Category Archives: Articles

Resolving Credit Card Fraud

In December 1999, the Wall Street Journal ran an article about generals, admirals, and other military personnel who experienced identity theft and Internet fraud. An invisible party was able to secure enough information to obtain credit cards in the names of unsuspecting individuals. In turn, this Internet thief ordered thousands of dollars in merchandise with fraudulent, new cards. To make matters worse, this party used the Internet to inform other online thieves how they could steal using this technique.

Do you believe this is an isolated incident? Hundreds of times per day, the new online shoplifter is using his new abilities to obtain other’s credit information and steal from the many new companies conducting
e-commerce. A survey by the National Consumers League reveals Internet fraud has increased over 600% in the past year alone. The Internet and the Titanic are in the same class. The thieves and the iceberg have something in common — only a small percentage will of each are seen. The collision is inevitable. The world knows about the Titanic tragedy. Unfortunately, Internet companies have only began to shout, “Iceberg.” Will the knowledge needed to stop this collision come in time, or will companies continue to be blinded by the drive to make one more sale?

It is unlikely that an average world citizen will ever dealing with Internet fraud. When a thief decides to use someone else’s credit information to steal from e-commerce companies, the victim’s and the e-commerce company’s worlds change forever. Who is the victimized party here? The company who lost? Or the victim who had her credit information compromised? Both parties are the victims of the crime. The one who feels the greatest loss is the victim whose credit information was compromised. The victim will do her best to explain to the company that she did not place an order. The victim may be angry that more precautions were not taken before the order was fulfilled. The company may be angry that the victim did not take greater precautions with her credit information. The anger of both is justified. Since both parties have to blame someone, they blame each other. Consumers need to take steps quickly reduce their liability.

First, as a consumer you should make sure family members or friends did not use your credit information. If someone other than a family member has compromised your credit information, contact your bank or credit card company. The steps for handling and solving this problem are outlined on your statement and original credit card agreement. Follow the instructions carefully in order to avoid future problems. The merchant contacts are listed on your credit card statement. Never assume that your financial institution or credit card company will do this for you. File requested forms for disputes as instructed by the merchant, your financial institution or the credit card company.

You should also file a police report. It is not a waste of time. Many law enforcement agencies will investigate this new form of crime. If the merchant has the proper software and personnel, they will provide law enforcement agencies that contact them with the equivalent of an Internet fingerprint. The information captured should provide law enforcement enough information and documentation to obtain a subpoena to serve upon the domain administrator. The phone number and address from where the order was placed and the credit information given can be obtained.

You may not realize someone has obtained credit in your name. Thieves will do anything to steal or obtain your credit information including searching your garbage. Skimming is becoming popular. Skimming is the process of capturing of your credit card information in a small electronic device that stores the information from your magnetic strip. The information can be downloaded to a computer and used to steal merchandise worldwide. It can also be sold and someone can steal from merchants worldwide. Additionally, thieves can set up a computer to automatically run algorithms programs to order merchandise from e-commerce merchants. When an order is accepted, the program will automatically start the order process with another merchant.

This nightmare is what the e-commerce craze has imposed upon law-abiding citizens. Until safeguards are put in place and attention to this crisis increases, victims will be violated and the unsuspecting merchants will have goods stolen.

Financial institutions and credit companies need to develop communication channels to notify customers of purchases within a few minutes after a purchase. Individuals need to quickly verify mistakes on the credit statement. E-commerce merchants need to use the most advanced equipment and software to screen information with equipment and trained personnel. Consumers, companies, and agencies need to cooperate to slow the thieves down.

If you suspect that your credit card or other forms of credit have been compromised, the following steps should be taken as soon as possible: (1) call your financial institution or credit card company and review all previous suspected charges; (2) cancel the affected account; (3) follow the financial institution’s instructions, but remember merchants may have additional rules; (4) call the merchant(s) and ask them the procedures(s) needed to resolve fraudulent purchases; and (5) file a police report and ask the police if they investigate Internet fraud.

Merchants need to take a few simple suggestions: (1) listen when a consumer calls about Internet fraud; (2) explain how your company handles fraudulent purchases; (3) send necessary forms or paperwork to the consumer; and (4) fully-cooperate with the law enforcement agencies.

The problem of Internet fraud is in its infancy and the growth rate is alarming.Companies need to make the investment to slow Internet shoplifters. Since most consumers are innocent victims, companies need to take the burden of obtaining the proper software, security, and qualified personnel to maintain a safe and secure e-commerce order process.

Consumers should remember the merchant has not only lost the product, but also the money involved in purchasing the lost product.Merchants need to remember the consumer is the victim of a crime and the security we all need to have has just been taken away.

