American Express has judged that I am liable for a US$243 online purchase that I didn't make. Thus began an unwelcome lesson in convenience-centered authentication, the security of e-commerce, and the hot potato of accountability.
The frustrating saga began when, earlier this year, I received a letter from a brick-and-mortar shoe retailer informing me that an employee had made off with its customers' credit card records. I was also informed that the retailer notified the credit card companies. This letter arrived a full month after a fraudulent charge appeared on my bill because, the shoe store explained, it took a few weeks to match my credit information with my address. To exploit my card, the thief used cutting-edge hacker technology along the lines of an AOL account. Meanwhile, American Express did next to nothing.
The instant I saw the fraudulent charge on my bill, I called AmEx to contest the charge. That's that, right? Nope.
I've had to do this a couple of times before. My call kicks off a lightning-quick investigatory process, after which AmEx wipes the charge off my bill. (I've been nailed before by sleazy phone card operators who don't care about chargebacks that stick them with the cost of bogus purchases. Because many victims don't check their bills, the thieves come out ahead.)
In this case, the thief took my card number to a major online electronics merchant who proceeded to get an authorization code from AmEx. By circular logic, a purchase that gets an electronic approval from American Express is de facto valid. When I called to contest the charge a second time, I was told that I must have made the purchase because only the cardholder could have completed the disputed transaction. But it's worse than that. I am required to pay the disputed bill, so my check to AmEx might be seen as a tacit confession that I attempted to scam AmEx into reversing a legitimate charge. Twice. So the call center guy for that second call was running a script for fending off a would-be defrauder, namely, me.
AmEx's electronic transaction authentication relies on a process called AVS, or Address Verification Service. When I go to Target to buy toothpaste and pay with AmEx, I have to sign and show them my driver's license. Target doesn't want to pay chargebacks, and I don't want some fool using my card, so the clerk requests to see my license and they can check my birthmarks for all I care. To buy a US$200 motherboard online and pay US$43 to drop-ship it overnight, however, all the thief needed was my ZIP code to get two e-commerce powerhouses to ignore at least three red flags of fraud.
When striking a balance between security and convenience, I favor security. AmEx briefly offered a system that assigned a single-use card number for online use. I loved it and used it religiously until it was canceled.
It shouldn't be too much to request an online PIN that I can change between purchases. I'd also like to have the ability to set up my account so that the AVS always refuses drop-ship purchases and informs me immediately when someone tries to make one.
I realize many people would wail if they were subject to rigorous authentication for online purchases. Let them. No one should have to pay for all these lax policies.