Original post is here

Excerpt:

…Companies like Grand Central should be put out of business — they pose a threat to every online merchant who accepts credit cards.

By offering a service where you can get a phone number in any US city and that furthermore you can receive and send calls from your real phone that are routed through that number they have made the best fraud checking tool, call verification, essentially useless…


My reply on his post:

You're wrong in some aspects.

The merchant, when verifying the card number with the credit card company in online transactions, can verify the phone number matches what's tied to the account. If the merchant decides not to utilize this functionality and verification it's their own fault.

You can (and have for a couple decades been able to) purchase a voicemail box anywhere in the world for a couple dollars a month, and usually the voicemail has its own unique number. Most of these services also offer call forwarding.

Finally the largest gap in your theory is the cell phone market — I can literally go to Wal-Mart and pick up a disposable cell phone today for 15.00 that comes with 60 minutes of talk time.

If you want to criminalize GrandCentral for their behavior you have to take into account these other avenues for performing the same fraud in the same method.

The cost of entry is very low and I can say that I have never gotten a call from any online merchant I have dealt with in my 13 years on the Internet. I have however gotten a couple bounce backs where a charge was going through where my phone number didn't match what the credit card company had on file for me.

UPDATED

His response

Creeva — you have some good points. However I work in the data center business as sales manager for a large data center. Roughly 40% of all server orders are attempted frauds. I have a lot of tricks up my sleeve for determining order authenticity, most of which I won't discuss for obvious reasons, but this is going to hurt us. Not all frauds are CC — many are stolen PayPal accounts and there's no way to check phone numbers on those. Not all banks use full authentication on the cards — they don't require the address/phone number to match their records when the card is processed, just name, number and PIN. Hell, even some of the foreign banks (our customer base is worldwide) don't even use a PIN (CVV) on the cards. In general it is only North American banks (and not all of them) that require the details to match.

My follow-up:

So you feel the barrier to entry from offering a service such as this by making it free (though you still need a phone to verify to GrandCentral) would be drastically different for hard core fraudsters (I hate that term but applicable) over a 15 dollar cell phone?

I guess it would depend on the type of fraud and/or the amount that you are working with whether that few dollars could make a difference.

The problem really is more on the credit card company side for not enforcing these security audits.

One thing retailers could do to help offset this (and Google may actually give you this data versus data that ties a customer to their private data) is to have them give you the phone exchanges they utilize their pools of addresses from.

This works by picking new/underutilized/never utilized exchanges in a zip code. So you know if they use the exchange 541–256-XXXX or 789–986-XXXX that these are utilized by Google or farmed out to SIP providers for similar things — this would allow you to blacklist address blocks on your side.

This allows people to maintain their privacy since the information is only aggregate. They can make the choice if they wish to shop with you if you won't accept it. You can blacklist the exchanges you don't wish to accept. If disposable cell phones use the same technique (I'm next to positive a lot of them are in these same blocks that GrandCentral is using) it would correct that issue also.

While this would not be foolproof and 100% it actually would give your company significantly better trust than it has right now.

So where do I send the consulting bill to :P

Theoretically in an afternoon you could get about 70–90% of the exchanges that GrandCentral uses and have them added to your blacklisted do not call database.
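A sketch of the exchange blacklist proposed in the comment above, added here as an illustration and not part of the original exchange. The function names and result labels are hypothetical, and the two blocked exchanges are only the illustrative ones quoted in the comment, not verified forwarding blocks.

```python
import re

# Constructed blocklist of (area code, exchange) pairs. These are the two
# illustrative exchanges quoted in the comment, not verified forwarding blocks.
BLOCKED_EXCHANGES = {("541", "256"), ("789", "986")}

# NANP shape: optional country code 1, then NPA-NXX-XXXX, where the area
# code and the exchange both start with a digit from 2 to 9.
_NANP = re.compile(r"^1?([2-9]\d{2})([2-9]\d{2})(\d{4})$")

# Trailing extension such as "x12" or "ext. 4".
_EXTENSION = re.compile(r"\s*(?:ext\.?|x)\s*\d+\s*$", re.IGNORECASE)


def split_nanp(raw):
    """Return (area_code, exchange, line) for a NANP number, else None."""
    main = _EXTENSION.sub("", raw.strip())
    # Strip all punctuation, including en dashes and the leading plus sign.
    digits = re.sub(r"\D", "", main)
    match = _NANP.match(digits)
    return match.groups() if match else None


def screen_order_phone(raw, blocked=BLOCKED_EXCHANGES):
    """Classify the phone number supplied with an order.

    'not_nanp'         -> cannot be checked against an exchange list
    'blocked_exchange' -> exchange is on the merchant's blacklist
    'pass'             -> exchange is not on the blacklist
    """
    parts = split_nanp(raw)
    if parts is None:
        return "not_nanp"
    area_code, exchange, _line = parts
    if (area_code, exchange) in blocked:
        return "blocked_exchange"
    return "pass"


if __name__ == "__main__":
    # Constructed sample inputs in the formats customers tend to type.
    for sample in ["541\u2013256-0142", "+1 (789) 986-0199 ext. 4",
                   "541-257-0142", "+44 20 7946 0958"]:
        print(sample, "->", screen_order_phone(sample))
```

Matching only on the area code and exchange keeps the list aggregate, as the comment describes: no individual subscriber number is stored.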

UPDATED

His final reply:

Alas the consulting bill will have to wait ;) This is a strategy we are already contemplating if Google will release that information as I alluded to in the post. Somehow I doubt they will but perhaps they will see it as yet another way to monetize their investment in those blocks.

You wouldn't necessarily lose those potential customers — you could make it clear that GC and free cell phones will not be accepted but most of those individuals, the honest ones at least, have the real number they can provide, the one that GC forwards to and from that they can provide if they want the service.

I think we've now beat this horse to death.
