Reporting Stolen Credit Card Lists?
harlows_monkeys asks: "I just received a spam, at both home and work, both sent through trojaned Windows machines, offering to sell me a credit card database stolen from camcontacts.net.
Included was a link to a sample of the database (no, I'm not providing a link!). I downloaded the sample, and it appears legit. There are 13000 numbers. I picked one of the Visa numbers, went to Visa's web site, and entered it in a form to sign up for fraud protection, and it accepted it, and identified the issuing bank. It was accepted. All indications are that this stuff is real.
So, the question arises--what is the correct way to deal with this?
I called Visa, and after they spent a while figuring out what department was responsible, all they could suggest was call local law enforcement, and if I wanted to talk to Visa's security people, call back at 9am when they get in.
American Express didn't even suggest calling local law enforcement. They just suggested calling back when their security people got in in the morning.
I then called the FBI. They said to call the Secret Service and gave the number.
At the Secret Service, I ran into an answering machine that gave their office hours.
It seems to me that there should be -someone- who would be interested in a widely-sent spam that links to 13000 credit card numbers, with expiration date and customer name and zip code, so as to stop these from being fraudulently used, but it escapes me who that would be--I struck out with all my candidates.
Is it just me, or does the indifference of Visa and Amex to this shock anyone else?"
That should do the trick.
But seriously, either the Secret Service, the credit card companies OR the United States Postal Service (I believe it's a crime to "mail" stolen items).
..........FULL STOP.
If you were calling them outside business hours, it's no surprise they were unresponsive. I'm not saying that I condone their handling of it; they should jump on it in an instant. However, if their security people are not available, chances are there is no one there with the knowledge to help.
Everyone is stupid, it is just the degree that varies
I'm extremely trustworthy and will NOT do anything wrong with the numbers. I'll be a witness to this horrible theft, and I'll send out mass mailings with sections of the database to ensure that such deeds are not gone unnoticed by the general public.
Er... wait...
Bust them by following this link, Reporting Economic Crime On Line YMMV
Perhaps you need to find out who your local FBI contact is. If the FBI doesn't handle this (as in counterfeiting going to the Secret Service) then you need to find out who else to contact (maybe your good ol' local sheriff could send you in the right direction).
Vote in November. You won't regret it.
Yes, and they've already told you who they are: the various security departments, who will be reporting to work at 9 in the morning.
What, you thought investigative agents hang around 24 hours a day? No, they value sleep.
You cannot apply a technological solution to a sociological problem. (Edwards' Law)
What you've got is stolen credit card numbers being transported across state lines. That makes it a federal matter. You call the FBI.
Who was the email from?? (the forged email address, name, whatever)
;)
What was the subject of the email???
I receive 100+ spams a day, that email may still be in my spam folder now!!
You can tell how powerful someone is by the magnitude of the crime they can commit and be able to get away with.
You're too much of a busy body. Use a spam filter and just toss the spam like everyone else.
Nowadays stolen card numbers are not a problem for the customers because you can always call your bank and have a fraudulent charge removed. The banks always remove the charge first and then the business has to prove the charge is not fraudulent.
So the ones that get hurt are the businesses that accept stolen cards. But any decently run business should be able to verify the authenticity of the sale by checking the billing address and security numbers on the card.
BTW, calling the card companies and police in the middle of the night and then being shocked by the unresponsiveness is unfair or plain dumb.
Of the credit card companies. They don't give a rat's ass about credit card fraud. Why? Because they don't lose money on it. They chargeback the merchant that accepts the stolen card.
That's the way the system works. I know firsthand. Every merchant that does non face-to-face transactions will eventually get bit and when it happens, all the credit card company cares about is getting their money back from the merchant. They are not interested in fraud investigation. Why should they? That costs money. It's much easier to make the merchant cover the costs. He has to in order to keep his account.
It's a terribly broke system, but the people with the gold make the rules. Sorry I sound so bitter, but I learned a $1700 lesson on this one...
"Eve of Destruction", it's not just for old hippies anymore...
I'm not a lawyer. On the other hand, I have enough relatives who are judges, prosecutors and ex-cops to have a decent idea of how the system works.
