Getting credit card numbers has never been hard for Internet criminals — chat rooms are full of thousands of such numbers, lifted from various unsecured Internet sites. But the numbers themselves have very little value. Using them to buy merchandise is risky, for example, as it involves a shipping address, which can be traced.

But MSNBC.com has learned that computer criminals armed with stolen card numbers and access to a Web merchant’s payment processing system — the virtual equivalent of the card-swipe terminals that sit at real-world cash registers — have found a new way to turn stolen numbers into cash. In one example demonstrated to MSNBC.com, a criminal made off with more than $5,000 in minutes.

At the root of the scheme is a merchant’s ability to issue credits, which are effectively payments from merchant to consumer. In some cases, merchants can issue credits to account numbers that differ from the account that was originally charged — and that’s how the criminals move money from one stolen credit card to a second card, then liquidate the balance on that card.
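The safeguard this scheme defeats can be stated as a rule: a credit is released only when it refers to an earlier charge on the same card and does not exceed it. The Python sketch below is an added example, not code from MSNBC.com, Authorize.net or any processor; the record fields, card tokens and amounts are constructed for illustration.

```python
from dataclasses import dataclass
from decimal import Decimal
from typing import Optional


@dataclass(frozen=True)
class Txn:
    txn_id: str
    kind: str                  # "charge" or "credit"
    card: str                  # opaque card token (constructed)
    amount: Decimal
    ref: Optional[str] = None  # for a credit: id of the charge being refunded


def screen_credits(txns):
    """Return {credit id: reason} for credits that should be held for review."""
    charges = {}   # charge id -> Txn
    refunded = {}  # charge id -> total already credited back
    held = {}
    for t in txns:
        if t.kind == "charge":
            charges[t.txn_id] = t
            continue
        orig = charges.get(t.ref)
        already = refunded.get(t.ref, Decimal("0"))
        if orig is None:
            held[t.txn_id] = "no associated charge"
        elif orig.card != t.card:
            held[t.txn_id] = "credited card differs from charged card"
        elif already + t.amount > orig.amount:
            held[t.txn_id] = "credits exceed the original charge"
        else:
            refunded[t.ref] = already + t.amount
    return held


# Constructed sample log, not real transaction data.
SAMPLE = [
    Txn("c1", "charge", "tok_A", Decimal("1500.00")),
    Txn("r1", "credit", "tok_B", Decimal("1500.00"), ref="c1"),  # other card
    Txn("c2", "charge", "tok_C", Decimal("40.00")),
    Txn("r2", "credit", "tok_C", Decimal("40.00"), ref="c2"),    # normal refund
    Txn("r3", "credit", "tok_C", Decimal("10.00"), ref="c2"),    # over-refund
    Txn("r4", "credit", "tok_D", Decimal("600.00")),             # no charge at all
]

if __name__ == "__main__":
    for txn_id, reason in screen_credits(SAMPLE).items():
        print(txn_id, "HELD:", reason)
```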
It’s known as a credit-back scheme, and it once was a popular strategy for real-world criminals. In 1997, a tiny Toronto frame shop was bilked out of $248,000 this way, according to published reports. In that case, criminals broke into the store and manually refunded hundreds of legitimate store charges to their own debit cards during one frantic late night. They raced to refund nearly every charge the store had billed in recent months.

But criminals using a virtual merchant terminal operate with considerably less time restriction; that’s one reason the tactic is becoming popular, according to a 14-year-old New York City resident who demonstrated it for MSNBC.com. The source, who requested anonymity, spoke to MSNBC.com after he contacted CardCops.com to warn merchants about the fraud scheme. CardCops.com offers amnesty to anyone wishing to reveal details of ongoing Internet fraud.
“This is passing around a lot. I have friends who are doing it. They better close it out fast, or they’re going to lose a lot of money,” he said. “People doing $1,000, even $3,000 at a time. They don’t see there’s risks anymore.”

Another reason the scam is popular is that criminals have discovered several ways to access powerful merchant accounts that route charges through Prakash Kondepudi, the executive vice president of Infospace, said his company routinely screens out refunds to credit card accounts without an associated charge. But in some cases, acquiring banks allow such refunds, and that may be why isolated thefts occur. Even then, Kondepudi said, the transactions are flagged and usually the acquiring bank “arrests” the transaction. Still, sources MSNBC.com spoke with said theft attempts were successful.

Only a user name and password protect Authorize.net merchant accounts, and hackers have figured out that merchant user names are revealed in the source code of “checkout pages” when Web sites use Authorize.net to process payments. Kondepudi admits that’s true, but only for a minority of merchants who use the least secure method for implementing Authorize.Net payment processing.

“We try to educate them on the risks ... but there are some, maybe hundreds or even thousands who may use (less-secure) methods,” he said. “We have large number of resellers, they might not communicate this to the merchants.”

Armed with the login name, intruders merely have to guess at the correct password, which is trivial if the password is a word that’s in a dictionary.
“My friend made a cracker program that cracks Authorize passwords,” the 14-year-old source said. In some cases, the password is the same as the login name, he said, and then demonstrated his ability to access a merchant account for “Superhero2000.com” that way. Attempts to reach representatives of Superhero2000.com were unsuccessful.

One real-world victim of the credit-back scheme, Maryland resident Chuck Sinkoske, said his wife found four surprise charges for $600 on her Visa bill in early January. Her bank simply asked that she challenge those charges but didn’t cancel the card. Two weeks later, Visa called and said a suspicious $1,500 charge had been rung up on the card. That charge had been made, and then refunded to a different card, at SuperHero2000.com.

“It’s turned me off to this whole Internet thing,” Sinkoske said. “I’m very leery of the whole thing. And I was the one who said to my wife, ‘Don’t worry about it.’ If they can’t control this, it’s a serious problem.”
For proof, he points to a week-old white paper published by the company, which recommends using “password required mode.”

“When an account is designated as Password Required no transaction can be processed without providing the password. This mode prevents transactions from being done with only the login ID,” the paper says.

Kondepudi said he couldn’t immediately comment on that procedure.

Clements contacted Authorize.net on Feb. 3 to express his concerns, but the company hasn’t yet responded. Since only Web merchants — and not the payment processor — are liable for credit-back fraud, he thinks Authorize.net has been sluggish to address its security problems. Two years ago, the company was criticized as slow to fix a security flaw that revealed merchant login names and passwords in URL addresses as merchants browsed the Authorize.net site.

“I think it would be brutally expensive for them to fix this,” he said. “We come out with flaws, and companies stonewall and deny. Then a newbie merchant who has an account for two months is going to get screwed.”