Al Cameron

Purchasing over the Internet- Is it Safe?

Everyday we hear newscasts and read stories about hackers stealing credit information from Internet companies. Hackers have the ability and knowledge to steal millions of pieces credit information by exploiting weaknesses in software programs used by unprepared e-commerce companies. E-commerce companies about the newest software or shopping cart being used to make us feel comfortable about venturing onto the Internet to shop make claims daily. Internet companies have convinced us to come shop at their site and purchase products using our most valued information — our credit information. Yet, only a very small number of these companies have taken adequate steps to ensure the safety of that information. This has made it difficult for all firms selling online.

I understand completely the ease and danger of purchasing products and services over the Internet. I also understand that e-commerce merchants face more fraud problems than their brick-and-mortar counterparts. Thieves from around the world will try to order products and services by using someone else’s credit information. This affects not only the merchants, but also the consumers. Merchants face mounting losses in their attempts to do business over the Internet. Consumers are protected under various federal and state laws when their credit card information is used to make a fraudulent purchase. As a result, one of the biggest irritations for consumers is dealing with the unexpected charge rather than financial loss.

Think of the advantages of shopping online. People all over the world spend a large part of their life shopping. Think of the Internet as the world’s largest open-air market. Items from all over the world can be purchased at the click of a mouse. What once was available to a privileged few now can be purchased by the world’s masses. Online buyers can shop in Hong Kong, London, Paris, New York, Bangkok, and any other city in the world where goods are for sale. Instead of people wishing they could purchase a special gift for someone or for themselves, the dream is now possible. A few minutes of your time plus some basic personal and credit information and the item is yours. Even the basics of life, can now be purchased over the Internet. Click and you shall receive.

There are millions of people and businesses using the Internet to purchase goods and services each day. Thousands more are beginning to explore this new found freedom to do comparative shopping and purchase from merchants worldwide. Ask these people what they think about when they enter their credit and personal information into web page forms make a purchase, and the majority will say they worry about having their credit information compromised by some unknown party or company. Airlines for many years have convinced us to fly with them to get to someplace because, all things considered, it is more dangerous to walk down a street than to fly. Likewise e-commerce companies are trying to convince the e-commerce shopper that their site is secure from all preying eyes. I take more precautions when I give my credit information to make hotel reservations, car reservations, or purchase items over the phone, than when I order over the Internet.

Most e-commerce companies are safe and are beginning to take extraordinary measures to make sure that the thieves of the world will not get your credit information. This extra effort being made by companies comes on the heels of the daily articles that are being written and read about hackers stealing credit information from a few e-commerce sites. Some e-commerce companies, such as Digital River, a global e-commerce provider, were concerned about security from the day they started assisting companies sell products over the Internet. Just like most brick-and-mortar companies, some e-commerce companies found they needed tighter security since they would be selling in high-risk geographic areas.

The consumer also shares in the responsibility to take a few precautions when ordering over Internet. If you are new to online buying, the first thing you should do is make sure that you are only ordering from secure sites. An easy way to tell if you are in a secure site is to look for a padlock or a key someplace on the screen. If the padlock is open or the key is broken it is not a secure site. If you are unsure if a site may actually be secure, send the company an e-mail requesting information on how to secure your transaction. If you do not receive a reply from the company, you should find a merchant that offers a secure shopping environment. Use a single credit card for all your Internet purchases. Make sure to keep track of your purchases. The purchase confirmation e-mails that you receive should be kept in a special folder that you can set up in your e-mail box. Use one piece of credit information for all your purchases. Make sure that you use only the billing address that is on the credit card statement. Using consistent information when making a purchase will assist the merchant in verifying and fulfilling your orders. This will also allow you to make sure that it was a legitimate order if there is a need to check on the order status.

Treat Internet purchasing like you would any new shopping experience. I do not believe that you would travel to a foreign land and shop at an open-air market without making sure your cash or credit cards were secured. Like most people, I like to browse through shopping malls and open air markets. Today I use the Internet. No pesky sales people, no lines to wait in, and you can still bargain to get a lower price. I can find what I want, when I want it, and my eyes are the only thing that gets tired. With just a few simple precautions, buying over the Internet can be fun and exciting.

Al Cameron

My Houston Problem

I call this my “Houston Problem,” although the proper name should be my Houston/Germany problem. The Houston Problem centers around Internet credit card fraud that appeared to be taking place Houston, Texas; however, my investigation would take me to the other side of the world to find the thief.

In January 1999, the Houston Problem thief was testing their skills in Internet theft. The thief were using stolen credit card information to order products and test the system of what would eventually become theft of hundreds of e-commerce merchants worldwide. The thief could steal at the speed of the Internet, but the victimized merchants would not discover the thefts for months. Until an angry customer asking how a thief could purchase something with stolen credit information calls a merchant or the merchant’s financial institution notifies them a credit card charge back had been received, the merchants are unaware merchandise was stolen.

