Sunday, August 22, 2010

Card and Debit Card Scam: $10m in bogus charges made on more than 1m accounts with amounts ranging from 20 cents to $10

Last week Finfacts reported on US justice targeting Eastern European hackers of credit card processing systems. This week, we report on a new angle where $10m in bogus charges on more than 1m consumers’ credit and debit card were made, with amounts ranging from 20-cents to $10.

We were alerted to this story by Randall Stross, an author based in Silicon Valley and a professor of business at San José State University, who writes a column for the New York Times.

Last March, at the request of the Federal Trade Commission, a federal court halted the elaborate international scheme that used identity theft to place more than $10m in bogus charges on consumers’ credit and debit cards, pending a trial. More than a million consumers were hit with one-time charges of $10 or less, and their payments were routed through dummy corporations in the United States to bank accounts in Eastern Europe and Central Asia.

The defendants, using phony company names resembling real companies, and
information taken from identity theft victims in the United States, opened more than 100 merchant accounts with companies that process charges to consumers’credit and debit card accounts, according to the FTC complaint. The FTC believes the defendants may have run credit checks on the identity theft victims first, to be sure they were creditworthy. The defendants also cloaked each fake merchant with a virtual office address near a real merchant’s location, a phone number, a home phone number for the “owner,” a web site pretending to sell products, a toll-free number consumers could call, and a real company’s tax number found on the Internet.

The FTC alleged that with spam e-mail, the defendants recruited at least 14 “money mules” - - people in the United States they paid to form 16 dummy corporations, open associated bank accounts to receive the card payments, and transfer the money overseas. The defendants used debit cards linked to these bank accounts to set up telephone service, virtual addresses, and web sites that helped deceive the card processors, according to the complaint.

The “money mules” responded to spam e-mail pretending to seek a US finance manager for an international financial services company. The FTC has not determined how the defendants obtained the stolen identities or consumers’
credit and debit account numbers. Consumers’ payments were sent to bank accounts in Lithuania, Estonia, Latvia, Bulgaria, Cyprus, and Kyrgyzstan.

None of the consumers affected by the scam had contact with any of the defendants. Most consumers either didn’t notice the charges on their bills or didn’t seek chargebacks because of the small amounts – charges ranged from 20 cents to $10. Consumers who called the toll-free numbers that appeared on their bills either found them disconnected or heard recorded messages instructing them to leave a message, but no calls were returned.

“One thing that the banks can do a better job at is vetting merchants much more carefully,” said Avivah Litan, an analyst at Gartner Research, to The New York Times. “That’s been a weak spot for many years.”

Stross says Wells Fargo Bank deserves credit for checking merchant references that helped uncover the problem. He says the monthly statements’ description of each transaction — the “merchant descriptor”— is frustratingly brief.

Visa and MasterCard's computer systems only allow 26-28 characters.

Steven M. Wernikoff, an FTC lawyer, said maybe the scammers should have stuck with $9: “There were more complaints about the 20-cent charges because they looked really odd,” he said.

Finfacts article: Aug 17, 2010; US justice targets Eastern European credit card system hackers

We are adding news stories to the blog system as  we await a glitch in the news database to be rectified  on Mon, Aug 23rd.

News stories up to Friday Aug 20th are accessible from here:

Finfacts News Home Page