This is a totally theoretical post, so if you are looking for something concrete, skip this post. I had an interesting, albeit pedantic, thought on the way into the office today. One of my clients has a problem with people getting into their system, but ultimately there’s no way to really stop it, since they must allow random people from the Internet to sign in using credit cards. Sure, they could use other factors of authentication (e.g., Authentify) to prove they are the cardholders, but bear with me for a second. So I was thinking: what if they were somehow able to kick the bad guys off after ten minutes of activity? Even if it’s a magical black-box process, it doesn’t matter; the bad guys can only be online for ten minutes and then they get booted. That would actually cause another interesting scenario.
Let’s say those same bad guys had access to other merchant accounts (maybe their own) and knew which cards were low value due to chargebacks. That is, they don’t want to mess up their own merchant account by processing those credit cards for illicit activity. However, the ones that they received chargebacks on are fair game to use however they choose. Sure, they only last ten minutes, but who cares? They are worthless anyway. Meanwhile, the processing explosion occurs while the bad guy does their ten minutes of bad things (whatever they are).
Now let’s say that, after a month of this, the upstream bank that’s doing the merchant processing notices a huge uptick in chargebacks. Suddenly those accounts are costing the merchant money in fines. Another month passes and the bank tells them to fix the problem or they’re getting cut off. The next month their business is no longer authorized to clear. Denial of service via merchant chargebacks! Weird, eh? Of course, the merchant does have one piece of recourse, and that is to immediately refund the charged card once they realize the account has been used for illicit activity. But it’s an interesting thought.