
Lessons for online donation services after fraudsters hit Diocese of Qu’Appelle’s website

Posted on: February 12, 2019 11:50 AM
Photo Credit: Typography Images / Pixabay

[Anglican Journal, by Tali Folkins] An officer with the Anglican Church of Canada’s diocese of Qu’Appelle is warning parishes, dioceses and any other church bodies whose websites have an online donation feature to make sure it’s protected from fraudulent use. The warning follows an episode last winter in which someone used the diocese’s “Donate” button to test thousands of stolen credit card numbers. Amanda Sather Page, the diocese’s Financial Officer, says that in early February 2018, fraudsters attempted to make more than $90,000 [CAD, approximately £53,000 GBP] in credit card transactions using the feature, a matter of days after it had been launched.

The transactions were all for small amounts – between $2.50 and $5.00, suggesting that whoever was behind the incident was trying to test the card numbers to see whether they worked. The high volume of transactions suggested an automated process was used.

“They were just using us as a testing point,” Sather Page says. “The whole thing was done with the intention of just establishing the fact those cards were active and working. So it was just, ‘Pound it through, pound it through,’ make sure the card worked and if it did, then they would use it on other sites.”

Most of the transactions failed to go through, she says, and the diocese quickly refunded the ones that did, but the episode was time-consuming, frustrating and troubling, and prompted the diocese to quickly change its payment processor over security concerns.
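The pattern reported above (a rapid run of small charges, many different cards, most of them declined) can be checked for in a donation form's own transaction records. The sketch below is an added example, not code from the article, the diocese or any payment processor; the record fields (`ts`, `amount`, `card`, `approved`), the thresholds and the sample data are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# All thresholds are assumptions for illustration; tune them to normal donation traffic.
SMALL_AMOUNT = 5.00               # the article reports test charges of $2.50 to $5.00
MAX_GAP = timedelta(seconds=60)   # attempts closer together than this form one burst
MIN_ATTEMPTS = 20
MIN_DISTINCT_CARDS = 15
MIN_DECLINE_RATIO = 0.7

def split_bursts(txns):
    """Group time-ordered transactions into bursts separated by more than MAX_GAP."""
    bursts, current = [], []
    for t in sorted(txns, key=lambda t: t["ts"]):
        if current and t["ts"] - current[-1]["ts"] > MAX_GAP:
            bursts.append(current)
            current = []
        current.append(t)
    if current:
        bursts.append(current)
    return bursts

def find_card_testing(txns):
    """Return one alert per burst of small charges that looks like card testing."""
    alerts = []
    for burst in split_bursts([t for t in txns if t["amount"] <= SMALL_AMOUNT]):
        cards = {t["card"] for t in burst}
        declined = sum(1 for t in burst if not t["approved"])
        if (len(burst) >= MIN_ATTEMPTS and len(cards) >= MIN_DISTINCT_CARDS
                and declined / len(burst) >= MIN_DECLINE_RATIO):
            alerts.append({
                "start": burst[0]["ts"], "end": burst[-1]["ts"],
                "attempts": len(burst), "distinct_cards": len(cards),
                "declined": declined,
                "to_refund": sum(t["amount"] for t in burst if t["approved"]),
            })
    return alerts

def sample_transactions():
    """Constructed sample data: four ordinary donations, then an automated run."""
    base = datetime(2018, 2, 1, 3, 0, 0)
    txns = [{"ts": base - timedelta(hours=3 * (k + 1)), "amount": amt,
             "card": f"donor-{k}", "approved": True}
            for k, amt in enumerate([25.00, 50.00, 100.00, 5.00])]
    for k in range(40):   # one attempt every 3 s, a different card token each time
        txns.append({"ts": base + timedelta(seconds=3 * k),
                     "amount": 2.50 if k % 2 == 0 else 5.00,
                     "card": f"tok-{k:03d}", "approved": k % 8 == 0})
    return txns
```

Calling `find_card_testing(sample_transactions())` returns a single alert for the automated run and ignores the ordinary donations, including the lone $5.00 gift; the `to_refund` field totals the approved charges in the burst, which is the batch the diocese had to reverse.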

The incident occurred in two waves. On 5 February 2018, she says, the diocese was contacted by Moneris, the company it had hired to process payments made through the button. The company told the diocese it had noticed an unusual amount of activity on its account, and suspected fraud.

The diocese then looked into its records, to find that more than $88,000 in transactions had been attempted, about $5,000 of which had been successfully processed.

The diocese contacted the police and began refunding the transactions that had gone through, which it was able to do within two days using a process for refunding in large batches.

Concerned by the incident, the diocese decided to purchase more security features for its “Donate” button from Moneris – only to experience another onslaught of very small transactions within 24 hours of the button being re-launched, and only a few days after the first wave.

This time, there were far fewer attempted transactions; they totalled about $3,000, some $600 of which got through successfully. But that was scant consolation to the diocese, which expected the button’s new enhanced security features would protect it from such attacks, Sather Page says.

“It was right after we went live again, so it was quite ridiculous,” she says. “We were quite up in arms about it.”

Again, the diocese reported the incident to the police, and refunded the successful transactions. But its troubles weren’t over yet.

A little later, Sather Page discovered Moneris had placed chargeback fees – fees for reversed credit card payments – of $25 each on at least 15 of the successful transactions. She had to contest each chargeback with Moneris – a process involving phone calls and time-consuming paperwork – and the experience, she says, has made her completely lose patience with the company.

“I had to phone and contest it with Moneris every time, saying, ‘You were the fault of the fraud happening on the account – reverse the charge. Reverse the charge’”, she says.

Sather Page estimates that dealing with the incident cost the diocese probably the equivalent in time of three people working full-time for a week. And it still had to pay at least $150 in chargeback fees Moneris refused to waive, she adds.

Soon thereafter, the diocese switched to PayPal, another transaction provider, she says, and has not experienced any such incidents since.

The diocese initially informed the Regina Police Service about the incident, but was told city police did not have the resources to investigate it further. It then reported the transactions to the Canadian Anti-Fraud Centre – a law enforcement body that is managed jointly by the Royal Canadian Mounted Police (RCMP), the Competition Bureau and the Ontario Provincial Police – but has not heard back from them, she says.

Reached by the Anglican Journal, Moneris declined to comment on Sather Page’s concerns. “Moneris takes issues of fraud seriously and we cannot discuss details surrounding merchant accounts for confidentiality reasons,” Moneris spokesperson Darren Leroux said in an email, adding that the company actively provides its clients with information for avoiding fraud.

“When a merchant starts working with Moneris, we provide documentation on proper card acceptance and online processing procedures as part of the merchant agreement and Operating Manual,” he said, adding that the company also provides resources for identifying possible incidences of fraud.

Moneris, formed in 2000 by the Royal Bank of Canada and the Bank of Montreal, is Canada’s largest payment processor, according to its website.