 |
| This sketch has been updated as of Oct 1999 to include the role of Charter Pacific Bank. |
Faughnan Home | Contact Info | Site Contents | Search
Last revised: 23 Nov 2007. History has latest changes. Recently revised sections have mm/dd/yyyy beside the name. The last real revisions were done in 2000, the current document is disorganized.
This site was actively maintained in late 1998 and early 1999, but it has not been updated since. Some of the sites I link to have disappeared or, worse, been acquired by crooks. Some of my descriptions on how credit card transactions work and are verified were wrong even in 1999, and the industry has changed since then. Despite those caveats, I do receive periodic notes of appreciation so the site apparently has some ongoing value. I'll keep it around for now, but I can't take the time to fit it up. It's an archival site. Let me know of links that now point to crooks and I'll try to remove them, but otherwise it is what it is.
These scams continue, at least through 2007. The exact same frauds, but with larger amounts of money. Some of the same names associated with the 1998 NetFill scandal were involved in a 2002 scam documented by a new defunct web site (domain since acquired by scammers).
Eventually the public will figure out that only Visa/MasterCard
can fix the problem -- but that will take a while. We may have to wait for campaign finance reform before we'll see any serious governmental
action. The basic problems underlying this particular scam was that it was
cheaper for banks to deal with angry customers, or suffer losses from fraud, than to pay
the costs of robust authentication. That hasn't changed, Bruce Schneier routinely documents variations of this
problem.. On the other hand the banks have improved some aspects of their operations,
and crooks have found even more profitable scams -- such as using botnets and spam to
manipulate penny stock prices. The public, I think, will gradually grow to tolerate small
frauds -- certainly there's been no significant pressure on politicians. We muddle through
rather than reform, which is the way of things.
BTW, I often hear from vendors telling me how they also are victimized by failure of Visa/MasterCard and their franchisees to fix their security problem. Although this site is oriented to customer-victims, the problem is no less severe (or even greater) for vendor-victims. The main thing I can tell them is too support use of American Express.
If you'd like to know what's been happening since 2002, I'd recommend browsing CryptoGram, the leading security site on the net.
This web page is largely archival, but after at least four years of the banks (with the possible exception of AMEX) failing to implement well-known solutions I think it's interesting to add occasional links to ongoing scams.
Over forty million dollars. Somewhere around 900,000 victims across 22 countries. The biggest credit card fraud ever. Fraudulent credit card transactions generated using adult web site merchant accounts.
A fascinating story, but not as new as one would think. Since this web site was first created in December of 1998, when I learned I'd had 6 months worth of fraudulent transactions on a business Visa card, I've learned that this type of fraud has been going on for years. Criminal merchant account holders collude with shady banks and transaction processors -- it's an old story that predates the Internet.
What's new is the ability to run this scam across the entire world, and to attack hundreds of thousands of victims in a very short period of time. The Internet has given an old scam new legs. It has exposed the smoldering weaknesses in our credit card processing system.
This site is dedicated to chronicling this fraud, and to focusing attention on important weaknesses in our banking, credit card, and e-commerce systems. Although I focus on the particular scam I was victimized by, the information here will be of interest to anyone who has been victimized by similar frauds or who wants to see e-commerce succeed.
J K Publications (alias Webtel, Netfill, etc) ran a sizeable fraud, somewhere in the range of 40-50 million dollars, distributed across about 900,000 credit cards in small recurrent charges ($20 US). JK Publications' front companies generated about a third of all customer complaints at one major credit card company in late 1998. Their merchant accounts had a 'chargeback' rate 100 times the national average; each time a merchant account was closed by the credit card companies, they opened a new one. In late 1998 they alone accounted for 4% of all Visa chargebacks.
The JK Publications fraud operated under a number of business names. Court filings by the US Federal Trade Commission refer to 3 principals. Prior to the filings, from Dec 4-20, 1998 I and many contributors working togother over the Net, identified front companies involved in this operation. We also identified an individual, Ken Taves, (KT) who appeared to be active in all of the front companies, and a few others besides. Since that time KT has been named in a public inditement by the Federal Trade Commission (FTC). His career is described in more detail in two LA Times articles, this fraud has been well covered in the August 1999 issue of Scientific American.
J K Publications was aided in this fraud by the actions of Charter Pacific Bank (San Fernando Valley, California, see InterNic entry and more below). According to an LA Times story reporting on FTC investigations (Jeff Leeds, 9/11/99) CP Bank sold Ken Taves about 900,000 (90%) "of the credit card numbers that he allegedly used to run up $45.7 million in mostly bogus charges against consumers worldwide". [12] CP Bank also held J K Publications various merchant accounts, and kept them operating even as complaints mounted.
Apparently the bank made millions processing credit card transactions for adult industries. In addition to numbers harvested from the adult entertainment business, they also sold numbers from the two-third of the bank's 250 merchant accounts belonging to other merchant accounts including mail-order firms and retailers.
In addition to persons who'd used their credit cards online (some who'd used them to buy adult materials, most who had not), victims included persons who'd never used their credit card anywhere!
Leeds' article also confirmed one of the main allegations of this page -- that banks and processors often accept transactions that lack key identifiers, such as expiration dates and card holder name. The credit card number alone will suffice for small transactions.
