Author Topic: Tequipment international order requirements :o  (Read 42068 times)

0 Members and 1 Guest are viewing this topic.

Offline LightagesTopic starter

  • Supporter
  • ****
  • Posts: 4316
  • Country: ca
  • Canadian po
Tequipment international order requirements :o
« on: April 16, 2012, 07:38:51 am »
Wow. I can't believe it.

I wanted to buy something from Tequipment as they have something I wanted to purchase, and they have been sponsoring Dave.

What a waste of time. For ANY international order they require a copy of a credit card statement and copies of the front and back of your credit card before they will process your order. This is tantamount to providing a third party with the keys to your bank account. It is ridiculous and completely contrary to their advertising on an international forum. It is also against the agreement you have with your credit card company to ensure that your security information is kept safe.

Too bad they won't get any business from me until they stop assuming that I am a criminal and secondly requiring very personal security information just for the privilege of me giving them my money.

Sorry Tequipment, as Dave would say; "FAIL".
 

alm

  • Guest
Re: Tequipment international order requirements :o
« Reply #1 on: April 16, 2012, 07:55:16 am »
How is this worse than just providing credit card details, including number, verification code, name, expiration date, address and phone number, as you would for any normal CC payment?
 

Offline LightagesTopic starter

  • Supporter
  • ****
  • Posts: 4316
  • Country: ca
  • Canadian po
Re: Tequipment international order requirements :o
« Reply #2 on: April 16, 2012, 08:02:43 am »
Some credit card statements show more details than just what is available on the card, and also show all your other purchases you have made.  I don't want to go into minute details but there can be sensitive information on a credit card statement. If this is what they require to prove you are who you say you are then it can be used by others to prove that they are you. It cannot be argued both ways.  Either it is nothing extra and therefore not needed and ineffective, or it is more personal information required that could not be obtained otherwise to prove in their eyes who you are.
 

Offline Bored@Work

  • Super Contributor
  • ***
  • Posts: 3932
  • Country: 00
Re: Tequipment international order requirements :o
« Reply #3 on: April 16, 2012, 08:03:21 am »
I noticed that some time ago, too, when I considered ordering from them. I took my business elsewhere. In my experience, companies doing things like this are usually not terribly interested in getting my business anyhow, so going elsewhere is a win-win situation for both. We are not in the 90th any more, and if they are really interested in international business they should try to find a credit card processor who is prepared to properly validate cards used for online purchases.
I delete PMs unread. If you have something to say, say it in public.
For all else: Profile->[Modify Profile]Buddies/Ignore List->Edit Ignore List
 

Offline elCap

  • Regular Contributor
  • *
  • Posts: 109
  • Country: jp
Re: Tequipment international order requirements :o
« Reply #4 on: April 16, 2012, 08:44:05 am »
I had the same issue with them. And they don't have or accept any secure way for you to provide the information they want. I tried to send them a password protected zip and then the password in another mail. They didn't understand how to open it... :o They can only accept unsecured plain e-mail.
 
I decided to sent them what they wanted anyway. But as all was in Japanese they didn't accept it... so in the end they made a random deposit to my account and I just reply what amount it was and all was set. Now I buy a lot of stuff from them as I find it convenient even if they are extremely slow in sending out orders.
 

Offline cybergibbons

  • Frequent Contributor
  • **
  • Posts: 400
Re: Tequipment international order requirements :o
« Reply #5 on: April 16, 2012, 09:59:05 am »
How is this worse than just providing credit card details, including number, verification code, name, expiration date, address and phone number, as you would for any normal CC payment?

1. I'd hope that the mechanism that I would send a normal payment by is secure.
2. They shouldn't ever store the CVV code.
3. I'd hope they'd store the details on a payment system in a secure way, it's hard to do that with scans of the front and back of a card.
 

alm

  • Guest
Re: Tequipment international order requirements :o
« Reply #6 on: April 16, 2012, 04:25:30 pm »
Sending unencrypted pictures is not very secure, I'm not very impressed with that. Some other vendors requiring this at least provide a way to upload via HTTPS.

