How scammers get away with fraud (theguardian.com)
127 points by alexbilbie on July 9, 2018 | 71 comments


> because the sum stolen – £40,000 – is deemed not large enough to bother the authorities

There was an investigative news story on TV about a couple who would order hundreds of thousands of dollars of merchandise over the Internet using stolen credit card numbers and brazenly have it delivered to their own home. The TV crew showed their house brimming top to bottom with boxes and boxes of fraudulently obtained goods that they would resell on eBay. They said no police ever visited them.

In every one of the frauds the couple committed, the merchant would know that he shipped to (for example) 1234 Main St, Minneapolis. The credit card issuer, bank, and defrauded card holder would have the address also. Probably hundreds of police reports were made, or am I assuming too much? If a single policeman actually followed up on one of these "too small" thefts of $100 to $1000 they could have prevented hundreds of thousands of dollars of additional theft.

I imagine that the system breaks down because no one reports the fraud or pushes to get something done, or because the police don't follow up, or both.


It's kind of bizarre. I'm no expert but I feel like tackling petty theft is a form of preventative medicine for crime. Getting away with crime might embolden people and reinforce their assumption that you can get away with it.

When I was younger some teens would water balloon my family's house a few times a week. We called the police when we thought we figured out who it was. They showed up within an hour, had a chat about it then went to the kids' houses who promptly confessed. It was all handled outside the legal system. Later I told a police officer about this story and asked why they were able to give it so much attention so promptly. He said something along the lines of, "it's easier to deter them now while they're still afraid of their parents' wrath."


There's a lot of conflicting evidence/opinion on this idea.

https://en.wikipedia.org/wiki/Broken_windows_theory#Criticis...


I wonder if it's just economically more advantageous for the credit card companies to absorb the debt and simply nudge interest rates up a bit to recover their losses.


That's exactly what they are doing except the part with "absorbing debt". Banks and credit card companies don't suffer any losses because it's the merchants who absorb them. And that's the root of the problem. Majority of CC fraud is easy to eradicate but banks just have no incentive to do it.


Sounds a little like the economics of employer based health insurance. The parties with negotiating power (companies and health insurance) don't have much incentive to get a good deal for the patient because the patient is captive. Same for merchants and credit card companies.


It could/should though be changed so that health insurance up to x% of income is tax-deductible, but only if freely chosen on a free market by the employee, with any other constellations being taxed as regular income, without the tax-deductibility. There can still be plans only offered to employees of a specific company, but the issue of preventing an employee from shopping insurance himself is gone.


There are alternatives e.g. girocard/giropay in Germany where the bank of the buyer takes the risk (only if a PIN was used, iirc.). The former is POS, the latter online. Accepting the latter does still cost 3%, and like 20ct or so per transaction. The risk is just not there for the merchant, so this might make sense. Therefore it is in the interest of the buyer's bank to make him adopt tighter security, e.g. with 2FA, in the form of sms or a rubber keyboard/lcd/photodiode based device that enables HID and limited automatic reading of a 5-bar blinking code on the screen to the chip in the bank card, which provides an 8-digit code bound to this specific transaction that has to be entered below the blinking bars.

The main benefit there is that banks are iirc. legislated to provide this to everyone, and because merchants have no risk this way they don't ever have to filter potential customers based on perceived creditworthiness and similar factors.


> it's the merchants who absorb them

In the case of eBay seller fraud, eBay absorbs the loss. Report the fraud to them and you'll get your money back.

They don't even bother suggesting that you report it to the police.

Insurance companies might insist on you telling them a crime-report number (I imagine this is quite effective in reducing fraudulent claims of fraud), but eBay don't.


This is surprising to me for when I was in Florida prison in 2003 there was a man who was serving a 15-year "3 strikes" sentence for stealing a rusty $30 bike off a house porch.

I was incredulous, as of course was he, and I asked to look at his paperwork because, frankly, I didn't believe him.

Often, I have learned, when you hear of things like this in the system, once you look at the paperwork you find out "oh, on top of stealing the bicycle you also pulled a gun on someone" or something of the like that explains things.

