LLBean.com: No Valid Address Required. Oops! (page 2)
That’s as much of a response as we were able to get from the retailer—which is surprising, considering the current level of noise over the leaks of E-mail addresses from Epsilon, non-card personal information from Sony’s PlayStation Network and PIN-pad tampering at Michaels. Those incidents are getting large amounts of attention, even though they required plenty of effort on the part of thieves to steal the data.
But with L.L.Bean, there’s no sophistication required—just information from the face of a payment card. That’s easy to acquire. It might come from a thief scooping up numbers from contactless cards in a crowded place. But a thief could more easily snap a photo of the card with a mobile-phone camera when a customer uses the card in line at the checkout. Or if a customer puts the card down momentarily at an ATM. Easiest of all would be to simply get some card numbers and expiries from a cyberthieves’ site on the Internet.
Without a name or ZIP code match, much less a CVV number, the only authentication is the expiration date. That’s no authentication at all.
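To make the point concrete, here is an added example (not code from the article or from L.L.Bean) of a merchant-side authorization gate: a permissive policy that accepts any issuer approval, beside a baseline policy that declines unless a ZIP (AVS) match and a CVV match were actually requested and returned. The result codes are a simplified version of the common single-letter AVS/CVV scheme and the scenarios are constructed.

```python
from dataclasses import dataclass
from typing import Optional

# Simplified issuer result codes (assumption, modelled on the usual
# single-letter scheme): AVS Y = street and ZIP match, Z = ZIP only,
# A = street only, N = no match, U = not checked. CVV M = match,
# N = no match, P/U = not processed.
AVS_ZIP_MATCH = {"Y", "Z"}
CVV_MATCH = {"M"}


@dataclass(frozen=True)
class AuthResponse:
    """Issuer reply to a card-not-present authorization (constructed)."""
    approved: bool           # issuer approved on card number + expiry
    avs_code: Optional[str]  # None: merchant sent no address to verify
    cvv_code: Optional[str]  # None: merchant sent no CVV to verify


def permissive_policy(resp: AuthResponse) -> str:
    """The weak setting: whatever the issuer approves is accepted, even
    when nothing beyond the card face was ever checked."""
    return "accept" if resp.approved else "decline"


def baseline_policy(resp: AuthResponse) -> str:
    """Require the checks the article names: ZIP match and CVV match.
    A missing result means the merchant never asked, so the transaction
    is treated as unauthenticated rather than as approved."""
    if not resp.approved:
        return "decline"
    if resp.avs_code is None or resp.cvv_code is None:
        return "decline: checks not requested"
    if resp.avs_code not in AVS_ZIP_MATCH:
        return "decline: address mismatch"
    if resp.cvv_code not in CVV_MATCH:
        return "decline: cvv mismatch"
    return "accept"


# Constructed scenarios: card face only (number + expiry), a ZIP that
# does not match the cardholder's, and a fully verified order.
CARD_FACE_ONLY = AuthResponse(approved=True, avs_code=None, cvv_code=None)
ZIP_MISMATCH = AuthResponse(approved=True, avs_code="N", cvv_code="M")
VERIFIED = AuthResponse(approved=True, avs_code="Z", cvv_code="M")

if __name__ == "__main__":
    for name, resp in [("card face only", CARD_FACE_ONLY),
                       ("zip mismatch", ZIP_MISMATCH),
                       ("verified", VERIFIED)]:
        print(f"{name:15} permissive={permissive_policy(resp):8} "
              f"baseline={baseline_policy(resp)}")
```

The first scenario is the one the article describes: the issuer approves on number and expiry alone, and only the baseline policy treats that approval as insufficient.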
At a time when politicians are falling all over themselves to berate retailers and service providers for failing to protect non-financial information like the passwords to a free online games network, and when real-time authentication of payment cards is at the center of mobile-payment schemes, authentication should be a baseline requirement for any online transaction. Why wasn’t it here?
It’s true that if this had been actual fraud, instead of a purchase by the actual cardholder, the cardholder would probably have been able to get the charge reversed. And because L.L.Bean had made the transaction without proper authentication, the retailer would have eaten the loss.
That’s still a bad idea, because it depends on the cardholder—who may not even be a customer of the online retailer—to spot the bad charge, initiate a request to reverse it and generally do all the necessary legwork. From a financial standpoint, L.L.Bean would only get dinged for the charge if the cardholder noticed it in time to challenge the charge. If that cardholder wasn’t an L.L.Bean customer, that’s not exactly a great marketing gimmick.
And if the cardholder did happen by coincidence to be an L.L.Bean customer? When a customer connects a fraudulent charge with a retailer, the customer usually concludes that the thief somehow got the information from the retailer. That’s no way to make customers happy.