A few sad lessons have been learned during this investigation. The banks who manage the credit cards have treated many of the victims fairly poorly. The processors who manage transactions do not have the technology for even trivial validation of transactions. There are some pretty crooked banks out there. Prosecution for this type of fraud is rare. Visa/MasterCharge, who have the ultimate authority, are not coordinating anti-fraud activities and are not providing the technology for a better transaction system. Existing credit card anti-fraud sanctions move extremely slowly, allowing a company to generate fraudulent transactions for at least a year.
Lastly, the companies allegedly involved in this fraud manage transactions for "adult" (pornographic web sites). I sympathize with employees who have been accused of using corporate credit cards to purchase pornography (several reports). I am willing to correspond with employers who have any further questions.
I can't answer all the email I receive directly, but I try to answer questions through additions to this page. I do read all the messages.
From the FTC web site as of September 7, 2000: http://www.ftc.gov/opa/2000/09/netfill.htm. There are links on that page to additional trial related material. NOTE: A stipulated final judgment and order is for settlement purposes only and does not constitute an admission by the defendant of a law violation. Consent judgments have the force of law when signed by the judge.
The defendants have not admitted guilt and will do no jail time. Also, much of the charges are unlikely to be recovered. If they are indeed guilty of fraud this cannot be considered a triumph of justice.
FTC Wins $37. 5 Million Judgment from X-Rated Web Site Operators
Bank Sold Defendants Access to Active MasterCard, Visa Card Numbers; More Than 700,000 Consumers Illegally Billed
The Federal Trade Commission has won a $37.5 million verdict against a California-based adult Web site operation the FTC charged with operating an illegal billing scam. The agency alleged the defendants repeatedly placed charges on consumers' credit and debit cards for X-rated Internet visits they had not made and services they didn't order. Indeed thousands of those billed for visiting the Web sites did not own computers. At trial, the agency told the court that the defendants bought access to lists from a California bank that provided the account numbers for more than 3 million valid Visa and MasterCard credit cards. Rather than use the lists to confirm that potential customers had valid cards, the defendants debited the cards for Web site services the cardholders had never used.
In January 1999, the FTC filed the case against Malibu, California residents Kenneth and Teresa Taves, and Dennis Rappaport and their businesses J.K. Publications, Inc., MJD Service Corp., Herbal Care, Inc., and Discreet Bill, Inc. The complaint charged that the defendants were billing consumers without authorization for alleged visits to adult Web sites. Consumers saw the charges on their bills under the names "Netfill," "N-Bill," "MJD Service Corp," and "Webtel." Based on the preliminary evidence presented by the FTC, a U. S. District Court judge entered an order on January 6, 1999 that temporarily shut down the defendants' business and appointed a receiver, pending trial.
According to the FTC, the defendants had purchased access to a database of credit card numbers provided by Charter Pacific Bank of Agoura Hills, California. This database contained card numbers, dates and amounts of sales, for more than 3 million card holders who purchased goods or services from merchants with accounts at Charter Pacific. The FTC argued that the defendants illegally used the account numbers to place charges on the accounts and that over 90 percent of their $49 million a year in "sales," were actually unauthorized charges. The court agreed, saying, "The Court finds that the FTC has proven by a preponderance of the evidence that 90.8 % of the total 'sales' amount the defendants caused to be deposited into their merchant accounts was unauthorized."
The FTC showed that the defendants used at least five different merchant accounts and four fictitious business names to process over $40 million in credit and debit card transactions. The timing of each new merchant account application coincided with the impending threat of being placed on VISA USA's "active monitoring" list for excessive "chargebacks" -- amounts debited to cards but disputed by the consumers who were charged. By submitting the charges and debits for processing, the defendants represented to the merchant banks that they had obtained authorization from the cardholders for the charges and debits. But thousands of consumers who were charged said they did not incur the charges and, according to U. S. District Court Judge Audrey B. Collins, "A shocking 40% to 50% of the calls received by the defendants were from people who said they did not have a computer and had not given their card numbers to anyone." Judge Collins concluded "[T]he only reasonable inference the Court can draw from the corporate defendants' access to the Charter Pacific Positive Database and the time of the defendants' fraudulent billing practices is that the defendants stole and processed Visa and MasterCard numbers from the database."
The court concluded that the defendants had processed bogus charges totaling more than $43 million. The $37.5 million damages verdict represents the illegal charges minus the amounts that consumers already received through chargebacks and credits.
Two other defendants in this case, Gary Mittman and Adult Banc, Inc., settled FTC charges in June 1999. That settlement bars them from making false representations that customers have agreed to purchase goods; bars billing or receiving money or assisting others to do so without consumer authorization; requires that they obtain express verifiable authorization from consumers before billing them; requires that they maintain adequate staff to respond to consumer complaints or inquires; and requires that they promptly credit the accounts of consumers who request refunds.
Consumers wishing to make claims can contact the Court-appointed receiver in the following manner: by email at rea@robbevans.com or by regular mail at Robb Evans & Associates, Receiver, PO Box 880, Sun Valley, CA 91353 and submit the following information (1) consumer's name (2) the credit card number that was wrongfully billed, (3) the amount of the wrongful bill(s), and (4) a currently-valid credit card number through which the consumer can receive a refund.
Consumers without computers can contact the receiver by calling (818) 768-8869. Consumers will hear a recorded message which will instruct them to contact the receiver at the P.O. Box listed above. The Receiver expects a great volume of calls in the first weeks after the judgement, and urges callers who are met with a busy signal to be patient and to try calling again at a different time.
