Thieves Using Stolen Credit Cards to Make Donations

JagsLive writes with a link to a Newsday.com article about 'philanthropist identity thieves'. Credit card thieves appear to be donating to charity with their stolen goods. While it may sound like a strange form of generosity, it's really a method to determine whether a stolen card is valid. "The verification method has become popular because the monitoring software at credit-card companies may not question donations to charities, according the Symantec blog. Santoyo said the schemers usually donate less than $10. American Red Cross spokeswoman Carrie Martin said, 'This happens all the time. We have people at the Red Cross who deal with this type of activity.' Last month alone, the Red Cross refunded 700 fraudulent credit-card transactions, Martin said. That figure doesn't include the transactions the charity blocked because they appeared fraudulent."

Just plain thieves

Not only are these scum ripping off the card holders, they are costing charities time and money.

There is no reason to call them philanthropist identity thieves. They are identity thieves or just plain thieves.

Re:Just plain thieves

They are identity thieves or just plain thieves.

Lets just call them plain thieves as the term 'identity theft' is just something invented by the banks to blame us for when their money get stolen.

Actually, a comedy programme I listen to on UK radio had a great little skit on this. A guy being called by his bank who told him his was a victim of 'identity theft' and lost his money. He responded by telling the bank manager that he was sorry to hear that they had been robbed... "No no, you don't understand, this is identity theft!". When it was put like this, it was not only pretty funny, but held a mirror up to how absurd this 'identity theft' thing really is.

It ended with the customer overhearing a bank robbery happening at the bank with the robber shouting... "Put all the money in the bag" and the manager responding... "I think you mean all the *identities*" :oD

Re:Just plain thieves

So if someone steals your SSN and fraudulently obtains a credit card, it's the institution's fault? Who's the victim? You are.

A service provider accepted falsified credentials and assumed an agreement because of fraud by an improperly authorized third party. Why should I be involved, responsible, or at fault? It's completely between the fraudulent third party and the defrauded lender... or, rather, it should be.

The only reason the banks don't get their share of the fault is that performing satisfactory identification of potential borrowers would acutely cut into their margins, so it's called "identity theft", and the "defrauded" third parties are simply assumed to have racked up debts or made agreements based on identification that is obviously too flimsy (given the widespreadness of the problem.)

If the bank made an error on a transaction, would you say they lost their money? Hell no... you would say they lost your money. How is this any different?

The bank lost track of the money you entrusted to them. If the bank uses this to deny you access to that money, then you "lost" the money you entrusted to the bank (by virtue of poorly picking a bank). Still, this isn't even similar-- you were the party that entrusted that money to an incompetent bank. In identity theft, you may have no connection at all to either the service provider or the fraudulent requester.

Re:Just plain thieves

"So if someone steals your SSN and fraudulently obtains a credit card, it's the institution's fault?"

Well, yeah. SSNs were never intended to be secret numbers that only the owner would know, so in theory it shouldn't matter if the whole world knew your SSN. If the institution issues a credit card without doing a sufficient job to verify your identity (which unfortunately is usually the case), it damn well is their fault.

Robin Hood

Steal from the rich and give to the poor.

Not Robin Hood.

1. Less than $10 'donated' per card.
2. Using charities as a confirmation method to make extra money, illegally selling access people's bank accounts.
3. Charities have to refund the money when the credit card is reported stolen.

If criminals such as these were truly charitable or showing a change of heart, $10 or less seems a peculiar way to show it. The fact that these crooks are using charities for their own dirty deeds shows a selfishness that I don't recall Robin Hood having..And, the fact that charities have to refund the money in the end, means that money might be spent that the charity would have otherwise saved in the reserve fund. So it's basically stealing from the charity's perceived pool of funds.

I know we Slashdotteurs have a 'stick-it-to-the-man' attitude and like to see the underdog rise up. But these people are crooks..Nothing of what they're doing is charitable or moral in anyway. The Robin Hood association is definitely inappropriate here. It just diminishes the real work people do for society.

My 2 cents.

I must mention my favourite charity

The Cocaine and Hooker Party for Timesprout Foundation.

Please give what you can.

Sneakers

"In a surprise announcement, the Republican National Committee has revealed it is bankrupt. A spokesman for the party said they had plenty of money in their accounts last week, but today they just don't know where the money has gone. But not everybody is going begging. Amnesty International, Greenpeace and the United Negro College Fund announced record earnings this week, due mostly to large, anonymous donations."

