This morning, I noticed some odd charges on my VISA card. They were attributed to sites such as videosupport1.com, bngvsupport.com, paysupport1.com, bdpayhelp.com. I called up my bank. They gave me the phone number of the company behind these pay sites and told me to ask what the charges were for.

I called the company behind these sites and they were very nice. They listed about a dozen porn sites that I was a member of. (Update: I don’t actually know that they are porn sites. I assume they are. The company behind sites such as videosupport1.com is a large porn company.) Apparently, someone used my name, my card number and email address.

Of course, I never got any email about this. There is no mention anywhere in my inbox that I subscribed to these sites. VISA never checked with me.

I called back my bank as this is a clear case of fraud. There was a pause. Then the agent started arguing with me that fraudsters do not use stolen card numbers for porn sites, and when they do they never use the owner’s name and email address. They told me that even if they tried to declare it as fraud, it would be contested and amount to nothing. Basically, they told me that it was my problem. They did not even offer to block my credit card to prevent further transactions.

Effectively, it appears that the burden of proof is on me to show that I did not subscribe to a dozen porn sites. How do you prove such a thing? You do not.

It seems to me that it is backward… they should have to prove that I did, indeed, subscribe to these services.

Note: Christopher Smith pointed out that the fact that it was porn made me less credible. Apparently, lots of men are caught by their significant other buying porn and they then deny having done so.

Update: After two more phone calls, another agent agreed that the charges were suspicious and marked them as fraud. I offered access to my email account (gmail) and pointed out that I never bought porn before (as they can readily verify), and certainly not hundreds of dollars worth.

As a computer scientist, this story troubles me somewhat. One thing that computer scientists are very worried about is protocols that are open to abuse. I knew about the danger of identity theft and online fraud, but I always assumed that credit-card vendors took this seriously. As we transition to an e-commerce economy, such weak security will come back to haunt us.

Update 2: I estimate the fraud at $290. I will recover most of it.

8 Comments »

  1. You should still try to challenge the porn companies. They failed to verify the email address the fraudster(s) used. This is a privacy issue. If your country has a consumer privacy organization, file a complaint to them. Let the porn companies know you are a hard cheese, probably they will refund you from their side. Same should be done to your bank too, but banks usually operate according to the law, so it’s hard to bring them to their knees if the law states it’s your responsibility.

    Comment by Elliot — 17/12/2013 @ 11:36

  2. @Elliot

    I don’t know what the law states, but it seems clear that I have limited responsibility. Of course, in this case, the fraud is relatively small (a few hundred dollars).

    I don’t know where the porn companies are based, but the company that accepted payment is in the US and I am Canadian.

    Comment by Daniel Lemire — 17/12/2013 @ 11:44

  3. Posted this on G+ as well.

    Join the club. I was fortunate enough that my card wasn’t used for porn sites, but for far more pedestrian things. I claimed fraud and they started an investigation. It took two months, but they did reach the conclusion that it was indeed fraud and I was reimbursed. Even if they won’t believe fraud, you can make a credible claim that you didn’t receive the goods and therefore demand a charge back.

    My suspicion is that because it was porn sites, they were skeptical, as it isn’t all that uncommon for porn sites to get fraud claims once a significant other or some such sees curious names on the bill. I think it is a trivial amount of work to get the IP addresses tied to the signups/purchases on the sites. If they all correlate back to your home, workplace, or surrounding area, I could understand skepticism on the part of the credit card company. Unless your machine itself was compromised though, I’d expect it is far more likely the IPs aren’t even tied to the country, so you’ll have an excellent case for demonstrating fraud (you and I may know how to fake that, but it’d be seriously weird to go to that kind of trouble). I’d be curious about user agents too. If the hack was pulled off by compromising your computer, you may have a bit more trouble.

    The other thing that ought to make for a very strong case is the fact that somehow, with no prior like behaviour, you created multiple charges all at once, to one merchant, and no others. This is much more consistent with fraudsters running a stolen card than a real customer.

