Wednesday, February 07, 2007

Is tracking fraudulent refund information effective and could it be putting people at risk of becoming an identity theft victim?

The retail industry loses billions of dollars a year to fraudulent refunds.

Fraudulent refunds occur when retail crooks (shoplifters, bad check writers and credit card fraudsters) bring in stolen merchandise to convert into cash. To protect themselves, merchants have developed refund policies, which require that personal information be maintained in a database to identify retail crooks.

I believe the merchants, who came up with this idea, did so with honorable intentions. But is it possible that these systems are easily defeated and themselves might be attacked (hacked) for information they are storing?

The retail security industry has a new buzzword: organized retail crime. If these crooks are organized, my guess is that they are already using fake identification and other people's identities to return merchandise.

Refund databases might be full of information harvested from other data breaches. Other people's information is used to commit a lot of credit/debit card and check fraud. In the case of fraudulent transactions at retailers, the criminals often refund the merchandise they purchased (with bogus financial instruments) to get what they really want: cash.

And it wouldn't be very hard for them to get bogus information: personal and financial information is for sale in carder forums, and fake identification is getting better and easier to obtain all the time.

Another thing to consider is that, besides organized retail criminals, another huge source of loss for retailers is theft by insiders (dishonest employees). Like the external element, a lot of dishonest employees seek to steal cash, and one of the easiest ways to do so is to process fraudulent refunds themselves.

Given the new refund systems, they will have to come up with an identity to accomplish this. The easiest way to do that is to use a customer already in one of their databases, or simply make up a name.

TJX (a merchant operating under many different names) recently suffered what a lot of experts believe will be the largest data breach to date. One of the databases compromised held their information on all the people who had refunded merchandise at their stores.

Unfortunately for TJX and the retail industry, it now appears they were storing financial information that they shouldn't have been.

According to reports, TJX was storing payment card (credit/debit card) information it was not supposed to retain, in violation of already established PCI data-protection standards. These standards are set by the payment card industry itself.

It seems odd to me that, in light of all the data breaches, the industry is being allowed to police itself. I wonder whether an unbiased third party (with no financial incentive) should be taking a look at the problem.

And even if the merchants bring their data-protection standards up to par for payment cards, will the data being mined in the refund systems receive similar protection?

Guard My Credit recently published a story about Federated requiring SSNs for refunds (courtesy of a blog post and later conversation with George at Fat Pitch Financials).

Apparently George's wife bought some merchandise off one of their websites with a gift card. She decided to return the jeans (for credit back to her gift card), and when she went into a Federated store (Macy's), she was asked for her driver's license and SSN to complete the transaction.

Please note, she had her gift card and the receipt for her purchase. George eventually complained loudly enough that a manager relented and allowed the return without an SSN.

My guess is that criminals are furnishing fake SSNs (which are hard to verify) and only the honest customers are providing real ones.

Story, here.

As I stated earlier, tracking refund data was probably a good idea when it was first conceived, but I wonder how effective it is today. The data itself could be posing risks to anyone honest enough to give their real information, while criminals are likely using other people's information.

Sadly enough, recent data breaches indicate that this personal information probably isn't very well protected. It's also sad that, after spending millions of dollars to protect themselves with refund databases, the retailers have a product that might not be very effective and could become a customer-trust issue.

There needs to be a better way to protect merchants and their customers from theft. Customers and retailers are both being victimized by what seems to be a growing problem.

Here is another post I wrote on this same issue:

Are Retail Refunds Violating Customer Privacy