Bank didn't do enough to prevent online credit card fraud, Montreal merchant says
Vincenzo Lingordo blames bank for security software he says failed to block transactions despite red flags
Credit card fraud forced a Montreal businessman to close his online business, and he blames his bank for letting it happen.
Thieves, using stolen credit cards, bought thousands of dollars worth of cell phone and computer parts from Vincenzo Lingordo's web site, the now-defunct Lingordoiparts.com.
Three months after opening the site, Lingordo had to lay off his employees and shut down his web site.
"I lost everything," said Lingordo.
Originally from Italy, Lingordo said he saved for years to come to Canada and spent months getting his dream business off the ground.
He said its failure sent him spiralling into a depression.
Lingordo said the purchases were approved by TD Canada Trust, even though key information was missing from the online transactions or not entered at all.
"Their system should be able to match the info and be able to pass or decline the transaction, not me," said Lingordo. "So what is secure here?"
By the time the bank notified Lingordo about each fraud — in some cases, weeks later — he'd already shipped the goods.
"You're trusting a good service from a good bank," Lingordo said.
When payments continued to be made with stolen cards which weren't immediately flagged by the bank's transaction software, Lingordo said his bank told him his business was attracting criminals.
He estimates he lost $50,000 in merchandise, refunds, charge-backs and time.
While he blames TD Canada Trust for his losses, a bank spokeswoman said responsibility for the frauds rests with him.
Online security not guaranteed
When TD Canada Trust notified Lingordo about the first fraud, he thought it was a one-off.
The bank asked him to make his web site more secure, so he had the site encrypted.
He said the bank also told him to be more cautious about sending products in cases in which the shipping and billing addresses didn't match.
- More from CBC Montreal Investigates: Montreal student responding to text ends up on hook for $4K in advertising scam
Lingordo said the bank also pointed out ways he could reduce his fraud risk, by going into his merchant profile with the bank and ticking off a few more security features on how transactions were to be approved.
Lingordo said he followed the bank's advice.
Based on the security features Lingordo said he added, transactions weren't supposed to be approved unless the cardholder's proper billing address was entered. That billing information is something fraudsters don't usually have access to.
He said he also chose to make it mandatory for customers to enter the security code on the back of their credit card. It, too, had to be entered correctly before a transaction could clear.
But when Lingordo later looked at his transaction details, 10 purchases, all in the month of January, were approved for more than $13,000 U.S., even though the addresses either weren't provided or didn't match the cardholders' billing addresses.
Another two went through with all the right information entered.
Weeks later, Lingordo said, all twelve of these purchases were flagged as fraudulent.
Lingordo tried to figure out what had gone wrong, running his own tests using TD's software.
He deliberately entered incorrect credit card information or left mandatory fields empty to see what would happen. Each time, he said, the transaction was approved.
"I could put any name, any security code, any number, anything, and they were passing," said Lingordo. Believing the software wasn't working properly, he took his evidence to TD Canada Trust.
The bank denied there were any shortcomings with its credit card-processing software.
However, Lingordo can't believe he's the only business that encountered such problems.
"They have thousands and thousands of customers using their services," said Lingordo.
E-commerce risky for small retailers
The president of the Canadian Federation of Independent Business (CFIB), Dan Kelly, hasn't heard of a case just like Lingordo's before.
But Kelly said fraudulent online payments are a big problem for many small business owners, who are shocked to discover they are on the hook for them.
Many small retailers are "sitting ducks," he said, because there is no way to know for sure that a credit card used online is valid — and because they don't have the financial wiggle room to bounce back from fraud.
The CFIB represents nearly 110,000 merchants across the country, and Kelly said many of them are jumping into e-commerce to stay competitive.
But it's risky, Kelly said.
According to the Canadian Bankers Association, credit card fraud from online sales or phone and mail orders cost banks and merchants nearly half a billion dollars in 2015.
"If you're a small business just getting started in online sales, especially if you have larger purchases, that can be make it or break it for some firms," said Kelly.
E-commerce also costs small merchants more in bank fees than big companies pay, he said, as larger firms are often able to negotiate a better rate to process online transactions.
Kelly thinks for their money, small merchants should be getting better protection.
"That higher cost should actually pay for something," said Kelly. "It should pay for some degree of assurance."
Kelly said the banking industry has to better educate retailers about the dangers of e-commerce and how to protect themselves.
Bank says retailer ultimately responsible
TD Canada Trust would not get into specific details of Lingordo's case, but in an email, Fiona Hirst, a spokeswoman for the bank said this:
"Our system processes the transaction and if incorrect information is entered, these transactions are flagged for the merchant to review. Ultimately, it's the merchant's decision to accept the transactions."
Hirst said fraudulent transactions continued to be accepted by Lingordo without engaging in "additional security measures" which the bank had suggested he take.
Those additional measures include signing up for Verified by Visa or Mastercard SecureCode, which are highly recommended for e-commerce.
Lingordo said those steps were never suggested to him.
New rules needed?
Lingordo appealed to the bank's ombudsman twice, to no avail. Lingordo now feels burned and has no plans to return to e-commerce.
Meanwhile, Kelly is pushing the federal government to change the rules of the game. He sits on a federal finance committee that includes card processors, credit card companies and banks.
He said small businesses that do everything right — including regularly reviewing their transaction history and taking steps to double check if the cardholder's identity — shouldn't be left holding the bag.