Archive for the ‘Fraud Protection’ Category

STEALING A FORTUNE BY CREDIT CARD, PENNY BY PENNY

Tuesday, July 13th, 2010


Why should you make sure your credit and debit card processing system is protected? Because criminals today are incredibly creative. Take one team of criminals, for example, that was caught recently after putting more than one million fake charges on consumer credit cards with amounts so small, most were never even noticed.

A recent article on www.itworld.com shows just how creative criminals can become with stolen credit cards – and how cautious merchants must be to prevent it:

The U.S. Federal Trade Commission has disrupted a long-running online scam that allowed offshore fraudsters to steal millions of dollars from U.S. consumers – often by taking just pennies at a time.

The scam, which had been run for about four years, according to the FTC, provides a case lesson in how many of the online services used to lubricate business in the 21st century can equally be misused for fraud.

“It was a very patient scam,” said Steve Wernikoff, a staff attorney with the FTC who is prosecuting the case. “The people who are behind this are very meticulous.”

The FTC has not identified those responsible for the fraud, but in March, it quietly filed a civil lawsuit in U.S. District Court in Illinois. This has frozen the gang’s U.S. assets and also allowed the FTC to shut down merchant accounts and 14 “money mules” – U.S. residents recruited by the criminals to move money offshore to countries such as Bulgaria, Cyprus, and Estonia.

“We’re going to aggressively seek to identify the ultimate masterminds behind this scheme,” Wernikoff said. According to him, the scammers found loopholes in the credit card processing system that allowed them to set up fake U.S. companies that then ran more than a million phony credit card transactions through legitimate credit card processing companies.

Wernikoff doesn’t know where the scammers obtained the credit card numbers they charged, but they could have been purchased from online carder forums, black market Web sites where criminals buy and sell stolen information.

The scammers stayed under the radar by charging very small amounts – typically between $0.25 and $9 per card – and by setting up more than 100 bogus companies to process the transactions.

U.S. consumers footed most of the bill for the scam because, amazingly, about 94 percent of all charges went uncontested by the victims. According to the FTC, the fraudsters charged 1.35 million credit cards a total of $9.5 million, but only 78,724 of these fake charges were ever noticed. Typically they floated just one charge per card number, billing on behalf of made-up business names such as Adele Services or Bartelca LLC.

As credit cards are increasingly being used for inexpensive purchases – they’re now accepted by soda machines and parking meters – criminals have cashed in on the trend by running this type of unauthorized charging scam.

“They know that most of the fraud detection systems won’t detect anything under $10 and they know that consumers won’t complain about a 20 cent fee,” said Avivah Litan, an analyst with the Gartner research firm who follows bank fraud. “What’s different here is the scale, and that they got away with it for so many years,” she said.

In March Alexsandr Bernik of Roseville, California, was sentenced to 70 months in prison for running a similar scam. He put tens of thousands of charges on Amex accounts, each ranging from $9 to $15. Neither federal authorities nor American Express would explain how Bernik obtained his card numbers.

Bernik made his charges on behalf of a fictional corporation called Lexbay Ltd., but in the FTC case, the scammers would mimic legitimate companies – taking real federal tax I.D. numbers and then setting up fake businesses with nearly identical names that appeared to be located nearby. In a move that apparently tricked credit card processors into granting it a merchant account, Adele Services, for example, was set up to mimic a legitimate Bronx, New York group called Adele Organization.

When the scammers tried to register merchant accounts with credit card processors, the processors would do some investigating, but using tricks like these, the scammers were always one step ahead.

In fact, the FTC’s description of their operation reads like a textbook on how to set up a fake virtual corporation in the Internet age.

The criminals used a range of legitimate business services to make it appear to credit card processors as though they were legitimate U.S. companies, even though the scammers may have never set foot in the U.S.

For example, using a company called Regus, they were able to give their fictional companies addresses that were very close to the companies whose tax IDs they were stealing. Regus lets companies operate “virtual offices” out of a number of prestigious addresses throughout the U.S. – the Chrysler Building in New York for example – forwarding mail for as little as $59 per month.

Mail sent to Regus locations was then forwarded to another company, called Earth Class Mail, which scans correspondence and uses the Internet to deliver it to customers in pdf format.

They used another legitimate virtual business service – United World Telecom’s CallMe800 – to have phone calls forwarded overseas. To further make it seem as though their companies were legitimate, the scammers would set up fake retail Web sites. And when credit card processors asked them to provide information about company executives, they handed over legitimate names and social security numbers, stolen from ID theft victims.

When they had to log into payment processor Web sites, they would do this from IP addresses that were located near their virtual offices, again evading payment processor fraud detection services.

One of the largest payment processors in the U.S., First Data, was a favorite of the scammers. Of the 116 fake merchant accounts the FTC uncovered, 110 were with First Data. The scammers also set up bogus accounts with Elavon and BBVA Compass.

First Data would not comment on the measures it had taken to improve its merchant vetting process, but the company did confirm that it cooperated with the FTC investigation.

To get the money out of the U.S., the scammers had to recruit money mules. These were U.S. residents who were recruited online, often with spam e-mail messages. Under the impression that they were helping offshore businesses, the money mules set up bank accounts and helped the fraudsters move money offshore.

In a letter to the judge presiding over the case, one of the mules, James P. Smith of Brownwood, Texas, says he worked for one of the scammers for four years without realizing that anything illegal was going on. Smith now says he is “ashamed” to be named in the FTC action, and offers to help catch his former boss, who used the name Alex Moore.

The FTC’s Wernikoff believes that whoever is responsible for this crime lives outside of the U.S., but with the money-cashing operation now busted up, the scammers will have to start again from scratch, if they want to keep bilking consumers. And criminal investigators now have a trail to follow.

“Does it prevent the people ultimately responsible from building up again from scratch?” he asked. “No. But we do hope that this seriously disrupts them.”

Tuesday, July 13th, 2010

FRAUD CONTROL

Card-Not-Present

Extra protection when there’s no card

Card-not-present (CNP) merchants must take extra precaution against fraud exposure and associated losses. Anonymous scam artists bet on the fact that many Visa fraud prevention features do not apply in this environment.

Follow these recommendations to help prevent fraud in your card-not-present transactions.

Visa CNP payment acceptance

Take these steps to accept Visa CNP payments:

  1. Obtain an authorization.
  2. Verify the card’s legitimacy:
     • Ask the customer for the card expiration date, and include it in your authorization request. An invalid or missing expiration date might indicate that the customer does not have the actual card in hand.
     • Use fraud prevention tools such as Visa’s Address Verification Service (AVS), Card Verification Value 2 (CVV2), and Verified by Visa.
     • Learn more about Card-Not-Present fraud prevention tools.
     • Ask for additional information during the transaction (e.g., request the financial institution name on the front of the card).
     • Contact the cardholder with any questions.
     • Confirm the order separately by sending a note via the customer’s billing address rather than the “ship to” address.
  3. Look for general warning signs of fraud (listed below).
  4. If you receive an authorization, but still suspect fraud:

To report suspicious activity, contact your merchant financial institution.

12 potential signs of CNP fraud

Keep your eyes open for the following fraud indicators. When more than one is true during a card-not-present transaction, fraud might be involved. Follow up, just in case.

  1. First-time shopper: Criminals are always looking for new victims.
  2. Larger-than-normal orders: Because stolen cards or account numbers have a limited life span, crooks need to maximize the size of their purchase.
  3. Orders that include several of the same item: Having multiples of the same item increases a criminal’s profits.
  4. Orders made up of “big-ticket” items: These items have maximum resale value and therefore maximum profit potential.
  5. “Rush” or “overnight” shipping: Crooks want these fraudulently obtained items as soon as possible for the quickest possible resale, and aren’t concerned about extra delivery charges.
  6. Shipping to an international address: A significant number of fraudulent transactions are shipped to fraudulent cardholders outside of the U.S. Visa AVS can’t validate non-U.S. addresses, except in Canada and the United Kingdom.
  7. Transactions with similar account numbers: Particularly useful if the account numbers used have been generated using software available on the Internet (e.g., CreditMaster).
  8. Shipping to a single address, but transactions placed on multiple cards: Could involve an account number generated using special software, or even a batch of stolen cards.
  9. Multiple transactions on one card over a very short period of time: Could be an attempt to “run a card” until the account is closed.
  10. Multiple transactions on one card or a similar card with a single billing address, but multiple shipping addresses: Could represent organized activity, rather than one individual at work.
  11. In online transactions, multiple cards used from a single IP (Internet Protocol) address: More than one or two cards could definitely indicate a fraud scheme.
  12. Orders from Internet addresses that make use of free e-mail services: These e-mail services involve no billing relationships, and often neither an audit trail nor verification that a legitimate cardholder has opened the account.
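The "more than one is true" rule above can be applied automatically to an order log. The following is an added example, not code from Visa or from this page: it checks signs 5, 6, 8, 9, 11 and 12 over constructed orders, and the field names, thresholds and the `freemail.example` domain are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed values for illustration; tune them to your own order history.
FREE_MAIL = {"freemail.example"}       # placeholder for real free e-mail domains
SHORT_WINDOW = timedelta(minutes=10)   # "very short period of time" (sign 9)
MAX_CARDS_PER_IP = 2                   # "more than one or two cards" (sign 11)

# Constructed sample orders. "card" holds a token, never a real card number.
FIELDS = ("id", "card", "ip", "ship_to", "country", "shipping", "email", "time")
ROWS = [
    ("A1", "tok_1", "198.51.100.7", "12 Elm St", "US", "ground", "pat@example.com", "2010-07-13T10:00:00"),
    ("B1", "tok_2", "203.0.113.9", "9 Dock Rd", "US", "overnight", "b1@freemail.example", "2010-07-13T11:00:00"),
    ("B2", "tok_3", "203.0.113.9", "9 Dock Rd", "US", "overnight", "b2@freemail.example", "2010-07-13T11:02:00"),
    ("B3", "tok_4", "203.0.113.9", "9 Dock Rd", "US", "overnight", "b3@freemail.example", "2010-07-13T11:05:00"),
    ("C1", "tok_5", "192.0.2.44", "3 Oak Ave", "US", "ground", "lee@example.org", "2010-07-13T12:00:00"),
    ("C2", "tok_5", "192.0.2.44", "3 Oak Ave", "US", "ground", "lee@example.org", "2010-07-13T12:03:00"),
    ("D1", "tok_6", "192.0.2.80", "4 Example Rd", "FR", "rush", "sam@example.net", "2010-07-13T13:00:00"),
]
ORDERS = [dict(zip(FIELDS, row)) for row in ROWS]


def score_orders(orders):
    """Map each order id to the numbers of the signs (from the list) that fire."""
    cards_by_ip, cards_by_addr = defaultdict(set), defaultdict(set)
    times_by_card = defaultdict(list)
    for o in orders:  # first pass: build cross-order context
        cards_by_ip[o["ip"]].add(o["card"])
        cards_by_addr[o["ship_to"]].add(o["card"])
        times_by_card[o["card"]].append(datetime.fromisoformat(o["time"]))
    hits = {}
    for o in orders:  # second pass: evaluate each sign for each order
        t = datetime.fromisoformat(o["time"])
        near = sum(abs(x - t) <= SHORT_WINDOW for x in times_by_card[o["card"]])
        checks = {
            5: o["shipping"] in ("rush", "overnight"),
            6: o["country"] != "US",                      # international shipping
            8: len(cards_by_addr[o["ship_to"]]) > 1,      # one address, many cards
            9: near > 1,                                  # same card, rapid reuse
            11: len(cards_by_ip[o["ip"]]) > MAX_CARDS_PER_IP,
            12: o["email"].rsplit("@", 1)[-1].lower() in FREE_MAIL,
        }
        hits[o["id"]] = [sign for sign, fired in checks.items() if fired]
    return hits


def needs_follow_up(orders):
    """Orders where more than one sign is true, the page's follow-up rule."""
    return [oid for oid, signs in score_orders(orders).items() if len(signs) > 1]
```

Orders C1 and C2 trip only sign 9, so they are not queued for follow-up; the B orders and D1 each trip several signs and are.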

Visa CNP fraud prevention tools

Appropriate preventive action can help reduce fraudulent transactions and potential customer disputes. Make use of these Visa tools and controls to verify the legitimacy of the Visa cardholder and the card in every card-not-present transaction.

Address Verification Service (AVS): Allows card-not-present merchants to check a Visa cardholder’s billing address with the card Issuer. The merchant includes an AVS request as part of the authorization and receives a result code indicating whether the address given by the cardholder matches the address on file with the Issuer.

Card Verification Value 2 (CVV2): Is a three-digit number imprinted on the signature panel of Visa cards to help card-not-present merchants verify that the customer has a legitimate card in hand at the time of the order. The merchant asks the customer for the CVV2 code and then sends it to the card Issuer as part of the authorization request. The card Issuer checks the CVV2 code to determine its validity, then sends a CVV2 result back to the merchant along with the authorization. CVV2 is required on all Visa cards.

To protect CVV2 data from being compromised, Visa U.S.A. Inc. Operating Regulations prohibit merchants from keeping or storing CVV2 numbers once a transaction has been completed.

Verified by Visa (VbV): Enables e-commerce merchants to validate a cardholder’s ownership of an account in real-time during an online Visa card transaction. When the cardholder clicks “buy” at the checkout of a participating merchant, the merchant server recognizes the registered Visa card and the “Verified by Visa” screen automatically appears on the cardholder’s desktop. The cardholder enters a password to verify his or her identity and the Visa card. The Issuer then confirms the cardholder’s identity.

Code 10

When you suspect fraud

If you’re suspicious of a card or cardholder at any time during a transaction authorization process, you will need to make a Code 10 authorization request.

What is Code 10?

The Code 10 authorization request alerts the card issuer to the suspicious activity—without alerting the customer. During a Code 10 call, you will speak to the card issuer’s special operator, who will provide instructions on any necessary action. This type of authorization request is the most likely to result in a call to law enforcement.

Code 10 steps

If you receive an electronic authorization, but still suspect fraud, do the following:

  • Keep the card in hand to quickly respond to questions.
  • Call your voice authorization center and say “I have a Code 10 Authorization Request.” The call will first be received by your merchant bank who may need to ask you for some merchant and/or transaction details. You will then be transferred to the card Issuer and immediately connected to a special operator. A series of yes/no questions will be asked to determine whether you are suspicious of the card or cardholder.
  • When connected to the special operator, answer all questions calmly and in a normal tone of voice.
  • Follow all operator instructions.

If the operator asks you to retain the card, comply with this request only if it is safe to do so.