Reporting Stolen Credit Card Lists? 78
harlows_monkeys asks: "I just received a spam, at both home and work, both sent through trojaned Windows machines, offering to sell me a credit card database stolen from camcontacts.net.
Included was a link to a sample of the database (no, I'm not providing a link!). I downloaded the sample, and it appears legit. There are 13000 numbers. I picked one of the Visa numbers, went to Visa's web site, and entered it in a form to sign up for fraud protection, and it accepted it, and identified the issuing bank. It was accepted. All indications are that this stuff is real.
So, the question arises--what is the correct way to deal with this?
"I called Visa, and after they spent a while figuring out what department was responsible, all they could suggest was call local law enforcement, and if I wanted to talk to Visa's security people, call back at 9am when they get in.
American Express didn't even suggest calling local law enforcement. They just suggested calling back when their security people got in in the morning.
I then called the FBI. They said to call the Secret Service and gave the number.
At the Secret Service, I ran into an answering machine that gave their office hours.
It seems to me that there should be -someone- who would be interested in a widely-sent spam that links to 13000 credit card numbers, with expiration date and customer name and zip code, so as to stop these from being fraudulently used, but it escapes me who that would be--I struck out with all my candidates.
Is it just me, or does the indifference of Visa and Amex to this shock anyone else?"
call the local news media (Score:5, Insightful)
Re:call the local news media (Score:4, Funny)
Re:call the local news media (Score:2)
Each day delayed in shipment means a delay of when the real card owner gets "notified".
-Grump
Re:call the local news media (Score:5, Insightful)
Yeah, and they'll answer their phones in the middle of the night, too...
Good grief! The poster is calling companies in the middle of the night expecting them to have crack 24-hour teams ready to deal with the information he has? Surprise! The vast majority of people work during business hours.
SO CALL THEM DURING BUSINESS HOURS! Both credit card companies offered to have you talk to their security people, so give 'em a call.
Even talking to the police, nobody is going to want to take a statement from you or have any detectives talk to you, except during the work day.
(I'm posting at 4am local time -- I know what insomnia is; that doesn't mean I expect to be able to conduct normal business right now)
- Peter
Shopping spree? (Score:2, Funny)
But seriously, either the secret service, the credit card companies OR the Unites States Postal Service (I believe it's a crime to "mail" stolen items).
Re:Shopping spree? (Score:4, Funny)
Re:Shopping spree? (Score:3, Funny)
Fast, reliable, friendly.
1 sheet 4in*24in toilet paper. Lightly soiled, stolen from public bathroom. Starting bid $0.99. $20.00 shipping fee (biohazard)
1 used condom, stolen from slut next door. Bid Now(she's really cute!) Staring big $13.95 + $10.00 ship (keep it frozen, dry ice costs money too!)
"Uncontrolled yogurt" aka: rotten milk. Stolen from my roomate's side of the fridge. Starting bid $0.01 + free ship. (I want to get rid of it).
Female
Re:Shopping spree? (Score:2)
no surprise (Score:5, Insightful)
Re:no surprise (Score:4, Insightful)
The telephone reps probably just don't have the authority to override business hours.
Re:no surprise (Score:1)
Re:no surprise (Score:2)
I'm certain the all my bank/credit cards have a 24/7 stolen card phone line you can call up to have your card cancelled.
If they dont have 24 hour staff that can handle larger scale fraud, they should damn well get some.
stolen/lost (Score:1)
Call Me. (Score:3, Funny)
Er... wait...
Report them. (Score:2, Informative)
Re:Report them. (Score:2)
-Grump
Re:Report them. (Score:1)
Re:Report them. (Score:2)
FBI? (Score:1)
Perhaps you need to find out who your local FBI contact is. If the FBI doesn't handle this (as in counterfeiting going to the Secret Service) then you need to find out who else to contact (maybe your gool ol' local sherriff could send you in the right direction).
Re:FBI? (Score:1, Redundant)
Re: (Score:1)
Oh, use your fucking head. (Score:3, Insightful)
Yes, and they've already told you who they are: the various security departments, who will be reporting to work at 9 in the morning.
What, you thought investigative agents hang around 24 hours a day? No, they value sleep.
Re:Oh, use your fucking head. (Score:4, Insightful)
Don't you have shift work in America? We have a system where one set of people go home, and another comes in to replace them. It's very useful for Fire departments, hospitals and security departments. In fact anywhere that needs to be manned 24 hours a day.
Criminals don't knock off at 5pm.
Re:Oh, use your fucking head. (Score:5, Funny)
They do if they're union.
Re:Oh, use your fucking head. (Score:4, Informative)
There is no credit card emergency that cannot be handled the next business day.
Hell, the credit card purchases themselves take a couple days before they're finalized. Even then the companies can "undo" purchases if they are later shown to be illegitimate.
