Although there's an e-commerce connection to this fraud, we don't believe
that card numbers were intercepted as they travelled over the Internet. That's
hard to do. It is very possible that the perpetrators did steal a large number
of credit card numbers, either by acting as a Merchant Account for other vendors
or by breaking into an e-commerce site. We also strongly suspect that they used
credit card generation technology.
The true e-commerce connection is more subtle. It has three parts: anonymity,
selling information, and networked transactions.
The current e-commerce environment allows credit card numbers to be used
without identifiers. This has privacy advantages, but it also enabled this
fraud. It would be a lot harder to generate credit card numbers if identifiers
were required.
The alleged criminals (KT et al) used a "legitimate business", transactions
in adult images (pornography), as a cover. This business deals in "pure"
information (an intangible good with an extremely low cost for each additional
customer). Vendors and purchasers of information goods do not need physical
addresses. In addition, the vendor assumes very little risk with the
transaction. If the buyer doesn't pay, the vendor's loss is almost unmeasurably
small. Compare this to selling computers online.
Since the vendor assumes little risk in this form of e-commerce, they have a
great incentive to minimize transaction costs and inconvenience. They will
accept large "losses" in return for not inconveniencing paying customers.
Similar incentives apply to Banks, Visa/MC, and to Processors.
This shift in risk assumption provides fertile ground for this type of fraud.
The absence of a physical address and assets makes it much harder to locate and
penalize the perpetrators. They can easily move their funds into sheltered
overseas accounts.
Networked e-commerce allows criminals to test credit card numbers across the
Merchant Account system in high volume. This makes credit card number generation
technology far more powerful. They can also attack a very large number of
victims in a widely distributed manner with small transactions, thereby delaying
detection and reducing the incentive for prosecution.
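The pattern described above (many distinct cards, small amounts, activity spread across the Merchant Account system) shows up when merchant activity is pooled but not when each acquiring bank looks only at its own slice. The following is an added illustration, not code from the original page or from any card network; the record layout, thresholds, and names such as `bank-A` and `own-1` are constructed assumptions.

```python
from collections import defaultdict

SMALL = 25.00      # assumed ceiling for a "small" transaction, in USD
MIN_CARDS = 40     # assumed: distinct cards needed before a group is judged
MIN_SMALL = 0.80   # assumed: share of small charges that looks like testing
MAX_BAD = 0.20     # assumed: tolerated share of declines plus chargebacks

def make_sample():
    """Constructed records: (acquiring_bank, merchant_owner, card_token, usd, outcome)."""
    txs = []
    for i in range(60):  # one owner spreads $19.95 charges over two banks
        bank = "bank-A" if i % 2 == 0 else "bank-B"
        outcome = ("chargeback", "declined", "paid")[i % 3]
        txs.append((bank, "own-1", f"card-{i}", 19.95, outcome))
    for i in range(60):  # ordinary merchant: repeat customers, varied amounts
        outcome = "paid" if i % 30 else "chargeback"
        txs.append(("bank-A", "own-2", f"cust-{i % 20}", 40.0 + i, outcome))
    return txs

def profile(txs, key):
    """Group transactions by key(tx) and compute per-group statistics."""
    groups = defaultdict(list)
    for tx in txs:
        groups[key(tx)].append(tx)
    stats = {}
    for k, rows in groups.items():
        n = len(rows)
        stats[k] = {
            "cards": len({r[2] for r in rows}),
            "small": sum(r[3] <= SMALL for r in rows) / n,
            "bad": sum(r[4] != "paid" for r in rows) / n,
        }
    return stats

def flagged(txs, key):
    """Return the groups whose profile matches the card-testing pattern."""
    return sorted(k for k, s in profile(txs, key).items()
                  if s["cards"] >= MIN_CARDS
                  and s["small"] >= MIN_SMALL
                  and s["bad"] > MAX_BAD)

def per_bank(tx):      # what each acquiring bank sees on its own
    return (tx[0], tx[1])

def centralized(tx):   # one view per merchant owner across all banks
    return tx[1]

if __name__ == "__main__":
    sample = make_sample()
    print("per-bank view flags:   ", flagged(sample, per_bank))
    print("centralized view flags:", flagged(sample, centralized))
```

In the constructed data each bank sees only 30 distinct cards for `own-1`, below the threshold, while the pooled view sees all 60 and flags the owner.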
The current Visa/MasterCard transaction system is flawed. Designed for a
world of 'card present' transactions, it is unsuited to e-commerce. The need for
reform is urgent, but Banks and Visa/MC may be slow to act. Consumers will have
to push for change. Micro-commerce solutions are unlikely to emerge in the
United States, given the political and economic clout of Visa/MC, but there is
hope that they will emerge elsewhere. Japan may lead the way in
e-commerce, just as Europe leads in net privacy.
These are pretty much generic recommendations for any fraud of this sort.
Victims of the J K Publications fraud should go to Litigation and
Regulatory (below). I've kept the full set of entries here for reference in
other frauds.
Consider switching to American Express, such as the American Express
Blue Card. Amazon.com, for example,
accepts AmEx. American Express centralizes its transaction verification and
Merchant Account tracking, which makes it far more fraud resistant. Also,
since Visa/MC rule the market, AmEx is going to be a less worthwhile target.
(I've no reports of Discover Card charges, but I don't know anything about
their security procedures.) In one case report of an American Express fraud,
the victim was reimbursed by AmEx immediately and without question. American
Express also seems to have much more customer-friendly procedures for
handling questionable transactions than Visa International. As of 2002
they've added the AMEX PrivatePayments service providing disposable
credit card numbers (one-time use).
See Litigation and Regulatory for the firm handling refund requests.
They seem to have been
appointed by the Federal agencies investigating the fraud.
You may have to cancel your credit card and change banks. The
FTC's Action against Taves et al should reduce the risk of new charges
appearing against your original credit card. However, if new charges do
appear, most banks are unable to block the transactions. In addition, if
your new card is from the same bank as your original card, many banks will
automatically carry the transactions over to your new card. Lastly, there is
a risk that your credit card number has been widely circulated amongst other
practitioners of credit card fraud. If you have a bank with very good
service, and if they are able to block charges from known fraudulent
Merchant accounts, it may not be necessary to cancel your card. I cancelled
mine.
Phone the FTC Hotline that has been set up to deal with this fraud:
202-326-3144 for updated information (messages only). Fill out the online
form at http://www.ftc.gov/ftc/complaint.htm so you are eligible for
reimbursement.
This is fraud. Some, less worthy, banks (such as US Bank)
may refuse to reimburse for charges that occurred more than 60 days prior to
submitting a claim. If this occurs, state that the charges were fraudulent
and should be handled by the fraud office. Let me know how your bank
treats you, so I can update the Bank Hall of Fame and Shame record.
You can also report particularly unhelpful banks
(thanks, NL):
Every [US] bank should have an examining authority.
For nationally chartered banks that would be the National Bank
Examiners. For state chartered FDIC insured, the examiners would be from
both the state and the FDIC. I don't know much about current operations,
but bank credit card operations are subject to examination and I suspect
the examiners have never thought about this issue. To mail a complaint,
ask your bank for a copy of their Community Reinvestment Act notice. It
should include the name and address of the relevant agency. Also,
try calling the state banking commission; they can be surprisingly
helpful sometimes.
Use as few credit cards as possible. Eliminate any debit or
other cards that you don't really use. Minimize transactions so you can
detect irregularities. Notify bank immediately so you don't miss any 60 day
rule. (Note, however, that using checks is not an answer!)
Request your credit reports from credit bureaus for all open
and closed cards. This should be free. State that you've been a victim of
fraud. Tell them you want a security alert added to your credit record.
Typically (Experian) they'll put on a 90 day alert. To get a 7 year alert,
they'll want a copy of a phone bill to connect a phone number to an address
and resident. You may need to send a copy of a driver's license as well if
the phone bill doesn't have your name on it. For seven years you will be
phoned if anyone requests a credit card for your identity and/or a note will
be added to credit reports stating that phone confirmation is required. This
service should be free. If you change your phone numbers or address you have
to contact the credit bureau and notify them.
When you get the report, look for new addresses and signs of
new cards being issued. These are the credit bureau numbers you want as of
8/10/1999; usually you must call during "business hours".
Equifax: 800-525-6285, PO Box 105069 Atlanta, GA 30348. Voicemail
only for report requests.
Experian: 888-397-3742. You have to wade through voice mail. In
general, you want the last option for each menu. As of 8/10 the
security alert addition to your file is requested by voice mail only.
Trans Union: 800-301-7195 (or? 800-680-7289). They'll put a
temporary alert in place for 3 months; a 7 year alert requires a
confirmatory letter.
Link to this page and distribute it to anyone who you think
might make a difference: banks, credit card companies, journalists, anyone.
Complain to Visa/MasterCard international about the flimsy
transaction validation practised by your bank. Visa: 800-847-2911.
Send a complaint to the Consumer Affairs Division for the
state where the fraud occurred. In this case, that is Nevada.
consumer@govmail.state.nv.us
Send the division a signed statement describing your complaint. Be sure to
include a copy of the billing, your name & address as well as the business
name & address. Send all of the above information to Consumer Affairs
Division; 1850 E. Sahara Ave, #101, Las Vegas, NV 89104.
Bill Tkach, Compliance/Audit Investigator III
Visa and MasterCard must require, and their
franchisees (the Banks) and Processors must support, the use of proper
validation systems by merchant accounts. Possibilities include PIN numbers,
the SET (secure electronic transaction) standard, the commonly used AVS and
the minimalist expiration date. As of late 2002 disposable (one-time-use)
credit card numbers are emerging as a strong solution.
To be fair, we must note all of these have problems.
Expiration Date is very simple, but since it changes as
often as once a year, it's a real pain for Merchant Account holders who
do recurrent charges (such as Internet Service Providers).
AVS, which uses some card holder address information, is
a validation system that does appear to work, but it's possible for a
merchant bank to "cheat" it. (Of course such cheating is presumably
illegal.)[5]
In Jan 1999, Macintouch reported extensive problems with
credit card validation at the Apple Store, caused by problems with their
new "SAP-based" system.
In the words of one expert: SET, a secure
credit-card transaction system ... was intended to fill the gap you've
identified. It's this hideous over-engineered monstrosity that has
remained largely unimplemented due to its bulk.
One-time-use (disposable) credit card numbers have the
advantage that it might be possible to make them work with the current
infrastructure. The numbers don't have to be one-time-use, they could
instead have limited lifespans. The main problem is these systems
require significant end-user changes. Credit card holders get a
persistent identifier that is not a credit card number, but
that can be used with another identifier to generate a credit card
number. One can imagine many variants on this idea, but the limited
lifespan of the credit card number is key. These techniques overlap with
the much-missed eCash efforts. See AMEX PrivatePayments.
Higher standards for allowing companies or vendors to use a
credit card. Far more rapid elimination of merchants processing fraudulent
charges; currently Visa may take 3-5 months before shutting down a bad
merchant account. Prevent 'name switching' by dropped merchants. See
Spammers and Merchant Accounts.
Better statements! Statements should have vendor address
information. They should show the name associated with the vendor providing
goods or services, not just the billing organization.
Merchants can use better validation software with online
fraud prevention, such as ClearCommerce's products. Visa/MC can require
this of their net based Merchant Accounts. Merchants should also review
Rahm's excellent article on AVS and other protective mechanisms.
More rapid, centralized, blocking functions. Visa and
MasterCard are a single monopolistic company. They should be able to provide
consistent blocking procedures. It is unacceptable that Webtel/N-bill was
able to carry out its fraud for several months.
Visa and MasterCard need to reexamine the policies for fraud
management that their franchisees (Banks) are supposed to use. They appear
to be very unfriendly to customers. Until better fraud prevention systems
are in place, the onus is on the Banks and Visa/MC to presume the customer
is innocent.
The banks who held the J K Publications merchant accounts,
Charter Pacific and Heartland Bank, seem to have been extremely slow to
terminate them, despite stated Visa/MC standards. We know some of the
Charter Pacific Bank story. A Heartland Bank representative claims that
they investigated the
chargebacks and notified the FTC. Unlike Charter Pacific, there are
no FDIC actions recorded against Heartland Bank. Heartland Bank may not
have had any participation in the fraud; they may be victims of J K
Publications themselves.
The FTC is very interested in this type of crime. They will review
reports from foreign victims when the operation is US based. Complete the online
form at
http://www.ftc.gov/ftc/complaint.htm so you are eligible for reimbursement.
They usually act when they receive many complaints.
The US Secret Service has jurisdiction over credit card and access device
crimes if the credit card is underwritten by a US bank. However, they consider
the Bank to be the injured party, and not the card holder (who is theoretically
reimbursed by the bank). They are also not set up to deal with many small
losses. In the words of one authoritative source:
Due to the size of most losses, the federal agencies (FBI and
Secret Service) tasked with investigating credit card fraud are unable to do
anything. Regardless of the crime, they generally don't have the manpower to
go after anything less than $100,000. Local law enforcement agencies
generally don't understand the problem and therefore are reluctant to get
involved. Additionally, since the merchant generally is the loser, not the
cardholder (the merchant takes the loss 99+ percent of the time) there is
frequently a jurisdictional issue.
Over the past three years many alternatives to credit cards for e-commerce
transactions have been proposed or tested. None have succeeded. This experience
underscores the need for a modern alternative to the antiquated and insecure
credit card transaction system. Anyone proposing an alternative to credit cards,
such as a micro-commerce network, should use this experience in marketing and
planning. In the meantime, Banks and Visa/MC have many ways to improve
transaction security and fraud management.
I think this is a fascinating story, though it's usually misrepresented (in
my opinion) as an "Internet" scandal.[11] I
really believe this is primarily a finance and banking scandal, and a dramatic
example of the fragility and unreliability of our current credit card
transaction system.
Here are some "talking points" for use by journalists, or in writing a letter
to a newspaper:
The fraud consists of creating fraudulent recurring
e-commerce transactions on Visa credit and debit cards around the world.
There have been a large number of reports from the US, Japan and Europe. We
believe the number of persons affected is in the tens to hundreds of
thousands.
Charges typically appear with the company names N-Bill,
Webtel and MJD Services. These companies also handle accounts for
pornographic web sites; this has resulted in embarrassment and employment
problems for some victims.
This fraud is affecting persons who've never used their
credit card numbers on the Internet. We suspect it involves both the
theft of credit card numbers and the use of software that generates "well
formed" credit card numbers.
Banks that handle MasterCard and Visa accounts often have
almost no transaction validation for small transactions. Many times a credit
card number alone, even a number for a closed account, is sufficient to
create a recurring transaction of $19.95 or so.
Banks want to get a piece of the emerging e-commerce
marketplace, but the existing Visa/MasterCard system, as implemented by many
banks, is not suitable for e-commerce. They prefer not to have this weakness
widely known. Most customers have had Visa cards; there has been one report
of an American Express charge.
Many banks have treated their customers very poorly, and
have been very slow to reimburse for the fraudulent charges. They have also
been unable to block new transactions occurring. See Bank Hall of
Fame and Shame.
Banks put the burden of reviewing transactions on customers,
but they don't provide enough information in typical credit card statements
to make transaction review feasible.
Information on the fraud has been gathered through the
creation of web sites in Japan and the US, which in turn have received
hundreds of reports from victims around the world. The simultaneous work of
hundreds or thousands of victims, using the Internet for research, has
allowed a remarkably detailed picture to emerge.