The FTC has identified in excess of $20 million in defendant's assets. It is not clear that the total of $37.5 million ordered by the Judge will be available for consumer redress.
From a Jan 12 FTC Press Release:
The agency named Kenneth H. Taves, a/k/a Kenneth Till, Teresa Callei Taves, Gary [Neal] Mittman, all of California, and their companies, J. K. Publications, Inc., MJD Service Corp., and Net Options, Inc., in its complaint. The complaint alleges that the defendants also use the business names Netfill, N–Bill, Webtel, and Online Billing ... Consumers, many of whom were billed repeatedly over successive months, appealed to credit card companies for help, but were told by them that they could not block future charges to the cards. Many consumers canceled their credit card accounts to avoid the charges, the FTC alleged. The FTC has asked the court to permanently bar the illegal billing practices and award redress to consumers.
Consumers who believe they have been deceptively billed by the defendants can call an FTC Hotline at 202-326-3144 for more information.
This is an outline of the general fraud. I'll discuss some interesting variations below. You may wish to refer to the following image as you review the text. [3] Some of this material is speculative; quotes are from authoritative sources. (Thanks to security experts (GM, NJ, WFE, RLB, DB), and my hacker colleagues (WH, SD), for background information.)
|
| This sketch has been updated as of Oct 1999 to include the role of Charter Pacific Bank. |
This is a complex operation. The current consensus is that the operations we know of (N-Bill, Webtel, MJD Services, XBC.COM) are all operations of J K Publications/Netfill.
Netfill's original business was handling transactions for web sites selling "adult content" (usually pornography). Netfill began to acquire a "bad reputation" in the pornography world, possibly for reusing the credit card numbers they were handling. They went through several aliases, and then, we suspect, began running transactions against credit card numbers that they'd obtained (see CP Bank).
During this time Netfill appears to have gone through various Merchant Accounts, perhaps as Banks and Processing centers began to block transactions.
Below is a step-by-step description of how this type of fraud might operate. If it is properly done (see #2), it is hard to see how they can ever get caught.
The thief needs credit card numbers. They do not need anything else. Credit card processing companies do not mandate the use of additional validation information: "... the system was designed for 'card present' transactions and has no real way to tell whether [an expiration date] is correct or not ...". There is an early system in place to do some validation based on zip codes and addresses (AVS), but "it only works with US cards and is not totally reliable yet". Some banks do check expiration dates, but many don't. (See [5] for Netfill's alleged misuse of AVS.)
Charges can also be issued against cancelled cards, or non-existent accounts, if the computer of the card issuing bank is not available during the transaction.
There are several ways the thieves could have obtained the numbers, but in fact they purchased most of them (legally?!) from Charter Pacific Bank. In addition the geographic distribution of victims, and the reports of fraud on cards that have never been used anywhere, suggest that at least some of the time either Taves, CP Bank, or other operators software to generate "well formed" credit card numbers. [13] It's likely that they have also stolen a set of credit card numbers, possibly with validating information. (There is a way that they might have been unwittingly using generated credit card numbers. [2])
Credit card numbers can also be stolen from a vendor site or a processor site. It is not that hard for a hacker to steal numbers from many e-commerce sites. Matt Beer has written a December 13, 1998 San Francisco Examiner article on the 9/10 success rate of IBM's "ethical hacker" team [1].
Netfill and its aliases (N-Bill, Webtel, etc) have Merchant Accounts. The thief could be generating credit card transactions directly through Netfill. It would be much safer, however, for the thief to funnel the transactions through a pornography vendor, (such as XXXPERTS.COM) which could be a willing or unwilling collaborator. This would give Netfill deniability -- they could say (plausibly) that they were only processing "someone else's" transactions. Of course, they would be making money on the transactions that weren't caught. If the thief was working with both Netfill and the pornography web site, then the money would come to the thief through both sources.
The Merchant Account holder sends the transaction on to a "Processor". The Processor applies the checksum algorithm; the credit card number will pass this test. The Processor then attempts to check the number against the bank that issued the card. Sometimes they will be unable to complete this test; in that case the number is passed by default. If they can complete the test, a non-existent number will fail. A valid number will pass, and a recurring charge can then be set up.
The role of the banks in authorizing transactions is yet another serious weakness in Visa/MC security. Some banks have excellent IT resources and anti-fraud measures, others are completely overwhelmed by e-commerce. I wonder if this might relate to the apparent high attack rate in Japan. (See American Express.)
At this point a recurring charge will go through every month. Charges are small, usually USD $19.95, are are thereby less likely to get attention.
If victim notices, victim can do a 'charge-back' through credit card company. However many banks only go back 60 days, so you may be out some money. Since the total for 2 months is < $50, the credit card company is not obligated to refund everything. If the victim doesn't notice, then the scam works. Eventually the Merchant Account will be closed, and a new one will have to be created under another name. (See spammers and merchant accounts.)
I've received victim reports from 22 countries: Canada, France, Eire (Ireland), England, Scotland, Australia, New Zealand, Norway, Germany, Mexico, Brazil, Portugal, Belgium, Japan, Sweden, Finland, Switzerland, Austria, South Korea, El Salvador, South Korea, and across the USA.
The situation in Japan was particularly severe. There are Japanese sites similar to this one. Visa International's fraud office received hundreds of notices from Japan's largest bank. Japanese victims may have been particularly embarrassed by the connection to pornography sites; many more may be remaining silent.