My Houston Problem began slowly. First, the fraud prevention software used by Digital River detected inconsistencies with some orders. The order size was small so I dismissed the inconsistencies to typing errors. Since Internet merchants have their own fraud detection systems, this thief had much to learn. The thief’s thoughts would turn to testing the fraud prevention systems — asking himself, “How much could I steal before the credit information I am using today gets cancelled?” By February 1999, this thief was submitting multiple orders and using several pieces of stolen credit and identity information. Little did this thief realize that the system used by Digital River was designed to guard against this technique. The more he tried to order, the closer he came to getting caught. By the end of February, efforts to stop this thief escalated.

Ten days passed and roadblocks were set in Digital River’s fraud prevention software to spot and
stop this party. However, two more orders got through. I went to Digital River’s development staff who developed the software to stop fraud. It took them a day to put in the final measures in place to stop the thief from stealing from Digital River’s vendors. My investigation intensified to find the guilty party. I knew our system captured more information than any fraud checking system used by other Internet merchant. I provided enough information to numerous worldwide law enforcement agencies to assist them in capturing shoplifters who were not as sophisticated as the perpetrator of the Houston Problem. Law enforcement agencies were amazed at the level of software sophistication used by Digital River.

The first step was to find the information our system had attached to the thief’s information. A cross-check of e-mail addresses, credit card numbers, IP addresses, and the zip codes used by the shoplifter provided a wealth of information. The thief attempted to use over 300 credit card numbers, changed names, addresses, and other information to have the system accept an order. Unfortunately, 15 orders did get through. This information was accumulated in under 10 hours. The search for the thief was my main priority.

During a few weeks looking for the thief, I received a few credit card statements from customers showing fraudulent orders. One credit card statement showed $14,000 worth of purchases in eight days. Another statement had almost an equal amount charged in even less time. Both statements included numerous e-commerce merchants. I tried contacting some of the merchants. When I asked for the fraud departments, not one of the companies I contacted had a fraud or loss prevention department. One of the merchants had almost $7,000 in losses on one statement and was not yet aware of the losses. I left my name and number at each company and have never had a return call. Compared to some of the e-commerce companies involved in this thief’s crime spree, I was relieved Digital River’s fraud software and manual-checking system was capable of stopping everything it did. Additionally, I contacted credit card companies for assistance. After giving them the series of numbers issued from their company, they informed me they would block the numbers, but they could not give me any information regarding the cardholders or companies.

Next, I located the server being used for the fraud attempts in Germany. After locating the information about the domain administrator, I sent an e-mail to request his assistance in locating and contacting the thief responsible for the stealing of our clients’ products. He responded and agreed to forward the party an e-mail I wrote. The e-mail I received back from the thief stated they knew nothing about this. The domain administrator offered assistance to provide further information but only to a law enforcement agency. I began searching for a law enforcement agency in Germany that would get involved. My search led me to a detective from the Aachen, Germany Police Department who agreed to look into the matter. I sent him the same documentation sent to the domain administrator. I received a response stating the alleged thief was residing outside of Frankfurt, Germany, and he was sending the information to the Frankfurt Prosecutors’ Office to proceed.

To date, I have not received any information from the Frankfurt Prosecutors Office concerning the status of the case. No one has contacted me and I wonder what was done considering one amazing thing that did happen. A week after I had sent the documentation to the Detective in Aachen, Germany, I received an e-mail from the domain administrator. He asked about the status of my investigation. I replied I had sent the documentation concerning the fraudulent orders to a detective in Germany. I requested he keep this information highly confidential and thanked him for his assistance. Then came something I never expected. The next morning I received an e-mail from the thief apologizing for stealing and promising to destroy the software and never do it again if the authorities were kept out of it. Here is the apology I received and the response I e-mailed back to the thief:

From the thief:
Very much Geehrte ladies Una sirs
I explain hereby to you that all programs and copies is destroyed is.
And the programs these installed is, are relaxed, and I explain to you that no wider persons use these programs. The addresses, this one are telephone numbers and the names and the credit
card numbers destroyed. I explain and guarantee you that no further tries future in this gives.

