Unauthorized debit card transactions

lawstudent

amuzia wrote: »

he has had the sharp end of my tongue and he has made a promise to pay it back out of his Saturday job pay and pocket money from his dad.

So you're going to be paid back by your son and want money back from steam as well. Seems fair.

keithrgj

sort of relevant

watch out in these sort of companies t&c, they will "opt you in" and debit your card

you have to "opt out" manually

i purchased an online number from skype three months ago. they have just debited my account for another three months subscription.

looking into it ,

I DID NOT UNCLICK THE "OPT IN" BOX TO" OPT OUT" FOR AUTOMATIC RECHARGES

Jinx

amuzia wrote: »

granted you may be able to untick a box that stores card details (this option may or may not have been present) it still doesn't escape the fact that the cvv details should never be stored as a part of order information or customer data.

in my experience and i do shop online quite a bit and have many accounts with stored card data i am always asked for the cvv number to confirm my purchase.

on the second point they by storing this became complacent in the fraudulent use of the card when they decided to store the cvv number which is a security feature and should never be stored as a part of order information or customer data.

I too shop online a lot and some major brands such as Amazon (as others have noted) dont ask for the cvv and neither do SimplyBe , Very etc who are part of huge parent companies.

Actually I wouldnt say it was the company involved who was complacent.

SammenForLivet2

Could I ask if you ever did get a response from Steam - out of curiosity?

The problem is -(from my understanding) IS steam is like Google Play or Apple - They take a cut and give the developers a cut. These developers have probably seen the money come into their account already; and Steam would actually have to withdraw/charge-back from these developers and for-go there cut; to pay yourself back.

Is it fair that these developers are going to loose money, because people have played their game - and that it is not their fault (either yours or steams - depending on your opinion).

Was the £750 in multiple transactions? If not; could you not setup SMS alerts for you to see money coming out of your account. This can normally be done if the amount is over £100.

Good luck; but don't be upset if you don't get your money back (which is probably fair- in my opinion only).

pookhi

The games have been purchased and downloaded by your son from Steam and no doubt also activated. Therefore it's not like he can return the games to Steam...

You are not entitled to a refund from Steam as they are not the responsible party. It's completely unreasonable for you to try and reclaim the money from Steam.

This will only be resolved between yourself & your son.

I'd estimate £750 would buy around 30 games from Steam. Each would have been multi-GB downloads. Don't be surprised when you see a huge bill from your broadband provider too as you most likely would have exceeded your monthly download cap.....

.... and no your not entitled to a refund if they do charge you for excess data usage either!

amuzia

meer53;

Its an account that i rarely use. maybe 3 purchases this year. usually i would make the purchase then transfer the money back into the account within a few days.


stclair

Lloydstsb.
i did ask them how £750 worth of payments to 1 online supplier could not have flagged up as unusual account activity especially as it was be a rarely used card. and they couldn't give me an answer

macfamilyent

the payments were made over a period of 5 weeks, as it was an account i dont use very often i dont check it all the time.


macfamilyent

i havent had a response from steam yet but it only went into them yesterday morning and its the weekend. i may have to wait till sometime next week to get a reply.

dalesrider

grumbler wrote: »

I think the correct assumption would be that the merchants that don't ask for CVV (let alone bypass Verified by Visa) deliberately take extra risk of getting a bigger number of fraudulent transactions that can be charged back by banks.

Retailer cannot bypass VBV.... It is a system that they pay Visa extra for.
So any retailer you use that does not use it at their checkout. Is simply not paying Visa for the service... NOT bypassing it.

grumbler wrote: »

Amazon's procedure is a joke and has to be changed by Amazon rather than followed by other companies. The account is protected by a very primitive password and any fraudster that gets access to the account can order goods to any address (even abroad) using the stored card details.

If Amazons procedure is such a joke. Why, as someone who deals with fraud on a daily basis. Do I see so little of this, that it can be counted on one hand over a year.....

To me Amazon are a retailer who take security to a level that other retalers need to llok and learn from.

So you can access your account with a password. Any breech of this is not Amazons fault, but the fault of the account holder. But again as I said. I see so little fraud to the retailer.

dalesrider

amuzia wrote: »

as you state on your site that you have no reoccurring frees
dalesrider,
the fact that you allow 1 payment to be made using a debit/credit card should not automatically mean that any further transaction goes unchecked, its almost like (i know not quite the same) going into a shop and using your card to purchase something then returning the next day and saying to the store i had permission to use it yesterday and want to use it today but i dont have it in my hand, and the shop saying well sir thats no problem at all we will just reuse all the details you provided for us then and reuse them including the pin number even though we arnt allowed to store this info we did.

I think what has happened is your son & you have created a account with Steam. As such that card is linked to the steam account. Did you read the T/C at the time??.
As it now appears your son has been downloading further games.
Have to say he must have know it was costing money as my daughter has a steam acc and it is clear on prices.