Not this time... the guy was a drug addict in his 40's who had a lifetime of petty crap, and I guess the judge was in a shit mood the day of sentencing. Since a porch is attached to a house, an "occupied dwelling" in Florida parlance, this was considered a rather serious crime, thus the 15-year bam!

I guess I'm trying to say...it depends upon several factors how things like this are going to be treated. To be honest, I have a few "friends" in Vegas now that are telling me they are really cracking down on fraud and handing out real time behind relatively minor offenses.

Just carrying a fake ID in Vegas with priors will get you a 2-5 year state-sponsored vacation.


I'd much rather live in a society where I have to guard my credit card info and lock my doors than one in which the state will cart people off for nonviolent crimes like stealing a bike or using a fake ID. Petty criminals are much less of a drag on society than the measures society would need to take to get rid of them.


See if you feel that way when it's your bike that gets stolen. Especially if it's your primary mode of transportation.

Petty crimes like this ruin otherwise helpful ideas. In my city I've come across a number of Bird scooters that have been vandalized, had the GPS ripped off to presumably steal them for personal use.

If nobody does anything about that, an otherwise great idea that could seriously help people get around more easily and reduce traffic and pollution will simply not work, because we allow some people to get away with being assholes.


You act like you've never had your old POS bike stolen.

At some point I figured the guy who took mine needed it more than the effort I didn't take to lock it up.


A lot of people find those scooters to be tremendously annoying and dangerous.


Maybe so, but that doesn't justify destroying or stealing them.

I find cars tremendously annoying and dangerous, does that mean I can start smashing them up?


The point is that you are claiming that they are being vandalized despite having demonstrated great social good, which, like cars, is the very notion under dispute with that vandalism.


Vandalism is not an appropriate way to express your opinion about whether something is a great social good. It's also very difficult for something to become a social good, if it's unavailable because of unchecked vandalism.

Also, they are not being only vandalized, but stolen, which would imply that the perpetrators do believe the scooters are quite useful, but simply don't want to pay for them.


I'm not saying that vandalism is a good or proper way to respond to something. I'm saying that their vandalism is directly correspondent with the fact that they are a nuisance rather than a boon. It doesn't matter if they are being appropriate about it, it's simply NOT a tragedy of the commons situation.


You are assuming that the motivation of the vandals is to protest the presence of the scooters because they dislike them. That is an unfounded assumption on your part. I don't know if you've ever been in a city or been a teenager, but generally vandals vandalize stuff because they enjoy doing so, not to make any kind of political statement.

You're also ignoring that many of the scooters are being stolen not vandalized, or the vandalism is part of the theft (ripping off the GPS unit so the scooter can't be tracked).

Besides nuisance/boon is not a binary switch. Even if the vandals were a handful of angry cranks who were annoyed by the scooters, that doesn't imply that the scooters aren't overall beneficial to the city.


I have made no such assumption. ALL I am saying is that you have not made a "tragedy of the commons" argument.


Maybe this vandalism is done by someone with the intent of holding back any innovation, maybe some sort of conservatism or simply keeping the competition away with any means possible. Sure, some of it may be pure vandalism...


> the state will cart people off for nonviolent crimes like stealing a bike or using a fake ID

Reasonable, morally normal people don't want anybody sent to prison for stealing a bike. That's a reductive straw man. The issue at hand is that this person had stolen before, had been caught stealing multiple times before, and, despite being told that doing it again would result in a long sentence, still couldn't stop himself from stealing a bike.

This is a pattern of bad behavior, even in response to the threat of dire consequences. That's not normal. And it's not just "stealing a bike." It's the totality of the behavior that's being punished. "Three strikes" laws require three strikes. It's silly to look at any one of those strikes in isolation. The point is that society is saying, "enough is enough."


thank you.


My girlfriend's credit card was stolen and used to buy ~$500 of cosmetics. She was able to get the address they were shipped to from the merchant. Not-so-coincidentally, there was a Craigslist ad at that address selling the exact type and quantity of cosmetics that were fraudulently purchased.

