5 Replies Latest reply on Jan 26, 2014 7:10 AM by cYb3rjAx

    Globe Paybill Fraud Potential

    ChitoReyes

      I am posting this to expose a potential vulnerability to Globe's Paybill facility using a credit card (Mastercard/Visa) so the company may make amends and add more security credentials to the site.

       

      All one has to do is to have a copy of anyone's credit card (front and back) and just enter the following to make a valid transaction or list down the following information which is readily available when you give your credit card to other people (merchants, friends, etc):

       

      Name,

      Credit Card Number,

      CSC and

      Expiry date

       

      With just that, you can pay anyone's bill including your own with the credit card. One can supply any email address (including your own) to have the verification and receipt delivered to that email address without the true owner of the credit card knowing. The true owner would only find out when he receives his credit card statement and if ever he checks his statement (assuming he does), he would be surprised with all the charges and would take some time before anything is reversed.

       

      Globe should include the Credit Card Holder's registered Billing address to add more security. I just wonder why this basic requirement was overlooked by Globe for quite some time... or are they passing on the burden of proof to the credit card holder? It's additional income on their end anyway.

       

       

       

        • Re: Globe Paybill Fraud Potential

          Hi @ChitoReyes, thanks a lot for your insights.

           

          We have actually implemented the 3D Secure process. If you are enrolled under 3D Secure under your bank, then there is another layer of security (password, security answers, or PIN) that you need to provide prior to completion of the transaction.

           

          In addition, if you pay while logged in, another fraud deterrent measure in place is logging in and adding your wireless/wireline account. For mobile accounts, a verification code sent via SMS should be entered.

          • Re: Globe Paybill Fraud Potential
            WILLfindways

            Hello, chitoreyes.

             

            Welcome to the Globe Community. I am glad you have come to share your Globe life with us.
              
            Before you proceed in reading my reply, please take note of the following:
             
            I don't represent Globe Telecom or any of its Third Party Vendors in any of my message.
            It is my personal belief that we are all created. Therefore, we are all creatures here.
            If you believe otherwise, you may let me know.

             

            And I don't represent any credit card issuers and acquirer for that matter.


            Moving on with your concern.

             

            I am not sure how you were able to get the idea that merely providing credit card information such as name, credit card number, CSC or CVV and expiry date and an email address authorize any creature other than the card holder himself to transact using his credit card account.

             

            Globe, as an authorized merchant of credit card acquirers, follows a set of guidelines to verify credit card transactions.

             

            And since this is a Card Not Present Transaction, the burden of proof lies on the merchant, which is Globe Telecom, in case of transaction disputes.

             

            We accept the things we think we deserve - The perks of being WILL

              • Re: Globe Paybill Fraud Potential
                ChitoReyes

                Thank you for your insights Will...

                 

                To answer your question on how I was "able to get the idea that merely providing credit card information such as name, credit card number, CSC or CVV and expiry date and an email address authorize any creature other than the card holder himself to transact using his credit card account." ... the answer is simple... I used the Paybill system both with my card and, to validate my suspicion, with somebody else's credit card using just the basic information written on the card which could readily be accessed by anyone who gets hold of the card.... including but not limited to waiters, cashiers, employees of merchants accepting credit cards, courier services and even friends and relatives. No special machine needed.

                 

                Although "Globe, as an authorized merchant of credit card acquirers, follows a set of guidelines to verify credit card transactions." they have left out a simple yet effective way of verification despite the complicated system that GlennO mentioned a few posts back. The oversight is a PRIMARY security measure which was left out by Globe and a basic component for off site transactions according to the Manual for Merchants given by Credit Card companies to merchants affected.

                 

                I have proven my suspicion through an actual transaction made and anyone can test if my allegations are right or wrong and the reason for my concern. It is also the reason why this is being posted so that everyone may know in the hope that Globe would do something about it.

                 

                I have to disagree with you that the burden of proof is with Globe.

                 

                The initial and the heaviest burden would actually be on the side of the card owner, the very victim of Paybill - first in getting surprised that charges were made to their card without them knowing and finding out at least a month after the transaction was made.

                 

                Secondly, in trying to deny, explain and prove that such transaction was ever made by them.

                 

                Then and only then can the credit card company in coordination with Globe actually make an investigation on the matter in which case, Globe has already used the money that was paid at least a month before and even prolong such investigation resulting in a long period before any reversal could be made if ever. If our experience with our ordinary problems with Globe would take so many weeks or months to get resolved, what more this?

                 

                All of these are on the assumption that the card owner would find out about the unauthorized charges... then what about those who do not check their credit card bills? Well, that's another discussion and Globe and the recipient of the payment would all be lucky.

                 

              • Re: Globe Paybill Fraud Potential
                WILLfindways
                @veteran

                So this is now about the 3D Secure Adoption?

                Anyway, I will assume that you have given up your suggestion to add the Cardholder's Billing Address as a "security measure". Thank you very much.

                Ultimately, how would you like to solve this not so novel "flaw" your way, and not * some text missing * Way, if given the chance?

                Don't bark up the wrong tree.

                I guess the best creatures you should talk to are the think tanks of Card Issuers and Card Network.

                Talk to them. Like them on Facebook. They are waiting for your brilliant ideas.

                Happy Weekend Fellow Creatures.
                • Re: Globe Paybill Fraud Potential
                  cYb3rjAx

                  This is a basic/primary yet a very vital loophole in a system and kudos to you @ChitoReyes for discovering this. I fully understand what your point is and I sympathize with you and your ideas. Now, any updates regarding this? Was an action already made?