Slashdot Mirror


Reporting Stolen Credit Card Lists?

harlows_monkeys asks: "I just received a spam, at both home and work, both sent through trojaned Windows machines, offering to sell me a credit card database stolen from camcontacts.net. Included was a link to a sample of the database (no, I'm not providing a link!). I downloaded the sample, and it appears legit. There are 13000 numbers. I picked one of the Visa numbers, went to Visa's web site, and entered it in a form to sign up for fraud protection, and it accepted it, and identified the issuing bank. It was accepted. All indications are that this stuff is real. So, the question arises--what is the correct way to deal with this?

I called Visa, and after they spent a while figuring out what department was responsible, all they could suggest was call local law enforcement, and if I wanted to talk to Visa's security people, call back at 9am when they get in.

American Express didn't even suggest calling local law enforcement. They just suggested calling back when their security people got in in the morning.

I then called the FBI. They said to call the Secret Service and gave the number.

At the Secret Service, I ran into an answering machine that gave their office hours.

It seems to me that there should be -someone- who would be interested in a widely-sent spam that links to 13000 credit card numbers, with expiration date and customer name and zip code, so as to stop these from being fraudulently used, but it escapes me who that would be--I struck out with all my candidates.

Is it just me, or does the indifference of Visa and Amex to this shock anyone else?"

9 of 78 comments

  1. Report them. by dan.hunt · · Score: 2, Informative

    Bust them by following this link, Reporting Economic Crime On Line YMMV

  2. FBI by El+Micko · · Score: 3, Informative

    What you've got is stolen credit card numbers being transported across state lines. That makes it a federal matter. You call the FBI.

  3. about stolen cards by alonsoac · · Score: 4, Informative

    Nowadays stolen card numbers are not a problem for the customers because you can always call your bank and have a fraudulent charge removed. The banks always remove the charge first and then the business has to prove the charge is not fraudulent.

    So the ones that get hurt are the businesses that accept stolen cards. But any decently run business should be able to verify the authenticity of the sale by checking the billing address and security numbers on the card.

    BTW, calling the card companies and police in the middle of the night and then being shocked by the unresponsiveness is unfair or plain dumb.

    1. Re:about stolen cards by Andy+Smith · · Score: 4, Informative
      But any decently run business should be able to verify the authenticity of the sale by checking the billing address and security numbers on the card.
      Wrong. In its simplest terms, the system works like this:

      1. Customer fills out a form with name, address, card number, etc.

      2. Details are transmitted to banking network.

      3. Banking network either gives the go-ahead or declines the charge.

      4. Retailer proceeds based on banking network's response.

      This system is flawed in several ways:

      1. The retailer doesn't have access to the banking network's records, so there is no way for the retailer to perform his own checks. The banking network must be trusted without question. Try this: Pay for something on a web site, giving your legitimate credit card details but a made-up name and address. The charge will probably be accepted. Why? Because the name/address comparison is done loosely to allow for people typing stuff differently from how it is recorded, ie: "14a Halifax Street" is typed as "14 A HALIFAX ST". Bear in mind that credit card companies PROFIT from fraud, you can imagine how loose this comparison is. Some people would allege that there is no comparison done at all.

      2. Sometimes the banking network will enter a "default positive" state, during which time ALL charge attempts will be approved. Fraudulent charges accepted during this time, which may only last for a few minutes, will often not be cancelled for several days. The merchant may or may not be fined for these charges.

      3. The banking network's block list is based on factors such as reports of stolen cards, police information, etc. As far as I know there is no system in place to allow merchants to report fraudulent charges. A merchant is able to cancel a suspicious charge (and, as a slap in the face for running his business ethically, be fined for doing so) but that's all it is, a cancellation, the banking network will still allow the same fraudster to make another charge on the same card elsewhere.

      Believe me, if other retailers are anything like me, they are ultra-paranoid in trying to prevent fraud. But ultimately we don't have access to the data we need, our on-the-ground feedback isn't wanted, and when the banking network lets us down we lose money on the sale and we are automatically fined with no appeals process and no way of knowing who fined us.
    2. Re:about stolen cards by justMichael · · Score: 2, Informative
      1. The retailer doesn't have access to the banking network's records, so there is no way for the retailer to perform his own checks. The banking network must be trusted without question. Try this: Pay for something on a web site, giving your legitimate credit card details but a made-up name and address. The charge will probably be accepted. Why? Because the name/address comparison is done loosely to allow for people typing stuff differently from how it is recorded, ie: "14a Halifax Street" is typed as "14 A HALIFAX ST". Bear in mind that credit card companies PROFIT from fraud, you can imagine how loose this comparison is. Some people would allege that there is no comparison done at all.
      This is what you should be using AVS for. Yes I agree 100% that the address match is garbage, one of my own cards doesn't validate. If the zip and CVV data match it is a good bet that it is good.
      A merchant is able to cancel a suspicious charge (and, as a slap in the face for running his business ethically, be fined for doing so) but that's all it is, a cancellation,
      If you get fined by your card processor for cancelling an order and reversing the charge, I strongly suggest you find a better processor. I have never even been questioned for reversing a charge. Are you dealing with one of the 3rd party processing houses or directly with one of the big clearing houses?
      Believe me, if other retailers are anything like me, they are ultra-paranoid in trying to prevent fraud. But ultimately we don't have access to the data we need, our on-the-ground feedback isn't wanted, and when the banking network lets us down we lose money on the sale and we are automatically fined with no appeals process and no way of knowing who fined us.
      If you are truly ultra-paranoid about accepting credit card purchases online, as you should be, have you looked into the Maxmind Credit Card Fraud Detection service? It will give you some extra insight into the customer's intentions: did they come in through an anonymous proxy? How far is their current physical location from the billing address? And quite a bit more.

      As for not knowing who nailed you with a chargeback, again, you may need to find a better processor. If I get a charge back I know who it was as I get a copy of the letter that the customer sent to the credit card company when I get my 15 day appeal letter. Thankfully this rarely happens as I use Maxmind to screen and have no problem requesting a fax with a signature and copy of both sides of the card if I feel the charge warrants it. No fax, the charge gets reversed.

      I am in no way affiliated with Maxmind, I am just a very happy customer and recommend them highly.
  4. You've discovered a dirty little secret... by HotNeedleOfInquiry · · Score: 5, Informative

    Of the credit card companies. They don't give a rat's ass about credit card fraud. Why? Because they don't lose money on it. They chargeback the merchant that accepts the stolen card.

    That's the way the system works. I know firsthand. Every merchant that does non face-to-face transactions will eventually get bit and when it happens, all the credit card company cares about is getting their money back from the merchant. They are not interested in fraud investigation. Why should they? That costs money. It's much easier to make the merchant cover the costs. He has to in order to keep his account.

    It's a terribly broke system, but the people with the gold make the rules. Sorry I sound so bitter, but I learned a $1700 lesson on this one...

    --
    "Eve of Destruction", it's not just for old hippies anymore...
  5. I am not a lawyer. by rjh · · Score: 4, Informative

    I'm not a lawyer. On the other hand, I have enough relatives who are judges, prosecutors and ex-cops to have a decent idea of how the system works.

    First off: find your state Attorney General's office and email them. Almost every state AG office has an email address, and many of them give timely responses. Don't wait until morning: do this tonight.

    Second off: tomorrow look up the Federal District Attorney's phone number. Call first thing in the morning (9:00am sharp!) and ask to speak to the Financial Crimes Division. Someone in that office is tasked with financial crimes, believe you me, and that's the person you want to talk to. Get that person's name and phone number. Make an appointment as soon as possible--this is the entire reason for calling early in the morning, since their schedules are more open then. Make sure to tell them that you've received a solicitation to purchase stolen credit card numbers, and the numbers appear real.

    Third: call the Secret Service during regular business hours. Again, ask for Financial Crimes. They may not have an office in your area. If they don't, they'll pass the buck back, perhaps to the FBI, perhaps to some other Treasury department. If they do this, ask the Secret Service agent for a particular agent to call, and ask the Secret Service agent to let this particular agent know you'll be calling. Federal law-enforcement tends to pay more attention to you if you're directly referred by another law-enforcement type than if you say "yeah, the Secret Service told me I needed to call you guys..."

    Fourth: contact your local bank. As in, the bank you do business with. Calling the credit-card companies will be a fool's errand; there are tons of them and you have no clue how many of these numbers are Visa, how many are Mastercard, how many are Discover/Novus, etc. Your bank most probably has business relationships with all of them. Call your bank and ask for an appointment with whoever's responsible for fraud control.

    At this point, you've covered your bases pretty well. Banks, prosecutors, FBI/Secret Service, state attorney general's office. Take a breather. You've done good. Wait for them to get back in touch with you.

    Tomorrow, call the news media. Make sure to tell them which agencies got back in touch with you and which agencies didn't, which agencies took it seriously and which agencies couldn't be bothered to give a damn.

    1. Re:I am not a lawyer. by dougmc · · Score: 2, Informative
      Calling the credit-card companies will be a fool's errand; there are tons of them and you have no clue how many of these numbers are Visa, how many are Mastercard, how many are Discover/Novus, etc.
      Actually, you can tell from the number itself which type of card it is. Visa cards start with a 4, Mastercard starts with 5, and I don't know about the rest, but I'm sure somebody else does.
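
The point in the comment above (the leading digits identify the card network) can be turned into a triage step for deciding which issuers' fraud desks a report should go to. This is an added example, not part of the original thread: the Visa and Mastercard leading digits come from the comment, the remaining prefix ranges are the publicly documented ones, and the sample input is constructed from the networks' published test numbers.

```python
import re
from collections import Counter

def brand(pan: str) -> str:
    """Map a digit string to a card network by its issuer prefix (IIN)."""
    p2, p3, p4 = int(pan[:2]), int(pan[:3]), int(pan[:4])
    if pan[0] == "4" and len(pan) in (13, 16, 19):
        return "Visa"
    if len(pan) == 16 and (51 <= p2 <= 55 or 2221 <= p4 <= 2720):
        return "Mastercard"
    if len(pan) == 15 and p2 in (34, 37):
        return "American Express"
    if len(pan) in (16, 19) and (p4 == 6011 or p2 == 65 or 644 <= p3 <= 649):
        return "Discover"
    return "Unknown"

def luhn_ok(pan: str) -> bool:
    """Luhn checksum: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(pan: str) -> str:
    """Keep first six and last four digits so the report never repeats a full number."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def triage(lines):
    """Return (count per network, list of (network, masked number))."""
    counts, masked = Counter(), []
    for line in lines:
        pan = re.sub(r"[ -]", "", line.strip())
        if not pan.isdigit() or not 13 <= len(pan) <= 19 or not luhn_ok(pan):
            counts["Invalid"] += 1   # junk or padding in the list
            continue
        counts[brand(pan)] += 1
        masked.append((brand(pan), mask(pan)))
    return counts, masked

# Constructed sample: published test numbers plus two bad entries.
SAMPLE = ["4111 1111 1111 1111", "5555-5555-5555-4444", "378282246310005",
          "6011111111111117", "4111111111111112", "not a card"]

if __name__ == "__main__":
    counts, masked = triage(SAMPLE)
    print(dict(counts))
    print(masked)
```
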
  6. Re:Oh, use your fucking head. by devphil · · Score: 3, Informative


    There is no credit card emergency that cannot be handled the next business day.

    Hell, the credit card purchases themselves take a couple days before they're finalized. Even then the companies can "undo" purchases if they are later shown to be illegitimate.

    So, there is no point to having a ten-minute investigative response time to credit card fraud. Next day, yes, but 3 AM? Waste of money.

    --
    You cannot apply a technological solution to a sociological problem. (Edwards' Law)