Since CC authentication is purely based on shared secrets, you send the CVV code to the retailer (unless they use an external payment processor like PayPal), you're at the mercy of whoever accepts the CC details anyway. There is no inherent security like with challenge-response systems. The only reason why CC fraud is not more prevalent is because CC companies frown on merchants accepting fraudulent CCs, i.e. they have them pay for the costs of the charge back and will revoke their merchant account if it occurs too often. The CC companies also have fairly sophisticated systems being able to spot suspicious patterns.

3. I'd hope they'd store the details on a payment system in a secure way, it's hard to do that with scans of the front and back of a card.
How do you store them in a secure way? The encryption will have to be reversible, since the same system needs to be able to decrypt the CC details if the user performs another transaction. I'm not convinced that reversible encryption with the encryption keys in the memory and on the disk of the server provides any real security, though I guess it looks good on paper to claim 256-bit military-grade AES encryption.
 

Offline olsenn

  • Frequent Contributor
  • **
  • Posts: 993
Re: Tequipment international order requirements :o
« Reply #7 on: April 16, 2012, 04:43:43 pm »
They don't require verification for Canadian orders either, just outside the US and Canada.
 

Offline saturation

  • Super Contributor
  • ***
  • Posts: 4787
  • Country: us
  • Doveryai, no proveryai
    • NIST
Re: Tequipment international order requirements :o
« Reply #8 on: April 16, 2012, 08:18:57 pm »
Not sure why they require so much, making it less easily for international buyers reduces their chances of making a sale, unless they've been burned by many fake CC.  They do take paypal, IIRC.
Best Wishes,

 Saturation
 

Offline LightagesTopic starter

  • Supporter
  • ****
  • Posts: 4316
  • Country: ca
  • Canadian po
Re: Tequipment international order requirements :o
« Reply #9 on: April 16, 2012, 09:02:11 pm »
I have sent two emails to Tequipment asking for clarification in my case as I am a Canadian living in Chile. It is not clear if I need to provide my life story to get things shipped to Chile or not.
 

Offline ivan747

  • Super Contributor
  • ***
  • Posts: 2046
  • Country: us
Re: Tequipment international order requirements :o
« Reply #10 on: April 16, 2012, 09:41:50 pm »
Does anybody have an US billing address registered in you credit card. I didn't had to send them all that stuff to get it shipped to Miami using a Dominican credit card with US and dominican addresses registered in it.
 

Offline ivan747

  • Super Contributor
  • ***
  • Posts: 2046
  • Country: us
Re: Tequipment international order requirements :o
« Reply #11 on: April 16, 2012, 09:42:42 pm »
I noticed that some time ago, too, when I considered ordering from them. I took my business elsewhere. In my experience, companies doing things like this are usually not terribly interested in getting my business anyhow, so going elsewhere is a win-win situation for both. We are not in the 90th any more, and if they are really interested in international business they should try to find a credit card processor who is prepared to properly validate cards used for online purchases.

Paypal, end of story.  ;)
 

Offline LightagesTopic starter

  • Supporter
  • ****
  • Posts: 4316
  • Country: ca
  • Canadian po
Re: Tequipment international order requirements :o
« Reply #12 on: April 16, 2012, 10:56:48 pm »
Well some people do not like paypal and I understand why given the reports of problems I have seen. I have not had any problems with paypal yet so I have no problem using them. The problem I face is that my paypal account is attached to a Canadian address and I am in Chile. Many companies will not ship to a different address than is on the paypal account.

I received this in an email just now from Tequipment:
"If you wish to pay by credit card, we require all international credit card orders to provide additional documentation for the first purchase. We also accept Paypal and Wire Transfers if you are uncomfortable sending the additional information.

The documentation we need is as follows:

1) Scan/photo/fax of the front and back of the credit card
2) Scan/photo/fax of the billing statement sent to you by the card issuer, showing both the billing address and the credit card number. Of course, you may "blank out" any purchases on the statement. We don't need to see what you purchase, only the billing address and the account number.

You may either email or fax these to us. Keep in mind that faxing produces very low quality images of credit cards and may require you to do it more than once.

This policy is in place to protect both us and our customers from fraud. We hope you understand.

For more details please see:
http://www.tequipment.net/EC.html#international

Please let us know if you need any further information or require any more details."

So they have just confirmed that I cannot do business with them by credit card unless I give them my personal information. They have stated however that it is permitted to blank out sections on the statement I consider private. The problem is I do not get a paper statement, only an electronic one so I cannot provide the information they want even if I wanted to. I am awaiting a response as to whether they will ship to me in Chile while my paypal account is in Canada.