She called the police and showed all this to them and they basically said that she wasn't a victim of the crime, since she had been made whole by the credit card company and the amount was too small for them to follow up on. So, nothing happened and presumably this person is still out there ripping off other people.


> ...she wasn't a victim of the crime...

Yet another example of how many crimes depend upon a degree or more of separation to escape prosecution and conviction. We are most definitely victims when the recovery cost is borne through the revenue from the interest rate charges.

We should be wondering why doesn't every payment system run 0.1-0.5% overall end-to-end between both user, merchant, and payment system that simultaneously acts as a bank, or perhaps even lower for more decentralized systems. There's very little transparency at all the costs imposed by middlemen within the system.


I know this sounds frustrating, but it's not so hard to understand. They were right, basically. It's the bank who was harmed, and it needs to be the bank who reports to law enforcement.

Local cops serve the local community. They're responsible primarily for deterring/investigating crime that most directly affects the local community. So if they have to choose between chasing some bank's $500 and the perp who broke into someone's garage, they're going to serve the locally registered voter every time. And that's how we want it.

Banks are very good at managing fraud, on the whole. They tend to view it at the level of detection and prevention, not punishment (which is far more expensive). And their techniques work. Total fraud in the credit card industry is actually very low.


The police aren't being asked to enforce a civil action. Theft is a crime and the police do not need the victim to approve action against the criminal. They simply didn't want to follow up.


> It's the bank who was harmed

The woman would have been out $500 if she had not noticed it and because she did, she had to report it to get the money back. Both of those are problems that she had/would have had to suffer through.


It's instructive to compare this to the amount of effort involved in prosecuting completely trivial amounts of drugs.

Petty theft, especially of bicycles, gets almost no investigation either.


Is this in the US? I'm tempted to call BS on the story.

I live in a country with bad policing and these types of crimes are taken seriously. Like if you use the card for 50-100$ purchases, your next will probably be jail time.

Another point: Did the card owner complain? Usually, when a complaint happens multiple parties are involved. The shipper gets a charge back on his account, so he'll actually care to pursue. MasterCard/Visa also pursue these issues as well as the banks involved in these transactions.

tl;dr: probably BS in the US. And from what I read the only countries where you can get away with it are Russia, Nigeria, etc...


I have previously worked at Southwest Airlines HQ as a Customer Relations Supervisor, and when something as serious as booking $1000's of dollars of flights and flying or no-showing several to cover the one they were actually intent on flying, the most we would do is issue a charge back and report to our internal fraud prevention dept which would simply add it as a data point to automatically cancel flights similar to this in the future. We would have the fraudster's full name, address, phone number, email, and sometimes their social for their ticket to be valid to get past TSA. Even with all this, nothing more than canceling a Rapid Rewards account or blacklisting their email was actually ever done to the thief.


> The police are concerned about the prospect of vans carrying vast amounts of petrol.

There are pictures of such trucks here: https://krebsonsecurity.com/2015/11/gas-theft-gangs-fuel-pum...


> On Oct. 1, 2015, Visa and MasterCard put in force new rules that can penalize merchants who do not yet have chip-enabled terminals. Under the new rules, merchants that don’t have the technology to accept chip cards will assume full liability for the cost of fraud from purchases in which the customer presented a chip-enabled card.

> But those rules don’t apply to fuel stations in the United States until October 2017, and a great many stations won’t meet that deadline, said Verifone’s Turner.

I'm not from the US though I visit often. It's the only place I ever use the magnetic stripe on my card. I tend to be able to use the chip when buying groceries, but in most restaurants & coffee shops it's mag stripe all the way. Realistically is that going to change any time soon?


Chips require certification to make sure merchant is sending the right data over the network. This is why you see chip readers but the merchant only supports swipe. Visa and other card brands are trying to clean up all the screwed up data on network, really stupid things like a merchant bought a used card reader but never bothered to change the old merchant info on it.


