Reporting Stolen Credit Card Lists?

harlows_monkeys asks: "I just received a spam, at both home and work, both sent through trojaned Windows machines, offering to sell me a credit card database stolen from camcontacts.net. Included was a link to a sample of the database (no, I'm not providing a link!). I downloaded the sample, and it appears legit. There are 13000 numbers. I picked one of the Visa numbers, went to Visa's web site, and entered it in a form to sign up for fraud protection, and it accepted it, and identified the issuing bank. It was accepted. All indications are that this stuff is real. So, the question arises--what is the correct way to deal with this? "I called Visa, and after they spent a while figuring out what department was responsible, all they could suggest was call local law enforcement, and if I wanted to talk to Visa's security people, call back at 9am when they get in.

American Express didn't even suggest calling local law enforcement. They just suggested calling back when their security people got in in the morning.

I then called the FBI. They said to call the Secret Service and gave the number.

At the Secret Service, I ran into an answering machine that gave their office hours.

It seems to me that there should be -someone- who would be interested in a widely-sent spam that links to 13000 credit card numbers, with expiration date and customer name and zip code, so as to stop these from being fraudulently used, but it escapes me who that would be--I struck out with all my candidates.

Is it just me, or does the indifference of Visa and Amex to this shock anyone else?"

call the local news media

[ceejayoz]

That should do the trick.

Re:call the local news media

[Profane+MuthaFucka]

No no, call Outpost.com and start ordering computers. That's going to be even faster.

Re:call the local news media

[jerde]

call the local news media

Yeah, and they'll answer their phones in the middle of the night, too...

Good grief! The poster is calling companies in the middle of the night expecting them to have crack 24-hour teams ready to deal with the information he has? Surprise! The vast majority of people work during business hours.

SO CALL THEM DURING BUSINESS HOURS! Both credit card companies offered to have you talk to their security people, so give 'em a call.

Even talking to the police, nobody is going to want to take a statement from you or have any detectives talk to you, except during the work day.

(I'm posting at 4am local time -- I know what insomnia is; that doesn't mean I expect to be able to conduct normal business right now)

- Peter

no surprise

[evilkarl]

If you were calling them outside business hours its no surprise they were unresponsive. I'm not saying that I condone their handling of it they should jump on it in an instant however if their security people are not available chances are there is no one there with the knowledge to help.

Re:no surprise

[ceejayoz]

You honestly believe Visa, MasterCard and American Express don't have security folks working around the clock?

The telephone reps probably just don't have the authority to override business hours.

Re:Shopping spree?

[Suhas]

No No No...You need to shop in smaller quatities. It is a pr0n site. NoBody would report a $20-30 transaction because the number was stolen from a pr0n site.

FBI

[El+Micko]

What you've got is stolen credit card numbers being transported across state lines. That makes it a federal matter. You call the FBI.

about stolen cards

[alonsoac]

Nowadays stolen card numbers are not a problem for the customers because you can always call your bank and have a fraudulent charge removed. The banks always remove the charge first and the the business has to prove the charge is not fraudulent.

So the ones that get hurt are the businesses that accept stolen cards. But any decently run business should be able to verify the authenticity of the sale by checking the billing address and security numbers on the card.

BTW, calling the card companies and police in the middle of the night and then being shocked by the unresponsivenes is unfair or pain dumb.

Re:about stolen cards

[Andy+Smith]

But any decently run business should be able to verify the authenticity of the sale by checking the billing address and security numbers on the card.

Wrong. In its simplest terms, the system works like this:

1. Customer fills out a form with name, address, card number, etc.

2. Details are transmitted to banking network.

3. Banking network either gives the go-ahead or declines the charge.

4. Retailer proceeds based on banking network's response.

This system is flawed in several ways:

1. The retailer doesn't have access to the banking network's records, so there is no way for the retailer to perform his own checks. The banking network must be trusted without question. Try this: Pay for something on a web site, giving your legitimate credit card details but a made-up name and address. The charge will probably be accepted. Why? Because the name/address comparison is done loosely to allow for people typing stuff differently from how it is recorded, ie: "14a Halifax Street" is typed as "14 A HALIFAX ST". Bear in mind that credit card companies PROFIT from fraud, you can imagine how loose this comparison is. Some people would allege that there is no comparison done at all.

2. Sometimes the banking network will enter a "default positive" state, during which time ALL charge attempts will be approved. Fraudulent charges accepted during this time, which may only last for a few minutes, will often not be cancelled for several days. The merchant may or may not be fined for these charges.

3. The banking network's block list is based on factors such as reports of stolen cards, police information, etc. As far as I know there is no system in place to allow merchants to report fraudulent charges. A merchant is able to cancel a suspicious charge (and, as a slap in the face for running his business ethically, be fined for doing so) but that's all it is, a cancellation, the banking network will still allow the same fraudster to make another charge on the same card elsewhere.