    As I understand the terms of credit card merchant agreements (and I’ve been on the merchant side of this more than once), if a customer initiates a chargeback, then the burden of proof is actually on the merchant, not the customer. If a bunch of customers all initiate chargeback claims, it gets particularly messy for the merchant. The porn industry folks are used to this stuff, so they may put up a fight more than most, but if you play hard ball with the merchant, they usually will investigate it on their end (probably nothing more than checking IPs and user agents, but still, that would go a long way) and reimburse you whatever you want rather than risk a chargeback. I would think they could at least share the information and time of day information with you, and close out any accounts associated with your credit card.

    I looked up the whois information for one of the domains and got back BangBros, which is a pretty established porn producer, so it seems unlikely they are directly in on the scam (it is always possible an employee is running their own scam). Since they are in the US, that means this constitutes wire fraud, so you can go to the FBI (who are much more sophisticated about this kind of thing). Particularly if your e-mail address is involved, there is reason to believe that you will next see your personal information sold for identity theft (seriously, once you have an e-mail and a credit card number, how hard do you think it is to get the rest of your information? and in your case there is plenty of public information out there too), so there is good reason for them to at least open a file on your case. If they reach any conclusions, this can obviously be used to validate that this is fraud.

    You should probably call your bank(s), etc. and have them put a hold on any new requests for lines of credit associated with your identity. It may take several months to show up, but odds do not favour this being the last case of fraud from this incident.

    Comment by Christopher Smith — 17/12/2013 @ 12:25

  4. Here in Brazil, as oddly as one might think, it is somewhat easy to get the money back. The credit card companies and the commercial establishment have the liability of verifying the transactions.

    If a consumer states a transaction as fraud, he won’t have to pay for it until proven otherwise; which makes more sense.

    Of course the companies don’t make that as simple as it should be, but most cases are solved a lot easier than what you had to stand.

    Comment by Fabricio — 18/12/2013 @ 6:20

  5. Let me re-iterate what Chris says in the last paragraph: you absolutely need to make sure the banks know not to approve credit with your information. Do the same with the large credit bureaus – I know for sure that Experian, Equifax and Trans Union all have Canadian branches. Contact them and block your file with a password or you might find your credit score ruined.

    Comment by Marcel Popescu — 18/12/2013 @ 7:00

  6. Your credit card was probably one of thousands being used for affiliate fraud. The big porn sites have affiliate programs, where people who refer paying customers get paid a percentage. The scam is to steal a lot of credit card numbers and use them to make purchases via these routes, and ideally they will be paid by the program before the owners of the stolen credit cards notice the fraudulent charges and initiate a chargeback. Since time-to-dispute may be as much as 50 days, it’s an effective gamble.

    Comment by Justin Dossey — 18/12/2013 @ 10:53

  7. I do think it’s ridiculous that credit card companies put the burden of proof on their customer, however I understand why. It’s simply more cost effective to make the customer do the leg work than pay someone to do it. At least the first “gate” of the cases is to make the customer contest it (There are so many customers that even losing thousands of customers over various “burden of proof” cases, it might only represent .001% of their revenue).

    I guess it seems a little short-sighted for developers not to have incorporated the storage of both the merchant’s and the purchaser’s IP address on an electronic card transaction (maybe there are legal issues??). That would have made it much easier for the customer service person to see that the purchaser’s IP address is not near your home.

    Comment by David Allyn — 18/12/2013 @ 11:51

  8. “How do you prove such a thing? You do not.”

    Actually, one useful way to prove such things I found in Michael Lewis’s Liar’s Poker. I’ve used the methodology in the past, and it has saved my ass a few times. Lewis did his undergraduate degree in Art History, and the method is similar to how art historians prove provenance of an art piece (used under specific conditions of course). If someone has copied a particular art piece, and you are suspicious that they actually produced the piece, you ask them to re-do a similar piece. Lewis did this while working on Wall Street in the 1980s when someone plagiarized some financial analysis work that was well received by his bosses. He complained about the plagiarization, and the burden of proof was shifted onto Lewis to prove that it was his piece. Via his art history knowledge, he asked the plagiarizer to redo a separate analysis, while he did the same. While it can never show conclusive proof that he did the original analysis, it did show that he had the chops to do a separate piece, while the plagiarizer didn’t.

    Notice how you offered them access to your email account. That’s the sort of thing that mirrors the art history method. Build up a solid history of events (internet history, credit card history, bank history), and show that you didn’t actually partake in the events, and that the event in question matches a separate “artist”.

    Comment by Daniel — 23/12/2013 @ 22:23
