[nothatscool]

>The customer paid Upwork using someone else's card, he didn't pay the freelancer. So the party that got duped is Upwork.

For me that is the key here. Upwork is the one accepting payment so it's their responsibility to verify that payment. It's actually impossible for the freelancer to do that.

[wpietri]

If the freelancer had taken a credit card directly, he would be in the same situation as now.

[jrochkind1]

Was it literally someone elses name on the credit card? Perhaps the freelancer would have rejected the credit card as payment for this or other reasons if they had taken the card directly. Who knows?

Also they would be fighting with the credit card company against the chargeback -- whether and how much they can take back in situations like this depends on the nature of your agreement with the credit card processor, and whether you followed it -- that is, whether Upwork did. Perhaps the freelancer would lose if they had directly charged, but it would be their fight to have. Instead, they are just told by Upwork they owe Upwork money now, because it was Upwork that took the card, not them. But sure, maybe they'd have ended up in the same place anyway, it's true. They would have at least known they were responsible for vetting the credit card themselves -- which you can't be when you never even see it because Upwork is the one charging it.

[wpietri]

Would the freelancer have even known? Their initial contacts were remote. I just purchased some by-the-hour services from a sole proprietor a few weeks ago; I just gave them the credit card number. They never saw the card.

Bringing up the agreement with the credit card processor is an important point. I suspect that Upwork's agreement like that involves certain protections when freelancers use the timekeeping system to create real-time proof of work. As the freelancer explains, he's only in this pickle because he entered the time later. I get why that didn't seem like a big deal to him at the time, and I'd be very curious to know how clearly Upwork explained the difference. Was it only in their T&C? Did they warn him when he first tried manual entry? Does the manual entry page warn him every time?

[jrochkind1]

Just taking a US credit card number without the name, CVD code, or zip code, is indeed a dangerous way for the person taking a payment to take one, opening them up to more possibility of fraud and chargeback.

In this case, it was Upwork and not the freelancer who decided whether or not to charge a credit card with only the number, if that's what they did.

[wpietri]

I agree it's dangerous. But this guy clearly liked and trusted the client, a client that I'd guess is a fast-talking serial fraudster. So in the hypothetical case of the freelancer working directly, I think it's likely he would not be any better off.

[jrochkind1]

Yes, but in this case it was out of his control entirely, he didn't have the option of verifying the name on the credit card. It was Upwork who (apparently? we don't even know) chose not to do that, not the freelancer. If he was taking the card directly he would have the option of doing it more responsibly; if a hypothetical freelancer read a story like this, they might be more likely to do it next time. Upwork, apparently not?

But if your point is that people taken credit cards get scammed all the time even when taking them directly, I agree, that's a thing that happens.

[ratww]

If the freelancer had taken a credit card directly, they would have been in the position to check with the card holder for proper authorisation beforehand, or to deny in case it looked shady.

Plus, the freelancer would be able to just sue the person they were working for directly, rather than having to sue Upwork, risking his ability to continue working there. If the freelancer didn't know client personally, it would have been impossible.

Back when people used checks, it was common for companies to either deny third-party checks or ask for the buyer sign the check over to someone else. This would put the buyer on the hook in case anything bad happened.

Marketplaces just removed all those protections that sellers could implement, while taking none of the risk.

[wpietri]

As I mentioned elsewhere, I recently purchased by-the-hour services via credit card over Zoom. They never checked the physical card; they just took the numbers and punched them in, with the charge instantly being made (Amex notified me within seconds). There's no reason to suspect that this guy would have done any more verification.

Are we sure the freelancer can't sue the person directly? And if we believe they can't, why could they do it in the case of the credit card company? In both cases, there's a chain of intermediaries; the chain's just one hop longer.

[ratww]

Were you also using a third party credit card like in this case? Are you really 100% sure this freelancer would do the same that the person in your example did? Were you also doing months-long transactions totalling 12k? If this were with me, it would definitely raise red flags.

If the client is really speaking in good faith ("there was someone else's card in my UpWork account"), all this wouldn't have even happened in the first place, and the client would have noticed it himself.

And even if the same thing happened with Upwork, in this case the choice of verifying was completely taken out of the freelancer's hand entirely. There was zero possibility of him checking a name on a credit card.

If it were a direct transaction, the credit card company would be entirely out of the picture in case of fraud. A credit card company is not an intermediate in the same way Upwork is. Also, are we 100% sure Upwork is not trying to collect the amount from the client at the same time? Have them forfeited the fees?

> If the freelancer had taken a credit card directly, he would be in the same situation as now

Point is: it is impossible to claim that one thing or the other would have happened if the situation were different.

EDIT: Added quote.

[wpietri]

> Point is: it is impossible to claim that one thing or the other would have happened if the situation were different.

Then I guess it's a good thing I didn't claim that. If somebody else did, maybe reply to them?

[ratww]

I'm talking about your first post: "If the freelancer had taken a credit card directly, he would be in the same situation as now." part.

It is impossible to claim that.

