[Rhodes22-list] Shoddy credit card security

Brad Haslett flybrad at gmail.com
Thu Oct 23 23:06:14 EDT 2008 

Ben,

Follow up report-

One thing I learned from my old boss at CFS in Little Rock in the late
70's is never, never, ever do anything on credit with a political
campaign. Obama is living on the "float".

Brad

----------------

BarackObama.com's Lax Security Opens Door to Online Donor Fraud


by Patrick Ruffini | October 23, 2008 at 2:26 PM


I just contributed $5 to Barack Obama.

I didn't want to. Ideally, I could have contributed $0.01 and cost
them money. But it was the only way to confirm the root cause of the
fraudulent micro-donations to the Obama campaign ("Doodad Pro" for
$17,300 and "Good Will" for $11,000).

The Obama campaign has turned its security settings for accepting
online contributions down to the bare minimum -- possibly to juice the
numbers, and turning a blind eye towards the potential for fraud not
just against the FEC, but against unsuspecting victims of credit card
fraud.

The issue centers around the Address Verification Service (or AVS)
that credit card processors use to sniff out phony transactions. I was
able to contribute money using an address other than the one on file
with my bank account (I used an address I control, just not the one on
my account), showing that the Obama campaign deliberately disabled AVS
for its online donors.

AVS is generally the first line of defense against credit card fraud
online. AVS ensures that not only is your credit card number accurate,
but the street address you've submitted with a transaction matches the
one on file with your bank.

Authorize.net, the largest credit card gateway provider in the
country, lists AVS as a "Standard Transaction Security Setting,"
recommends merchants use it, and turns it on by default. So, in order
for AVS to be turned off, it has to be intentional, at least with
Authorize.net.

Authorize.net's website describes it this way:

    Bankcard processors implemented the Address Verification Service
(AVS) to aid merchants in the detection of suspicious transaction
activity. The payment processing network compares the billing address
provided in the transaction with the cardholder's address on file at
the credit card issuing bank. The processing network returns an AVS
response code that indicates the results of this comparison to the
payment gateway. You can configure your account to reject certain
transactions based on the AVS code returned. For example, the AVS code
"A" indicates that the street address matched, but the first five
digits of the ZIP Code did not.

The end result? "Donors" like "Doodad Pro" can submit tons of
donations totaling well above the $2,300 limit using different bogus
addresses (this does clarify how donations from "Palestine", or PA,
got through). And the campaign has no way to reliably de-dupe these
donations, besides looking at the last four digits of the credit card
number, which with 3.1 million donors is an identifier that could be
shared by literally hundreds of donors, and is not as easy to eyeball
like a common name or address would be. The ability to contribute with
a false address, when the technology to prevent it not only exists but
comes standard, is a green light for fraud.

One could understand the oversight if prior to the bogus donor story
breaking. But you'd think they would have taken measures to step up
their donor security in the aftermath of the revelations. Having AVS
turned on would have stopped or significantly deterred the fraudulent
donations (or, at a very minimum, made them easily detectable). By
turning this basic setting off, the Obama campaign invited this kind
of fraud and has taken no steps to correct it.

More information about the Rhodes22-list mailing list