Monday, May 07, 2007

Is Target's payment card and new refund procedure stopping retail criminal activity?

Will stricter return policies drive Target's customers, elsewhere? Some are saying their new return policy (which will require a receipt for cash returns of $20 or more) -- isn't very customer friendly --and might do just that. Some are also questioning, whether another policy (how they verify plastic transactions) is enabling fraud to occur within their four walls.

So far as the new refund policy, Target's response is that this will affect a very small amount of its customers. Chris Serres, Star Tribune, Minneapolis - St. Paul gives Target's rationale for this:

Target officials said the new limits affect fewer than 5 percent of its customers. Shoppers who have bought products with credit cards, debit cards or checks can still return them without receipts, without having to worry about the new limits.

"While we expect the changes to ... impact a very small number of guests, our goal is to minimize losses regardless of amount," said Amy von Walter, a Target spokeswoman.

Law enforcement officials have a different take on this:

Target's practice of not checking the IDs of credit card holders has made it a target for more sophisticated fraudsters, said Brandon Deshler, an officer with the Edina Police Department and a detective with the Minnesota Financial Crimes Task Force, a state law enforcement agency. "There is a real inconsistency here," he said.

Sophisticated fraudsters are becoming the norm with data breaches, carder forums, and do it yourself (DIY) crime kits being marketed via the Internet.

I keep reading about how identity theft is tied into methamphetamine use, but in reality, it might also be tied into heroin use, or any other narcotic that people get addicted to. Addicts often turn to retail crime to support their habits, also.

Before the Internet made sophisticated fraud pretty easy to accomplish, addicts did a lot of shoplifting (boosting) to support their habits.

As time went on, retailers got smarter. They started locking up high value (shrink) merchandise and tightened up their return policies. To get past this, many retail criminals use fraudulent payment devices, which are pretty easy to obtain.

Organized criminals now make their "cut" selling the information and devices to less sophisticated crooks, who do all the dirty work for them. Deals are made on the Internet with a click of a mouse, and these devices are (normally) shipped from foreign sources, where it is hard to identify the criminals behind it.


Fraudulent devices are ordered in chat rooms, paid for by wire transfer or PayPal, and shipped to these (questionably) sophisticated criminals UPS, or Fedex, worldwide. Sometimes, they are shipped in bulk to one location and then redistributed. This is another method used to make tracking these devices to their original source, difficult.

Because of the growing availability, retail criminals are using
fraudulent payment devices to obtain and then refund merchandise.

If customers using credit cards, debit cards and checks are still allowed to return them without receipts, I'm guessing a lot of refund fraud will still occur.

I wondered how customers, using payment devices (checks, credit cards, debit cards) could get a refund without a receipt? Just to make sure, I called my local Target and told them I lost my receipt from a credit card purchase. I was told to bring my credit card in and they could look up the information.

In light of the many recent data breaches, such as TJX -- where at least 45 million customers were compromised -- this thought scared me. Even if their systems are completely safe (not sure if any really are), does this mean that a dishonest employee could access my information? Employee dishonesty has long been (and still is) a major problem at most businesses.

The best thought out security can be beat by one person with access to it!

One of the systems compromised at TJX was their refund authorization system. Not allowing easy access, or even maintaining personal and financial information is the recommended way to prevent data theft.


Besides that, I often wonder how accurate the data is in some of these refund systems. These days, crooks use a lot of other people's information.

Since Target relies on electronic authorization systems (they don't even require their staff to check ID) on credit/debit card transactions, the law enforcement official quoted above might have a very valid concern.

But this isn't the only time, I read about this concern in the past week.

An article came out from Washington about an enraged identity theft victim, who after realizing no one was doing anything with her case, decided to beat the pavement (investigate), herself. Working with a reporter, she did her own check of retailers and here is what happened at Target (as reported on KOMOTV.com):


We did the same thing at Target. This time, we included wine in our purchase thinking some stores require an ID check when buying alcohol. At no point during our checkout did the Target clerk even ask to see the credit card. The clerk never asked for an identification check.

In a statement, Target says it does not require its clerks to handle or inspected credit cards.
Instead the store relies on an electronic authorization system where the customer swipes their own credit card through a reader."Electronic authorization is faster and more accurate than relying on visual inspection of verification of written signatures," says Brie Heath of Target.

Even with these systems, where a customer swipes their own card, a lot of retailers require that the clerk check identification AND inspect the card on signature transactions. In fact, a lot of pos (point-of-sale) systems prompt the customer and the clerk to do so.

Counterfeiting payment cards has become so easy to do that it's now
done in garages with hardware that can (unfortunately) be bought over the Internet. Granted, identification can also being counterfeited, but at least visual inspection is going to making it a little harder to commit payment (debit/credit) card fraud.

The truth is that electronic verification systems read data, and in the case of debit and credit card data, it's being transferred (counterfeited) all the time.

Many might ask why Target would rely on an electronic system with so much fraud going on out there? One reason might be that when a card is "swiped" (electronically authorized), it is pretty hard for the bank to charge it back to Target.

When this happens, I'm guessing that Target isn't the one taking the loss, the bank does.


Chargebacks are becoming a huge issue, and many merchants (especially e-commerce merchants) are saying they are unfair to them, also. These merchants claim the rules favor the banks, who are passing off the costs of fraud to them. With the recent TJX data breach, and the realization of how expensive information theft has become, we can expect to see more controversy on this issue.

It's sad that businesses seem to be spending more time going after each other than the criminals behind the activity (my emphasis).

We also need to consider the considerable grief, victims go through in this process. Victims can be held liable for losses, have their credit ruined, and are even charged with crimes they didn't commit. Some of these victims are undoubtedly past, present, or future customers.

