Slashdot Mirror


A 24-Year-Old Scammed Apple 42 Times In 16 Different States

redletterdave (2493036) writes "Sharron Laverne Parrish Jr., 24, allegedly scammed Apple not once, but 42 times, cheating the company out of more than $300,000 — and his scam was breathtakingly simple. According to a Secret Service criminal complaint, Parrish allegedly visited Apple Stores and tried to buy products with four different debit cards, which were all closed by his respective financial institutions. When his debit card was inevitably declined by the Apple Store, he would protest and offer to call his bank — except, he wasn't really calling his bank. So he would allegedly offer the Apple Store employees a fake authorization code with a certain number of digits, which is normally provided by credit card issuers to create a record of the credit or debit override. But that's the problem with this system: as long as the number of digits is correct, the override code itself doesn't matter."

35 of 419 comments

  1. Wow ... by gstoddart · Score: 3, Interesting

    But that's the problem with this system: as long as the number of digits is correct, the override code itself doesn't matter.

    Who the hell came up with that idea?

    That's no security in any meaningful sense of the word.

    I'm betting some lobbyist made it so that the banks didn't really need to do anything concrete, just look like they were.

    If that's all that's required, the banks deserve to be getting ripped off.

    --
    Lost at C:>. Found at C.
    1. Re:Wow ... by Anonymous Coward · Score: 5, Interesting

      Except they're not; Apple was. TFA states that since they accepted it even after it was denied, Apple's on the hook for it.

    2. Re:Wow ... by netsavior · Score: 4, Interesting

      The truth is that credit card interest is the highest profit gig in the whole world. Because of this, Visa/Mastercard and all the myriad banks that work with them have a vested interest in making credit/debit card purchases VERY EASY.
      Visa wakes up, takes a dump, then wipes its ass with $300,000 dollars. It is nothing compared to the billions they make in clearing fees alone.
      Vendors are not even allowed to do things like require an ID (I know they do, but it is against the vendor agreement), even though it would make purchases a lot more secure, because EASY trumps everything, EASY makes billions. Secure override codes... Who cares?

    3. Re:Wow ... by Sockatume · Score: 5, Informative

      The way it's supposed to work is that the store calls the issuer and requests an override code, and then keys it in themselves. The bank can then tally the auth code against the store's call at the end of the day and process the charge. I have never seen a situation where the customer calls up the bank themselves.

      --
      No kidding!!! What do you say at this point?
    4. Re:Wow ... by hawkinspeter · Score: 4, Insightful

      As the bank didn't provide an override code and has no record of providing an override code, why should they accept liability?

      --
      You're a temporary arrangement of matter sliding towards oblivion in a cold, uncaring universe
    5. Re:Wow ... by the_skywise · Score: 5, Informative

      It's not a unique security code - it's a TRACKING NUMBER. This whole part of the process is designed specifically to work around an issue where the computer records might be incorrect or the computer system is in error and an actual human has to issue an authorization code.

      The actual fault in the system is that the Apple Employees let Sharron make the call and GIVE them the number. Instead THEY should've called Chase directly and gotten the code.

    6. Re:Wow ... by Sockatume · Score: 5, Informative

      It's not a security code, it's a reference number. The transaction isn't formally authorised by the bank until the end of the day when they receive that reference number and tally it with the corresponding phone call from the retailer. *Then* the transaction is authorised. (Assuming said phone call included verbal authorisation of the transaction.)

      That the Apple Store didn't know this is how the system works means it was completely open to abuse.

      --
      No kidding!!! What do you say at this point?
    7. Re:Wow ... by PlusFiveTroll · Score: 5, Insightful

      If you printed your own card and put a number for an issuer that you controlled, I don't see what the difference is.

    8. Re:Wow ... by naughtynaughty · Score: 5, Informative

      Visa/MC and the banks have security measures in place, merchants who follow the process aren't liable for loss from fraudulent cards. Asking for ID provides no additional protection to merchants and to the extent they rely on it instead of established Visa/MC processes it can lessen security. But you are correct that making customers spend an extra 30 secs digging out their ID and having some clerk eyeball it and hand it back is not easy and in fact that 30 secs times all the legitimate transactions is more costly than the RARE case of credit card fraud that could be prevented by asking for ID (which is easily circumvented). The problem here is not the authorization code but that Apple didn't follow the proper procedure of contacting the bank for an override code themselves. There is no need for a secure override code.

    9. Re:Wow ... by Anonymous Coward · Score: 5, Informative

      No, no one ever contacted the bank. Apple's Point of Sale software was configured to accept any number based on length() of the number string. They held the number until the end of the day or some other convenient time, when they'd process it with the banks. That was stupid, and the scam is common. Retailers are starting to learn to call and verify immediately (before clearing the transaction), not to wait until the end of the day.

    10. Re:Wow ... by idontgno · Score: 4, Insightful

      I understand the long-running and much-honored Slashdot tradition of not reading TFA, but couldn't you at least have read The Fucking Summary?

      When his debit card was inevitably declined by the Apple Store, he would protest and offer to call his bank — except, he wasn't really calling his bank. So he would allegedly offer the Apple Store employees a fake authorization code with a certain number of digits....

      There was ample dumbshittery (and liability) to assign here, but it's all on the Apple Store drones. No bank involved.

      --
      Welcome to the Panopticon. Used to be a prison, now it's your home.
    11. Re:Wow ... by Solandri · Score: 4, Informative

      Visa/MC and the banks have security measures in place, merchants who follow the process aren't liable for loss from fraudulent cards. Asking for ID provides no additional protection to merchants and to the extent they rely on it instead of established Visa/MC processes it can lessen security.

      The info on the ID is the security measure Visa/MC have in place. They allow a merchant to enter info like address or phone number, and their computers will tell the merchant whether or not it matches the address/phone they have on file for that card. When you pay for gas with a credit card and the pump asks you to punch in your zip code, it's not collecting marketing information. It's using the zip code as a (rather flimsy) security measure to protect against someone buying gas with a lost/stolen credit card. Yeah, you can ask the customer to recite their address, but any burglar who stole the card from a house or mugger who got their victim's entire wallet would know the address. A photo ID with that info, while fairly easy to fake, requires a bit more effort on the part of the thief.

      Credit card security is in the dismal state it's currently in because Visa/MC/Amex have successfully transferred all the damage from fraudulent transactions onto the merchants. Since they lose practically no money to fraud, they have very little incentive to improve security. (The exorbitant interest rates are to cover the cost of credit card holders who default on their debt.) For market forces to work correctly, financial penalties for risks which fail must be linked to financial profits when those same risks succeed. What Visa et al have done is decouple the penalties from the profits (profits go to them, penalties to the merchant), leading to a situation where they are not penalized when the risks they take (poor security) fail. Consequently there is no motivation for them to improve credit card security beyond the laughable state it's currently in.

    12. Re:Wow ... by Anonymous Coward · Score: 3, Informative

      The store doesn't call the card issuer for approval. The store calls their merchant bank that provided them with card processing facilities. The merchant bank then calls the card issuer to seek approval for the transaction. The merchant bank does not source the phone number of the issuing bank from the card; they use a lookup table provided by Visa or Mastercard.

    13. Re:Wow ... by RavenLrD20k · Score: 4, Informative

      Hell, at the retail outlet I used to work at, the manager made a blanket policy that if the POS returned a request for an Auth code we just outright declined the transaction, handed the customer an Experian business card and asked if they had another form of payment. If the customer asked if he could call his bank to get an Auth code (Red Flag) we would say that our business system did not allow for manual authorizations (which was true: the system the manager put in place didn't allow for ManAuths, even if the POS did).

    14. Re:Wow ... by Serenissima · Score: 5, Informative

      I used to work at The Apple Store. And that's really the way it should work. However, from my time there, we had credit cards declined all of the time. The Apple Store is a huge place for fraudulent purchases and credit cards routinely auto-blocked access when purchases were for Apple and outside of typical purchases. We actually had the VP of BOEING's Business credit card declined. The standard procedure was to have the customer call the bank, validate that they were them, and that they indeed DID want to make the purchase. After about a minute, we could re-run the card and it'd work.

      Now, when the payment device asked for an Override code, it was the job of the EMPLOYEE to go to the back and call up the bank. We're provided special numbers to call and special codes we have to type in. It's a horribly clunky and long process which everyone hated to do, but that was it. So, this is completely the employee's fault - albeit it's really a training issue and the blame rests with Apple. I can totally see why an employee would

      #1) Not want to go through that process when they need to get to the next sale

      #2) Possibly be new and not completely understand the process

      #3) Be susceptible to some clever social engineering - ie: There are some cases where the customer must call the bank. I need an override code from the bank to process this. The customer is calling the bank, so that means I don't have to!

      So it's a big f-up, but I can totally understand how and why it happened.

      --
      Give a man a fire and he'll be warm for a day. But light a man on fire and he'll be warm for the rest of his life.
    15. Re:Wow ... by madhatter256 · Score: 4, Insightful

      Not really, I know people who write POS code for a company that competes with NCR. They have no ties to banks. It's all about talking to processors, like VISA, Mastercard, etc.

      I guess people are trying to pin this on the bank because banks are evil. #wallstreet #99% #ideserverwhatyouworkedfor #givemestuff

      --
      Previewing comments are for sissies!
    16. Re:Wow ... by ddtmm · Score: 3, Insightful

      Seems to me Apple should have been the one calling for authentication, not the customer. Definitely Apple's error.

    17. Re:Wow ... by Concerned+Onlooker · Score: 5, Funny

      "Visa wakes up, takes a dump, then wipes its ass with $300,000 dollars."

      This must be the reason that all those money laundering schemes exist.

      --
      http://www.rootstrikers.org/
    18. Re:Wow ... by idontgno · Score: 3, Insightful

      Other than mentioning that the store declined the debit card (which is by definition an interaction between the POS and the credit/debit clearinghouse).

      But since you've raised the issue, you've shown exactly where you missed the boat.

      The exploit is completely OUTSIDE of the POS<->bank interaction. (Cuz, "debit refused"). The exploit occurs in the "call a fake bank, offer up a fake reference number, have the Apple Store drones accept it as proof of a valid credit/debit transaction" phase AFTER the machine-to-machine part.

      Apparently, you've fallen for the same trick the Apple Store drones did: fixating on the machine-to-machine debit transaction (which failed as expected) and completely neglecting the social engineering that followed.

      --
      Welcome to the Panopticon. Used to be a prison, now it's your home.
    19. Re:Wow ... by vux984 · Score: 5, Insightful

      it is up to the cashier to hold the card, read the number and call it themselves

      It is up to the cashier to call THEIR OWN BANK.
      They are not supposed to call the number on the back of the customer's card -- for reasons that should be pretty bleeding obvious.

    20. Re:Wow ... by thinuspollard · Score: 5, Informative

      OK, the way it is supposed to work:

      1. The POS is offline, or the card cannot be "read" by the POS device.
      2. The MERCHANT is supposed to call the bank to obtain manual authorisation.
      3. The bank actually performs the transaction against the backend, reserves the funds and issues an auth code to the merchant. This auth code is a reference number. A pretty large financial switch supplier I used to work with would use the local time (HHMMSS) as an auth number. Nothing wrong with that; the transaction has already been authed online via the call centre.
      4. The merchant enters a manual transaction on the POS device, entering the auth number on the POS device to form part of the transaction.
      5. The POS does not send anything at this point in time to the bank. Remember, in obtaining the auth number, the transaction was already submitted and approved. The POS keeps this transaction in storage with the auth number.
      6. End of day, the POS submits all transactions to the bank. This is called Banking the POS or settlement.
      7. Since all online transactions have been performed, these settlement records act as a reconciliation. At this point the customer's bank account gets debited and the merchant only gets settled for the settlement transactions that were submitted to the bank, not for the online auths. If this settlement transaction does not match exactly with the original auth, the merchant does not get settled for this transaction. (It is slightly more complicated than this, since floor limits allow for the case where there was no original auth and the settlement tran is the only message seen, but for the amount of an Apple Store purchase, this would not come into play.)

      So the system is relatively secure, but the MERCHANT should have called the bank, not the customer; that is where it broke down. This system also allows for floor limits, where the merchant is willing to accept a certain level of risk and the POS device approves transactions for an amount less than a set limit. At the end of the day the POS device submits these transactions to the bank and if the cardholder does not have sufficient funds, the merchant loses out.

      All these protocols have been in place for many years and date from a time when communication between the POS and the bank was relatively expensive and slow. Dialling up for every transaction was not an option, so you would try to batch them together to achieve a lower cost per transaction.

      This is a very high level explanation of the issues involved here, but should convey the general ideas.

      Yes, the Apple Store managers and employees were idiots in this case.

  2. in fairness... by Anonymous Coward · Score: 5, Funny

    It might have been 300k retail sales but it only cost Apple 500 bucks.

  3. $7142.85 by NoImNotNineVolt · Score: 3, Informative

    That's over $7142.85 per "scam". How the fuck do you spend that much money at a fucking Apple store?!

    --
    Chuuch. Preach. Tabernacle.
    1. Re:$7142.85 by DJCouchyCouch · Score: 3, Funny

      A couple of iPhone cables, iTunes gift cards, iPod socks. Pretty soon it adds up.

    2. Re:$7142.85 by SydShamino · Score: 3, Insightful

      A few laptops gets there.

      The scam works better with a large purchase. Banks routinely deny transactions over some amount, forcing the retailer to call for an override code. Apparently the denial for "bad account" looks identical to the one for "valid account, but that amount is high so give us a call, okay?"

      If his card was denied for a $500 purchase, he'd need to convince the retailer that it was a bug in the system, not just a routine check for a large purchase.

      --
      It doesn't hurt to be nice.
  4. Re:Brilliant... by Sockatume · Score: 3, Insightful

    Presumably he was treating it as a source of income rather than a source of Apple hardware.

    --
    No kidding!!! What do you say at this point?
  5. Re:Brilliant... by ArcadeMan · Score: 5, Funny

    Because.... 42?

  6. This is an Apple/retailer fail by xxxJonBoyxxx · Score: 4, Interesting

    From TFA:
    >> merchants can be liable for charges if they override a credit or debit card denial in this fashion

    >> In (another) case...after defrauding Victoria’s Secret, Banana Republic, and several other retailers out of $557,690 in the same manner, which is known as a “forced sale” or “forced code.”

    I think the operational problem here is that store managers have the authority to override denials to boost their own sales numbers...while the risk for bad credit decisions may fall on the owners.

  7. 42 by Anonymous Coward · Score: 5, Funny

    So the ultimate question to life and everything is: "How many times was Apple ripped off by a single individual?"

  8. What a strange title. by Atzanteol · Score: 4, Interesting

    Does the fact that the guy was 24 have any bearing on the story whatsoever? Why not say "scam artist" or something more generic?

    --
    "Ignorance more frequently begets confidence than does knowledge"

    - Charles Darwin
  9. Re:And now.. by Zero__Kelvin · Score: 3, Funny

    Don't forget the free sex!

    --
    Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
  10. Exploited procedural loophole by John3 · Score: 5, Informative

    Based on TFA this scam has been done before to other retailers. When a merchant receives a "decline" they can optionally call the bankcard processor to obtain a verbal authorization code. The merchant can then "force" the sale to go through using the authorization code they received over the phone. The two huge procedural holes that Apple (and the other retailers) left open are:

    1: The clerk is the one that should be calling for an approval code, and the call is made not to the cardholder's bank but rather to the bank that processes the cards for the retail store. It doesn't matter what the customer's bank says (or in this case the fake bank) since the approval/authorization code must come from the retailer's bankcard processor.

    2: At my store a manager override is required to "force" a bankcard approval. So even if the clerk makes the call and gets a voice approval code a manager/owner must also provide a password to allow the approval to go through. Apparently Apple has no such security check in place and clerks can type a manual code into the POS system to force the sale to go through.

    Amazingly simple scam, but also amazingly simple to prevent if the stores involved had even rudimentary procedures in place.

    --
    "We make our world significant by the courage of our questions and by the depth of our answers." Carl Sagan
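As an added example (not code from the thread, from Apple, or from any POS vendor), the following Python model walks through the flow thinuspollard lays out above (the merchant phones the acquirer, the acquirer reserves funds and hands back a reference number, the POS batches the record, and settlement reconciles it against the auths on file) and the two checks John3 describes (the clerk, not the customer, makes the call, and a manager override gates the forced sale). It puts the length-only check the thread attributes to Apple's POS beside the correct flow. The six-digit code length, the card balances, the manager PIN and the HHMMSS-style reference counter are constructed assumptions; the thread only says a former switch supplier used local time and that the code had "a certain number of digits".

```python
"""Toy model of manual ("forced sale") authorisation and end-of-day settlement.
Constructed example: bank balances, card numbers, amounts, codes and the PIN are invented."""
from dataclasses import dataclass, field
from itertools import count

AUTH_CODE_LEN = 6  # assumed length of a voice auth code; the thread only says "a certain number of digits"


@dataclass
class Acquirer:
    """The merchant's card processor: the only party that may hand an auth code to the clerk."""
    issuer_balances: dict                         # card_last4 -> available funds in cents (stands in for the issuer)
    issued: dict = field(default_factory=dict)    # auth_code -> (card_last4, amount_cents)
    _clock: count = field(default_factory=lambda: count(101500))  # HHMMSS-style reference counter (constructed)

    def manual_auth(self, card_last4, amount_cents):
        """Clerk phones the acquirer; acquirer checks the issuer, reserves funds, returns a reference number."""
        available = self.issuer_balances.get(card_last4, 0)
        if available < amount_cents:
            return None                           # issuer declines: no code is ever issued
        self.issuer_balances[card_last4] = available - amount_cents
        code = f"{next(self._clock):06d}"         # a reference number, not a secret
        self.issued[code] = (card_last4, amount_cents)
        return code

    def settle(self, batch):
        """End of day: the merchant is paid only for records that match an auth on file exactly."""
        paid, rejected = 0, []
        for rec in batch:
            if self.issued.get(rec["auth_code"]) == (rec["card_last4"], rec["amount_cents"]):
                paid += rec["amount_cents"]
            else:
                rejected.append(rec)              # no matching auth: the merchant eats the loss
        return paid, rejected


def looks_like_auth_code(code):
    """The only check the thread says the weak POS performed: the digit count."""
    return code.isdigit() and len(code) == AUTH_CODE_LEN


class POS:
    def __init__(self, acquirer, manager_pin="constructed-pin"):
        self.acquirer = acquirer
        self.manager_pin = manager_pin
        self.batch = []                           # forced sales held until settlement

    def _record(self, card_last4, amount_cents, auth_code):
        self.batch.append({"card_last4": card_last4, "amount_cents": amount_cents, "auth_code": auth_code})

    def force_sale_weak(self, card_last4, amount_cents, code_from_customer):
        """Weak flow: the clerk keys in whatever code the customer's own phone call produced."""
        if not looks_like_auth_code(code_from_customer):
            return False
        self._record(card_last4, amount_cents, code_from_customer)
        return True

    def force_sale(self, card_last4, amount_cents, manager_pin):
        """Correct flow: a manager approves, and the POS itself obtains the code from the acquirer."""
        if manager_pin != self.manager_pin:
            return None
        code = self.acquirer.manual_auth(card_last4, amount_cents)
        if code is None:
            return None
        self._record(card_last4, amount_cents, code)
        return code


def run_day():
    """Two forced sales of $7,142.85, then settlement. Returns (cents paid, records rejected, legit code)."""
    acq = Acquirer(issuer_balances={"1234": 0, "5678": 1_000_000})  # "1234" is the closed card
    pos = POS(acq)
    pos.force_sale_weak("1234", 714285, "123456")             # customer "calls the bank", dictates six digits
    code = pos.force_sale("5678", 714285, "constructed-pin")  # manager override plus a call to the acquirer
    paid, rejected = acq.settle(pos.batch)
    return paid, len(rejected), code


if __name__ == "__main__":
    paid, n_rejected, code = run_day()
    print(f"settled ${paid / 100:.2f}, rejected {n_rejected} record(s), legit code {code}")
```

Running run_day() shows the dictated code passing the weak POS and landing in the batch, only to be rejected at settlement because the acquirer has no matching auth on file, so the merchant is paid nothing for it; the sale that went through the manager override and the acquirer's own reference number settles in full. The length check alone is no check at all, because the number space is small and the POS never asked the one party that could vouch for the code.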
    1. Re:Exploited procedural loophole by John3 · Score: 3, Informative

      A simple work around is to alter the phone number on the card to a number you control.

      Then the retailer could call the number receive the code from your accomplice and provide a valid false code.

      The retailer doesn't call the number on the card, the retailer calls the merchant service center. For example, customer has a Chase Mastercard and when Apple tries to post a transaction the card receives a decline. Apple would never call Chase, but instead calls their provider (which at my store is First Data Merchant Services). Apple's provider in turn electronically contacts Chase and then provides an approval code back to the clerk. The customer (or scammer) never has an opportunity to change the phone number unless they physically get behind the checkout counter and overwrite the numbers that are posted for the retail clerks to use. So it doesn't matter what phone number is on the card, that number is for the customer's use and not for the merchant's use.

      --
      "We make our world significant by the courage of our questions and by the depth of our answers." Carl Sagan
  11. Sharron Laverne? by fuzznutz · Score: 4, Funny

    Should I assume his parents REALLY wanted a girl?

  12. Re:And now.. by Jason+Levine · Score: 5, Funny

    Don't worry. He's called the parole board and says that they said he should be released as per override code number 12345.

    --
    My sci-fi novel, Ghost Thief, is now available from Amazon.com.