Study finds thieves using credit card chargeback policies against online merchants
November 12, 2012
By: Joe Taylor Jr.
Nine out of ten online merchants leave themselves vulnerable to credit card fraud, according to the results of a survey conducted by SignatureLink and CardNotPresent.com. In a statement to reporters, SignatureLink CEO Greg Wooten noted that only 10 percent of websites surveyed require shoppers to accept terms and conditions using voice consent, e-signature, or physical signatures. Despite merchant attempts to improve their fraud detection solutions, the lack of a trackable agreement to site terms and conditions leaves sellers exposed to the fine print in their merchant contracts.
Criminals have caught on, enabling a trend that Wooten calls "cybershoplifting." Scam artists place orders, receive shipped goods, then dispute the purchase with credit card issuers. While the charge-then-refund process can delay detection of a stolen credit card number, Wooten's researchers found cases where brazen criminals used accounts issued in their own names. With no signature or voice consent on file, Wooten said, his team discovered that merchants lost more than half of these chargeback disputes.
Criminals bypass widely-adopted account protection tools
Sixty-five percent of the e-commerce sites surveyed used 3-D Secure, the authorization platform branded as "Verified by Visa" and "MasterCard SecureCode." However, the study's authors told reporters that the protocol, frequently involving a pop-up window requesting a password, often confuses new users without offering significant protection from sophisticated thieves. The findings echo concerns expressed by digital marketing consultant Graham Charlton in a 2009 article, in which he cited the service's redundant checkout forms a "conversion killer" for all but the most mainstream shopping websites.
University of Cambridge researchers Steven J. Murdoch and Ross Anderson analyzed the 3-D Secure protocol for an academic paper in 2010. By that point, the team found that rings of cybercriminals had already found ways to circumvent the security protocol. Murdoch and Anderson asserted that many consumers would choose weak passwords, that could be guessed or revealed through social engineering scams.
V.me digital wallet arrives in the U.S. to combat credit card theft
The study arrives on the heels of news that regional bank PNC will become the first American debit and credit card issuer to enable Visa's V.me digital wallet service. The free tool enables shoppers to store their credit card number just once, on Visa's secure website. During online shopping sessions at participating merchants, account holders can place an order using a V.me password, without ever sharing their actual account details with a site's operators.
The V.me service operates similarly to digital wallets already operated by PayPal and Google. V.me plugs into an existing merchant account instead of requiring a separate processing channel. However, Wooten says, a digital wallet doesn't eliminate the problems caused when merchants fail to establish a "chain of custody" for ordered goods.