Pinpads and terminals have to be re-injected with debit keys for the appropriate bank and reconfigured with the correct software load & merchant account before you can use hardware that was used by another merchant. If you don't do that, the other merchant is very likely to receive the funds you charge your clients' cards for, short of their merchant account being closed.

The reason EMV isn't enabled at most merchants is it's both more expensive than standard swipe transactions, and massively slower unless you're Costco & Kroger (who both just got quick chip). 30 seconds of waiting for a card to process, combined with EMV chip read errors due to partial insertion or failing/oxidized contacts (especially common on pinpads that aren't mounted to the table, most often the Pax S300 'cause those customers are cheap AF) is a recipe for long lines.

Grocers are leading the EMV transition as they are the most powerful block of merchants when it comes to beating down interchange rates and processing fees, with Walmart repeatedly suing Mastercard, and other large retailers doing the same to the other card vendors. For that small segment, they've been able to beat down Visa & Mastercard on the per kilobyte data transmission fee and on the other BS fees that make processing EMV cards more expensive than magstripe.


An honest question: why would the cost of chip processing be prohibitive and the speed of chip processing be 30 seconds of waiting in the US, when it's essentially rolled out en masse in AUS and neither of those things (appear) to be applicable, or at the very least they haven't stopped mass adoption?

It certainly doesn't take 30 seconds of waiting to tap and pay here...


Probably because most US transactions are still done offline, so when an online EMV transaction is attempted the terminal has to bring up its network interface, obtain an IP, etc.

Here in the UK pretty much all terminals are always online and so EMV transactions only take a couple of seconds to authorise.


Reverse that. The US has always had online terminals because we didn't get EMV initially. Taking impressions and filling out charge slips was 'online' (call the auth center,) swipe transactions were online, and then we just do EMV online too since every credit card terminal in the country was already online.

In Europe where EMV was first introduced, offline transaction processing was extremely common because there had been no reason to put terminals online prior to the EMV rollout and merchants did what merchants do and whined about the cost of acquiring telecom, so offline mode was required in Europe.

I have literally never seen a fully offline transaction in the US (in fact, very few US cards even ship the certs necessary to conduct offline transactions), but several of them in Europe and the UK as recently as last year.


Same goes for Norway; swiping is just a fallback measure if the chip is unreadable; you then have to sign at the register and your signature is supposed to be compared to the one on your card.

Transaction (be it chip or swipe) is approved in a couple of seconds.

The last couple of years, we've had cards fitted with NFC, too - so if the terminal is compatible, no need to type the PIN code, either - just put the card next to the terminal, done. (This only works for smaller charges - less than $65-ish, methinks - and every now and then you're asked to type your PIN anyway.)


Here in the UK too we have the NFC thing and we call it 'contactless'. It works well, but the limit is £30 at the moment, although that's slowly increasing by about £5 per year.

It's really popular now, all my cards and even my credit card come with it, so some people aren't happy about that naturally, although personally I've never had any problems.


Contactless is a really convenient technology. I use it all the time, to the point where I actively have to think about what my PIN is when it inevitably asks for it.


A large percentage (possibly a majority at this point; seems to be fairly close on either side of the 50% mark) of places around here, small and large, now support chip, and rural Upstate NY is not exactly the heart of things.

While I noticed some chip readers seemed slower than magstripe in the initial wave of rollouts, that no longer appears to be true. I've certainly never seen one take 30 seconds to process; that just sounds absurd. 3-8 seconds seems to be closer to the norm.

Of course, gas stations still haven't adopted them. I've even seen gas stations that have updated their machines with new hardware since the chip machines started to appear, that are clearly still magswipe.

The most bizarre thing I've seen so far in terms of the transition to chip machines is at Wegman's, where the regular cashiers' machines will let you use the chip—but the ones at the café, despite being chip-capable machines, have various stickers on them and an insert in the chip slot saying "SWIPE ONLY". Gotta wonder what piece of rigamarole prevents them using chips there.


I've had a chip with oxidation issues once after years of using the same card.

