An Odyssey of Fraud
Andy Kordopatis is the proprietor of Odyssey Bar, a modest watering hole in Pocatello, Idaho, a few blocks away from Idaho State University. Most of his customers pay for their drinks with cash, but about three times a day he receives a phone call from someone he's never served -- in most cases someone who's never even been to Idaho -- asking why their credit or debit card has been charged a small amount by his establishment.
Kordopatis says he can usually tell what's coming next when the caller immediately asks to speak with the manager or owner.
"That's when I start telling them that I know why they're calling, and about the Russian hackers who are using my business," Kordopatis said.
The Odyssey Bar is but one of dozens of small establishments throughout the United States seemingly picked at random by organized cyber criminals to serve as unwitting pawns in a high-stakes game of chess against the U.S. financial system. This daily pattern of phone calls and complaints has been going on for more than a year now. Kordopatis said he has talked to the company that processes his bar's credit card payments about fixing the problem, but says they can't do anything because he hasn't actually lost any money from the scam.
The Odyssey Bar's merchant account is being abused by online services that cyber thieves built to help other crooks check the balances and limits on stolen credit and debit card account numbers. In April, I wrote about a pet store in Buffalo, N.Y., whose merchant account was being similarly abused by another card-checking service. In that story, I cited research on this trend by Lawrence Baldwin, a security consultant in Alpharetta, Ga., who has been working with several financial institutions to help infiltrate illegal card-checking services:
The services are advertised on Internet forums that facilitate identity theft, and cater to criminals who wish to buy large numbers of stolen credit and debit cards. Using such services, the would-be buyers can quickly verify whether a random sampling of the cards is still active, and -- for an additional fee -- the available balance on each card. In most cases, the only barrier to new customers signing up at these services is the ability to speak and read Russian, and the ability to pay with one of several virtual currencies, such as Webmoney.
Baldwin estimates that at least 25,000 credit and debit cards are checked each day at three separate illegal card-checking Web sites he is monitoring. That translates to about 800,000 cards per month or nearly 10 million cards each year.
Baldwin said the checker sites take advantage of authentication weaknesses in the card processing system that allow merchants to conduct so-called "pre-authorization requests," which merchants use to place a temporary charge on the account to make sure that the cardholder has sufficient funds to pay for the promised goods or services.
Pre-authorization requests are quite common. When a waiter at a restaurant swipes a customer's card and brings the receipt to the table so the customer can add a tip, for example, that initial charge is essentially a pre-authorization.
With these card-checking services, however, in most cases the charge initiated by the pre-authorization check is never consummated. As a result, unless a consumer is monitoring their accounts online in real-time, they may never notice a pre-authorization initiated by a card-checking site against their card number, because that query won't show up as a charge on the customer's monthly statement.
In fact, in most cases when banks are alerted to the card-checking activity, it is because a credit card customer is regularly checking their online statement or has signed up with their bank to receive e-mail alerts each time a charge is initiated against their account.
The crooks have designed their card-checking sites so that each check is submitted into the card processing network using a legitimate, hijacked merchant account number combined with a completely unrelated merchant name, Baldwin discovered.
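The pattern described above (small pre-authorizations that are never completed, pushed through one merchant account under more than one merchant name) can be expressed as a check over a processor's authorization log. This is an added example, not part of the original article; the record layout, thresholds, merchant IDs and sample rows are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample pre-authorization records (not real data):
# (merchant_id, merchant_name, card_token, amount_usd, later_settled)
SAMPLE_AUTHS = [
    ("MID-1001", "ODYSSEY BAR",   "card-01", 2.77, False),
    ("MID-1001", "ODYSSEY BAR",   "card-02", 1.13, False),
    ("MID-1001", "PET SUPPLY CO", "card-03", 2.05, False),
    ("MID-1001", "PET SUPPLY CO", "card-04", 0.98, False),
    ("MID-1001", "ODYSSEY BAR",   "card-05", 3.40, False),
    ("MID-1001", "ODYSSEY BAR",   "card-06", 18.50, True),   # genuine bar tab
    ("MID-2002", "MAIN ST DINER", "card-07", 4.25, True),
    ("MID-2002", "MAIN ST DINER", "card-08", 3.10, True),
    ("MID-2002", "MAIN ST DINER", "card-09", 4.80, True),
    ("MID-2002", "MAIN ST DINER", "card-10", 2.95, False),   # one abandoned tab
]

def flag_card_checking(auths, max_amount=5.00, min_small=4, min_unsettled=0.8):
    """Return findings per merchant ID whose small pre-auths mostly never settle."""
    by_mid = defaultdict(list)
    for mid, name, card, amount, settled in auths:
        by_mid[mid].append((name, card, amount, settled))

    findings = {}
    for mid, rows in by_mid.items():
        small = [r for r in rows if r[2] <= max_amount]
        if len(small) < min_small:
            continue                      # too few small pre-auths to judge
        unsettled = [r for r in small if not r[3]]
        ratio = len(unsettled) / len(small)
        if ratio < min_unsettled:
            continue                      # normal: most pre-auths become charges
        names = sorted({r[0] for r in rows})
        findings[mid] = {
            "unsettled_small_preauths": len(unsettled),
            "unsettled_ratio": ratio,
            "distinct_cards": len({r[1] for r in unsettled}),
            "merchant_names": names,
            # One merchant account presenting under several names
            "name_mismatch": len(names) > 1,
        }
    return findings

if __name__ == "__main__":
    for mid, finding in flag_card_checking(SAMPLE_AUTHS).items():
        print(mid, finding)
```

The diner's single abandoned tab stays below the threshold, while the hijacked account stands out on every signal at once.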
On June 11, Kordopatis heard from Keri Tetlow, a mother of three from the suburbs of Houston. Tetlow, who watches her family's debit account balance like a hawk from their home computer, said she called Odyssey Bar because she noticed a $2.77 charge from the establishment. Tetlow said that after checking with her husband to make sure he hadn't made the charge, she decided to wait and see if the pending charge would clear. It never did.
But a few days later, Tetlow spotted $300 missing from her checking account, which she noticed was due to two unauthorized charges at an Office Depot on Broadway in New York City. So she called her bank. After confirming neither she nor her husband had lost their debit card, she told the bank to cancel the card.
While Tetlow was still on the phone with her bank, another charge appeared, for $177, this time at an Adidas outlet just a few stores down the street from the Office Depot. She called both stores, and learned from the managers that -- although each had video footage of the perpetrators -- they could only release that footage to the police. While she was on the phone with the Adidas store, someone else from her bank called to ask whether she really just tried to charge $650 to a Stereo Exchange in Manhattan.
"I told the lady from her bank about the videos and she said, 'There isn't anything we can do with that. That's a matter for the police. Really, we're just going to get you your money back,' And then she says, 'In the meantime, I think it would be a really good idea for you to get this ID theft protection service that we offer for $11.99 a month,'" Tetlow said. "I said, 'Are you kidding me? You haven't even given my money back yet, and I was the one who called you up about this!'"
Baldwin said the thieves running the card-checking sites are counting on the fact that companies that operate different parts of the financial processing system -- including issuing and acquiring banks, and the merchant -- traditionally do not share fraud data with each other, or even signs of unusual activity. Some, like Tetlow's bank, even use the opportunity to sell more services.
"The problem is that the detail of each individual entity's perspective at a transaction level is restricted or filtered," Baldwin said. "But if everyone involved shared this pre-authorization transaction information, these guys would not be able to do these card checks, because the patterns are ridiculously obvious when you can see all of the components at once."
June 17, 2009; 7:00 AM ET
Categories: Fraud , Web Fraud 2.0 | Tags: pre-authorization scam