Believe me, if other retailers are anything like me, they are ultra-paranoid in trying to prevent fraud. But ultimately we don't have access to the data we need, our on-the-ground feedback isn't wanted, and when the banking network lets us down we lose money on the sale and we are automatically fined with no appeals process and no way of knowing who fined us.

You've discovered a dirty little secret...

[HotNeedleOfInquiry]

Of the credit card companies. They don't give a rat's ass about credit card fraud. Why? Because they don't loose money on it. They chargeback the merchant that accepts the stolen card.

That's the way the system works. I know firsthand. Every merchant that does non face-to-face transactions will eventually get bit and when it happens, all the credit card company cares about is getting their money back from the merchant. They are not interested in fraud investigation. Why should they? That costs money. It's much easier to make the merchant cover the costs. He has to in order to keep his account.

It's a terribly broke system, but the people with the gold make the rules. Sorry I sound so bitter, but I learned a $1700 lesson on this one...

I am not a lawyer.

[rjh]

I'm not a lawyer. On the other hand, I have enough relatives who are judges, prosecutors and ex-cops to have a decent idea of how the system works.

First off: find your state Attorney General's office and email them. Almost every state AG office has an email address, and many of them give timely responses. Don't wait until morning: do this tonight.

Second off: tomorrow look up the Federal District Attorney's phone number. Call first thing in the morning (9:00am sharp!) and ask to speak to the Financial Crimes Division. Someone in that office is tasked with financial crimes, believe you me, and that's the person you want to talk to. Get that person's name and phone number. Make an appointment as soon as possible--this is the entire reason for calling early in the morning, since their schedules are more open then. Make sure to tell them that you've received a solicitation to purchase stolen credit card numbers, and the numbers appear real.

Third: call the Secret Service during regular business hours. Again, ask for Financial Crimes. They may not have an office in your area. If they don't, they'll pass the buck back, perhaps to the FBI, perhaps to some other Treasury department. If they do this, ask the Secret Service agent for a particular agent to call, and ask the Secret Service agent to let this particular agent know you'll be calling. Federal law-enforcement tends to pay more attention to you if you're directly referred by another law-enforcement type than if you say "yeah, the Secret Service told me I needed to call you guys..."

Fourth: contact your local bank. As in, the bank you do business with. Calling the credit-card companies will be a fool's errand; there are tons of them and you have no clue how many of these numbers are Visa, how many are Mastercard, how many are Discover/Novus, etc. Your bank most probably has business relationships with all of them. Call your bank and ask for an appointment with whoever's responsible for fraud control.

At this point, you've covered your bases pretty well. Banks, prosecutors, FBI/Secret Service, state attorney general's office. Take a breather. You've done good. Wait for them to get back in touch with you.

Tomorrow, call the news media. Make sure to tell them which agencies got back in touch with you and which agencies didn't, which agencies took it seriously and which agencies couldn't be bothered to give a damn.

Credit card fraud is good for card issuers

[Andy+Smith]

This comment sums everything up nicely.

To offer some personal experience, I've reported credit card fraud to the police and been told by the investigating officer: "I have a pile of drugs cases that will take a year to investigate. This report will go to the bottom of that pile."

Credit card fraud isn't taken seriously. The reason is that credit card companies *profit* from fraud, so they don't make a fuss. If someone uses a stolen credit card number to make a $100 purchase then all the credit card company does is take the $100 back from the retailer and charge them $15+ for the privilege.

If the retailer doesn't like it then they have two options, either (1) shut up or (2) stop accepting credit cards and close their business.

It beggars belief that the mainstream media hasn't covered this, but I guess it all boils down to it being "business vs business" (credit card companies vs retailers) so as long as consumers aren't getting hurt, the media doesn't have an audience to tell the story to.

Last year, Visa introduced a $375 annual charge for Internet merchants that want to accept Visa payments. They even had the cheek to charge double the first year. The stated reason was to cover the costs of fraud. Following the introduction of the annual charge, the fines imposed upon merchants went UP. Internet merchants cannot prevent fraudulent charges because that is the responsibility of the credit card companies, but merchants are now paying an annual charge to cover any fines, as well as still paying the fines which are higher than ever. Credit card companies continue to do practically nothing to prevent fraud. Again, every time someone commits credit card fraud, the card company gets richer.

If you think you've ever had a raw deal as a consumer, you should try working with credit card companies. They -- especially Visa -- are the personification of corporate evil. They operate with practically no accountability and no appeals procedure, imposing new rules and charges whenever they choose and merchants have little choice but to agree to them. Some merchants do not even have any way of knowing which company they have been fined by! Think of credit card companies as PayPal at their worst, multiplied by a thousand.

