
An Odyssey of Fraud

Andy Kordopatis is the proprietor of Odyssey Bar, a modest watering hole in Pocatello, Idaho, a few blocks away from Idaho State University. Most of his customers pay for their drinks with cash, but about three times a day he receives a phone call from someone he's never served -- in most cases someone who's never even been to Idaho -- asking why their credit or debit card has been charged a small amount by his establishment.

Kordopatis says he can usually tell what's coming next when the caller immediately asks to speak with the manager or owner.

"That's when I start telling them that I know why they're calling, and about the Russian hackers who are using my business," Kordopatis said.


The Odyssey Bar is but one of dozens of small establishments throughout the United States seemingly picked at random by organized cyber criminals to serve as unwitting pawns in a high-stakes game of chess against the U.S. financial system. This daily pattern of phone calls and complaints has been going on for more than a year now. Kordopatis said he has talked to the company that processes his bar's credit card payments about fixing the problem, but says they can't do anything because he hasn't actually lost any money from the scam.

The Odyssey Bar's merchant account is being abused by online services that cyber thieves built to help other crooks check the balances and limits on stolen credit and debit card account numbers. In April, I wrote about a pet store in Buffalo, N.Y., whose merchant account was being similarly abused by another card-checking service. In that story, I cited research on this trend by Lawrence Baldwin, a security consultant in Alpharetta, Ga., who has been working with several financial institutions to help infiltrate illegal card-checking services:

The services are advertised on Internet forums that facilitate identity theft, and cater to criminals who wish to buy large numbers of stolen credit and debit cards. Using such services, the would-be buyers can quickly verify whether a random sampling of the cards is still active, and -- for an additional fee -- the available balance on each card. In most cases, the only barrier to new customers signing up at these services is the ability to speak and read Russian, and the ability to pay with one of several virtual currencies, such as Webmoney.

Baldwin estimates that at least 25,000 credit and debit cards are checked each day at three separate illegal card-checking Web sites he is monitoring. That translates to about 800,000 cards per month or nearly 10 million cards each year.

Baldwin said the checker sites take advantage of authentication weaknesses in the card processing system that allow merchants to conduct so-called "pre-authorization requests," which merchants use to place a temporary charge on the account to make sure that the cardholder has sufficient funds to pay for the promised goods or services.

Pre-authorization requests are quite common. When a waiter at a restaurant swipes a customer's card and brings the receipt to the table so the customer can add a tip, for example, that initial charge is essentially a pre-authorization.

With these card-checking services, however, in most cases the charge initiated by the pre-authorization check is never consummated. As a result, unless a consumer is monitoring their accounts online in real-time, they may never notice a pre-authorization initiated by a card-checking site against their card number, because that query won't show up as a charge on the customer's monthly statement.

In fact, in most cases when banks are alerted to the card-checking activity, it is because a credit card customer is regularly checking their online statement or has signed up with their bank to receive e-mail alerts each time a charge is initiated against their account.

The crooks have designed their card-checking sites so that each check is submitted into the card processing network using a legitimate, hijacked merchant account number combined with a completely unrelated merchant name, Baldwin discovered.

On June 11, Kordopatis heard from Keri Tetlow, a mother of three from the suburbs of Houston. Tetlow, who watches her family's debit account balance like a hawk from their home computer, said she called Odyssey Bar because she noticed a $2.77 charge from the establishment. Tetlow said that after checking with her husband to make sure he hadn't made the charge, she decided to wait and see if the pending charge would clear. It never did.

But a few days later, Tetlow spotted $300 missing from her checking account, which she noticed was due to two unauthorized charges at an Office Depot on Broadway in New York City. So she called her bank. After confirming neither she nor her husband had lost their debit card, she told the bank to cancel the card.


While Tetlow was still on the phone with her bank, another charge appeared, for $177, this time at an Adidas outlet just a few stores down the street from the Office Depot. She called both stores, and learned from the managers that -- although each had video footage of the perpetrators -- they could only release that footage to the police. While she was on the phone with the Adidas store, someone else from her bank called to ask whether she really just tried to charge $650 to a Stereo Exchange in Manhattan.

"I told the lady from her bank about the videos and she said, 'There isn't anything we can do with that. That's a matter for the police. Really, we're just going to get you your money back.' And then she says, 'In the meantime, I think it would be a really good idea for you to get this ID theft protection service that we offer for $11.99 a month,'" Tetlow said. "I said, 'Are you kidding me? You haven't even given my money back yet, and I was the one who called you up about this!'"

Baldwin said the thieves running the card-checking sites are counting on the fact that companies that operate different parts of the financial processing system -- including issuing and acquiring banks, and the merchant -- traditionally do not share fraud data with each other, or even signs of unusual activity. Some, like Tetlow's bank, even use the opportunity to sell more services.

"The problem is that the detail of each individual entity's perspective at a transaction level is restricted or filtered," Baldwin said. "But if everyone involved shared this pre-authorization transaction information, these guys would not be able to do these card checks, because the patterns are ridiculously obvious when you can see all of the components at once."
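The pattern Baldwin describes, sketched as an added example that is not from the original article or from any processor: joining the acquirer's registered merchant name with the name sent on each pre-authorization, and with whether that pre-authorization was ever captured, makes a hijacked merchant account stand out. The record layout, merchant account numbers, names and thresholds are all constructed assumptions.

```python
from collections import defaultdict

# Constructed acquirer registry: merchant account number -> registered name.
REGISTERED = {"M1001": "CORNER TAVERN", "M2002": "MAIN ST DINER"}

# Constructed pre-authorization records (not real data):
# (merchant account, merchant name sent with the request, card token,
#  amount in dollars, whether the pre-auth was later captured as a charge)
PREAUTHS = [
    ("M1001", "CORNER TAVERN", "card-01", 18.50, True),
    ("M1001", "CORNER TAVERN", "card-02", 22.00, True),
    ("M1001", "WEB SERVICES LLC", "card-03", 2.77, False),
    ("M1001", "WEB SERVICES LLC", "card-04", 1.00, False),
    ("M1001", "WEB SERVICES LLC", "card-05", 3.15, False),
    ("M1001", "WEB SERVICES LLC", "card-06", 2.10, False),
    ("M1001", "WEB SERVICES LLC", "card-07", 1.95, False),
    ("M1001", "WEB SERVICES LLC", "card-08", 2.50, False),
    ("M2002", "MAIN ST DINER", "card-09", 31.20, True),
    ("M2002", "MAIN ST DINER", "card-10", 12.75, True),
    ("M2002", "MAIN ST DINER", "card-11", 45.00, True),
    ("M2002", "MAIN ST DINER", "card-12", 9.99, False),  # customer walked out
    ("M2002", "MAIN ST DINER", "card-13", 27.40, True),
    ("M2002", "MAIN ST DINER", "card-14", 16.30, True),
]


def flag_merchants(preauths, registered, min_events=5,
                   max_capture_rate=0.5, min_mismatch_rate=0.3):
    """Return merchant accounts whose pre-auths look like card checking."""
    stats = defaultdict(lambda: {"n": 0, "captured": 0, "mismatch": 0,
                                 "cards": set(), "amounts": []})
    for mid, name, card, amount, captured in preauths:
        s = stats[mid]
        s["n"] += 1
        s["captured"] += int(captured)
        # Name on the request differs from the account's registered name.
        s["mismatch"] += int(name.strip().upper() != registered.get(mid, "").upper())
        if not captured:
            s["cards"].add(card)
            s["amounts"].append(amount)

    flagged = {}
    for mid, s in stats.items():
        if s["n"] < min_events:
            continue  # too little activity to judge
        capture_rate = s["captured"] / s["n"]
        mismatch_rate = s["mismatch"] / s["n"]
        if capture_rate <= max_capture_rate and mismatch_rate >= min_mismatch_rate:
            flagged[mid] = {
                "uncaptured": s["n"] - s["captured"],
                "distinct_cards": len(s["cards"]),
                "mismatch_rate": round(mismatch_rate, 2),
                "max_uncaptured_amount": max(s["amounts"]),
            }
    return flagged


if __name__ == "__main__":
    for mid, detail in flag_merchants(PREAUTHS, REGISTERED).items():
        print(mid, detail)
```

No single party holds all three fields in this sketch: the registered name sits with the acquirer, the name on the request is what the issuer and cardholder see, and the capture status sits with the processor.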

By Brian Krebs  |  June 17, 2009; 7:00 AM ET
Categories:  Fraud , Web Fraud 2.0  | Tags: pre-authorization scam  

Comments

Don't the merchants require authentication credentials in addition to the merchant # to do pre-authorization checks? No credentials required? Well, I suppose that the processor makes money off the transaction fees from those 100 million pre-auth transactions per year, and there is no motivation to add authentication security checks to the process.

Posted by: moike | June 17, 2009 8:53 AM

@moike -- it very much depends on the processor or network. if you're doing pre-auths, there's no consummation of that charge, so hence no loss. i guess that's why many of the companies that operate the back-end systems for these networks choose not to employ fraud detection.

at most, i think they do monitor the volume of transactions coming through, but if you look at the earlier link to the services I reference in the post above, you'll notice those services are built to stay just below that threshold, so as not to burn merchant accounts.

Posted by: BTKrebs | June 17, 2009 9:00 AM

Anti-Phishing requires Two Factor Authentication:

According to research firm, Gartner, banks, online payment organizations and other financial institutions are bearing most of the financial cost of phishing attacks. (A survey of nearly 4,000 US consumers revealed a 40% increase in the number of phishing victims in 2008 over the year before to five million.) “The findings underline the fact that the war against phishing is far from over,” said Avivah Litan, analyst at Gartner. Yes, the very same Avivah Litan who says “never” enter your PIN on the Internet unless it’s hardware based.

Posted by: anthonymfreed | June 17, 2009 10:21 AM

I've been the victim of identity theft and I was infuriated that the financial institutions involved didn't want to vigorously lobby law enforcement to investigate. I filed police reports and notified federal authorities as well. However, my local police department didn't do anything--purchases were made outside their jurisdiction. I never got any feedback from federal authorities so I presume they did nothing. Until there's a federal law mandating that financial institutions report all fraud to federal law enforcement and federal law enforcement agencies aggressively investigate, we're doomed to this problem growing. The scale is getting to the point of being dangerous (rivals the foreign-counterfeited supernote) and let's face it, the funds are being used to finance international organized crime, including the favorite catch phrase du jour--terrorism. When will someone see this as a national security issue? The fact that we may have to seek extradition of criminals shouldn't cause us to turn a blind eye to this problem. With hard data in hand, produced during thorough federal criminal investigations, we at least would have usable intelligence for senior policy makers should the political establishment not have the courage to approach foreign governments and demand action. (Russia is not our friend and I really wonder if their government is doing more than just turning a blind eye to this activity.)

Posted by: leaveoff | June 17, 2009 12:42 PM

Re: "According to research firm, Gartner, banks, online payment organizations and other financial institutions are bearing most of the financial cost of phishing attacks." It would be naive to think that the financial institutions are not passing these costs on to the customer. They're not doing as much as they could to stop this activity precisely because they're not losing money.

Posted by: ZenMan1 | June 17, 2009 1:25 PM

Seems like the real problem is that the banks and card processors don't care about fraud. They're making too much money with the current system to really clamp down, because they know that if, say, Visa really gets serious about fraud, people will switch to MasterCard because it will be easier to use.

Maybe the new cybersecurity czar can get some good ole fashioned regulation to help clean up this mess.

Posted by: strohminator | June 17, 2009 2:09 PM

Wow - how do you find these stories? Magnificent? One question: how did they get Tetlow's CC info if she insists she didn't lose any of her cards?

Posted by: Rixstep | June 17, 2009 3:14 PM

While others are tripping over themselves to give us breathless coverage of the iPhone and Twitter, Brian "Mr. Security" Krebs is shining light on subjects of import.

No, I am not a relative :)

Posted by: Dawny_Chambers | June 17, 2009 4:13 PM

The moral of this story:
------------------------

* Avoid using any debit cards with a Mastercard or VISA logo.

* The only card you should use with your checking account is a plain vanilla straight ATM card that requires a PIN for all transactions.

Nasty side effect:
------------------
* The pre-authorization can cause you to overdraft your checking account since the money blocked off by the authorization isn't available to you for 3-5 business days.

To cut your overall fraud risk,
Use credit cards instead of debit cards:
---------------------------------------

* The problem is not as acute with credit cards because you get to review the billing statement prior to shelling out your own money.

* With a Mastercard/VISA debit card, the fraudsters have already made off with your money and now you have to wait for the bank to do an investigation.

Posted by: taskforceken | June 17, 2009 4:37 PM

brian,

interesting article. i've often wondered about these pre-auths. your reply to the first comment wasn't clear to me. are you saying that some processors require pre-auths to be authenticated and some do not? in that case, would it be prudent for a merchant to choose a processor that requires pre-auths to be authenticated?

Posted by: user4733 | June 17, 2009 4:56 PM

>>>

Wow - how do you find these stories? Magnificent? One question: how did they get Tetlow's CC info if she insists she didn't lose any of her cards?

Posted by: Rixstep | June 17, 2009 3:14 PM<<<

Probably from an insider somewhere Tetlow visited or patronized. She would need to retrace her steps to determine where the problem started. I've heard of this problem before with another person (this person was hit for $1000 after someone used the debit card). After the person retraced the places where the debit was used, the person realized that the trouble started after using the debit card at a local McDonald's.

Posted by: ldsw | June 17, 2009 6:51 PM

Rixstep wrote:

"One question: how did they get Tetlow's CC info if she insists she didn't lose any of her cards?"


There are several ways. The person may have used the card online, in which case hackers intercepted the information, possibly through spyware on the computer. In another scenario, thieves may have attached a card skimming device to an ATM that allowed them to read the card information as the card was inserted or swiped. Also possible is that the thieves were running a scam at a store with an insider employee who helped them steal the card information. In other cases, cameras have also been used to steal information from the face of a card when people pull it from their wallets or purses. There are lots and lots of ways to have information stolen without ever losing the card.

Posted by: blert | June 17, 2009 7:21 PM

Debit cards have never made any sense, really.

Why would you want a piece of plastic or number in your wallet that everyone has that can drain money from your account? Debit cards don't even have the same legal safeguards as credit cards.

I understand why the banks love them; they don't have to pay for the float on the money, but as a consumer, why would you care?

As for how the cards are gotten, that's trivial. It's not a James Bond thing, the easiest way is to go to some employee at a credit card company and ask them to give you 10,000 numbers and pay them $200.

Or go to a guy who works at a restaurant and offer him to pay for 100 numbers.

There are easy ways to prevent this kind of fraud, but they would cost about $30-50 per account holder. And based on the math of it, they're better off taking the loss and you your credit.

Posted by: Ombudsman1 | June 17, 2009 10:24 PM

It's amazing to read Brian's articles. I can't believe that the crooks keep getting more and more sophisticated. Shouldn't the banks be getting some blame? Can't we tell the banks to fix this problem with their technology?

When I go to a bank and cash my paycheck, if the teller gives me $10 too much the bank will spend a week tracking down the lost $10 of cash from the drawer and finally withdraw their lost funds back from my checking account. If the bank loses their money, they will not stop looking for that $10 until it is back in their account, tellers will be fired, I will be accused of not reporting the $10 extra and for $10 heads will roll.

However, when their bank database is hacked and credit card data is lost which is 100% their fault, what happens to them? (**Breaches at banks and financial institutions were responsible for 93 percent of all such records compromised last year, Verizon) Does anyone get blamed, fired or chastised? No, NOTHING HAPPENS and no one to blame, they pass card losses on to the consumer in higher fees. As long as the bank is not losing their money it's ok. They hide their fraud losses by not reporting them as crimes and projecting cards accounts as safe. After all, they can just issue a new card and pass that cost along too.

It is 100% their fault they lose data but no one is to blame because they pass this on as a 'cost of doing business'. (it's acceptable, it happens, it's ok) Consumers should be fired up with the bank passing on these costs in fees and high rates. UK banks don't even report card fraud as a crime if it is just a small amount. You call to report $70-100 illegal charge and the police say call your bank and tell them, we don't accept that as a criminal complaint anymore. Those small crimes don't make it into the reported data on card theft. That is just wrong and as Brian points out, it just gets worse and worse. Call the bank, tell them to fix their product. After all Credit Cards were not designed to even be used online.
Nice article Brian.
Mark Herpel
editor@dgcmagazine.com
http://twitter.com/dgcmagazine

Posted by: panama1 | June 18, 2009 11:37 AM

@strohminator:

Compared to balance sheet losses fr/ the Financial Meltdown, losses fr/ online theft are insignificant, not to mention predictable. Don't expect the banks to allocate much attention to a minor debit fr/ their balance sheet.

Posted by: featheredge99 | June 18, 2009 6:37 PM

@strohminator:

PS: Not to mention that $11.99/month protection, excuse me insurance, fee they charge. They've 'monetized' the problem. Enough to make Tony Soprano smile (-:.

Posted by: featheredge99 | June 18, 2009 6:41 PM

Your article makes me sooooo happy I never got a debit card. The banks like them because they can use funny money instead of real money, along with all those fees. When I take out cash... well, it's cash that the bank can't leverage any more. And they don't know what I'm doing with it!
I could be buying chocolate, or bacon, or any of a dozen things, foods, services that an insurance company down the road might not approve of.

I just don't like being tracked, so cash is king with me. My friends and family laugh at me and say I'm paranoid believing that at some point insurance companies are going to get this information and use it to ascertain what to charge in order to grant us the very great privilege of their services.

Posted by: ladym1 | June 19, 2009 7:36 PM

While reading Brian’s article, I read this:

The Odyssey Bar's merchant account is being abused by online services that cyber thieves built to help other crooks check the balances and limits on stolen credit and debit card account numbers.

So, I didn’t get any hints that Brian is saying debit cards are worse than credit cards. However, from reading the comments, one would tend to believe that debit cards are the worst.

Secondly, my bank does show pre-authorizations. After dealing with a really nasty salesperson, I decided I no longer wanted my purchase while at the counter. The receipt printed out, but the retailer tried to say the charges didn’t go through. I called my financial institution, which confirmed the charges; I also saw the pre-auth charge when I pulled up my account online. I made the head manager of the retailer print out a copy of the pre-auth charge. He didn’t act surprised that it did indeed exist.

Therefore, I believe retailers know about the pre-auth crooks, but just don’t care. The debit card saves me from going to the bank or carrying wads of cash. The convenience of it is why I carry it.

Posted by: ummhuh1 | June 22, 2009 2:49 PM

The comments to this entry are closed.

 
 

© 2010 The Washington Post Company