[Rhodes22-list] Shoddy credit card security

ben benonvelvetelvis at theskinnyonbenny.com
Fri Oct 24 00:21:17 EDT 2008


I'm not big on donating money to campaigns through any method.  If I believe
in a candidate (or any cause for that matter), I'd prefer to volunteer my
time and energy. 

I was shocked at the number of people who signed up for a text message to
find out when the VP candidate was chosen.  What did they think the campaign
is going to do with all of their cell phone numbers?  I'm quite sure they
didn't dispose of them.  God only knows where that database of numbers will
fall in 8, 12, 16, etc. years.

Fools almost deserve all of the junk calls they get for the rest of their
lives.

-----Original Message-----
From: rhodes22-list-bounces at rhodes22.org
[mailto:rhodes22-list-bounces at rhodes22.org] On Behalf Of Brad Haslett
Sent: Thursday, October 23, 2008 22:06
To: The Rhodes 22 Email List
Subject: Re: [Rhodes22-list] Shoddy credit card security

Ben,

Follow up report-

One thing I learned from my old boss at CFS in Little Rock in the late
70's is never, never, ever do anything on credit with a political
campaign. Obama is living on the "float".

Brad

----------------

BarackObama.com's Lax Security Opens Door to Online Donor Fraud


by Patrick Ruffini | October 23, 2008 at 2:26 PM


I just contributed $5 to Barack Obama.

I didn't want to. Ideally, I could have contributed $0.01 and cost
them money. But it was the only way to confirm the root cause of the
fraudulent micro-donations to the Obama campaign ("Doodad Pro" for
$17,300 and "Good Will" for $11,000).

The Obama campaign has turned its security settings for accepting
online contributions down to the bare minimum -- possibly to juice the
numbers, and turning a blind eye towards the potential for fraud not
just against the FEC, but against unsuspecting victims of credit card
fraud.

The issue centers around the Address Verification Service (or AVS)
that credit card processors use to sniff out phony transactions. I was
able to contribute money using an address other than the one on file
with my bank account (I used an address I control, just not the one on
my account), showing that the Obama campaign deliberately disabled AVS
for its online donors.

AVS is generally the first line of defense against credit card fraud
online. AVS ensures that not only is your credit card number accurate,
but the street address you've submitted with a transaction matches the
one on file with your bank.

Authorize.net, the largest credit card gateway provider in the
country, lists AVS as a "Standard Transaction Security Setting,"
recommends merchants use it, and turns it on by default. So, in order
for AVS to be turned off, it has to be intentional, at least with
Authorize.net.

Authorize.net's website describes it this way:

    Bankcard processors implemented the Address Verification Service
    (AVS) to aid merchants in the detection of suspicious transaction
    activity. The payment processing network compares the billing address
    provided in the transaction with the cardholder's address on file at
    the credit card issuing bank. The processing network returns an AVS
    response code that indicates the results of this comparison to the
    payment gateway. You can configure your account to reject certain
    transactions based on the AVS code returned. For example, the AVS code
    "A" indicates that the street address matched, but the first five
    digits of the ZIP Code did not.

The end result? "Donors" like "Doodad Pro" can submit tons of
donations totaling well above the $2,300 limit using different bogus
addresses (this does clarify how donations from "Palestine", or PA,
got through). And the campaign has no way to reliably de-dupe these
donations, besides looking at the last four digits of the credit card
number, which with 3.1 million donors is an identifier that could be
shared by literally hundreds of donors, and is not as easy to eyeball
as a common name or address would be. The ability to contribute with
a false address, when the technology to prevent it not only exists but
comes standard, is a green light for fraud.

One could understand the oversight prior to the bogus donor story
breaking. But you'd think they would have taken measures to step up
their donor security in the aftermath of the revelations. Having AVS
turned on would have stopped or significantly deterred the fraudulent
donations (or, at a very minimum, made them easily detectable). By
turning this basic setting off, the Obama campaign invited this kind
of fraud and has taken no steps to correct it.
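As an added illustration (not code from the post, the quoted article, or Authorize.net), here is a minimal Python model of the AVS flow the article describes: the processing network compares the submitted billing address with the issuer's record and returns a code, and only a merchant-side setting decides whether a mismatch is rejected. The card number, names and issuer record are constructed; only code "A" is quoted on the page, the other codes are assumed from Authorize.net's published list.

```python
from dataclasses import dataclass

# AVS result code -> (street matched, 5-digit ZIP matched). Only "A" is quoted
# on the page; the others are assumed from Authorize.net's published list.
AVS_CODES = {"Y": (True, True), "A": (True, False),
             "Z": (False, True), "N": (False, False)}
CODE_FOR = {v: k for k, v in AVS_CODES.items()}

# Constructed issuer record: the address the cardholder's bank has on file.
ISSUER_ON_FILE = {"4111111111111111": {"street": "10 Main St", "zip5": "72201"}}

@dataclass
class Donation:
    donor: str
    card_number: str
    street: str
    zip5: str
    amount_cents: int

def avs_response(d: Donation) -> str:
    """Simulate the processing network: compare the submitted billing address
    with the issuer's record and return an AVS response code."""
    rec = ISSUER_ON_FILE[d.card_number]
    street_ok = rec["street"].casefold() == d.street.casefold()
    zip_ok = rec["zip5"] == d.zip5
    return CODE_FOR[(street_ok, zip_ok)]

def gateway_decision(d: Donation, avs_enabled: bool, reject_codes: frozenset) -> str:
    """Merchant-side setting: with AVS off the response code is never
    consulted, so a charge with a made-up billing address is accepted."""
    code = avs_response(d)
    if avs_enabled and code in reject_codes:
        return f"rejected (AVS {code})"
    return f"accepted (AVS {code})"

# Constructed: a bogus-name donation on a real card with an address the issuer
# has never seen, the pattern the article attributes to "Doodad Pro".
BOGUS = Donation("Doodad Pro", "4111111111111111", "1 Fake Way", "00000", 500)
STRICT = frozenset({"A", "Z", "N"})  # reject anything short of a full match

def compare_settings(d: Donation = BOGUS) -> dict:
    """Same transaction under both merchant settings."""
    return {"avs_off": gateway_decision(d, False, STRICT),
            "avs_on": gateway_decision(d, True, STRICT)}

if __name__ == "__main__":
    for setting, result in compare_settings().items():
        print(f"{setting:7} -> {result}")
```

With the same card and the same mismatched address, the only thing that changes the outcome is the merchant's AVS setting, which is the article's point.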