Possible Online Fundraising Improprieties by Obama Campaign
Posted by Enrique on 10.23.2008
October surprise
There's an interesting narrative weaving itself on rightwing blogs today about the nuanced features of the donor page on Barack Obama's web site. Apparently, Obama's fraud detection protocols leave much to be desired:
I've read recent reports of the Obama campaign receiving donations from dubious names and foreign locales and it got me wondering: How is this possible?
I run a small Internet business and when I process credit cards I'm required to make sure the name on the card exactly matches the name of the customer making the purchase. Also, the purchaser's address must match that of the cardholders. If these don't match, then the payment isn't approved. Period. So how is it possible that the Obama campaign could receive donations from fictional people and places? Well, I decided to do a little experiment. I went to the Obama campaign website and entered the following:
Name: John Galt
Address: 1957 Ayn Rand Lane
City: Galts Gulch
State: CO
Zip: 99999
Then I checked the box next to $15 and entered my actual credit card number and expiration date (it didn't ask for the 3-didgit code on the back of the card) and it took me to the next page and... "Your donation has been processed. Thank you for your generous gift."
This simply should not, and could not, happen in any business or any campaign that is honestly trying to vet it's donors.
Curious. Obama famously rejected public financing of his campaign when it became clear he could raise huge money on his own. Fair enough, as far as I'm concerned all Americans should be able to donate as much money as they want to any candidate or party.
But if the Obama campaign donation page isn't properly secured, it at least indicates a serious lack of judgment. Anyone who shops online knows there are certain basic security checks in place before your order is processed – your zip code can't be only four digits, your phone number has to be entered correctly, you might have to input your credit card's CIV code, etc. If Obama's online fundraising isn't following routine security procedures, it isn't exactly an indicator of superior executive acumen.
And if the campaign has been deliberately ignoring routine security procedures, that would be change we don't need. Former Bush staffer and online strategist Patrick Ruffini charges:
The Obama campaign has turned its security settings for accepting online contributions down to the bare minimum -- possibly to juice the numbers, and turning a blind eye towards the potential for fraud not just against the FEC, but against unsuspecting victims of credit card fraud.
The issue centers around the Address Verification Service (or AVS) that credit card processors use to sniff out phony transactions. I was able to contribute money using an address other than the one on file with my bank account (I used an address I control, just not the one on my account), showing that the Obama campaign deliberately disabled AVS for its online donors.
AVS is generally the first line of defense against credit card fraud online. AVS ensures that not only is your credit card number accurate, but the street address you've submitted with a transaction matches the one on file with your bank.
Of course, the whole thing could be a simple misunderstanding. I'm sure Obama will clear it up once he's done apologizing for whatever damn fool thing Joe Biden said today. On an amusing note, rightwing blog readers have been so anxious to test Obama's web security for themselves by making fraudulent donations, conservatives pundits have had to ask them to knock it off.
For balance, you can read the NYT coverage of this story here.
I wonder if this Patrick Ruffini guy tried the same thing with McCain's donation page.
Posted By: Brandon Crow (Guest) on October 24, 2008 at 01:42 AM
Thanks for this critical reporting. The campaign of Obama seems so professional that it is a very interesting information to have.
Posted By: Laurent (Guest) on October 24, 2008 at 04:21 AM
"I wonder if this Patrick Ruffini guy tried the same thing with McCain's donation page."
If Patrick Ruffinin did, do you think Enrique would mention it?
Posted By: David (Guest) on October 24, 2008 at 05:51 AM
"I wonder if this Patrick Ruffini guy tried the same thing with McCain's donation page."
Doubtful. In fact, the McCain page looks exactly the same as the Obama page in terms of information fields.
Posted By: J.D. Dunn (Registered) on October 24, 2008 at 10:36 AM
In all seriousness, Obama is likely not responsible for website security protocol any more than McCain is for the Repubs' website. It doesn't seem like something either candidate would have to put their campaigning on hold for, to verify 'does my website donation page use AVS?'
This smacks of desperation in the final eleven days of a campaign.
If the level of donation security on the presidential candidates' websites disturbs you that much, go and steal someone's credit card and donate then. And when you're done, you can try to vote under four different names on election day and see how far that gets you.
Posted By: Bisch (Guest) on October 24, 2008 at 11:32 AM
actually, ruffini and several other bloggers tried to donate the same way to McCain's site and failed. The info fields may be the same, but if the merchant turns the AVS off, you can put whatever you want in the fields as long as the CC number is valid. Also, since the story broke the Obama people turned the AVS on.
The thing I want to know is what idiot thought it was a good idea to exempt donations under 200 bucks from reporting requirements? Did they not think that some people might skirt the donation limits by donating 50 bucks 100 times?
Posted By: Chris Connolly (Registered) on October 24, 2008 at 11:25 PM
STAY CURRENT