After writing twice about the deliberate decision by the Barack Obama campaign to avoid validation checks on credit-card contributions, I’ve heard from a number of people in the credit-card industry on how this works. Two explanations in particular explain the depth of deliberation and deception involved in disregarding address and security-code verification. The first explains that Team Obama probably didn’t just opt out of using these verification processes, but more likely rewrote the code on their site to bypass them, emphases mine:
I have over 30 years of experience in investigating Credit Card Fraud and I can tell you, which you may or may not know, that the merchant acquirer that is conducting the collection of credit / debit card for the Obama campaign are responsible for the actions to be taken regarding the Address Verification System responses. The value of the AVS system is that the issuer of the card being used provides back to the merchant acquirer a response based upon the information provided during the authorization process. This response indicates to the merchant acquirer if the card information was validated as to ownership of the account. It is the merchant acquirer that determines what to do when the authorization response is received. In most cases the transaction that comes back with any negative meaning is denied. However, if the merchant acquirer has adjusted their system to accept any response as acceptable the transaction would be completed.
The value of the AVS system is to deny Card Not Present transactions (CNP) which are suspicious. This protects the merchant against charge backs for bad transactions. What is interesting to me is that the merchant acquirer has knowingly violated a basic CNP fraud prevention technique to accommodate a merchant (Obama Campaign). I think that both the Associations (VISA & MasterCard) would be highly interested in looking at the merchant acquirer that was processing these transactions. The value of ignoring the AVS responses is that multiple invalid transactions may be made without fear of being rejected by the authorization systems. This means that the real owner of the credit card account is willing to allow multiple transactions to be made on the account using different names and addresses that under normal conditions would be denied. The merchant acquirer has a complete listing of all transactions done and it would be very interesting to see how many transactions were conducted on the same account number using different names. I would think that this would be a Federal violation under the current campaign funding laws.
Another fraud-prevention veteran notes that Team Obama has at the least provided a testing ground for thieves looking to validate responses:
You may have mentioned this elsewhere, but disabling the security allows would be credit card thieves to “ping” numbers till they get a hit. The number of “pings” should have raised flags at Visa and MasterCard, don’t you think?
I wonder if they warned the Obama campaign, or worse, ignored it.
In other words, a crook could simply type in random numbers until he found one sequence that worked in some fashion. That could give a thief a starting point for committing credit-card fraud. If all they had to do was type nonsense values for names and addresses, such as Doodad Pro, they could quickly determine which numbers were valid — and they could probably program bots to do that kind of work.
Thanks to Team Obama, millions of people now have to wonder whether they’ve been victimized by credit thieves. Some of us wonder if the thieves aren’t really working at Team Obama in the first place.