Thursday, March 29, 2012

What I do.

The most challenging aspect of my job involves protecting my employer against eCommerce fraud (mostly Card Not Present transactions) and other kinds of payment scams like counterfeit money orders and cashier's checks. The United States loses billions of dollars annually from credit card fraud. In fact, it's become such a rampant problem over the past decade that internet merchants have virtually no legal recourse because the FBI and Secret Service are overburdened and understaffed to investigate the sheer volume of this type of criminal activity. It's a tough job, but someone has got to do it. It's up to merchants to protect themselves.

In the majority of cases eCommerce crooks stage their operations via the internet from overseas; countries like Nigeria, Russia, Latvia, Romania, Bulgaria, etc., and are usually attached to organized crime syndicates. To function, they usually recruit a liaison in the United States who either sells stolen merchandise on eBay or acts as a hub to re-ship packages. (Such work-at-home scams have appeared on Dateline NBC.) Unaware they're an accomplice to criminal activity, the eBay seller collects a commission and wires the rest of the money to the thief after re-shipping to an unsuspecting eBay buyer. You see, these thieves aren't at all interested in the actual product, but the money they can get for it. And what do you suppose they do with the money? Buy themselves nice things, of course. But there is also a nexus between credit card fraud and drug dealing, weapons procurement, and international terrorism.

Companies that sell premium binoculars and spotting scopes are frequent targets of fraud because of how easy it is to move these products via eBay by advertising them at significantly lower prices than what authorized dealers are permitted to sell them at. This is a big red-flag for consumers. See a great optics deal on eBay? If it seems too good to be true, then it probably is and you might end up with stolen merchandise. My job is to prevent this from happening at as many levels and fronts as I can.

Some of what I do is not unlike an aspect of what a Skiptracer does. During the order screening process I look for any suspicious characteristics about the name, billing address, shipping address, email address, phone number, IP address, combination of products, etc. I use various search engines, social media services, blogs, user profiles, on-line databases, IP address lookup, etc., to cross-reference customer supplied information. For example, from an email address, I can usually get a first and last name. I can reverse phone numbers to names and/or street addresses and vice versa. I even use Google Streetview to check out the neighborhood where a package is being shipped. Without contacting the customer, I attempt to prove that the person indicated on the invoice actually exists and authorized the credit card transaction. The CVV code is absolutely worthless today because when these crooks steal your identity, they do it well; they get everything, including your social security number, driver's license, and mother's maiden name. Being provided with the correct 3-digit code on the back of a credit or debit card no longer plays a role in the verification process.

What makes my task supremely difficult is when someone's bank account has been hijacked (account takeover) by a crook. When the credit card transaction is processed, a system called AVS (Address Verification System) compares the customer supplied invoice information with what the card issuing bank has on file. If the numerical part of the street address and zip code match, then AVS returns "Y" code to the merchant. The problem is that if the account has been hijacked, the crook can easily change the billing address (and your phone number, and your email address on file) to the package intercept location or an eBay buyer's address but on someone else's credit card! Hence, the AVS return code is fairly meaningless.

Banks that provide customer convenient access to their accounts give crooks plenty of ways to hack and modify account information. Once the billing address is changed (prior to the purchase), the AVS code generates a valid match. The product, if shipped by the careless merchant, is on its way to a crook, liaison, package interceptor, or unsuspecting eBay buyer. What the crook can't easily change is the first and last name on the account. So sometimes essential to contact VISA, MC, AMX, or DISC Merchant Services and initiate what's called Merchant Name and Address Verification to get the credit card issuer's phone number. Unfortunately, some financial institutions won't perform this service for merchants because they believe it compromises their customer's privacy. The irony here is that these are precisely the financial institutions that crooks target because it puts the merchant at a disadvantage during the verification process. Thus, a bank or credit union that won't cooperate with a merchant actually places their customers at a higher risk for credit card fraud.

Here's how typical credit card scam works:


  1. Crook tells eBay seller which products to advertise (below MAP dealer pricing).
  2. eBay buyer sees advertised product and purchases "great deal" via credit card or PayPal.
  3. eBay seller informs crook of order.
  4. Crook steals third-party credit card.
  5. Crook changes billing address at third-party's bank to eBay buyer's so it AVS matches.
  6. Crook places order at authorized optics dealer to ship to eBay buyer.
  7. Authorized optics dealer emails order confirmation email with tracking number to crook.
  8. Crook emails order confirmation information and tracking number to eBay seller.
  9. eBay seller emails confirmation information and tracking number to eBay buyer.
  10. Authorized optics dealer charges third-party's credit card.
  11. Authorized optics dealer ships product to eBay buyer.
  12. Third-party sees charge on credit card statement and contacts bank.
  13. Third-party's bank issues chargeback against authorized optics dealer.
The goal of my mission is to catch and cancel all fraudulent orders but not legitimate "false positive" ones and keep as much of the verification process invisible to the customer as possible. An internet merchant cannot miss a single fraud order. Not one. If you miss even just one and ship it, then your company's website gets published as "cardable" on hacker forums, unleashing hell. What was a manageable problem can quickly spiral out of control. Last year I caught over $65,000.00 in attempted fraudulent orders and if I had missed just one this dollar figure would have been significantly higher. If you do miss one, prepare for the tediously unfair chargeback process and additional scam attempts. Disputing a chargeback is usually not worth the time because, as a merchant, the rules are stacked against you. You can't let your guard down for a moment.

When a legitimate cardholder sees an unauthorized charge on their account, they contact their financial institution to have the charge reversed. Have you ever seen those bank commercials advertising a special or patented fraud protection service? It's 100% bunk. All they do is take the money from the merchant and pass it to the cardholder to cover the loss; it's always the merchant left holding the empty bag. From the bank's point of view, it's the merchant's fault for not taking the necessary steps and precautions to thwart credit card fraud. In short time, such losses can literally destroy a small merchant's business.

There has been some effort to make financial institutions more accountable for credit card fraud, but thus far they've been successful at resisting such pressure and potential legislation. We must protect banks at all costs, don't you know. Merchants are on their own for the time being. There are other tools, methods, and services in my arsenal to combat credit card fraud, but I must keep them confidential because they could potentially become compromised and rendered ineffective by crooks if I made them public.

You might be wondering how crooks obtain cardholder information in the first place. There's hacking, employee dishonesty at financial institutions, email scams, social engineering, and other methods. There are internet forums operating right now that you only need register for a user-id and password to gain access to hundreds of valid credit card accounts, but you can also purchase them by the thousands. Anybody can get them. Google "credit card dumps" and see what you find. Pretty scary, isn't it? Even if you report such a website to the FBI or Secret Service, the second it gets taken off-line, it merely pops right back up on some other domain. Thus, law enforcement usually won't do anything about them.

These scams are insanely profitable and in most cases the crooks are getting away with it, but not with us. It's sweet justice whenever they mess up and I manage to obtain enough information for a potential bust. Credit card fraud has become such an enormous problem that even some of our competitors have joined forces in solidarity to share details about scams as soon as they're discovered. Some of these scams are ingenious, worthy of admiration, and evolve in a variety of forms. Just when I think I've seen everything, something new comes along, so it's critical for me to stay on top of the game. It's a veritable war between thieves and merchants that goes on every day.

"So it is said that if you know your enemies and know yourself, you can win a hundred battles without a single loss. If you only know yourself, but not your opponent, you may win or may lose. If you know neither yourself nor your enemy, you will always endanger yourself."

~ Sun Tzu, The Art of War

No comments:

Post a Comment