A French friend of mine recently boasted about his "ultra-secure" credit card issued by his local bank - that card required SMS-based authorization of every transaction. There is nothing secure about SMS-based systems (SMS forwarding attacks were first reported six years ago), but that's not the point.
I got my iPad out and in less than two minutes bought a book from Amazon (their shopping flow, especially the checkout procedure, is world-class) - using that "ultra-secure" card, of course. A minute later, an email from Amazon confirmed that my order was being prepared for dispatch (the book was shipped within a few hours).
It's not only my friend who should be upset with Amazon - apparently, the largest e-tailer in the world ignores the card rules on a frequent basis. Should anyone care?
If you are a consumer and your card was used fraudulently at Amazon, which turned a blind eye to security checks, you should - eventually - get your money back. But not before you have made several calls to your bank (with the obligatory long "muzak" sessions) and done some form-filling. If you value your time (and you should), the cost of the time you'd waste on solving a problem that you didn't create in the first place is far from zero. Let's put a value on that unproductive time, say £50.
If you are a bank, you'll get - eventually - the money back from Amazon via chargeback. But not before your customer service personnel have wasted their expensive time dealing with your upset customer. Say, another £50.
If you are Amazon, you care neither about the upset owner of the card which you accepted without due security checks, nor about the chargeback claim from the bank that issued that card - you make more money if you let every customer pay quickly and easily, so the current fraud level does not bother you (at all).
If you are a fraudster who bought a DVD with stolen card details, you are enjoying yourself (and cannot wait to buy another DVD, with another stolen card).
My question is: if Amazon were slapped on the wrist by being made liable for those indirect costs and losses (say, £100 per incident), would that change their attitude towards card checks? Class action lawsuit, anyone?