Network News

X My Profile
View More Activity

Modern Mischief and the Digital Prankster

As a teenager, I played my share of lame practical jokes and stupid pranks. I can remember a spate of midnight ring-and-run missions, and more than a few prank calls -- usually involving heavy breathing or asking if there was a John in the house. But as technology makes it easier than ever to reach out and annoy someone, it's also easier than ever to cross the line between immature stunts and criminal acts.

Yesterday, I heard from Leslie, a Security Fix reader in Washington who recently had more than $200 worth of pizza delivered to her house from two different local establishments. Naturally, she had not ordered the pies, and proceeded to quiz the managers at the respective pizza places as to the source of the orders. In each case, the managers said the orders had been placed via IP relay services -- Internet-based call services used by the deaf and hard of hearing.

Last month I wrote about how the government is trying to figure out how to cut down on the growing amount of fraud and abuse being perpetrated with the help of these taxpayer-funded services, but that's not the focus of this column. While Leslie was on the phone with the pizza joint, her credit card company called, asking if she approved the purchase of all the pizzas. She explained that she hadn't, but then was taken aback at how the pranksters obtained her credit card information in the first place. Switching back to the pizza place, she was told that someone from her residence had ordered pizza from there before, and so the establishment had simply stored her credit card number in their database. So when the pranksters ordered the pizzas, they were automatically charged to her card.

I wonder how many companies store credit card numbers like this? On the one hand, the business may see storing such information as a convenience for the customer -- but on the other hand, not having to protect and safeguard that data would seem like an attractive option for businesses in an era when hackers are trying harder than ever to break in solely to steal that information.

Some companies online will ask you if you want them to store your credit card information for future purchases. One of my favorite online stores -- Newegg.com -- does this, and even though I am fiercely loyal to their excellent customer service and great bargains, I've never asked them to store my data. It would be nice if more companies gave customers this option; my gut tells me that most companies who do not are simply storing the numbers in a database somewhere.

Anyway, back to the story. So Leslie had just gotten the delivery guys to take back what she never ordered, and asked Visa to remove the charges from her account. Meanwhile, the pizza stores were out a lot of dough from the orphaned pies that were now congealing in a mass of cold grease. A few hours later, while at the supermarket, Leslie received a call on her cell phone from her daughter. Apparently, a suggestively clad woman answering to the name of "Precious" was at the door asking for her son by name.

Leslie said she then called Gerald -- we'll generously call him the "human resources manager" at the escort service that employed Precious -- and learned that Precious had also been summoned to her address through the very same IP relay service out of Minneapolis that was used in the pizza fiasco. (Thankfully, the escort service did not also have her credit card number on file from a previous transaction.) Needless to say, Gerald was none too pleased to hear that Leslie's son would not be needing an escort, a precious waste of time indeed at $220 an hour.

Gerald also was interested in finding out who might have been responsible for the phony order, but alas he was at a loss for what to do other than contact the police. Leslie said she filed a report with the cops, but added she is not sanguine that anything will come of it. She thinks the person responsible might be a reclusive local boy who may harbor a grudge against her son.

"I suspect it is another kid, one who knows my son, and I want whoever it is to know that I know who he is, and subsequently his parents and the school, as well," Leslie said.

At any rate, this type of fraud certainly ranks below cyber crime, cyber stalking, and even cyber bullying (the US-CERT this week put up a set of tips on how to deal with cyber bullies). I don't know if there's already a term for this type of behavior (cyber harassment?), but nonetheless it is certainly illegal on a number of levels.

Does any of this sound familiar? Have you, your family, or anyone you know been the target of cyber harassment? Drop us a line in the comment section below.

By Brian Krebs  |  June 1, 2006; 12:35 PM ET
Categories:  Latest Warnings  
Save & Share:  Send E-mail   Facebook   Twitter   Digg   Yahoo Buzz   Del.icio.us   StumbleUpon   Technorati   Google Buzz   Previous: Redmond Derby: Microsoft Meets NASCAR
Next: Circuit City Support-Site Hack Installed Spamming Program

No comments have been posted to this entry.

The comments to this entry are closed.

 
 
RSS Feed
Subscribe to The Post

© 2010 The Washington Post Company