Slashdot Mirror
Corporate Identity Theft on the Rise
prostoalex writes "As millions of Americans lose their identities to online and offline thieves, a new kind of crime has been cooked up by the criminals who are not bothering with doing pesky credit card charges. They steal entire companies, opening up merchant accounts for existing businesses and running up charges from aforementioned stolen credit card numbers. What's worse, is that the hole the criminals exploit seems to be built into the system. According to Bob Sullivan from MSNBC, "Many of the processing firms interviewed for this article claimed they caught on to the fraud after the transactions had cleared, but before the suspects had withdrawn the money from various checking accounts around the country. One did concede, however, that the scheme has real potential.""
I wonder if Microsoft accepts credit cards.....
Ashton was quoted saying, "Dude where's my company."
All you would need is a legit FEIN, and real or forged Articles of Formation. Maybe an operating agreement. Open a bank account and VOILA!
I hate it when the mass media call it "identify theft." If someone impersonates me, he's not taking away my identity, he's committing fraud.
Repeat after me... intangible and intellectual "property" cannot be "stolen." It can only be used in unauthorized ways.
If stupidity got us into this mess, then why can't it get us out? - Will Rogers
I love these articles that outline great ways to break the law. Like the one a while back about how to open a kryptonite U-Lock with a pen. It used to be hard to come up with great criminal schemes...now you just have to watch the news.
on the subject of questionable ethics, does anyone else wonder about the guy who said "One did concede, however, that the scheme has real potential"? Potential? Potential? Maybe "potential for abuse" would be ok, but the way that's phrased at the moment... I can see the cogs turning over in this guys head for companies to target!
-- james
And so - the Crimson Permanent Assurance was launched upon the high seas of international finance!
For some reason this just does not generate the sympathy in my heart that stories of personal identity theft does... I wonder why?
check out the link http://www.iwks.com/features/default.asp?pagetypei d=2&articleid=31496&subsectionid=655
this type of theft is well known; just not as reported as personal id theft. From other stories is seems the average is 30,000 or more per theft. Seems that perhaps the victum in this story came out lucky.
However since you have to provide ID and would get captured on camera setting up a checking account, keeping your real ID does seem to be a challenge.
I'd say it's legitimate to call Identity Theft "theft" under the circumstances, whatever your opinions are on the "proper" wording for piracy.
You are not alone. This is not normal. None of this is normal.
Problem is, they do target ma and pa businesses. Indeed, apparently their scheme only works if the victim does not yet have a merchant account on his own (or else the fraudulent account would be easily flagged as duplicate...). Thus the perfect victim is a company too small to be accepting credit cards. Sorry, Microsoft will unfortunately never be the target of these gentlemen;-(
You only use 2% of your DNA
Does anyone else have a problem with the level of detail in the article? They not only report on the scam, but tell exactly how it was carried off. They've even provided the names of the merchant transaction companies which can be suckered.
It's good to use your head, but not as a battering ram.
...every time some "paranoid" person starts talking about security. You know who I'm talking about.
They're everywhere. Nobody thinks worrying about security is cool or fun, it seems like a waste of money, a sign of mental instability, even a kind of obsessive behavior.
Everyone much prefers to be surprised and wave their hands when things go wrong. "It's out of control. You can't stop hackers/criminals/etc."
People have a terrible problem understanding scale. Nobody understood at Microsoft that the computer wasn't a little house in the country where you could leave the doors unlocked so occupants wouldn't have to fumble with the keys. When engineers there raised the problems they were scoffed at, disciplined. "Keep your priorities straight. Don't be paranoid." Nobody got it when the first spam was sent and we were all outraged... "What's wrong with a little spam?" How about what's wrong with 300 spam a day? It's just the "logical conclusion" - which is not logical anymore to people who don't like to be bothered thinking deeply about their responsibilities.
The many systems our financial institutions use for identifying and tracking "consumers" are ridiculously insecure. And although the victims wail and now are allowed a few minutes a month to tell their horrible tails on 60 minutes, we as a whole seem determined to close our eyes and race grinning into the brick wall of scale again. How many hundreds of thousands of people have to have their lives ruined before colleges stop making everyone spout their social security number like it's their first name, and the mother's maiden name loses its appeal? How long before companies stop letting $5 an hour employees handle "meaningless" data (with literally no background checks or security controls) that is worth millions when properly exploited?
This is a cultural change we need to kick off. We need to take security seriously. It needs to become uncool to roll your eyes and mock the security expert.
Want to Know How to Cheat the GPL? Read On!
Never mistake silence for disinterest (or assent, for that matter).
The FBI could be very interested in the Pakistan and Russian connections. However they are very unlikely to be discussing details of the case with regular civilians.
Or they could be disinterested.
Identity theft was covered at this years blackhat in vegas and it was stated the the vast majority of indentity theft is corporate insiders stealing the info and selling it on the web. Hackers/crackers only account for a small about of the current identity theft.
presmike
Like credit cards with SOMEONE ELSES name on them? Like SOMEONE ELSES money or "physical" merchandise? Theft is when you steal something of value. Websters gives examples of both tangible and intagible theft.
Besides, what's your point? Just trying to be argumentative, or perhaps justify something darker?
"Who are in control, they are not in control of anything - they don't even control themselves!" - Glen Beck
You are damn right the problem is built-in to the system.
The scum create an account, and charge a bunch of crap to it from stolen cards. They then extract the money and run.
The people bilked bitch to the credit card companies.
