Internet fraud and other tech problems

[BobG]

The last week or so has been really strange. Last week, I started getting packages from Office Depot/Tech Depot for some stranger. The address is mine, but the name on the packages is someone I've never heard of.

I can't believe how hard it is to take care of a problem like this. Their automated voice line has no categories for this sort of thing and it seems to be impossible to get a human even by hitting 0 repeatedly, which was supposedly the trick to get a human, but perhaps I missed my opportunity. It definitely doesn't work once you've gotten into one of the menus.

Plan B was e-mail. I'm beginning to think I'm dealing with a Nigerian e-mail scam. Whoever receives the e-mails merely asks for info such as my account number (I don't have one! I never ordered anything from you!), the address the order was shipped to (did you think to scroll down the page a little bit?! This e-mail contains my entire correspondence with you and your question was asked and answered previously!), etc.

At least Tech Depot disposed of the issue with as little effort as possible. They told me to donate or discard the package and informed me that they were crediting my account for $16.97. Well, I guess that would make me happy if I'd actually paid for the item.

Come to think of it, I've had another problem that I noticed just this weekend. Someone ran up almost $1200 on my credit card over a 10 day period. Fortunately, that's been taken care of and I won't be liable for any of those charges, but...

What a coincidence! One of the charges is for $16.97 and is within a day of the shipping date for the package I didn't order! And there's an Office Depot charge within a day of the shipping date for those two packages. They must have had the billing address in addition to the card number and whoever has my credit card number must have had the package shipped to the billing address instead of their desired address.

Three of the charges are for TOYSRUS. That almost makes me feel bad that some kid's parent is running up charges on a stolen credit card to buy her a present for her birthday. But at least she had a nice pizza party on her birthday, though. Somehow, that just seems really dumb to have a pizza delivered to your house using a stolen credit card number, but I guess it isn't any more incriminating than deliveries of any of the other stuff they ordered.

Of course, I don't even really know if the same person ordered all that stuff. It turns out that the better money is in selling the credit card numbers, not using them. You can find websites where you can buy stolen credit card numbers for as cheap as $1.50 a piece. Of course, stolen cedit cards have a short shelf life, so you probably need more than one to actually have a good chance of purchasing anything, plus you pay extra if you want a credit card number from a particular locality, want other info associated with the number, etc. And, presumably, a credit card number gets sold to more than one person, making it more difficult to track down who stole the number in the first place.

Vendors want it to be as easy as possible to make purchases, so credit card companies already pass up several possible security measures that could reduce the risk. For example, in some states and/or credit card companies, the store isn't even allowed to ask for identification - even if the customer wrote "See ID" on the back of the card (in fact, if you write "See ID" on the back instead of your signature, then the card technically isn't valid, so writing "See ID" on the back of your card is more useful as a survey of how many stores actually follow the few rules in place than as an actual security measure.) Given that they're already accepting some loss (which they just pass on to customers in higher prices), I wonder if credit card companies even bother to go after all of the little purchases made on a stolen credit card.

That probably won't help whoever placed the order with the furniture store. That person will probably be nailed with a felony.

 

[nismaratwork]

It's all a part of trading our privacy for goods and services, or discounts on them. You'd think with PGP being so easy, that we'd be more secure, but there is a strong undercurrent of arrogance and laziness.

I liken it to each group of students at a university, out of which some will not set a windows or router password, and then become part of some twit's botnet. These small actions on a small scale have a new and horrific capacity to snowball; there is a market for trading information like CC #'s, often just for the hell of it.

I sincerely hope that the individual(s) responsible are caught and tried, or at least get a miserable plea deal.

 

[Evo]

Any idea of how they got your card number Bob?

 

[hypatia]

Thats horrible, I hope they find the people responsible. Someone having the billing address is scary.

 

[Proton Soup]

It's all a part of trading our privacy for goods and services, or discounts on them. You'd think with PGP being so easy, that we'd be more secure, but there is a strong undercurrent of arrogance and laziness.

I liken it to each group of students at a university, out of which some will not set a windows or router password, and then become part of some twit's botnet. These small actions on a small scale have a new and horrific capacity to snowball; there is a market for trading information like CC #'s, often just for the hell of it.

I sincerely hope that the individual(s) responsible are caught and tried, or at least get a miserable plea deal.

fortunately, congress put all the onus of dealing with identity theft on the individual instead of corporations managing your data. and that keeps prices low for everyone. :)

 

[Evo]

fortunately, congress put all the onus of dealing with identity theft on the individual instead of corporations managing your data. and that keeps prices low for everyone. :)

Don't ever let a spouse steal your identity, by law, you are financially responsible even if they admit in writing that they forged your name. I will never get married again.

 

[Proton Soup]

Don't ever let a spouse steal your identity, by law, you are financially responsible even if they admit in writing that they forged your name. I will never get married again.

yeah, the older i get, the more attractive leasing options look

 

[nismaratwork]

fortunately, congress put all the onus of dealing with identity theft on the individual instead of corporations managing your data. and that keeps prices low for everyone. :)

Yes, isn't it good to know that Uncle Sam has our best interests at heart? :tongue:

 

[BobG]

Any idea of how they got your card number Bob?

No. I don't use that card very often. In fact, I usually only use it for internet purchases.

It could have been hacked from the company I made a purchase from in Feb. It's a somewhat smaller company, but I've made purchases from them before with no problem.