So there is no way your bank will be able to assist, as you provided the co with the details.
Sure if they now take anything further you can claim the money back.
But cases like yours are something I see on a all to regular basis.

As I said previously they retailer will not be using the CVV on subsquent transactions.
So will not have stored them.
As to your retailer entering your PIN.... A retailer has no access to your PIN (unless you tell them) even then they would need to enter your card into the terminal to process a chip/PIN trans. So your scenario is way off the mark.
But you are correct in a way. As a retailer till roll has your full card number on, so that could process further transaction on your details (which is how fraudsters get them)

I will answer some of the other questions that have cropped up as well.

i did ask them how £750 worth of payments to 1 online supplier could not have flagged up as unusual account activity especially as it was be a rarely used card. and they couldn't give me an answer

Fraud systems do not look at your spending patterns. They look at known fraud patterns. Do not know about your bank, but Steam is not a retailer that we see fraud to. So would not flag up.

Its an account that i rarely use. maybe 3 purchases this year. usually i would make the purchase then transfer the money back into the account within a few days.

So why use that account then?
TBH. Any account you have you should be checking on at the very least a weekly basis.
Do they not have sms alerts or such you can set up?

grumbler

dalesrider wrote: »

Retailer cannot bypass VBV.... It is a system that they pay Visa extra for.
So any retailer you use that does not use it at their checkout. Is simply not paying Visa for the service... NOT bypassing it.

OK, fine.
So, why do some (most?) retailers use the system and pay extra? Are they just wasting money if they can easily not to use it? Ignoring the word 'bypassing' that is of no importance, what you say in fact supports my argument.

Some retailers use it and pay extra. Other retailers deliberately chose not to use it and to take extra risk of having the transactions reversed.

If Amazons procedure is such a joke. Why, as someone who deals with fraud on a daily basis.

Yes, it is a joke because, as I said, their account security is very week - much weaker than any bank or card security. However, a fraudster getting access to Amazon account can easily use the stored card details for ordering goods and, what's important, to any address, even abroad - not only to the registered address.

To me Amazon are a retailer who take security to a level that other retalers need to llok and learn from

Any real facts supporting this? What I see is just a very short and a very primitive password that will fail strength test at any other financial organisation. Yes, it is financial because they store my card details and allow using them for purchases without any further checks.

So you can access your account with a password. Any breech of this is not Amazons fault, but the fault of the account holder.

Even banks with much higher level of security do offer customers some protection.
It's very easy not to provide an adequate security and to blame customers for everything. Is it really something "to look at and to learn from"?

securityguy

grumbler wrote: »

Some retailers use it and pay extra. Other retailers deliberately chose not to use it and to take extra risk of having the transactions reversed.

That's exactly right, but I fail to see what you see wrong with it. A merchant can choose to use VBV, at a cost, and have fewer transactions reversed. And not just cost paid to the VBV provider, but also in the extra complexity in their website. VBV increases the number of abandoned transactions, by people who are legitimate purchasers but have registered for VBV but forgotten the password, or don't want to register, or got bored after the third screen of payment stuff, or whatever.

Or they can not take that cost, accept that a percentage of transactions will be reversed because of fraud, and make a commercial judgement. But if they're not seeing a harmful level of fraud without VBV, why should they pay to reduce it yet further? Your fish and chip shop probably checks £20 notes carefully, and would refuse a £50 note, but doesn't bother with £5 notes: this isn't because they're in cahoots with forgers, but because it's not on balance worth their while.

Hotels accept bookings without VBV,and, usually, without CV2, even for pre-pay where they never have sight of the card. Even if they take a swipe on check-in, they don't insist it's the same card as was used for pre-pay. Presumably they're seeing a low enough level of card-not-present fraud that it's not worth their while checking.

What I see (for Amazon) is just a very short and a very primitive password.

Mine's sixteen random characters drawn from all the printables, or around a hundred bits of entropy. Out of curiosity I've just changed it to 32 random characters, or about 200 bits of entropy. Amazon use all the characters, too: deleting the last character and using just the first 31 results in a login failure. An adversary able to brute-force that has better things to do than buy stuff with my credit card, given they would control the world's entire IT infrastructure for many millennia and be consuming a significant proportion of all energy available on the planet.

Obviously, password complexity is not a guarantee of security, and password schemes fail for all sorts of other reasons, but it's simply not true to say Amazon use "a very short and very primitive password". If Amazon leaked the password hashes, even if they were unsalted, I'd be pretty relaxed: their password policy allows me to use a password which is essentially immune to brute-force attacks. That's more than I can say of all the websites that limit passwords to 8 letters and numbers: 48 bits is eminently brute-forceable.

Obviously, the weakness now for my account is password recovery, so I need to have a similarly strong authentication mechanism on the linked email account. But Google now offer two-factor authentication, free, so there's no excuse for failure on that front.