Larry Osterman's WebLog

Confessions of an Old Fogey

How to lose customers without really trying...


Not surprisingly, Valorie and I both do some of our holiday season shopping at ThinkGeek.  But no longer.  Valorie recently placed a substantial order with them, but instead of processing her order, they sent the following email:

From: ThinkGeek Customer Service [mailto:custserv@thinkgeek.com]
Sent: Thursday, November 15, 2007 4:28 AM
To: <Valorie's Email Address>
Subject: URGENT - Information Needed to Complete Your ThinkGeek Order

Hi Valorie,

Thank you for your recent order with ThinkGeek, <order number>. We would like to process your order as soon as possible, but we need some additional information in order to complete your order.

To complete your order, we must do a manual billing address verification check.

If you paid for your order via Paypal, please send us a phone bill or other utility bill showing the same billing address that was entered on your order.

If you paid for your order via credit card, please send us one of the following:

- A phone bill or other utility bill showing the same billing address that was entered on your order

- A credit card statement with your billing address and last four digits of your credit card displayed

- A copy of your credit card with last four digits displayed AND a copy of a government-issued photo ID, such as a driver's license or passport.

To send these via e-mail (a scan or legible digital photo) please reply to custserv@thinkgeek.com or via fax (703-839-8611) at your earliest convenience. If you send your documentation as digital images via email, please make sure they total less than 500kb in size or we may not receive your email. We ask that you send this verification within the next two weeks, or your order may be canceled. Also, we are unable to accept billing address verification from customers over the phone. We must receive the requested documentation before your order can be processed and shipped out.

For the security-minded among you, we are able to accept PGP-encrypted emails. It is not mandatory to encrypt your response, so if you have no idea what we're talking about, don't sweat it. Further information, including our public key and fingerprint, can be found at the following link:

http://www.thinkgeek.com/help/encryption.shtml

At ThinkGeek we take your security and privacy very seriously. We hope you understand that when we have to take extra security measures such as this, we do it to protect you as well as ThinkGeek.

We apologize for any inconvenience this may cause, and we appreciate your understanding. If you have any questions, please feel free to email or call us at the number below.

Thanks-

ThinkGeek Customer Service

1-888-433-5788 (phone)

1-703-839-8611 (fax)

Wow.  We've ordered from them in the past (and placed other large orders with them), but we've never seen anything as outrageous as this.  They're asking for exactly the kind of information that would be necessary to perpetrate an identity theft of Valorie's identity, and they're holding our order hostage if we don't comply.

What was worse is that their order form didn't even ask for the CVE code on the back of the credit card (the one that's not imprinted).  So not only didn't they follow the "standard" practices that most e-commerce sites follow when dealing with credit cards, but they felt it was necessary for us to provide exactly the kind of information that an identity thief would ask for.

Valorie contacted them to let them know how she felt about it, and their response was:

Thank you for your recent ThinkGeek order. Sometimes, when an order is placed with a discrepancy between the billing and the shipping addresses, or with a billing address outside the US, or the order is above a certain value, our ordering system will flag the transaction. In these circumstances, we request physical documentation of the billing address on the order in question, to make sure that the order has been placed by the account holder. At ThinkGeek we take your security and privacy very seriously. We hope you understand that when we have to take extra security measures such as this, we do it to protect you as well as ThinkGeek.
Unfortunately, without this documentation, we are unable to complete the processing of your order. If we do not receive the requested documentation within two weeks of your initial order date, your order will automatically be cancelled. If you can't provide documentation of the billing address on your order, you will need to cancel your current order and reorder using the proper billing address for your credit card. Once we receive and process your documentation, you should not need to provide it on subsequent orders. Please let us know if you have any further questions.

The good news is that we have absolutely no problems with them canceling the order, and we're never going to do business with them again.  There are plenty of other retailers out there that sell the same stuff that ThinkGeek does who are willing to accept our business without being offensive about it.

 

Edit to add:  Think Geek responded to our issues; their latest response can be found here.

  • Whoa....

    And they wanted you to EMAIL that info back to them?

    Somebody needs a lesson in how secure emails are...

