Reporting Stolen Credit Card Lists?
harlows_monkeys asks: "I just received a spam, at both home and work, both sent through trojaned Windows machines, offering to sell me a credit card database stolen from camcontacts.net.
Included was a link to a sample of the database (no, I'm not providing a link!). I downloaded the sample, and it appears legit. There are 13000 numbers. I picked one of the Visa numbers, went to Visa's web site, and entered it in a form to sign up for fraud protection, and it accepted it, and identified the issuing bank. It was accepted. All indications are that this stuff is real.
So, the question arises--what is the correct way to deal with this?
"I called Visa, and after they spent a while figuring out what department was responsible, all they could suggest was call local law enforcement, and if I wanted to talk to Visa's security people, call back at 9am when they get in.
American Express didn't even suggest calling local law enforcement. They just suggested calling back when their security people got in in the morning.
I then called the FBI. They said to call the Secret Service and gave the number.
At the Secret Service, I ran into an answering machine that gave their office hours.
It seems to me that there should be -someone- who would be interested in a widely-sent spam that links to 13000 credit card numbers, with expiration date and customer name and zip code, so as to stop these from being fraudulently used, but it escapes me who that would be--I struck out with all my candidates.
Is it just me, or does the indifference of Visa and Amex to this shock anyone else?"
This comment sums everything up nicely.
To offer some personal experience, I've reported credit card fraud to the police and been told by the investigating officer: "I have a pile of drugs cases that will take a year to investigate. This report will go to the bottom of that pile."
Credit card fraud isn't taken seriously. The reason is that credit card companies *profit* from fraud, so they don't make a fuss. If someone uses a stolen credit card number to make a $100 purchase then all the credit card company does is take the $100 back from the retailer and charge them $15+ for the privilege.
If the retailer doesn't like it then they have two options, either (1) shut up or (2) stop accepting credit cards and close their business.
It beggars belief that the mainstream media hasn't covered this, but I guess it all boils down to it being "business vs business" (credit card companies vs retailers) so as long as consumers aren't getting hurt, the media doesn't have an audience to tell the story to.
Last year, Visa introduced a $375 annual charge for Internet merchants that want to accept Visa payments. They even had the cheek to charge double the first year. The stated reason was to cover the costs of fraud. Following the introduction of the annual charge, the fines imposed upon merchants went UP. Internet merchants cannot prevent fraudulent charges because that is the responsibility of the credit card companies, but merchants are now paying an annual charge to cover any fines, as well as still paying the fines which are higher than ever. Credit card companies continue to do practically nothing to prevent fraud. Again, every time someone commits credit card fraud, the card company gets richer.
If you think you've ever had a raw deal as a consumer, you should try working with credit card companies. They -- especially Visa -- are the personification of corporate evil. They operate with practically no accountability and no appeals procedure, imposing new rules and charges whenever they choose and merchants have little choice but to agree to them. Some merchants do not even have any way of knowing which company they have been fined by! Think of credit card companies as PayPal at their worst, multiplied by a thousand.
One idea I've had, inspired largely by the "full disclosure" ethos of the software security community, is to write a text file explaining the very simple way to make credit card payments for services over the Internet without (1) ever having to pay for the service, or (2) breaking the law in a way that can be prosecuted. I'd then post the document on a server in a country with a zero censorship policy and distribute the link. The hope, perhaps foolish, would be that *widely* disclosing a known loophole would cause credit card fraud to go through the roof and, amid a flood of bad publicity, force the card companies to change their policies.
The only reason I haven't done this yet is because -- and I know it's selfish -- my business accepts credit cards over the Internet so I'd be committing financial suicide.
Someone's going to do it, though, sooner or later.
About a month ago, I received a similar email from a trojaned Earthlink account. I contacted Earthlink abuse first and they basically said not our problem, not our customer doing it. They maintained that since someone else was controlling the account, not the customer, they weren't interested. I responded saying that it was their IP address and they should alert their customer but got no response. Likely, it was a low level support person answering the email but you'd think that they'd forward it on to someone in authority.
I got no response from the credit card companies that I contacted or a nice remark about "if _your_ card is affected...". I didn't even bother with the feds since in the past they've only been interested in large dollar amounts affecting large companies. And local cops are not the answer to an international credit card number theft ring.
I'm usually too busy to deal with this sort of crap and I let it drop since I'd too much to do (yea, yea, I know). Didn't remember until this came up.
A card of mine was one of the million plus stolen from the old onsale.com database break-in several years ago. I noticed a $10 charge by a "Moscow Telecom" and notified my bank. They responded that there had been a theft and they were immediately replacing cards (via ground mail) that showed activity like this and that my card was one of the affected cards. They actually said that they had a list of all of their cards that were affected but were only replacing cards showing suspicious activity! I was floored. They also said that small transactions were being posted against the cards because most people failed to check their statements or if they did figured that since it was small, it must be right and they didn't remember. $10 times 1 million plus cards is a lot of scratch every month.
"World's Largest Credit Union" indeed. Acted more like a big bank not wanting to get stuck with a big expense.
Maybe next time, I'll forward it to Interpol first but they are also a bureaucracy too.