One more kick at the can with them and then they can forget me doing business with them.
 

Offline Monkeh

  • Super Contributor
  • ***
  • Posts: 8073
  • Country: gb
Re: Tequipment international order requirements :o
« Reply #13 on: April 17, 2012, 12:02:11 am »
I'm afraid I don't see the problem.

You need to give them your billing address to use the card.
You need to give them your card number to use the card.
You need to give them your name to use the card.
You need to give them the CVV2 to use the card.

They only want to see the account number as a form of insurance and it's not uncommon for international stuff.
 

Offline Psi

  • Super Contributor
  • ***
  • Posts: 10247
  • Country: nz
Re: Tequipment international order requirements :o
« Reply #14 on: April 17, 2012, 12:50:16 am »
Jameco did the same thing to me once.

They wanted a picture of my visa statement before they would process my order.
Greek letter 'Psi' (not Pounds per Square Inch)
 

Offline ivan747

  • Super Contributor
  • ***
  • Posts: 2046
  • Country: us
Re: Tequipment international order requirements :o
« Reply #15 on: April 17, 2012, 02:24:49 am »
But what about that little 3 digit number on the back of the credit card? Do they ask for that too? If they do, a malicious person could store it somewhere and do their own purchases with YOUR credit card! This doesn't happen with places like Amazon because they are just encrypted and stored in a database where no human can see (or understand) them.

So, is the number allowed to be blanked out? How can they guarantee they won't clone your card in some way?
 

Offline BravoV

  • Super Contributor
  • ***
  • Posts: 7549
  • Country: 00
  • +++ ATH1
Re: Tequipment international order requirements :o
« Reply #16 on: April 17, 2012, 02:28:51 am »
Its obvious they're not serious doing business out of US, or if they're really serious, the policy maker of this rule must be a moronic red neck who thought everybody outside US is a terrorist or scammer, oh yeah, also the central of universe is in US, its so typical.  ;D

Offline LightagesTopic starter

  • Supporter
  • ****
  • Posts: 4316
  • Country: ca
  • Canadian po
Re: Tequipment international order requirements :o
« Reply #17 on: April 17, 2012, 03:00:36 am »
I'm afraid I don't see the problem.

You need to give them your billing address to use the card.
You need to give them your card number to use the card.
You need to give them your name to use the card.
You need to give them the CVV2 to use the card.

They only want to see the account number as a form of insurance and it's not uncommon for international stuff.

I have replied that it is not as much as a problem now that they have agreed that items on the statement can be erased or blocked out and they will still accept this. My personal problem is that I do not receive paper statements.

But lets say that I am a scammer. If they will accept altered documents to prove who I am, they will most certainly be fooled by fake documents too. I know that I could make a "copy" of a statement that no one would be able to see as fake without it being put to document specialist. Even then, it will not be an original but a copy and can be easily faked beyond the possibility of being detected as such.

So they want me to show proof o who I am using information they would not normally have access to and it could easily be faked or also stolen from the same mail box the credit card was stolen from.

It is pointless, ineffective and intrusive.

I am still trying to buy from them but we will see ...........
 

Offline metalphreak

  • Frequent Contributor
  • **
  • Posts: 815
  • Country: au
  • http://d.av.id.au
    • D.av.id.AU
Re: Tequipment international order requirements :o
« Reply #18 on: April 17, 2012, 06:06:51 am »
You will probably find its part of their record keeping requirements with their VISA/MasterCard payment processor. If they don't verify customers properly, and someone uses a fraudulent card, VISA/MasterCard just claw back the money from the business, and it's tough luck. Having to absorb losses from scammers means prices of products go up all for the sake of not having sending some documents? You are already giving them all the info off the card anyway, along with your shipping address... you only need to scan the credit card statement as proof of address - you can leave out the actual purchase history part.

It's not just Tequipment, it's most businesses that ship internationally. For example, ordering anything from ProVantage outside the USA is not possible with a VISA or MasterCard, but you can with an American Express card.