[akudha]

Can you explain why this matters here? The issue is that Upwork was/is responsible for taking payment from the customer, keeping their cut and paying the freelancer. If they got duped, they should eat the loss. Whether the freelancer is or isn't able to collect payments correctly on his own, is irrelevant here.

Freelancing websites go to extreme lengths to monitor freelancers - including installing monitoring software, taking screenshots every minute etc. Why can't they spend some of this effort making sure they aren't duped, and when they are duped (it will happen at some point) why can't they go after the person who cheated them instead of the little guy?

[wpietri]

My point is that Upwork not creating the problem, just passing along the problem.

From what the freelancer says, Upwork would have eaten the loss if the freelancer had actually used that monitoring software. But he chose not to. I get that sucks for him, and I get how he got taken in by a serial fraudster. But I also get why Upwork only covers fraud under specific circumstances.

[CRConrad]

> My point is that Upwork not creating the problem, just passing along the problem.

Yes it is Upwork creating the problem: They didn't vet their client.

> From what the freelancer says, Upwork would have eaten the loss if the freelancer had actually used that monitoring software. But he chose not to.

That's not how I read it. That software is to ensure the freelancer doesn't scam the client. They tried talking about that first, but then the freelancer gave them testimonials from the client that he had indeed performed the work, which AFAICS closed off that avenue.

[nothatscool]

But he would have had the opportunity to manage the payment himself whether that be not accepting credits cards, using a payment processor with charge back insurance or at the very least trying to verify that the credit card actually belongs to the client. As far as I know he can't do any of these things because the client isn't paying him, they are paying upwork and upwork is paying him.

[wpietri]

Sure. And he always had that opportunity. Both in general and specifically with this client when they started meeting in person. He chose to bill through Upwork and then specifically declined to use the time-tracking software under which they would cover fraud.

I get that this was a surprising outcome for him, and I feel bad for him. But as a business consultant working specifically in fintech, I don't feel very bad for him. Looking at the dates, I also suspect he isn't telling us about the fraudulent payments he did get to pocket.

[CRConrad]

> He chose to bill through Upwork and then specifically declined to use the time-tracking software under which they would cover fraud.

That software is for detecting a different kind -- exactly the opposite kind to what happened here -- of fraud.

[Edit to add:]

> Looking at the dates, I also suspect he isn't telling us about the fraudulent payments he did get to pocket.

I thought he mentioned that he had worked for "Robin" for two years? And he never says he was paid with a different credit card for the first eighteen months, does he? So as I read it he does indeed tell us about the fraudulent payments he did get to pocket: Those for those first eighteen months. It's just that the legitimate credit card holder couldn't issue a chargeback for those, so there's nothing for Upwork to try and claw back from him there.

[wpietri]

He did vaguely gesture at it. But I think he hasn't really come to grips with how much he personally profited from credit card fraud. He certainly isn't up front about it.

[tzs]

All that is actually required to charge a credit card is knowing the card number. (Some people think the expiration date is required, but it is not. The expiration date is only checked at the payment processor, and there it is just a simple check that it is in the future. You can just make up any future date when submitting the card and it will work).

However, when submitting the card you can supply name, address, and CSC (and maybe telephone number?) and ask the processor to check those. Those will be checked against what the card company has on file.

Details vary between payment processors, but all will have a way for you to bail out of charging the card if you don't get matches on a subset of those fields you chose.

Like most things with credit cards, those checks aren't free. If you are using a payment processor where you see all the little fees it will cost you a tiny amount to do the checks, but if you are with one of the processors that bundles it all together into tiers the fees for checking will almost always not be enough to bump a given charge up into the next tier.

The only real downside of doing the checks is that the more data you make the customer enter, the higher the chance they will not complete the purchase. If you are doing something that has an extraordinarily low chance of attracting people who are using stolen cards and the transaction isn't for a very large amount it might be worth it to not do the checks.

For everything else, you should do the checks and if things don't check out do not accept the card.

[patrakov]

> The expiration date is only checked at the payment processor, and there it is just a simple check that it is in the future

Wrong, at least for Raiffeisen Bank in Russia. Once I called their support why the payment didn't go through. Their answer: "you made a typo in the expiration date, try again" (and it worked).

[ratww]

Yeah, great point. There's lots of assumptions here from American posters.

This depends heavily on the country where the processing is being made and in the bank that issued the card to the customer. The data is (in the cases I saw) passed down to the card issuer via an API and the issuer gets to decide what to do.

In Europe for example, CVV seems to be required, except when the merchant requests an exception, or when a pre-auth token is used. In Brazil I've had my card rejected because of a typo in my name, although "forgetting" the middle name was alright.

It's not as clear cut and as insecure as in America or as people are making it seem here.

[Macha]

This is true, but surely dealing with these issues is part of what upwork takes their share of the revenue for?

[wpietri]

Maybe! An essential element of designing contracts is figuring out exactly who's taking what risk. From what the freelancer says, it sounds like Upwork is saying, "If you track the time directly with our tool, we'll take the risk of fraud. But if you track time your own way, the risk is on you." I assume that's what the guy actually agreed to, as he didn't say otherwise. So in this case, it sounds like it's something UpWork isn't taking a share of revenue for.