You May Be Responsible for Fraud Against Your Subscribers

A story about bank fraud in Missouri may make you want to double-check all your online transaction and fraud prevention methods.

When a Trojan horse was installed on an escrow company’s computer and $440,00 was wire transferred from its bank account to an account in Cyprus, a federal magistrate ruled that the escrow company, not the online bank, was at fault.

In other words, if money is missing from your online bank account, you, as an online merchant, have no recourse. Moreover, if your computer or database is hacked and someone commits fraud against your subscribers, you can be considered responsible instead of the bank.

Online merchants are increasingly being held responsible for online security measures when it comes to online transactions. And digital content and subscription websites have to be the most vigilant, since card-not-present, virtual transactions for virtual goods are the most susceptible to fraud.

This is a bit illogical, since banks know infinitely more about financial security than online merchants. And the law does mandate “multi-factor” authentication. The problem is that IDs and passwords are considered multi-factor when they should not be, but courts seem to think that suffices since most online banks are using it (a Catch-22 for legal rulings, if ever there was one).

“Multi-factor authentication… would typically mandate authentication by something you know (password, ID, etc.) AND something you are (biometric, fingerprint, retina scan) OR something you have (token, device, card, etc.),” writes Mark Rasch in Storefront Backtalk.

A good payment processor will often encrypt subscriber credit card numbers and issue a token for each one when conducting online transfers. If you’re using such a system, you’re meeting the requirements for multi-factor authentication for your subscribers. (If not, I suggest you do so as soon as possible.)

But be aware that you, the merchant, may not need that much authentication to deposit or pull money out of your own bank account. And some authentication factors — like checking an IP address — are useless when a computer is hacked (the fraudster will obviously be requesting the fraudulent transfer through your IP address). And while banks are held liable for unauthorized fund transfers up to $50 for their consumer clients, there’s no similar law holding them accountable for unauthorized transfers on business accounts.

Therefore, online publishers — or any online merchant — should make sure they have alerts set when funds are transferred over a certain amount. Furthermore, they should put more pressure on banks to create adequate security measures for merchants as well as consumers.
