card companies, make contact with them demanding apologies and credit. Many feel that the company that applied the charge has deliberately stolen from them. Some even resort to threatening to take legal action for the unauthorised charges.

You try telling a crazed American that they need to report their card lost/stolen and deny making the transactions in question to their card issuer when they're sat at home holding the card that supposedly made the transactions. And then, even when you can get them to call up the card issuer, they're told that the transactions were authenticated and therefore they must seek a refund from the company that charged them. There's clearly a big problem with either the legal framework for providing card services in the US or the level of understanding amongst consumers of their rights.

Not to mention the fundamental problem that is Cardholder Authentication. The responsibility for card fraud must lie squarely with card issuers and schemes, not businesses or individuals, and it's high time that there were laws to ensure that.

Laws against stupidity and naivety wouldn't go amiss, either...
Categories: Rant, Opinion