Why reverse charges

Why reverse the charges? The credit card companies make enough from usurious interest rates to absorb the small payments to charity

700 refunds

700 refunds of (probably) less than $10 each? I realize they've just had money stolen from them, but they're asking for a $10 refund from a charity? Nice.

Why refunds?

> Last month alone, the Red Cross refunded 700 fraudulent credit-card transactions, Martin said.

Surely, a fraudulent credit-card transaction is caused (in theory) by the credit-card company fucking up? I would have thought that the credit company would absorb the loss instead of being able to make the receiving party refund the money.

If I buy a $6000 HDTV using a stolen credit card, and I fake the signature on the receipt very convincingly (so the TV shop follows due diligence), when it emerges that the card was stolen is the TV shop out 6k? How can the CC company force the shop to refund the money? Isn't it the CC company's fault for having poor security measures?

Re:Why refunds?

when it emerges that the card was stolen is the TV shop out 6k?

Yep. The merchants absorb the cost of fraud, and the CC companies have very little incentive to create effective fraud-prevention measures.

Re:Why refunds?

Make it so the CC company has to give the money to any merchant that followed the prescribed security procedure as dictated by the CC company. Then we would see some real security in the CC industry.

Re:Why refunds?

"Card Present" and "Card Not Present" transactions are treated very diffently. The latter is what the article is discussing - and yes, the merchant is most always the one liable for bogus charges.

On a related note, there are other *per-transaction* costs of such bogus on-line "test" transactions mentioned in the article that many people aren't aware of, such as:

* Gateway fees
* Authorization fees
* AVS / CVV2 surcharges
* Settlement fees

These are IN ADDITION to the discount fees (ie. ~3% or so) of the dollar amount of sales.

Even if later the transaction is voided / refunded, the merchant typically still pays the above per-transaction fees regardless.

And even worse, depending on the merchant processor, the discount fees may not be refunded either; upon refund it may even be charged again! Doing "auth-only" and hand verifying sales before submitting the batch can help mitigate such refund costs, but is often labor intensive.

One nasty scenerio for an on-line merchant is a carder running thousands of card "tests" on their small business / charity website ... the per-transaction auth fees alone can easily run into many hundreds, or even thousands of dollars.

Large merchants have more favorable merchant agreements / absorb such costs with no problems; often have advanced fraud screening in place to throttle such extraneous transactions. The small merchants, such as charities, are those who really suffer from such card "tests".

Ron

Future headline:

Red Cross Busted in Credit Card Stealing Scheme. Hundreds of non-profit hospitals around the world close due to lack of funding.

Seen this happen...

I've set up and managed online donation systems for various charities, and see this happen all the time. Most of the time, the donor doesn't bother asking for a request, although they may inquire about it. Requiring the CVV2 code [wikipedia.org] (the extra 3 digits on the back of Visa/MC or the extra four digits for AmEx) really does make a difference for fraud prevention: our logs show people attempting to use the same credit card number with wildly different CVV2 codes, failing time after time. They're just guessing and eventually give up.

Sounds like the government

But they do it through taxes. Forced charity causes both resentment in the giver and the receiver.

Charge-backs suck

Credit card companies charge $25 for a charge-back. So if you buy something for $10, then return it and have the money charged back to your card, you get $10 back and the store pays out $35 to recover the $10 item. These fraudulent donations hit the charities up the same way, leaving them poorer in the end; if it's not too much trouble, please do consider telling them to go ahead and keep the money, if it's just a few bucks.

Obligatory

We have reached our goal of $10,000 and its all thanks to one generous caller who didn't leave his name!
But thanks to Insta-trace we've learned it's Homer Simpson of 783 Evergreen Terrace.

Old news

What, has it been like 5 years this has been happening and suddenly it's news? Credit cards authentication is a total joke. The security of credit cards is based on chargebacks to the merchant, placing the burden of fraud prevention almost entirely on the merchant. Banks and processors profit on fraud because of chargeback policy, and consumers are protected by law.

When the merchant is a charity, none of this changes by magic. The charity/merchant is still responsible for dealing with fraud. It's ridiculously naive, and arguably irresponsible, for a charity to accept unverified credit card donations.

IMHO, a real e-cash system like e-gold or moneybookers should be usedq, or better yet as distributed system with no central database, but the governments that print fiat currency don't want to give up their monopoly and use excuses like "think of the children, child porn, terrorism, etc..." to thwart the development of viable e-cash alternatives by imposing
arbitrary requirements on them, or charging them with violations of laws that do not apply to fiat cash, etc....