Consider what happens when the fraud is undetected or detected.
If the fraud is undetected, money goes to the holder of the Merchant Account. If a Merchant Account were "factoring" (consolidating transactions, forbidden by Visa/MC) the transactions of a (possibly collaborating) pornography vendor, then the two would share the money. Money also goes to the Processor and the banks.
If the fraud is detected, then the banks may repay the credit card owner (the "victim"). However, note that the amounts are less than the <$50 amount banks are obligated to repay. Many banks, particularly in Europe, seem reluctant to pay up. The victim has lost time. The transaction processing center appears to still have made money, they do not appear to suffer for processing a fraudulent transaction. The Merchant Account holder is supposed to pay a fine and refund the money. As losses mount the Merchant Account is closed to reopen with a new name.
The thieves are guilty, but they're playing on a weak system. The Visa/MC transaction system was designed for traditional transactions of physical goods with a physical vendor and a physical card. Mail order stretched that system, but e-commerce blows it wide open. (See also: e-commerce implications).
In the reports and comments I receive, the Processors point fingers at the Banks, the Banks point at Visa/MC international and their transaction handling regulations, and Visa claims there's no problem [8]. Jeff Leeds' articles suggest misbehavior or incompetence on the part of the banks holding J K Publications merchant accounts (see Credit Card Companies, Banks and Merchants). The FTC's investigation also exposed the role of a shady bank -- Charter Pacific.
I suspect everyone's a bit guilty, and that real problems arise when the weaknesses of each of the players reinforce one another.
The Processors don't have the technology to do any significant verification. The banks vary widely in their expertise. Some are very savvy, others have little IT ability and minimal fraud protection. Some banks are being very supportive of victims, others are basically accusing them of trying to cheat on their alleged pornographic purchases. The banks are slow to bring cases to the attention of the authorities, possibly because they're very worried about exposing their vulnerability.
The distributed nature of the Visa/MC system, with each bank managing its own "business", is a weakness. Visa International does not have access or control to Merchant Account information. Only the banks have that information. One wonders what a crooked bank could do with Merchant Accounts. (I wrote that last sentence before the CP Bank scandal broke). It is this clumsy system that has allowed the Netfill operations (N-Bill, Webtel, etc) have been able to operate Merchant Accounts for so long, with so many "charge backs".
In the paraphrased words of one expert and industry insider, who must remain anonymous:
Your description of the process from the card end is mostly accurate with only some details not quite right. In my opinion your user tips are spot on to 'the real world', however a financial organisation involved would most certainly not agree. The fact is that the real future of making money illegally is no longer bank robbery. The criminal organisations of this world naturally know this too... I don't want to sound ominous but at this stage I rather don't want to say any more than this.
Taves et al (see Operators) were aided in this endeavor by the actions of Charter Pacific Bank (San Fernando Valley, California, see InterNic entry). According to an LA Times story reporting on FTC investigations (Jeff Leeds, 9/11/99) CP Bank sold Ken Taves about 900,000 (90%) "of the credit card numbers that he allegedly used to run up $45.7 million in mostly bogus charges against consumers worldwide". [12]
Apparently the bank made millions processing credit card transactions for adult industries. In addition to numbers harvested from the adult entertainment business, they also sold numbers from the two-third of the bank's 250 merchant accounts belonging to other merchant accounts including mail-order firms and retailers.
This bank has had a shady past, and it's not alone. In the words of an industry insider:
.. the focus should be on the banks or other card processing companies that willingly deal with the 'adult content' companies that are home to card fraud.
... [a 1990 investigation by a reputable bank found] a loosely connected ring of operators that, contrary to their documents submitted to open their accounts, were actually in porn & related businesses. This was sufficient reason for us to sever the accounts, but in the process of this investigation we discovered that their real business was processing fraudulent charges ... Even then their pattern was to open and close accounts frequently ... the law enforcement folks advised that even the business we were dealing with were really fronts for ... organized crime.
This Taves fellow is a carbon copy of several we uncovered. He probably gets a cut of the cash but most of it passes on to others offshore. As noted in one of your hyperlinks, the FTC has only been able to trace a small amount of the $45mm.
In summary, it is the bank processor that makes this whole thing work --- they are like the air supply to a scuba diver. The card issuing bank is not the bad guy. Virtually every bank in the country has safeguards in place to prevent them from finding themselves in business with these types of operators. Charter Pacific Bank has knowingly chosen to get in bed with these folks ... the reason naturally is money. Your typical local merchant pays a discount in the area of 2%. I'll bet these guys are paying Charter 5 to 8%.
Charter Pacific's history is particularly interesting. Again, from the same source:
The LA Times article was factually incorrect when it states that the bank was under an order to tighten controls as a result of bad real estate loans. In fact it was under a FDIC cease and Desist Order owing entirely to its Bank Card operation ... Interestingly, it was lifted in March of this year without comment by the bank as to what it had done to satisfy the many requirements.
This past week the bank's CEO issued a letter to shareholders regarding the LA Times article and TV coverage.... Interestingly, he did state that "other news stories may appear" as sort of a forewarning. I reviewed the bank's press releases and noticed that in August they were in the final stages of getting approval to move the Bank Card operation to a separate subsidiary. Undoubtedly they view this as a way to get better treatment from the regulators. For one, it will get the oversight away from the FDIC which only covers state chartered banks. Non-bank subsidiaries are covered by the Fed or OCC, I don't recall which.
