Jul 10 2010

FTC Says Scammers Stole Millions, Using Virtual Companies

Category: CybercrimeDISC @ 11:23 pm
Seal of the United States Federal Trade Commis...
Image via Wikipedia

100% Internet Credit Card Fraud Protected

by Robert McMillan
The U.S. Federal Trade Commission has disrupted a long-running online scam that allowed offshore fraudsters to steal millions of dollars from U.S. consumers — often by taking just pennies at a time.

The scam, which had been run for about four years, according to the FTC, provides a case lesson in how many of the online services used to lubricate business in the 21st century can equally be misused for fraud.

“It was a very patient scam,” said Steve Wernikoff, a staff attorney with the FTC who is prosecuting the case. “The people who are behind this are very meticulous.”

The FTC has not identified those responsible for the fraud, but in March, it quietly filed a civil lawsuit in U.S. District Court in Illinois. This has frozen the gang’s U.S. assets and also allowed the FTC to shut down merchant accounts and 14 “money mules” — U.S. residents recruited by the criminals to move money offshore to countries such as Bulgaria, Cyprus, and Estonia.

“We’re going to aggressively seek to identify the ultimate masterminds behind this scheme,” Wernikoff said. According to him, the scammers found loopholes in the credit card processing system that allowed them to set up fake U.S. companies that then ran more than a million phony credit card transactions through legitimate credit card processing companies.

Wernikoff doesn’t know where the scammers obtained the credit card numbers they charged, but they could have been purchased from online carder forums, black market Web sites where criminal buy and sell stolen information.

Small Thefts Overlooked

The scammers stayed under the radar by charging very small amounts — typically between $0.25 and $9 per card — and by setting up more than 100 bogus companies to process the transactions.

U.S. consumers footed most of the bill for the scam because, amazingly, about 94 percent of all charges went uncontested by the victims. According to the FTC, the fraudsters charged 1.35 million credit cards a total of $9.5 million, but only 78,724 of these fake charges were ever noticed. Typically they floated just one charge per card number, billing on behalf of made-up business names such as Adele Services or Bartelca LLC.

As credit cards are increasingly being used for inexpensive purchases — they’re now accepted by soda machines and parking meters — criminals have cashed in on the trend by running this type of unauthorized charging scam.

“They know that most of the fraud detection systems won’t detect anything under $10 and they know that consumers won’t complain about a 20 cent fee,” said Avivah Litan, an analyst with the Gartner research firm who follows bank fraud. “What’s different here is the scale, and that they got away with it for so many years,” she said.

Similar Cases Show Trend

In March Alexsandr Bernik of Roseville, California, was sentenced to 70 months in prison for running a similar scam. He put tens of thousands of charges on Amex accounts, each ranging from $9 to $15. Neither federal authorities nor American Express would explain how Bernik obtained his card numbers.

Bernik made his charges on behalf of a fictional corporation called Lexbay Ltd., but in the FTC case, the scammers would mimic legitimate companies — taking real federal tax I.D. numbers and then setting up fake businesses with nearly identical names that appeared to be located nearby. In a move that apparently tricked credit card processors into granting it a merchant account, Adele Services, for example, was set up to mimic a legitimate Bronx, New York group called Adele Organization.

When the scammers tried to register merchant accounts with credit card processors, the processors would do some investigating, but using tricks like these, the scammers were always one step ahead.

In fact, the FTC’s description of their operation reads like a textbook on how to set up a fake virtual corporation in the Internet age.

The criminals used a range of legitimate business services to make it appear to credit card processors as though they were legitimate U.S. companies, even though the scammers may have never set foot in the U.S.

For example, using a company called Regus, they were able to give their fictional companies addresses that were very close to the companies whose tax IDs they were stealing. Regus lets companies operate “virtual offices” out of a number of prestigious addresses throughout the U.S. — the Chrysler Building in New York for example — forwarding mail for as little as US$59 per month.

Mail sent to Regus locations was then forwarded to another company, called Earth Class Mail, which scans correspondence and uses the Internet to deliver it to customers in pdf format.

They used another legitimate virtual business service — United World Telecom’s CallMe800 — to have phone calls forwarded overseas. To further make it seem as though their companies were legitimate, the scammers would set up fake retail Web sites. And when credit card processors asked them to provide information about company executives, they handed over legitimate names and social security numbers, stolen from ID theft victims.

When they had to log into payment processor Web sites, they would do this from IP addresses that were located near their virtual offices, again evading payment processor fraud detection services.

One of the largest payment processors in the U.S., First Data, was a favorite of the scammers. Of the 116 fake merchant accounts the FTC uncovered, 110 were with First Data. The scammers also set up bogus accounts with Elavon and BBVA Compass.

First Data would not comment on the measures it had taken to improve its merchant vetting process, but the company did confirm that it cooperated with the FTC investigation.

Aided by ‘Mules’

To get the money out of the U.S., the scammers had to recruit money mules. These were U.S. residents who were recruited online, often with spam e-mail messages. Under the impression that they were helping offshore businesses, the money mules set up bank accounts and helped the fraudsters move money offshore.

In a letter to the judge presiding over the case, one of the mules, James P. Smith of Brownwood, Texas, says he worked for one of the scammers for four years without realizing that anything illegal was going on. Smith now says he is “ashamed” to be named in the FTC action, and offers to help catch his former boss, who used the name Alex Moore.

