Unfortunately, just recently I've been the victim of credit card fraud. They've not taken much as yet - just bought a few bits and pieces of WoW - but it's still depressing and inconvenient to have someone else spending your money. I'll get the money back of course and the card in question is already cancelled but still.

Being the geeky IT bloke that I am I can't help trying to solve the issue, so here it is, the solution.

Assumptions

1) The internet is considered a prominent part of credit card fraud. This is mostly because once card details have been stolen and/or skimmed they can be used on a wealth of online sites with little or no validation.
2) Stopping people using their cards is just dumb, it's an inconvenience to the consumer and not to the fraudster. They win.
3) Everyone who uses online shopping has an email address.
4) Banks, Vendors and Credit Agencies want to stop fraud. It's not productive or commercially positive for any of them.

Solution

The system would require some updates to online credit/debit card validation for online sites. Here's the use case:

1) The consumer signs up with the bank for a credit/debit card. As part of this they can choose to provide an identified email address that can only be changed via the bank.
2) When an online card transaction is being validated via the bank the vendor's system is required to send a confirmation email to the address registered with the central bank system.
2a) Ideally the system allows the vendor to send the bank a confirmation URL and the bank forwards on the email to the registered address.
3) The consumer is displayed a message saying the transaction is pending until confirmation.
4) The consumer checks their mail, clicks the confirmation URL and the transaction is completed as before.
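A sketch of the bank side of steps 2 to 4, added here as an illustration and not part of the original post. It assumes the confirmation link carries an HMAC-signed, expiring, single-use token; the function names, the 15-minute lifetime and the sample card and address are all constructed for the example.

```python
import hashlib
import hmac
import secrets
import time

BANK_KEY = secrets.token_bytes(32)        # bank-side signing key (constructed)
REGISTERED = {"card-0001": "holder@example.test"}   # constructed sample data
PENDING = {}                              # txn_id -> transaction record
TTL = 900                                 # link lifetime in seconds (assumed)


def _sign(txn_id, expires):
    msg = f"{txn_id}.{expires}".encode()
    return hmac.new(BANK_KEY, msg, hashlib.sha256).hexdigest()


def authorise(card, amount, vendor_url, now=None):
    """Steps 2/2a/3: hold the payment and mail the link to the bank's address."""
    now = int(time.time() if now is None else now)
    email = REGISTERED.get(card)
    if email is None:                     # cardholder did not opt in
        return {"status": "completed", "mail": None}
    txn_id = secrets.token_urlsafe(16)
    expires = now + TTL
    PENDING[txn_id] = {"card": card, "amount": amount, "status": "pending"}
    token = f"{txn_id}.{expires}.{_sign(txn_id, expires)}"
    # The recipient comes from the bank record, never from the vendor request.
    return {"status": "pending", "mail": (email, f"{vendor_url}?t={token}")}


def confirm(token, now=None):
    """Step 4: complete the payment only for a valid, fresh, unused link."""
    now = int(time.time() if now is None else now)
    try:
        txn_id, expires, sig = token.split(".")
        expires = int(expires)
    except ValueError:
        return "rejected"
    if not hmac.compare_digest(sig.encode(), _sign(txn_id, expires).encode()):
        return "rejected"                 # forged or altered token
    txn = PENDING.get(txn_id)
    if txn is None or txn["status"] != "pending":
        return "rejected"                 # unknown or already used
    if now > expires:
        txn["status"] = "expired"
        return "expired"
    txn["status"] = "completed"
    return "completed"
```

Because the recipient is looked up from the bank's record, stolen card details alone never reach the confirmation link, and a link that is altered, replayed or left too long does not complete the payment.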

I call it OPT - Online Payment Tracking. I'll even give you a slogan "OPT in, to prevent online fraud". The idea is free, no consultancy charge, just do it!

Why this is good!

1) This doesn't appear like it'd take much organisation or change given the online checks already have to contact banks to confirm credit status.
2) The email address is centralised, no more relying on the address that was registered for the [insert vendor name here] account.
3) The consumer gets a record sent to them electronically of every transaction. It's just like the credit card receipt you physically get on top of the shop's receipt.
4) It prevents online fraud. The fraudster would have to get your email account details. They'd have to know where the email address was hosted to even start this process which has no visibility to the external user.
5) This doesn't reduce security. It's extra and optional. If the consumer doesn't care enough or is scared of technology, that's fine, don't use it.

So, please please please implement it.

EDIT: This could be made one step easier for the banks actually. Just send me an email with each online transaction on my card. Let me click a link to mark it as fraud. Vendors don't even need to care then.

I used to work for a credit

I used to work for a credit card processing company and actually implemented something similar to this (utilizing your "EDIT:" revision)

It worked pretty well except for those that didn't frequently check their email or made frequent purchases. (Too many purchases caused them to ignore the notifications, and those that didn't check their email just didn't know they were victimized)

I like your first idea, except it splits the transactions in a way that a lot of online retailers wouldn't be comfortable with switching to.

Kev: Yeah, the edited version is just an extra aid for those who could use it. The first version just inconveniences the retailers, but I would have thought fraud was more of an inconvenience to them.

Merchants need 100%

Merchants need 100% guarantee that after swiping a card, they will be paid. I have been frauded and caught it while the transactions were still pending, but the bank said they could not cancel them and I would have to wait until the charges went through. Some were Dell and iTunes gift cards and other online purchases, but others appeared to be from brick and mortar shops in France. Anyway, I think there is a fundamental difference between online and in-person, and for online purchases a system like you outlined sounds great. Make the frauders risk cameras and such by doing it in-person.

The current closest thing is the "Verified by Visa" program. This is implemented by merchants and redirects you to Visa's site where you must enter a password to complete the transaction. You create your password the first time you go through a merchant implementing this. I agree with you that this should be at the option of the customer, not the merchant.