Credit Card Fraud Page

International Net-Based Credit Card/Check Card Fraud with Small Charges

Last revised: 23 Nov 2007. History has latest changes. Recently revised sections have mm/dd/yyyy beside the name. The last real revisions were done in 2000, the current document is disorganized.

Preface 1/13/2007
And it goes on and on ... 9/14/2002
Introduction 9/8/2000
The Verdict 9/23/2000
Details
Outline 10/27/1999
The International Angle
Where the Money Goes
Banks, Processors and Credit Card/Check Card Companies 10/27/1999
Charter Pacific Bank and Friends 10/27/1999
The Operators
N-Bill, Webtel, Netfill, MJD Services, et al 4/7/1999
KT 5/4/1999
E-Commerce: Connection and Implications
Anonymity
Selling Information
Networked Transactions
Conclusion 3/10/1999
What to Do?
Victims 10/1/1999
Credit Card Companies, Banks and Merchants 10/27/1999
Law Enforcement
E-Commerce Competitors
Journalists (talking points) 10/20/1999
Spammers and Merchant Accounts
Bank Hall of Fame and Shame 5/4/1999
Journalist: Requests for Interviews 9/8/2000
Notes 6/16/1999
Links
Another Personal Experience 12/29/2004
Check Fraud and Identity Theft
Litigation and Regulatory 10/1/1999
Publications 9/13/1999
Sibling Sites 9/12/2002
Micropayment Alternatives 3/10/2001
Others 3/10/2001
History
Disclaimer and Credits

Preface

This site was actively maintained in late 1998 and early 1999, but it has not been updated since. Some of the sites I link to have disappeared or, worse, been acquired by crooks. Some of my descriptions on how credit card transactions work and are verified were wrong even in 1999, and the industry has changed since then. Despite those caveats, I do receive periodic notes of appreciation so the site apparently has some ongoing value. I'll keep it around for now, but I can't take the time to fit it up. It's an archival site.
Let me know of links that now point to crooks and I'll try to remove them, but otherwise it is what it is.

These scams continue, at least through 2007. The exact same frauds, but with larger amounts of money. Some of the same names associated with the 1998 NetFill scandal were involved in a 2002 scam documented by a now defunct web site (domain since acquired by scammers).

Eventually the public will figure out that only Visa/MasterCard can fix the problem -- but that will take a while. We may have to wait for campaign finance reform before we'll see any serious governmental action. The basic problem underlying this particular scam was that it was cheaper for banks to deal with angry customers, or suffer losses from fraud, than to pay the costs of robust authentication. That hasn't changed, Bruce Schneier routinely documents variations of this problem. On the other hand the banks have improved some aspects of their operations, and crooks have found even more profitable scams -- such as using botnets and spam to manipulate penny stock prices. The public, I think, will gradually grow to tolerate small frauds -- certainly there's been no significant pressure on politicians. We muddle through rather than reform, which is the way of things.

BTW, I often hear from vendors telling me how they also are victimized by failure of Visa/MasterCard and their franchisees to fix their security problem. Although this site is oriented to customer-victims, the problem is no less severe (or even greater) for vendor-victims. The main thing I can tell them is to support use of American Express.

If you'd like to know what's been happening since 2002, I'd recommend browsing CryptoGram, the leading security site on the net.

And it goes on and on ...

This web page is largely archival, but after at least four years of the banks (with the possible exception of AMEX) failing to implement well-known solutions I think it's interesting to add occasional links to ongoing scams.
Massive credit card heist suspected, 9/13/2002
Slashdot 60,000 Credit Cards Numbers Stolen Online
Brute force card thieves attack 4/23/2002
Another Personal Experience 12/29/2004

Introduction

Over forty million dollars. Somewhere around 900,000 victims across 22 countries. The biggest credit card fraud ever. Fraudulent credit card transactions generated using adult web site merchant accounts.

A fascinating story, but not as new as one would think. Since this web site was first created in December of 1998, when I learned I'd had 6 months worth of fraudulent transactions on a business Visa card, I've learned that this type of fraud has been going on for years. Criminal merchant account holders collude with shady banks and transaction processors -- it's an old story that predates the Internet.

What's new is the ability to run this scam across the entire world, and to attack hundreds of thousands of victims in a very short period of time. The Internet has given an old scam new legs. It has exposed the smoldering weaknesses in our credit card processing system.

This site is dedicated to chronicling this fraud, and to focusing attention on important weaknesses in our banking, credit card, and e-commerce systems. Although I focus on the particular scam I was victimized by, the information here will be of interest to anyone who has been victimized by similar frauds or who wants to see e-commerce succeed.

J K Publications (alias Webtel, Netfill, etc) ran a sizeable fraud, somewhere in the range of 40-50 million dollars, distributed across about 900,000 credit cards in small recurrent charges ($20 US). JK Publications' front companies generated about a third of all customer complaints at one major credit card company in late 1998. Their merchant accounts had a 'chargeback' rate 100 times the national average; each time a merchant account was closed by the credit card companies, they opened a new one.
In late 1998 they alone accounted for 4% of all Visa chargebacks.

The JK Publications fraud operated under a number of business names. Court filings by the US Federal Trade Commission refer to 3 principals. Prior to the filings, from Dec 4-20, 1998 I and many contributors working together over the Net, identified front companies involved in this operation. We also identified an individual, Ken Taves, (KT) who appeared to be active in all of the front companies, and a few others besides. Since that time KT has been named in a public indictment by the Federal Trade Commission (FTC). His career is described in more detail in two LA Times articles; this fraud has been well covered in the August 1999 issue of Scientific American.

J K Publications was aided in this fraud by the actions of Charter Pacific Bank (San Fernando Valley, California, see InterNic entry and more below). According to an LA Times story reporting on FTC investigations (Jeff Leeds, 9/11/99) CP Bank sold Ken Taves about 900,000 (90%) "of the credit card numbers that he allegedly used to run up $45.7 million in mostly bogus charges against consumers worldwide". [12] CP Bank also held J K Publications' various merchant accounts, and kept them operating even as complaints mounted.

Apparently the bank made millions processing credit card transactions for adult industries. In addition to numbers harvested from the adult entertainment business, they also sold numbers from the two-thirds of the bank's 250 merchant accounts belonging to other merchant accounts including mail-order firms and retailers.

In addition to persons who'd used their credit cards online (some who'd used them to buy adult materials, most who had not), victims included persons who'd never used their credit card anywhere!

Leeds' article also confirmed one of the main allegations of this page -- that banks and processors often accept transactions that lack key identifiers, such as expiration dates and card holder name.
The credit card number alone will suffice for small transactions.

A few sad lessons have been learned during this investigation. The banks who manage the credit cards have treated many of the victims fairly poorly. The processors who manage transactions do not have the technology for even trivial validation of transactions. There are some pretty crooked banks out there. Prosecution for this type of fraud is rare. Visa/MasterCharge, who have the ultimate authority, are not coordinating anti-fraud activities and are not providing the technology for a better transaction system. Existing credit card anti-fraud sanctions move extremely slowly, allowing a company to generate fraudulent transactions for at least a year.

Lastly, the companies allegedly involved in this fraud manage transactions for "adult" (pornographic web sites). I sympathize with employees who have been accused of using corporate credit cards to purchase pornography (several reports). I am willing to correspond with employers who have any further questions.

I can't answer all the email I receive directly, but I try to answer questions through additions to this page. I do read all the messages.

The Verdict

The Final Judgement

From the FTC web site as of September 7, 2000: http://www.ftc.gov/opa/2000/09/netfill.htm. There are links on that page to additional trial related material. NOTE: A stipulated final judgment and order is for settlement purposes only and does not constitute an admission by the defendant of a law violation. Consent judgments have the force of law when signed by the judge.

The defendants have not admitted guilt and will do no jail time. Also, much of the charges are unlikely to be recovered. If they are indeed guilty of fraud this cannot be considered a triumph of justice.

FTC Wins $37.5 Million Judgment from X-Rated Web Site Operators

Bank Sold Defendants Access to Active MasterCard, Visa Card Numbers; More Than 700,000 Consumers Illegally Billed

The Federal Trade Commission has won a $37.5 million verdict against a California-based adult Web site operation the FTC charged with operating an illegal billing scam. The agency alleged the defendants repeatedly placed charges on consumers' credit and debit cards for X-rated Internet visits they had not made and services they didn't order. Indeed thousands of those billed for visiting the Web sites did not own computers. At trial, the agency told the court that the defendants bought access to lists from a California bank that provided the account numbers for more than 3 million valid Visa and MasterCard credit cards. Rather than use the lists to confirm that potential customers had valid cards, the defendants debited the cards for Web site services the cardholders had never used.

In January 1999, the FTC filed the case against Malibu, California residents Kenneth and Teresa Taves, and Dennis Rappaport and their businesses J.K. Publications, Inc., MJD Service Corp., Herbal Care, Inc., and Discreet Bill, Inc. The complaint charged that the defendants were billing consumers without authorization for alleged visits to adult Web sites. Consumers saw the charges on their bills under the names "Netfill," "N-Bill," "MJD Service Corp," and "Webtel." Based on the preliminary evidence presented by the FTC, a U. S. District Court judge entered an order on January 6, 1999 that temporarily shut down the defendants' business and appointed a receiver, pending trial.

According to the FTC, the defendants had purchased access to a database of credit card numbers provided by Charter Pacific Bank of Agoura Hills, California. This database contained card numbers, dates and amounts of sales, for more than 3 million card holders who purchased goods or services from merchants with accounts at Charter Pacific.
The FTC argued that the defendants illegally used the account numbers to place charges on the accounts and that over 90 percent of their $49 million a year in "sales," were actually unauthorized charges. The court agreed, saying, "The Court finds that the FTC has proven by a preponderance of the evidence that 90.8 % of the total 'sales' amount the defendants caused to be deposited into their merchant accounts was unauthorized." The FTC showed that the defendants used at least five different merchant accounts and four fictitious business names to process over $40 million in credit and debit card transactions. The timing of each new merchant account application coincided with the impending threat of being placed on VISA USA's "active monitoring" list for excessive "chargebacks" -- amounts debited to cards but disputed by the consumers who were charged. By submitting the charges and debits for processing, the defendants represented to the merchant banks that they had obtained authorization from the cardholders for the charges and debits. But thousands of consumers who were charged said they did not incur the charges and, according to U. S. District Court Judge Audrey B. Collins, "A shocking 40% to 50% of the calls received by the defendants were from people who said they did not have a computer and had not given their card numbers to anyone." Judge Collins concluded "[T]he only reasonable inference the Court can draw from the corporate defendants' access to the Charter Pacific Positive Database and the time of the defendants' fraudulent billing practices is that the defendants stole and processed Visa and MasterCard numbers from the database." The court concluded that the defendants had processed bogus charges totaling more than $43 million. The $37.5 million damages verdict represents the illegal charges minus the amounts that consumers already received through chargebacks and credits. 
Two other defendants in this case, Gary Mittman and Adult Banc, Inc., settled FTC charges in June 1999. That settlement bars them from making false representations that customers have agreed to purchase goods; bars billing or receiving money or assisting others to do so without consumer authorization; requires that they obtain express verifiable authorization from consumers before billing them; requires that they maintain adequate staff to respond to consumer complaints or inquiries; and requires that they promptly credit the accounts of consumers who request refunds.

Consumers wishing to make claims can contact the Court-appointed receiver in the following manner: by email at rea@robbevans.com or by regular mail at Robb Evans & Associates, Receiver, PO Box 880, Sun Valley, CA 91353 and submit the following information (1) consumer's name (2) the credit card number that was wrongfully billed, (3) the amount of the wrongful bill(s), and (4) a currently-valid credit card number through which the consumer can receive a refund. Consumers without computers can contact the receiver by calling (818) 768-8869. Consumers will hear a recorded message which will instruct them to contact the receiver at the P.O. Box listed above. The Receiver expects a great volume of calls in the first weeks after the judgement, and urges callers who are met with a busy signal to be patient and to try calling again at a different time.

The FTC has identified in excess of $20 million in defendant's assets. It is not clear that the total of $37.5 million ordered by the Judge will be available for consumer redress.

The Initial Action

From a Jan 12 FTC Press Release:

The agency named Kenneth H. Taves, a/k/a Kenneth Till, Teresa Callei Taves, Gary [Neal] Mittman, all of California, and their companies, J. K. Publications, Inc., MJD Service Corp., and Net Options, Inc., in its complaint.
The complaint alleges that the defendants also use the business names Netfill, NBill, Webtel, and Online Billing ... Consumers, many of whom were billed repeatedly over successive months, appealed to credit card companies for help, but were told by them that they could not block future charges to the cards. Many consumers canceled their credit card accounts to avoid the charges, the FTC alleged. The FTC has asked the court to permanently bar the illegal billing practices and award redress to consumers. Consumers who believe they have been deceptively billed by the defendants can call an FTC Hotline at 202-326-3144 for more information.

Details

Outline

This is an outline of the general fraud. I'll discuss some interesting variations below. You may wish to refer to the following image as you review the text. [3]

Some of this material is speculative; quotes are from authoritative sources. (Thanks to security experts (GM, NJ, WFE, RLB, DB), and my hacker colleagues (WH, SD), for background information.) This sketch has been updated as of Oct 1999 to include the role of Charter Pacific Bank.

This is a complex operation. The current consensus is that the operations we know of (N-Bill, Webtel, MJD Services, XBC.COM) are all operations of J K Publications/Netfill.

Netfill's original business was handling transactions for web sites selling "adult content" (usually pornography). Netfill began to acquire a "bad reputation" in the pornography world, possibly for reusing the credit card numbers they were handling. They went through several aliases, and then, we suspect, began running transactions against credit card numbers that they'd obtained (see CP Bank).

During this time Netfill appears to have gone through various Merchant Accounts, perhaps as Banks and Processing centers began to block transactions.

Below is a step-by-step description of how this type of fraud might operate. If it is properly done (see #2), it is hard to see how they can ever get caught.
The thief needs credit card numbers. They do not need anything else. Credit card processing companies do not mandate the use of additional validation information: "... the system was designed for 'card present' transactions and has no real way to tell whether [an expiration date] is correct or not ...". There is an early system in place to do some validation based on zip codes and addresses (AVS), but "it only works with US cards and is not totally reliable yet". Some banks do check expiration dates, but many don't. (See [5] for Netfill's alleged misuse of AVS.) Charges can also be issued against cancelled cards, or non-existent accounts, if the computer of the card issuing bank is not available during the transaction.

There are several ways the thieves could have obtained the numbers, but in fact they purchased most of them (legally?!) from Charter Pacific Bank.

In addition the geographic distribution of victims, and the reports of fraud on cards that have never been used anywhere, suggest that at least some of the time either Taves, CP Bank, or other operators used software to generate "well formed" credit card numbers. [13]

It's likely that they have also stolen a set of credit card numbers, possibly with validating information. (There is a way that they might have been unwittingly using generated credit card numbers. [2]) Credit card numbers can also be stolen from a vendor site or a processor site. It is not that hard for a hacker to steal numbers from many e-commerce sites. Matt Beer has written a December 13, 1998 San Francisco Examiner article on the 9/10 success rate of IBM's "ethical hacker" team [1].

Netfill and its aliases (N-Bill, Webtel, etc) have Merchant Accounts. The thief could be generating credit card transactions directly through Netfill. It would be much safer, however, for the thief to funnel the transactions through a pornography vendor, (such as XXXPERTS.COM) which could be a willing or unwilling collaborator.
This would give Netfill deniability -- they could say (plausibly) that they were only processing "someone else's" transactions. Of course, they would be making money on the transactions that weren't caught. If the thief was working with both Netfill and the pornography web site, then the money would come to the thief through both sources.

The Merchant Account holder sends the transaction on to a "Processor". The Processor applies the checksum algorithm; the credit card number will pass this test. The Processor then attempts to check the number against the bank that issued the card. Sometimes they will be unable to complete this test; in that case the number is passed by default. If they can complete the test, a non-existent number will fail. A valid number will pass, and a recurring charge can then be set up. The role of the banks in authorizing transactions is yet another serious weakness in Visa/MC security. Some banks have excellent IT resources and anti-fraud measures, others are completely overwhelmed by e-commerce. I wonder if this might relate to the apparent high attack rate in Japan. (See American Express.)

At this point a recurring charge will go through every month. Charges are small, usually USD $19.95, and are thereby less likely to get attention.

If victim notices, victim can do a 'charge-back' through credit card company. However many banks only go back 60 days, so you may be out some money. Since the total for 2 months is < $50, the credit card company is not obligated to refund everything.

If the victim doesn't notice, then the scam works.

Eventually the Merchant Account will be closed, and a new one will have to be created under another name. (See spammers and merchant accounts.)
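
The Processor-side checks in the outline above, as an added example that is not part of the original page and is not any processor's real code: it contrasts the pass-by-default decision the outline describes with a fail-closed one. The reply fields, function names, decline reasons and sample values are assumptions made for illustration; the card number is the widely published test number, not a real account.

```python
"""Added illustration: the processor decision in the outline, as described and fail-closed.
Names, reply fields and sample values are constructed; nothing here is a real processor API."""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class IssuerStatus(Enum):
    ACCOUNT_OK = "account_ok"
    NO_SUCH_ACCOUNT = "no_such_account"
    UNAVAILABLE = "unavailable"      # issuing bank's computer could not be reached


@dataclass(frozen=True)
class IssuerReply:
    status: IssuerStatus
    expiry_matches: Optional[bool] = None   # None: the issuer did not check it
    avs_matches: Optional[bool] = None      # None: AVS not available for this card


@dataclass(frozen=True)
class Txn:
    pan: str                          # card number as submitted by the merchant
    amount_cents: int
    expiry: Optional[str] = None      # "MM/YY"; may be absent from the submission


def luhn_ok(pan: str) -> bool:
    """Checksum test: catches typing errors, proves nothing about the account."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def authorize_as_described(txn: Txn, reply: IssuerReply) -> str:
    """Behaviour the outline describes: number only, unreachable issuer passes."""
    if not luhn_ok(txn.pan):
        return "decline:checksum"
    if reply.status is IssuerStatus.NO_SUCH_ACCOUNT:
        return "decline:no_such_account"
    return "approve"                  # includes UNAVAILABLE: passed by default


def authorize_fail_closed(txn: Txn, reply: IssuerReply) -> str:
    """Assumed hardened policy: every unknown is a decline, never an approval."""
    if not luhn_ok(txn.pan):
        return "decline:checksum"
    if txn.expiry is None:
        return "decline:missing_expiry"
    if reply.status is IssuerStatus.UNAVAILABLE:
        return "decline:issuer_unavailable"
    if reply.status is IssuerStatus.NO_SUCH_ACCOUNT:
        return "decline:no_such_account"
    if reply.expiry_matches is not True:
        return "decline:expiry_unverified"
    if reply.avs_matches is False:    # None is tolerated: AVS is not universal
        return "decline:avs_mismatch"
    return "approve"


TEST_PAN = "4111111111111111"         # published test number, not a real account

# Constructed cases: (label, transaction, issuer reply)
CASES = [
    ("number only, issuer down, 19.95 charge",
     Txn(TEST_PAN, 1995), IssuerReply(IssuerStatus.UNAVAILABLE)),
    ("number only, account exists",
     Txn(TEST_PAN, 1995), IssuerReply(IssuerStatus.ACCOUNT_OK)),
    ("expiry supplied but wrong",
     Txn(TEST_PAN, 1995, expiry="01/00"),
     IssuerReply(IssuerStatus.ACCOUNT_OK, expiry_matches=False)),
    ("expiry verified, AVS not available",
     Txn(TEST_PAN, 1995, expiry="12/01"),
     IssuerReply(IssuerStatus.ACCOUNT_OK, expiry_matches=True)),
    ("well-formed number, no such account",
     Txn(TEST_PAN, 1995, expiry="12/01"), IssuerReply(IssuerStatus.NO_SUCH_ACCOUNT)),
]


def compare(cases=CASES):
    """Return (label, decision as described, fail-closed decision) for each case."""
    return [(label, authorize_as_described(t, r), authorize_fail_closed(t, r))
            for label, t, r in cases]


if __name__ == "__main__":
    for label, old, new in compare():
        print(f"{label:40} {old:26} {new}")
```

Only the fourth case is approved by both policies; the first three are the ones the pass-by-default path lets through.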

The International Angle

I've received victim reports from 22 countries: Canada, France, Eire (Ireland), England, Scotland, Australia, New Zealand, Norway, Germany, Mexico, Brazil, Portugal, Belgium, Japan, Sweden, Finland, Switzerland, Austria, South Korea, El Salvador, South Korea, and across the USA.

The situation in Japan was particularly severe. There are Japanese sites similar to this one. Visa International's fraud office received hundreds of notices from Japan's largest bank. Japanese victims may have been particularly embarrassed by the connection to pornography sites; many more may be remaining silent.

TT reports some German banks (eg HYPO) have very rigorous security for CC transactions. I've heard from relatively few German victims.

Where the Money Goes

Consider what happens when the fraud is undetected or detected.

If the fraud is undetected, money goes to the holder of the Merchant Account. If a Merchant Account were "factoring" (consolidating transactions, forbidden by Visa/MC) the transactions of a (possibly collaborating) pornography vendor, then the two would share the money. Money also goes to the Processor and the banks.

If the fraud is detected, then the banks may repay the credit card owner (the "victim"). However, note that the amounts are less than the <$50 amount banks are obligated to repay. Many banks, particularly in Europe, seem reluctant to pay up. The victim has lost time. The transaction processing center appears to still have made money, they do not appear to suffer for processing a fraudulent transaction. The Merchant Account holder is supposed to pay a fine and refund the money. As losses mount the Merchant Account is closed to reopen with a new name.

Banks, Processors and Credit Card/Check Card Companies

The thieves are guilty, but they're playing on a weak system. The Visa/MC transaction system was designed for traditional transactions of physical goods with a physical vendor and a physical card.
Mail order stretched that system, but e-commerce blows it wide open. (See also: e-commerce implications).

In the reports and comments I receive, the Processors point fingers at the Banks, the Banks point at Visa/MC international and their transaction handling regulations, and Visa claims there's no problem [8]. Jeff Leeds' articles suggest misbehavior or incompetence on the part of the banks holding J K Publications merchant accounts (see Credit Card Companies, Banks and Merchants). The FTC's investigation also exposed the role of a shady bank -- Charter Pacific.

I suspect everyone's a bit guilty, and that real problems arise when the weaknesses of each of the players reinforce one another.

The Processors don't have the technology to do any significant verification. The banks vary widely in their expertise. Some are very savvy, others have little IT ability and minimal fraud protection. Some banks are being very supportive of victims, others are basically accusing them of trying to cheat on their alleged pornographic purchases. The banks are slow to bring cases to the attention of the authorities, possibly because they're very worried about exposing their vulnerability.

The distributed nature of the Visa/MC system, with each bank managing its own "business", is a weakness. Visa International does not have access or control to Merchant Account information. Only the banks have that information. One wonders what a crooked bank could do with Merchant Accounts. (I wrote that last sentence before the CP Bank scandal broke). It is this clumsy system that has allowed the Netfill operations (N-Bill, Webtel, etc) to operate Merchant Accounts for so long, with so many "charge backs".

In the paraphrased words of one expert and industry insider, who must remain anonymous:

Your description of the process from the card end is mostly accurate with only some details not quite right.
In my opinion your user tips are spot on to 'the real world', however a financial organisation involved would most certainly not agree. The fact is that the real future of making money illegally is no longer bank robbery. The criminal organisations of this world naturally know this too... I don't want to sound ominous but at this stage I rather don't want to say any more than this.

Charter Pacific Bank and Friends

Taves et al (see Operators) were aided in this endeavor by the actions of Charter Pacific Bank (San Fernando Valley, California, see InterNic entry). According to an LA Times story reporting on FTC investigations (Jeff Leeds, 9/11/99) CP Bank sold Ken Taves about 900,000 (90%) "of the credit card numbers that he allegedly used to run up $45.7 million in mostly bogus charges against consumers worldwide". [12]

Apparently the bank made millions processing credit card transactions for adult industries. In addition to numbers harvested from the adult entertainment business, they also sold numbers from the two-thirds of the bank's 250 merchant accounts belonging to other merchant accounts including mail-order firms and retailers.

This bank has had a shady past, and it's not alone. In the words of an industry insider:

.. the focus should be on the banks or other card processing companies that willingly deal with the 'adult content' companies that are home to card fraud. ... [a 1990 investigation by a reputable bank found] a loosely connected ring of operators that, contrary to their documents submitted to open their accounts, were actually in porn & related businesses. This was sufficient reason for us to sever the accounts, but in the process of this investigation we discovered that their real business was processing fraudulent charges ... Even then their pattern was to open and close accounts frequently ... the law enforcement folks advised that even the business we were dealing with were really fronts for ... organized crime.
This Taves fellow is a carbon copy of several we uncovered. He probably gets a cut of the cash but most of it passes on to others offshore. As noted in one of your hyperlinks, the FTC has only been able to trace a small amount of the $45mm. In summary, it is the bank processor that makes this whole thing work --- they are like the air supply to a scuba diver. The card issuing bank is not the bad guy. Virtually every bank in the country has safeguards in place to prevent them from finding themselves in business with these types of operators. Charter Pacific Bank has knowingly chosen to get in bed with these folks ... the reason naturally is money. Your typical local merchant pays a discount in the area of 2%. I'll bet these guys are paying Charter 5 to 8%.

Charter Pacific's history is particularly interesting. Again, from the same source:

The LA Times article was factually incorrect when it states that the bank was under an order to tighten controls as a result of bad real estate loans. In fact it was under a FDIC cease and Desist Order owing entirely to its Bank Card operation ... Interestingly, it was lifted in March of this year without comment by the bank as to what it had done to satisfy the many requirements. This past week the bank's CEO issued a letter to shareholders regarding the LA Times article and TV coverage.... Interestingly, he did state that "other news stories may appear" as sort of a forewarning. I reviewed the bank's press releases and noticed that in August they were in the final stages of getting approval to move the Bank Card operation to a separate subsidiary. Undoubtedly they view this as a way to get better treatment from the regulators. For one, it will get the oversight away from the FDIC which only covers state chartered banks. Non-bank subsidiaries are covered by the Fed or OCC, I don't recall which.
Also this past week the bank issued a joint press release with a company called MerchantOnLine.com wherein they would be offering state of the art merchant services to online businesses. Since I know how careful banks are (or should be) in choosing partners, I decided to do a bit of digging. WOW! I wouldn't issue these guys a simple credit card, let alone process their cards or, heaven forbid, form a business alliance with them. It [MerchantOnLine.com] is an OTC bulletin board company that became "public" by means of a hocus pocus process involving a Colorado shell company early this year. Their reported sales are around $200k per quarter, they operate at a loss, and have a $400k deficit net worth. ... A typical pattern for these companies. After doing some searches, I found that an investment newsletter thebigbulls.com actually shares the same office and telephone number with MerchantOnLine.com. Other searches on the internet yielded numerous links back to MerchantOnLine.com for setting up internet merchant accounts. It appears that they are nothing more than a marketing operation that aggregates accounts to presumably be processed by Charter. Applications can be completed online. They delicately advise that they are specialists in handling 'off shore transactions', and that everything is "real time". In other words, "we'll connect you to the credit card processing systems and you can initiate any sort of charges you wish, and in the blink of an eye funds will be neatly deposited in foreign accounts."

When I first put this page up I thought that Taves et al were heavy users of credit card generator technology, or that they had stolen cards back when Taves worked processing other merchant accounts. It never occurred to me that a bank would sell Taves credit card numbers, or that US banks would operate so close to the edge.
(It would be interesting to know if this bank was related to IN DEED INVESTMENTS.)

Below are the InterNic records for Charter Pacific Bank's would be partners:

MerchantOnLine.com
1600 S Dixie Highway
Boca Eaton, FL 33432 US
Domain Name: MOLEMAIL.COM
800-316-1936 Fax- 561-482-5253

thebigbulls.com
World Wide Corporate Financial
15760 Ventura Blvd. Suite 1020
Encino, CA 91436 US

Charter Pacific Bank
30141 AGOURA ROAD
AGOURA HILLS, CA 91301 US

This case just keeps on going and going.

The Operators

Removed 10/2/2000 to reduce my legal exposure. A non-specific summary is pending.

The Mastermind

Removed 10/2/2000 to reduce my legal exposure. A non-specific summary is pending.

E-Commerce: Connection and Implications

Although there's an e-commerce connection to this fraud, we don't believe that card numbers were intercepted as they travelled over the Internet. That's hard to do. It is very possible that the perpetrators did steal a large number of credit card numbers, either by acting as a Merchant Account for other vendors or by breaking in to an e-commerce site. We also strongly suspect that they used credit card generation technology.

The true e-commerce connection is more subtle. It has three parts: anonymity, selling information, and networked transactions.

Anonymity

The current e-commerce environment allows credit card numbers to be used without identifiers. This has privacy advantages, but it also enabled this fraud. It would be a lot harder to generate credit card numbers if identifiers were required.

Selling Information

The alleged criminals (KT et al) used a "legitimate business", transactions in adult images (pornography), as a cover. This business deals in "pure" information (an intangible good with an extremely low cost for each additional customer). Vendors and purchasers of information goods do not need physical addresses. In addition, the vendor assumes very little risk with the transaction. If the buyer doesn't pay, the vendor's loss is almost unmeasurably small.
Compare this to selling computers online. Since the vendor assumes little risk in this form of e-commerce, they have a great incentive to minimize transaction costs and inconvenience. They will accept large "losses" in return for not inconveniencing paying customers. Similar incentives apply to Banks, Visa/MC, and to Processors.

This shift in risk assumption provides fertile ground for this type of fraud. The absence of a physical address and assets makes it much harder to locate and penalize the perpetrators. They can easily move their funds into sheltered overseas accounts.

Networked Transactions

Networked e-commerce allows criminals to test credit card numbers across the Merchant Account system in high volume. This makes credit card number generation technology far more powerful. They can also attack a very large number of victims in a widely distributed manner with small transactions, thereby delaying detection and reducing the incentive for prosecution.

Conclusion

The current Visa/MasterCard transaction system is flawed. Designed for a world of 'card present' transactions, it is unsuited to e-commerce. The need for reform is urgent, but Banks and Visa/MC may be slow to act. Consumers will have to push for change. Micro-commerce solutions are unlikely to emerge in the United States, given the political and economic clout of Visa/MC, but there is hope that they will emerge elsewhere. Japan may lead the way in e-commerce, just as Europe leads in net privacy.

What to Do?

These are pretty much generic recommendations for any fraud of this sort. Victims of the J K Publications fraud should go to Litigation and Regulatory (below). I've kept the full set of entries here for reference in other frauds.

Victims (Credit Card Holders)

- Consider switching to American Express, such as the American Express Blue Card. Amazon.com, for example, accepts AmEx. American Express centralizes its transaction verification and Merchant Account tracking, which makes it far more fraud resistant.
Also, since Visa/MC rule the market, AmEx is going to be a less worthwhile target. (I've no reports of Discover Card charges, but I don't know anything about their security procedures.) In one case report of an American Express fraud, the victim was reimbursed by AmEx immediately and without question. American Express also seems to have much more customer-friendly procedures for handling questionable transactions than Visa International. As of 2002 they've added the AMEX PrivatePayments service providing disposable credit card numbers (one-time use).
- See Litigation and Regulatory for the firm handling refund requests. They seem to have been appointed by the Federal agencies investigating the fraud.
- You may have to cancel your credit card and change banks. The FTC's Action against Taves et al should reduce the risk of new charges appearing against your original credit card. However, if new charges do appear, most banks are unable to block the transactions. In addition, if your new card is from the same bank as your original card, many banks will automatically carry the transactions over to your new card. Lastly, there is a risk that your credit card number has been widely circulated amongst other practitioners of credit card fraud. If you have a bank with very good service, and if they are able to block charges from known fraudulent Merchant accounts, it may not be necessary to cancel your card. I cancelled mine.
- Phone the FTC Hotline that has been set up to deal with this fraud: 202-326-3144 for updated information (messages only).
- Fill out the online form at http://www.ftc.gov/ftc/complaint.htm so you are eligible for reimbursement.
- This is fraud. Some, less worthy, banks (such as US Bank) may refuse to reimburse for charges that occurred more than 60 days prior to submitting a claim. If this occurs, state that the charges were fraudulent and should be handled by the fraud office.
- Let me know how your bank treats you, so I can update the Bank Hall of Fame and Shame record.
- You can also report particularly unhelpful banks (thanks, NL):

  Every [US] bank should have an examining authority. For nationally chartered banks that would be the National Bank Examiners. For state chartered FDIC insured, the examiners would be from both the state and the FDIC. I don't know much about current operations, but bank credit card operations are subject to examination and I suspect the examiners have never thought about this issue. To mail a complaint, ask your bank for a copy of their Community Reinvestment Act notice. It should include the name and address of the relevant agency. Also, try calling the state banking commission; they can be surprisingly helpful sometimes.

- Look for a bank that has a good service and anti-fraud record. See Bank Hall of Fame and Shame.
- Use as few credit cards as possible. Eliminate any debit or other cards that you don't really use. Minimize transactions so you can detect irregularities. Notify bank immediately so you don't miss any 60 day rule. (Note, however, that using checks is not an answer!)
- Request your credit reports from credit bureaus for all open and closed cards. This should be free. State that you've been a victim of fraud. Tell them you want a security alert added to your credit record. Typically (Experian) they'll put on a 90 day alert. To get a 7 year alert, they'll want a copy of a phone bill to connect a phone number to an address and resident. You may need to send a copy of a driver's license as well if the phone bill doesn't have your name on it. For seven years you will be phoned if anyone requests a credit card for your identity and/or a note will be added to credit reports stating that phone confirmation is required. This service should be free. If you change your phone numbers or address you have to contact the credit bureau and notify them.
When you get the report, look for new addresses and signs of new cards being issued. These are the credit bureau numbers you want as of 8/10/1999, usually you must call during "business hours".
  - Equifax: 800-525-6285, PO Box 105069 Atlanta, GA 30348. Voicemail only for report requests.
  - Experian: 888-397-3742. You have to wade through voice mail. In general, you want the last option for each menu. As of 8/10 the security alert addition to your file is requested by voice mail only.
  - Trans Union: 800-301-7195 (or? 800-680-7289). They'll put a temporary alert in place for 3 months, a 7 year alert requires a confirmatory letter.
- Link to this page and distribute it to anyone who you think might make a difference: banks, credit card companies, journalists, anyone.
- Report the fraud to www.fraud.org and other anti-fraud sites (see links).
- Complain to Visa/MasterCard international about the flimsy transaction validation practised by your bank. Visa: 800-847-2911.
- Send a complaint to the Consumer Affairs Division for the state where the fraud occurred. In this case, that is Nevada. consumer@govmail.state.nv.us

  Send the division a signed statement describing your complaint. Be sure to include a copy of the billing, your name & address as well as the business name & address. Send all of the above information to Consumer Affairs Division; 1850 E. Sahara Ave, #101, Las Vegas, NV 89104. Bill Tkach, Compliance/Audit Investigator III

Credit Card Companies, Banks and Merchants

- Visa and MasterCard must require, and their franchisees (the Banks) and Processors must support, the use of proper validation systems by merchant accounts. Possibilities include PIN numbers, the SET (secure electronic transaction) standard, the commonly used AVS and the minimalist expiration date. As of late 2002 disposable (one-time-use) credit card numbers are emerging as a strong solution. To be fair, we must note all of these have problems.
  - Expiration Date is very simple, but since it changes as often as once a year, it's a real pain for Merchant Account holders who do recurrent charges (such as Internet Service Providers).
  - AVS, which uses some card holder address information, is a validation system that does appear to work, but it's possible for a merchant bank to "cheat" it. (Of course such cheating is presumably illegal.) [5]
  - In Jan 1999, Macintouch reported extensive problems with credit card validation at the Apple Store, caused by problems with their new "SAP-based" system.
  - In the words of one expert:

    SET, a secure credit-card transaction system ... was intended to fill the gap you've identified. It's this hideous over-engineered monstrosity that has remained largely unimplemented due to its bulk.

  - One-time-use (disposable) credit card numbers have the advantage that it might be possible to make them work with the current infrastructure. The numbers don't have to be one-time-use, they could instead have limited lifespans. The main problem is these systems require significant end-user changes. Credit card holders get a persistent identifier that is not a credit card number, but that can be used with another identifier to generate a credit card number. One can imagine many variants on this idea, but the limited lifespan of the credit card number is key. These techniques overlap with the much-missed eCash efforts. See AMEX PrivatePayments.
- Higher standards for allowing companies/vendors to use a credit card.
- Far more rapid elimination of merchants processing fraudulent charges; currently Visa may take 3-5 months before shutting down a bad merchant account.
- Prevent 'name switching' by dropped merchants. See Spammers and Merchant Accounts.
- Better statements! Statements should have vendor address information. They should show the name associated with the vendor providing goods or services, not just the billing organization.
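A processor-side screening pass for the recommendation above that merchants processing fraudulent charges be eliminated far more rapidly. This is an added example, not code from this page or from any bank or card network; the 1% chargeback limit is the figure cited in note [5], while the other thresholds, the field names and the sample records are constructed assumptions.

```python
"""Screen merchant accounts for the warning signs discussed on this page."""
from collections import defaultdict
from dataclasses import dataclass

CHARGEBACK_LIMIT = 0.01   # the 1% chargeback limit cited in note [5]
MAX_NO_AVS_SHARE = 0.50   # assumption: over half of charges sent without AVS data
MAX_DESCRIPTORS = 2       # assumption: more billing names than this suggests name switching
SMALL_AMOUNT = 25.00      # assumption: cutoff for a "small" charge (the page cites $19.95)
MAX_SMALL_BLIND = 0.90    # assumption: share of charges that are small AND sent without AVS


@dataclass(frozen=True)
class Txn:
    merchant_id: str
    descriptor: str      # name shown on the cardholder's statement
    card_token: str      # opaque token; card numbers never appear here
    amount: float
    avs_sent: bool       # did the merchant submit address data for AVS?
    charged_back: bool


def screen_merchants(txns, min_volume=20):
    """Return {merchant_id: [flags]} for accounts with at least min_volume charges."""
    by_merchant = defaultdict(list)
    for t in txns:
        by_merchant[t.merchant_id].append(t)

    report = {}
    for merchant_id, rows in sorted(by_merchant.items()):
        n = len(rows)
        if n < min_volume:
            continue  # too few charges for the ratios to mean anything
        flags = []
        if sum(r.charged_back for r in rows) / n > CHARGEBACK_LIMIT:
            flags.append("chargebacks_over_limit")
        if sum(not r.avs_sent for r in rows) / n > MAX_NO_AVS_SHARE:
            flags.append("avs_not_sent")
        if len({r.descriptor for r in rows}) > MAX_DESCRIPTORS:
            flags.append("many_billing_names")
        blind_small = sum(r.amount <= SMALL_AMOUNT and not r.avs_sent for r in rows)
        if blind_small / n > MAX_SMALL_BLIND:
            flags.append("small_unverified_charges")
        report[merchant_id] = flags
    return report


def constructed_sample():
    """Constructed records: three merchants with 200 charges each, one with 5."""
    txns = []
    for i in range(200):
        # An ISP billing small recurring charges, but with AVS and no chargebacks.
        txns.append(Txn("M-ISP", "EXAMPLE ISP", f"tok-isp-{i}", 19.95, True, False))
        # A computer retailer: large charges, AVS sent, 1 chargeback in 200 (0.5%).
        txns.append(Txn("M-SHOP", "EXAMPLE COMPUTERS", f"tok-shop-{i}", 1499.00,
                        True, i == 0))
        # A biller rotating three names, sending no AVS data, 10% chargebacks.
        txns.append(Txn("M-BILLER", "BILLER-" + "ABC"[i % 3], f"tok-bill-{i}", 19.95,
                        False, i % 10 == 0))
    for i in range(5):
        txns.append(Txn("M-TINY", "EXAMPLE TINY", f"tok-tiny-{i}", 19.95, False, True))
    return txns


if __name__ == "__main__":
    for merchant, flags in screen_merchants(constructed_sample()).items():
        print(merchant, flags or "no flags")
```

The ISP in the sample bills the same small recurring amount as the flagged biller and raises no flag, because the signals are the missing AVS data, the chargeback ratio and the rotating billing names rather than the charge size alone.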
- Merchants can use better validation software with online fraud prevention, such as ClearCommerce's products. Visa/MC can require this of their net based Merchant Accounts. Merchants should also review Rahm's excellent article on AVS and other protective mechanisms.
- More rapid, centralized, blocking functions. Visa and MasterCard are a single monopolistic company. They should be able to provide consistent blocking procedures. It is unacceptable that Webtel/N-bill was able to carry out its fraud for several months.
- Visa and MasterCard need to reexamine the policies for fraud management that their franchisees (Banks) are supposed to use. They appear to be very unfriendly to customers. Until better fraud prevention systems are in place, the onus is on the Banks and Visa/MC to presume the customer is innocent.
- The banks who held J K Publications merchant account, Charter Pacific and Heartland Bank seem to have been extremely slow to terminate them, despite stated Visa/MC standards. We know some of the Charter Pacific Bank story. A Heartland Bank representative claims that they investigated the chargebacks and notified the FTC. Unlike Charter Pacific, there are no FDIC actions recorded against Heartland Bank. Heartland Bank may not have had any participation in the fraud; they may be victims of J K Publications themselves.

Law Enforcement

Federal Trade Commission (FTC)

The FTC is very interested in this type of crime. They will review reports from foreign victims when the operation is US based. Complete the online form at http://www.ftc.gov/ftc/complaint.htm so you are eligible for reimbursement. They usually act when they receive many complaints.

Secret Service

The US Secret Service has jurisdiction over credit card and access device crimes if the credit card is underwritten by a US bank. However, they consider the Bank to be the injured party, and not the card holder (who is theoretically reimbursed by the bank). They are also not set up to deal with many small losses.
In the words of one authoritative source:

Due to the size of most losses, the federal agencies (FBI and Secret Service) tasked with investigating credit card fraud are unable to do anything. Regardless of the crime, they generally don't have the manpower to go after anything less than $100,000. Local law enforcement agencies generally don't understand the problem and therefore are reluctant to get involved. Additionally, since the merchant generally is the loser, not the cardholder (the merchant takes the loss 99+ percent of the time) there is frequently a jurisdictional issue.

E-Commerce Competitors

Over the past three years many alternatives to credit cards for e-commerce transactions have been proposed or tested. None have succeeded. This experience underscores the need for a modern alternative to the antiquated and insecure credit card transaction system. Anyone proposing an alternative to credit cards, such as a micro-commerce network, should use this experience in marketing and planning. In the meantime, Banks and Visa/MC have many ways to improve transaction security and fraud management.

Journalists

I think this is a fascinating story, though it's usually misrepresented (in my opinion) as an "Internet" scandal. [11] I really believe this is primarily a finance and banking scandal, and a dramatic example of the fragility and unreliability of our current credit card transaction system.

Here are some "talking points" for use by journalists, or in writing a letter to a newspaper:

- The fraud consists of creating fraudulent recurring e-commerce transactions on Visa credit and debit cards around the world. There have been a large number of reports from the US, Japan and Europe. We believe the number of persons affected is in the tens to hundreds of thousands.
- Charges typically appear with the company names N-Bill, Webtel and MJD Services. These companies also handle accounts for pornographic web sites; this has resulted in embarrassment and employment problems for some victims.
- This fraud is affecting persons who've never used their credit card numbers on the Internet. We suspect it involves both the theft of credit card numbers and the use of software that generates "well formed" credit card numbers.
- Banks that handle MasterCard and Visa accounts often have almost no transaction validation for small transactions. Many times a credit card number alone, even a number for a closed account, is sufficient to create a recurring transaction of $19.95 or so.
- Banks want to get a piece of the emerging e-commerce marketplace, but the existing Visa/MasterCard system, as implemented by many banks, is not suitable for e-commerce. They prefer not to have this weakness widely known.
- Most customers have had Visa cards, there has been one report of an American Express charge.
- Many banks have treated their customers very poorly, and have been very slow to reimburse for the fraudulent charges. They have also been unable to block new transactions occurring. See Bank Hall of Fame and Shame.
- Banks put the burden of reviewing transactions on customers, but they don't provide enough information in typical credit card statements to make transaction review feasible.
- Information on the fraud has been gathered through the creation of web sites in Japan and the US, which in turn have received hundreds of reports from victims around the world. The simultaneous work of hundreds or thousands of victims, using the Internet for research, has allowed a remarkably detailed picture to emerge.

Spammers and Merchant Accounts

There's been a new note to my incoming spam recently. I'm lately seeing advertisements for the ability to create "merchant accounts" through which a vendor can bill Visa and MasterCharge. Spam scams often follow a pattern of the spammers first exploiting a scam, and then, once they've skimmed the finest opportunities, they promote the scheme to the "suckers" at large. Spammer promotion of merchant accounts lends another angle to the Webtel/N-Bill fraud.
Again, the onus is on the credit card companies to do some minimal regulation of who gets a merchant account. Sloppy regulation of merchant accounts is likely a key component of this scam.

Here's a sample spam, edited for brevity ...

INCREASE SALES UP TO 50%
ACCEPT CREDIT CARDS OVER THE INTERNET
***NO SETUP FEES
Good Credit / Bad Credit/ No Credit ***NO PROBLEM***
It Just Doesn't Matter - Everyone Gets Approved
We Specialize In Servicing The Following: *Multilevel Marketing *Mail Order/ Phone Sales *Home Based Business *INTERNET BASED BUSINESS *New Business* Small Business Whatever!! We Do It All!!!
A fast and reliable way to process credit cards through your web site
The Internet's reach is global - it knows no time zones or physical boundaries ...
... lets say a customer visits your web site and decides they want to buy your product(s) or service(s). They would simply enter their credit card information and receive an approval WITHIN 5 SECONDS ... From that point on, the sale is complete and the money will be directly deposited into your business checking account within 24 to 48 hours. So you will have LIQUID ASSETS AVAILABLE ALMOST IMMEDIATELY!!! ... you will be receiving orders and making money in your sleep!!!

Bank Hall of Fame and Shame

Some banks are treating customers well, others are refusing refunds, are unable to block continuing charges, accuse victims of being criminals, or generally provide shabby service. Here's a partial listing of the Famed and Shamed.

Fame (Good Banks) Mixed Shame (Bad Banks) American Express Barclay's UK Beneficial Bank Chevy Chase Bank of MD NationsBank Seafirst Bank Sumitomo Credit Wells Fargo Citibank MBNA US Bank [7] First USA (extra bad) Chase Mellon Bank NICOS (Nippon Shinpan) Charter Pacific Bank [9]

Journalist Requests

None any longer -- this is an old story now!

Notes

[1] I was misquoted in the article, however. I actually said, in reply to a question, that I didn't feel "shocked or invaded".
Somehow this turned into feeling "shocked and invaded", which sounds rather Oprah-ish and is quite unlike me. I'm surprised about the unsuitability of credit card transaction systems for e-commerce, but not about someone misusing my credit card.

[2] The FTC's filings suggest they suspected that a credit card generator was used in this case. Later data, however, implicated Charter Pacific Bank.

Many persons find it hard to believe that credit card number generators can work. Believe it. I've had verification from the most absolutely reliable sources, including Visa's central security office. Knowledgeable hackers assure me they've been in play since the 80s. (Probably one of the first personal computer commerce applications.) A popular game for teen hackers is to use a generated card number to sign up for a free month, then cancel the subscription before the month ends. In theory the charge holder is never aware of the transaction. Of course if the numbers that teen hackers use were in a batch that was stolen by the Netfill gang, then real transactions would start to appear on the victims' credit reports. This is a way that generated numbers might have been unwittingly used by the Netfill gang, when they thought they were using stolen numbers from persons who had signed up at some time for adult web sites.

[3] Kragen Sitaker, who knows something of these matters, writes "... this is one of the first documented instances of pseudo-spoofing being used to defeat reputation systems." In Kragen's words (quoted with permission):

Spoofing is where you pretend to be someone else who really exists. Pseudo-spoofing is where you pretend to be a multitude of people, none of whom really exist.
It's a technique to defeat reputation systems; each of your nyms [jf: assumed names] can vouch for the others, and no nym needs to do evil things more than once -- so even if doing something evil gets you immediately barred from access to the system, that will not deter you if creating new nyms has zero cost. Lawrence Detweiler invented the term in early 1993; he believed that most of the people on the cypherpunks list (including me) were actually the same person, whom he nicknamed "Medusa", and were manipulating the list by giving the appearance of consensus to points of view which, in reality, only "Medusa" held.

[4] If you call the phone number on the credit card slip, you get a voice mail line. It is quite difficult to access a human, but some have managed this. By exploring the line you learn that they are selling pornography. You should know, however, that when you call a toll-free number (800/888), the vendor gets your phone number (CNI system). Unlike caller ID, this cannot be blocked. They may also receive additional address information from the phone company monthly, or use a reverse look-up service to acquire address information. This information can then be resold, which may bring a new flavor to your junk mail and junk phone calls.

[5] This interesting report comes from a knowledgeable source:

The owners of Netfill, et al don't use AVS to do basic credit card fraud control on the cards they accept for adult websites. This is because they feel that they would not be able to get anyone to put their credit card "into the slot" because if the customer had to identify their address, the customer would fear junk mail of the adult-variety showing up in their home mailbox! While they have AVS "turned-on" at their bank, they don't actually send it. This fools the bank for a while - at least until the chargebacks come rolling in. AVS failure/decline results are sent back to the merchant with each transaction.
It's usually up to the merchant to take the risk as to whether the customer is legit. Since online transactions are always "faceless", ignoring AVS is extremely dangerous. Also, online credit card merchants must maintain a 1% chargeback limit. This is hard for any merchant to do, let alone one who purveys promiscuous material. This explains why victims are only seeing adult online merchants showing up on their statements.

[6] The undated (probably Sept/Oct 1998) fax from Online Billing was forwarded by our Japanese contact (Yakei). Though it was written by Americans to a foreign bank, it has several spelling errors and poor grammar. Two paragraphs are interesting. The first is a cute smear against the victims of this fraud. The second suggests they were trying to avoid chargebacks. Chargebacks will eventually shut down a merchant account, requiring a new alias.

Due to the nature of our adult sites, many people deny ever having joined the sites, most of which have a monthly subscription charge ... most have a three month minimum ...

In the spirit of good customer service, we are willing to credit the last month on their bill without going to chargeback ...

[7] US Bank is my own bank. They eventually did make up all the fraudulent charges, even the ones they initially said they wouldn't pay (more than 60 days old). This moved them from the Shame to Mixed category. On the other hand they were quite disorganized, and their fraud division and customer service departments didn't seem to be talking to one another. If you have to work with them, try to go directly through the Fraud Division (800-260-8469) and forget customer service.

[8] In the MSNBC story a Visa spokesperson was quoted as saying that the security concerns expressed on this page are quite incorrect. I certainly hope that's true!
On the other hand, even if Visa is unable to outline all the security precautions they allegedly take, I think they ought to be able to tell us how this scam was able to go on for so long, and what will prevent similar scams in the future.

[9] See Charter Pacific Bank story.

[10] From a purely personal perspective, this was rather dreadful. I'm looking down and to the left because I was told to look to my interviewer, and that's where she sat. Next time I'm reviewing the camera angles myself!

[11] Journalists share some common vices with physicians. We all tend to construct a "narrative" pretty quickly, and we don't like revising it. With patients we physicians tend to develop a diagnosis very quickly, and we may disregard contradictory evidence or ignore seemingly irrelevant data. Journalists do the same thing. Most of the time I'm interviewed it's very clear what I'm supposed to say. If I don't cooperate the journalist will often repeat a question in various forms, evidently hoping that sooner or later I'll give them the response they want.

[12] In the US it does not appear to be illegal to sell credit card numbers. Nothing surprises me any more.

[13] "Well formed" credit card numbers will pass the checksum and other tests used by processors. Software to generate these well formed numbers is available on hacker sites; the algorithms have been a part of several shareware packages for years (see http://www.creditnet.com/ccs/ccn-shareware.html for examples). I have some Credit Card Generators screen shots for review as well. [2]

[14] U.S. CRACKS DOWN ON NET PORN FRAUD (E-Commerce Times 24 Aug 2000, this summary was printed in Newsscan)

The Federal Trade Commission has filed a lawsuit against Crescent Publishing Group and 64 affiliated companies that operate adult Web sites, accusing them of charging customers for services advertised as "Free Tour Web Sites."
Like many adult sites, the Crescent sites requested that users supply credit card information to verify they were of legal age to view pornographic material. Customers who'd been promised a free online peep show say they were then billed for recurring monthly membership fees ranging from $20 to $90. Included among the complainants were some people who said they'd never visited the sites at all -- in fact, one woman who'd been charged a recurring fee for several months didn't even own a computer. To add to the confusion, the charges were made under different company names. Instead of finding a charge from Highsociety.com on their statements, consumers would find charges from "Online Forum," or "Hoot Owl," or "Knock Knee." The FTC has classified the scam as one of the largest it's ever seen on the Internet, generating $141 million in the first 10 months of 1999 alone.

[15] There appear to be 3 ways to keep a reasonably controversial web page accessible:
- Host it on a relatively stubborn ISP. (I intend to do that first)
- Host it yourself (the upstream ISP, however, may be vulnerable to pressure).
- Put it on Freenet and maintain a static pointer on a public page (that will be my next step)

Links

Another Personal Experience

- Faughnan's Notes: Credit Card Fraud: Take Two: In 12/2004 I'm hit with a different sort of fraud -- this time on my AMEX card. How well will AMEX handle it?

Check Fraud and Identity Theft

- Check Forgery: Lessons for the Consumer: Alas, checks are not the answer! Links to identity theft resource sites.

Litigation and Regulatory

- Robb Evans & Associates - JK Publications, Inc A regulatory/legal firm handling requests for refunds. Includes links to background material.

Publications

- More work by Jeff Leeds. After a great piece on money laundering and Taves' involvement, the Sept. 11, 1999 LA Times runs an article on how Charter Pacific Bank sold 900,000 credit card numbers to Taves et al!
- July 1999: Kevin Poulsen reviews Ken Taves' audacious career for ZD-TV's Cybercrime/Chaos Theory column - A Criminal Equation.
- July 1999: Paul Wallich has a piece in Cyberview in the August 1999 issue of Scientific American. This gets a mention in hackernews.com, but not slashdot (yet). Paul is a superb writer, he manages to make a complex story clear and interesting!
- May 8, 1999: ANN news in Japan shows a quite popular 1 hour documentary on this and other frauds. I get to be on Japanese TV!
- Jeff Leeds' articles in the LA Times: May 4 & May 5th 1999. Focus is on Ken Taves, but there's some coverage of broader bank and credit card issues. These links require payment to access. There was a third article in the series as well.
- Jan 15, 1999: MSNBC story on this web site, updates on FTC action and on perpetrators.
- Jan 13, 1999 MSNBC coverage of FTC action. Refers to this site but provides no names or URLs.
- Jan 12 FTC Press Release
- January 9, 1999 New Scientist Article: Filthy Business by Jeff Hecht.
- Dec 15, 1998 San Diego Union-Tribune Mac Track. (Free registration at SDUT Archives.)
- December 13, 1998 San Francisco Examiner by Matt Beer on hacking e-commerce sites

Sibling Sites

See also Litigation and Regulatory.

- A web site on an Israeli family that specializes in large volume micro-fraud (activity seems to have been @ 1999 to 2001)
- There is an extensive Japanese site reporting on Webtel/N-Bill and other credit card frauds - http://www.web110.com/sousa/index.shtml. Yossy reports: "I and other fact-finding committee members are very interested. Over 20 victims mail to our site about fraud from WEBTEL, MJD SERVICE, N-BILL every day." We've received many very valuable contributions from a contributor to that site ("Yakei").
- A very nice French translation of this page (Dec 1998 version) by Dimitri Mouffet: http://www.multimania.com/insert01/cc/ccWebtel.html
- Brief page put up by an Australian victim: http://www.dropbears.com/brough/bb/anz/anz801.htm
- Warning, this one is related to "adult web sites": http://www.janesguide.com/tips/PaySiteTable2.html#n maintains a page with much of the material we've discovered here. This link skips some of the slightly off-putting graphics. No new information, but ironically it is the "adult web sites" (porn vendors) who appear to be most concerned about Netfill/Webtel/N-Bill's fraud, not the banks.

Safer Cards/Disposable Numbers

- AMEX PrivatePayments

Micropayment Alternatives

PayPal Millicent in Japan Nielsen: Case for Micropayments Nielsen: User Interfaces for Micropayments ComputerWorld: Micropayments Micropayments Future Uncertain

Others

- Russian Mafia uses NT flaws to raid Internet banks (The Register, 09 Mar 2001) - a million credit card numbers stolen
- FBI security note March 2001
- Fasthosts Russian CC Scam (The Register, 11 Aug 2001)
- E-COMMERCE COMPANIES TACKLE ONLINE FRAUD (E-Commerce Times 26 Sep 2000)
- The Incomtel Variant (The Register, 2000): A Russian credit card fraud with small ruble charges.
- Money laundering (NYT Magazine, 10 Dec 2000): How money from this and bigger operations gets cleansed. Also some interesting notes on how one creates a bank that will support directly, or indirectly, illegal operations. "Starting a bank in Nauru is simple and comparatively cheap. If you click on www.anti-taxes.com, you can get one going for just $25,000. (This outfit handles registration and payments to the Nauru Agency Corporation.) Benefits are wide ranging, according to the Web site: you can "improve your image by owning your own bank" while hiding your money from "a vindictive ex-spouse." The pitch is clearly not aimed at the average investor. "Seize your assets before your creditors even think of it," the site recommends."
- Net credit card fraud pushes up crime figures Register, 1/19/2000. Nice to know we were pioneering victims.
- Bob Tedeschi on American Express Blue and other Anti-Fraud Measures, NYT Sept. 20, 1999
- Michelle M. Rahm. You, the Net, and Credit Card Fraud. InternetDay June 2, 1999. Excellent review from a merchant account perspective, why a legitimate merchant account should use AVS codes, rather than turning them off as J K Publications is alleged to have done. [5]
- And a very interesting review from a very technical source ... The author likes the AmEx fraud detectors. It's odd to read the objective analysis of this site's evolution.
- Wired (Craig Bicknell) article on trafficking in credit card numbers, widespread fraud, and generator software.
- American Express "Blue" Card: smart card security, automated web transactions.
- Credit Card Generators: Sample Screen Shots
- Anti-fraud web sites http://www.fraud.org http://www.public.org http://www.cardweb.com http://www.scambusters.org
- Macintouch tracks net spam and e-commerce fraud.
- Credit bureau address information reverse lookup: a tool for investigating domains

History

- January 14, 2007: Removed a link to a site which had been acquired by scammers
- September 12, 2002: Added link to [name removed] which now "carries the torch".
- September 23, 2000: Page moved to current location due to legal pressure. This also stimulated more updates and housekeeping, including the final verdict.
- Oct 29, 1999: Updated section on Heartland Bank. No evidence of their participation in any criminal activities.
- Oct 27, 1999: Extensive additions from a new source regarding CP Bank and some of its associated enterprises. The net expands ...
- Oct 20, 1999: More journalist requests, removed sentence indicating my interest in being interviewed!
- Oct 6, 1999: Charter Pacific Bank allegedly has a history ...
- Oct 1, 1999: Added section on Litigation and Regulatory. Place to request refunds.
- Sept 13, 1999: Charter Pacific provided the credit card numbers!!
Legally????!!!!
Sept 10, 1999: Minor formatting changes, updated journalist request. Added references to the American Express "Blue" Card, not sure yet if it would really prevent this type of fraud by a Merchant Account holder.
Aug 14, 1999: Updated security bureau numbers and information.
Aug 9, 1999: Added links to check fraud, more on credit bureaus.
July 22, 1999: Just as things are pretty quiet, a piece comes out in Scientific American.
June 16, 1999: Added links to Rahm's AVS article (thanks, Bob), some small attempts at noting which sections of this page are, by now, purely historical. Nihon Denpa News showed their documentary in Japan on May 8th; it was well received.
May 5, 1999: Incorporated some unsettling background from Jeff Leeds' articles in the LA Times: May 4 & May 5th 1999
May 1, 1999: A local news channel televises an interview I did in January. [10]
April 13, 1999: Link to excellent Wired article on credit card fraud. (See links)
April 7, 1999: Updated Cybernet Ventures entry, and entered data from available court filings. Cleaned up the introduction a bit. I still get emails every week or so from 'new' victims.
Mar 10, 1999: Videotaped interview with Nihon Denpa News. Look for a one hour documentary from Japan on credit card fraud sometime in 1999!
Mar 10, 1999: Added micropayment links and comments.
Mar 8, 1999: HTML cleanup, validation, doctype fixes.
Mar 1, 1999: Scattered updates, corrections, a few more relations identified.
Feb 29, 1999: FTC witness request.
Feb 17, 1999: Early report from Los Angeles hearing. I'm interviewed by representatives of Nihon Denpa News (NDN). NDN requesting interviews with insiders and victims. There are now few reports of new J K Publication frauds; mostly discoveries of old attacks.
Feb 8, 1999: Thought of a new twist on the credit card number generation angle. See [2].
Feb 7, 1999: Lots of catching up on various emails. Continued low level of reports from persons discovering old transactions.
FTC hearing on Netfill et al has been rescheduled. Added revision dates to table of contents.
Jan 22, 1999: More cleaning up, esp. section on actions by Banks/Visa/MC. Added reference to Apple's problems with their "new" APS validation system. How to report a really unhelpful bank.
Jan 20, 1999: Corrected an early count of victim comments (I counted wrong, sorry). Added appeal for input from a tech journalist. Citibank makes it to the Hall of Shame. Steady flow of additional reports and comments which I have to incorporate. Scattered reports of other frauds that appear to be unrelated -- I'll add a section for them soon. Updated section on Banks, Processors, and CC companies.
Jan 16, 1999: Interview with MPR's Future Tense. More general clean-up. Revised title, added TAL Services to list of Netfill affiliates. Since Ken Taves was named publicly in the FTC complaint, I switched back to using his name along with the initials KT.
Jan 15, 1999: Distributed copies of a credit card generator to selected journalists. Updated page with latest FTC news. Revised and clarified implications for e-commerce and recommendations for victims.
Jan 13, 1999: Netfill assets frozen, the FTC Acts. More journalistic interest, interview with Mike Brunker of CNBC. Cleaned up a disorganized subsection.
Jan 11, 1999: Added section soliciting victim references for various international journalists. Removed references to Cybernet and TAL Services as they may have been spurious. More links, including January 9, 1999 New Scientist Article and Union Tribune reference.
Jan 7, 1999: Added Bank Hall of Shame and Fame.
Jan 5, 1999: Fewer changes, some corrections. Daily reports from victims, but volume may be decreasing.
Jan 1, 1999: More updates from Yakei. OnLine Billing Fax. New names?
Dec 30, 1998: Back from holidays. Fill in a few more details, more KT ventures discovered. Assist Online involvement extended. Netfraud.com domain discovered.
BG submits a report to Le Monde through a journalist friend. More on AVS and Netfill.
Dec 21, 1998: Increased communication and assistance from Japanese site. French translation pending in Belgium. Added screen shots of a credit card number generator as a second page.
Dec 20, 1998: Learned more about other activities by principal actor. Revised understanding of roles of different names for the operation.
Dec 18, 1998: Included the GIF outlining the fraud. Roles of merchant account holder vs. vendor are still unclear. Extensive clean up of Vendors section.
Dec 16, 1998: Reformatting, additional data from incoming mail, physical address links. Suggestion that American Express may be less vulnerable than Visa/MC to this fraud.
Dec 13, 1998: Revised after input from the president of a credit card processor company. Greatly improved accuracy and reduced speculation.
Dec 8, 1998: Rapid growth of reported persons affected, now about 100. Still trying to attract attention of the news media or of enforcement officials. Many countries affected. First reports from Japan.
Dec 6, 1998: Many more reports, spoke with office of secret service, learned of their lack of interest. More emphasis on negligence of credit card companies.
Dec 5, 1998: Many reports incoming of persons victimized through Webtel/N-bill. More worrisome details on extreme weakness of credit card authentication procedures, and that even terminating the card may not end the billings. Report that Netfill is another alias for the same company.
Dec. 4, 1998: First posted.

Disclaimer and Credits
The opinions expressed here are my own. The information is based on multiple sources, which I cross-reference and independently check as often as possible. I can only describe the persons and organizations that have been associated with this fraud, but I cannot assign guilt.

I am indebted, however, to many, many persons who contributed advice, expertise, personal experience, their own research, and observations.
I am particularly indebted to Ric Ford of Macintouch, who brought in a great amount of information by placing references to this page on the popular Macintouch web site. "Yakei", from Japan, has helped a great deal. Mike Brunker of MSNBC wrote a nice piece, which my mother will love. Many other persons prefer to remain anonymous, but their initials and some names are credited above. Ironically, not a few valued contributors are active in the "adult" industry -- this type of fraud strikes at the heart of their business.

Author: John G. Faughnan. The views and opinions expressed in this page are strictly those of the page author. Pages are updated on an irregular schedule; suggestions/fixes are welcome but they may take weeks to years to be incorporated. Anyone may freely link to anything on this site and print any page; no permission is needed for citing, linking, printing, or distributing printed copies.