As always during the Christmas season, there is a spike in fraudulent charges.  Most of the time they are quite obvious and easy to spot.  In fact, Music Forte has several safeguards in place to prevent such fraudulent charges.  In fact, we're so anal about keeping the site secure that we've gone above and beyond in stringent security measures and even insured the site for up to $250,000 in identity theft.

Regardless, there can always be an out-of-the-ordinary case where there is no rhyme or reason to the crime, making it more difficult to spot.  Let me explain that.  Quite often, thieves will get a card number, but they may not have all of the matching billing details.  They visit an online shop, and start testing different variations of card data.  In most cases, they test with small amounts, so as not to raise too much alert.  Remember, the purpose is just to discover the correct matching information, and then do the damage where it benefits the crook after the matching data is discovered.

Quite often online sites have a throttle on how many transactions can be tried.  For example, IP addresses may be logged, as well as the card number, and after any set number of declines, everything will automatically fail thereafter.  By doing this, the crook does not know the reason for the failure, and assumes that they have just not been able to come up with the correct matching data.  They may ditch the card number and one person may have been saved as a victim of identity fraud thanks to the efforts of the merchant or retailer.

As with every Christmas season, failed attempts were made at Music Forte.  But this time, someone got through.  He had found several stolen card numbers and even had the verification code from the back of the card, which in many cases, means that they actually have the physical card.  This is almost impossible to detect, unless the criminal makes a mistake elsewhere.  And in this case, he did.

Before I continue, let me set something straight.  None of our users cards were stolen.  In fact none of our users cards ever have been.  We do not even store card numbers.  The victims in these cases are people that have never been to Music Forte in their life, and don't even know what Music Forte is.  Their cards were stolen prior to the crook using them at Music Forte, and anywhere else he may have shopped.

Back to the story… As I mentioned, something did not look quite right.  Something that passed all automated security measures, but not the eyes of our billing department.   So we made two immediate calls.  One to our payment gateway company, and one to our merchant processing company.  They both had a look at the information that was currently available, and said that these charges showed no sign of malicious activity.

Regardless, we could not ignore our suspicions and we wanted to investigate the matter further.  Our immediate attempts to contact the cardholders by phone and email were unsuccessful, and so we took the advice of our bank, who noted that all of the transactions we mentioned were coming from CitiBank cards.  We were given the number of their fraud department, and told that the company would further investigate on behalf of their cardholders (or so we had thought.)

And so the frustrations began. 
We called three times (enjoying a total of at least 60 minutes of hold time.)  There were several transferred calls.  Most importantly, there was a lot of time wasted on something that should follow a simple protocol.  The first two times we called, we were convinced that we only had the misfortune of speaking with someone who was completely dense.  However, after speaking with the third person in the fraud department and receiving the same answer, it became evident that CitiBank employees may not actually be stupid; they might just actually not care about the protection of their cardholders.

We had identified ourselves clearly, and we provided our reasons for suspecting that the charges were fraudulent.   CitiBank did not question our reason for calling at all.  We kindly asked that they call the cardholders that we provided to them and verify their charge.  We explained that we did not want any chargebacks, and we also wanted to provide a courtesy to the cardholders who may potentially have had their cards stolen.  In all three instances we were told that they absolutely do not contact their customers for that reason – but they thanked us for being "pro-active".  We questioned their system on preventing fraud (during our phone discussions) bemused by their security standards. We also pointed out to them that it was quite common for a credit card company or bank to verify a suspicious transaction by calling the cardholder.  I personally have received such calls before (but never from CitiBank).

Again, we were told that they would not contact their cardholders to verify a charge that we were reporting as suspicious.  Does that not completely undermine the reason for setting up a fraud department?  What is the point of having one, if they do so little to prevent it?

As a result, we ended up voiding almost all of the suspicious transactions.  Five of them were left, as we had been assured that they looked to be legitimate, and we did not have (at the time) any conclusive evidence that they were fraudulent.

1 month later…
Boom!  Citibank charges back the amounts, stating that the cardholder's cards had been stolen!   Aside from the fact that this resulted in an unnecessary penalty to merchants such as ourselves, it is much sadder that CitiBank would not use the resources of their fraud department to contact the cardholders and verify the charge as we requested.  We wrapped this up, tied it with a bow, and delivered it on their laps, so that they might do something to prevent the theft before it occurred. Who knows how much damage was done?  Music Forte may have been just a dimple in a slew of charges that preceded or followed. Of course we were charged penalty fees for these chargebacks.  Hmm… I wonder if Citibank made any money from that?

Thank you Citibank, we will be sure to let our readers know of this experience before they decide to bank with you in the future.