[TriLUG] OT: lack of security at BofA

Wes Garrison wes at xitechusa.com
Mon Dec 22 09:22:37 EST 2014


I will take Aaron's position one step farther and say that ALL of the costs
are pushed back on the merchant (merchant means business owner), unless the
merchant has gone out of business.

You cannot win one of these disputes (as a business owner) without an
imprint of the card.

At Takeout Central, we accept "card not present" transactions, which means
that anytime someone uses a fraudulent card at our business, we are
screwed.  Not only does the money come back out of our account, they also
charge us a "chargeback fee" which is usually $25.  It continues to amaze
me how many people do not know this.  Pretty much only business owners know
this.

The way we protect ourselves is to require a valid CVV code in order to
process a transaction.  The CVV is printed on the card, but NOT stored on
the magnetic stripe, so the person presumably has to have the card in hand
in order to use it.  (Of course they could have stolen the CVV in other
ways.)

This still does not protect us from someone who has managed to get the CVV
number somehow.

Last year I had 15 disputes at once, all from a Raleigh Doctor whose (14
yr. old) daughter was using her card to order "dinner for 2" at home at 4
PM.  I did finally end up winning the disputes, but I still lost the $375
in chargeback fees.  To add injury to insult when we "won", they processed
the chargeback refunds as negative chargebacks instead of as a "reversal",
so they credited us back the merchandise amount but charged me $375 more in
chargeback fees for receiving the credit.  So ... $750 in fees for someone
using her mom's credit card.

This is a bad situation.

_________________________________
Wesley S. Garrison
Network Engineer
Xitech Communications, Inc.
phone:  (919) 260-0803
pager:   (919) 869-1744
fax:       (919) 932-5051
__________________________________
"Lead us not into temptation, but deliver us from email."

On Sun, Dec 21, 2014 at 10:53 PM, Joseph Mack NA3T <jmack at austintek.com>
wrote:
>
> On Sun, 21 Dec 2014, Aaron Joyner wrote:
>
>> Don't forget that a solid portion of the fraud costs get pushed onto the
>> merchant, rather than the bank.  If you wish to learn more, read about
>> "chargebacks".  One view is that it's reasonable if you consider that the
>> merchant has the best chance of evaluating the person in the store for
>> fraud,
>>
>
> well ...
>
> there's no training of PoS people to check for fraud. They just learn to
> operate the PoS system and that's it. When I started using credit cards, I
> was surprised to find that none of the PoS people were trained in
> handwriting recognition. Not even the bank tellers are trained in it (or
> weren't back then). How would they know if the signature was forged? They
> don't and no-one pretends they do. It's theatre.
>
> It's quite difficult to tell if people are lying, particularly the people
> who've made a lifestyle out of it. It takes months to train people to
> detect lying with any confidence (eg police, interrogators). There are
> courses on detecting lying. They take weeks, then you have to practice.
>
> I had to check photo IDs and signatures for about 200 people in less than
> 30mins once for accreditation for an event. I have no idea if any
> interlopers got in. No-one gave me any training. I would hate to do that
> for 8hrs every day. After a year I don't expect I'd care a lot, at the pay
> of a checkout person. The vendor people are supposed to know what a
> hologram card looks like when most cards aren't holograms. How many people
> are nervous because they're committing fraud and how many are just that way
> anyhow or are late for an appointment or are having a bad day.
>
> I don't know what the fraud rate is (% of transactions) but from the
> numbers I got today ($100/person and I do $10k/yr) it's 1%. So the checkout
> person has to look out for a low signal, when the cost of a false +ve
> (calling fraud when the PoS machine says OK) is enormous. You have to call
> the manager, stop the line at the grocery store...
>
> Forget it. If the PoS accepts it, then it's not my problem.
>
> the credit card company is in the best position to stop fraud. Beyond
> making sure the required info is there, the vendor can't do anything. If
> they have a cloned card, there's nothing they can do.
>
>> and putting a large portion of the liability at their feet encourages
>> them to be vigilant, such as requiring the card to be present, asking for
>> ID, comparing signatures,
>>
>
> the signatures are always perfect. I get my card through the mail and it's
> blank. I can put any signature on it I want. You should have to sign it at
> the bank and compare it to the signature on file. I can erase it any time I
> like and put on a new one. The signature should not be erasable. Even if
> it's not erasable, anyone can forge a signature, anyone's signature, if
> you have the original in front of you to practice from. Similarly the
> person who clones the cards can put on any signature they want.
>
> I found a card with signature on the ground once. I called the bank at the
> number on the back. They didn't want to talk to me about it and hung up. I
> cut it up and put it in the garbage.
>
>> considering if you appear nervous or shady.. all the things you'd expect
>> if they were taking a paper IOU.
>>
>
> as an untrained person I wouldn't expect anything. I just want to keep the
> line moving and not have to call the manager.
>
>> For those of us who frequently use plastic for purchases (likely everyone
>> who will ever read this), most merchants are not particularly vigilant,
>> because they do not encounter enough fraud to warrant it.
>>
>
> yes. And it doesn't come out of the PoS person's pocket.
>
> However after today, I'll be more sympathetic to all the IDs the PoS
> person asks for. I've always thought that if the card swipes that should be
> it and that they were just trying to make my life difficult. I didn't
> realise that the system doesn't work and needs a whole lot of other
> band-aid layers to back it up (driver's license, photo ID...).
>
>> In the big picture, the payments market has essentially solved this
>> problem by using "big data" analysis techniques to keep those trying to
>> game the system from being successful repetitively,
>>
>
> making five $200 purchases in an hour in two towns yesterday (Creedmoor,
> Oxford) in two Food Lions and Walgreens, before the system shut them out,
> is not an example of a problem solved. These people must have been running
> from store to store and shovelling stuff into the shopping carts as fast as
> they could. The limitation was the mechanics of getting the stuff out of
> the stores, not the bank's AI software locking them out.
>
>> or with a high rate, and writing off the minor amount of fraud that slips
>> through that system, in the name of making the economic wheels roll as
>> smoothly as possible for every legitimate transaction.
>>
>
> 2% of transactions being fraudulent is a minor amount? $18G a year is
> minor? Minor maybe for a bank that knows it can be covered with bailouts
> and doesn't know that they should authenticate when they call a customer.
>
> for some perspective, 18G is the budget of NASA. NASA operates on the
> amount of money that is written off as fraud in banks.
>
> http://en.wikipedia.org/wiki/Budget_of_NASA
>
> Joe
>
> --
> Joseph Mack NA3T EME(B,D), FM05lw North Carolina
> jmack (at) austintek (dot) com - azimuthal equidistant
> map generator at http://www.wm7d.net/azproj.shtml
> Homepage http://www.austintek.com/ It's GNU/Linux!