Honestly, I don't see the big deal. In many cases you are lucky they are even willing to ship overseas, with all the extra overhead for customs forms, export restrictions, and whatever. Do you really think they enjoy having to manually process documentation for international orders if they didn't have to? :P

Offline Bored@Work

  • Super Contributor
  • ***
  • Posts: 3932
  • Country: 00
Re: Tequipment international order requirements :o
« Reply #19 on: April 17, 2012, 09:06:54 am »
[Quotes reordered]

But what about that little 3 digit number on the back of the credit card? Do they ask for that too?

This number on the back is a security feature that in practice is a joke. Many sites now ask for it, many sites for sure store it together with your other credit card details, and a hacker stealing their database just gets everything he needs, including the number. It is just a brain dead idea. Whoever came up with the idea of that additional number had no fucking clue. Here are Visa's stupid claims about the number http://usa.visa.com/personal/security/visa_security_program/3_digit_security_code.html

That feature once served a tiny bit of purpose. Remember the days, when your credit card details were copied onto a yellow paper slip? These machines couldn't copy the number on the back. Therefore, anyone with only a copy of the slip didn't have the number on the back. But, a malicious waiter could of course have manually copied the number. And there are still enough shops not asking for the number. So the feature really never added security.

One of many issues with credit card security is that vendors who get your credit card data give a fucking fart about security. They use some rubbish shop system on rubbish Windows, "maintained" by the pimply faced youth from next door, and absolutely don't care about the security of customer data.

Quote
So, is the number allowed to be blanked out? How can they guarantee they won't clone your card in some way?

A shop might not accept your order if you don't give them the number. But because the number IMHO doesn't add any real security, you can give it to the shop. And as you can see from the above VISA  link, credit card companies expect you to give the number to shops.

Quote
If they do, a malicious person could store it somewhere and do their own purchases with YOUR credit card!

Of course they can. Instead of just storing your card number, one just needs to store three more digits. Hardly a security feature. It is just as if your credit card number got a little bit longer.

And not even large credit card processors are immune against getting their data stolen. E.g. just recently http://online.wsj.com/article/SB10001424052702304750404577318083097652936.html

Quote
This doesn't happen with places like Amazon because they are just encrypted and stored in a database where no human can see (or understand) them.

In the rare cases where some vendor uses an encrypted database it still doesn't mean it is absolutely safe. The store system needs to be able to encrypt and decrypt the database. The backend that processes the credit card data needs to be able to encrypt the data. The web front-end sees the data in clear text. So the keys are probably available at a few places in their system. A hacker obtaining the database and the key has everything he needs. A malicious employee with access to the keys is another option.

The main security feature of a credit card is that a credit card company will hold you harmless if things go wrong. At least that's what they claim in their ToS. You'll find out once you have a problem.
I delete PMs unread. If you have something to say, say it in public.
For all else: Profile->[Modify Profile]Buddies/Ignore List->Edit Ignore List
 

Offline ejeffrey

  • Super Contributor
  • ***
  • Posts: 3936
  • Country: us
Re: Tequipment international order requirements :o
« Reply #20 on: April 17, 2012, 10:27:15 am »
You will probably find its part of their record keeping requirements with their VISA/MasterCard payment processor.

I can pretty much guarantee that Visa/Mastercard don't require that businesses ask customers to email them an unencrypted copy of their card and payments statements.  In fact it is explicitly forbidden by the PCI-DSS standard, which they should be required to comply with by their merchant agreements.

All the rules and regulations in the world don't stop people doing stupid things.
 

Offline mariush

  • Super Contributor
  • ***
  • Posts: 5144
  • Country: ro
  • .
Re: Tequipment international order requirements :o
« Reply #21 on: April 17, 2012, 11:57:45 am »
Indeed, it's some stupid rules...

Documents can be faked, I also don't get printed credit card reports but I can generate one as a pdf file as many times as I want from the online interface... you can't really tell if the card is real or not from a photo of it...

When I rented a dedicated server, the company just asked for a copy of my ID (and allowed me to blank out what's here the equivalent of the SSN) and my phone number and a few minutes after I placed the order they called me to confirm all the details of the order... it literally took 3-5 minutes of their time and about 50 cents in skype credits (or whatever they use) and they sorted out more than they could have sorted from some scanned documents.

But you see, it could be very well a pre-paid phone card but generally you can make some determinations based on the user's voice (emotions, how undecided and unsure he is)... the downside is some people are shy and are simply reluctant to talk to human persons.

