Internet fraud: credit crooks
and the new economy
Where there's a web,
chances are there's a spider.
Where there's a World Wide Web, there are criminals ready and
able to perpetrate all sorts of havoc, from using your credit card
number to ship dozens of computers overseas on your tab to hacking
into customer databases, obtaining thousands of valid card numbers
and using them to extort fortunes from their stunned corporate victims.
Internet fraud is the dirty little secret of the New Economy. For
every well publicized Ebay or Egghead hacker attack, others go unreported,
the corporate chiefs preferring to quietly pay the ransom rather
than risk scaring off potential online customers with the negative
Nobody wants to cut e-commerce off at the knees just as it's getting
on its feet. Credit card issuers, acquirers, processors, merchants
and consumers alike welcome the convenience of online, real time
The problem is, so do the crooks.
"The criminals are going to go where the money is, and a lot of
money right now is in e-commerce," says Jeff Winter, spokesman for
Secret Service Office of Investigations. "It's anonymous and
it's extraordinarily lucrative.
"Robbing a bank these days is not as appealing. When you go in
and you've got cameras looking at you, you know you're going to
get caught and you're only going to get a couple thousand dollars.
On one stolen credit card alone, on average you can get $3,000 with
a skimming device. In a lot of ways, it's the bank robbery of the
The way crooks steal today will determine in part how we buy and
"Skimming" and "Cloning"
Credit card fraud has been something of a technological
foot race since the first charge cards came into existence 50 years
Over the years, card issuers have added increasingly sophisticated
security measures, from a simple cardholder signature on the first
cards to the embossed account numbers, embedded holograms, magnetic
stripes and card verification code/card verification values on today's
They did their job pretty well, particularly to combat fraud from
lost and stolen cards, which account for more than half of all credit
But many of those anti-fraud measures went out the window when
mail order/telephone order transactions became widespread in the
1980s. The sudden growth that resulted from consumer confidence
in that sales channel more than offset the increased risk of card-not-present
It also opened a lucrative new opportunity for fraud. The bad guys
no longer needed the physical card to pillage your account; a valid
number suffices in most cases.
Computer-savvy crooks soon found quick and easy ways to access
Skimming uses an electronic credit
card reader or "wedge" roughly the size of a pager to collect and
store the information encoded on your card's magnetic stripe. The
device is commonly used in places with high customer traffic such
as retail stores and restaurants where the skimmer can collect card
data without fear of detection. Card readers are widely available
for legitimate purposes for under $300; tampering turns them into
Terminal cloning is a more sophisticated
computer scam in which the software that runs a merchant's point-of-sale
terminal is actually diverted and downloaded to the criminal's computer,
enabling them to, in effect, ring up fraudulent card transactions
on that merchant's account.
Factoring is a scam that typically
targets mom-and-pop merchants. The unsuspecting merchant will be
approached by another vendor who claims to be unable to process
transactions for any number of reasons. The merchant agrees to process
the vendor's sales for a small percentage, the money is wired by
the criminal to another account and the merchant is left with a
pile of chargebacks.
CreditMaster, Credit Wizard and
other notorious Web sites actually generate sequences of 16-digit
credit card numbers from valid Bank Identification Numbers or BIN
numbers, the first six digits of the card number. This enables crooks
to quickly rack up multiple fraudulent sales from online merchants
whose security doesn't block sales to sequential numbers.
Frank D'Angelo, senior vice president and general manager of electronic
funds transfer and card solutions for Metavante
Corp., a Wisconsin-based financial technology company, says
the credit card industry long ago adopted a philosophy of acceptable
loss with regard to fraud.
"It's hard to prevent fraud," he admits. "They're
going to get you for the $25 initial try. Most of the energy is
spent on the detection of fraud and limiting the loss."
Because merchants ultimately take the hit,
Metavante and others continually urge them to watch for these warning
signs of a fraudulent online purchase:
- Unusually large dollar amount or number of sales
to the same card number
- Same dollar amount on multiple or sequential sales
- Same card number on multiple or sequential sales
- Sequential sales orders to accounts with the same
- Shipping and billing address don't match
- Orders shipping to high-risk foreign destinations
- Orders from free e-mail addresses (difficult
"The various providers of credit cards have really been fighting
for market share. They really loosened up their standards to some
extent in penetrating new markets such as college kids to get more
cards on the street," says D'Angelo.
"That created some additional fraud opportunities. The credit card
industry is still very profitable, the debit card industry is still
very profitable, but the opportunity has increased for fraud because
the crooks are just as smart as the good guys."
There have been efforts to shore up security. Merchants are urged
to use the address verification system on card-not-present transactions,
but it doesn't work with foreign cards. Visa came up with a Secure
Electronic Transaction online security protocol in addition to the
more commonplace Secure Socket Layer, but it hasn't caught on with
merchants so far.
Your money or your privacy
As long as fraud losses trail well behind credit card volume, card
issuers are unlikely to do much more than shadowbox with it, according
to David Sorkin, director of the Center
for Information Technology and Privacy Law at John Marshall
Law School in Chicago.
"Transparency is important for consumer confidence. The simpler
the system, the easier it is to make it transparent to people,"
"Right now, businesses as well as credit card issuers are really
going out on a limb to push for acceptance of online transactions
and promote consumer confidence. They are not really charging discount
rates that reflect the increased risk yet because they want consumers
to use their cards online."
Merchants, on the other hand, have a very real stake in knowing
a little more about who's at the other end of that online transaction.
Sorkin says don't be surprised if that online vendor follows up
on your next major purchase with a few additional questions.
"I think that's quite possible," says Sorkin. "Now, in a lot of
cases, you may have to supply a street address and they'll verify
that, where you probably wouldn't need it for a card-present transaction.
It is certainly possible that they'll extend upon that by asking
for a phone number.
"I don't think they'll go so far as to ask for a mother's maiden
name or Social Security number, but it wouldn't surprise me to see
them add to that list."
Wrestling with Mob.com
Federal authorities aren't taking online fraud lightly, either.
The FBI recently teamed with the National
White Collar Crime Center to launch its Internet Fraud Complaint
Center and the Secret Service is building a database to quickly
pinpoint where credit cards are being skimmed.
Their target is neither petty thieves nor malicious hackers.
"The other part of the story is you have inherently
violent criminals now who are getting into what has traditionally
been called white-collar crime," says Winter.
Meaning organized crime?
"No question. Absolutely. That's a big part
of it now. Most of it is organized crime.
"The difficulty with technology, financial
crimes and cybercrime in general nowadays is the traditional venues
of jurisdiction are blurred," he adds. "The crime may be committed
here but then it's sent overseas. Sometimes the crime occurs overseas
but the companies in the U.S. are being hit.
"With the evolution of our payment systems, we've become more and
more involved as an investigative unit. We're beefing up big-time."