Details

Outline

This is an outline of the general fraud. I'll discuss some interesting variations below. You may wish to refer to the following image as you review the text. [3] Some of this material is speculative; quotes are from authoritative sources. (Thanks to security experts (GM, NJ, WFE, RLB, DB), and my hacker colleagues (WH, SD), for background information.)

Diagram of CC Number and currency flows.
This sketch has been updated as of Oct 1999 to include the role of Charter Pacific Bank.

This is a complex operation. The current consensus is that the operations we know of (N-Bill, Webtel, MJD Services, XBC.COM) are all operations of J K Publications/Netfill.

Netfill's original business was handling transactions for web sites selling "adult content" (usually pornography). Netfill began to acquire a "bad reputation" in the pornography world, possibly for reusing the credit card numbers they were handling. They went through several aliases, and then, we suspect, began running transactions against credit card numbers that they'd obtained (see CP Bank).

During this time Netfill appears to have gone through various Merchant Accounts, perhaps as Banks and Processing centers began to block transactions.

Below is a step-by-step description of how this type of fraud might operate. If it is properly done (see #2), it is hard to see how they can ever get caught.

  1. The thief needs credit card numbers. They do not need anything else. Credit card processing companies do not mandate the use of additional validation information: "... the system was designed for 'card present' transactions and has no real way to tell whether [an expiration date] is correct or not ...". There is an early system in place to do some validation based on zip codes and addresses (AVS), but "it only works with US cards and is not totally reliable yet". Some banks do check expiration dates, but many don't. (See [5] for Netfill's alleged misuse of AVS.)

    Charges can also be issued against cancelled cards, or non-existent accounts, if the computer of the card issuing bank is not available during the transaction.

    There are several ways the thieves could have obtained the numbers, but in fact they purchased most of them (legally?!) from Charter Pacific Bank. In addition, the geographic distribution of victims, and the reports of fraud on cards that have never been used anywhere, suggest that at least some of the time either Taves, CP Bank, or other operators used software to generate "well formed" credit card numbers. [13] It's likely that they have also stolen a set of credit card numbers, possibly with validating information. (There is a way that they might have been unwittingly using generated credit card numbers. [2])

    Credit card numbers can also be stolen from a vendor site or a processor site. It is not that hard for a hacker to steal numbers from many e-commerce sites. Matt Beer has written a December 13, 1998 San Francisco Examiner article on the 9/10 success rate of IBM's "ethical hacker" team [1].

  2. Netfill and its aliases (N-Bill, Webtel, etc) have Merchant Accounts. The thief could be generating credit card transactions directly through Netfill. It would be much safer, however, for the thief to funnel the transactions through a pornography vendor (such as XXXPERTS.COM), which could be a willing or unwilling collaborator. This would give Netfill deniability -- they could say (plausibly) that they were only processing "someone else's" transactions. Of course, they would be making money on the transactions that weren't caught. If the thief was working with both Netfill and the pornography web site, then the money would come to the thief through both sources.

  3. The Merchant Account holder sends the transaction on to a "Processor". The Processor applies the checksum algorithm; the credit card number will pass this test. The Processor then attempts to check the number against the bank that issued the card. Sometimes they will be unable to complete this test; in that case the number is passed by default. If they can complete the test, a non-existent number will fail. A valid number will pass, and a recurring charge can then be set up.

    The role of the banks in authorizing transactions is yet another serious weakness in Visa/MC security. Some banks have excellent IT resources and anti-fraud measures; others are completely overwhelmed by e-commerce. I wonder if this might relate to the apparent high attack rate in Japan. (See American Express.)

  4. At this point a recurring charge will go through every month. Charges are small, usually USD $19.95, and are thereby less likely to get attention.

  5. If the victim notices, the victim can do a 'charge-back' through the credit card company. However, many banks only go back 60 days, so you may be out some money. Since the total for 2 months is < $50, the credit card company is not obligated to refund everything. If the victim doesn't notice, then the scam works. Eventually the Merchant Account will be closed, and a new one will have to be created under another name. (See spammers and merchant accounts.)
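
The authorization path in step 3, as an added example (not code from the original page or from any processor): it shows that the checksum only proves a number is well formed, and that "passed by default" when the issuing bank cannot be reached is the branch that lets a non-existent account through, beside the fail-closed alternative. The function names, the simulated issuer and the `fail_open` flag are assumptions; the two card numbers are widely published test numbers, not real accounts.

```python
from enum import Enum

class Issuer(Enum):
    APPROVED = "approved"        # issuing bank confirms an open account
    DECLINED = "declined"        # no such account, or card cancelled
    UNAVAILABLE = "unavailable"  # issuing bank's computer not reachable

def luhn_ok(pan: str) -> bool:
    """Mod-10 checksum: shows the digits are well formed, nothing more."""
    if not (pan.isascii() and pan.isdigit()):
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:               # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def authorize(pan: str, issuer_lookup, fail_open: bool) -> str:
    """Processor decision for one transaction (hypothetical interface)."""
    if not luhn_ok(pan):
        return "reject:checksum"
    answer = issuer_lookup(pan)
    if answer is Issuer.APPROVED:
        return "accept"
    if answer is Issuer.DECLINED:
        return "reject:issuer"
    # Issuer unreachable: the only branch where the two policies differ.
    return "accept:unverified" if fail_open else "reject:retry-later"

# Constructed data: the simulated issuer holds exactly one open account.
OPEN_ACCOUNTS = {"4111111111111111"}
UNKNOWN_PAN = "4012888888881881"     # passes the checksum, no account behind it

def issuer_up(pan):
    return Issuer.APPROVED if pan in OPEN_ACCOUNTS else Issuer.DECLINED

def issuer_down(pan):
    return Issuer.UNAVAILABLE

if __name__ == "__main__":
    for name, lookup in (("issuer up", issuer_up), ("issuer down", issuer_down)):
        for fail_open in (True, False):
            print(name, "fail_open=%s" % fail_open,
                  authorize(UNKNOWN_PAN, lookup, fail_open))
```

Transactions that come back as `accept:unverified` are the ones worth logging and re-checking once the issuer is reachable again.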

The International Angle

  • I've received victim reports from 22 countries: Canada, France, Eire (Ireland), England, Scotland, Australia, New Zealand, Norway, Germany, Mexico, Brazil, Portugal, Belgium, Japan, Sweden, Finland, Switzerland, Austria, South Korea, El Salvador, South Korea, and across the USA.

  • The situation in Japan was particularly severe. There are Japanese sites similar to this one. Visa International's fraud office received hundreds of notices from Japan's largest bank. Japanese victims may have been particularly embarrassed by the connection to pornography sites; many more may be remaining silent.

  • TT reports some German banks (eg HYPO) have very rigorous security for CC transactions. I've heard from relatively few German victims.

Where the Money Goes

Consider what happens when the fraud is undetected or detected.

If the fraud is undetected, money goes to the holder of the Merchant Account. If a Merchant Account were "factoring" (consolidating transactions, forbidden by Visa/MC) the transactions of a (possibly collaborating) pornography vendor, then the two would share the money. Money also goes to the Processor and the banks.

If the fraud is detected, then the banks may repay the credit card owner (the "victim"). However, note that the amounts are less than the <$50 amount banks are obligated to repay. Many banks, particularly in Europe, seem reluctant to pay up. The victim has lost time. The transaction processing center appears to still have made money; they do not appear to suffer for processing a fraudulent transaction. The Merchant Account holder is supposed to pay a fine and refund the money. As losses mount, the Merchant Account is closed, to reopen with a new name.

Banks, Processors and Credit Card/Check Card Companies

The thieves are guilty, but they're playing on a weak system. The Visa/MC transaction system was designed for traditional transactions of physical goods with a physical vendor and a physical card. Mail order stretched that system, but e-commerce blows it wide open. (See also: e-commerce implications).

In the reports and comments I receive, the Processors point fingers at the Banks, the Banks point at Visa/MC international and their transaction handling regulations, and Visa claims there's no problem [8]. Jeff Leeds' articles suggest misbehavior or incompetence on the part of the banks holding J K Publications merchant accounts (see Credit Card Companies, Banks and Merchants). The FTC's investigation also exposed the role of a shady bank -- Charter Pacific.

I suspect everyone's a bit guilty, and that real problems arise when the weaknesses of each of the players reinforce one another.

The Processors don't have the technology to do any significant verification. The banks vary widely in their expertise. Some are very savvy; others have little IT ability and minimal fraud protection. Some banks are being very supportive of victims; others are basically accusing them of trying to cheat on their alleged pornographic purchases. The banks are slow to bring cases to the attention of the authorities, possibly because they're very worried about exposing their vulnerability.

The distributed nature of the Visa/MC system, with each bank managing its own "business", is a weakness. Visa International does not have access to or control over Merchant Account information. Only the banks have that information. One wonders what a crooked bank could do with Merchant Accounts. (I wrote that last sentence before the CP Bank scandal broke.) It is this clumsy system that has allowed the Netfill operations (N-Bill, Webtel, etc) to operate Merchant Accounts for so long, with so many "charge backs".

In the paraphrased words of one expert and industry insider, who must remain anonymous:

Your description of the process from the card end is mostly accurate with only some details not quite right. In my opinion your user tips are spot on to 'the real world', however a financial organisation involved would most certainly not agree. The fact is that the real future of making money illegally is no longer bank robbery. The criminal organisations of this world naturally know this too... I don't want to sound ominous but at this stage I rather don't want to say any more than this.

© 1999 - 2008, MultiMedia SRL