Yours Sincerely,

User of Ginko Net

Below is my reply:

We appreciate you finally responding to and acknowledging your participation in the theft of our vendor’s software. It is not the policy of Digital River to ask any law enforcement agency to discontinue their investigation once an investigation has started. However, Digital River has made the law enforcement agencies and courts systems, that have previously investigated and prosecuted crimes against parties that have attempted to perpetrate these type of acts against Digital River and its vendors, aware that the parties involved have cooperated. You must be willing to cooperate in the previous requests for your cooperation and information as follows:

1) Destroy all programs and copies of programs involved in the downloads that took place.
2) Each party must file a letter of destruction on each piece of software downloaded and forward a list of any other party that they may have shared the software with.
3) Share with Digital River, Inc. all programs used in the commission of downloading the software obtained.
4) Share with Digital River, Inc. all programming or other relevant knowledge used in the commission of downloading the software obtained.
5) A written assurance that no future acts of this type will be perpetrated against Digital River, Inc. or any of the vendors involved with Digital River, Inc.
6) You must also identify yourself, all parties involved, complete address for yourself and the parties involved, the phones numbers for yourself and all parties involved, and proper and verifiable e-mail addresses for all parties involved in the next e-mail that you send to my office.

If this is acceptable to you and any other parties involved, please e-mail me. If all parties cooperate, we will do our best to request leniency on any charges that would arise in respect to the crimes against Digital River, Inc. or its vendors.

I am grateful to the parties who assisted my office with the investigation leading to this point. I am curious how far the authorities were able to proceed with the case. Considering the facts pertaining to the case, I estimate the losses for the merchants involved at approximately$500,000 to $900,000.

Al Cameron

Mobile Payments-Boom or Bust

It has been said that the new mobile payment method is like the old American West, growing at a breakneck pace with few boundaries. I compare this new payment method to another piece of history- the California or Alaskan Gold Rush. During that time people from all over the world were rushing to find their fortunes. Now companies from all over the world are rushing to increase their sales and profits by using this new payment method. Unfortunately I believe only a select few will find their fortunes and not suffer major data and financial losses.

Unfortunately, then like now, only a few companies will take the time to take the proper steps to reach their goal and protect their investment. History has taught us the lessons of the perils faced by those early dreamers. Only recently have the stories of the potential dangers of accepting mobile payment started to be told. Today almost all newspapers and magazines around the world are writing something about data losses, fraud, and identity theft but little about mobile payment problems.

Like the men of the old west were blinded by the color of gold, so are today’s companies blinded by the new potential payments markets and their potential profits. Companies are forging ahead without truly looking at the losses associated with current payment methods. Like the gold miners of yester-year, the rush for companies to get their presence in the newest payment method and start accepting the newest methods is blinding the parties to the dangers and costs involved. What happens when the companies say “we now accept”? Have they really thought it all through? Just like a hundred plus years ago, a mistake can be extremely costly.

Credit cards and now mobile payments have brought the start of a new way of life for the people of the planet Earth. They have made the world a smaller place to live in. It has brought out the best some people and companies have to offer and also helped countless millions obtain goods and services that 15 years ago would have been impossible for most to obtain. It has also brought out the worst in some. The thieves’ numbers, who steal from people and companies worldwide, have grown at an incredible rate and the new technology and knowledge needed to properly track these parties has not.

Ask any historian. Those who don’t learn history the first time around are doomed to repeat it. Why? Because knowing what happened in the past will help us understand why things are the way they are now. The thieves rely on companies to continue to use the same techniques and procedures that have been developed to help protect them. Protecting mobile payments using past methods of data and fraud protection may easily result in an ever increasing number of losses and problems for companies and consumers alike.

Al Cameron

Major Company’s-Mobile Phone Data Breach

Well it has finally happened to me. I have received a warning letter from my mobile phone provider stating that my account was one of a number of accounts involved in a data breach perpetrated against the company that provides my mobile phone services. This is my first letter ever, of this type warning me that my data might be in the hands of thieves.

I have written several articles addressing this subject and what companies and individuals should do to protect themselves. My letter states that I may be subject to “phishing” and “smishing” attacks and the reverse side of the letter explains what each of these are as well as other measures I should take. Examples; “Email and text message headers can be easily forged, so the posing sender may not be the real sender.” “Avoid providing or filling out forms via email because data is likely to be unsecured.” “I should realize that internet scammers can create realistic forgeries of websites.”

I wonder how many people actually turn the letter over and read the information. Data breaches have become so common that few people take the time to do more that a cursory glance at letters or information received unless unexpected charges show up.

Because I like to be thorough I did a Google search for a data breach at this company and no surprise, nothing showed up. I would be curious if this data breach involved a few hundred accounts or a few million. Because I have done business with this company for over 40 years, under one name or another, I do not think I will be switching services soon.

As I have previously wrote I do have a hard time with a company that reports a data breach and then expects the customer to shoulder that responsibility of watching out for potential attacks. A properly developed fraud monitoring system can be fine tuned to recognize patterns that are outside of the individuals previous behavior in the use of, in this case, online account management or mobile phone usage. This should be a requirement for any company that has a data breach in the first step of protecting potentially sensitive data from further compromise. Too many companies want individuals to spend their time and effort in protecting against potential threats even though the company themselves screwed up.