Also this past week the bank issued a joint press release with a company called MerchantOnLine.com wherein they would be offering state of the art merchant services to online businesses. Since I know how careful banks are (or should be) in choosing partners, I decided to do a bit of digging. WOW! I wouldn't issue these guys a simple credit card, let alone process their cards or, heaven forbid, form a business alliance with them. It [MerchantOnLine.com] is an OTC bulletin board company that became "public" by means of a hocus pocus process involving a Colorado shell company early this year. Their reported sales are around $200k per quarter, they operate at a loss, and have a $400k deficit net worth. ... A typical pattern for these companies.
After doing some searches, I found that an investment newsletter thebigbulls.com actually shares the same office and telephone number with MerchantOnLine.com. Other searches on the internet yielded numerous links back to MerchantOnLine.com for setting up internet merchant accounts. It appears that they are nothing more than a marketing operation that aggregates accounts to presumably be processed by Charter. Applications can be completed online. They delicately advise that they are specialists in handling 'off shore transactions', and that everything is "real time". In other words, "we'll connect you to the credit card processing systems and you can initiate any sort of charges you wish, and in the blink of an eye funds will be neatly deposited in foreign accounts."
When I first put this page up I thought that Taves et al were heavy users of credit card generator technology, or that they had stolen cards back when Taves worked processing other merchant accounts. It never occurred to me that a bank would sell Taves credit card numbers, or that US banks would operate so close to the edge. (It would be interesting to know if this bank was related to IN DEED INVESTMENTS.)
Below are the InterNic records for Charter Pacific Bank's would be partners:
| MerchantOnLine.com | 1600 S Dixie Highway Boca Eaton, FL 33432 US Domain Name: MOLEMAIL.COM 800-316-1936 Fax- 561-482-5253 |
| thebigbulls.com | World Wide Corporate Financial 15760 Ventura Blvd. Suite 1020 Encino, CA 91436 US |
| Charter Pacific Bank | 30141 AGOURA ROAD AGOURA HILLS, CA 91301 US |
This case just keeps on going and going.
Removed 10/2/2000 to reduce my legal exposure. A non-specific summary is pending.
Removed 10/2/2000 to reduce my legal exposure. A non-specific summary is pending.
Although there's an e-commerce connection to this fraud, we don't believe that card numbers were intercepted as they travelled over the Internet. That's hard to do. It is very possible that the perpetrators did steal a large number of credit card numbers, either by acting as a Merchant Account for other vendors or by breaking in to an e-commerce site. We also strongly suspect that they used credit card generation technology.
The true e-commerce connection is more subtle. It has three parts: anonymity, selling information, and networked transactions.
The current e-commerce environment allows credit card numbers to be used without identifiers. This has privacy advantages, but it also enabled this fraud. It would be a lot harder to generate credit card numbers if identifiers were required.
The alleged criminals (KT et al) used a "legitimate business", transactions in adult images (pornography), as a cover. This business deals in "pure" information (an intangible good with an extremely low cost for each additional customer). Vendors and purchasers of information goods do not need physical addresses. In addition, the vendor assumes very little risk with the transaction. If the buyer doesn't pay, the vendor's loss is almost unmeasurably small. Compare this to selling computers online.
Since the vendor assumes little risk in this form of e-commerce, they have a great incentive to minimize transaction costs and inconvenience. They will accept large "losses" in return for not inconveniencing paying customers. Similar incentives applies to Banks, Visa/MC, and to Processors.
This shift in risk assumption provides fertile ground for this type of fraud. The absence of a physical address and assets makes it much harder to locate and penalize the perpetrators. They can easily move their funds into sheltered overseas accounts.
Networked e-commerce allows criminals to test credit card numbers across the Merchant Account system in high volume. This makes credit card number generation technology far more powerful. They can also attack a very large number of victims in a widely distributed manner with small transactions, thereby delaying detection and reducing the incentive for prosecution.
The current Visa/Master Card transaction system is flawed. Designed for a world of 'card present' transactions, it is unsuited to e-commerce. The need for reform is urgent, but Banks and Visa/MC may be slow to act. Consumers will have to push for change. Micro-commerce solutions are unlikely to emerge in the United States, given the political and economic clout of Visa/MC, but there is hope that they will emerge elsewhere. Japan may lead the way in e-commerce, just as Europe leads in net privacy.
These are pretty much generic recommendations for any fraud of this sort. Victims of the J K Publications fraud should go to Litigation and Regulatory (below). I've kept the full set of entries here for reference in other frauds.
Consider switching to American Express, such as the American Express Blue Card. Amazon.com, for example, accepts AmEx. American Express centralizes its transaction verification and Merchant Account tracking, which makes it far more fraud resistant. Also, since Visa/MC rule the market, AmEx is going to be a less worthwhile target. (I've no reports of Discover Card charges, but I don't know anything about their security procedures.) In one case report of an American Express fraud, the victim was reimbursed by AmEx immediately and without question. American Express also seems to have much more customer-friendly procedures for handling questionable transaction than Visa International. As of 2002 they've added the AMEX PrivatePayments service providing disposable credit card numbers (one-time use).
See Litigation and Regulatory for the firm handling refund requests. They seem to have been appointed by the Federal agencies investigating the fraud.