So, there is no point to having a ten-minute investigative response time to credit card fraud. Next day, yes, but 3 AM? Waste of money.
Re:Oh, use your fucking head. (Score:2)
Only having investigatve agents available during normal business hours is fine, but how about suspending or cancelling the cards? I'd have expected them to be able to handle that 24/7.
Re:Oh, use your fucking head. (Score:2)
Certainly they can be cancelled at any time -- I've had to do it myself -- but that's not what the poster was complaining about.
FBI (Score:3, Informative)
Re:FBI (Score:2)
Definitely. Even if your particular access to the sample is local, as long as the access is not obviously restricted to local, it is assumed to be available interstate. That's FBI jurisdiction.
Depending on circumstances, sometimes the FBI requests you contact local law enforcement and have them file a report first, providing evidence that the FBI should be involved. Not su
Re: (Score:1)
Details! (Score:3, Funny)
What was the subject of the email???
I recieve 100+ spams a day, that email may still be in my spam folder now!!
Re:Details! (Score:1)
about stolen cards (Score:5, Informative)
So the ones that get hurt are the businesses that accept stolen cards. But any decently run business should be able to verify the authenticity of the sale by checking the billing address and security numbers on the card.
BTW, calling the card companies and police in the middle of the night and then being shocked by the unresponsivenes is unfair or pain dumb.
Re:about stolen cards (Score:5, Informative)
1. Customer fills out a form with name, address, card number, etc.
2. Details are transmitted to banking network.
3. Banking network either gives the go-ahead or declines the charge.
4. Retailer proceeds based on banking network's response.
This system is flawed in several ways:
1. The retailer doesn't have access to the banking network's records, so there is no way for the retailer to perform his own checks. The banking network must be trusted without question. Try this: Pay for something on a web site, giving your legitimate credit card details but a made-up name and address. The charge will probably be accepted. Why? Because the name/address comparison is done loosely to allow for people typing stuff differently from how it is recorded, ie: "14a Halifax Street" is typed as "14 A HALIFAX ST". Bear in mind that credit card companies PROFIT from fraud, you can imagine how loose this comparison is. Some people would allege that there is no comparison done at all.
2. Sometimes the banking network will enter a "default positive" state, during which time ALL charge attempts will be approved. Fraudulent charges accepted during this time, which may only last for a few minutes, will often not be cancelled for several days. The merchant may or may not be fined for these charges.
3. The banking network's block list is based on factors such as reports of stolen cards, police information, etc. As far as I know there is no system in place to allow merchants to report fraudulent charges. A merchant is able to cancel a suspicious charge (and, as a slap in the face for running his business ethically, be fined for doing so) but that's all it is, a cancellation, the banking network will still allow the same fraudster to make another charge on the same card elsewhere.
Believe me, if other retailers are anything like me, they are ultra-paranoid in trying to prevent fraud. But ultimately we don't have access to the data we need, our on-the-ground feedback isn't wanted, and when the banking network lets us down we lose money on the sale and we are automatically fined with no appeals process and no way of knowing who fined us.
Re:about stolen cards (Score:3, Informative)
Re: (Score:2)
Re:about stolen cards (Score:2)
You've discovered a dirty little secret... (Score:5, Informative)
That's the way the system works. I know firsthand. Every merchant that does non face-to-face transactions will eventually get bit and when it happens, all the credit card company cares about is getting their money back from the merchant. They are not interested in fraud investigation. Why should they? That costs money. It's much easier to make the merchant cover the costs. He has to in order to keep his account.
It's a terribly broke system, but the people with the gold make the rules. Sorry I sound so bitter, but I learned a $1700 lesson on this one...
Re:You've discovered a dirty little secret... (Score:2)
You're very right, it works like that. I learned it the +/- $30,000 lesson here.
Re:You've discovered a dirty little secret... (Score:2)
We try VERY HARD to educate our non-face-to-face merchants (MOTO, or Mail Order / Telephone Order) on fraud protection. There's an Address Verification Service available for MOTO merchants: for more fraud protection, you check the street address and zip code of where
I am not a lawyer. (Score:5, Informative)
First off: find your state Attorney General's office and email them. Almost every state AG office has an email address, and many of them give timely responses. Don't wait until morning: do this tonight.
Second off: tomorrow look up the Federal District Attorney's phone number. Call first thing in the morning (9:00am sharp!) and ask to speak to the Financial Crimes Division. Someone in that office is tasked with financial crimes, believe you me, and that's the person you want to talk to. Get that person's name and phone number. Make an appointment as soon as possible--this is the entire reason for calling early in the morning, since their schedules are more open then. Make sure to tell them that you've received a solicitation to purchase stolen credit card numbers, and the numbers appear real.