First off: find your state Attorney General's office and email them. Almost every state AG office has an email address, and many of them give timely responses. Don't wait until morning: do this tonight.
Second off: tomorrow look up the Federal District Attorney's phone number. Call first thing in the morning (9:00am sharp!) and ask to speak to the Financial Crimes Division. Someone in that office is tasked with financial crimes, believe you me, and that's the person you want to talk to. Get that person's name and phone number. Make an appointment as soon as possible--this is the entire reason for calling early in the morning, since their schedules are more open then. Make sure to tell them that you've received a solicitation to purchase stolen credit card numbers, and the numbers appear real.
Third: call the Secret Service during regular business hours. Again, ask for Financial Crimes. They may not have an office in your area. If they don't, they'll pass the buck back, perhaps to the FBI, perhaps to some other Treasury department. If they do this, ask the Secret Service agent for a particular agent to call, and ask the Secret Service agent to let this particular agent know you'll be calling. Federal law-enforcement tends to pay more attention to you if you're directly referred by another law-enforcement type than if you say "yeah, the Secret Service told me I needed to call you guys..."
Fourth: contact your local bank. As in, the bank you do business with. Calling the credit-card companies will be a fool's errand; there are tons of them and you have no clue how many of these numbers are Visa, how many are Mastercard, how many are Discover/Novus, etc. Your bank most probably has business relationships with all of them. Call your bank and ask for an appointment with whoever's responsible for fraud control.
At this point, you've covered your bases pretty well. Banks, prosecutors, FBI/Secret Service, state attorney general's office. Take a breather. You've done good. Wait for them to get back in touch with you.
Tomorrow, call the news media. Make sure to tell them which agencies got back in touch with you and which agencies didn't, which agencies took it seriously and which agencies couldn't be bothered to give a damn.
try calling at some time other than 2 am?
-- 'The' Lord and Master Bitman On High, Master Of All
This comment sums everything up nicely.
To offer some personal experience, I've reported credit card fraud to the police and been told by the investigating officer: "I have a pile of drugs cases that will take a year to investigate. This report will go to the bottom of that pile."
Credit card fraud isn't taken seriously. The reason is that credit card companies *profit* from fraud, so they don't make a fuss. If someone uses a stolen credit card number to make a $100 purchase then all the credit card company does is take the $100 back from the retailer and charge them $15+ for the privilege.
If the retailer doesn't like it then they have two options, either (1) shut up or (2) stop accepting credit cards and close their business.
It beggars belief that the mainstream media hasn't covered this, but I guess it all boils down to it being "business vs business" (credit card companies vs retailers) so as long as consumers aren't getting hurt, the media doesn't have an audience to tell the story to.
Last year, Visa introduced a $375 annual charge for Internet merchants that want to accept Visa payments. They even had the cheek to charge double the first year. The stated reason was to cover the costs of fraud. Following the introduction of the annual charge, the fines imposed upon merchants went UP. Internet merchants cannot prevent fraudulent charges because that is the responsibility of the credit card companies, but merchants are now paying an annual charge to cover any fines, as well as still paying the fines which are higher than ever. Credit card companies continue to do practically nothing to prevent fraud. Again, every time someone commits credit card fraud, the card company gets richer.
If you think you've ever had a raw deal as a consumer, you should try working with credit card companies. They -- especially Visa -- are the personification of corporate evil. They operate with practically no accountability and no appeals procedure, imposing new rules and charges whenever they choose and merchants have little choice but to agree to them. Some merchants do not even have any way of knowing which company they have been fined by! Think of credit card companies as PayPal at their worst, multiplied by a thousand.
One idea I've had, inspired largely by the "full disclosure" ethos of the software security community, is to write a text file explaining the very simple way to make credit card payments for services over the Internet without (1) ever having to pay for the service, or (2) breaking the law in a way that can be prosecuted. I'd then post the document on a server in a country with a zero censorship policy and distribute the link. The hope, perhaps foolish, would be that *widely* disclosing a known loophole would cause credit card fraud to go through the roof and, amid a flood of bad publicity, force the card companies to change their policies.
The only reason I haven't done this yet is because -- and I know it's selfish -- my business accepts credit cards over the Internet so I'd be committing financial suicide.