You may have to cancel your credit card and change banks. The FTC's Action against Taves et al should reduce the risk of new charges appearing against your original credit card. However, if new charges do appear, most banks are unable to block the transactions. In addition, if your new card is from the same bank as your original card, many banks will automatically carry the transactions over to your new card. Lastly, there is a risk that your credit card number has been widely circulated amongst other practitioners of credit card fraud. If you have a bank with very good service, and if they are able to block charges from known fraudulent Merchant accounts, it may not be necessary to cancel your card. I cancelled mine.
Phone the FTC Hotline that has been setup to deal with this fraud: 202-326-3144 for updated information (messages only). Fill out the online form at http://www.ftc.gov/ftc/complaint.htm so you are eligible for reimbursement.
This is fraud. Some, less worthy, banks (such as US Bank) may refuse to reimburse for charges that occurred more than 60 days prior to submitting a claim. If this occurs, state that the charges were fraudulent and should be handled by the fraud office. Let me know how your bank treats you, so I can update the Bank Hall of Fame and Shame record. You can also report particularly unhelpful banks (thanks, NL):
Look for a bank that has a good service and anti-fraud record. See Bank Hall of Fame and Shame.
Use as few credit cards as possible. Eliminate any debit or other cards that you don't really use. Minimize transactions so you can detect irregularities. Notify bank immediately so you don't miss any 60 day rule. (Note, however, that using checks is not an answer!)
Request your credit reports from credit bureaus for all open and closed cards. This should be free. State that you've been a victim of fraud. Tell them you want a security alert added to your credit record. Typically (experian) they'll put on a 90 day alert. To get a 7 year alert, they'll want a copy of a phone bill to connect a phone number to an address and resident. You may need to send a copy of a driver's license as well if the phone bill doesn't have your name on it. For seven years you will be phoned if anyone requests a credit card for your identity and/or a note will be added to credit reports stating that phone confirmation is required. This service should be free. If you change your phone numbers or address you have to contact the credit bureau and notify them.
When you get the report, look for new addresses and signs of new cards being issued. These are the credit bureau numbers you want as of 8/10/1999, usually you must call during "business hours".
Link to this page and distribute it to anyone who you think might make a difference: banks, credit card companies, journalists, anyone.
Report the fraud to www.fraud.org and other anti-fraud sites (see links).
Complain to Visa/MasterCard international about the flimsy transaction validation practised by your bank. Visa: 800-847-2911.
Send a complaint to the Consumer Affairs Division for the state where the fraud occurred. In this case, that is Nevada.
consumer@govmail.state.nv.us
Send the division a signed staement describing your complaint. Be sure to include a copy
of the billing, your name & address as well as the business name & address.. Send
all of the above information to Consumer Affairs Division; 1850 E. Sahara Ave, #101, Las
Vegas, NV 89104.
Bill Tkach, Compliance/Audit Investigator III
Visa and MasterCard must require, and their franchisees (the Banks) and Processors, must support, the use of proper validation systems by merchant accounts. Possibilities include PIN numbers, the SET (secure electronic transaction) standard, the commonly used AVS and the minimalist expiration date. As of late 2002 disposable (one-time-use) credit card numbers are emerging as a strong solution.
To be fair, we must note all of these have problems.
Expiration Date is very simple, but since it changes as often as once a year, it's a real pain for Merchant Account holders who do recurrent charges (such as Internet Service Providers).
AVS, which uses some card holder address information, is a validation system that does appear to work, but it's possible for a merchant bank to "cheat" it. (Of course such cheating is presumably illegal.) [5]
In Jan 1999, Macintouch reported extensive problems with credit card validation at the Apple Store, caused by problems with their new "SAP-based" system.
In the words of one expert: SET, a secure credit-card transaction system ... was intended to fill the gap you've identified. It's this hideous over-engineered monstrosity that has remained largely unimplemented due to its bulk.
One-time-use (disposable) credit card numbers have the advantage that it might be possible to make them work with the current infrastructure. The numbers don't have to be one-time-use, they could instead have limited lifespans. The main problem is these systems require significant end-user changes. Credit card holders get a persistent identifier that is not a credit card number, but that can be used with another identifier to generate a credit card number. One can imagine many variants on this idea, but the limited lifespan of the credit card number is key. These techniques overlap with the much-missed eCash efforts. See AMEX PrivatePayments
Higher standards for allowing companies vendors to use a credit card. Far more rapid elimination of merchants processing fraudulent charges; currently Visa may take 3-5 months before shutting down a bad merchant account. Prevent 'name switching' by dropped merchants. See Spammers and Merchant Accounts.
Better statements! Statements should have vendor address information. They should show the name associated with the vendor providing goods or services, not just the billing organization.
Merchants can use better validation software with online fraud prevention, such as ClearCommerce's products. Visa/MC can require this of their net based Merchant Accounts. Merchants should also review Rahm's excellent article on AVS and other protective mechanisms
More rapid, centralized, blocking functions. Visa and MasterCard are a single monopolistic company. They should be able to provide consistent blocking procedures. It is unacceptable that Webtel/N-bill was able to carry out its fraud for several months.
Visa and MasterCard need to reexamine the policies for fraud management that their franchisees (Banks) are supposed to use. They appear to be very unfriendly to customers. Until better fraud prevention systems are in place, the onus is on the Banks and Visa/MC to presume the customer is innocent.
