Wednesday, December 29, 2004

Credit Card Fraud: Take Two

Credit Card Fraud Page

In 1988 I was a minor victim of an international credit card fraud scam. The perps had set themselves up as a California bank, then legally purchased a large number of credit cards (banks can do those things). They then ran small fraudulent transactions (fake net porn transactions) against tens of thousands of cards around the world. They were shut down, but I doubt any of the crooks did jail time. The fraud was interesting because it foreshadowed a range of techniques that have since been deployed around the net.

At that time I also learned how very frail our credit card infrastructure is. A system built for physical person-present transactions does not migrate well to the net.

One of the recommendations I made, based on that experience, was to use AMEX and thus take advantage of a more centralized approach to fraud management.

Today, six years later, I discovered another interesting pattern of fraudulent charges on my AMEX account!

On Dec 14th/15th, and again on Dec 23/24th, there appear a series of charges that look like this:

1. DOTREGISTRAR.COM: 69230017 INET-DOMAIN NAME TRANSF
2. NEWEGG COMPUTERS: 6-7 charges of about $550.

So with two sets of the above there's about $7030.00 in fraudulent charges.

So now I'll get to see how well AMEX actually works. Thus far I'm spending a fair bit of time waiting on the phone as my call percolates through their fraud division. More updates to follow.

Update: AMEX took about a half hour to get me through to the person who managed it. They didn't ask me any questions; they marked the transactions as fraudulent and are sending me a new card. Unfortunately when AMEX sends an "expedited" card it's a temporary CC number -- pretty useless for me. So there will be a one week delay -- they should do better.

I'll post later on how well AMEX handles this.

I wonder if the DOTREGISTRAR.COM transaction was to enable a temporary mail redirect. Online vendors often use email to establish "identity". It's a frail system, and suspect the thieves probably used a throwaway domain to defeat the identity management. Looks like a pretty cookie-cutter theft, it might have been done by kids or professionals.

Update 1/17/05: AMEX took a while to answer the phone, but they dealt with the problem very quickly. They asked me about 3 questions and reversed everything. They sent an "affidavit of fraud" but didn't even bother to have me sign it.

Unfortunately even though AMEX can Fedex a card in 24 hours, it's a temporary number and hence useless for my online purchases and subscriptions. It takes them a week to send a permanent card.

Thinking about the scam, it's probably what's known now as an 'eBay operation'. Get the goods and sell them on eBay.

No comments:

Post a Comment