Thursday morning, I did what any sane person would do: I went to the Britney Spears online store and ordered a bunch of stuff. Because that’s how I roll. And they have free magnets on orders over $50.
I’ve done that before, to the tune that I have literally hundreds of Britney Spears t-shirts. Literally literally and hundreds plural. Except this time, I got a mail:
The issue lies in the fact that there are people who are trying to commit credit card fraud on our website. With the volume of quantities in the order, we wanted to reach out to you before moving forward with the order. We are trying to do our best to protect our customers like yourself, as well as protecting the company. In an effort to protect all parties involved, we have tightened our security protocols for all of our orders.
Another aspect is that some foreign banks (outside of the United States), do not adhere to the same security protocols that we have in here in the United States. Some of these international transaction, consequently getting flagged. We usually can overcome this situation with the customer verifying certain information.
Should you be willing to provide the necessary information, we should be able to remedy this situation. All we need from you is to verify the name on the card, complete billing address, the last four digits of the credit card used for the transaction (last four digits ONLY), the expiration and CV# on the back.
If you are comfortable moving forward, please provide the above information. Should you not be willing to share the above information needed to move forward, we will unfortunately have to cancel your order. We apologize for the inconvenience.
TL;DR: Your order was triggered because it’s in excess of $1000 or something like that. Please confirm it.
Except, they were asking for a bunch of information that I had already given them. Sure, they do not actually have my full CC number, expiration and CVV (I would presume; that’s not supposed to leave their payment processor), but as for name, address, and the four last digits, it is not only visible under my account information on the store site, it was even in the fricking mail quoted originally.
Not only that, the language of the mail is a bit… let’s just say, it could have been written by a 419 scammer. Keeping with the theme, the mail came from a domain wholly unrelated to my original order.
A bit of research revealed that it came from the domain of a merchandise processor, and could be legitimate. It also quoted a mail that looked legitimate. It likely was legitimate, but it could have been faked. Also, it arrived a few hours after I posted this picture revealing most of the information in the quoted mail (actually the picture was my original order confirmation quoted in the mail).
In other words, the mail probably was legitimate, but could in principle have been spoofed. Also, they should never have sent such a mail. So I did the only reasonable thing, and responded in a nice and condescending manner, and sent them on a bit of a treasure hunt:
I am not going to send such information, much of which I already provided, to an e-mail address that is largely unrelated to the web-shop over an unencrypted connection.
As you can see, I have several times placed large orders on my account associated with e-mail britneyspearsstore@klafbang.eu also from your quoted response.
I can confirm that my name and billing address are as in my site registration. The card used is in my name and the 4 digits you have on file are correct; they are the same as the dollar amount of my only January order minus 107. The CVV is the last 4 digits of what you get if you add the order numbers of my 3 2015 orders and subtract 376. My card expires 5 years and 1 month after my $375.51 order.
There we go. I comply entirely with the request but in a ay so that only a legal sender would be able to piece together the information. Furthermore, I include the very crucial fact that I’m a repeating and very good customer.
I’m not sure whether the excitement of the treasure hunt, the information that can be gleaned by completing the treasure hunt, or the implied threat of the loss of a good customer did the trick, but somehow my order is now on the way and is expected Monday.
Time person of the year 2006, Nobel Peace Prize winner 2012.