[infoshare] An Odyssey of Fraud
- From: "Luis Guerra" <jerseypalisades@xxxxxxxxxxx>
- To: "NYI-L" <nyi-l@xxxxxxxxxxxxx>, "current events" <peeps-current-events@xxxxxxxxxxxxxxx>, "InfoShare" <InfoShare@xxxxxxxxxxxxx>
- Date: Thu, 18 Jun 2009 12:12:47 -0400
The following story is from:
http://blog.washingtonpost.com/securityfix/
An Odyssey of Fraud
Andy Kordopatis is the proprietor of Odyssey Bar
, a modest watering hole in Pocatello, Idaho, a few blocks away from
Idaho State University
. Most of his customers pay for their drinks with cash, but about three
times a day
he receives a phone call from someone he's never served -- in most cases
someone
who's never even been to Idaho -- asking why their credit or debit card has
been
charged a small amount by his establishment.
Kordopatis says he can usually tell what's coming next when the caller
immediately
asks to speak with the manager or owner.
"That's when I start telling them that I know why they're calling, and about
the
Russian hackers who are using my business," Kordopatis said.
odysseybar.jpg
The Odyssey Bar is but one of dozens of small establishments throughout the
United
States seemingly picked at random by organized cyber criminals to serve as
unwitting
pawns in a high-stakes game of chess against the U.S. financial system. This
daily
pattern of phone calls and complaints has been going on for more than a year
now.
Kordopatis said he has talked to the company that processes his bar's credit
card
payments about fixing the problem, but says they can't do anything because
he hasn't
actually lost any money from the scam.
The Odyssey Bar's merchant account is being abused by
online services
that cyber thieves built to help other crooks check the balances and limits
on stolen
credit and debit card account numbers. In April, I wrote about a pet store
in Buffalo,
N.Y., whose merchant account
was being similarly abused by another card-checking service
. In that story, I cited research on this trend by
Lawrence Baldwin
, a security consultant in Alpharetta, Ga., who has been working with
several financial
institutions to help infiltrate illegal card-checking services:
The services are advertised on Internet forums that facilitate identity
theft, and
cater to criminals who wish to buy large numbers of stolen credit and debit
cards.
Using such services, the would-be buyers can quickly verify whether a random
sampling
of the cards is still active, and -- for an additional fee -- the available
balance
on each card. In most cases, the only barrier to new customers signing up at
these
services is the ability to speak and read Russian, and the ability to pay
with one
of several virtual currencies, such as Webmoney.
Baldwin estimates that at least 25,000 credit and debit cards are checked
each day
at three separate illegal card-checking Web sites he is monitoring. That
translates
to about 800,000 cards per month or nearly 10 million cards each year.
Baldwin said the checker sites take advantage of authentication weaknesses
in the
card processing system that allow merchants to conduct so-called
"pre-authorization
requests," which merchants use to place a temporary charge on the account to
make
sure that the cardholder has sufficient funds to pay for the promised goods
or services.
Pre-authorization requests are quite common. When a waiter at a restaurant
swipes
a customer's card and brings the receipt to the table so the customer can
add a tip,
for example, that initial charge is essentially a pre-authorization.
With these card-checking services, however, in most cases the charge
initiated by
the pre-authorization check is never consummated. As a result, unless a
consumer
is monitoring their accounts online in real-time, they may never notice a
pre-authorization
initiated by a card-checking site against their card number, because that
query won't
show up as a charge on the customer's monthly statement.
In fact, in most cases when banks are alerted to the card-checking activity,
it is
because a credit card customer is regularly checking their online statement
or has
signed up with their bank to receive e-mail alerts each time a charge is
initiated
against their account.
The crooks have designed their card-checking sites so that each check is
submitted
into the card processing network using a legitimate, hijacked merchant
account number
combined with a completely unrelated merchant name, Baldwin discovered.
On June 11, Kordopatis heard from Keri Tetlow
, a mother of three from the suburbs of Houston. Tetlow, who watches her
family's
debit account balance like a hawk from their home computer, said she called
Odyssey
Bar because she noticed a $2.77 charge from the establishment. Tetlow said
that after
checking with her husband to make sure he hadn't made the charge, she
decided to
wait and see if the pending charge would clear. It never did.
But a few days later, Tetlow spotted $300 missing from her checking account,
which
she noticed was due to two unauthorized charges at a Office Depot on
Broadway in
New York City. So she called her bank. After confirming neither she nor her
husband
had lost their debit card, she told the bank to cancel the card.
broadfraud.JPG
While Tetlow was still on the phone with her bank, another charge appeared,
for $177,
this time at an Adidas outlet just a few stores down the street from the
Office Depot.
She called both stores, and learned from the managers that -- although each
had video
footage of the perpetrators -- they could only release that footage to the
police.
While she was on the phone with the Adidas store, someone else from her bank
called
to ask whether she really just tried to charge $650 to a Stereo Exchange in
Manhattan.
"I told the lady from her bank about the videos and she said, 'There isn't
anything
we can do with that. That's a matter for the police. Really, we're just
going to
get you your money back,' And then she says, 'In the meantime, I think it
would be
a really good idea for you to get this ID theft protection service that we
offer
for $11.99 a month,'" Tetlow said. "I said, 'Are you kidding me? You haven't
even
given my money back yet, and I was the one who called you up about this!'"
Baldwin said the thieves running the card-checking sites are counting on the
fact
that companies that operate different parts of the financial processing
system --
including issuing and acquiring banks, and the merchant -- traditionally do
not share
fraud data with each other, or even signs of unusual activity. Some, like
Tetlow's
bank, even use the opportunity to sell more services.
"The problem is that the detail of each individual entity's perspective at a
transaction
level is restricted or filtered," Baldwin said. "But if everyone involved
shared
this pre-authorization transaction information, these guys would not be able
to do
these card checks, because the patterns are ridiculously obvious when you
can see
all of the components at once."
By Brian Krebs | June 17, 2009; 7:00 AM ET |
Other related posts:
