5

This weekend I placed an order for a part from an online retailer ($300-400). Shortly thereafter I received an email from their sales team saying something similar to the following:

Hi, we have received your order #12345 and it has been triggered by our fraud alert system. Please send us a copy of your driver's license and credit card used in the transaction. You may black out any personal details like the DL# but please leave the last 4 digits of the credit card, name, and address.

This is no different than presenting your ID in a brick and mortar store. Thank you for your cooperation, blah blah blah.

My response to them was basically:

Hi, I would be happy to perform any verification through the bank issuing the card but unfortunately do not feel comfortable sending copies of my DL and credit card via email to an online retailer.

Their response basically reiterated their first email, but insisting that they already had all this information anyways and just needed to verify it. So I ended up cancelling the order and buying the same part from a different retailer. They are indeed legitimate retailers. Their name bounces around the forums without any issues and I found them, they didn't find me.

My question is, did I make an issue out of something that was reasonable for me to comply with?

A few points that crossed my mind:

1) I've had "fraud alerts" on my credit card before when making a larger than usual purchase. They come in the form of an email from my bank asking me to confirm whether I made a given purchase or not. Sometimes they even require that I call in to verify. This "fraud alert" was only from the retailer. My bank did not raise this issue.

2) As far as I'm concerned, I should never take a picture of my credit card. Even if I block out the important details, the original photo probably got synced to the cloud, which means I have to go make sure it was deleted everywhere and trust that our Google/Apple/Amazon overlords did indeed delete it. I'm sure there are ways to mitigate this, but every hoop I jump through is an opportunity for mistakes.

3) If I was a fraudster, I'm pretty sure I could fake a credit card and corresponding ID via Photoshop that I could take a crappy photo of with my phone and satisfy them. I don't think there's much security in their process.

Steffen Ullrich
noslenkwah
  • If a fraudster can photoshop their ID and credit card, I'd be happy to get fooled by them. Most fraudsters don't know anything and they just place large orders with a stolen credit card, they don't even type well when responding to emails (looks like copy paste) and it will make you much sadder to know a fraud scheme has gotten you from someone who is probably a kid trying to score some free stuff. – Mohammed Joraid Feb 01 '21 at 21:34

5 Answers

5

Those responding here probably haven't sold anything online and have no idea of the amount of credit card fraud retailers have to deal with.

It is very common to have some fraudster use someone else's credit card to make purchases. Merchants have zero protection in these cases and pay not only for the charge processed but also a dispute fee. Also, their credit card processor will blacklist them and basically throw them out of business if the dispute rate increases.

So, almost any retailer that processes $1M+ in volume a month will use some kind of fraud early warning software. There are plenty in the market and they are making a killing as SaaS companies. Once a transaction is triggered as potential fraud, the merchant will attempt to verify via multiple methods.

One of the most common methods employed is asking for a Driving Licence/ID and a copy of the credit card with numbers hidden. There is almost nothing anyone can do with this piece of info. You are giving away nothing confidential. It just proves that you are in possession of the card and your name is on the card. If the charge is disputed, these images can be used to prove that the merchant took an effort to verify the transaction and shift liability. This method is employed by many famous companies: AirBnB, Agoda/Priceline, Lyft used it at one point.

It is not foolproof, e.g. someone stealing your wallet with the ID can also complete this verification. Many merchants are willing to take that risk. Wish there was a better way.

sera
  • This is why in the EU there is 3D Secure. Sure, it makes transactions more secure but the selling point for merchants is the shift in liability. If a payment goes through 3D Secure you are ok and it's the bank's problem if it is actually fraud. – GACy20 Feb 01 '23 at 13:32
2

As someone who owns a small online business, this is something that we are told to do by banks and our payment processors to prevent fraud. If someone is using a stolen card and you report it, it's not the bank refunding you, it's the business. The business loses the product and the money and often even gets a chargeback.

It can be very damaging to businesses and so we need to take all the precautions necessary. If you are really concerned you can send a photo with your finger or a piece of paper blocking the personal info so it can't be stolen.

All we really need is just to see that the names match.

Brooke Kay
1

This is a rational response. Better safe than sorry.