The line I enjoyed the most in the letter is “This letter is to advise you that we recently detected an organized and systematic attempt to obtain information on a number of customer accounts, including yours.” This was followed by “We do not believe that the perpetrators of this attack obtained access to your online account or any information contained in that account.”

Several years ago I was required to place some information on the online account in order to register something to do with my mobile phone service. This is why I find the companies statement about “recently detected” as an oxymoron, since I have not used or tried to sign onto that feature in years, any detection system the company may have had in place should have “immediately detected” that something was suspicious.

I am probably safer than most of the affected customers. Not because I have been helping companies understand and fight fraud since 1998 or that I have done a number of seminars on this subject. The main reason is, anytime I have upgraded to a new phone, 2 in over 10 years, I have immediately had the company shutdown the phones abilities to connect to the internet and receive or send text messages. I use my phone as a phone.

The same day and in a nearly identical envelop came a second letter from the mobile phone company. In this letter I was being offered a Free Android Smartphone which would make it easier for me to receive texts and faster web browsing. I know this company is large but I wonder if they should not have waited a few days to send out this promotion since they just informed me that they had been hacked and my data was probably compromised and I could be subject to unsafe texts and potentially harmful web browsing.

Al Cameron

Links Referencing My Work

• http://www.americanbanker.com/btn/14_9/-157578-1.html
• http://mobile.eweek.com/c/a/Mobile-and-Wireless/Digital-Delta/
• http://www.allbusiness.com/accounting/3486797-1.html
• http://www.verifraud.com/images/BCMFeb2004.pdf
• http://800notes.com/Phone.aspx/1-805-275-2235/7
• http://www.ahariri.com/images/OPIM%20220.pdf
• http://www.ahariri.com/images/OPIM%20215.pdf
• http://www.freepatentsonline.com/y2003/0009426.html
• http://www.forius.com/focus/Forius_Focus_2007_Sept_Oct.pdf
• http://www.allbusiness.com/accounting-reporting/fraud/753847-1.html
• http://groups.yahoo.com/group/ciberpac-net/message/99
• http://www.amcea.org/members/NewsandViews/0403/pocket.htm
• http://www.ectnews.com/perl/board/mboard.pl/ecttalkback/thread219/219.html
• http://photomarketing.com/newsletter/ni_WholeWindow.asp?dt=09/17/2003
• http://articles.baltimoresun.com/2000-04-02/news/0004010053_1_credit-card-fraud-card-accounts-charge-card/2
• http://www.paymentcentralinc.com/Fraud/FrdONLINEFRD.html
• http://www.ecommercetimes.com/story/2771.html
• http://www.ecommercetimes.com/story/8287.html
• http://www.ectnews.com/perl/board/mboard.pl/ecttalkback/thread1530/1530.html
• http://www.eweek.com/c/a/Web-Services-Web-20-and-SOA/Foreign-Flimflam/
• http://www.linuxsecurity.com/content/view/107280/1/
• http://www.uspatentideas.com/creditcard/credit-card-139.html
• http://ask.slashdot.org/story/00/05/27/2145231/A-Matter-Of-Trust

Internal Revenue Service Providing Information to help Identity Thieves Steal

There have been a large number of articles and reports about the amount of money the IRS has lost to bogus tax filings. Placing “IRS Identity Theft” in any search engine will result in hundreds of links to articles, news reports, and even to the IRS web site telling about the size and scope of this problem for the IRS.

This is why I am wondering why the IRS is actually providing all the information for the thieves to take over millions of people’s identity.

I believe in having my federal taxes completed as soon as I can each year. Unfortunately this year I owed the IRS a small amount. Since I am one that does not believe in waiting till the last minute to pay things, I sent a check for the amount owed. When I reviewed my banking transactions I saw the check that I sent to the IRS had been cashed. I am not sure why I decided to review a copy, maybe I have been fighting fraud to long, but to my surprise the stamp that the IRS uses for depositing the check contained my Social Security number.

The number was not encrypted, partially blocked, or hidden in any way. Financial institutions have had major breaches over the last few years and anyone with a simple program to recognize key words on electronically stored documents could easily obtain all of the information on the front and back of the checks allowing for identity thieves to steal using the unsuspecting parties’ information including the social security number.

One of the basic rules of protecting your information is never to given out personal information especially your social security number. You can imagine my surprise when I found out this one document contain this information.

