Brian Enos's Forums... Maku mozo!

Credit Card Fraud


michael_aos

Back in September, some unauthorized charges showed up on my credit-card bill.

HTTP://WWW.SKYPE.NET INTERNET GBR

HTTP://WWW.SKYPE.NET INTERNET GBR

YAH*YAHOO MAIL 408-349-5151 CA

1ST CLASS SOFTWARE MISSISSAUGA CAN

WWW.SHAREITINFO.COM COLOGNE DEU

PROXYCONN8005053387 IRVINE CA

2CO.COM 877-294-0273 OH

Now, beginning on 12/23, there are several unauthorized charges on an entirely different card.

Paypal

MP3.com

iBills.com

Yahoo Wallet

SWSELL

ePayment

Google Answers

I just can't figure out where they're getting my numbers! I was thinking maybe a site I purchased something from was hacked, but I hadn't even used the first card in months. My recent purchases on this card were:

Brassman Brass

BrianEnos.com

Powder Valley

Midway USA

Sportsmans Guide

Lowes

Brigade Quartermasters

TiVO

Mike

Link to comment
Share on other sites


I've had similar problems with a card I use only on the internet.

WP-HOST LIMITED LEICESTER GBH

ISCOM INC NEW YORK

CNP WWW.IBILLCS.COM PHL

TALENTUS GMBH DEU

MMI*WWW.MUSICMATCH.COM CA

IBL*IBILLCS.COM

Purchases within 90 days prior to the fraud include:

Glockmeister

Brownells

Integrated Systems Management

Brianenos.com

Para Ordnance

Safariland Ltd

Blade-Tech

Sportsmans Guide

Arrendondo

Max s Choice

Aluma grips

E Arthur Brown Company

Wilson Combat

Cheaper Than Dirt

In September a web site that I don't remember the name of was advertising the sale of LE marked Glock magazines which I ordered from and haven't had a response from.

Link to comment
Share on other sites

:angry::angry::angry: and what can be done to prevent this type of theft?

Link to comment
Share on other sites

Sportsmans Guide has somewhat lax security, but I don't save my credit-card info online for later purchases.

They do have my CC number on-file for the "4-pay" plan, but I'm pretty certain it's not them.

I don't save my CC info at Brownells either.

BE doesn't appear to even have a mechanism for that, nor MidwayUSA.

I was hoping a pattern would develop here.

Mike

Link to comment
Share on other sites

At least you guys keep close tabs on your charges, a lot of folks do not. The problem is not online security issues or so-called "hackers". It's the employees at these places of online business that do the dirty deeds and it can happen anywhere.

Buying online with a credit card is no more/less safe than you handing the waiter or waitress at a restaurant your card to go off and ring up the bill, you have no idea what he/she is doing with that card while they're gone with it.

Link to comment
Share on other sites

I'm still not clear on my CC company policy. They closed the account and they said they would "charge back" or maybe it was "try and charge back" the items in dispute.

I'm just glad I didn't use my debit card!

Mike

A typical "charge back" is when there is a dispute over services or products, but you actually charged them.

Don't accept a "try to" - if the charges were not made by you, or a person with your authorization, you do not owe them and this is not conditional upon the charge card company being able to recoup its loss.

Link to comment
Share on other sites

It sounded to me like they would credit my account once they recouped from the vendor.

I guess I need to call back and verify exactly how this is going to work.

I poked around on their website, but I couldn't find a policy posted.

Mike

1) Write, do not call. The record will be handy if it does not resolve easily. Be very clear that the charges were not authorized by you.

2) They can't cause you to be liable for fraudulent debts outside the very limited scope of federal law ($50 max prior to the time you notified them, and that applies only if you lost your card). This cannot be altered by an assertion of policy.

Link to comment
Share on other sites

Btw, people with credit-report access can see all your CC #'s-- this may be why other cards are getting charged. I remember a month or so ago there was a big bust of somebody doing this.

At least one of the credit reporting agencies has truncated the account numbers of credit cards to only show a partial account number. ;)

Link to comment
Share on other sites

Some cc security reading info from my cart company:

Cartsupport.com Security

Privacy Statement

 

We take security and your privacy very seriously.  At any given time, we have several security audits and several security/fraud investigations underway.  Consequently, our security practices and procedures are under continuous review and testing.  In our 10 year history, none has ever revealed a data compromise from our servers.  There are several good reasons why.

We use 1024 bit RSA encryption ciphers using a 1024-bit key in our shopping cart and in our administrative cart control panels. This is the most powerful 'super-cert' available and is capable of making older browsers with the older 28 and 40 bit encryption behave like they have stronger encryption installed.

Cipher technology is an extremely arcane subject, but we are experts at it with over 10 years of e-commerce design and support to our credit.

But encryption and cipher technology are not enough to do the job properly.   At times, good encryption and cipher technology simply mean that a criminal is receiving the same privacy and cipher protection from observation and compromise that our merchants and shoppers receive.  There has to be more than just good cipher technology.

Database Protection

Our database security is under constant review to detect and thwart attacks.  We have never had a data compromise.  We have automated tools probing and prowling our systems and database for possible attack.  We also have human beings constantly reviewing database access practices and patterns for signs of attack. 

Database Encryption

In the remote event that a database attack is successful, the attackers would get only useless 'junk' -- all critical fields, such as credit card numbers are stored in encrypted form.  A successful attack would yield useless junk characters instead of a useful credit card number.  If our data were ever compromised, the hacker's attack problem would just be beginning - once they have our data, they would have to figure out how to decrypt it so they could use it.

Partnering

We also partner with the security departments of the major credit card companies and gateways, sharing information on practices observed among fraud attempts and helping all our e-commerce partners keep security tight, while optimizing the shopping experience for honest, authorized shoppers.

 

Cartsupport.com's security meets the stringent requirements of Mastercard's SDP program.  The Mastercard SDP Program provides acquiring members with the ability to deploy security compliance programs, ensuring that online merchants and Member Service Providers are adequately protected against hacker intrusions and account data compromises.

Merchant Control

Because merchants have their own workflow practices and their own day-to-day business needs, we place some security settings directly under merchant control.  Merchants, when they visit their cart control panel to pick up orders, are using the same 256-bit super-cipher that their shoppers use to keep their order information private and safe from compromise or observation.

Fraud Control

From time to time you may have a shopper report that payment information given to you was compromised and fraudulent charges were charged to their credit card. You can use the spreadsheet below as a template for an investigation. The spreadsheet has been developed over years of investigative work and will help you ask all the right questions to determine if your firm or ours was involved in a data compromise. For instance, recording the ZIP of every reported fraud will help you determine if all reporting shoppers are on the same mail route - if they are, then you should suspect a low-tech 'mail hack' rather than a high tech database attack.

 

 Cartsupport.com's security meets the FBI's stringent requirements for the joint SANS program

Common Consumer Practices Often Equate to Poor Security

Although many consumers regard using the internet as a 'high risk' venue for credit card use, it's actually the safest way to use a credit card, provided that adequate common-sense measures are taken. Consumers who would never do a transaction on the internet for 'security' reasons often let a waiter or waitress disappear with their credit card for 5-10 minutes. Other practices that can cause a compromise include using MS Wallet (credit card information is stored on a remote server for multiple use transactions); using web page 'blank auto-fill-in' software such as Gator (again, credit card information is stored on a remote server for convenient use later without typing in the information again). Even the use of typical browser features such as 'Inline AutoComplete' built-in to all browsers can enable a child or co-worker to get credit card information from the browser if a web site where a purchase has been made is visited again. Turning cookies on or off, and clearing history files does NOT remedy these security holes and does not block future compromises.

Low Tech vs. High Tech

Although many folks immediately suspect a high-tech compromise (hacker) when a card fraud event takes place, the opposite is usually true.  Low-tech attacks are much more common.  Consider: smart or clever people who are capable of a high tech attack (a hack) are usually also smart enough to know that they can't get away with it.  They also have valuable skills and are highly paid, so they have no economic motivation to risk that high income on a dubious plot to make some 'easy' money and get caught.  Conversely, poorly paid workers at gas stations and restaurants may more readily think they can get away with credit card fraud scams and their poor pay makes a low-tech undertaking such as a dumpster dive or writing down credit cards numbers seem worthwhile.  These people usually get caught, too.

So the set of people who are motivated and capable of undertaking a low-tech fraud attack is much, much larger than the set of people motivated and capable of undertaking a high-tech fraud attack.  It makes sense to start investigations with the assumption of a low-tech attack -- as that is the avenue of investigation that will most frequently lead to the culprit (or family member in many cases).

Questions to Ask

By far the most common result of reported credit card fraud investigations is the revelation that one spouse made a purchase they did not want the other spouse to know about.  This is followed by children or teenagers making a purchase they did not want a parent to know about.   Once you have investigated a few frauds, you will perhaps become a little skeptical about reported fraud and such skepticism may serve you to some extent.

Here is a list of questions you can ask of a cardholder to begin an investigation:

1.  Did you make the purchase with us from your home, office or a friend's computer?

2.  Do any co-workers, friends, spouses or children have access to that same computer?

3.  Do you have 'Inline AutoComplete' turned on in your  browser?

4.  Do you use Gator or MS Wallet on that computer?

5.  What other companies have you purchased from online? (ask for a list)

6.  Do you auto-pay bills using this same credit card?

7.  Has your credit card been out of your sight (including at a restaurant or store) for any period of time?

8.  Do you use your credit card to pay for gas?

9.  If so, do you swipe at the pump, or leave the credit card with the attendant while you pump?

10.  Do you ever give your credit card to a child, spouse or friend?

11.  Have you called  the security department at the credit card bank?

12.  Have you asked for your money back from the merchant who charged the fraudulent charge?

13.  Have you asked the bank to return your money on this fraudulent charge? (MUST DO THIS!)

14.  Will the merchant who charged the fraudulent charge talk to you?

15.  Where did the merchant ship the merchandise on this fraudulent charge?

16.  If delivery was electronic (download or site access) what IP address was the download or access delivered to? (ask the merchant)

17.  Did the merchant processing the fraudulent charge require AVS or CVV information to accept the card transaction?

18.  What was the result of a computer scan with Norton Anti-virus? (will identify commonly known spy-ware)

19.  Is your computer password protected, or can anyone who turns it on use it?

20.  Do you shred your credit card bills?

21.  Do you throw your credit card bills away in the trash without shredding them?

22.  If filed, are your credit card bills under lock and key?  Who has keys?

23.  Have any of your other credit cards been compromised?

24.  What is the zip code where your credit card bill is sent?

Link to comment
Share on other sites
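A sketch of the pattern check the quoted Fraud Control text describes (recording the ZIP of every report) together with the merchant-list comparison posters in this thread are doing by hand. It is an added example, not part of any post or of Cartsupport.com's spreadsheet; the reports, merchant names, baseline shares and thresholds are constructed assumptions.

```python
from collections import Counter

# Constructed sample data (not from the thread). Each fraud report records the
# billing ZIP and the merchants the card was used at before the fraud.
FRAUD_REPORTS = [
    {"zip": "98101", "merchants": {"shop-a", "shop-b", "big-retailer"}},
    {"zip": "30301", "merchants": {"shop-a", "shop-c", "big-retailer"}},
    {"zip": "60601", "merchants": {"shop-a", "big-retailer"}},
    {"zip": "85001", "merchants": {"shop-a", "shop-d"}},
]
# Constructed baseline: share of ALL cardholders (fraud or not) who used each
# merchant. A popular merchant appears in most histories without being the leak.
BASELINE_SHARE = {"shop-a": 0.10, "shop-b": 0.05, "shop-c": 0.05,
                  "shop-d": 0.05, "big-retailer": 0.70}


def zip_concentration(reports):
    """Return (most frequent billing ZIP, its share of all reports)."""
    counts = Counter(r["zip"] for r in reports)
    zip_code, n = counts.most_common(1)[0]
    return zip_code, n / len(reports)


def merchant_lift(reports, baseline):
    """Return [(merchant, share of reports, lift over baseline)], best lift first.

    Lift is None when the merchant has no baseline figure to compare against.
    """
    counts = Counter(m for r in reports for m in r["merchants"])
    rows = []
    for merchant, n in counts.items():
        share = n / len(reports)
        base = baseline.get(merchant)
        rows.append((merchant, share, share / base if base else None))
    rows.sort(key=lambda row: (-(row[2] or 0), row[0]))
    return rows


def triage(reports, baseline, zip_threshold=0.6, min_share=0.75, min_lift=3.0):
    """Suggest where to look first; thresholds are assumed, not calibrated."""
    if not reports:
        raise ValueError("no reports to analyse")
    zip_code, zip_share = zip_concentration(reports)
    if zip_share >= zip_threshold:
        return ("mail-route", zip_code)        # reports cluster geographically
    for merchant, share, lift in merchant_lift(reports, baseline):
        if lift is not None and share >= min_share and lift >= min_lift:
            return ("common-merchant", merchant)  # over-represented vs. baseline
    return ("no-pattern", None)


if __name__ == "__main__":
    print(triage(FRAUD_REPORTS, BASELINE_SHARE))
```

A merchant that appears in every victim's history is only a lead; the baseline comparison is what keeps a merely popular store from being flagged.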

After reading the above, I checked my and my wife's CC's. This one appeared on my wife's CC:

IBL IBILLCS.COM E

This CC was used to place an order in the BE-store and nowhere else before or after and no internet purchase, other than BE, ever on this CC.

ibillcs.com seems to be a service provider for internet CC billing. How legit it is for them to take money and charge fees I do not know.

Brian, does your store subscribe to their services? Are they allowed to bill your clients?

Link to comment
Share on other sites

Credit card companies don't have any leeway once a customer reports a fraudulent purchase. Under Federal law (don't have the cite handy), the card holder has no further responsibility for fraudulent charges. The maximum liability for the card holder is capped at $50.

IMHO, most credit cards don't do very much about fraud, b/c they just charge back the fraudulent purchase to the merchant. In effect, the credit card company has little downside and little incentive for pursuing the person(s) who made the fraudulent purchases.

Link to comment
Share on other sites

It sounded to me like they would credit my account once they recouped from the vendor.

If you've reported this as "fraud", it should immediately be moved to disputed, and come off your current bill. When it goes to disputes, you should get an affidavit in the mail, that you must sign and return, to keep things going.

If after checking and research, they decide it's not fraud, they'll re-add it to your charge. Then, you'll need to get more aggressive, but most major companies should do right by you.

Good luck.. even if it all works out right.. it still sucks.

Link to comment
Share on other sites

Brian, does your store subscribe to their services?

Absolutely not.

Are they allowed to bill your clients?

Of course I would not be involved with any company that was allowed to "just bill my clients."

"My store," and I put that in parenthesis because what would normally be considered "my store" is so complex it's almost impossible to comprehend, does not process or store any customer or credit card information.

When you click to View Cart or Checkout (in my store), you are taken to my cart system's secure checkout page,

https://www.trust1.com/Welcome.pl

which hands off your info and cc number to Authorize.net (my gateway) to approve the transaction. However, the bank that actually handles Authorize's transactions is Global Payments.

In the middle of all that somewhere is my merchant account - Total Merchant Services - who I actually pay to do all this. I just got off the phone with a TMS risk management person, who said they are not in any way involved with ibills.

But I'm still looking...

be

Link to comment
Share on other sites

IBILLCS.COM is one of the largest credit card processors from adult websites. You can contact them directly as IBILLCS.COM and report a fraudulent charge against your card. They have been helpful in the past when I ran into charges by them on my cards.

At one time American Express was experimenting with a system where you used a piece of software to generate "One Use" credit card numbers. You could make a purchase with them and they would be approved through the standard credit card merchant processing system, but AE knew how to decode them to re-direct the charges to your account. But a second charge to that number would be rejected. Wonder what happened to that?

Link to comment
Share on other sites

This is very similar to the USPSA approach (our charges also go through Authorize.net). As a matter of policy, USPSA does not do *any* handling of credit card numbers on our system, as we prefer to let companies which specialize in security handle that for us. I've got plenty of things to spend my time on as is - I don't want to make checking security on uspsa.org and applying patches a major pastime.

Link to comment
Share on other sites

If you've reported this as "fraud", it should immediately be moved to disputed, and come off your current bill. When it goes to disputes, you should get an affidavit in the mail, that you must sign and return, to keep things going.

If after checking and research, they decide it's not fraud, they'll re-add it to your charge. Then, you'll need to get more aggressive, but most major companies should do right by you.

If you have a legitimate bona fide billing dispute w/ your credit card company (or any company for that matter), you can always use Section 3-311 of the Uniform Commercial Code. Most, if not all, states have similar language in their Commercial Codes.

Link to comment
Share on other sites

TNX for the info Benos. We have not had feedback from the bank yet and are still trying to sort this out. We have reported the ibillcs.com charges as fraudulent. Their webpage says they will not support a lot of porn sites, but if you google "fraud ibillcs.com" you get more porn hits than when searching for any other term.

Link to comment
Share on other sites