Or, it could have been hacked earlier. Researching this, credit card numbers often aren't used as soon as they're stolen, since that would be a pretty big red flag leading back to the source. In that sense, if my card was stolen from the business side of things, then mine is one of the cards good for isolating the source since there's very little activity on it (at least until this month when it was stolen).

Or, it was hacked on my end via a keylogger program (malware). That's more worrisome. It's the sort of thing that starts you looking through the logs of whatever security program you're using until it occurs to you that the detected threats aren't the problem - it's the possibility of new malicious software that the security program didn't detect. While this is the first time I've had this particular problem, I'm not the only one that uses my computer and I've had to do a very thorough cleaning of malware/adware a couple times before.

This is where it might have been beneficial to use my security program's option to store my credit card info in the program's password/credit card manager. That way, the information is never typed in - the program automatically inserts the appropriate data.

Or the extra security my military retirement account and my bank account use for logins. The military retirement pay site uses a virtual keyboard that's randomized. The bank account not only requires your account number and pin number, but it also includes selecting the correct image - plus if the account is accessed from a strange IP address, it asks you questions to verifiy your identity. (This part can be tough, since I have to remember which questions I answered wrong when setting them up, but that's not as hard as it would seem since there is a logic to the wrong answers.)

The problem with adding extra security options for credit card purchases is that a lot of people would see it as being too inconvenient to deal with over and over, causing people to make fewer internet purchases. It's a conscious decision by credit card companies/merchants to use less security and the customer usually isn't liable for the losses provided they at least check their accounts once in a while (many companies have some time criteria where they're not going to fully reimburse you for old purchases since the customer's inattention contributed to making the problem bigger than it had to be).

 

[nismaratwork]

Keylogging is time consuming for the sake of just getting someone's information for small purchases. More likely a company was hacked (or inside job) and a bulk of CC and info was released, then used randomly. "Burn and Churn" so to speak, or it may be that the information was held and used in a trade for some favor or software.

 

[AlephZero]

The problem with adding extra security options for credit card purchases is that a lot of people would see it as being too inconvenient to deal with over and over, causing people to make fewer internet purchases.

Don't US e-commerce sites use independent security verification systems like "Mastercard securecode" and "Verified by Visa"? (Google them if you never heard of them)

I would be very suspicions of any online card transaction in the UK that didn't use those systems.

Of course they don't protect you against keylogger software on your own PC, but they do mean there is a level of password protection that is never sent to the vendor's computer system, only to the indepdent verification company (which one might hope was harder to hack into than Joe Klutz's Internet Emporium).

All physical cards in the UK are now chip-and-PIN, so you can't use a stolen card at an ATM or in a store without entering the PIN number, and the card is automatically disabled after 3 wrong guesses.

 

[BobG]

Don't US e-commerce sites use independent security verification systems like "Mastercard securecode" and "Verified by Visa"? (Google them if you never heard of them)

It's entirely voluntary. The customer has to decide to use this option. Merchants have to decide to use this option.

Merchants have a motivation to use it since they wind up being the victim in credit card fraud. They get stuck with a charge back from the credit card company, so neither the credit card company nor the customer suffer from credit card fraud.

Even if they choose to use a verification system, it only works for customers that also chose to use the system. There's generally nothing to motivate the customers aside from any personal sense of invasion they suffer from having their credit card number stolen.

For businesses, credit card fraud is just another expense, the same as shoplifting. The crime will hopefully be investigated, and maybe even solved, but the only real solution for businesses is to include losses due to theft when determining how much they need to charge for products in order to stay in business.

 

[turbo]

My wife's CC company sent her a new card and told her to examine her next statement carefully, because the network of Hannaford (supermarket company) had been hacked, and many tens of thousands of CC#s were compromised. Not a good position for Citi to be in, because of the expense, but it was likely a LOT cheaper than having to pay for fraudulent charges.

 

[TheStatutoryApe]

I was rather upset when my bank killed my debit card with no notice and then wouldn't tell me why except that there was supposedly "suspicious activity" connected with my account.

 

[nismaratwork]

I was rather upset when my bank killed my debit card with no notice and then wouldn't tell me why except that there was supposedly "suspicious activity" connected with my account.

That is a pure dick-move.

I don't mind security, just notify me ASAP so it can be corrected.

@BobG: It's not only voluntary, I've rarely found it used outside of sites that are otherwise dubious in their reputation. I find it odd, because you can use pre-paids, or single-use numbers for your primary card to make these purchases, but people don't.

I get your point, the impetus for consumers is low, but maybe the trick is to add some incentives, like more miles or points or... whatever.

 

[AlephZero]

I get your point, the impetus for consumers is low, but maybe the trick is to add some incentives, like more miles or points or... whatever.

The UK has a very simple "incentive." Using it is not an option, it's compulsory.

It was an option for the few months after it was introduced, but not any more.

But then we don't have the legal right to form a militia and shoot our legislators, like you do

 

[nismaratwork]

The UK has a very simple "incentive." Using it is not an option, it's compulsory.

It was an option for the few months after it was introduced, but not any more.

But then we don't have the legal right to form a militia and shoot our legislators, like you do

Yeah, but I bet you wish you could when Blair was in office...

OK, talk of murder aside, I think compulsory verification is worthwhile, but unlikely to pass into law in the USA. Given that fraud included, CC companies are still making a FORTUNE, incentiving seems the brightest move.