I understand why it might be necessary to have an identification number that the IRS or individual party could reference in case of any future disputes occurring but I really believe that something other than a person’s social security number should be stamped on a document that could be intercepted by any number of persons at the various financial institutions or clearing stations that are used to process financial documents.

Alvin Cameron

Identity and Data Theft- Why is it Still Taking Place

This past weekend I read a number of articles pertaining to identity theft and other forms of fraudulent activities happening around the world. Then a gentleman I have known for a number of years stopped by to ask me for some advice. It seems someone had skimmed his American Express card and made a clone so they could begin the process of stealing. American Express called him to see if he had made some recent charges over 2000 miles from where he resides. None of the charges were his so once again someone will have to spend several hours reviewing various items as well as completing forms to make sure this single credit card was the only affected item for him and his family.
I explained to him as I have so many others what steps he should take to protect potential future problems. File a police report, contact all three major credit bureaus and place a notice at the credit bureaus, and also send a written dispute to American Express. It is nearly impossible for individuals to truly protect themselves from many of the annoyances that come with losing their credit card information. Skimming, Phishing, Pharming, Data breaches, and multiple other ways thieves steal information from unsuspecting parties and companies.
Companies and a number of organizations provide information on what steps individuals should utilize to protect their private information and yet companies require individuals to provide this same information without any assurance that the company will actually be able to protect it. The Federal Trade Commission estimates that as many as 9 million Americans have their identities stolen each year. Another article shows; No matter what your industry, fraud is a part of it. Did you know that merchants are paying $139 billion annually in fraud losses alone, according to the 2010 LexisNexis True Cost of Fraud Study? This alone should make people wary of any company’s ability or desire to truly protect them and question what companies are really doing to fight fraud or data breaches.
The loss of information by a number of different means is a world wide problem as outline in a recent article; LONDON (AP) — A hacker claims to have compromised the personal information of more than 350,000 users after breaking into a disused website operated by pornography provider Brazzers. A small sample of the hundreds of thousands of pieces of user data allegedly compromised were posted to the Internet earlier this week. Emails, usernames, and encrypted passwords were divulged, and in some cases it was possible to infer porn users’ full names and country of origin.
I review the reports of losses through multiple means on a daily basis. I also review various companies and organizations recommendations on how people should protect themselves from losses and below is just a fraction of what has been recommended for people to do;
• Do not carry a Social Security card.
• Do not give personal information over the phone.
• Do not give checking account or debit card information over the phone.
• Do not leave outgoing mail in a home mailbox.
• Do not respond to e-mail requesting account information.
Companies who accept credit cards for payment of goods or services use a point of sale device to validate the card and authorize the transaction amount. These companies rely on their payment processors and the banks who issue the cards as well as the credit card companies themselves, to validate the card and that the person using the card is making a valid transaction not a fraudulent one.
My question to companies is, with all of these layers of protection that is suppose to protect individuals why are reports like the following still being written; “The U.S. currently accounts for 47% of global credit and debit card fraud even though it generates only 27% of the total volume of purchases and cash, according to Global Card Fraud, from a recent issue of The Nilson Report, a respected trade newsletter on the payments industry. Payment card fraud losses totaled $3.56 billion last year in the U.S. from all general purpose and private label, signature and PIN payment cards. “The U.S. has a disproportionate percentage of the global total losses for two reasons . . . U.S. banks have been slow to adopt newer technologies such as EMV chip cards, and issuers are reluctant to decline card authorization from merchants because they don’t want to alienate their cardholder,” said David Robertson, publisher of The Nilson Report.”
How does a company protect their customers and their company information? Can this actually be achieved when the crooks are using some of the best stolen equipment available while the companies are using ‘older’ models because of budget constraints? Companies make do with what they have and crooks make do with the newest equipment they can steal
When will a multi-level multi-dimensional protection system be produced? Systems that utilize accurate purchasing patterns as well as, instant notification of purchases, for the individuals that wish it. An example of an extra layer of protect on credit card or mobile payment that could easily be initiated would be a zip code verification the merchant themselves could utilize with the point of sale device. The first three numbers of the zip code could be placed on the mag strip or other encrypted information captured by the point of sale device. If the three digits are outside of a 100 or even 200 mile radius of where the transactions are taking place the merchant could take one more step to protect the cardholder and them selves from any losses. This would eliminate much of the skimmed information from being transmitted to someone several states away and a card being cloned and use.
People believe that fraud will never happen to them but if it does, it can be expensive and very time consuming attempting to take the necessary actions to undo the long term damage it does. When enough people are affected or the reported losses are high enough governments discuss ways to fight the various problems. Sometimes laws are enacted requiring companies to protect the data of their customers. Many times years may go by before companies comply with these laws. It is sometimes easier to argue against the need for the protection than to invest in protecting the customers’ data.
Reading daily reports, I am reminded how little things have changed in over 10 years when it comes to fighting fraud in this new world of technology advances. Below are two excerpts comprised of the beginning and ending of an article I wrote for a publication in August, 2000.
“Imagine sitting on a full plane on the tarmac, delayed for an hour or more due to weather. How does this relate to a story on Internet Fraud? It reminds us that despite the fact that the world continues to get more sophisticated, we remain at the mercy of intangibles. Despite all their advances, the sophisticated systems of an airline and the high-tech capabilities of the Internet can be beaten by the unanticipated. In the case of the airlines, the unanticipated is the weather. In the case of the Internet, it is the new age thief.”
“As we taxied back to the gate after an hour on the tarmac, I could not help but think that no matter how sophisticated the world and machines have become, we are sometimes stopped by the unexpected and the unwanted. In the case of Internet, it is the new age thieves and other unscrupulous parties that cause problems for companies and individuals trying to adjust to a new way of doing business.”
Thieves, over the last 10 years, have expanded their methods to included attacking nearly every industry. Data theft, Healthcare fraud, Identity theft, and Bank fraud are some of the largest at this time. Year after year losses grow and year after year companies continue fighting all forms of fraud with reactive solutions instead of investing in proactive solutions. When companies become proactive in fraud fighting there will be little need for their customers to worry about someone obtaining their credit data or stealing their identity.