Any goods purchase that contains the delivery address (software purchase may not have the info) that is similar to your credit card is verifiable by the issuer.

Point 1 is not always true because it depends on the level of escalation, i.e. the middleman like Visa/Master/AMEX may have delayed clearance issues with the bank. So the logical way to deal with this is calling the bank support.

Point 2 is valid, you should never send a copy of your credit card/ID through email. At minimum, the merchant should at least provide an encrypted web interface to let you upload it. If they cannot do it due to cost and commission issues (some payment gateways are pretty expensive), then they should ask you to contact your bank rather than performing such a shady process, even if it is a legitimate request.

mootmoot
0

Yeah this sounds really sketchy to me. Good call on trusting your gut here. Fraud detection like that would obviously usually happen on the bank side. If for some reason the retailer were doing heavy fraud detection (which, for a store selling items of presumably smaller value, would surprise me), then asking for a copy of your identification without telling you what triggered the fraud alert smells weird. It may have been legit - after all, they did instruct you to obfuscate the valuable parts of the image - but not giving details is weird.

securityOrange
  • Why do you think that the fraud detection was done by the retailer and not by the payment provider used by the retailer and thus implicitly by the bank? – Steffen Ullrich Nov 27 '18 at 17:53
  • It seems there are 3rd party fraud detection companies that do the heavy spying for retailers and produce a risk level for the retailer to decide whether or not to process the transaction. – YetAnotherRandomUser Jan 09 '19 at 21:05
  • @YetAnotherRandomUser how do you know that the fraud detection was done by the retailer? Maybe the alert came from the payment gateway or a 3rd party fraud detection. E.g. Stripe will put a score of fraud likeability. The merchant then can do whatever they feel like doing. – Mohammed Joraid Feb 01 '21 at 21:38
  • @SteffenUllrich Because the payment processor and bank don’t care about fraud as much as the retailer does. If the transaction is reversed, they will recover their money and a processing fee from the retailer. It’s only the retailer who has a strong incentive to prevent fraudulent transactions. – Mike Scott Jun 01 '21 at 04:56
0

It is a legitimate request.

Not in the sense of "Geez dude, how could you not realize they need that?" but rather in the sense of "The credit card companies want it done even though they are skirting liability by strongly suggesting it rather than outright requiring it."

Our company just had a meeting with our bank officer and a salesman. (The bank wanting to push some new dollar-earning programs of theirs...) Nine days ago.

One thing they pushed was motivated by their approach (presented as already in place as such) to considering upon whom the crush of a fraudulent sale would fall. Basically, they said know your customer or don't do the sale because it will fall upon you from now on. Their example of a thing gone wrong was a company wanting an order of parts shipped overseas. The company itself had offices in Kentucky. Fraudulent, of course, and their idea of how that was tipped off to the seller was who in Kentucky would ever want a third-party shipment overseas? Since such a thing is entirely possible, reasonable, and a couple-of-times-a-year occurrence, their example was obviously meant to hustle us into the world of "knowing your customer" and that included getting ID.

(The company in question really did screw themselves, but with the initially presented story details and the bank's take on why the cost lay with the company, not them, it was not clear at all that the seller had been just plain stupid, so it supported my point above.)

Starting in the early 90's, asking for ANY ID to go along with the physical card was forbidden. Utterly so. (Of course, if you were sufficiently profitable, I'm sure they DID allow you to negotiate release from that.) I mentioned that and it turned out that since around 2013, they'd quietly done away with that. News to me and I've still to see their promised "in writing" documentation of the credit card companies now allowing this. But they then went back on the copy of a driver's license beat so it was very clear that allowed or not, if one did not get such, then that seller would bear the cost of fraud, not the bank.

So the website very likely was told the same thing. Given how I've seen business done over the decades, and that the OP's vendor's website clearly was told the same thing, that it really does come from the credit card companies to member banks, perhaps even with training materials (for the bank salespeople, not for dissemination to customers). Since they apparently are following the idea presented to us while almost certainly having a different bank than ours...