For renting dedicated servers where a user can do some damage  (spam, use bandwidth) for a week or so until the credit card turns fake or stolen, this additional step worked out great for the company i work with.
 

Offline metalphreak

  • Frequent Contributor
  • **
  • Posts: 815
  • Country: au
  • http://d.av.id.au
    • D.av.id.AU
Re: Tequipment international order requirements :o
« Reply #22 on: April 17, 2012, 03:57:28 pm »
You will probably find its part of their record keeping requirements with their VISA/MasterCard payment processor.

I can pretty much guarantee that Visa/Mastercard don't require that businesses ask customers to email them an unencrypted copy of their card and payments statements.  In fact it is explicitly forbidden by the PCI-DSS standard, which they should be required to comply with by their merchant agreements.

All the rules and regulations in the world don't stop people doing stupid things.

Sending a scan of your card is no different to handing it physically to someone in a store. The PCI-DSS standard is related to the automated processing and digital storage of customer card details. Usually you would obscure part of the number when sending the scan as its basically just proving you have the physical card (so the transmission of an incomplete number isn't an issue anyway).

When I used to work at a telecommunications retailer, we'd have to scan copies of IDs as part of the contract requirements (as well as entering the details into the system). We would just obscure part of the credit/bank card number with the persons driver's licence. The actual information is held securely, and the scan is just a partial part of it to visually match it to a physical ID.

But again, since it's all separate from payment processing, as its the companies own customer verification process, most of the PCI-DSS isn't even applicable.

Like I said earlier, it's mainly to ward off the casual scammers (anyone dedicated enough can fake the requirements). With international fraud, its very difficult to track down criminals due to the limitations of international jurisdiction. My sister works in corporate/business banking so I'll ask her next time we talk and see if she can shed any more light on it :) 

alm

  • Guest
Re: Tequipment international order requirements :o
« Reply #23 on: April 17, 2012, 07:47:35 pm »
Stealing a bunch of credit card numbers and using them to make a bunch of purchases (I'm sure there's software for this) is much easier than photoshopping a credit card for each of the accounts. Since the numbers and name are embossed, you also need to fake the shadows and reflections in most lighting. Automating this is probably not trivial. Not great security by any means, just like a photocopy of an ID that many companies accept. Just some extra trouble the criminals have to go through, and some extra documentation to prove to Visa that you worked really hard to verify the card.

Orders with fake credit card numbers can usually be tracked from the shipping address, but getting someone caught who had the stuff sent to an address in the UK or Australia is much harder. It takes all of one phone call before criminals get delivered to the US on a silver platter ;).

But what about that little 3 digit number on the back of the credit card? Do they ask for that too? If they do, a malicious person could store it somewhere and do their own purchases with YOUR credit card! This doesn't happen with places like Amazon because they are just encrypted and stored in a database where no human can see (or understand) them.
Every online store I've ever seen asks for it. They're not supposed to store it, but I just assume that it's probably published on the companies website as www.example.com/credit_card_numbers.xls. I'm just regularly checking credit card statements and prepared to call my CC company when they get abused.

About the database that no human can see them, I might believe this if it were the NSA, maybe. No way I believe this in a commercial system, where uptime and convenience takes precedence over security. If Amazon is unable to process any payments due to database corruption, does the responsible manager ask the IT people to go through the proper procedures and take their time, or does he say screw this and reach for the decryption code? Does Visa accept hashes of credit card details instead of plain text details? Where is the encryption key stored to decrypt the transactions before sending them to Visa?
 

Offline ciccio

  • Frequent Contributor
  • **
  • Posts: 659
  • Country: it
  • Designing analog audio since 1977
    • Oberon Electrophysics
Re: Tequipment international order requirements :o
« Reply #24 on: April 17, 2012, 08:17:04 pm »
About 8 years ago I bought something from an US company and they asked me to mail them a scan (or a photo) of my passport with my credit card placed over the second page.
I thought it was a "bizarre" request, so I called the credit card customer assistance, and they answered that this is a legitimate request, because it was like personally giving the card to them to look at.
The back security number was not requested.
Strenua Nos Exercet Inertia
I'm old enough, I don't repeat mistakes.
I always invent new ones
 


Share me

Digg  Facebook  SlashDot  Delicious  Technorati  Twitter  Google  Yahoo
Smf