More on the GameStop thing

2008-11-06 15:38

This is a followup to GameStop doesn’t like my email address.

I’ve done some calling around, and the more I look at this, the more I think this is actually harmful rather than merely stupid. The key issue is this:

In the event that the “card verification service” does not think an order looks legitimate, the order is not even presented to the credit card issuer, at all. Nor are they contacted. What that means is that the fraud prevention people who actually have the ability to, for instance, disable a card that is being used fraudulently, are completely denied any information about the suspected fraud. They don’t even get notified that someone tried to use the card at a given merchant.

The argument that, if you think a transaction is fraudulent, you should not contact the customer (because they might realize you were on to them and adapt their attacks), is questionable but perhaps plausible. The argument that you should not contact the issuing bank is perhaps less so. Unless you know that the issuing bank is itself a knowing party to fraud, it seems very unlikely that there is any harm to come from letting them know about fraudulent use of their cards.

The underlying model, I think, is basically incorrect. If you have some third party other than the card companies doing fraud monitoring secretly, and without contacting the card companies, you’ve created a huge potential for left-hand/right-hand problems, as well as an agency with absolutely no accountability for false positives. If a credit card company generates too many false positives in their fraud detection, the customer can call them and threaten to leave. This third party, though, simply has no reason to care; as long as the number is “small”, they have two defenses. The first is to say “hey, we’re saving you more than we cost you”, which may even be true. The second is to claim that they are not false positives. After all, how would anyone know? It’s very hard to prove that a given transaction isn’t “fraudulent” in some way without someone, at some point, contacting the bank (who can contact their customer). So if you make it a policy that you NEVER contact the bank, it becomes impossible to determine whether there’s a problem.

Sounds to me like bad business.

Update: I spoke with them some more, and I know have an inkling of what they were pinging off of; it’s inconvenient, but not totally crazy. And wonder of wonders, they think they can get my order reinstated! So that’s pretty nice of them.

Peter Seebach