There's been a new note to my incoming spam recently. I'm lately seeing
advertisements for the ability to create "merchant accounts" through which a
vendor can bill Visa and MasterCharge. Spam scams often follow a pattern: the
spammers first exploit a scam themselves, and then, once they've skimmed the
finest opportunities, they promote the scheme to the "suckers" at large. Spammer
promotion of merchant accounts lends another angle to the Webtel/N-Bill fraud.
Again, the onus is on the credit card companies to do some minimal regulation of
who gets a merchant account. Sloppy regulation of merchant accounts is likely a
key component of this scam. Here's a sample spam, edited for brevity ...
INCREASE SALES UP TO 50% ACCEPT CREDIT CARDS OVER THE INTERNET
***NO SETUP FEES Good Credit / Bad Credit/ No Credit ***NO PROBLEM*** It
Just Doesn't Matter - Everyone Gets Approved
We Specialize In Servicing The Following: *Multilevel Marketing
*Mail Order/ Phone Sales *Home Based Business *INTERNET BASED BUSINESS *New
Business* Small Business Whatever!! We Do It All!!!
A fast and reliable way to process credit cards through your web
site The Internet's reach is global - it knows no time zones or physical
boundaries ...
... let's say a customer visits your web site and decides they want
to buy your product(s) or service(s). They would simply enter their credit
card information and receive an approval WITHIN 5 SECONDS ...
From that point on, the sale is complete and the money will be
directly deposited into your business checking account within 24 to 48
hours. So you will have LIQUID ASSETS AVAILABLE ALMOST IMMEDIATELY!!! ... you
will be receiving orders and making money in your sleep!!!
Some banks are treating customers well, others are refusing refunds, are
unable to block continuing charges, accuse victims of being criminals, or
generally provide shabby service. Here's a partial listing of the Famed and
Shamed.
Fame (Good Banks)
Mixed
Shame (Bad Banks)
American Express
Barclay's UK
Beneficial Bank
Chevy Chase Bank of MD
NationsBank
Seafirst Bank
Sumitomo Credit
Wells Fargo
I was misquoted in the article, however. I
actually said, in reply to a question, that I didn't feel
"shocked or invaded". Somehow this turned into feeling "shocked and
invaded", which sounds rather Oprah-ish and is quite unlike me. I'm
surprised about the unsuitability of credit card transaction systems for
e-commerce, but not about someone misusing my credit card.
The FTC's filings suggest they suspected
that a credit card generator was used in this case. Later data, however,
implicated Charter Pacific Bank.
Many persons find it hard to believe that credit card number
generators can work. Believe it. I've had verification from the most
absolutely reliable sources, including Visa's central security office.
Knowledgeable hackers assure me they've been in play since the 80s.
(Probably one of the first personal computer commerce applications.) A
popular game for teen hackers is to use a generated card number to sign
up for a free month, then cancel the subscription before the month ends.
In theory the card holder is never aware of the transaction. Of course,
if the numbers that teen hackers use were in a batch that was stolen by
the Netfill gang, then real transactions would start to appear
on the victims' credit reports. This is a way that generated numbers
might have been unwittingly used by the Netfill gang, when they
thought they were using stolen numbers from persons who had signed
up at some time for adult web sites.
Kragen Sitaker, who knows something of these matters, writes "...
this is one of the first documented instances of pseudo-spoofing being
used to defeat reputation systems." In Kragen's words (quoted with
permission):
Spoofing is where you pretend to be someone else who
really exists. Pseudo-spoofing is where you pretend to be a
multitude of people, none of whom really exist. It's a technique to
defeat reputation systems; each of your nyms [jf: assumed names] can
vouch for the others, and no nym needs to do evil things more than
once -- so even if doing something evil gets you immediately barred
from access to the system, that will not deter you if creating new
nyms has zero cost. Lawrence Detweiler invented the term in early
1993; he believed that most of the people on the cypherpunks list
(including me) were actually the same person, whom he nicknamed
"Medusa", and were manipulating the list by giving the appearance of
consensus to points of view which, in reality, only "Medusa" held.
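To make Kragen's point concrete, here is an added example (my own toy code, not anything from the cypherpunks list or this page) of a reputation system scored two ways: naively counting vouches, and weighting each vouch by the voucher's tenure as a stand-in for a non-zero identity cost. The nym names and tenures are constructed for the demonstration.

```python
from collections import defaultdict


class Reputation:
    """Toy reputation store: each nym has a tenure in days (a proxy for the
    cost of acquiring the identity) and a set of nyms that vouched for it."""

    def __init__(self, weighted):
        self.weighted = weighted
        self.vouches = defaultdict(set)  # target -> set of vouching nyms
        self.age_days = {}               # nym -> tenure in days

    def register(self, nym, age_days=0):
        self.age_days.setdefault(nym, age_days)

    def vouch(self, voucher, target):
        if voucher != target and voucher in self.age_days:
            self.vouches[target].add(voucher)

    def score(self, nym):
        # Naive scoring counts every vouch as 1, so a crowd of fresh nyms
        # is indistinguishable from a crowd of real people.
        if not self.weighted:
            return float(len(self.vouches[nym]))
        # Weighted scoring lets a voucher carry at most its own tenure,
        # reaching one full vote after 30 days; brand-new nyms carry 0.
        return sum(min(1.0, self.age_days[v] / 30) for v in self.vouches[nym])


def simulate(weighted):
    """Constructed scenario: 'alice' is vouched for by two long-standing
    members; 'medusa-0' is vouched for by nine freshly created sock puppets."""
    rep = Reputation(weighted)
    for old in ("bob", "carol"):
        rep.register(old, age_days=365)
    rep.register("alice", age_days=200)
    for old in ("bob", "carol"):
        rep.vouch(old, "alice")
    puppets = [f"medusa-{i}" for i in range(10)]
    for p in puppets:
        rep.register(p, age_days=0)      # zero-cost nyms
    for p in puppets[1:]:
        rep.vouch(p, "medusa-0")         # every puppet vouches for the "main" nym
    return {"alice": rep.score("alice"), "medusa-0": rep.score("medusa-0")}


if __name__ == "__main__":
    print("naive   :", simulate(weighted=False))   # medusa-0 outranks alice
    print("weighted:", simulate(weighted=True))    # the puppets carry nothing
```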
If you call the phone number on the credit
card slip, you get a voice mail line. It is quite difficult to access a
human, but some have managed this. By exploring the line you learn that
they are selling pornography. You should know, however, that when you
call a toll-free number (800/888), the vendor gets your phone number (CNI
system). Unlike caller ID, this cannot be blocked. They may also receive
additional address information from the phone company monthly, or use a
reverse look-up service to acquire address information. This information
can then be resold, which may bring a new flavor to your junk mail and junk
phone calls.
This interesting report comes from a
knowledgeable source:
The owners of Netfill, et al don't use AVS to do basic
credit card fraud control on the cards they accept for adult
websites. This is because they feel that they would not be able to
get anyone to put their credit card "into the slot" because if the
customer had to identify their address, the customer would fear junk
mail of the adult-variety showing up in their home mailbox!
While they have AVS "turned-on" at their bank, they don't
actually send it. This fools the bank for a while - at least until
the chargebacks come rolling in. AVS failure/decline results are
sent back to the merchant with each transaction. It's usually up to
the merchant to take the risk as to whether the customer is legit.
Since online transactions are always "faceless", ignoring AVS is
extremely dangerous. Also, online credit card merchants must
maintain a 1% chargeback limit. This is hard for any merchant to do,
let alone one who purveys promiscuous material. This explains why
victims are only seeing adult online merchants showing up on their
statements.
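The report above describes a merchant that has AVS "turned on" but never submits the address, and then ignores the failure codes that come back. As an added example (my own code, not the page's or any bank's), here is the merchant-side policy a defender would want instead: a card-not-present sale with no AVS data is declined rather than quietly accepted, mismatches are declined, partial matches go to review, and a helper checks the 1% chargeback ratio. The single-letter AVS codes and the sample orders are assumptions for the demonstration.

```python
from dataclasses import dataclass
from typing import Optional

# Single-letter AVS result codes as commonly returned by card processors.
# Assumed here for illustration; consult your own processor's code table.
AVS_FULL_MATCH = {"Y"}             # street address and ZIP both match
AVS_PARTIAL = {"A", "Z"}           # only street (A) or only ZIP (Z) matched
AVS_NO_MATCH = {"N"}               # neither matched
# Any other code (e.g. "U") is treated as "issuer could not verify".

@dataclass
class CardNotPresentTxn:
    order_id: str
    amount: float
    street: Optional[str]      # billing street as entered; None if never collected
    zip_code: Optional[str]
    avs_result: Optional[str]  # processor's AVS code; None if AVS was never sent

def decide(txn, allow_partial=False):
    """Return (decision, reason) where decision is 'accept', 'decline' or 'review'.
    Key rule: a faceless sale whose AVS data was never submitted is declined
    outright, instead of sailing through because the account has AVS 'on'."""
    if txn.street is None or txn.zip_code is None or txn.avs_result is None:
        return "decline", "AVS data not submitted"
    code = txn.avs_result.upper()
    if code in AVS_FULL_MATCH:
        return "accept", "AVS full match"
    if code in AVS_PARTIAL:
        return ("accept" if allow_partial else "review"), f"AVS partial match ({code})"
    if code in AVS_NO_MATCH:
        return "decline", "AVS mismatch"
    return "review", f"AVS unavailable ({code})"

def screen(txns, allow_partial=False):
    """Apply decide() to a batch; returns {order_id: decision}."""
    return {t.order_id: decide(t, allow_partial)[0] for t in txns}

def over_chargeback_limit(settled_count, chargeback_count, limit=0.01):
    """True when chargebacks exceed the 1% ratio the report says merchants must keep."""
    return settled_count > 0 and chargeback_count / settled_count > limit

# Constructed sample batch (not real transactions).
SAMPLE = [
    CardNotPresentTxn("o1", 19.95, "1 Main St", "12345", "Y"),
    CardNotPresentTxn("o2", 19.95, "1 Main St", "12345", "N"),
    CardNotPresentTxn("o3", 19.95, None, None, None),          # AVS "on" but never sent
    CardNotPresentTxn("o4", 19.95, "1 Main St", "99999", "A"),
    CardNotPresentTxn("o5", 19.95, "1 Main St", "12345", "U"),
]
```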
The undated (probably Sept/Oct 1998) fax
from Online
Billing was forwarded by our Japanese contact (Yakei). Though it was
written by Americans to a foreign bank, it has several spelling errors
and poor grammar. Two paragraphs are interesting. The first is a cute
smear against the victims of this fraud. The second suggests they were
trying to avoid chargebacks. Chargebacks will eventually shut down a
merchant account, requiring a new alias.
Due to the nature of our adult sites, many people deny
ever having joined the sites, most of which have a monthly
subscription charge ... most have a three month minimum ... In the
spirit of good customer service, we are willing to credit the last
month on their bill without going to chargeback ...
US Bank is my own bank. They eventually
did make up all the fraudulent charges, even the ones they initially
said they wouldn't pay (more than 60 days old). This moved them
from the Shame to Mixed category. On the other hand they were quite
disorganized, and their fraud division and customer service departments
didn't seem to be talking to one another. If you have to work with them,
try to go directly through the Fraud Division (800-260-8469) and forget
customer service.
In the
MSNBC story a Visa
spokesperson was quoted as saying that the security concerns expressed
on this page are quite incorrect. I certainly hope that's true! On the
other hand, even if Visa is unable to outline all the security
precautions they allegedly take, I think they ought to be able to tell
us how this scam was able to go on for so long, and what will prevent
similar scams in the future.
From a purely personal perspective, this
was rather dreadful. I'm looking down and to the left because I was told
to look to my interviewer, and that's where she sat. Next time I'm
reviewing the camera angles myself!
Journalists share some common vices with
physicians. We all tend to construct a "narrative" pretty quickly, and
we don't like revising it. With patients we physicians tend to develop a
diagnosis very quickly, and we may disregard contradictory evidence or
ignore seemingly irrelevant data. Journalists do the same thing. Most of
the time I'm interviewed it's very clear what I'm supposed to
say. If I don't cooperate the journalist will often repeat a question in
various forms, evidently hoping that sooner or later I'll give them the
response they want.
"Well formed" credit card numbers will
pass the checksum and other tests used by processors. Software to
generate these well formed numbers is available on hacker sites; the
algorithms have been a part of several shareware packages for years (see
http://www.creditnet.com/ccs/ccn-shareware.html for examples). I
have some Credit Card Generator screen shots for review as well.
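The checksum referred to above is the Luhn mod-10 check. As an added example (my own code, not any of the shareware mentioned), here is the check written out as a merchant-side validator, with a wrapper that makes the limitation explicit: a number can be perfectly "well formed" and still never have been issued by anyone. The inputs are constructed; the first is a widely published test number, not a real account.

```python
def luhn_valid(number: str) -> bool:
    """Luhn mod-10 checksum as used for card account numbers.
    Spaces and dashes are ignored; any other non-digit fails the check."""
    digits = number.replace(" ", "").replace("-", "")
    if not digits.isdigit() or len(digits) < 2:
        return False
    total = 0
    # Walk from the rightmost digit; double every second digit and
    # subtract 9 from any doubled value above 9 (same as summing its digits).
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def is_well_formed(number: str) -> bool:
    """Syntactic screen only: plausible length plus a valid Luhn check digit.
    Passing says nothing about whether an issuer ever assigned the number,
    which is exactly why a processor cannot stop on this test alone."""
    digits = number.replace(" ", "").replace("-", "")
    return 13 <= len(digits) <= 19 and luhn_valid(digits)


def screen(numbers):
    """Return {input: is_well_formed(input)} for a batch of inputs."""
    return {n: is_well_formed(n) for n in numbers}


# Constructed inputs: a published test value, the same value with one digit
# changed, an all-zero string that still passes Luhn, and a non-digit input.
SAMPLES = ["4111 1111 1111 1111", "4111-1111-1111-1112",
           "0000000000000000", "4111111111111111x"]

if __name__ == "__main__":
    for n, ok in screen(SAMPLES).items():
        print(f"{n!r}: well formed = {ok}")
```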
U.S. CRACKS DOWN ON NET PORN FRAUD
(E-Commerce Times, 24 Aug 2000; this summary was printed in Newsscan)
The Federal Trade Commission has filed a lawsuit against Crescent
Publishing Group and 64 affiliated companies that operate adult Web
sites, accusing them of charging customers for services advertised as
"Free Tour Web Sites." Like many adult sites, the Crescent sites
requested that users supply credit card information to verify they were
of legal age to view pornographic material. Customers who'd been
promised a free online peep show say they were then billed for recurring
monthly membership fees ranging from $20 to $90. Included among the
complainants were some people who said they'd never visited the
sites at all -- in fact, one woman who'd been charged a recurring fee
for several months didn't even own a computer. To add to the
confusion, the charges were made under different company names.
Instead of finding a charge from Highsociety.com on their statements,
consumers would find charges from "Online Forum," or "Hoot Owl," or
"Knock Knee." The FTC has classified the scam as one of the largest it's
ever seen on the Internet, generating $141 million in
the first 10 months of 1999 alone.