HACKER Q&A
📣 nabi_nafio

Why Is Credit Card Used as an Anti-Fraud Tool?


I was surprised to learn that a lot of companies use a credit card as an anti-fraud tool. I thought the purpose of a credit card was to borrow money to make purchases. However, a lot of apps, especially SaaS-based businesses, use the credit card as an anti-fraud tool. Why is that?


  👤 logicalmonster Accepted Answer ✓
You have to assume that the Credit Card Bankers have a fairly high degree of confidence that a credit card owner is who they say they are due to being on the hook for their purchases if they get the identity wrong.

👤 toast0
Anti-fraud is all about increasing the cost of the (ab)user so that there's less of it.

Requiring a payment method on file that at least superficially works (charge a dollar and it doesn't fail immediately) is very effective because most people don't have access to many payment methods. You do have to be careful though, because people with access to stolen payment methods are always looking for ways to validate them, and you don't want to reduce abuse of your actual service while promoting abuse of your payment service.

It also shows ability to pay, which is useful too. It's painful to provide a trial and get a user interested only to find out they don't have a way to pay you; perhaps better to narrow the funnel earlier and only pay the cost of the trial for users that can pay.


👤 rajeshp1986
Because banks have done KYC of the customers before issuing a credit card to the person. If you can do the KYC yourself and establish the identity, then you don't need to use a credit card as an anti-fraud mechanism. SaaS companies already ask for a credit card for billing, so in a way it also became a way for anti-fraud detection.

👤 Jugurtha
Here's a page from Google App Engine https://cloud.google.com/appengine/docs/standard/payment-ins...

It didn't use to require a payment method/billing account and the change appears both for compatibility reasons, as the deployment method now relies on a service that does require a payment method, and for fraud reduction which they claim they have evidence for when requiring a payment method.

The way this works with Google App Engine is that they will issue a charge of $0 that you authorize on your credit/debit card mobile application, so it's not just a Luhn credit card number check.

I do not have evidence of how effective it is but, intuitively, it may increase the effort for fraudulent use. It is "KYC by proxy". It is also harder to get a credit card than it is to create a bogus email address in case you have free quotas, and in case there's a pattern of fraudulent usage from an account, they can use the credit card number as a selector to see which accounts are linked to that number and block them, which is harder to do only by email for you have to use more sleuthing and selectors to link accounts to an entity.

If you think of acquiring good users/making a sale as a conversion process in which you try to prevent people dropping off the process or abandoning a cart and you try to increase the conversion percentage at every step, you can think of this effort as an "anti-conversion" process in which you try to reduce the percentage of fraudulent users making it to the next step, you weed out and filter as many as you can at every step of the process.

There will be people who will make it, but they'll leave an additional trail and pieces of information you can use later to find them.

One unrelated anecdote from a mistake Reddit made at some point was that they stored passwords in plain text. From a security perspective, this was bad, but the anecdote was that they used this to find and weed out a lot of fake accounts because they all used the same exact password.
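
The Luhn check and the card-number "selector" described in the comment above, as an added example that is not part of the original thread: a Luhn pass only proves the digits are well formed, while a keyed fingerprint of the number links accounts that share a card. The key, function names and sample signups are constructed for illustration, and the card numbers are widely published test numbers.

```python
import hashlib
import hmac
from collections import defaultdict

# Assumption: a server-side secret. The card-number space is small, so an
# unkeyed hash could be brute-forced back to the number; a keyed one cannot.
FINGERPRINT_KEY = b"constructed-demo-key"

def luhn_valid(pan: str) -> bool:
    """Checksum only: says nothing about whether the card exists or works."""
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) < 12:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def card_fingerprint(pan: str) -> str:
    """Stable selector for a card; spaces and dashes are ignored."""
    normalized = "".join(c for c in pan if c.isdigit())
    return hmac.new(FINGERPRINT_KEY, normalized.encode(), hashlib.sha256).hexdigest()

def linked_accounts(signups, flagged_account):
    """Return other accounts that registered the same card as flagged_account."""
    by_fp = defaultdict(set)
    for account, pan in signups:
        by_fp[card_fingerprint(pan)].add(account)
    linked = set()
    for accounts in by_fp.values():
        if flagged_account in accounts:
            linked |= accounts
    return sorted(linked - {flagged_account})

# Constructed sample data. A real system would keep only the fingerprint
# (or the payment processor's token), never the raw number.
SIGNUPS = [
    ("alice@example.com", "4111 1111 1111 1111"),
    ("throwaway1@example.net", "4242-4242-4242-4242"),
    ("throwaway2@example.org", "4242424242424242"),
    ("bob@example.com", "5555 5555 5555 4444"),
]

if __name__ == "__main__":
    print(linked_accounts(SIGNUPS, "throwaway1@example.net"))
```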


👤 WorldMaker
My guess is a lot of it is "Credit Score By Proxy": you could pay one of the US' three Credit Score Bureaus directly, all of whom charge for the service about as much as they think they can get away with when you ask for a contract and all of whom have reasons not to trust direct relationships with them. Or you could check that the person has a credit card with any limit above $0 implying some bank is already subscribed to the credit reports on you and still chooses to be in a relationship with you.

👤 Scaevolus
A working credit card is harder to acquire than an email address. It lets you outsource some of your anti-fraud to an ecosystem that continually deals with fraud.