The banks who held J K Publications merchant account, Charter Pacific and Heartland Bank seem to have been extremely slow to terminate them, despite stated Visa/MC standards. We know some of the Charter Pacific Bank story. A Heartland Bank representative claims that they investigated the chargebacks and notified the FTC. Unlike Charter Pacific, there are no FDIC actions recorded against Heartland Bank. Heartland Bank may not have had any participation in the fraud; they may be victims of J K Publications themselves.
The FTC is very interested in this type of crime. They will review reports from foreign victims when the operation is US based. Complete the online form at http://www.ftc.gov/ftc/complaint.htm so you are eligible for reimbursement. They usually act when they receive many complaints.
The US Secret Service has jurisdiction over credit card and access device crimes if the credit card is underwritten by a US bank. However, they consider the Bank to be the injured party, and not the card holder (who is theoretically reimbursed by the bank). They are also not set up to deal with many small losses. In the words of one authoritive source:
Due to the size of most losses, the federal agencies (FBI and Secret Service) tasked with investigating credit card fraud are unable to do anything. Regardless of the crime, they generally don't have the manpower to go after anything less than $100,000. Local law enforcement agencies generally don't understand the problem and therefore are reluctant to get involved. Additionally, since the merchant generally is the loser, not the cardholder (the merchant takes the loss 99+ percent of the time) there is frequently a jurisdictional issue.
Over the past three years many alternatives to credit cards for e-commerce transactions have been proposed or tested. None have succeeded. This experience underscores the need for a modern alternative to the antiquated and insecure credit card transaction system. Anyone proposing an alternative to credit cards, such as a micro-commerce network, should use this experience in marketing and planning. In the meantime, Banks and Visa/MC have many ways to improve transaction security and fraud management.
I think this is a fascinating story, though it's usually misrepresented (in my opinion) as an "Internet" scandal. [11] I really believe this is primarily a finance and banking scandal, and a dramatic example of the fragility and unreliability of our current credit card transaction system.
Here are some "talking points" for use by journalists, or in writing a letter to a newspaper:
The fraud consists of creating fraudulent recurring e-commerce transactions on Visa credit and debit cards around the world. There have been a large number of reports from the US, Japan and Europe. We believe the number of persons affected is in the tens to hundreds of thousands.
Charges typically appear with the company names N-Bill, Webtel and MJD Services. These companies also handle accounts for pornographic web sites; this has resulted in embarrassment and employment problems for some victims.
This fraud is affecting persons who've never used their credit card numbers on the Internet. We suspect it involves both the theft of credit card numbers and the use of software that generates "well formed" credit card numbers.
Banks that handle MasterCard and Visa accounts often have almost no transaction validation for small transactions. Many times a credit card number alone, even a number for a closed account, is sufficient to create a recurring transaction of $19.95 or so.
Banks want to get a piece of the emerging e-commerce marketplace, but the existing Visa/MasterCard system, as implemented by many banks, is not suitable for e-commerce. They prefer not to have this weakness widely known. Most customers have had Visa cards, there has been one report of an American Express charge.
Many banks have treated their customers very poorly, and have been very slow to reimburse for the fraudulent changes. They have also been unable to block new transactions occurring. See Bank Hall of Fame and Shame.
Banks put the burden of reviewing transactions on customers, but they don't provide enough information in typical credit card statements to make transaction review feasible.
Information on the fraud has been gathered through the creation of web sites in Japan and the US, which in term have received hundreds of reports from victims around the world. The simultaneous work of hundreds or thousands of victims, using the Internet for research, has allowed a remarkably detailed picture to emerge.
There's been a new note to my incoming spam recently. I'm lately seeing advertisements for the ability to create "merchant accounts" through which a vendor can bill Visa and MasterCharge. Spam scams often follow a pattern of the spammers first exploiting a scam, and then, once they've skimmed the finest opportunities, they promote the scheme to the "suckers" at large. Spammer promotion of merchant accounts lends another angle to the Webtel/N-Bill fraud. Again, the onus is on the credit card companies to do some minimal regulation of who gets a merchant account. Sloppy regulation of merchant accounts is likely a key component of this scam. Here's a sample spam, edited for brevity ...
INCREASE SALES UP TO 50% ACCEPT CREDIT CARDS OVER THE INTERNET ***NO SETUP FEES Good Credit / Bad Credit/ No Credit ***NO PROBLEM*** It Just Doesn't Matter - Everyone Gets Approved
We Specialize In Servicing The Following: *Multilevel Marketing *Mail Order/ Phone Sales *Home Based Business *INTERNET BASED BUSINESS *New Business* Small Business Whatever!! We Do It All!!!
A fast and reliable way to process credit cards through your web site The Internet's reach is global - it knows no time zones or physical boundaries ...
... lets say a customer visits your web site and decides they want to buy your product(s) or service(s). They would simply enter their credit card information and receive an approval WITHIN 5 SECONDS ...
From that point on, the sale is complete and the money will be directly deposited into your business checking account within 24 to 48 hours.So you will have LIQUID ASSETS AVAILABLE ALMOST IMMEDIATELY!!! ... you will be receiving orders and making money in your sleep!!!
