
Fraud Detection and Prevention

Week of September 1, 2005

Don't let the wrong merchant unlock your store.

Identity theft and fraud are way up on the planet. They've been the most popular crimes for years now. And what with online purchasing gaining momentum, they're creating chaos.

There are three basic ways an online fraud can take place.

  1. The cardholder wants something he can't afford. He purchases it and then immediately notifies his bank that the card has been stolen - either that or he waits until he gets his monthly statement and then simply disavows knowing anything about the transaction.

  2. 'Family fraud': a member of the cardholder's household 'borrows' the card to make the purchase; then when the monthly statement arrives, and whether or not the purchaser keeps silent about what he's done, the cardholder calls his bank and simply says he does not recognise the transaction. This is the most common form.

  3. The cardholder is typically running Microsoft Windows and gets his credit card information stolen, or in some other way shows irresponsibility in taking care of his card.

In all three cases it's the cardholder who's to blame, but the way some less conscionable merchants work it, it becomes the vendor who's to blame.

The better merchants will be there for you: they'll have staff continually trained in fraud detection inspecting each transaction manually - even after it's passed through the electronic system with a 'heads up'. Countless frauds are stopped in this way.

The better merchants will absorb any and all chargeback fees because they know it's ultimately their fault that frauds get through. If a card is reported as stolen, a hold goes on the account immediately - as soon as the report is made. Within minutes. Seconds even. The one case where fraud will work is if the cardholder is not aware there's been a theft.

The credit card companies cannot assign chargeback fees simply because their cardholders are idiots - but when it's a case of flagrant negligence on the part of the merchant - such as in the following scenario - they will.

Kagi

Kagi are an online merchant. A respected online merchant even. But few people read the fine print and when disaster hits it's too late.

Kagi don't monitor their transactions. They automate as much as possible to hold their staff costs down. People come into the Kagi office every second or third day to respond to the mail. Whatever goes through the system goes through. If it's a case of clear fraud, Kagi are not there to protect you.

And why should they? You didn't read the fine print, did you? If there are any charges for any mishaps, Kagi pass these expenses onto you - costs they themselves are responsible for.

So why protect the vendors? Why indeed? Unassailable logic - that protects only the pocketbook of Kagi CEO Kee Nethery.


The following three transactions were 'perpetrated' on the unprotected Kagi system. The first attempt at fraud is embarrassingly obvious.

Currency: CAD
Total Amount: 180.19
Register Version: Data-IZ
Purchaser Name: mike oler
Purchaser Email: psycho_idiot_2005@yahoo.com
Products: Extreme_Power_Tools_1_Client-1-139.00
Postal: 34 fuckoff road fw, edmonton manitoba t1k3d4, Canada
Time Stamp: I488851463
Payment Source: woofwoof.kagi.com
Date Processed: 2005-06-04 00:00:06 Etc/GMT
Processor: 70.65.161.0
Payment Method: card
Card Number: XXXXXXXXXXXX2906
Card Expiry: XXXX
Card Name: wayne shearee
CCaddr: 34 fuckoff road fw, edmonton manitoba t1k3d4, Canada
CCzip: t1k3d4
Register Number: rixstepXPT1-0000  ,
Card Type: mastercard
Verified: 244
Transaction ID: CHG57GH22WRS
Note: SSL from 70.65.161.0 via KOOP 4.9.8en for supplier NMF1.

A decent online merchant would have immediately flagged:

  • The credit card number and expiry.
  • The name of the purchaser ('mike oler').
  • The fact that the names are not the same.
  • The name of the cardholder ('wayne shearee').
  • The IP used in the SSL connection (70.65.161.0).

Kagi did nothing of the sort. Kagi don't have people monitoring their transactions. If someone steals a credit card and uses it to steal your wares, Kagi do not pay - you do. (It's in the contract you didn't read.)

2nd Attempt

This particular hacker was back again - ten minutes later, running on the same IP, using the same name, invoking the same cardholder name, card number and expiry - the works. All he changed was the address. Kagi were not there to stop it. It went through.

Kagi Deposit Group: 34005300
User Purchase Date: 2005-06-04 00:09:19 Etc/GMT
Currency: CAD
Total Amount: 180.19
Register Version: Data-IZ
Purchaser Name: mike oler
Purchaser Email: darken@telus.net
Products: Extreme_Power_Tools_1_Client-1-139.00
Postal: 342 king re, edmonton alberta t1k3e4, Canada
Time Stamp: I488852015
Payment Source: woofwoof.kagi.com
Date Processed: 2005-06-04 00:09:19 Etc/GMT
Processor: 70.65.161.0
Payment Method: card
Card Number: XXXXXXXXXXXX2906
Card Expiry: XXXX
Card Name: wayne shearee
CCaddr: 342 king re, edmonton alberta t1k3e4, Canada
CCzip: t1k3e4
Register Number: rixstepXPT1-0345,
Card Type: mastercard
Verified: 302
Card Processor: Kagi-02SJ
Transaction ID: CHGAMY28PEP3
Note: SSL from 70.65.161.0 via KOOP 4.9.8en for supplier NMF1.

This one went through - it shouldn't have because the first attempt should have flagged almost everything. But Kagi aren't there, and they don't care what happens - it doesn't affect them at all.

And only six minutes later, the same hacker hit again - and again it went through.

3rd Attempt

Kagi Deposit Group: 34005300
User Purchase Date: 2005-06-04 00:15:11 Etc/GMT
Currency: CAD
Total Amount: 232.05
Register Version: Data-IZ
Purchaser Name: mike oler
Purchaser Email: darken@telus.net
Products: Extreme_Power_Tools_Family_Licence-1-179.00
Postal: 1111 11th ave north, lethbridge alberta t1kmt8, Canada
Time Stamp: I488852367
Payment Source: woofwoof.kagi.com
Date Processed: 2005-06-04 00:15:11 Etc/GMT
Processor: 70.65.161.0
Payment Method: card
Card Number: XXXXXXXXXXXX2906
Card Expiry: XXXX
Card Name: wayne shearee
CCaddr: 1111 11th ave north, lethbridge alberta t1kmt8, Canada
CCzip: t1kmt8
Register Number: rixstepXPT1-0346,
Card Type: mastercard
Verified: 302
Card Processor: Kagi-02SJ
Transaction ID: CHZ851DVJXP8
Note: SSL from 70.65.161.0 via KOOP 4.9.8en for supplier NMF1.

That's quite a booty in the space of sixteen minutes. Kee Nethery, Ty Shipman, Jesse, and all the rest (not) at Kagi were at home peacefully asleep.
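The checks a decent merchant should have run on these three records, and the pattern of the second and third attempts (same IP, same card, a new billing address every few minutes), written out as screening rules. This is an added example, not Kagi's or Radsoft's code; it covers only what the merchant's own transaction data can show (name mismatch, card velocity, address churn), not the stolen-card and IP-reputation lookups the flags above would also need, and the 30-minute window and rule names are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed from the three Kagi records quoted above (card digits masked exactly as
# Kagi masks them); only the fields the screening rules below need are kept.
SAMPLE = [
    {"Transaction ID": "CHG57GH22WRS", "Date Processed": "2005-06-04 00:00:06 Etc/GMT",
     "Purchaser Name": "mike oler", "Card Name": "wayne shearee",
     "Card Number": "XXXXXXXXXXXX2906", "Processor": "70.65.161.0", "CCzip": "t1k3d4"},
    {"Transaction ID": "CHGAMY28PEP3", "Date Processed": "2005-06-04 00:09:19 Etc/GMT",
     "Purchaser Name": "mike oler", "Card Name": "wayne shearee",
     "Card Number": "XXXXXXXXXXXX2906", "Processor": "70.65.161.0", "CCzip": "t1k3e4"},
    {"Transaction ID": "CHZ851DVJXP8", "Date Processed": "2005-06-04 00:15:11 Etc/GMT",
     "Purchaser Name": "mike oler", "Card Name": "wayne shearee",
     "Card Number": "XXXXXXXXXXXX2906", "Processor": "70.65.161.0", "CCzip": "t1kmt8"},
]

WINDOW = timedelta(minutes=30)  # assumed velocity window; tune it to your own volume


def when(record):
    """Kagi stamps 'YYYY-MM-DD HH:MM:SS Etc/GMT'; the first 19 characters are the time."""
    return datetime.strptime(record["Date Processed"][:19], "%Y-%m-%d %H:%M:%S")


def screen(records):
    """Return {transaction id: sorted flags}; history is keyed by the masked card number."""
    history = defaultdict(list)  # card -> [(time, ip, zip)] for already-processed sales
    verdicts = {}
    for r in sorted(records, key=when):
        t, flags = when(r), set()
        # Rule 1: the person paying is not the person named on the card.
        if r["Purchaser Name"].strip().lower() != r["Card Name"].strip().lower():
            flags.add("purchaser_cardholder_mismatch")
        for prev_t, prev_ip, prev_zip in history[r["Card Number"]]:
            # Rule 2: the same card is run again within the window.
            if t - prev_t <= WINDOW:
                flags.add("card_reused_within_window")
            # Rule 3: same card, same IP, but the billing address has moved.
            if prev_ip == r["Processor"] and prev_zip != r["CCzip"]:
                flags.add("same_ip_new_billing_address")
        history[r["Card Number"]].append((t, r["Processor"], r["CCzip"]))
        verdicts[r["Transaction ID"]] = sorted(flags)
    return verdicts


if __name__ == "__main__":
    for tx, flags in screen(SAMPLE).items():
        print(tx, "HOLD FOR REVIEW" if flags else "ok", flags)
```

Every one of the three sales trips at least one rule, and the second and third trip all three, which is the point: a hold on the first mismatch would have stopped the lot.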

Two Days Later...

Two days later our own mail to the non-existent address 'darken@telus.net' bounced - there is no such address. First warning light (we have not seen the first attempt at fraud and Kagi aren't telling).

We contact Kagi. Kagi try to use the address. Kagi do not look at the fraud attempts as they should - they don't do anything. They simply wait - and after another day or two, even their mail bounces.

At this stage (at the very latest) a merchant should cancel the purchase. The merchant should also begin checking the logs for possible fraud. Conscionable merchants will in fact inform the vendor and recommend an immediate cancellation.

Kagi do nothing.

Two Months Later...

Two months later Jesse from Kagi writes and tries to explain what's happened. Get a clue: Kagi can at any time waive a chargeback fee - especially if they're at fault - and most good merchants don't have chargeback fees passed on to their vendors anyway.

But most good merchants protect their vendors. Kagi do not. Kagi play high stakes.

Jesse (or one of his associates) will give you the most incredible and elaborate run-around, all in an attempt to get you to accept the fact that you are now going to contribute money to Kagi's employee fund.

When all that's happened is that Kagi let someone steal from you. They did not protect you. They didn't even try. And now, as icing on the cake, they want you to pay their 'negligence' fees.

Read the fine print - and if you can't find it, ask questions. And don't settle for anything not perfectly clear and in print and in public. Make sure of that.

And don't let the wrong merchant unlock your store.

Postscript: Kagi Responds

Kagi's response to these accusations is curt, feeble, and evasive.

We're a small company of twenty-five - we can't possibly monitor all transactions.

[All responsible companies monitor all transactions regardless of size. Some are only half the size of Kagi and they still do it.]

At least they admit screwing up.

Postscript: Redefining Fine Print

Kagi choose to post their vendor contract not at kagi.com but off-site. Some of the juiciest pieces of this incredibly slimy legalese are the following. Given this much flexibility, what would a vendor have to lose?

6.2

Payment Servicing Fees. You are liable for all 'Payment Servicing Fees'. Payment Servicing Fees may include any amounts incurred by Kagi in handling Customer requests, such as, but not limited to, returned check fees, credit card refunds, credit card chargebacks, fees and penalties associated with chargebacks, long distance phone or fax charges, postage supplies, costs associated with conversion of currency, legal expenses, and document delivery. Payment Servicing Fees may also include any amounts paid by Customers to Kagi for the delivery of written receipts.

6.3

Excessive Customer Support Fees. Kagi has the right to designate no more than one out of every four hundred (400) active Kagi Suppliers as Suppliers whos [sic] product sales generate excessive and unneccessary customer support. Excessive customer support means that in Kagi's opinion, compared to all other Product sales, a very high percentage of all Product sales for a specific Supplier require some after sales interaction between Kagi employees and the purchasing Customer or the Product Supplier. Unneccessary customer support means that in Kagi's opinion, suggestions by Kagi to the Product Supplier that should minimize customer support needs have not been implemented to Kagi's satisfaction. Such designation would be proceeded with two or more communications from Kagi to the Supplier, beginning four (4) weeks prior to the designation, warning of the reasons for this potential designation and actions that can be taken by the Supplier to avoid the designation. A Supplier designated as causing excessive and unneccessary customer support will be charged an additional one percent (1.00%) monthly of all sales until the designation is removed by Kagi at Kagi's sole discretion.

6.4

Effective Date. For existing suppliers, as of December 1, 2005, this Product Supplier Agreement replaces all prior Product Supplier Agreements, including Product Supplier Agreements that may have been modified as set forth in Section 14.7, 'Entire Agreement; Miscellaneous'.

9.1

Limitation on Warranties. Kagi makes the following disclaimers of warranty:

9.1.a
Kagi makes no warranty that the Kagi Services, Kagi Technology or Kagi Sites will meet your requirements, or that the Kagi Services, Kagi Sites or use of Kagi Technology will be uninterrupted, timely, secure, or error free. Kagi makes no warranty as to the results that you may obtain from the use of the Kagi Services, Kagi Sites or Kagi Technology or as to the accuracy or reliability of information obtained through the Kagi Services, Kagi Sites or Kagi Technology.
9.1.b
You understand and agree that there are inherent limitations with secure transaction processing over the Internet, and you agree to determine whether the Kagi Services, Kagi Sites and the Kagi Technology meet your required level of security. Any breaches of security or delays in data transmissions related to the Kagi Services, Kagi Sites or Kagi Technology are at your sole risk and Kagi expressly disclaims any liability as to such a delay or security breach.
9.2
KAGI PROVIDES THE KAGI SERVICES, KAGI SITES AND KAGI TECHNOLOGY AS DESCRIBED IN THIS AGREEMENT 'AS IS' AND ON AN 'AS AVAILABLE' BASIS WITHOUT ANY WARRANTIES OF ANY KIND. YOU EXPRESSLY AGREE THAT YOUR USE OF THE KAGI SERVICES, KAGI SITES AND KAGI TECHNOLOGY IS AT YOUR SOLE RISK. EXCEPT FOR THOSE WARRANTIES WHICH CANNOT BE DISCLAIMED UNDER APPLICABLE LAW, KAGI EXPRESSLY DISCLAIMS ALL WARRANTIES, CONDITIONS AND REPRESENTATIONS OF ANY KIND, WHETHER EXPRESS OR IMPLIED IN FACT OR BY OPERATION OF LAW, STATUTORY OR OTHERWISE, AS TO ANY MATTER WHATSOEVER INCLUDING, WITHOUT LIMITATION, ANY AND ALL WARRANTIES, CONDITIONS AND REPRESENTATIONS OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. IN NO EVENT WILL WARRANTIES PROVIDED BY LAW, IF ANY, APPLY, UNLESS THEY ARE REQUIRED TO APPLY BY STATUTE NOTWITHSTANDING THEIR EXCLUSION BY CONTRACT. You expressly agree that your use of Kagi Services, Kagi Sites and Kagi Technology is at your sole risk.
Copyright © Radsoft. All rights reserved.