The Economy of Online Crime

hdtv writes "You might call the thugs or thieves, but on their own closed forums and referral-only Web sites, they value honesty and reputation. Fortune magazine looks into the black market for stolen credit card numbers and identities. What's interesting is that so few of the criminals retrieve their information via breaking into online stores." From the article: "Gaffan says these credit card numbers and data are almost never obtained by criminals as a result of legitimate online card use. More often the fraudsters get them through offline credit card number thefts in places like restaurants, when computer tapes are stolen or lost, or using 'pharming' sites, which mimic a genuine bank site and dupe cardholders into entering precious private information. Another source of credit card data are the very common 'phishing' scams, in which an e-mail that looks like it's from a bank prompts someone to hand over personal data."
  • pharming? (Score:3, Informative)

    by ergo98 ( 9391 ) on Saturday May 13, 2006 @09:40PM (#15327502) Homepage Journal
    Isn't pharming when DNS is actually hacked in some manner? How many cases of this actually happening have been documented? Simply setting up a website that mimics a legitimate financial institution or pertinent party (e.g. Ebay), is, and has always been, phishing. The phishing emails are just lures to the bait of the phishing websites.
    • by Aardpig ( 622459 ) on Saturday May 13, 2006 @10:45PM (#15327731)
      In fact, I thought 'pharming' referred to genetic manipulation of animals and plants to produce pharmaceutical products. For instance, one might produce a strain of cows that express Viagra in their milk. Of course, they'd be a right bugger to milk...
      • Of course, they'd be a right bugger to milk...

        Here's a hint; if it only has one teat instead of four ... don't try to milk it. Just stop and walk away, before you owe it dinner.

    • pharming? rare? (Score:2, Interesting)

      by wjsroot ( 732775 )
      It's very easy to do on wireless networks. There is a program called KARMA which will make a wifi card mimic an AP. It waits for computers to probe for an SSID and then mimics an AP with that SSID. Once they think your computer is an AP it's amazingly easy to phish them for data. Makes you wonder about all of those places with free wireless (St*rbucks, P@nera)...
      • Makes you wonder about all of those places with free wireless (St*rbucks, P@nera)...
        It doesn't make me wonder. I check the SSL certificate to make sure it matches the site I want to communicate with (and not wjsrootsKARMAap). A simple technological solution, backed by mathematical properties, to the problem.
    • DNS can be hacked pretty easily on windows machines by sending unsuspecting users malicious code that modifies their host file records. It can make any website address "appear" to be the correct site when in fact that domain is pointing to an entirely different IP address.
      • DNS can be hacked pretty easily on windows machines by sending unsuspecting users malicious code that modifies their host file records. It can make any website address "appear" to be the correct site when in fact that domain is pointing to an entirely different IP address.

        If you have malicious code on their machine, then the rest is easy game anyways. Changing hosts files seems to be one of the least likely scenarios, and it'd be much easier, and more powerful, and likely to succeed, to simply keylog when t
    • Yes. Pharming is when DNS is subverted to direct traffic intended for legitimate sites towards other sites. On a real computer, you need to be root {because of privilege separation} in order to create bogus zonefiles and reconfigure the local nameserver to make it appear to be authoritative for those domains. On a toy computer, however, there is no local nameserver. Instead, there is a file called "hosts" which is checked before DNS queries are sent to the outside world. In the absence of privilege se
  • Is there a source that even tried to identify online stores as a source of credit card numbers? I wouldn't have ever thought that someone would try to use them as a large source.
    • They aren't. Most organizations these days have the sense not to store complete card numbers in the first place. They don't want the liability. And with "reference" transactions, there's really no need.
  • by Opportunist ( 166417 ) on Saturday May 13, 2006 @09:51PM (#15327540)
    No kidding. We're seeing an incredible increase in phishing attacks, either in the form of fake pages (and the corresponding spam mails telling you to go there), or in the form of trojans that hook into the browser.

    It's interesting. Place a person, a very clever person, master's degree in commerce or law, with a Ph.D., people who're worth their 6 digits a year, place them in front of a computer and you will be amazed. Something inside this computer turns the smartest person into a gullible idiot.

    Ok, idiot being too hard a word. But it is VERY intriguing to see people who would never ever fall for a con job in real life to fall without even thinking twice for one online.

    And I wonder why. What makes an e-mail more credible than snail mail? If they got a mail from their "bank", telling them to send their CC number or other details, they would NEVER do that. Online? No problem.

    Why? Why are online scams so much more successful than offline?
    • by Anonymous Coward
      I read it on the internet so it MUST be true!
    • Why? Why are online scams so much more successful than offline?

      It's easier to attempt to scam more people at a time online, thus the ratio of suckers is higher.
      Also, and more importantly, most people still don't understand the internet / web / email, etc and how it all works. So they're going to be in a far more vulnerable position online. Most people don't think to check to see what web site that link takes them to - it looks like eBay - that's good enough. Most people wouldn't even think to look at that ugly URL bar in the browser and why would they - they can't make sense of it - dozens of letters, numbers and squiggles.

      Learning the internet is like learning another language and another culture in the real world and it can take a great deal of time and experience to get to grips with it. For example, I bet it's much easier to scam a tourist or a new immigrant visiting your local country than it is to scam them in their home country.
      You move to a new country - most people will learn as much as they can about it. You want to use the internet? Same thing - but how many people are there who really want to learn about it - most people just want to use it but it doesn't work that way. Well it can, but like in the real world - you end up making yourself more vulnerable and more susceptible to making mistakes.
      • Correction: Lots of people DISABLE the ugly URL display bar because, well, it's ugly. I almost wish the URL would be displayed in a little bubble whenever I point to something, but that behavior is relegated to the mostly-useless ALT tag. In fact many sites use Javascript to fudge the status bar URL display anyway, sometimes to mislead, sometimes just for cosmetic purposes (like piping outbound links through a hit counter).
      • Online scams occur more easily because of the design of the clickable interface. In offline scams you would have to actually walk the reply to the postal box or go into the bank.

    • We're talking about people that majored in something other than computer science. They don't know, nor really care, to check the headers to confirm that the email that supposedly came from their bank did in fact come from their bank, and they don't care to look at the URLs to make certain that they are in fact connecting to their bank's site when they click the link, because that's not what they went to school for.

      Online scams are so much more successful simply because any scammer can make themselves look l
    • Why? Why are online scams so much more successful than offline? As far as I understand the mechanisms, there's several at play:
      • The technicalities of spoofing an address are lost on most people. So "if it says it's from my bank and it looks like it is, so it must be".
      • The second problem, to me, is pattern recognition. We've been trained to identify stores or banks by their corporate identity. It is perfectly obvious that the combination of that color and that logo represents that corporation. Nobody else uses these colors, this logo. So everything with these characteristics is automatically associated with that corporation. And since item one is not understood, there's no reason to doubt that assumption.
      • The third problem is that people want to believe. They want to believe that something is done to keep them and their money safe because it is oh so unsafe and dangerous out there. This has a much wider area of applicability, of course, but on topic, the fact that the bank does something to keep my money safe is good. I want to keep my money safe and so do they. If they want my cooperation in doing that, that's fine. It's in my interest as well. And since they do not understand the implications of spoofing, they accept things on face value. You probably know that line of thought.
      • The fourth problem that I see is that we've gotten used to being treated as a number. So a mail that does not correctly identify me with my full name and only states "Dear Sir or Madam" or "Dear Customer" is considered acceptable.
      • The fifth item I think plays a role is the fact that non-technical computer users have become accustomed to doing things that they do not understand. If you told them that performing a rain dance every morning over their machine will keep it from crashing, they will do it, because it's no more arcane to them than a sequence of finger-breaking key combinations that they are so accustomed to. This extends to error messages and application failures, etc. Even when there's evidently a problem, the software more often than not does a rotten job at explaining what's wrong. This is why "we have increased the security of your credit card. Please enter all your data." works so fine. It's nonsensical, but it's no more arcane than any number of other messages our machines give us every day.
      • This leads into the last issue of today. Tunnel-vision. I believe that computer users know exactly as much as they need to to perform a specific task. They look neither left nor right. The classic example is people overlooking UI elements that are right next to those they've been using for years, simply because they do not use them. Once you leave that comfort zone of things that they know and use regularly, all is new, all is strange. And they have learned that it's lots of work to find out what is going on. It's easier to go with the flow. Unfortunately.
      • Insightful post, thank you. I have an alternate view on one of your points: It is somewhat related to posts above, too.

        ... pattern recognition. We've been trained to identify stores or banks by their corporate identity. [...] So everything with these characteristics is automatically associated with that corporation. And since item one is not understood, there's no reason to doubt that assumption

        I think much of the problem lies in pattern recognition, but in a different way. It may be a lack of pattern r

        • I agree with the statements you make about pattern recognition skills.

          However, I believe that the skillset you describe is too narrow.
          As far as I can tell, most people are well able to distinguish two banks based on their flyers, even if you remove the names of the banks. They don't read the text, they don't look at the offerings, they merely look at the colors, layout and the logo.
          On this level, pattern recognition works just fine for them and it's usually enough.
          And since trademarks prohibit someone e

        • I would argue that most people don't even realise the patterns and sections in a basic URL - so that, say, when a person tries $company.com and finds nothing, the person won't try .net, .org or .info. Cue anecdotal evidence - knowing some computer illiterate people, even after surfing around for half a year they're not able to see patterns like "where's the menu bar usually located" and "what is clickable, what is not" in a web page.

          To be fair to most people, the software they use (e.g. Outlook, MSIE) c
    • It's pretty simple...

      It's relatively easy for scammers to set up a website for a few hours or days, on a computer they don't own, located in a country far away from them, and get a couple of quick hits, with it being somewhat hard for authorities to track down the location that the scammer actually connects to the internet.

      If scammers tried this with snail-mail, they would have to wait a week at least to wait for the responses. Also, while it's probably possible to hide your identity when receiving sna

    • Why are online scams so much more successful than offline?

      Immediate response without time to think about it.

      I once got a phishing email supposedly from Amazon.com. I had had too much to drink, and I had been up for about 20 hours. I clicked the link and gave them my Amazon password, where they had access to my credit card information, address, etc. As I hit enter, the fact that it was fake finally penetrated the fog in my head. I quickly changed the password on my account, and have not had a problem. I

      • Apparently your degrees aren't advanced enough. While they might have had access to your addresses, at no point in time did they have access to your credit card information. When asked Amazon only shows the last four digits of your card, not the complete number. Moreover, should they have attempted to buy something and have it shipped to them, Amazon would have asked for a new number.

        About the worst they could have done was order 500 romance novels in your name and have them delivered to you. The modern equ
    • "Why? Why are online scams so much more successful than offline?"

      Dhamija, R., Tygar, J. D., and Hearst, M. 2006. http://people.deas.harvard.edu/~rachna/papers/why_phishing_works.pdf [harvard.edu] Why Phishing Works. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems (Montréal, Québec, Canada, April 22 - 27, 2006). CHI '06. ACM Press, New York, NY, 601-610

      Wu, M., Miller, R. C., and Garfinkel, S. L. 2006. http://groups.csail.mit.edu/uid/projects/phishing/chi-security-toolbar.pdf [mit.edu] Do secu
    • Actually, it's quite possible to use snail mail to this day to get compromising information. Phishers just pose them as contest entries, and ask for information like a social security number, birth date, etc. A lot of people are more than willing to jot this down if it looks like a prize is headed their way.

      Some less-than-scrupulous telemarketers do the same thing by calling people and telling them that they just won something, and then asking for a subscription to a magazine or whatnot as almost a side por
    • If they got a mail from their "bank", telling them to send their CC number or other details, they would NEVER do that.

      Oh, I don't know about that. I suspect if someone sent out notices on authentic-looking Bank of America letterhead, stuffed into authentic-looking Bank of America envelopes,
      informing "customers" that there was an "issue" with their accounts and they need to call an authentic-looking 800 number and provide their account information to resolve it, the phone would ring more than a few times.

    • And I wonder why. What makes an e-mail more credible than snail mail? If they got a mail from their "bank", telling them to send their CC number or other details, they would NEVER do that. Online? No problem.

      Are you sure? Granted, I've never seen anyone try this, but I suspect it would work better than you think. Probably not as a mailback though, that would require too much effort, but if it had some "hotline" number to call I bet you could get a ton of CC numbers, especially if the letter is worded in

  • Phishing (Score:5, Insightful)

    by Joebert ( 946227 ) on Saturday May 13, 2006 @10:02PM (#15327595) Homepage
    What if those sites are phishing sites set up by law enforcement to catch phishers?
    What kind of criminal masterminds would fall for their own scams ?!
    • This has happened in the past, with great success. Criminals are taking more care now to protect themselves, and it is becoming harder for law enforcement to infiltrate the groups - parallels with other organised crime (and law enforcement's response to it) are very clear.
  • by omegashenron ( 942375 ) on Saturday May 13, 2006 @10:03PM (#15327598)

    I work at a b&b where we continually get reservations by people wanting to pay with a credit card. Our customers make their bookings over the phone, fax and even e-mail - to process a payment, all we need is the card number and expiry date. When a receipt is printed (from entering the numbers), it actually has the card details on it!

    I have seen many people collect their receipts from us upon checkin and just throw them away, without any thought about the information contained. Anyone willing to stick their hand in the bin would be able to collect these numbers for themselves.

    I often think a better credit card system would be to have a credit card number and require the use of a temporary code for a transaction to take place (similar to my online banking) where we have an electronic device [hsbc.com.au] which has a changing code. Of course, this would only be practical for over the phone and website bookings rather than fax/e-mail (although fax/e-mail bookings are insecure now as e-mails may not be deleted from the system and faxes could be just thrown away with the numbers on them).

    • by Anonymous Coward
      I was under the impression that most modern equipment only prints the last 4 numbers of the card on the receipt.
      • in fact, that's becoming the law in many american states...
      • The last four digits are only printed if we physically swipe the card, if we manually enter the numbers (which we usually do as most bookings are made over the phone) then the receipt shows the full credit card number.
        • by 44BSD ( 701309 ) on Sunday May 14, 2006 @12:10AM (#15327979)
          Interesting. IANAL, but it looks like your B+B better get with the program, or it will be breaking a federal law [gpo.gov]:

          Section 605 of the Fair Credit Reporting Act (15 U.S.C. 1681c) is
          amended by adding at the end the following:
          ``(g) Truncation of Credit Card and Debit Card Numbers.--
          ``(1) In general.--Except as otherwise provided in this
          subsection, no person that accepts credit cards or debit cards
          for the transaction of business shall print more than the last 5
          digits of the card number or the expiration date upon any
          receipt provided to the cardholder at the point of the sale or
          ``(2) Limitation.--This <<NOTE: Applicability.>> subsection
          shall apply only to receipts that are electronically printed,
          and shall not apply to transactions in which the sole means of
          recording a credit card or debit card account number is by
          handwriting or by an imprint or copy of the card.
      • Yes and no. On the customer copy you get the last four digits of the card, but the merchant copy gets both. Where you get a problem is when the merchant gives the customer a copy of the merchant copy. If you have a signature line then you have a copy of the merchant slip.
        • No, when you key in the digits manually, the full credit card number prints up on BOTH receipts. The only time it does not is when you swipe the card - for us, when we swipe the card, the last four digits appear on both merchant and customer copies.
    • Here in New Zealand receipts typically miss off six or so digits, so you get something saying that the card used was number 2435 43.. .... 1654. Which is enough to identify whose card it was from a limited set, but not enough to place orders with.

      Of course, the old zip zap machines happily put the entire number on the receipt you get. And people who don't want to pay for mobile EFTPOS [wikipedia.org] equipment, such as some of the shuttle companies, tend to be keen on them...
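The receipt-truncation rule discussed in this subthread, as an added example (not code from any poster above): mask_pan keeps at most the last five digits, the limit in the quoted FCRA section, and receipt_violations scans printed receipt text for a full Luhn-valid card number or an expiration date, the two things a keyed-entry terminal was said to print. The receipts are constructed and 4111 1111 1111 1111 is a well-known test number, not a real account.

```python
import re

# Constructed sample receipts; the card number is a standard test number.
KEYED_RECEIPT = """\
SEASIDE B&B          MERCHANT COPY
KEYED ENTRY
VISA 4111 1111 1111 1111
EXP 09/08
AMOUNT $245.00
SIGNATURE ______________________
"""

SWIPED_RECEIPT = """\
SEASIDE B&B          CUSTOMER COPY
SWIPED
VISA **** **** **** 1111
AMOUNT $245.00
"""


def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str, keep_last: int = 4, keep_first: int = 0) -> str:
    """Replace all but the first keep_first and last keep_last digits with '*',
    preserving the original spacing. keep_last is capped at 5, the most that
    FCRA 605(g) lets a merchant print on an electronically printed receipt."""
    if keep_last > 5:
        raise ValueError("receipts may show at most the last 5 digits")
    n = sum(c.isdigit() for c in pan)
    out, seen = [], 0
    for c in pan:
        if c.isdigit():
            visible = seen < keep_first or seen >= n - keep_last
            out.append(c if visible else "*")
            seen += 1
        else:
            out.append(c)
    return "".join(out)


# 13-19 digits, optionally separated by single spaces or dashes, not part of a longer run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# An expiration date printed on the same line as an EXP/EXPIRES/EXPIRY label.
EXP_RE = re.compile(r"\bEXP(?:IRES|IRY)?\b[^\n]*?\b(0[1-9]|1[0-2])/(\d{4}|\d{2})\b", re.I)


def receipt_violations(text: str) -> list:
    """Findings for the two things 605(g) forbids on an electronically printed
    receipt: more than the last 5 digits of the PAN, and the expiration date."""
    findings = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            # report the hit masked so the scanner's own output is not a leak
            findings.append("full PAN printed: " + mask_pan(m.group()))
    for m in EXP_RE.finditer(text):
        findings.append("expiration date printed: " + m.group())
    return findings


if __name__ == "__main__":
    for name, receipt in (("keyed", KEYED_RECEIPT), ("swiped", SWIPED_RECEIPT)):
        print(name, receipt_violations(receipt) or "OK")
```

Run over a terminal's receipt template or a day's printed copies, the scanner flags exactly the keyed-entry case the B&B poster describes while the swiped copy passes.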
    • I often think a better credit card system would be to have a credit card number and require the use of a temporary code for a transaction to take place (similar to my online banking) where we have an electronic device [hsbc.com.au] which has a changing code...

      Something similar has already been done to achieve the very goal you're after. It's called the American Express Blue card. The idea was that when you want to shop online, you ran your card through a card reader (some USB device that reads a microchip o
      • As such, temp credit card numbers are no longer used either.

        Actually, they are.

        MBNA has such a program called ShopSafe. I use it all the time.

        It's been quite a while since I did any web transaction with the regular number.

        That did cause some trouble on eBay in early March. I had a temporary number on PayPal with a $25 maximum limit. When I won three bids one day (easy since they were all "Buy It Now"), I created a new temporary number with a maximum high enough to handle all three bids. The total amo

      • Disputing unauthorized transactions costs the bank nothing, assuming of course that the card was (mis)used at a valid merchant. The bank simply EFTs the money back out of the merchant's account. The merchant then has to prove the validity of the sale via a valid signature. Without a valid signature - the merchant is out of luck.

        To fight a credit card "charge-back" we have supplied the processor with a video showing the person swiping their credit card, their own vehicle license plate clearly visible, at our
        • I lost my wallet several years ago and then had my replacement wallet stolen. The bastard ran up $5000 in charges, maxing out all the cards within 2 hours of the theft. The worst part was the debit card, which cleaned out my checking/savings accounts and racked up an impressive array of overdraft charges.

          While straightening everything out, one of the banks gave me a hard time. Apparently losing my wallet counted as "suspected fraud" and this "suspected fraud" made them cancel my account. A second bank w

  • by Ritz_Just_Ritz ( 883997 ) on Saturday May 13, 2006 @10:06PM (#15327608)
    They are raking in such huge margins on credit card debt that until very very recently, they seemed to more or less wink at online fraud. Only now that it's starting to really cut into their margins are they really taking notice and making half-hearted attempts to deal with the problem.

    As much as I want to blame the "online idiot" who falls victim to phishing and other scams, the banks really bear a lot of blame themselves for making it so damn easy to steal from these people.

    • by Anonymous Coward on Saturday May 13, 2006 @10:19PM (#15327648)
      Why would they care? Banks never EVER lose a dime on fraud, except for some labor involved in processing chargeback requests. ALL fraudulent transactions and chargebacks are immediately deducted from the vendor's account. The customer is fully protected. The banks NEVER take a loss. Only the vendors get farked. Over and over again.

      Yes, I am a vendor with my own merchant account. :-(
    • Except the banks aren't responsible for the intellectual capacity of their customers. That's why credit card debt exists in the first place. People aren't smart with their money. It's a given fact of life. Phishing is just another example of this.
    • If the banks at least used SPF records so you could identify legitimate mail, that would let you cut down on a lot of the phishing spam. Phishers would adapt, of course, so you'd see more "chase-bank-credit-cards.com" instead of just "chase.com", but it'd be a good start.

      eBay and PayPal don't use SPF either, and they're technical enough that they should know better. They do ask you to send them copies of phishing, but I suspect that's mostly to cut down on complaints.

      What banks ought to be doing with
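The SPF check this poster wants banks to enable, as an added example (not code from the page): a minimal evaluator for ip4, ip6, include and all terms over a constructed table of TXT records that stands in for DNS (the domains and addresses are placeholders), applied to the envelope sender domain of a message. Other mechanisms (a, mx, ptr, exists) and modifiers are out of scope here and yield permerror.

```python
import ipaddress

# Constructed TXT records standing in for DNS lookups; all names are placeholders.
TXT_RECORDS = {
    "examplebank.test": ["v=spf1 ip4:192.0.2.0/24 include:_mail.examplebank.test -all"],
    "_mail.examplebank.test": ["v=spf1 ip4:198.51.100.7 ip6:2001:db8::/32 -all"],
    "examplebank-cards.test": ["some unrelated TXT record"],   # lookalike, no SPF
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain):
    """Return the domain's SPF record, or None if it publishes none."""
    for txt in TXT_RECORDS.get(domain.lower(), []):
        if txt.lower().startswith("v=spf1"):
            return txt
    return None


def check_spf(sender_ip, domain, depth=0):
    """Evaluate sender_ip against the domain's SPF record.
    Handles ip4, ip6, include and all; anything else is permerror here."""
    if depth > 10:                      # RFC 7208 caps DNS-querying terms at 10
        return "permerror"
    record = lookup_spf(domain)
    if record is None:
        return "none"                   # no policy published: nothing to verify
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:     # skip the v=spf1 version tag
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if net.version == ip.version and ip in net:
                return QUALIFIERS[qualifier]
        elif name == "include":
            # include matches only if the referenced record yields pass
            if check_spf(sender_ip, arg, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        else:
            return "permerror"          # a/mx/ptr/exists/modifiers not handled
    return "neutral"                    # record exhausted without a match


def check_message(mail_from, client_ip):
    """SPF result for one SMTP session, keyed on the envelope MAIL FROM domain;
    the From: header a reader sees is not what SPF authenticates."""
    domain = mail_from.rsplit("@", 1)[-1]
    return domain, check_spf(client_ip, domain)


if __name__ == "__main__":
    print(check_message("alerts@examplebank.test", "198.51.100.7"))    # pass
    print(check_message("alerts@examplebank.test", "203.0.113.9"))     # fail
    print(check_message("alerts@examplebank-cards.test", "203.0.113.9"))  # none
```

The third case is the poster's point: a lookalike domain that publishes no record comes back "none", which a receiver can only act on if the real bank's domain is known and publishes -all.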

  • by Umbral Blot ( 737704 ) on Saturday May 13, 2006 @10:16PM (#15327635) Homepage
    Well it's nice to know that my online shopping is safe, it is somewhat scary to know that real life shopping is less secure. Just one more reason to never leave the room.
    • by Anonymous Coward
      My first credit card theft occurred in the mid-80s while living in Indianapolis... I used my Amex card to pay for dinner with friends at a local Japanese restaurant... I rarely used the card (and have never been over my head w/CC debt), but was surprised to see a charge from a florist in Chicago...

      This really ticked me off, so I called the florist, got the order number, product, and phone number and address of the delivery...

      Apparently, someone at the restaurant had a girlfriend in Chicago, and used my card
  • Clearly a secret identity is insufficient to protect your money. Debit cards are widely accepted; I wonder what motivates a retailer or credit company to allow signatures as authentication in this day and age, if not to profit from fraudulent purchases.
    • Re:Rumpelstiltskin (Score:5, Informative)

      by rabel ( 531545 ) on Saturday May 13, 2006 @10:43PM (#15327727)
      Remember that you don't sign the receipt as "authentication", you sign it to indicate you agree to the terms of the credit. That's the only purpose. If a store attempts to verify your signature against the back of the credit card, well, that's sort of bonus, but not required by the credit company.

      For reference, see this link [zug.com]

      In my own life, I have my daughter sign the credit card bill (and compute the tip, if necessary) and since she's an art student she has been coming up with some pretty creative signature designs.
    • Well, the thing with debit is there's a fee.

      Credit doesn't have it ON THE SAME CARD.
      • My understanding is that a debit (PIN) transaction typically results in a per-transaction fee, whereas a credit (pinless) transaction typically results in a percentage fee.

        That being said, whenever I look up the fees, it still looks like PIN transactions are cheaper most of the time, unless merchants are getting substantially lower rates (approaching 0%)
        • Every "credit" transaction I've made on my debit card has no percentage fee whatsoever... it's just you have to sign for it, unless it's fuel that you're buying...

          Unless you're referring to the interest, but on a debit card (even used as credit), there is no interest as long as you stick with the money in your account.
  • "Don't visit any of these sites. Tapping into them could lead to unpleasant consequences. I only looked at them via the safety of RSA's computers."

    ...ah dammit..
  • by 77Punker ( 673758 ) <spencr04NO@SPAMhighpoint.edu> on Saturday May 13, 2006 @10:34PM (#15327697)
    Honesty my ass. They're all just being extra careful not to get caught.
  • Why so cheap? (Score:3, Interesting)

    by Beryllium Sphere(tm) ( 193358 ) on Saturday May 13, 2006 @10:47PM (#15327737) Homepage Journal
    >$3 per CVV, or $20 for a card number with CVV and the user's date of birth

    For a card which may have a $10,000 credit limit or higher. Either it's hard to turn a stolen card into money, or the supply is more than meeting the demand.

    Contrariwise, why so expensive? Mail theft rings, bribed insiders, credit report lookups by crooked merchants -- there are so many sources that maybe the price should be lower. After all, what's the cost of a botnet PC to a crook who wants to use it?
    • Re:Why so cheap? (Score:3, Informative)

      by patio11 ( 857072 )
      All of the illegal stuff gets *expensive* fast. I lurk over at specialham.com, the spammer forum, to keep abreast of new changes I need to make to the spam filter I'm coding. People want several hundred dollars for a script to verify addresses for one major ISP, etc. And "cashers" have the most dangerous job in the criminal supply chain, since they're the ones that have to associate a physical identity (even a fake or obfuscated one) with the theft to make their money. The guy who just nabs the informa
    • The people who get these numbers don't want to use them. The ones who use them view getting them as drudge work.
  • Now to the stock market. The all ordinaries are up 15 cents, NASDAQ is running smoothly up 10 cents and the incredibly illegal bit torrent file sharing ring has mysteriously and suddenly disappeared from the market.

    In other news the US government has been superseded by the RIAA in a grant of 'emergency powers'. Among the proposed changes is a rename of the US to the 'United Empire' and the purging of all online music stores. CDs have also reportedly tufwappled in cost.
  • Amazing complexity (Score:5, Informative)

    by iamdrscience ( 541136 ) on Saturday May 13, 2006 @11:15PM (#15327801) Homepage
    I've been to one of these credit card forums (not as a user, I don't have that kind of moral flexibility) and the thoroughness of these forums is quite amazing. The one I went to in particular required that if you wanted to sell something, i.e. CC numbers, fake IDs, card skimming equipment (ATM bezels and strip readers), etc. you first had to provide free samples to the administrators of the forum to verify the quality of your product. If your product was found to be satisfactory, you would be allowed to sell your products, but first you had to put up a certain amount of cash (like $500, iirc) to be held by the administrators -- this cash would be used to refund your customers' money in case you didn't deliver your products to them.
  • Also, the black market is fed by such bloody morons as Wells Fargo, who messed up the lives of tens of thousands of poor people employed at HP, IBM and other places where they read Slashdot, by losing personal data not just once but twice [theregister.com].

    Such careless imbeciles would really need to lose their contracts at the very least. Why don't IBM, HP and others laugh WF out of the room when their contract comes up for renewal? They are not just WF's customers, they are also employers of the people who got messed up

  • by Zaphod2016 ( 971897 ) on Saturday May 13, 2006 @11:41PM (#15327873) Homepage

    Back in the day, I had a small business where I accepted the "big 4" credit cards. We were selling sporting gear via mail order and the web.

    One day, some kid called up and placed a decent-sized order for about $1,000 worth of gear. Naturally, I demanded to speak with the card holder, and he put his mom on the line who promptly told me "no problem".

    A week later, Dad calls me up furious. You guessed it: divorce. Kid and mom are getting back at a deadbeat dad, and he's none too amused about it. Dad calls the CC issuer, demands a chargeback. I get hit for $1,000 refund, plus the fees coming in, plus the fees going out, plus some other "service charges" for the "bad order".

    Of course...I'm still out $1,000 in gear! I call mom and kid, explain that *I* am none too amused either, and that I'd like my gear back. She implies that my parents were never married, and that I might wish to visit Satan.

    Having accepted that this situation could only get worse, I called the police. They explained that no crime had occurred: a) mom had "paid" for the goods and b) she had the legal right to use her husband's credit card. I called my bank, and my credit card services, and they each told me it was my own damn fault for selling a quality product at a fair price and that no one could force her to mail back goods because (by then) she was claiming she had never received the order in the first place.

    I am sure some merchants have done lousy things, but as one of the "good guys" it simply blows my mind when I think about this, even now years later.

    Epilogue: never got the gear back, but funny enough, I *did* win about a grand from a scratch off ticket the week I closed the business. Save your mod points, I must have some real karma around here somewhere. =)

  • by Anonymous Coward on Sunday May 14, 2006 @12:31AM (#15328058)
    I am one of the people who tries to plug the holes, and build the systems that help our agents fix fraud. So I know my way around some of this stuff, and I'd like to clear up a few things.

    - I don't know how things were "back in the day", but these days, if a family member racks up a credit card bill without permission, and the cardholder won't press criminal charges and file a police report, the cardholder is stuck with the bill. That said, if a merchant just gets approval from "the cardholder's wife", then it's no wonder the merchant got stuck holding the bill and with a penalty to boot. Both are part of the agreement you signed that allowed you to accept credit cards. You did read that, right? Just askin'.

    -Banks are actually very serious about stopping fraud. Not only do banks end up covering a fair amount of the tab because the hoops you have to jump through to get Visa/MC to cover it get harder and harder (and in the world of banking, profits are generated by pennies a transaction, so even $50 of fraud is significant in terms of lost profits), but all the major issuers understand that no one wants to be the next one caught with their security wanting. The bad press associated with lost laptops, wayward tapes and hacked websites is something no one wants - and, in fact, it practically killed CardSystems. We are under major pressure to make sure our bank isn't next - because you do lose a lot of customers from this sort of thing. And reissuing cards to a swath of cardholders is both expensive and time-consuming. The bank I work for hasn't been involved in any of this so far, but we make a point not to brag about it - it just invites trouble.

    -You DO sign the receipt as a verification. Signatures are not necessary for certain types of transactions, or for transactions under a certain fairly low limit, but if there is fraud or a dispute, the merchant has to produce the signature. Or they lose the dispute. This is why many merchants now use the CVV2, although, as you can probably infer from the story, it also is not perfect.

    -Why the cheap price for high-limit cards? Because actually using them is much riskier than stealing them. Either you need your ill-gotten gains shipped somewhere, or you need to show up somewhere in-person. Or you go for fairly small stuff. In any case, it's a lot more risky than the number theft, and if you steal numbers, you probably sell a batch at a time. With the risk goes the reward, so to speak.

    -Phishing, we're working on that too. All the major issuers have places on their websites where you can report phishing activities. Do so, whenever you see it. And the major issuers are also all conducting informational campaigns, trying to teach people what a legitimate communication looks like.

    Overall, though, massive card number theft is unusual. Most people lose their information by losing their wallet, being careless with their info (like with phishing), or by a family member/friend up to no good.
    • I don't know exactly where you are in the chain, but the impression from a merchant's point of view is that no one gives a rat's arse about (cardholder not present) fraud except the merchant. We cover 100% of the losses, we even get charged a handling fee on chargebacks!

      I'm not really disagreeing that the merchant should be responsible for most, or even all, of cardholder not present losses. I'm just irritated by the complete lack of interest from card issuers, merchant service providers and the police.
      • by Anonymous Coward

        I'm the master of shipping for an internet merchant who slings several million bucks of loot a year. And by "master of shipping", I mean "it's pretty much all my problem".

        I know what a fraudulent order looks like, I can successfully pick them out -- but nobody wants to know about this stuff. The credit card companies couldn't care less, I've tried. Police departments? Nobody cares. This is my best effort here, folks -- without actually hiring private detectives and/or ninja, I can't do any more than just pass

    • I took what you were saying seriously right up to that comment "Banks are actually very serious about stopping fraud."

      Nonsense! Given the amount of credit card and phishing schemes which the banks could shut down trivially and protect their customers, and the general ease of stopping most wholesale credit card fraud houses by applying existing law, they're not interested in fraud per se. They're interested in reducing their own fiscal bleeding from fraud: that means a very different set of priorities, such
  • typical phishing email:
    • Dear Customer:
      In order to maintain security of your records, you will need to validate your information or your account may be suspended. Please click the link below and follow the on screen prompts.

    typical gw. bush:

    • In order to maintain national security, you will need to give the nsa any information it asks for. If you do not cooperate, you may be sent to GTMO.

    Hmm. I wonder if the same percentage of americans that think nsa wiretapping makes us more secure - also fall fo

  • There's honor among thieves....
  • It's an easy cop out to say that credit cards only (or in the majority of cases) get compromised by "illegitimate" use. In the eyes of the consumer who falls for it, there's nothing illegitimate about a phishing e-mail, or a pharming site. There's nothing illegitimate about handing a waiter your credit card, even if it ends up being skimmed. The position taken here is "if it weren't for these pesky criminals, there'd be no crime, so it's not our fault we've come up with a system of fraud prevention that can
  • Just because these people are spending other people's money, doesn't mean they aren't nice enough with their own kind. It would never work any other way. For a subculture to work, it must have its own rules.

    Anyway, the only people who lose money are idiots who fall for age-old scams. Phishing? Don't make me laugh. For crying out loud, when you open a bank account, they tell you that they will never ask you for personal details online. How long does it take to ring your bank and ask them whether an e
    • It's actually quite easy to get info at a restaurant till: the receipt that the clerk keeps contains name and card number (well here in ireland anyways), and it only takes a split second to remember the 3 digit number on the back of the card ;) there you go, you have enough details now to go shopping....
    • As I understand it, the smartcard based "chip" solutions are substantially more secure as they cannot simply be cloned -- The smartcard is basically a mini CPU itself and can handle basic C/R and onboard encryption.

      In other words, replay attacks are no longer possible, nor can a transaction be completed off-line: the CC company sends a challenge to the card, the card encrypts it and replies, and the CC company can then verify whether or not the card is legit.

      That being said, with numbers being accepted at most m
      • Oh, please. Just because there's a computer on the card does not mean it can't be cloned. It's technically harder to do so than with the old magstripe cards, but all the information you need is out there. If the legitimate manufacturers can make them, other people can make something else which does the same thing.

        It wouldn't even matter if the "clone card" which is used in the "real" Chip+PIN machine actually has to be attached by an umbilical cord to a laptop or desktop computer, or for that matter ev
  • I wish that when you encountered a phishing site that you could go to a credit card company's anti-fraud site and be issued a card number and verification information that would appear to be legit (and would even be verifiable) but would in actuality be a trojan that would sound fraud alarms if anyone attempted to use it.

    The way that I see it, these cards would be very low limit cards so that when a verification was done on them they would pass through but when something of actual value would go through, t
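
The "alarm card" idea in the comment above is a honeytoken, and the mechanics are simple enough to show. This is an added example, not code from the thread or from any card issuer: it mints card numbers under a fictitious, constructed prefix (999999 is not an assigned issuer number) that pass the Luhn check so a phishing site's own validation accepts them, keeps only keyed hashes of them so the canary list is not itself a list of usable numbers, and scans constructed authorization log lines for any hit. The log format and labels are assumptions.

```python
import hashlib
import hmac
import re
import secrets

CANARY_BIN = "999999"  # constructed, fictitious prefix; not a real issuer identifier


def luhn_valid(pan):
    """Standard Luhn check: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def luhn_check_digit(partial):
    """Return the digit that makes partial + digit pass luhn_valid()."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:  # these positions are doubled once the check digit is appended
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


class CanaryStore:
    """Issues canary PANs and remembers them only as keyed hashes."""

    def __init__(self, pepper):
        self.pepper = pepper  # secret key for the hash; rotate like any other secret
        self.labels = {}      # hmac(pan) -> where the canary was planted

    def _h(self, pan):
        return hmac.new(self.pepper, pan.encode(), hashlib.sha256).hexdigest()

    def issue(self, label):
        # 6-digit prefix + 9 random digits + Luhn check digit = 16-digit PAN
        body = CANARY_BIN + "".join(secrets.choice("0123456789") for _ in range(9))
        pan = body + luhn_check_digit(body)
        self.labels[self._h(pan)] = label
        return pan

    def lookup(self, pan):
        return self.labels.get(self._h(pan))


PAN_RE = re.compile(r"\b\d{13,19}\b")


def scan_auth_log(lines, store):
    """Return (label, line) for every authorization attempt on a canary number."""
    alerts = []
    for line in lines:
        for m in PAN_RE.finditer(line):
            pan = m.group(0)
            if luhn_valid(pan) and store.lookup(pan):
                alerts.append((store.lookup(pan), line))
    return alerts


def demo():
    store = CanaryStore(pepper=secrets.token_bytes(32))
    canary = store.issue("planted-on-phish-site-2006-05-13")  # constructed label
    # Constructed authorization log lines: a public test number, the canary,
    # and an order id that is not a valid card number.
    log = [
        "2006-05-14T01:02:03 AUTH pan=4111111111111111 amount=1999 merchant=shop-a",
        "2006-05-14T01:05:09 AUTH pan=" + canary + " amount=99 merchant=shop-b",
        "2006-05-14T01:07:44 AUTH pan=1234567890123456 amount=500 merchant=shop-c",
    ]
    return canary, scan_auth_log(log, store)


if __name__ == "__main__":
    canary, alerts = demo()
    print(canary, alerts)  # exactly one alert, on the canary line
```

Because the store holds only keyed hashes, someone who obtains the list cannot turn it back into card numbers, yet every authorization attempt can still be matched against it; the small-value probe the comment mentions is exactly the kind of event the scanner catches.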
  • What did you expect?

    "Yarrr!"-ing pirates?