Alvin Cameron

Holiday Shopping 2000

Will online merchants face the same disasters they did last year? Will this be the year that allows online merchants to shine or receive another black eye? Last season merchants did not anticipate the difference between online sales and traditional brick-and-mortar sales. New and first time Internet shoppers were left with a bitter taste.

This year, companies need to fulfill orders they accept and make sure orders are delivered on schedule; consumers will need to shop early. Additionally, precautions should be taken to verify the company does have the merchandise in stock and can deliver on time. If you purchase an original German cuckoo clock, do not order it on two days before the holidays.

Even though the Internet is the easiest place to find hard-to-find items and an easy place to shop, online merchants must take precautions. If you are selling goods via the Internet, someone out there will may try to steal from you. Internet merchants are faced with 12 times more fraudulent activity than their brick-and-mortar counterparts. Consumers should remember simple rules when shopping online.

Consumers should only purchase from secure sites. Make sure review the online merchants’ purchase and return policies. When entering credit information, make sure the site states information is encrypted as it transmitted. Do not be offended or upset with merchants who follow up your order to confirm that you made the order. Be extremely careful never to give any personal information. Legitimate companies will not ask you more than general information to confirm your order. If in doubt, call the company’s customer service number to find out if a standard practice exists before answering any questions. Remember that companies may do this for your protection.

Consumers and online merchants are hopeful for the 2000 holiday season. Never before has there been such an efficient way to shop. Simultaneously, never before has there been an easier way to shoplift. Thieves will not only disrupt the merchant’s ability to fulfill all the holiday orders, but also there will be many unsuspecting credit card holders that have credit information stolen. The majority of thieves have been stealing credit card numbers from the brick-and-mortar stores through skimming and applying for credit in someone else’s name.

Over a year ago, I started writing about fraud and other credit problems the online world was developing.It took some time before anyone starting listening or taking seriously the problems developing.Today, many newspapers and magazines are writing about online fraud and the problems associated with doing business via the Internet.

The Internet is like the old west. Expanding at a breakneck pace with few boundaries. I parallel the Internet and companies new to the online world to another piece of history — the California gold rush.During that time, people from all over the world rushed to find their fortunes. Now companies from all over the world are rushing to drive revenues, and only a select few find their fortunes. Then, like now, only a few will ever obtain the elusive dream. Few will strike it rich, and few will get out with fortunes intact.The dreams of each era are endless. History has shows the perils faced by early dreamers. Only recently, have the real stories of the dangers of the Internet begun to be told.

Just as the men and women of the old west were blinded by the color of gold, so are companies blinded by the new online markets.Companies are forging ahead and purchasing the latest equipment and hiring personnel at high costs.Like the gold miners of yesteryear, the commercial rush to get products on the Internet and begin selling product is blinding the parties to the dangers and costs involved.What happens when the company is open for business?Have they really thought it through?Fulfillment, customer service, returns, and battling the Internet shoplifter.

Many articles estimate e-commerce sales to be somewhere between $2.5 trillion and $5.2 trillion by 2004. Within the next three years, experts are predicting most companies conducting e-business will not survive. This is like someone telling you, “I have good news and bad news.” If you survive to 2004, you could be one of the few companies that become a success story. Success and money.Every company is hoping for success and money when they being selling goods or services over the Internet. The color of the golden sales is blinding and the ease of selling over the Internet has taken many businesses by surprise. However, the danger of failure is great. One article stated doing business over the Internet would require minimal human intervention. However, it did not take long before companies to discover the opposite was true. Companies needed more personnel for customer service, sales problems, handling packaging and the fulfillment and return of merchandise.

