In December, I noticed three charges from Microsoft Xbox Ireland, each for 69.99 Euros on my Mastercard. I do not own an Xbox. I contacted BMO, they cancelled the card, issued me a new one, and credited my account. Then I went through the inconvenient process of providing updated information to merchants for important recurring payments.
In February, two more charges for 69.99 Euros appeared on my Mastercard statement. I contacted BMO again, and in addition to reporting the fraudulent charges from Microsoft, I asked if there was any indication of how my new card number may have been compromised. One obvious scenario is an ongoing compromise at one of the merchants that I pay monthly. To my surprise, BMO indicated there was another possibility: The transaction may have been forced by Microsoft, even though the card number had changed.
According to BMO, the only way to prevent this is to completely close the credit card account and re-apply for a new one. The bank also indicated that they do not have the ability to block charges from a specific merchant. They said they would ask their fraud team to contact Microsoft on a priority basis, but they would also need to cancel and re-issue my card once again.
I also contacted Microsoft in an attempt to directly address this fraud. They were unable to locate information on charges to either card number, and connected me to their Xbox team, who were also unable to find anything. Microsoft acknowledged having a fraud team with access to more complete transaction information, but refused to connect me with them, instead referring me back to my bank.
In response to further inquiries, a Microsoft spokesperson responded, “Credit card fraud impacts all industries, and necessitates banks and card holders to work together to address. Microsoft takes the security of our customers’ data very seriously and employs a team of professionals to monitor and manage the security of the services that process and store customer data.”
Google searches revealed other consumers are clearly frustrated that neither Microsoft nor their card issuer appear capable of stopping unauthorized charges.
According to the Canadian Bankers Association, in 2014, fraud involving Canadian-issued American Express, Visa, and Mastercard totalled $548 million, of which $360 million were Card Not Present transactions (e-commerce, telephone, and mail purchases). Perhaps a loss of only $10 per Canadian per year is not enough to motivate card issuers, especially since it is ultimately merchants who absorb the loss. But that figure is likely a drop in the bucket compared to the cost of investigating and processing chargebacks. It also does not take into account the time consumers spend dealing with the fraud, and the losses incurred when frustrated customers cancel their accounts or move recurring payments to a different card.
There are obvious opportunities for improvement. On a BMO chequing account, customers can configure alerts on deposits and withdrawals with thresholds as low as $10. Account holders can also place stop payments on a single cheque, a series of cheque numbers, and pre-authorized debits. On a BMO Mastercard there is no option to block payments and the only alert available is for electronic statement availability. This unfortunately appears representative of other Canadian credit card issuers.
Financial institutions should implement a feature to decline transactions from a specific merchant at a customer’s request. This could also be a standard response when unauthorized transactions are reported. Every credit card authorization request reaches the issuing bank. It is difficult to understand why transaction notification services would prove more challenging than alerting on chequing account transactions. Notifications help detect compromised cards earlier and decrease fraud losses.
South of the border, Bank of America offers virtual credit card numbers. As described on their web site, “Use the ShopSafe service (there’s no charge, no registration and no commitment) to generate a temporary credit card number that links directly to your real credit card account number.” The service allows consumers to specify a spending limit and number of months (up to one year) for which the virtual card number is valid. Citibank offers a similar service in which the virtual credit card number can only be used by a single merchant; subsequent attempts to use the same number at a different merchant are automatically declined.
Innovation in fraud prevention should provide a competitive advantage. Canadian credit card issuers and merchants must take meaningful action on online fraud to bring an end to this fraud frustration.
Have a security question you’d like answered in a future column? Email email@example.com
SAMSUNG GALAXY S8 PLUS
The Samsung Galaxy S8 Plus is a beautifully crafted smartphone with nearly no bezel, curvaceous in design and reflects a…
How to: Connect to Exchange Online Using Multi-Factor Authentication
Using PowerShell to manage your Microsoft cloud services like Exchange Online and using multi-factor authentication (MFA) separately is awesome. Using…