Funnily, the best way I found of dealing with it was just wiping the copper with the (leather) wallet itself. Seems like it's abrasive enough to take out the oxide layer without major issues (and it does not accumulate static).

As for payment speed, it usually doesn't take 30s but now most payments are done with contactless, which is even faster.


Costs are exactly the same for EMV or non-EMV (swiped) processing. If your acquirer is doing something different, you need to dump them, because it's so far out of industry standard I'd literally be speechless.

The only speedup from Quick Chip is not running issuer scripts. The actual auth process doesn't take much (if any) amount longer than with a swiped transaction. Quick Chip feels significantly faster because you can insert and remove at any time during the transaction, but it doesn't actually do much to speed up the transaction processing. It just makes you feel like the transaction is faster because you aren't sitting there at the end waiting for the terminal.


Auth doesn't move cash so it doesn't matter what merchant account is in there as long as it's valid. Only settlement does.


I think we have mostly converted. But small price restaurants and coffee shops are the last ones to switch. They aren’t big fraud targets since you can’t convert their product to cash. Their marginal cost is low so fraud isn’t a huge concern.

Grocery stores and big ticket places seem to already have switched.

Though they seem to allow swiping if your chip gets a bad read three times (under the assumption it is broken). That sort of defeats the security.


> But those rules don’t apply to fuel stations in the United States until October 2017

It's July 2018. So this should be in effect right? right?

> Realistically is that going to change any time soon?

Unlikely. Until the penalties affect consumers/voters en masse, it's highly unlikely to ever change. Even if it did, a few congressional hearings would lull voters enough to not care any longer.

The only hope is that fraud becomes so expensive for the card folks that they actually enforce this themselves. Obviously that hasn't happened for all, but maybe they are making progress?


Well, actually, that was delayed until 2020 now.


So dumb question: What does chip and signature accomplish?

I assume that someone who installs a skimmer can still use the card data somewhere that does not have a chip terminal... it is my understanding that the vast majority of fraud in the states is CNP (card not present).


It will take a long time. I live in NY and regularly go to big stores that already have chip-capable hardware installed, but have disabled it and ask customers to swipe instead.

Like anything in the US, retail businesses frequently prefer doing the opposite of what the world does, and ignore what's the most sensible decision.


Eventually. But it's still a slow process.


My everyday driver is an old Land Cruiser; long ago, I fitted extended range fuel tanks; capacity is 180L (just shy of 50 US gallons.)

On several occasions, I've had attendants come out to ask a question or two when filling up - my guess is some kind of warning sounds inside if you pump too much fuel in one go from the pumps intended for smaller vehicles.

(One attendant kept looking nervously on the concrete the car was parked on - half expecting to find us standing in a rapidly expanding puddle of diesel...)


Seems like they'll need to pre-authorize more and have a ceiling of expenses (so it preauthorizes 20GBP and you can only fill up to 50GBP for example)

(And do the transaction in a shorter timeframe, I don't see why it should take 1 day for it to go through)


While customers who are victims of online scams and identity theft are more or less protected by big vendors or banks because of regulations, provided they act swiftly, small merchants are often on the hook when a scam happens, with very few options to recoup the money lost. What are the solutions for merchants? Insurance? Anti-fraud detection services? What could you recommend to a merchant that is starting to do business online? Restrict with whom one does business? Use bigger merchants to do transactions? What works, what doesn't to mitigate risk?


See eCommerce Fraud Prevention. There are a few companies focused on this space to protect merchants from fraudulent chargebacks. But in short, you can get pretty complex with multiple vendors being leveraged, but the economics of fraud vs fraud prevention really depends on your business.


> In one instance, it froze thousands of pounds that had arrived into an account. “We blocked it and contacted the originating bank,” says Blomfield. “But that bank [one of the biggest UK players] said it was all fine. Then it rang a few days later to say it looked like the customer had been conned. Luckily, we were able to return the money.”

I wonder how often it happens that the bank simply keeps the money it froze, either telling nothing to the originating bank, or telling the originating bank that the money has been transferred or withdrawn. For two banks that rarely deal with each other and are in different countries, what can the originating bank possibly do other than take whatever the receiving bank says at face value?