It's pretty easy for me to understand law enforcement officials and identity theft victims might be a little frustrated with Target's policies.

There is no doubt that the amount of refund and payment device fraud is growing. Businesses do have the right to protect themselves, but passing the financial loss to another business, and ultimately (all of us) does little to stop the problem. In fact, it might be one of the reasons this type of fraud is growing.


It would be unfair to single out Target on these issues. Other retailers need to be looking at them, also. Retailers are sold expensive security technology and too often (my emphasis) find that someone has figured out a way to exploit it.

Systems get defeated by human beings all the time. The best defense against this are other human beings. Removing human interface from the equation makes it easier to commit fraud (my emphasis).

Star Tribune article, here.

KOMOTV.com article about the identity theft victim doing her own investigation,
here.

8 comments:

Jeremy Scoville said...

I think you nailed it on the head with this one -- until it becomes finacially burdensome for Target, they are not going to bother with verifying credit card owner. Right now there is no incentive for them to be cautious with this, no reason to avoid the potential for fraud.

Anonymous said...

Quite frankly, NO retailer has any obligation to check any cards from anyone. Particularly if they have those swipe it yourself readers- that removes them from liability completely, not to mean they would be liable to begin with...

If a card is lost or stolen, that is your and your banks problem. Retail employees should not be expected to be a cashier and a fraud detection analyst at the same time!

Anonymous said...

If Target is going to eliminate returns without a receipt, they need to extend their 90-day policy. I recently tried to return an unopened, unused, brand new microwave for which I have the receipt... however, I CANNOT under any circumstances return it to Target because the receipt is dated over 90 days. Target stuck me with the product. Never in my life has a store forced me to keep a new product for which I had receipt. Unbelievable!

Anonymous said...

So with the whole credit fraud thing...not sure what target you all are shopping at but at the target I work at, all of the cashiers are trained to check all identification cards and credit cards....now with the whole return issue, maybe if we did not have so many customers who take advantage of our return policy we would of not have to change it. we have guests who come into target who return clothes that are stained with god only knows what, we have people who sew their own clothes and return them....really the problem here is not target it is the consumer!!!

Ed Dickson said...

I checked three Targets and used a credit card each time. My ID wasn't checked once and the card never left my hand - it could have been a hotel key.

I do agree with the anon person's comments about refund fraud, but the overall problem will not cease until everyone (the good guys) start working together.

Since fraud instruments are being used to purchase merchandise and chargebacks do occur (along with damaged items being returned) banks and retailers both suffer losses from this.

shannon said...

"at the target I work at, all of the cashiers are trained to check all identification cards and credit cards.."

the statement up there was RELEASED BY TARGET CORPORATE saying that NO ONE TRAINED YOU to check credit cards. don't waste your time defending them when the company themselves says that they don't require you to check.

i, too, have noticed this credit card transaction system at target and have also become leery. you slide your card in, enter your number or scribble your name, and the card pops right back out. to test it, i have taken in my cards, my boyfriend's cards, and my mother's and father's cards trying to see if they'd let them all go through... and they did. i'll tell you, if i ever decide to steal a credit card and go shopping, i'm going straight to target!!!

Anonymous said...

I can understand Target or any retailer trying to protect itself from fraudulent returns. However, Target's new policy is unfair to a particular segment of their customer base. That is those customer's who use gift registry. I recently registered at Target and only target for my baby shower. Of the 35 or so guests, only 4 people did not shop for me at Target. I received hundreds of dollars in gifts and gift cards. As expected I received some duplicates, and a few items (6 to be exact) that I decided to upgrade upon receipt. Of the 6 items I only had receipts for 2. I was aware of the new policy but figured that I would have no trouble exchanging the items because my registry indicated the item requests had been fulfilled. To my great disappointment I was told that without a receipt I would have to keep the items. Of course I was outraged because I had just given Target 30 or so customers and nearly $1000 worth of sales and they would not make any consideration in my case. As a matter of fact I was given the in store run around. No manager would come and talk to me although the associates claimed to call them. When I asked for the district manager's contact information, I was given an incorrect phone number. When I called customer I was again regurgitated the new policy.

The result here is that Target has lost a loyal customer based on this new policy and they don't seem to care. Once I spend my gift cards I am done with Target. They are not the only game in town. I will shop at Walmart, Babies R US, Costco or wherever I feel that I am appreciated as a customer. In addition, I will be advising everyone I know that Target is not the place to register for any thing weddings, births or otherwise because they will gladly take your business then treat you like criminal in the end.

Anonymous said...

I had another problem with Target and credit cards. When my credit card didn't work in the card reader. I handed it to the sales associate. He typed in my numbers by hand, I signed the card reader pad and then he printed two receipts. He gave me one and took my card and scratched the front of my card on his copy of the receipt with a pencil. When I said I would show him ID instead of him having my credit card number. He replied, I don't need your ID, store policy is to scratch your card. Then, he opened an unlocked drawer under the register and proceeded to put my credit card number in it. When I commented on it. He again replied, this is store policy. When I asked for a manager. One came over and I stated that I didn't want my credit card number floating around in their store. And that the transaction had been completed through their cash register (the last 4 digits were on my reciept as usual). I also stated that my card number is now in an unlocked door. I was told that she would put it in her locked desk. But, I wasn't getting my info back. I called Target corporate and was told, I'm out of luck in getting that receipt back. The guy at corporate even laughed and questioned how I could have a problem with my credit card info in an unlocked drawer.
So beware, Target's store policy on an unscannable card is to keep your credit info in an unlocked drawer under the registers. No more Target for me. I can't afford having my credit ruined.