I call this my “Houston Problem,” although the proper name should be my Houston/Germany problem. The Houston Problem centers around Internet credit card fraud that appeared to be taking place Houston, Texas; however, my investigation would take me to the other side of the world to find the thief.
In January 1999, the Houston Problem thief was testing their skills in Internet theft. The thief were using stolen credit card information to order products and test the system of what would eventually become theft of hundreds of e-commerce merchants worldwide. The thief could steal at the speed of the Internet, but the victimized merchants would not discover the thefts for months. Until an angry customer asking how a thief could purchase something with stolen credit information calls a merchant or the merchant’s financial institution notifies them a credit card charge back had been received, the merchants are unaware merchandise was stolen.
My Houston Problem began slowly. First, the fraud prevention software used by Digital River detected inconsistencies with some orders. The order size was small so I dismissed the inconsistencies to typing errors. Since Internet merchants have their own fraud detection systems, this thief had much to learn. The thief’s thoughts would turn to testing the fraud prevention systems — asking himself, “How much could I steal before the credit information I am using today gets cancelled?” By February 1999, this thief was submitting multiple orders and using several pieces of stolen credit and identity information. Little did this thief realize that the system used by Digital River was designed to guard against this technique. The more he tried to order, the closer he came to getting caught. By the end of February, efforts to stop this thief escalated.
Ten days passed and roadblocks were set in Digital River’s fraud prevention software to spot and
stop this party. However, two more orders got through. I went to Digital River’s development staff who developed the software to stop fraud. It took them a day to put in the final measures in place to stop the thief from stealing from Digital River’s vendors. My investigation intensified to find the guilty party. I knew our system captured more information than any fraud checking system used by other Internet merchant. I provided enough information to numerous worldwide law enforcement agencies to assist them in capturing shoplifters who were not as sophisticated as the perpetrator of the Houston Problem. Law enforcement agencies were amazed at the level of software sophistication used by Digital River.
The first step was to find the information our system had attached to the thief’s information. A cross-check of e-mail addresses, credit card numbers, IP addresses, and the zip codes used by the shoplifter provided a wealth of information. The thief attempted to use over 300 credit card numbers, changed names, addresses, and other information to have the system accept an order. Unfortunately, 15 orders did get through. This information was accumulated in under 10 hours. The search for the thief was my main priority.
During a few weeks looking for the thief, I received a few credit card statements from customers showing fraudulent orders. One credit card statement showed $14,000 worth of purchases in eight days. Another statement had almost an equal amount charged in even less time. Both statements included numerous e-commerce merchants. I tried contacting some of the merchants. When I asked for the fraud departments, not one of the companies I contacted had a fraud or loss prevention department. One of the merchants had almost $7,000 in losses on one statement and was not yet aware of the losses. I left my name and number at each company and have never had a return call. Compared to some of the e-commerce companies involved in this thief’s crime spree, I was relieved Digital River’s fraud software and manual-checking system was capable of stopping everything it did. Additionally, I contacted credit card companies for assistance. After giving them the series of numbers issued from their company, they informed me they would block the numbers, but they could not give me any information regarding the cardholders or companies.
Next, I located the server being used for the fraud attempts in Germany. After locating the information about the domain administrator, I sent an e-mail to request his assistance in locating and contacting the thief responsible for the stealing of our clients’ products. He responded and agreed to forward the party an e-mail I wrote. The e-mail I received back from the thief stated they knew nothing about this. The domain administrator offered assistance to provide further information but only to a law enforcement agency. I began searching for a law enforcement agency in Germany that would get involved. My search led me to a detective from the Aachen, Germany Police Department who agreed to look into the matter. I sent him the same documentation sent to the domain administrator. I received a response stating the alleged thief was residing outside of Frankfurt, Germany, and he was sending the information to the Frankfurt Prosecutors’ Office to proceed.
To date, I have not received any information from the Frankfurt Prosecutors Office concerning the status of the case. No one has contacted me and I wonder what was done considering one amazing thing that did happen. A week after I had sent the documentation to the Detective in Aachen, Germany, I received an e-mail from the domain administrator. He asked about the status of my investigation. I replied I had sent the documentation concerning the fraudulent orders to a detective in Germany. I requested he keep this information highly confidential and thanked him for his assistance. Then came something I never expected. The next morning I received an e-mail from the thief apologizing for stealing and promising to destroy the software and never do it again if the authorities were kept out of it. Here is the apology I received and the response I e-mailed back to the thief:
From the thief:
Very much Geehrte ladies Una sirs
I explain hereby to you that all programs and copies is destroyed is.
And the programs these installed is, are relaxed, and I explain to you that no wider persons use these programs. The addresses, this one are telephone numbers and the names and the credit
card numbers destroyed. I explain and guarantee you that no further tries future in this gives.
User of Ginko Net
Below is my reply:
We appreciate you finally responding to and acknowledging your participation in the theft of our vendor’s software. It is not the policy of Digital River to ask any law enforcement agency to discontinue their investigation once an investigation has started. However, Digital River has made the law enforcement agencies and courts systems, that have previously investigated and prosecuted crimes against parties that have attempted to perpetrate these type of acts against Digital River and its vendors, aware that the parties involved have cooperated. You must be willing to cooperate in the previous requests for your cooperation and information as follows:
1) Destroy all programs and copies of programs involved in the downloads that took place.
2) Each party must file a letter of destruction on each piece of software downloaded and forward a list of any other party that they may have shared the software with.
3) Share with Digital River, Inc. all programs used in the commission of downloading the software obtained.
4) Share with Digital River, Inc. all programming or other relevant knowledge used in the commission of downloading the software obtained.
5) A written assurance that no future acts of this type will be perpetrated against Digital River, Inc. or any of the vendors involved with Digital River, Inc.
6) You must also identify yourself, all parties involved, complete address for yourself and the parties involved, the phones numbers for yourself and all parties involved, and proper and verifiable e-mail addresses for all parties involved in the next e-mail that you send to my office.
If this is acceptable to you and any other parties involved, please e-mail me. If all parties cooperate, we will do our best to request leniency on any charges that would arise in respect to the crimes against Digital River, Inc. or its vendors.
I am grateful to the parties who assisted my office with the investigation leading to this point. I am curious how far the authorities were able to proceed with the case. Considering the facts pertaining to the case, I estimate the losses for the merchants involved at approximately$500,000 to $900,000.