"...and one [scam] so simple we are banned from telling you about it."

Interesting.


I used my chip card in Canada during the last week. I used my visa chip card heavily for gas, bc ferries, food, etc. I remember giving out my card number, expiry date and security code to an agency that offers whale seeing tours in Victoria Island. Next day, I saw two charges: $108.XX from Chick-A-Fil, Salisbury, MD and $1.00 from Sweden. The card issuer called me right away to verify what's going on.

I wonder how my cc details were compromised. Was it a skimmer at gas stations? Or one of those credit card scanners in Canada (Canadians seem to use PIN number with credit cards) or bcferries.com website?

I am not sure.


Could be malware on the computer at your whale watching place. That'd be my bet.


It can be difficult to know. I had some fraudulent charges from a Best Buy in Washington (IIRC), despite never having been to the States. I had ordered from Best Buy online, but that was about six months prior so no idea if that is related.

It's also a card I've _never_ used in person, and most of my online transactions are through PayPal or Amazon, so no idea how my card details leaked.


I recently returned from a trip to the USA and was a bit surprised that they asked for ZIP code instead of PIN for my credit card. While the NY subway accepted my non-US ZIP code, some gas stations did not as they apparently checked the entered ZIP code against valid US ZIP codes.


To my knowledge, in some machines non-US ZIP codes are accepted up to a cash limit (can't remember if it's daily or for transaction).

Probably your bill at the gas stations was higher than the one for the subway tickets.


"because the sum stolen – £40,000 – is deemed not large enough to bother the authorities"

You just apply broken window theory to every one of them. Punish swiftly to discourage bad behavior.

Students who sell their accounts for cash; charge them with conspiracy to commit fraud and money-laundering.

Some of the criminal activities described in the article are kind of chutzpah


"These 'mule' accounts are a vital link for crooks moving money around the banking system."

Indeed. A vast majority of digital financial crimes in some way rely upon these types of accounts. I really don't understand why I haven't heard of any of these people who sell their accounts to criminals being charged as accessories (before the fact). Perhaps because enforcement is low in general. But I think that a lot of the alleged college students doing this wouldn't risk ruining their future on felony fraud charges for $200 if we started prosecuting some of these people. The mere fact that not all of the money was routed back out and some remained as payment is essentially the smoking gun that they were knowingly involved. Any decent investigator/detective would be able to break these students in 15 minutes once presented with that evidence.


> Frustratingly, there are few mechanisms for banks to communicate with each other. “In the US, there is a web portal for banks to contact each other on these issues. Here, it’s just email,” Blomfield adds. “Sometimes we are even told to use a fax.”

Interesting. In many ways the Americans are far behind (still writing checks, lack of chip and pin) but in this arena they have Europe beat.


> because of his ears... ear positions are the most difficult thing to fake

ROFL :)

Credit Card security model, with CVV, is so broken, but also so widespread, it is cheaper to cover fraud than change it. Especially if card processors (Visa, MasterCard) can shift damages onto merchants.


I think it depends. If it's a really big bank, even when it's only $100 the police will probably follow up on it. But with the small competitor banks even big sums like $40k will not get pursued. And you can't say $40k is not a big sum. It certainly is.

As a bank one has other options besides the law, though. Lawyers, private detectives, even deals with gangs. It's not impossible to survive such things and defend against it.

The only thing stopping the bank is the bank itself. Like most organisations a bank is probably barely able to achieve what it makes money with and everything else trailing off into nirvana in an unlimited amount of bureaucracy.


Though informative, it felt like an Advertorial for the Monzo bank...


That's how you get information. Someone is interested to spread the info for a selfish reason.

Also when you hear politician A did scandal B. That's actually the team of politician C putting pressure on A.

Or when you hear a German car company having trouble with fulfilling US safety guidelines. That's one or more US car companies trying to fend off a competitor.

The world is a selfish place. But thanks to that competition between different parties even normal people like you and me can gather some info about it.


It was, duh.


Exactly.