The card companies attempt to reverse the charges.
The poor business who was impersonated gets stuck with the bill. At best, the company can establish its innocence, and the CC company writes the cost off its taxes.
If the *credit card companies* were the ones who had to suffer the costs of fraud, rather than shifting it to the companies or to the taxpayer, then they would be a HELL of a lot more motivated to add stronger authentication to the system.
As it stands now, if somebody is committing massive credit card fraud in the form of lots of small charges, and you try to bring this to the card company's attention, they blow you off because it just isn't worth their time - it is easier to just charge back to the merchants. A friend of mine who works in the order-processing chain for a large company ran into just that - he detected a fraud ring attempting to rack up a lot of charges, he called the card company and said "I'll give these guys to you with a ribbon tied around them - addresses, names, the works." "Not interested - bu-bye!"
www.eFax.com are spammers
But they do accept souls..
---- Booth was a patriot ----
Why cant you just go and legitimately buy a whole series of off the shelf companies?
Then you get a totally legit and above board merchant account to run your stolen cards through.
Here in the uk you can see ads for pre-created legitimate shell companies that you can buy cheaply and rename to cut out the hassle and legal niceities of creating a limited company from scratch.
another Roadkill on the Information Superhighway
...appears to be by trashing your own credit. This way your credentials will be rejected for new applications.
If you don't have a support contract with MS than the only way to talk to them for support is with your credit card.
If you think it's expensive to hire a professional to do the job, wait until you hire an amateur. --Red Adair
If the *credit card companies* were the ones who had to suffer the costs of fraud, rather than shifting it to the companies or to the taxpayer, then they would be a HELL of a lot more motivated to add stronger authentication to the system.
Except they are the ones who pay for it. They get to deduct a business loss from their taxes, because those losses reduce their earnings.
-- Support a free market in the field of government
Ah, relative morals, don't you just love 'em?
A crook's a crook, no matter his target.
+1 Insightful, -1 Troll. What can I say, I'm an Insightful Troll.
...I've worked in the credit card industry for many years and am friends with a VP at one of the largest ISOs in the US.
Simple fact is, the system is not designed to prevent fraud. It is designed to detect, catch, and prosecute those that do exploit the system. Granted, the industry has slowly started trying to move toward a more proactive stance, while making it a little harder to comit fraud. But the merchants generally complain about efforts to make it harder on criminals and go out of their way to facilitate these types of problems.
Long story short, you may think you're getting away with these types of crimes, but rest assured, it's only a matter of time before you are caught and placed in jail.
... that the company whose identity is misused is seen as being responsible for the losses. It is the merchant service providers and banks that should be held fully responsible -- they are the gatekeepers who failed to mind the gate, never checking the imposters' identies or association with the company.
"For all of us, it's a tough business," Steinberg, of Merchant E Services, said. "It's a large, large problem."
No Shit, Sherlock. It may be a large, large problem, but it is your responsibility to solve it. If you can't solve it or handle the losses, you shouldn't be in the business. Period.
Any suggestions on how to keep the losses on the banks and service providers, instead of the businesses?
Who hasn't read some story or seen some report on TV about "phishing" and those evil "hackers" who sniff your internet conx looking for credit card numbers?
It's not nearly as lurid to talk about joe schmoe, who got pissed at his boss and sold 100,000 customer records to some guy in detroit. Security breaches have always been about 80% inside jobs.
"We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"
Who steals my purse steals trash; 'tis something, nothing.
'Twas mine, 'tis his, and has been slave to thousands;
But he that filches from me my good name
Robs me of that which not enriches him
And makes me poor indeed.
-William Shakespeare - Othello the Moor of Venice (Iago at III, iii)
Some mornings it's hardly worth chewing through the restraints to get out of bed.
If you're a legitimate business, and want to accept credit cards, you go to your bank and open a merchant account. They check your financial history, may demand a deposit (on which they pay interest), want to see you in person, may visit your premises, and make you sign a painful contract. Then they charge you about $100 per month, plus 1-3% of the transaction cost. This is the way real companies do it.
If you're a less legitimate business, there are services for you, too. Charge-It-Now is a more or less legitimate one. "Now you can be approved to accept credit cards in as little as two hours and have a live merchant account in 24 hours. Applying online for our Internet processing software has never been easier. The entire application process is done online in less than 10 minutes and with our digital signature approval process; we do not need a physical signature. We deposit funds directly into your existing bank account. ... We accept 98% of applicants". At this tier, the rates are higher and the merchant is more likely to be doing something dodgy. These outfits aren't regulated as banks. They're resellers of banking services. They need to be better regulated.
Further down in the muck, there is the "high risk merchant account" business. "Has PaySystems or other merchant providers shutdown your company, virtually stopping you from processing credit cards? ... Good Credit / Bad Credit okay! ...
We pride our business on the fact we can place just about any business type. Even if you've experienced problems in the past with other processors or have a low credit rating."
This is where your mid-grade spammer gets credit card processing. Most of those operators need to be kicked out of the credit card system.
Down at the bottom, there's "offshore high-risk credit card processing". "Merchant account service for bad credit, high risk, gambling, and adult related business." This is the land of 15% fees, long holdbacks, and processors who disappear suddenly. Here we find companies operating from undisclosed locations, a criminal offense in many jurisdictions. These outfits help crooks and spammers launder their money, evade taxes, and hide from law enforcement. These operators are essentially part of organized crime.
http://dictionary.reference.com/search?q=disint