Some banks are treating customers well, others are refusing refunds, are unable to block continuing charges, accuse victims of being criminals, or generally provide shabby service. Here's a partial listing of the Famed and Shamed.
| Fame (Good Banks) | Mixed | Shame (Bad Banks) |
|---|---|---|
| American Express Barclay's UK Beneficial Bank Chevy Chase Bank of MD NationsBank Seafirst Bank Sumitomo Credit Wells Fargo |
Citibank MBNA US Bank [7] |
First USA (extra bad) Chase Mellon Bank NICOS (Nippon Shinpan) Charter Pacific Bank [9]
|
None any longer -- this is an old story now!
| [1] | I was misquoted in the article, however. I actually said, in reply to a question, that I didn't feel "shocked or invaded". Somehow this turned into feeling "shocked and invaded", which sounds rather Oprah-ish and is quite unlike me. I'm surprised about the unsuitability of credit card transaction systems for e-commerce, but not about someone misusing my credit card. |
| [2] | The FTC's filings suggest they suspected that a credit card
generator was used in this case. Later data, however, implicated Charter Pacific Bank. Many persons find it hard to believe that credit card number generators can work. Believe it. I've had verification from the most absolutely reliable sources, including Visa's central security office. Knowledgeable hackers assure me they've been in play since the 80s. (Probably one of the first personal computer commerce applications.) A popular game for teen hackers is to use a generated card number to sign up for a free month, then cancel the subscription before the month ends. In theory the charge holder is never aware of the transaction. Of course if the numbers that teen hackers use were in a batch that was stolen by the Netfill gang, then real transactions would start to appear on the victims credit reports. This is a way that generated numbers might have been unwittingly used by the Netfill gang, when they thought they were using stolen numbers from persons who had signed up at some time for adult web sites. |
| [3] | Kragen Sitaker,
who knows something of these matters, writes "... this is one of the first documented
instances of pseudo-spoofing being used to defeat reputation systems." In Kragen's
words (quoted with permission):
|
| [4] | If you call the phone number on the credit card slip, you get a voice mail line. It is quite difficult to access a human, but some have managed this. By exploring the line you learn that they are selling pornography. You should know, however, that when you call a toll-free number (800/888), the vendor gets your phone number (CNI system). Unlike caller ID, this cannot be blocked. They may also receive additional address information from the phone company monthly, or use a reverse look-up service to acquire address information. This information can then be resold, which may bring a new flavor your junk mail and junk phone calls. |
| [5] | This interesting report comes from a knowledgeable source:
|
| [6] | The undated (probably Sept/Oct 1998) fax from Online Billing was forwarded by our Japanese contact (Yakei).
Though it was written by Americans to a foreign bank, it has several spelling errors and
poor grammar. Two paragraphs are interesting. The first is a cute smear against the
victims of this fraud. The second suggests they were trying to avoid chargebacks.
Chargebacks will eventually shutdown a merchant account, reguiring a new alias.
|
| [7] | US Bank is my own bank. They eventually did make up all the fraudulent charges, even the ones they initially said they wo.0000000uldn't pay (more than 60 days old). This moved them form the Shame to Mixed category. On the other hand they were quite disorganized, and their fraud division and customer service departments didn't seem to be talking to one another. If you have to work with them, try to go directly through the Fraud Division (800-260-8469) and forget customer service. |
| [8] | In the MSNBC story a Visa spokesperson was quoted as saying that the security concerns expressed on this page are quite incorrect. I certainly hope that's true! On the other hand, even if Visa is unable to outline all the security precautions they allegedly take, I think they ought to be able to tell us how this scam was able to go on for so long, and what will prevent similar scams in the future. |
| [9] | See Charter Pacific Bank story. |
| [10] | From a purely personal perspective, this was rather dreadful. I'm looking down and to the left because I was told to look to my interviewer, and that's where she sat. Next time I'm reviewing the camera angles myself! |
| [11] | Journalists share some common vices with physicians. We all tend to construct a "narrative" pretty quickly, and we don't like revising it. With patients we physicians tend to develop a diagnosis very quickly, and we may disregard contradictory evidence or ignore seemingly irrelevant data. Journalists do the same thing. Most of the time I'm interviewed it's very clear what I'm supposed to say. If I don't cooperate the journalist will often repeat a question in various forms, evidently hoping that sooner or later I'll give them the response they want. |
| [12] | In the US it does not appear to be illegal to sell credit card numbers. Nothing surprises me any more. |
| [13] | "Well formed" credit card numbers will pass the checksum and other tests used by processors. Software to generate these well formed numbers is available on hacker sites; the algorithms have been a part of several shareware packages for years (see http://www.creditnet.com/ccs/ccn-shareware.html for examples). I have some Credit Card Generators screen shots for review as well. [2] |
| [14] | U.S. CRACKS DOWN ON NET PORN FRAUD |
| [15] | There appear to be 3 ways to keep a reasonably controversial web page accessible:
|
See also Litigation and Regulatory.
The opinions expressed here are my own. The information is based on multiple sources, which I cross-reference and independently check as often as possible. I can only describe the persons and organizations that have been associated with this fraud, but I cannot assign guilt.
I am indebted, however, to many, many persons who contributed advice, expertise, personal experience, their own research, and observations. I am particularly indebted to Ric Ford of Macintouch, who brought in a great amount of information by placing references to this page on the popular Macintouch web site. "Yakei", from Japan, has helped a great deal. Mike Brunker of MSNBC wrote a nice piece, which my mother will love. Many other persons prefer to remain anonymous, but their initials and some names are credited above. Ironically, not a few valued contributors are active in the "adult" industry -- this type of fraud strikes at the heart of their business.