Obama for America does not require online credit card donors to input Card Verification Value data to confirm that a political donor is legally authorized to charge contributions to a given credit card. GAI said CVV data consists of “a three or four digit number generally imprinted on the back of the card” in order “to verify that the person executing the purchase physically possesses the card.”
GAI notes that the Obama campaign’s failure to use such security measures in its online donation system likely costs it “millions of dollars in additional fees” because “card processors charge higher transaction fees for campaigns that fail to use the CVV.”
The group estimates that Obama’s 2008 campaign, which raised over $500 million, likely “paid at least an additional $7.25 million in fees to the banks that it could have avoided if it were to have used the CVV,” assuming the campaign paid typical rates for processing credit card transactions.
The Obama campaign claims it has its own methods of confirming the legitimacy of credit card transactions. But it does require CVV data from credit card purchasers of hats, t-shirts and other campaign merchandise.
GAI also determined that the Obama re-election campaign has selected a particularly weak Address Verification System (AVS), a computerized means of comparing house numbers and ZIP codes provided by a donor with the corresponding numbers on file with a credit card issuer.
Different AVS systems “can be set to accept multiple degrees of error,” according to GAI’s report.
“[D]epending on the degree of error the Webmaster allows for the AVS, a transaction might not be flagged as potentially fraudulent if the purchaser mistyped the address associated with the card,” GAI reported. “While all major U.S. credit card issuers are AVS compliant, many foreign card issuers are not.”
Sukhia said that “the AVS error settings the [Obama] campaign appears to have chosen would not provide meaningful protection against fraudulent or foreign contributions.”
These “vulnerabilities” in the Obama campaign’s online credit card processing system, GAI contends, “are not difficult to fix.”
“In addition to the CVV and a strong AVS system, the campaign could make use of geo-location on the campaign websites so that if a visitor comes from a foreign IP [Internet Protocol] address, he or she would be alerted of the relevant federal laws and asked for a passport number or military ID in order to proceed to the donation page,” GAI said.
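As an added illustration (not code from GAI's report or from any campaign's system), the sketch below shows how an AVS tolerance setting and a CVV requirement change which transactions get flagged for review. The policy names, the sample transactions and the response-code table are assumptions made for the example; actual code sets vary by card processor, and the lenient policy is not a reconstruction of any real configuration.

```python
from dataclasses import dataclass
from typing import Optional

# Commonly documented AVS response letters (assumption: processors differ in detail).
AVS_MEANING = {
    "Y": "street number and ZIP both match",
    "A": "street number matches, ZIP does not",
    "Z": "ZIP matches, street number does not",
    "N": "neither street number nor ZIP matches",
    "U": "address information unavailable",
    "G": "non-U.S. issuer does not participate in AVS",
}

@dataclass(frozen=True)
class Policy:
    name: str
    avs_accept: frozenset      # AVS letters allowed through without review
    require_cvv_match: bool    # True: CVV must be collected and return "M"

# Hypothetical policies: one tolerating every AVS outcome, one tolerating none.
LENIENT = Policy("lenient", frozenset("YAZNUG"), require_cvv_match=False)
STRICT = Policy("strict", frozenset("Y"), require_cvv_match=True)

def review(policy: Policy, avs: str, cvv: Optional[str]):
    """Return ("accept" | "flag", reasons) for one authorization response."""
    reasons = []
    if avs not in policy.avs_accept:
        reasons.append(f"AVS {avs}: {AVS_MEANING.get(avs, 'unknown code')}")
    if policy.require_cvv_match and cvv != "M":
        reasons.append("CVV not collected" if cvv is None
                       else f"CVV result {cvv} is not a match")
    return ("flag" if reasons else "accept", reasons)

# Constructed sample responses: (transaction id, AVS letter, CVV result or None).
SAMPLE = [
    ("t1", "Y", "M"),   # full address match, CVV match
    ("t2", "Z", "M"),   # ZIP only
    ("t3", "G", None),  # foreign issuer without AVS, CVV never requested
    ("t4", "N", "N"),   # nothing matches
]

def flagged(policy: Policy):
    """IDs of sample transactions the policy would send to manual review."""
    return [tid for tid, avs, cvv in SAMPLE
            if review(policy, avs, cvv)[0] == "flag"]

if __name__ == "__main__":
    for p in (LENIENT, STRICT):
        print(p.name, flagged(p))
```

Under the lenient policy none of the four sample transactions is flagged; under the strict policy only the full-match transaction passes without review.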
In addition to fundraising practices employed at “my.barackobama.com,” another website — “Obama.com” — directs Web traffic to pages where the president’s campaign fills its coffers, GAI concluded.