Third: call the Secret Service during regular business hours. Again, ask for Financial Crimes. They may not have an office in your area. If they don't, they'll pass the buck back, perhaps to the FBI, perhaps to some other Treasury department. If they do this, ask the Secret Service agent for a particular agent to call, and ask the Secret Service agent to let this particular agent know you'll be calling. Federal law-enforcement tends to pay more attention to you if you're directly referred by another law-enforcement type than if you say "yeah, the Secret Service told me I needed to call you guys..."
Fourth: contact your local bank. As in, the bank you do business with. Calling the credit-card companies will be a fool's errand; there are tons of them and you have no clue how many of these numbers are Visa, how many are Mastercard, how many are Discover/Novus, etc. Your bank most probably has business relationships with all of them. Call your bank and ask for an appointment with whoever's responsible for fraud control.
At this point, you've covered your bases pretty well. Banks, prosecutors, FBI/Secret Service, state attorney general's office. Take a breather. You've done good. Wait for them to get back in touch with you.
Tomorrow, call the news media. Make sure to tell them which agencies got back in touch with you and which agencies didn't, which agencies took it seriously and which agencies couldn't be bothered to give a damn.
Re:I am not a lawyer. (Score:3, Informative)
Re:I am not a lawyer. (Score:2)
Re:I am not a lawyer. (Score:1)
Uhm.. just a suggestion (Score:2, Insightful)
Credit card fraud is good for card issuers (Score:5, Interesting)
To offer some personal experience, I've reported credit card fraud to the police and been told by the investigating officer: "I have a pile of drugs cases that will take a year to investigate. This report will go to the bottom of that pile."
Credit card fraud isn't taken seriously. The reason is that credit card companies *profit* from fraud, so they don't make a fuss. If someone uses a stolen credit card number to make a $100 purchase then all the credit card company does is take the $100 back from the retailer and charge them $15+ for the privilege.
If the retailer doesn't like it then they have two options, either (1) shut up or (2) stop accepting credit cards and close their business.
It beggars belief that the mainstream media hasn't covered this, but I guess it all boils down to it being "business vs business" (credit card companies vs retailers) so as long as consumers aren't getting hurt, the media doesn't have an audience to tell the story to.
Last year, Visa introduced a $375 annual charge for Internet merchants that want to accept Visa payments. They even had the cheek to charge double the first year. The stated reason was to cover the costs of fraud. Following the introduction of the annual charge, the fines imposed upon merchants went UP. Internet merchants cannot prevent fraudulent charges because that is the responsibility of the credit card companies, but merchants are now paying an annual charge to cover any fines, as well as still paying the fines which are higher than ever. Credit card companies continue to do practically nothing to prevent fraud. Again, every time someone commits credit card fraud, the card company gets richer.
If you think you've ever had a raw deal as a consumer, you should try working with credit card companies. They -- especially Visa -- are the personification of corporate evil. They operate with practically no accountability and no appeals procedure, imposing new rules and charges whenever they choose and merchants have little choice but to agree to them. Some merchants do not even have any way of knowing which company they have been fined by! Think of credit card companies as PayPal at their worst, multiplied by a thousand.
One idea I've had, inspired largely by the "full disclosure" ethos of the software security community, is to write a text file explaining the very simple way to make credit card payments for services over the Internet without (1) ever having to pay for the service, or (b) breaking the law in a way that can be prosecuted. I'd then post the document on a server in a country with a zero censorship policy and distribute the link. The hope, perhaps foolish, would be that *widely* disclosing a known loophole would cause credit card fraud to go through the roof and, amid a flood of bad publicity, force the card companies to change their policies.
The only reason I haven't done this yet is because -- and I know it's selfish -- my business accepts credit cards over the Internet so I'd be committing financial suicide.
Someone's going to do it, though, sooner or later.
Re:Credit card fraud is good for card issuers (Score:2)
One online store I've done work for got stung several times by fraudulent credit card transactions. As several have already pointed out, it's the merchant that gets screwed.
Anyway, we reported it to the police here in the UK. They weren't interested and said "it migh
Re:Credit card fraud is good for card issuers (Score:4, Interesting)
After I'd done everything I could to prevent him from using his credit card on my site, which basically came down to wildcard blocking, he started trying to pay by cheque and even sent me two cheques, both of which were made out incorrectly. I assumed they would bounce so I didn't even try to pay them into my bank, I just gave the police the details.
The info I gave to the police was:
1. The guy's e-mail address from a major ISP that charges a monthly fee, which should mean they have his correct name and address on file, a valid card number, or at the very least a record of his phone number.
2. Several aliases and alternative e-mail addresses that he used.
3. His bank account number and branch address.
4. And I offered to supply copies of all e-mails he had sent me, including headers, but these weren't wanted.
So far, nearly 18 months later, the result has been precisely nothing.
