How to lose customers without really trying...
Not surprisingly, Valorie and I both do some of our holiday season shopping at ThinkGeek. But no longer. Valorie recently placed a substantial order with them, but instead of processing her order, they sent the following email:
From: ThinkGeek Customer Service [mailto:custserv@thinkgeek.com]
Sent: Thursday, November 15, 2007 4:28 AM
To: <Valorie's Email Address>
Subject: URGENT - Information Needed to Complete Your ThinkGeek Order
Hi Valorie,
Thank you for your recent order with ThinkGeek, <order number>. We would like to process your order as soon as possible, but we need some additional information in order to complete your order.
To complete your order, we must do a manual billing address verification check.
If you paid for your order via Paypal, please send us a phone bill or other utility bill showing the same billing address that was entered on your order.
If you paid for your order via credit card, please send us one of the following:
- A phone bill or other utility bill showing the same billing address that was entered on your order
- A credit card statement with your billing address and last four digits of your credit card displayed
- A copy of your credit card with last four digits displayed AND a copy of a government-issued photo ID, such as a driver's license or passport.
To send these via e-mail (a scan or legible digital photo) please reply to custserv@thinkgeek.com or via fax (703-839-8611) at your earliest convenience. If you send your documentation as digital images via email, please make sure they total less than 500kb in size or we may not receive your email. We ask that you send this verification within the next two weeks, or your order may be canceled. Also, we are unable to accept billing address verification from customers over the phone. We must receive the requested documentation before your order can be processed and shipped out.
For the security-minded among you, we are able to accept PGP-encrypted emails. It is not mandatory to encrypt your response, so if you have no idea what we're talking about, don't sweat it. Further information, including our public key and fingerprint, can be found at the following link:
https://www.thinkgeek.com/help/encryption.shtml
At ThinkGeek we take your security and privacy very seriously. We hope you understand that when we have to take extra security measures such as this, we do it to protect you as well as ThinkGeek.
We apologize for any inconvenience this may cause, and we appreciate your understanding. If you have any questions, please feel free to email or call us at the number below.
Thanks-
ThinkGeek Customer Service
1-888-433-5788 (phone)
1-703-839-8611 (fax)
Wow. We've ordered from them in the past (and placed other large orders with them), but we've never seen anything as outrageous as this. They're asking for exactly the kind of information that would be necessary to perpetrate an identity theft of Valorie's identity, and they're holding our order hostage if we don't comply.
What was worse is that their order form didn't even ask for the CVE code on the back of the credit card (the one that's not imprinted). So not only didn't they follow the "standard" practices that most e-commerce sites follow when dealing with credit cards, but they felt it was necessary for us to provide exactly the kind of information that an identity thief would ask for.
Valorie contacted them to let them know how she felt about it, and their response was:
Thank you for your recent ThinkGeek order. Sometimes, when an order is placed with a discrepancy between the billing and the shipping addresses, or with a billing address outside the US, or the order is above a certain value, our ordering system will flag the transaction. In these circumstances, we request physical documentation of the billing address on the order in question, to make sure that the order has been placed by the account holder. At ThinkGeek we take your security and privacy very seriously. We hope you understand that when we have to take extra security measures such as this, we do it to protect you as well as ThinkGeek.
Unfortunately, without this documentation, we are unable to complete the processing of your order. If we do not receive the requested documentation within two weeks of your initial order date, your order will automatically be cancelled. If you can't provide documentation of the billing address on your order, you will need to cancel your current order and reorder using the proper billing address for your credit card. Once we receive and process your documentation, you should not need to provide it on subsequent orders. Please let us know if you have any further questions.
The good news is that we have absolutely no problems with them canceling the order, and we're never going to do business with them again. There are plenty of other retailers out there that sell the same stuff that ThinkGeek does who are willing to accept our business without being offensive about it.
Edit to add: Think Geek responded to our issues; their latest response can be found here.
Comments
Anonymous
November 15, 2007
In this case, there was no discrepancy. And Valorie offered the transaction # for several previous orders we've placed with them, that was not sufficient. I wonder what the PCI rules say about asking for this kind of information... Erling: They did offer to allow us to use PGP to encrypt the emails :).
Anonymous
November 15, 2007
Errr, if you were a bad guy trying to defraud them, how many minutes would it have taken in photoshop to come up with what they asked for? Just like DRM and security theater at the airport, this is the kind of thing that is trivially bypassed by the bad guys and greatly hinders the innocent.