    Pardon for the snailmail analogy, but anything you don't feel comfortable writing on a postcard should not be put in an email sent across da interwebs.

  • Actually, this sort of thing is SOP for a lot of retailers, and it's not really their fault. It's what the credit card companies/banks require.

    If there is ANY discrepancy with a billing address, the card issuer will flag that account as a possible fraud. Sometimes they'll just put a hold on the account. In brick-and-mortars, they used to ask the retailer to hold the card if there were any fraud flags.

    In order for the retailer in this case to continue to process the order in a way that makes the card issuer happy, they have to verify this information.

    Given the huge amount of fraud for online retailers, and the fact that they're out a buttload of money in product and work time if they process fraudulent orders (since the card issuers won't actually pay them back for shipped fraud orders), there's no way any online retailer could survive if they didn't do stuff like this.

    It sucks, but this is the cost of convenience.  

    /former card-processing wonk

  • In this case, there was no discrepancy.  And Valorie offered the transaction # for several previous orders we've placed with them, that was not sufficient.

    I wonder what the PCI rules say about asking for this kind of information...

    Erling: They did offer to allow us to use PGP to encrypt the emails :).

  • I have had similar problems ordering from abroad with DVD Empire and DVD Pacific - in one case this was in spite of having faxed the required information when I first placed orders with them. Apparently not placing an order for 12 months was enough for them to expect me to jump through hoops again.

    I crossed ThinkGeek off my supplier list a long time ago when I found that unlike other US suppliers they only offer courier delivery and insist on printing this charge on the invoice. For simple t-shirts other companies will happily send Air Mail which typically takes less than a week for a fraction of the cost. In Think Geek's case I ordered three t-shirts and then had to pay more than twice the price I paid for t-shirt and courier delivery in import duty/VAT/and customs duty. If they'd sent by ordinary Air Mail none of this would have been chargeable. When contacted they had no interest in using Air Mail as so many of their competitors do. Bottom line: for those of us in the UK their t-shirts are about four times as expensive as advertised on their web site.

  • Errr, if you were a bad guy trying to defraud them, how many minutes would it have taken in photoshop to come up with what they asked for?  Just like DRM and security theater at the airport, this is the kind of thing that is trivially bypassed by the bad guys and greatly hinders the innocent.

  • Long ago, I worked for an e-commerce startup and dealt with some of this stuff.

    In a lot of cases, the merchant may not care if you've made up the info you send in for verification. If they've gone through the trouble of verifying, they have a MUCH better chance of winning if a chargeback results. That's the real problem here -- if the merchant accepts a charge that turns out to be fraudulent and they haven't jumped through all of the hoops to verify that the charge is authorized (including contacting the cardholder and asking for more information), they're the ones who are going to eat the loss (including fees from the card issuer and the merchandise they shipped to a fraudster). Unless the card is actually physically present for the transaction (which is obviously impossible for online orders), the merchant is very likely to lose any chargeback representation. Their only defense is if they've done the verification steps and "confirmed" that the charge was made by the cardholder. This costs a lot of online retailers an astounding amount of money. So there's a huge incentive to retailers to force you to verify this stuff. I'm surprised it happens as rarely as it does, to tell you the truth.

  • If you paid by credit card, I'd complain to your credit card company.  Generally speaking credit card merchant agreements don't allow merchants to refuse valid cards.  I'd do it not so much because you want to do business with Think Geek, but because if you don't push back, more and more companies will try this sort of game.

  • Wow, that is absolutely ridiculous.  Good for you for telling them to go to hell.  I'd stop doing business with them too.

  • @Larry

    'In this case, there was no discrepancy.  And Valorie offered the transaction # for several previous orders we've placed with them, that was not sufficient.'

    As everyone else said it's the card issuer that is causing this. There will be some magic cash value over which the retailer will need to get more proof of id. You did say that the order was substantial. It's a pain for the customer. It annoyed me when I had to fax a bunch of id proof to KLM when I was buying airline tickets. It really kills the convenience of buying online!

