fraud_master - 10:06 pm on Jun 22, 2008 (gmt 0)

"I am very surprised and horrified about this. In Hong Kong, just merely confirming that the person is a customer of the bank would be breaking privacy law. Otherwise, I can see this being used by scammers and other criminal elements with ill intent."

It's this kind of archaeic thought process that makes it so difficult for merchants to perform fraud prevention. In a card-not-present transaction environment you can't get caught up in privacy acts or worried fraudsters will also use a bank verification to their advantage. Fraudsters already are illegally hacking into databases and doing all sorts of other exploits to steal consumer info. A bank confirming the name address and phone on an account is NOT a security risk. The bank should see the pre-authorization with your merchant name and account number and can ask to be provided this information.

Ispy hit it on the nail except for the fact that communicating with a INTL bank to do verification is usually pretty difficult. As already stated, the fact that they followed a large transaction after a small one is a huge red flag. Consider the first order a ping or a test and now that they have their foot in the door they want to open the flood gates. Take my advice and dont process the order.