One idea I've had, inspired largely by the "full disclosure" ethos of the software security community, is to write a text file explaining the very simple way to make credit card payments for services over the Internet without (1) ever having to pay for the service, or (b) breaking the law in a way that can be prosecuted. I'd then post the document on a server in a country with a zero censorship policy and distribute the link. The hope, perhaps foolish, would be that *widely* disclosing a known loophole would cause credit card fraud to go through the roof and, amid a flood of bad publicity, force the card companies to change their policies.

The only reason I haven't done this yet is because -- and I know it's selfish -- my business accepts credit cards over the Internet so I'd be committing financial suicide.

Someone's going to do it, though, sooner or later.

Re:Credit card fraud is good for card issuers

[Andy+Smith]

The person I reported for fraud (I'm in the UK too, btw) was a repeat offender who was targeting me specifically.

After I'd done everything I could to prevent him from using his credit card on my site, which basically came down to wildcard blocking, he started trying to pay by cheque and even sent me two cheques, both of which were made out incorrectly. I assumed they would bounce so I didn't even try to pay them into my bank, I just gave the police the details.

The info I gave to the police was:

1. The guy's e-mail address from a major ISP that charges a monthly fee, which should mean they have his correct name and address on file, a valid card number, or at the very least a record of his phone number.

2. Several aliases and alternative e-mail addresses that he used.

3. His bank account number and branch address.

4. And I offered to supply copies of all e-mails he had sent me, including headers, but these weren't wanted.

So far, nearly 18 months later, the result has been precisely nothing.

The situation with credit card fraud on the Internet gets me so mad. I have seriously considered committing fraud against a bank or a major retailer and then reporting myself to the police, just to create a 'newsworthy' story for the media to cover, to raise awareness of the larger issue.

I couldn't really give a damn about the money. I get by from day to day, not rich, not poor, and that's fine for me. But the principle makes my blood boil. I believe in FAIRNESS and credit card companies are NOT fair. They treat merchants like their own personal piggybanks, taking money whenever they feel like it because of their own slack security, and then they tell the public that they're committed to preventing fraud. They aren't preventing fraud at all, at least not from where I'm sitting -- they're just reaping the rewards by allowing merchants to be ripped off and then fining them.

Same run around

[Halvard]

About a month ago, I received a similar email from a trojaned Earthlink account. I contacted Earthink abuse first and they basically said not our problem, not our customer doing it. They maintained that since someone else was controlling the account, not the customer, they weren't interested. I responded saying that it was their IP address and they should alert their customer but got no response. Likely, it was a low level support person answering the email but you'd think that they'd forward it on to someone in authority.

I got no response from the credit card companies that I contacted or a nice remark about "if _your_ card is affected...". I didn't even bother with the feds since in the past they've only been interested in large dollar amounts affecting large companies. And local cops are not the answer to an internations credit card number theft ring.

I'm usually too busy to deal with this sort of crap and I let it drop since I'd too much to do (yea, yea, I know). Didn't remember until this came up.

A card of mine was one of the million plus stolen from the old onsale.com database breakin several years ago. I noticed a $10 charge by a "Moscow Telecom" and notified my bank. They responded that their had been a theft and they were immediately replacing cards (via ground mail) that showed activity like this and that my card was one of the affected cards. They actually said that they had a list of all of their cards that were affected but were only replacing cards showing suspicious activity! I was floored. They also said that small transactions were being posted against the cards because most people failed to check their statements or if the did figured that since it was small, it must be right and they didn't remember. $10 times 1 million plus cards is a lot of scratch every month.

"World's Largest Credit Union" indeed. Acted more like a big bank not wanting to get stuck with a big expense.

Maybe next time, I'll forward it to Interpol first but they are also a bureacracy too.

Re:Oh, use your fucking head.

[Singletoned]

What, you thought investigative agents hang around 24 hours a day? No, they value sleep

Don't you have shift work in America? We have a system where one set of people go home, and another comes in to replace them. It's very useful for Fire departments, hospitals and security departments. In fact anywhere that needs to be manned 24 hours a day.

Criminals don't knock off at 5pm.

Re:Oh, use your fucking head.

[dr_dank]

Criminals don't knock off at 5pm.

They do if they're union.

Re:Oh, use your fucking head.

[devphil]

There is no credit card emergency that cannot be handled the next business day.

Hell, the credit card purchases themselves take a couple days before they're finalized. Even then the companies can "undo" purchases if they are later shown to be illegitimate.

So, there is no point to having a ten-minute investigative response time to credit card fraud. Next day, yes, but 3 AM? Waste of money.