BrainTrust Query: LLBean.com – No Valid Address Required. Oops!

Through a special arrangement, presented here for discussion is a summary of a current article from StorefrontBacktalk, a site tracking retail technology, e-commerce and mobile commerce.

L.L.Bean will let online customers complete a purchase with only a payment card number and expiration date — no name, billing address match or other authentication required. A number-and-expiration-date-only policy for card-not-present transactions could be a major problem today: With huge numbers of consumers walking around with contactless payment cards in their wallets, thieves can brush up against purses and backsides in any crowd and collect card data automatically.

Contactless backers have always pooh-poohed this as a security threat, pointing out that customer names, security codes and other authentication information isn’t transmitted by the cards. But if retailers are only relying on numbers and expiration dates, with one contactless grab – or one well aimed digital picture snap from a mobile — thieves get all they need. And although the e-tailer’s customer-service department insists that card numbers with the wrong name attached should be rejected, a simple experiment made it clear that at least some transactions are approved that way. (Two out of two media tests had transactions approved and shipped.) If it had been fraudulent, it would have been up to the payment-card holder to notice, complain and get the charge reversed.

For more than five years, payment vendors have been arguing that the data leaks created by contactless cards are not a concern, because they generate insufficient information to make a transaction with a major e-tailer.

Incidents such as the leaks of e-mail addresses from Epsilon, non-card personal information from Sony’s PlayStation Network and the discovery of widespread PIN pad tampering at Michaels Arts & Crafts are getting large amounts of attention, even though they required plenty of effort on the part of thieves to steal the data.

But with L.L.Bean, there’s no sophistication required — just information from the face of a payment card. That’s easy to acquire. It might come from a thief scooping up numbers from contactless cards in a crowded place. But a thief could more easily snap a photo of the card with a mobile-phone camera when a customer uses the card in line at the checkout. Or if a customer puts the card down momentarily at an ATM. Easiest of all would be to simply get some card numbers and expiries from a cyberthieves’ site on the Internet.

Without a name or ZIP code match, much less a CVV number, the only authentication is the expiration date. That’s no authentication at all.
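To make the gap concrete from the merchant's side, the following added example (not code from StorefrontBacktalk, L.L.Bean or any processor) contrasts a number-and-expiry-only acceptance rule with one that acts on the AVS and CVV result codes an issuer returns with an approval. The single-letter AVS and CVV codes, the `name_matches_account` flag and the two order scenarios are assumptions constructed for illustration; a real integration takes the code table from its own processor's documentation.

```python
from dataclasses import dataclass

# Illustrative AVS (Address Verification Service) result codes. The letters
# follow the common US card-network convention but are assumed here;
# confirm the exact code table with your payment processor.
AVS_FULL = {"Y", "X"}               # street and postal code both matched
AVS_PARTIAL = {"A", "Z", "W"}       # only street (A) or only postal code (Z/W) matched
AVS_NONE = {"N"}                    # neither matched
AVS_UNKNOWN = {"U", "R", "S", "G"}  # unavailable, retry, unsupported, non-AVS issuer

# Illustrative CVV/CVC verification codes, same caveat as above.
CVV_MATCH, CVV_MISMATCH, CVV_NOT_PROCESSED, CVV_UNAVAILABLE = "M", "N", "P", "U"


@dataclass(frozen=True)
class Order:
    cvv_supplied: bool          # did the buyer enter the security code at all?
    name_matches_account: bool  # assumed merchant-side name check (not part of AVS)
    ship_to_billing: bool       # shipping address equals billing address


@dataclass(frozen=True)
class AuthResponse:
    approved: bool  # issuer approved the amount for this card number + expiry
    avs_code: str   # AVS result returned alongside the approval
    cvv_code: str   # CVV result returned alongside the approval


def weak_policy(order: Order, resp: AuthResponse) -> str:
    """Number-and-expiry-only acceptance: ship whenever the issuer approves.

    Issuers commonly approve the amount even when AVS and CVV do not match;
    the mismatch is only reported in the result codes, and the merchant is
    expected to act on them. Ignoring them is the behaviour the page describes.
    """
    return "accept" if resp.approved else "decline"


def hardened_policy(order: Order, resp: AuthResponse) -> str:
    """Require positive AVS and CVV evidence before shipping.

    Returns "accept", "review" (hold for a manual check) or "decline".
    """
    if not resp.approved:
        return "decline"
    # Hard declines: evidence the buyer lacks the physical card or the
    # billing address, i.e. exactly what data skimmed from the card face lacks.
    if not order.cvv_supplied or resp.cvv_code == CVV_MISMATCH:
        return "decline"
    if resp.avs_code in AVS_NONE:
        return "decline"
    # Soft signals: a check could not be performed or matched only partly.
    if resp.cvv_code in (CVV_NOT_PROCESSED, CVV_UNAVAILABLE):
        return "review"
    if resp.avs_code in AVS_UNKNOWN or resp.avs_code in AVS_PARTIAL:
        return "review"
    if not order.name_matches_account or not order.ship_to_billing:
        return "review"
    return "accept"


# Constructed scenario mirroring the page's test: approved on number + expiry,
# wrong name, no security code, billing address not matched.
ARTICLE_ORDER = Order(cvv_supplied=False, name_matches_account=False, ship_to_billing=False)
ARTICLE_RESPONSE = AuthResponse(approved=True, avs_code="N", cvv_code="P")

# Constructed legitimate order for comparison.
CLEAN_ORDER = Order(cvv_supplied=True, name_matches_account=True, ship_to_billing=True)
CLEAN_RESPONSE = AuthResponse(approved=True, avs_code="Y", cvv_code="M")

if __name__ == "__main__":
    for label, order, resp in (("article", ARTICLE_ORDER, ARTICLE_RESPONSE),
                               ("clean", CLEAN_ORDER, CLEAN_RESPONSE)):
        print(f"{label}: weak={weak_policy(order, resp)} "
              f"hardened={hardened_policy(order, resp)}")
```

The point of the split into "decline" and "review" is that AVS is unavailable for many non-US issuers and CVV is sometimes not processed, so a policy that hard-declines every non-match would turn away legitimate buyers; the hardened rule declines only on positive evidence of mismatch and routes the uncertain cases to a human, while the weak rule ships the article's scenario without hesitation.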

At a time when politicians are falling all over themselves to berate retailers and service providers for failing to protect non-financial information like the passwords to a free online games network, and when real-time authentication of payment cards is at the center of mobile-payment schemes, authentication should be a baseline requirement for any online transaction. Why wasn’t it here?

Discussion Questions

How ready is retail for contactless payments from a security standpoint? What particular security issues do you think challenge further adoption?

5 Comments
Gene Hoffman
12 years ago

L.L.Bean is an honorable company. They reflect a belief in the innate honesty of American consumers. So it is not surprising that they would begin contactless payments.

But skepticism is the first step toward any truth, and most retailers are not completely confident that contactless payments, from a security standpoint, are without grief. Yet, as such payment processes are embraced by another respected retailer, the skeptics will get into that boat, stop rocking it, and hope the pirating sharks will turn compassionate.

Mark Burr
12 years ago

While the risk for L.L.Bean would seem extremely high, it’s doubtful that they have not evaluated that risk and chosen to go ahead in spite of it. They obviously have enough confidence in the majority of their customers that the good outweighs the risk.

That being said, it doesn’t mean that the risk goes away. It simply means that there is enough demand to forge ahead and work it out along the way. It is absolutely clear that technology is advancing faster than the means to accommodate it. Nevertheless, it is advancing and will continue to advance at even higher rates of speed than it is currently or has been.

In reality, L.L.Bean is simply catching up. All others are woefully behind even further.

Ed Dennis
12 years ago

Sounds like a great way to use a stolen card!

Craig Sundstrom
12 years ago

Gee Frank, any more “how-to” tips??? (Hopefully the honest people who shop at LLB are the same type who read RW.)

M. Jericho Banks PhD
12 years ago

First free shipping, and now contactless payments. The Bean is on a roll! Wonder what’s next.

One of my websites conducts e-commerce for expensive items in 98 countries, which one would think is absolutely begging for fraud. All orders are placed online and paid by AmEx, Visa, or MC exclusively. Our merchant bank asks for name, address, CC#, and expiration, but they only pay attention to the CC# and expiration. They do not require the security codes on the backs of the cards and, of course, no PIN codes. Hey, if they approve it, it’s cool with me. International orders are occasionally problematic because some foreign banks require cardholders to register their cards for foreign payments, but that’s always been handled by the customer after we inform them. Bottom line, only CC# and expiration really matter to our merchant bank of ten years, and after thousands of transactions we’ve never had a security problem of any kind whatsoever. Even from Nigerian princes! Contactless payments have been around for a while.

In this discussion we are really only talking about online Bean purchases. In-store purchases require a physical card and PIN. Online purchases require a delivery location, and a location can lead to a card thief if necessary.