The Internet has created more jobs in traditional areas of law enforcement, office equipment sales, fulfillment companies, the list goes on and on. The Internet is like the Industrial Revolution — the start of a new way of life. The use of the Internet has made the world a smaller place. It has brought out the best people have to offer and helped millions obtain goods. Ten years ago, these goods would have been impossible to obtain. It has also brought out the worst in some. Thieves prey on the weak, the small, and the innocent.

Companies and governments are just beginning to fight back. New departments, organizations, and task forces develop daily to combat Internet thieves and scam artists. Many companies are seeking out information to assist in stopping thieves from stealing merchandise. Law enforcement agencies are becoming more involved and knowledgeable about Internet crimes. Since each computer used to surf the Internet leaves a traceable signature, law enforcement and companies are coming together to stop Internet predators. Just as the Internet has grown at tremendous speed, so is the new technology and knowledge needed to track parties using the Internet for illegal activities.

As in the first few years of the gold rush, people have become aware of the risks and the dangers of conducting business via the Internet. Companies and people are taking precautions when buying and selling over the Internet. The golden glitter has lost some of the shine, but the lure of the golden dream is still alive. The traditional process of assuring the sales of merchandise is safe will soon replace the days of rushing to increase sales via e-commerce. Until that day arrives, consumers must take precautions when placing Internet orders. E-commerce merchants need to exceed brick-and-mortar stores traditional ways of treating consumers. If both parties cooperate, the 2000 holiday season should be joyous and profitable.

Al Cameron

Fraud Scoring Systems- Are They Outdated Part Two

In this part I will also examine what takes place when card information is used and systems fail to recognize the obvious.

Every merchant or company that accepts payments by way of the mentioned methods of Credit Cards, Debt Cards, Mobile Payments, and other similar payment methods are assigned into a Merchant Category Code also know as an MCC number. This allows financial institutions to control what type of merchants and products they will accept payments from. Online gaming, which is illegal in the US, has an MCC code of 7995. This allows all US credit card companies to block all transactions from taking place by stopping all transactions that are attempt from merchants assigned to this MCC code. Credit card companies can block other MCC codes for a variety of reasons.

Credit Card companies and credit card issuers place certain risk factors on the various MCC codes. This is done to protect all parties involved from some losses that could take place. Looking at two MCC codes assigned to merchants and companies who provide the same product but in slightly different manner. MCC code 5541 is assigned to Service Stations that dispense fuel and may have stores where goods or services can be purchased. MCC 5542 is assigned to the same or similar merchant or companies that utilize Automated Fuel Dispensers. MCC 5542 will be used if you pay at the pump and MCC 5541 will be used to recognize the transaction as being used inside the store and a point of sale device being used.

Because there is a greater risk of losses for MCC 5542 the Credit Card Company or financial institutions view the fraud scoring of these transactions differently, or at least the should. I have read reports over the years that cards have been attempted to be used at the pump and when they were rejected they were just dropped on the ground. Some reports have listed dozens of cards that were either stolen or cloned being attempted then discarded when it was rejected.

One case study I performed showed several cards had been subject to skimming. After the people checked out of their hotel the cards were used at several pay at the pump sites to steal over fifty thousand dollars ($50,000.00) in fuel over a long four day weekend. This was done by using modified fuel containers. The difficult thing to understand in this case was these cardholders did not live in the state the cards were being used in. The cards had never been previously used for the MCC 5542 code, automated fuel purchase, and as many as five pumps were authorized within 3 minutes at one station, with a single card. Somewhere in the required steps to validate the card for these purchases one of the fraud scoring systems should have “recognized” a potential problem.

When a party uses a piece of financial information to complete a financial transaction by utilizing a credit card, debt card, the new mobile payment method, or any of the multiple ways companies accept payment for their goods or services certain events take place to authorize the payment method. Examine a Credit Card, Debit card or Mobile payment transaction. The information is captured from the item being used to make payment. The captured information is transmitted to that merchants’ or companies payment processor. The payment processor in turn transmits the information to the financial institution or credit card association for validation of the card information. Because a number of parties are involved in the acceptance and approval process for transactions like the ones above it is difficult for cardholders to understand how or why several transactions were allowed to be completed using their financial information.

Losses like the above example take place everyday. This is one of the reasons I believe the current fraud scoring systems need new ways to recognize and fight fraud. Tomorrow I will examine what some of these tools could be.

Al Cameron