Buying Online: Convenience vs. Security

I run an online store, and one of the features we offer is shipping to an address that isn’t the customer’s billing address. I did this for a couple of years without verifying that the shipping address was connected to the card holder, until some limo driver in Ohio defrauded us and other online stores by ordering items as one of his previous customers. He knew the real billing address because he picked the victim up at his house, and he used his own home address as the shipping address. Unfortunately, not all fraudsters are as dumb as this man, or the problem might weed itself out genetically.

Nowadays, we call the credit card company to verify that the customer’s shipping address is registered as an alternate shipping address with their account. This ensures that the actual card holder(*) has provided the address, rather than just someone who knows the card number and the real customer’s billing address. Ironically, even though I always offer to provide all the information and only ask for a yes or no response on the validity of the shipping address, some credit card companies won’t even talk to me because I’m not the cardholder, citing “security reasons.” It’s for “security reasons” that I’m doing this in the first place. Thankfully, these short-sighted policies are rare.

I know of no way to automate this, and it’s not clear that it’s even possible without each credit card licensee wanting to provide this service and agreeing on a common API(**). This means that the process is not convenient for the store, and it’s not convenient for customers who have no alternate shipping address on file and are asked to add one. Most large online stores don’t go through the pains of manually doing this verification, preferring to combat fraud through some combination of automated heuristics that don’t work all the time, random manual auditing, and after-the-fact actions like litigation. This means that all someone needs is your address and your card information, and they can probably order whatever they want and have it shipped wherever they want. It gets worse when the fraudster lives near you, since it’d pass any distance-based heuristics for guessing whether or not a shipping location is ok.

Think about who could have your address and your card information: cab companies, limousine companies, Lowe’s/Home Depot delivery, moving companies, or a cashier at a restaurant who copied your card information and looked up your address. “But Bob,” you say. “This is FUD! If it’s so easy to get this information, why hasn’t everyone become the victim of credit card fraud?” First of all, lots of people do fall victim to it. Credit card fraud is big business on all sides of the issue. Having said that, there’s a relatively small percentage of people who have access to your full credit card information, since it’s in the best interests of the business owners to make sure they minimize the number of eyes that can see it. I suppose it’s also fairly easy to catch most people who commit credit card fraud, especially when they can’t resist ordering lots of items and helping investigators to narrow down the search, so perhaps the failures of individuals sustain the notion amongst most would-be fraudsters that it’s too much risk for too little gain. It may also be the case that everyone has had someone try to commit fraud using their credit card, but some combination of store action and credit card company heuristics caught it before it happened.

Whether or not you choose to worry about this is up to you, but if you want to help stores out that do take the extra steps to make sure items bought with your card can only be sent to addresses that are associated with you, it’s easy to add an alternate shipping address to your credit card account. Just call up customer service, tell them you’d like to list an alternate shipping address, and they’ll know what to do because it’s far more common than you might have known. Then when people like me go through the manual process of calling up to make sure it’s your alternate shipping address and not some random place where a fraudster decided to hang out and wait, your order will go through without further intervention on your part.


(*) or at least someone who has access to so much sensitive information that they seem to be the actual cardholder

(**) This is one of the rare times when I think government regulation would help.

Leave a Reply

Your email address will not be published.