Someone's going to do it, though, sooner or later.
just send them to me and I will tell you :-)
So, the question arises--what is the correct way to deal with this?
No doubt, prepare to go to jail now. The theft of the numbers causes VISA no ill effect. At worst, if they are used to purchase things, the stores themselves will have to eat the cost. VISA, on the other hand, has MUCH to lose if you let the world know how shoddy their security is. You did sign up for fraud protection with a valid number, something that will probably add some small annual fee to the guy's card, so you are probably now guilty of credit card fraud. It seems to me in Corporate America these days, the correct way to handle the situation will be to shut you up by having charges filed as soon as possible and sealing the court records.
About a month ago, I received a similar email from a trojaned Earthlink account. I contacted Earthlink abuse first and they basically said not our problem, not our customer doing it. They maintained that since someone else was controlling the account, not the customer, they weren't interested. I responded saying that it was their IP address and they should alert their customer but got no response. Likely, it was a low level support person answering the email but you'd think that they'd forward it on to someone in authority.
I got no response from the credit card companies that I contacted or a nice remark about "if _your_ card is affected...". I didn't even bother with the feds since in the past they've only been interested in large dollar amounts affecting large companies. And local cops are not the answer to an international credit card number theft ring.
I'm usually too busy to deal with this sort of crap and I let it drop since I'd too much to do (yea, yea, I know). Didn't remember until this came up.
A card of mine was one of the million plus stolen from the old onsale.com database break-in several years ago. I noticed a $10 charge by a "Moscow Telecom" and notified my bank. They responded that there had been a theft and they were immediately replacing cards (via ground mail) that showed activity like this and that my card was one of the affected cards. They actually said that they had a list of all of their cards that were affected but were only replacing cards showing suspicious activity! I was floored. They also said that small transactions were being posted against the cards because most people failed to check their statements or, if they did, figured that since it was small, it must be right and they didn't remember. $10 times 1 million plus cards is a lot of scratch every month.
"World's Largest Credit Union" indeed. Acted more like a big bank not wanting to get stuck with a big expense.
Maybe next time, I'll forward it to Interpol first but they are also a bureaucracy too.
This is not a security problem, it's an operational issue. Block the card.
It's better to be the foot on the boot than the face on the pavement. ~~ tkx Kadin2048
Call the FBI as soon as possible.
Co-founder and designer at Music Nearby: http://musicnearby.com
post an "Ask Slashdot" question.
Oh, wait...
ebay?
For the Secret Service - call the Dept. of Homeland Security Office of Inspector General Hotline (800) 323-8603.
For the FBI - call the Dept. of Justice Office of Inspector General Hotline (800) 869-4499.
When you call, remind both of them that active stolen credit cards can be used by terrorists to purchase things like AIRPLANE TICKETS, and that you do not find it acceptable that these agencies' responses were not prompt and definitive.
These Hotlines must come to some final resolution for every reported allegation. That should provide you some assurance that even if they decide to not pursue the matter it is being documented that decision was made by law enforcement.
Work for Change & GET PAID!
But here is their reply to my direct inquiry:
Gimii gimmi gimmi!
Or just donate beer to me..
It's past 9am, you've had plenty of time to call them. Did you call them? Or were you too busy trying to find another cage to rattle for your next slashbot submission?
Order a TV set delivered to the vacant house in the next neighborhood over. (Can even do it on your own card!) Put a little notecard saying it's OK for UPS to leave the package without a signature. Pick up the set when delivered, and (if using your card) do a chargeback.
How do I know this? Well, after being repeatedly defrauded by one person to the tune of $2000 (he was/is using a list of stolen cards, bouncing off a different unsecured proxy each order), I called our merchant bank, exasperated, and said "how can I stop this guy? How can I stop you fining me for all his charges?"
Their reply: "Oh, you think you have it bad - here's what some merchants are getting hit with," and described the scheme above.
The same person is still defrauding me, and I'm powerless to stop it.
Why is everyone blaming the credit card companies???? Shouldn't the website that was exploited in order to 'steal' the list of numbers be held responsible? It seems to me that the author of the insecure software, or even the sysadmin, is more accountable than the credit card companies.