The situation with credit card fraud on the Internet gets me so mad. I have seriously considered committing fraud against a bank or a major retailer and then reporting myself to the police, just to create a 'newsworthy' story for the media to cover, to raise awareness of the larger issue.
I couldn't really give a damn about the money. I get by from day to day, not rich, not poor, and that's fine for me. But the principle makes my blood boil. I believe in FAIRNESS and credit card companies are NOT fair. They treat merchants like their own personal piggybanks, taking money whenever they feel like it because of their own slack security, and then they tell the public that they're committed to preventing fraud. They aren't preventing fraud at all, at least not from where I'm sitting -- they're just reaping the rewards by allowing merchants to be ripped off and then fining them.
Re:Credit card fraud is good for card issuers (Score:1)
Re:Credit card fraud is good for card issuers (Score:2)
So, how about only telling us here at Slashdot? Oh, and which is your business? 8-)
Re:Credit card fraud is good for card issuers (Score:1)
Re:Credit card fraud is good for card issuers (Score:2)
What the original poster was talking about is essentially identity theft (yes, taking someone's credit card and making charges, pretending that you are them, is ID theft.) As you can see in the US, identity theft, despite now being one of the top financial crimes in the country, with thousands of innocent citizens affected, is not a serious prio
Re:Credit card fraud is good for card issuers (Score:2)
I'm not trying to sound like "the guy with the secret" but it isn't identity theft. It is based on knowing how credit card companies' internal policies differ from their publicly stated policies.
You do something specific when you pay. Then you tell your credit card company something specific in writing. You get your money back. You will be breaking the law but in a way that would not realistically be possible to prove, so there is litt
Re:Credit card fraud is good for card issuers (Score:2)
Actually, you can (Score:2)
How do I know this? Well, after being repeatedly defrauded by one person to the tune of $2000 (he was/is using a list of stolen cards, bouncing off a different unsecured proxy each order), I called our merchant bank, exasperated, and said "
To check if your credit card number is stolen.... (Score:1)
What to do (Score:2)
No doubt, prepare to go to jail now. The theft of the numbers causes VISA no ill effect. At worst, if they are used to purchase things, the stores themselves will have to eat the cost. VISA, on the other hand, has MUCH to lose if you let the world know how shoddy thier security is. You did sign up for fraud protection with a valid number, something that will probably add some small annual fee to the guy's card, so you are probably now
Re:What to do (Score:2)
No, I went through the first step of signing up, which was to enter a Visa number. I didn't complete the sign-up.
Same run around (Score:5, Interesting)
About a month ago, I received a similar email from a trojaned Earthlink account. I contacted Earthink abuse first and they basically said not our problem, not our customer doing it. They maintained that since someone else was controlling the account, not the customer, they weren't interested. I responded saying that it was their IP address and they should alert their customer but got no response. Likely, it was a low level support person answering the email but you'd think that they'd forward it on to someone in authority.
I got no response from the credit card companies that I contacted or a nice remark about "if _your_ card is affected...". I didn't even bother with the feds since in the past they've only been interested in large dollar amounts affecting large companies. And local cops are not the answer to an internations credit card number theft ring.
I'm usually too busy to deal with this sort of crap and I let it drop since I'd too much to do (yea, yea, I know). Didn't remember until this came up.
A card of mine was one of the million plus stolen from the old onsale.com database breakin several years ago. I noticed a $10 charge by a "Moscow Telecom" and notified my bank. They responded that their had been a theft and they were immediately replacing cards (via ground mail) that showed activity like this and that my card was one of the affected cards. They actually said that they had a list of all of their cards that were affected but were only replacing cards showing suspicious activity! I was floored. They also said that small transactions were being posted against the cards because most people failed to check their statements or if the did figured that since it was small, it must be right and they didn't remember. $10 times 1 million plus cards is a lot of scratch every month.
"World's Largest Credit Union" indeed. Acted more like a big bank not wanting to get stuck with a big expense.
Maybe next time, I'll forward it to Interpol first but they are also a bureacracy too.
Re:Same run around (Score:2)
If your bank does not protect your money, then why do they have it? It's their job to protect it!
As noted in this story, when something does happen, bank officials a
Call the FBI ASAP (Score:1)
Re:Call the FBI ASAP (Score:3, Insightful)
The Feds Aren't Doing Their Job - REPORT THEM (Score:2)
For the FBI - call the Dept. of Justice Office of Inspector General Hotline [usdoj.gov] (800) 869-4499.
When you call, remind both of them that active stolen credit cards can be used by terrorists to purchase things like AIRPLANE TICKETS, and that you do not find it acceptable that these agencies responses were not prompt and definitive.
These Hotlines must come to some final resolution for every reported al
Re:The Feds Aren't Doing Their Job - REPORT THEM (Score:2)
business hours (Score:2)