My thought at the time, and still now, is that obviously a miscreant (vile vermin that is) would be able to produce a document that has a fake ID at its root. (In fact, the step of "copying my driver's license" would cover the sin of the document looking like a fake since the presented copy would "be to blame" 'cause you know how copiers mess stuff up. Interestingly, many copiers have internal software to not produce any life-size copy, and sometimes any copy at all, of certain types of documents including driver's licenses.) However, it's another hurdle for some length of time, until most miscreants have software for that too.

A thought that comes to mind is that if one insisted upon a photograph, not a copy, many miscreants might forget about EXIF data and such a photo, if stored, might lead to their location and identification by cops, if cops were willing to take on such a case.

Like all security measures, it only accomplishes two things for security: as a new thing, tripping up or fully stopping miscreants for a time, and making the difficulty of achieving the theft goal harder than trying elsewhere and so pushing miscreants off to the slow runner (I don't have to be faster than the lion, just faster than you... that slow runner.) who is less work. Again, only for a time until their defeating it is pretty easy so it doesn't apply anymore.

However, in the meantime, requiring such is a way the bank people claimed would keep liability in their court, not ours. I got the impression that anything they defined as just really stupid (and greedy, or careless) would still leave you with the loss, but it wasn't explicit.

As a consumer, you have to be very concerned though, that such a photo would now be out in the world. How well do they treat such things? Is it so early they don't even have a good way to store them yet, much less a secure way? The communication that sent the copy... is it subject to a wholesale man-in-the-middle harvesting of such pictures? If such a treasure trove ever were stolen, what liability would they assume for that? If telling their industries, so an industry repository they all subscribe to is up to date, that a data breach occurred, does that repository blacklist everyone whose records were compromised? Does it share with other industries? Going along with it, having a data breach for the copies alone, so maybe no real money fraud occurring, but you getting blacklisted since your own copies in the breach are now available three for a dollar to miscreants and now you cannot do any buying on the internet at all, maybe for years... is it worth the risk of that to get today's order which might be available elsewhere instead? Individual decision time.

But from the merchant's point of view, being protected from a $400 sale suddenly being a $400 chargeback could make the decision to require such, at least from new customers, a must. Perhaps it will settle out to being only an at-sign-up kind of thing, perhaps not. But especially for companies that see a fair amount of fraud occur through them, it will be a must in some form.

I won't be indulging them myself though. Sorry Bezos the Clown, if Amazon does it, we're done. Our company won't either because we don't want the liabilities that arise from getting and storing such kinds of records. But other people and companies will make their own decisions and you'll have to expect to see it cropping up more and more.

My bet is right after getting the sale authorized so they: 1) Have you on the hook as you've put in some time and effort getting this far, and 2) You know there's now a hold on your card for the sale amount which is important in a lot of cases as now you haven't limit enough to do the sales elsewhere, and 3) They might even send the order anyway, even if you abort, and so you'd have two piles of stuff and two charges.

I imagine some businesses will also regard it as making you think you can't challenge the charges now that you've provided the DL copy. So you can't pretend there's a problem with things and that if the merchant doesn't kick in a discount, an extra or two, and maybe a credit on your site account, you'll tell your credit card provider on them. The losses to that kind of person have to be noticeable so that might seem a way to staunch the blood flow. (My wife is one of those people: in her case it's something she didn't understand or refuses to accept that it's within the expected range, gets all righteous and angry about it, and wants compensation. Never fraud, but a very disproportionate response, usually (she's dead right fairly often), to the shoddiness or other failure. Once such a warpath hinged upon the idea that something's poor packaging which did not in any way match the website's pics should be compensated for because what if she'd been buying it for a gift to someone?) Sellers bring such losses upon themselves much of the time, but this could help them to lower the cost of doing so. A valuable thing to a certain kind of vermin. So yes, it could also drive asking for DL copies, definitely.

The website was almost certainly on the up-and-up. But honestly asking because one has been instructed to by one's bank doesn't mean it's safe for the customer as the likelihood is no one really is set up yet to securely store and handle such things. One can WANT to do right a whole lot, but it doesn't mean one is CAPABLE of doing right even much at all.

We're all going to see a lot more of this as time passes into a year or two from now.

Jeorje