No Valid Address Required. Oops!

Written by Frank Hayes
May 18th, 2011

L.L.Bean will let online customers complete a purchase with only a payment-card number and expiration date—no name, billing address match or other authentication required. A number-and-expiration-date-only policy for card-not-present transactions could be a huge problem today: with large numbers of consumers walking around with contactless payment cards in their wallets, thieves can brush up against purses and backsides in any crowd and collect card data automatically.

Contactless backers have always pooh-poohed this as a security threat, pointing out that customer names, security codes and other authentication information aren’t transmitted by the cards. But if retailers are relying only on numbers and expiration dates, then with one contactless grab—or one well-aimed digital picture snap from a mobile—thieves get all they need.

And although the E-tailer’s customer-service department insists that card numbers with the wrong name attached should be rejected, a simple experiment made it clear that at least some transactions are approved that way. (Two out of two media tests had transactions approved and shipped.) If it had been fraudulent, it would have been up to the payment-card holder to notice, complain and get the charge reversed.

L.L.Bean did not respond when we described the problem by E-mail. That’s troubling, too. There could be a strategy behind this approach—for example, that the company has decided it’s willing to take the loss for what it calculates to be a small number of low-value fraudulent purchases that it doesn’t catch. But without an explanation, it’s impossible to say whether it’s a policy or a security hole.

The point here is clearly not that L.L.Bean is less secure than other chains. Indeed, the significance of this situation is that many other chains have similar security holes. It may be against policy—as it is with L.L.Bean—and it may be against how customer service is trained, but it happens.

For more than five years, payment vendors have been arguing that the data leaks created by contactless cards are not a concern, because they generate insufficient information to make a transaction with a major E-tailer.
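The dispute above comes down to which fields a merchant's authorization policy actually checks. The following is an added example, not code from the article or from L.L.Bean's systems: it models a merchant-side order and runs the same order through a weak policy (card number plus expiration only, as the article describes) and a hardened one that also demands the CVV and an Address Verification Service (AVS) result. The AVS code set (`Y`, `A`, `Z`, `N`, `U`), the `Order` record and the sample orders are assumptions constructed for the example; the card number 4111 1111 1111 1111 is a public Luhn-valid test value, not a real account.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Simplified AVS result codes, assumed for this example; real issuer and
# processor code sets are larger and vary by card network.
AVS_FULL_MATCH = {"Y"}      # street address and ZIP both match
AVS_PARTIAL = {"A", "Z"}    # street only / ZIP only
AVS_FAIL = {"N", "U"}       # no match / verification unavailable


@dataclass
class Order:
    card_number: str
    expiry: str            # "MM/YY" as typed by the customer
    name_on_order: str
    cvv: Optional[str]     # None when the checkout form never asked for it
    avs_code: str          # issuer's AVS response for the billing address given
    amount: float


def luhn_ok(number: str) -> bool:
    """Standard Luhn check on the card number (catches typos, not fraud)."""
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) < 12:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def expiry_valid(expiry: str, as_of: Tuple[int, int] = (2011, 5)) -> bool:
    """True if MM/YY is as_of's month or later; as_of defaults to the
    article's publication month (constructed reference date)."""
    try:
        mm, yy = expiry.split("/")
        month, year = int(mm), 2000 + int(yy)
    except ValueError:
        return False
    if not 1 <= month <= 12:
        return False
    return (year, month) >= as_of


def weak_policy(order: Order) -> Tuple[str, str]:
    """Number-and-expiration-only acceptance, the behaviour the article
    describes. Everything a contactless read or a photo of the card front
    yields is enough to pass."""
    if not luhn_ok(order.card_number):
        return "decline", "card number fails Luhn check"
    if not expiry_valid(order.expiry):
        return "decline", "card expired or expiry malformed"
    return "approve", "number and expiry only; name, address and CVV never checked"


def hardened_policy(order: Order) -> Tuple[str, str]:
    """Require data a contactless read does not carry: the CVV plus an AVS
    result on the billing address. Partial AVS matches are held for manual
    review instead of going straight to shipping."""
    decision, reason = weak_policy(order)
    if decision != "approve":
        return decision, reason
    if not order.cvv or not order.cvv.isdigit():
        return "decline", "CVV missing"
    if order.avs_code in AVS_FAIL:
        return "decline", f"AVS {order.avs_code}: billing address does not match card"
    if order.avs_code in AVS_PARTIAL:
        return "review", f"AVS {order.avs_code}: partial match, hold before shipping"
    if order.avs_code in AVS_FULL_MATCH:
        return "approve", "CVV present and billing address matches"
    return "decline", f"unknown AVS code {order.avs_code!r}"


# Constructed sample orders: the first carries only what a contactless read
# leaks (number and expiry); the others add CVV and a billing address.
CONTACTLESS_GRAB = Order("4111111111111111", "12/13", "F. H.", None, "N", 19.95)
LEGITIMATE = Order("4111111111111111", "12/13", "Frank Hayes", "123", "Y", 19.95)
ZIP_ONLY = Order("4111111111111111", "12/13", "Frank Hayes", "123", "Z", 19.95)

if __name__ == "__main__":
    samples = [("contactless grab", CONTACTLESS_GRAB),
               ("legitimate", LEGITIMATE),
               ("zip-only match", ZIP_ONLY)]
    for label, o in samples:
        print(f"{label:17} weak={weak_policy(o)[0]:8} hardened={hardened_policy(o)[0]}")
```

Running the block shows the contactless-grab order approved under the weak policy and declined under the hardened one. One caveat for anyone tuning such a policy: AVS compares only the numeric part of the street address and the ZIP code, and the authorization network does not verify the cardholder's name at all, so a merchant that wants a name check (as the customer-service rep in the article assumed existed) has to implement it itself, for example against the customer's existing account.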

Our experiment began after we received a tip that a purchase would go through with only a card number and date. The editor who placed the order used his own card number and expiration date, but used an address that was in no way associated with the credit card used (even the ZIP code was different). The name used for the order had the same initials as the card holder, but couldn’t have been mistaken for the name on the card account.

The E-Commerce site’s system accepted the order for an under-$25 item with the valid card number and non-matching name and address. Within a few minutes, an initial confirmation arrived at the Gmail address given with the order. Less than 90 minutes after that, another confirmation arrived with an order number and word that the order was being processed. More than a day later, a third E-mail message arrived, confirming that the order had been shipped. The payment card was charged on the day of the order.

During the long gap between getting an order number and getting shipping confirmation, we called customer service and inquired about the order by order number. We expressed surprise that the name was wrong, muttered that it was because someone else had actually placed the order for us, and corrected the name—but not the address.

The customer-service rep told us she could correct the name in the system, but she couldn’t stop the order because the package was “already on the truck.” When we expressed surprise that the order would go through with a name and address that didn’t match the card, the rep said, “I’m not sure why it went through. It shouldn’t have.”

That’s as much of a response as we were able to get from the retailer.
