Click and trick - and trickery offline, too

Visa's announcement yesterday that it would cease - starting this Saturday - playing a role in what's essentially an Internet scam was heartening, if a little belated. You can read my article in today's Inquirer here about Visa's decision, which it says will clamp down on a practice that it calls data pass but that's probably better named "click and trick."

What's astonishing is that it took this long, even after the  Senate Commerce Committee estimated in November that consumers had lost $35 billion to this trickery over the last decade. I wrote a column last year about some local victims of the scam, in which consumers discover recurring charges on their credit-card bills and don't even know where they came from.

Networks such as Visa's were a linchpin in the scam, because they allowed a website where a consumer might happily fork over a credit-card number, expiration date, and security code (think Fandango or Priceline) to pass along that crucial financial data to a third-party company that purchased an ad on the website - typically with a pitch such as "$10 Cash Back on Your Next Purchase!"

With that data, the third-party company could then lure you to spend money without your ever realizing it. It worked because the new site would never have to ask you to retype that 16-digit credit-card number, or the secret code and expiration date - the crucial steps you're used to taking when you actually choose to spend money at an unfamiliar website.

Will this solve the problem? Committee chair Jay Rockefeller says he still plans to introduce legislation to the end practice, so I'd count him as skeptical. Even more skeptical is one of the leading experts in this field of consumer trickery:  Prentiss Cox, a University of Minnesota law professor and former  head of consumer protection for the Minnesota Attorney General's Office, who testified last year before Rockefeller's committee.

Visa didn't return my request for comment yesterday, and its statement didn't get very specific. As a result, Cox says he can't tell how far Visa's new rules will limit data transfers when it says that consumers will now have to "re-enter their card information to accept a subsequent offer from a third-party merchant." Does that mean they'll have to re-enter all the information usually required for verification, including expiration date, secret code, billing address, and the like, or something less?

"Forcing consumers to enter the entire 16-digit credit-card number is an important thing, and it addresses a huge part of the problem," Cox says. "But requiring them to enter all the same information is a much preferable step." I'll let you know if I can get that clarified.

Even more disturbing to Cox is what the Senate report didn't address: the offline cousin of this smarmy tactic, which is broadly known by broad rubric of  "preacquired account marketing."

Cox has been investigating this practice for more than a decade, and it involves a variety of situations in which consumers can unknowingly bill something to a credit card or a debit card, or can "authorize" a direct debit from their bank accounts.  In all cases, the surprise comes because the alleged purchaser never had to cough up the stream of specific personal and financial data that lets us know when we are making an actual transaction on the net, by phone, or by mail.

In a later post, I'll tell you more about Cox's findings and his proposal for a broader crackdown on preacquired account marketing, which he outlines in an article scheduled to be published next month in the Harvard Journal on Legislation.

Cox says the offline version is actually a larger problem than the online version. He says preacquired-account  marketers sell not just membership clubs but products such as disability insurance, magazine subscriptions and - pause here for the irony - identity-theft protection. (Some of these things may have actual value - let's hope the magazines do - but some smell of scams themselves. Cox mentioned a disability policy sold this way that he says actually excludes "heart attacks and cardiovascular events.")

The linchpin in these offline cases isn't a Visa "data pass" from website to website. It's a deal between the marketers and financial institutions, including some of the biggest such as Bank of America, JPMorgan Chase and HSBC.

"Banks sell the right to charge your bank account," Cox says. He calls the practice "an invisible hand that selectively reaches into the pockets of consumers."

Time for somebody in authority to whack it on the wrist.