E-commerce and credit cards in particular are always considered to have succeeded in overcoming the big problem of fraud. All too often when a new security mechanism is presented to combat credit card fraud its opponents claim that fraud in credit card transactions is already mitigated to an adequate extent. This does not seem to be a false claim, as we don’t see Visa, Mastercard, or American Express going bankrupt due to fraud. The fraud figures are not too bad either considering the fact that no state-of-the-art mechanism is deployed yet for the masses.
However, trying to make an online purchase recently made me lose any respect I had for the so-called anti-fraud mechanisms that are used today.
Fraud may have been eliminated to a large extent, but this seems to have been achieved generally by disabling global commerce. We all know that security is a set of tradeoffs; it’s what you give and what you get in return. Protecting against fraud by making global commerce practically impossible does not seem to me a victory but rather a loss.
What I have noticed just a little while ago is that credit card companies protect themselves against fraud generally at the cost of making the transaction very unpleasant to the user, or by eliminating it completely, if the transaction introduces more than the minimal risk. I experienced this when attempting to make a purchase using an international credit card. Most merchants will just refuse to accept these, but let us focus on the ones that will not.
Transactions with international cards pose a threat of fraud. The ways to minimize this threat today are notoriously low-tech and inconvenient, almost to the extent that they are not worth the purchase for the user. In an attempt to get a camcorder using an international AMEX card I had to face the most absurd requirements. Many vendors required a faxed copy of my ID and credit card. Some even went as far as asking me to call my card issuer and ask him to call the merchant or to accept a call by the merchant; now this doesn’t scale that well, does it?
After the confirmation saga was over, many merchants refused to ship internationally, and when I asked to ship it to an address at which I stayed in the US, they did not like the fact that the shipping address differs from the billing address; quite a deadlock for international card holders. The few that did agree to accept an international card and to make the shipping to a different address in the US, after receiving the above-mentioned fax confirmation, did not agree to ship to a hotel. Not very helpful. I have an international card; hence, I don’t live in the US. When I ship to an address in the US it will always be a hotel or the like, won’t it?
The end of my personal story is simple and unhappy. I spent two full days looking for a way to buy the camcorder online and just could not pass the “fraud prevention” schemes. I got to the US and bought it in a physical store in a “card present” transaction. That’s certainly not what global e-commerce was envisioned to be.
My conclusion is that fraud may have been mitigated to a large extent, but at an unacceptable price. Mitigating fraud at the price of sending the user to a fax machine or to his card issuer, let alone by eliminating the transaction altogether, is just like protecting against spam by not using e-mail at all.