I just contributed $5 to Barack Obama.
I didn't want to. Ideally, I could have contributed $0.01 and cost them money. But it was the only way to confirm the root cause of the fraudulent micro-donations to the Obama campaign ("Doodad Pro" for $17,300 and "Good Will" for $11,000).
The Obama campaign has turned its security settings for accepting online contributions down to the bare minimum -- possibly to juice the numbers, and turning a blind eye towards the potential for fraud not just against the FEC, but against unsuspecting victims of credit card fraud.
The issue centers around the Address Verification Service (or AVS) that credit card processors use to sniff out phony transactions. I was able to contribute money using an address other than the one on file with my bank account (I used an address I control, just not the one on my account), showing that the Obama campaign deliberately disabled AVS for its online donors.
AVS is generally the first line of defense against credit card fraud online. AVS ensures that not only is your credit card number accurate, but the street address you've submitted with a transaction matches the one on file with your bank.
Authorize.net, the largest credit card gateway provider in the country, lists AVS as a "Standard Transaction Security Setting," recommends merchants use it, and turns it on by default. So, in order for AVS to be turned off, it has to be intentional, at least with Authorize.net.
Authorize.net's website describes it this way:
Bankcard processors implemented the Address Verification Service (AVS) to aid merchants in the detection of suspicious transaction activity. The payment processing network compares the billing address provided in the transaction with the cardholder’s address on file at the credit card issuing bank. The processing network returns an AVS response code that indicates the results of this comparison to the payment gateway. You can configure your account to reject certain transactions based on the AVS code returned. For example, the AVS code “A” indicates that the street address matched, but the first five digits of the ZIP Code did not.
The end result? "Donors" like "Doodad Pro" can submit tons of donations totaling well above the $2,300 limit using different bogus addresses (this does clarify how donations from "Palestine", or PA, got through). And the campaign has no way to reliably de-dupe these donations, besides looking at the last four digits of the credit card number, which with 3.1 million donors is an identifier that could be shared by literally hundreds of donors, and is not as easy to eyeball like a common name or address would be. The ability to contribute with a false address, when the technology to prevent it not only exists but comes standard, is a green light for fraud.
One could understand the oversight if prior to the bogus donor story breaking. But you'd think they would have taken measures to step up their donor security in the aftermath of the revelations. Having AVS turned on would have stopped or significantly deterred the fraudulent donations (or, at a very minimum, made them easily detectable). By turning this basic setting off, the Obama campaign invited this kind of fraud and has taken no steps to correct it.