Costing charity money

So realisticly, this is actually costing charities time & resources they shouldn't otherwise be using ?
That's pretty low, even for thieves.

No one see NBC??

Nobody saw the episode of NBC "To catch a ID thief"?? everytime that these people get a credit card number, the first thing they do is a small donation to verify that the stolen credit card number is right!! not because they are good people but just to see if the information is right!!

Fighting back

Is there any effective methods of fighting back against identity theves?

The tactic that I've recently started involved visiting the sites found in spam e-mails that I receive (for example, the My Canadian Pharmacy [spamtrackers.eu] series of spams), take an identity generated from a fake name generator (that also provides CC and CVV numbers), and place an order. This series of companies tends to queue up the order for processing in 24 hours before shipping.

While fun, it doesn't seem directly productive if I'm the only one doing it (or using a modified Lad Vampire). Thus, is there some other method I can use?

Its been happening for YEARS

2+ years ago I had this happen to me. It is an easy way to validate old card #s that a hacker gets.

thats nonsense

i always donate 10$ to the red cross with my credit card before going on a 10~20 thousand dollar spending spree!

It happend to me

Sometime in October 2001, someone overseas donated 2 grand to some 9-11 fund (Red Cross I think) and purchased ten Palm Pilots using my CC account. Interestingly, this happened a week after purchasing an auto part overseas.

Obviously, I must be a stereo typical "Rich American" in there eyes. If only that were true... None the less, I will NEVER give out my personal information via phone or online to someone overseas. I've been burned once already, I'm not about to be burned a second time.

Damn merchant processors

So it's a slight tangent from the main topic, but I got yet another letter today from my bank, letting me know that my bank card number was amongst those harvested from a compromised card processor, and that my card number would be cancelled and reissued within a few days.

My favorite part? "For privacy reasons, the name of the processor cannot be revealed." I think it should be a fucking law that they have to name the guilty party in these sorts of things, so that we (everyone whose number was compromised) can sue their asses into oblivion. It's a significant inconvenience to change my card number everywhere when I'm home, and it's a *REAL* problem when I'm on a two week trip in Alaska and suddenly, without warning, my card doesn't work and I have only the cash left in my pocket (plus my real credit card, but some places in the far north only take cash...) This is the third time in as many years that they've done this to me.

How I'd love to be able to break out legal whoopass on those stupid card processors that are retarded enough to have their systems compromised, and recover damages for both the hours it takes me to change over all of my auto-bill stuff, as well as some punitive damages for them being dumbfucks.

You're missing the big cost here...

There's one piece of this fraud that isn't being talked about, but it is where the REAL crime is happening.

We have been accepting donations [plkr.org] for several years now using PayPal, and very recently, we've seen this happening with donations being given to our project.

Example: We receive a $5.00 donation from someone through PayPal. Roughly two weeks later, after we've withdrawn the funds to our bank account, the original donator disputes the "charge we made" to their credit card (we make no such charges, and the person who donated the $5.00 had to type that amount into the PayPal form, it's not an automated process).

PayPal investigates the dispute, refunds the $5.00 to the credit card holder, and charges US the extra $10.00 chargeback fee for the reversal. If our bank balance for donations is $0.00, that just cost us $10.00 out of our own pockets. 100 of those in a month, and we're out $1,000, out of our own salaries.

I've disputed this practice with PayPal many times, including logs of the hits, dates, times, bank transaction history, etc. and they just don't seem to care.

Accepting donations to OSS projects has become very risky, because of this exact practice. CCV [wikipedia.org] would eliminate it, but PayPal and similar outfits do not require it.

This happened to me

I noticed a transaction to the British Red Cross in April for 4.00 GBP, which I hadn't made. I thought about it (it's only 4 quid, and it's to a charity, but on the other hand how the hell did it happen?), and decided to phone my bank, who reversed it. A month later, another 4.00 GBP transaction, so I rang my bank and cancelled the card. Later that day, another transaction for the same amount was authorised by my bank (who apparently hadn't processed the cancellation request as quickly as I would have liked). They refunded the money again. I haven't had any more problems.

I wasn't sure it even was the real "British Red Cross". Just because it says so on my bank statement, it doesn't give me any guarantees.

I don't know how they got my card details. I'm quite careful, but I've seen restaurants write down credit card information to guarantee bookings including addresses and security numbers; and then leave that information in plain view. I bought an item over the telephone from a small retailer, and I'm guessing something similar happened.