    MasterCard offer merchants a service called SecureCode:

     http://www.mastercard.com/us/merchant/security/what_can_do/SecureCode/

    This redirects you to a MasterCard page during the transaction, and requests a password from the buyer before allowing the purchase. It works, but so few sites seem to use it that I struggle to remember what my password is!

    'I wonder what the PCI rules say about asking for this kind of information.'

    I am not familiar with US laws, but surely they can ask for whatever they like? You're equally free to refuse - as you did.

  • James, I often purchase items from other online vendors that have a higher value than this purchase and I've never been challenged in this manner.

    Just last year, Valorie placed an order of comparable magnitude (slightly higher) and they didn't raise an eyebrow.

  • @Larry

    I would imagine that the limit depends on the merchant and what they're selling. Perhaps your purchase is higher than 95% of all purchases (say), then it gets extra scrutiny. I agree it's annoying, but the vendor isn't doing this for fun. If they don't do what the card issuer demands, then they lose out. Sure, they still lose out because you're not going to trade with them. It comes down to a choice:

    Accept everything and lose $X due to fraud

    Obey their master(card)s and lose $Y due to irked customers

    if($Y < $X) {
        obey_masters();
    } else {
        please_customers();
    }

    Aside. I bought an additional Operating System to run on my Mac Book Pro. I want to boot it natively and run it in a virtual machine. The vendor makes me jump through hoops - something called 'Activation'. It's quite annoying. Should I buy their stuff again? ;)

  • Never ever happened to me in the UK. Normally when ordering with a new supplier the goods have to go to the registered card address - sometimes the supplier insists that all goods go to the registered card address. But I've never had to, nor heard of having to, provide extra information like this.

    Having goods sent to the registered address can be annoying - the card obviously is registered at my home address and of course I'm not at home during work hours. On one infamous occasion I bought TV equipment and the retailer is required to pass the delivery address to TV Licensing for them to confirm that there's a TV licence for that address (the BBC is funded from the TV licence). Unfortunately my card address didn't exactly match the address on my existing TV licence - because I couldn't actually enter the right address on their website - and I started getting demands for payment as I documented on my blog at http://mikedimmick.blogspot.com/2006/08/tv-licensing-has-serious-issues.html.

  • A lot of the commenters are missing the point entirely.  The point isn't whether TG is trying to protect consumers against fraud (the best possible spin on this), protect themselves against fraud, or even the horrific identity theft potentials that e-mailing this data has.  The point is, THEY'VE LOST A CUSTOMER.

    Larry's expectations are spot on.  Provide some basic information to the vendor, and the transaction should happen.  Anything else represents a complete failure of TG and the Credit Card company.  

    The CC company and the vendors have to (pardon my language) get their shit together, and figure out how to make this easy and secure.  It's THEIR problem to solve, not the consumers.  We can shop elsewhere...

    ----

    In this instance, perhaps, the Credit Card Company can be provided with alternate shipping addresses through other channels (phone, the Card's web site, snail mail).  The vendor can then query the card company, "Is address Y valid for shipping?" and a simple yes/no can be returned.  Solves this problem nicely, and since most people don't ship to many addresses (home, office, and drop-shipping grandma's Christmas present) it's not a major inconvenience to register the new address.

    Under this scheme, TG could have sent a note to Valorie saying "You'll have to register that shipping address with the credit card company, and then we can ship your order."  And the onus of proof-of-shipping-address (one time only!) is put on the Credit Card Company who already holds most of Valorie's sensitive information anyway.  Larry's wife calls, registers the address, and replies "Done" to ThinkGeek and her item ships.  End of story.  

    This would require vendors to lobby the Card Company for changes in THEIR system, and not require outrageous procedures from the consumer.

  • i've had vendors pull this on me.  as you are doing, i've always walked away.  one has to wonder -- if the leading ecommerce sites on the planet, sites like amazon and dell, don't ever have to resort to these measures, why does some minor site feel that they have to?

  • I must be very unknowledgeable about this, but how does having a copy of your electricity bill enable identity theft?

    All the information on it, except your electricity consumption, is public knowledge (name, address, etc) and can be gathered by other means.

    Do banks request your electricity consumption to identify you now?
