ID Thieves Target Smaller Businesses
wiredog writes, "The Washington Post writes about real-time credit-card theft from small merchants (registration required). An accompanying Security Fix blog commentary from Brian Krebs describes '...10 hours of lurking I did on a variety of underground chat and Web channels frequented by identity and credit card thieves. From that research, Security Fix confirmed recent data breaches at four online merchants that were unaware that hackers had broken into their databases until we contacted them.' Lesson: Don't buy online from the cheapest retailers. Guess where they are cutting costs to be the cheapest?" The article and blog commentary also cast doubt on the efficacy of online "hacker testing" services.
If you're doing this you should make sure that you don't have any overdraft protection on your checking account.
This guy's the limit!
This just flat out makes sense. If I am looking to acquire credit card information for identity theft or fraudulent purposes, I want to get it as easily and unnoticed as possible. Big companies like Amazon.com and the like invest large amounts of money into security and fraud prevention. They have trained staff whose only purpose is to stop the baddies. Small companies aspiring to be an Amazon.com don't have the capital to invest and therefore rely on 3rd party vendors like Yahoo! Shopping to handle their credit card management. If they don't then they are an easy target. As my management likes to say, they are "low hanging fruit" and "easy pickings".
So if I want to steal information, I'm going to go where it is easy to get. It's amazing that it took a study and investigative reporting to "uncover" this whole "conspiracy". Then again, it can apply to brick and mortar stores too where small businesses can make a dirty habit of tossing credit card signature slips in the trash where an unscrupulous person can make use of them. That's not to say a big chain store wouldn't do that but they might be less likely to do so. Maybe The Washington Post should investigate that one too?
and they have deep pockets
This is the most inaccurate idea thrown around about credit card companies. That they have plenty of money and that's how they just forgive various charges on your card when you complain or are defrauded. This is only half true, and that part is that they have plenty of money. Sure, they forgive charges to your cards all the time. But who pays for it? Does anyone really know? Well, any merchant knows that it is the merchant that pays for fraudulent and otherwise disputed charges. That, plus a $30-35 charge just like a returned check fee.
Sure the credit card companies have a clause if you only ship the goods to the billing address, have AVS verification, make sure the CSC matches, AND have a signature required for the delivery, they claim that they will eat the cost and not pass it on to the merchant. Aside from the fact that shipping only to the billing address will cause one to lose business, in actual experience, I have observed multiple instances of credit card companies claiming the signature was forged for one reason or another. The merchant has no recourse. There is no appeal process. The only recourse is to discontinue accepting transactions from a card vendor, or to accept fraud expenses as part of the cost of doing business, and adjust consumer prices accordingly.
And to think the article attempts to paint some shade of altruism on these crooks by saying they make a "donation" to charitable causes to verify the card is useable. These crooks are costing these organizations money for the returned charge fees.