Trying to Make Online Shopping More Secure - Useless - Please Enrol in 3D Secure

Due to Chip and Pin, the number of online fraudulent transactions (by fraudsters) has increased since they do not need a PIN number to use your cards if they have stolen/cloned it/got the numbers from somewhere.
Mastercard and Visa have introduced a good system so that when you have entered your card details, you enter three letters from a password before the payment will go through for verification. It is so easy to enrol in this scheme, and the password makes it almost impossible for anyone who is illegitimately using your card to make a purchase to complete the transaction. This scheme has been in place for over a year now, and we online traders are encouraged to use it to minimise the risk of fraud (something we are obliged to do under our Merchant T&C). Three times I have tried to implement it, but every time I do, we have more orders that never go through than those which do, and our business would fail, so we end up switching it off again. PLEASE enrol in this scheme, both for your protection and ours - it only takes a moment, and you are only required to enrol once - remember the password and use it for all MC/Visa transactions where 3D Secure is implemented. Under these difficult trading conditions, and increasing threat of fraud, we have to cooperate to beat the fraudsters and at the same time ensure that our businesses can actually remain trading. Thank you.
Maria wrote:

You're up late.
Interesting viewpoint. Can you tell me how it is for my protection?
In these times of hardship retailers need to be making it oh so easy for their customers and their customers will stick with them. My main supplier soft-coats me into shopping with them, it's easy, I like the web site, there's a stack-load of information, and a customer service rep who is pleasant to talk to. I probably spend 25k/year with them or 30k in a good year. The second supplier insists I phone up, he's ok to talk to, I can't browse and humm-and-ahh I probably spend 10k/year with him. There is no difference in the price, in fact the main supplier I tend not to negotiate on price so probably pay a little more.
3D Secure is a PITA to use, I can't ever remember my passwords, and if it comes up I go to a different site who doesn't use it. Me making life easier for you isn't the game. Soft-soaping your customers is.
Martin wrote:

Work work work...

Because it is your card that is at risk - it is you that will have to go to the hassle of trying to get money refunded if your card is cloned or stolen. What's more it could be some time before you realise that your card has been cloned or stolen, and the thief could have spent thousands on it...I don't really understand the question - I would have thought it self-evident. Do you not feel that you have any responsibility for your credit card? What about your wallet? As a retailer, I will promise not to process any transactions that look dodgy, but that does not mean that all retailers are as conscientious about it - I could just process all the payments and hope that none ever get charged back. I hope I am being a responsible retailer to that effect. I think that people should take similar responsibility for their belongings. If they don't want to, then I hope they will not complain that it happens to them - card fraud is a fact of life and isn't going away because people feel put out by it.

If we are not making a profit, it doesn't matter how easy it is - we are finished. This is a business...

Is this retail or wholesale? I mostly only do telephone payments with wholesalers.

I can't see why - all my cards with one bank have the same password. It might look annoying, but you soon get used to it, and if you do online banking, you are required to enter more information than that.

Sooner or later, we will be required to use it I'm afraid.

It isn't about you making my life easier - it's about you taking measures to ensure you are not ripped off. ? Still, it's your card and it's your choice.
Maria wrote:

Ahhhh. Work, the curse of the drinking class.

Well now, I can see it being good for the retailer. If someone who has my card number (and it's hardly the biggest secret in the world) makes a fraudulent transaction then the banks have to do a refund, they will reverse the transaction with the retailer who will not only have additional charges to pay for the reversal but might have shipped goods.
It's no hassle to me because I'm covered, it's no hassle for the banks, they are covered, the one exposed is you. So it's a simple question, how does it benefit me?
...
>Is this retail or wholesale? I mostly only do telephone payments with wholesalers.
Servers mainly. Neither retail nor wholesale. I tend not to buy them in in batches :)
>> 3D Secure is a PITA to use,
>I can't see why - all my cards with one bank have the same password. It might look annoying, but you soon get used to it, and if you do online banking, you are required to enter more information than that.
Well it diverts you another unknown website and starts asking for security information. That is where I hang up on the transaction or if I really need it call the bank or get it entered manually. It's way too easy to forge these things using DNS insertion, fake certificates, or even just a fake website hanging off the merchant site (that wouldn't work on me because I do check the certificate). How do I know it's my bank and not a rogue site? I don't do online banking for the same reason, until they start to issue tokens or something similar.
> I can't ever remember my passwords, and if it comes up I go to a different site who doesn't use it.
>Sooner or later, we will be required to use it I'm afraid.
Not true.
>> Me making life easier for you isn't the game. Soft-soaping your customers is.
>It isn't about you making my life easier - it's about you taking measures to ensure you are not ripped off. ?
Ahh back to that again. It's not me who can be ripped off with a fraudulent transaction, it's you.
>Still, it's your card and it's your choice.
:)

Because you are "covered" means it's no hassle?
Unusual way of looking at it.

In my experience as a customer it's a complete pain in the arse to be directed away from a merchant's secure site to re-enter details that I've already supplied into some third party 'unknown' site that is often slow and times out.
When a seller makes payment for goods so difficult I usually abandon the purchase. Judging from your observation it's not that people haven't signed up but that the system doesn't work very well and people cannot actually pay for the goods. Often the card verification web pages and the way they are linked into the seller's web pages give the appearance of a phishing site!
What's wrong with the sellers only requiring these additional 'safeguards' when the goods are to be supplied to an address that isn't the card holders registered address?
--
Alan
news2006 amac f2s com
Alan wrote:
...

You sound like a sensible chap. Exactly my experience and for the same reasons as well.
Alan wrote:

Mine is supplied by my card issuing bank, Natwest, so I presumed that it would not appear as an 'unknown' site to other people, but their card issuer's site. When I had to enrol on it to purchase something, it was just a separate Natwest window - IIRC it asked me for my DOB and postcode to prove I was the cardholder, asked me to register a password, and then immediately returned me to the checkout pages of the site to continue what I was doing. I've never had it time out - maybe for other card issuing banks it's a different story, and it hadn't occurred to me that this was happening. Thanks.

There is no way of doing that - we can only force the 3D rules by setting value parameters for the transaction. NB A merchant bank rep I was talking to a while back told me there was no way that online retailers should even agree to send to any address other than the cardholders, though most business seems to.
I'm a little confused as to people's reluctance to engage with it (I know it is a problem as I have seen forum discussions about the volume of sales lost by retailers after implementing 3D) - it's just an online version of Chip & Pin.
Just to reiterate, my reason for posting this is the same reason I have posted before about the frustration of seeing payment after payment made with people's obviously stolen cards and no-one to report it to or to inform the cardholder. If people would use this system, at least for Visa and Mastercard, there would be no point in the fraudsters even trying. This type of fraud increased 14% last year, so I personally really want to do something about it, as the banks and police are so ambivalent about it. Those left to pick up the pieces are the cardholder and the retailer who will just receive a chargeback.
Maria wrote:

Whoops..forgot the cite
http://www.telegraph.co.uk/finance/personalfinance/borrowing/creditcards/5016593/Credit-and-debit-card-fraud-jumps-as-criminals-beat-chip-and-pin.html
On Thu, 26 Mar 2009 12:13:11 +0000, Maria

For some types of goods it would be completely impractical for me to accept delivery at my home address, and for the rest it is a PITA to do so.
If there is usually nobody at home during working hours it makes far more sense to take delivery at your work address.
I have on occasion ordered large, heavy goods that I need to use on my boat. I need to have them delivered (by lorry) to where my boat is kept. Delivering such items to my home address would be useless to me, because I would then have to arrange separate transport to my boat.
--
Cynic


Cynic wrote:

I agree entirely - the problem is that a common feature of a fraudulent transaction is where they have the entire card details of someone, somehow, but have it delivered to a different address. There are some websites which don't allow different shipping address, but we do because so many of our customers are students away at college.
wrote

I`ve seen them time out regularly for a number of different banks. I also dislike the idea of having to enter security information into a frame that realistically I have no way of knowing who provides that frame. I have the option of digging down and finding out the hosting site, checking certificates and so on, or spending my money elsewhere. Which option do you think I`ll take?

Which in itself is a reason to avoid it like the plague - it shifts the blame from the bank/retailer onto the customer. I have a chip&signature card, and if someone steals the card and uses it fraudulently then the bank has to prove it is my fault. If I have a chip&pin card and someone steals the card after obtaining the pin, I have to prove I wasn`t negligent. And how can I prove that - the fraudster has my pin number, so I must have been negligent. Ditto 3D security - if the fraudster has my PIN, then it`s my fault.
Until and unless a merchant gives me a good reason to use 3D, I won`t do it. If it cuts down on your costs due to fraud then reward me with a discount for using it. Otherwise you`re asking your customers to put up with aggravation simply to make life better for you, and why would a customer want to do that?
Simon Finnigan wrote:

Ok I got that part!

I am not aware that the customer gets blamed if they get ripped off while they have a chip and pin card. ? Is it the case that should you still be ripped off, you won't be believed and won't get your money back, because I've never heard of it. As far as I know it's just another tool in the anti-fraud toolbox, not a way of transferring blame. Also as far as I know the banks are never blamed, and the retailer doesn't have a leg to stand on - he just gets a chargeback anyway. BTW the retailer is not to blame if someone uses your stolen card details on his site - if you want to blame him for being negligent in not using available anti-fraud tools to avoid dodgy cards, then why not also blame the customer for being negligent in not using available tools in order to minimise the chance of their card being used by a dodgy person? I agree that the banks are ambivalent about it - they aren't going to make any loss so why should they bother? They will process any payment they are asked to, whether the card details match or not. The retailer is definitely in a worse position because there is always a presumption against him and the money automatically charged back (with associated expenses).

As far as I know, all you have to do is say that you did not make the transaction to get your money back. We have had numerous customers with totally correct card details who have later said that they did not make the transaction - they are simply refunded and the money zapped from the retailers bank account. Too many of those and the retailer can lose their merchant account - they are out of business.

Is this true? Do you have any details of that because I've never heard of it. My bank card was cloned a while back and my account cleaned out through a hole in the wall. I did not lose the money even though they obviously entered the correct PIN to get the money out. The bank refunded the money the next day.

It is meant to be for your protection...and at the same time benefits the retailer. It is a symbiotic relationship, customer and retailer, though you'd never think so at times...

How is it to make life better just for me? Or is that the customer v. retailer conflict again? It does make us more certain that the card use is genuine, but that benefits both parties, not just the retailer. It is in all parties' interest to prevent card fraud, isn't it? If we as retailers did not co-operate with fraud prevention, we would be attacked for refusing to co-operate! If a customer refuses to co-operate, then he is just what...daft? Sensible? Now having read the comments here, I understand the reasons why customers might be reluctant to use the 3D system, but I stand by my comments that it is in both our interests - for you to protect your cards, and us to protect our merchant account, and I would guess that with banks pulling credit facilities all over the place at the moment, that is even more so these days. I can only hope then that something better than 3D secure comes along soon, but I don't suppose it will make customers any more inclined to use it because it will always be an inconvenience, even if it is safe.

Who is telling you that it is any safer than not going through 3D? Surely not the same people who have misplaced many 100s of billions of GBP because they have no idea of what's happening inside their own organisations and networks..
Perhaps the increase of fraudulent activity is directly related to the way retailers operate their own sites and then lose control of secure information when redirecting to a third party site. Judging by your observations I guess that for many this redirection away from the retailer's site is a suspect part of the transaction and people are taking the good advice given by the banks and abandoning the transaction. Banks and credit card companies tell us to NEVER give passwords or any other details to phishing sites. Is the pop-up window actually the bank's own site or is it somewhere else? Just because it has a mastercard/visa logo on the page doesn't make it genuine.
--
Alan
news2006 amac f2s com
Alan wrote:

I think the real problem with that is that it so undermines the concept of an SSL certificate that it becomes impossible to teach the general public how to use them securely.
Basically, if you get redirected off to acme-payment-service.com, or worse secure.yoyodyne.net (apologies if these domains exist) and you do not know what these domains are, you have no guarantee that you are not giving your payment details to a fraudster, or even that the referring site is owned by the company you thought you were ordering from.
With time one learns to recognise companies like WorldPay, who can be trusted to validate their customers and handle your payment securely, but until you learn to recognise and trust a payment handler, you could be dealing with anyone.
Actually there is a benefit in dealing with a really well known payment handler, in that they will have made some checks that the web site is a reasonable business, whereas an SSL certificate for the site itself, at best, only tells you the name of the owning company, not whether they are a reputable business. However, at least at one time, sites handing off to a payment handler would try and disguise this, whereas for security it should be done very openly.

wrote:

The pop-up window contains the passphrase which you originally agreed with the card issuer when you registered for the service.
Chris
Chris Blunt wrote:

And increases your confidence that some money will be taken out of your account, and paid to someone. However, the rogue trader you are talking to has all the information they need to set up an independent connection to Cyota to get that information, and pass it on to you and they can make the actual transaction with a different amount of money, or to a different account, or simply save the passphrase and password for a subsequent fraudulent transaction.
Moreover, anyone else intercepting the transaction can do the same, as long as you do not fully authenticate the trader (assuming they did use SSL).
In my view the passphrase has no security value at all, or rather a negative one, as it gives false confidence. The only way of being certain you are giving your password to someone authorised by your bank is to:
1) determine the identity of organisation/web site that operates the service for your bank;
2) on every transaction, verify that the SSL certificate for the frame belongs to that organisation and was issued using one of the better authenticated root certificates from a certifying authority you trust.
(This assumes that you are confident that your browser and PC haven't been tampered with.)
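
The two checks listed in the post above, written out as an added example that is not part of the original thread. It works on the dictionary format returned by Python's `ssl.SSLSocket.getpeercert()` after a verified handshake; the host names, organisation names and sample certificates are constructed, and matching the issuing CA's organisation name is an assumed stand-in for "a certifying authority you trust".

```python
import ssl
from datetime import datetime, timezone

def _values(rdns, key):
    """All values of `key` in a getpeercert()-style subject or issuer tuple."""
    return [v for rdn in rdns for (k, v) in rdn if k == key]

def _host_matches(pattern, host):
    """Exact match, or one left-most '*' label (e.g. '*.examplebank.test')."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    return len(p) == len(h) and p[1:] == h[1:] and p[0] in ("*", h[0])

def check_frame_cert(cert, frame_host, expected_org, trusted_issuer_orgs, now=None):
    """Return a list of problems; an empty list means every check passed.

    `cert` must come from a connection whose chain the TLS library already
    validated; these checks narrow that result, they do not replace it.
    """
    problems = []
    if now is None:
        now = datetime.now(timezone.utc).timestamp()
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if not not_before <= now <= not_after:
        problems.append("certificate is outside its validity period")

    # The certificate has to cover the host the password frame is served from.
    sans = [v for (kind, v) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(_host_matches(s, frame_host) for s in sans):
        problems.append("certificate does not cover host " + frame_host)

    # Check 2, first half: the certificate belongs to the organisation that
    # check 1 identified as the operator of the service for the bank.
    orgs = _values(cert.get("subject", ()), "organizationName")
    if not orgs:
        problems.append("no organisation in subject (domain-validated only)")
    elif expected_org not in orgs:
        problems.append("subject organisation is " + ", ".join(orgs))

    # Check 2, second half: issued by a CA on the user's own short list.
    issuers = _values(cert.get("issuer", ()), "organizationName")
    if not set(issuers) & set(trusted_issuer_orgs):
        problems.append("issuer not in the trusted list: " + ", ".join(issuers))
    return problems

# Constructed sample data (not real certificates).
NOW = datetime(2009, 3, 26, tzinfo=timezone.utc).timestamp()
TRUSTED = {"Example Trusted CA"}
GOOD = {
    "subject": ((("countryName", "GB"),),
                (("organizationName", "Example Bank plc"),),
                (("commonName", "secure.examplebank.test"),)),
    "issuer": ((("organizationName", "Example Trusted CA"),),),
    "notBefore": "Jan 01 00:00:00 2009 GMT",
    "notAfter": "Jan 01 00:00:00 2010 GMT",
    "subjectAltName": (("DNS", "secure.examplebank.test"),),
}
DV_LOOKALIKE = {
    "subject": ((("commonName", "secure.examplebank-verify.test"),),),
    "issuer": ((("organizationName", "Example Budget CA"),),),
    "notBefore": "Jan 01 00:00:00 2009 GMT",
    "notAfter": "Jan 01 00:00:00 2010 GMT",
    "subjectAltName": (("DNS", "secure.examplebank-verify.test"),),
}

if __name__ == "__main__":
    for name, cert, host in (("good", GOOD, "secure.examplebank.test"),
                             ("lookalike", DV_LOOKALIKE, "secure.examplebank-verify.test")):
        print(name, check_frame_cert(cert, host, "Example Bank plc", TRUSTED, NOW))
```

The lookalike certificate is perfectly valid for its own host, which is why only the organisation and issuer checks reject it.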
wrote

But by asking me to use 3D, you`re asking me to give security information to an unknown website. That is surely a very bad idea!

I do take all reasonable steps. I avoid any site that asks me for anything more than the bare essential info for a payment. I keep my card physically secure, and I keep my house network as secure as possible. Asking me to verify the security credentials of every site I want to buy from, and every step along the payment chain, is being unreasonable. I could just as easily ask you to manually verify every transaction is going to an address associated with the registered card holder, and telephone that address to check it`s legit. Both are an unreasonable use of time.

Not everyone is as lucky as you.

But it ISN`T for my protection at all. What it is there for is to "prove" I was negligent in letting someone else get my details. Duff transaction using 3D, I must have given my password out, therefore I have to foot the bill. Why would I agree to such a system when the current one makes it much harder for me to get into that situation.

Yes, but I`m not the one who will be paying for the fraud, you will be. And if you want me to use a slower, more annoying method to verify who I am, you will have to make it worth my while. Until that is done, I`ll stick with the current system which works very well for me.

It depends - would you consider giving advice that goes against all anti-phishing advice to be a good idea or a bad idea?

Yes it will be more annoying to use, but why not offer a trade off. Get 1% off your order for using our new secure system. It`ll reduce your costs due to fraud, and give people an incentive to pay that way. Is there any reason why this isn`t an option?
Maria wrote:

Natwest's site is https://www.nwolb.com/ which comes up with a nice green title bar saying it is owned by Royal Bank of Scotland Group plc.
The Mastercard Secure thing comes up as something like https://www.securesite.co.uk/ with no green title bar to reassure me that it is not a phishing site, and further digging suggests it is owned by someone I've never heard of.

Perhaps another reason why many transactions may fail when redirected to that bank's site
<quote> The Internet browser you are using is not supported by online banking. </quote>
And yet they claim to support the browser that I'm using (Opera 9.63)!!
--
Alan
news2006 amac f2s com

BeanSmart.com is a site by and for consumers of financial services and advice. We are not affiliated with any of the banks, financial services or software manufacturers discussed here. All logos and trade names are the property of their respective owners.

Tax and financial advice you come across on this site is freely given by your peers and professionals on their own time and out of the kindness of their hearts. We can guarantee neither accuracy of such advice nor its applicability for your situation. Simply put, you are fully responsible for the results of using information from this site in real life situations.