Anonymous
November 15, 2007
Long ago, I worked for an e-commerce startup and dealt with some of this stuff. In a lot of cases, the merchant may not care if you've made up the info you send in for verification. If they've gone through the trouble of verifying, they have a MUCH better chance of winning if a chargeback results. That's the real problem here -- if the merchant accepts a charge that turns out to be fraudulent and they haven't jumped through all of the hoops to verify that the charge is authorized (including contacting the cardholder and asking for more information), they're the ones who are going to eat the loss (including fees from the card issuer and the merchandise they shipped to a fraudster). Unless the card is actually physically present for the transaction (which is obviously impossible for online orders), the merchant is very likely to lose any chargeback representation. Their only defense is if they've done the verification steps and "confirmed" that the charge was made by the cardholder. This costs a lot of online retailers an astounding amount of money. So there's a huge incentive to retailers to force you to verify this stuff. I'm surprised it happens as rarely as it does, to tell you the truth.
Anonymous
November 15, 2007
If you paid by credit card, I'd complain to your credit card company. Generally speaking credit card merchant agreements don't allow merchants to refuse valid cards. I'd do it not so much because you want to do business with Think Geek, but because if you don't push back, more and more companies will try this sort of game.
Anonymous
November 15, 2007
@Larry 'In this case, there was no discrepancy. And Valorie offered the transaction # for several previous orders we've placed with them, that was not sufficient.' As everyone else said it's the card issuer that is causing this. There will be some magic cash value over which the retailer will need to get more proof of id. You did say that the order was substantial. It's a pain for the customer. It annoyed me when I had to fax a bunch of id proof to KLM when I was buying airline tickets. It really kills the convenience of buying online! MasterCard offer merchants a service called SecureCode: http://www.mastercard.com/us/merchant/security/what_can_do/SecureCode/ This redirects you to a MasterCard page during the transaction, and requests a password from the buyer before allowing the purchase. It works, but so few sites seem to use it that I struggle to remember what my password is! 'I wonder what the PCI rules say about asking for this kind of information.' I am not familiar with US laws, but surely they can ask for whatever they like? You're equally free to refuse - as you did.
Anonymous
November 15, 2007
James, I often purchase items from other online vendors that have a higher value than this purchase and I've never been challenged in this manner. Just last year, Valorie placed an order of comparable magnitude (slightly higher) and they didn't raise an eyebrow.
Anonymous
November 15, 2007
@Larry I would imagine that the limit depends on the merchant and what they're selling. Perhaps your purchase is higher than 95% of all purchases (say), then it gets extra scrutiny. I agree it's annoying, but the vendor isn't doing this for fun. If they don't do what the card issuer demands, then they lose out. Sure, they still lose out because you're not going to trade with them. It comes down to a choice:
Accept everything and lose $X due to fraud
Obey their master(card)s and lose $Y due to irked customers
if($Y < $X) { obey_masters(); } else { please_customers(); }
Aside. I bought an additional Operating System to run on my Mac Book Pro. I want to boot it natively and run it in a virtual machine. The vendor made me jump through hoops - something called 'Activation'. It's quite annoying. Should I buy their stuff again? ;)
Anonymous
November 16, 2007
i've had vendors pull this on me. as you are doing, i've always walked away. one has to wonder -- if the leading ecommerce sites on the planet, sites like amazon and dell, don't ever have to resort to these measures, why does some minor site feel that they have to?
Anonymous
November 16, 2007
I must be very unknowledgeable about this, but how does having a copy of your electricity bill enable identity theft? All the information on it, except your electricity consumption, is public knowledge (name, address, etc) and can be gathered by other means. Do banks request your electricity consumption to identify you now?
Anonymous
November 16, 2007
As I understand it, with your electric bill and the information on the bill, you can apply for a credit card. You can also register to vote, open a bank account, etc.
Anonymous
November 16, 2007
Your response was correct.
Anonymous
November 16, 2007
My two favorite lines: At ThinkGeek we take your security and privacy very seriously. We hope you understand that when we have to take extra security measures such as this, we do it to protect you as well as ThinkGeek. So, in the first case, does that mean that you will pay restitution if any information that you have about me is misused? And in the second, exactly how is this protecting me? If this were a case of fraud, then it might be protecting the original holder of the card, but in that case, they wouldn't be getting the email, would they?
Anonymous
November 16, 2007
I'm surprised -- you'd think that a company that is all about geeks would "get it." I love the note about PGP keys, really convenient right?
Anonymous
November 18, 2007
An electric bill, along with photo ID can be used to confirm your address (especially where the photo ID doesn't already have your address, like your passport). Generally, the electric bill by itself isn't enough.
Anonymous
November 19, 2007
Valorie just received the following email from Think Geek ( in response to our previous issue with them