The FTC’s Wernikoff believes that whoever is responsible for this crime lives outside of the U.S., but with the money-cashing operation now busted up, the scammers will have to start again from scratch, if they want to keep bilking consumers. And criminal investigators now have a trail to follow.

“Does it prevent the people from ultimately responsible from building up again from scratch?” he asked. “No. But we do hope that this serously disrupts them.”.

Tags: American Express, Business, Credit card, Federal Trade Commission, First Data, fraud, FTC, United States

May 18 2010

Taking Credit Card Security Seriously

Category: pci dssDISC @ 1:33 pm

NEW YORK - MAY 20:  In this photo illustration...
Image by Getty Images via Daylife

PCI DSS v1.2: A Practical Guide to Implementation

By David F. Carr @ Forbes

The easiest way for small businesses to address the information security requirements imposed by credit card companies is the wrong way. I’m talking about lying and praying.

In 2004 the major credit card companies got together to define a common Payment Card Industry Data Security Standard (PCI DSS, often referred to as just PCI). They are gradually ratcheting up the pressure on merchants of all sizes to comply. Large companies, and some smaller ones that process a large volume of transactions (particularly if they’re doing it on the Web), are required to have an independent review of their processes and systems by a security professional credentialed as a qualified security assessor (QSA). Most small businesses can instead complete a self-assessment questionnaire, where they essentially grade themselves. That’s where the lying comes in. It’s not so hard to check off all the right answers (“Sure, I review my e-commerce server logs on a daily basis.”) without actually making them true.

If you’re lying, you had better also be praying. If caught, you could be fined for non-compliance, to the tune of tens or hundreds of thousands of dollars–enough to put many a small organization out of business. Expect even harsher treatment if someone hacks your systems and downloads card data you claimed you weren’t even storing.

Most of the requirements are basic security, like making sure there is a firewall between your Internet connection and any system that stores credit card numbers. Factory default passwords on your network equipment must be changed, so that no one can log on as user “admin,” password “admin.” And so on. More specifically, you’re responsible for protecting card holder data, and there’s some data you’re never supposed to store–like the full contents of a card’s magnetic strip.

Many small businesses are still under the impression that the rules don’t apply to them because they’re too small, or because they don’t conduct e-commerce. Actually, the rules apply to any business–and even any nonprofit–that takes credit card payments. You can look for ways to lighten the compliance burden, but you can’t get yourself off the hook entirely. Even if no one has yet compelled you to complete a questionnaire or conduct an automated scan of your networks, you’re still supposed to be locking down your systems.

Some businesses complain this all sounds too complicated and expensive. But they are missing the point, says Anton Chuvakin, author of PCI Compliance: Understand and Implement Effective PCI Data Security Standard Compliance. The PCI rules really represent the minimum security standards businesses must meet to be fair to their customers, who, after all, are trusting the merchant every time they hand over a credit card number. In the wake of a card security breach, a larger business might suffer from the fines, damages and adverse publicity resulting from a card security breach. By contrast, “a small business is more likely to be GONE,” Chuvakin said. “Businesses that endanger their customers really do deserve to die.”

If your organization is not equipped to handle credit card data securely, maybe you should not be handling it at all. Look for ways to shift as much of the burden as possible onto a service provider that specializes in secure payment processing. Services such as PayPal and Authorize.net let you forward customers to their websites for payment processing; credit card numbers never pass through your hands at all

Small businesses such as restaurants that use an older generation of countertop credit card terminals may be breaking the rules inadvertently because the device stores magnetic stripe data or otherwise violates the PCI requirements. So consider upgrading to a payment device that is certified PCI compliant. Basic terminals capable of encrypting Personal Identification Number (PIN) codes and protecting other sensitive information are available for as little as $100 and might even be offered free by merchant account services trying to win your business. The PCI Security Standards Council publishes a list of approved devices. Just remember that using a compliant device is only one element of making your business compliant.

Even if you’re not storing anything explicitly prohibited, you may be storing more credit card data than you need to. Small merchants typically store a day’s worth of credit card numbers on a card swipe terminal, then process all the transactions in a batch at the end of the day. Bigger retailers may record the card numbers in a centralized database so they can track all a customer’s purchases, and so they can retrieve the number if they need to issue a refund. But do you need to retain those numbers at all?

Possible Solutions
Perhaps not. Martin McKeay, a QSA and author of the Network Security Blog, recommends looking at new strategies for using end-to-end encryption and “tokenization.”

For example, payment processor First Data ( FDC – news – people ) and security software firm RSA Security have developed a product called TransArmor that allows merchants to get authorization for a credit card number and then immediately dispose of the card number, replacing it with a token. The token is another number that acts as a stand-in for the credit card number itself. First Data keeps track of which tokens correspond with which credit card numbers. So if you’re executing previously authorized transactions at the end of the day, you send First Data a batch of tokens, and it relays the card numbers on to the bank. But if the tokens are stolen, by themselves they are worthless to anyone else.

“With this, the only time you need the true credit card number is when you do the authorization,” says Craig Tieken, First Data vice president of merchant product management. “The merchant, in our opinion, no longer needs the card number.” TransArmor is still in beta testing, scheduled for release in the summer of 2010.

PCI DSS v1.2: A Practical Guide to Implementation

Tags: Business, Credit card, First Data, Payment Card Industry Data Security Standard, PayPal, Personal identification number, Qualified Security Assessor, Tokenization