Such a scheme would almost certainly be detected quite easily. If only 1%
of the 500,000 credit card users check their statements every month and
report charges they didn't make (and I imagine that in fact the percentage
is higher than that; you do, don't you? I certainly do), the various credit
card companies will be hit with 5,000 complaints in short order. Each
credit-card company has legions of people and computers looking for patterns
to detect cases of extensive fraud. Furthermore, I imagine that the various
credit-card companies work together in some way to combat fraud, so their
information would be pooled.
Even if the number of customers reporting the bogus charges is low, surely
the credit-card companies' fraud prevention algorithms will be suspicious of
a new merchant suddenly ringing up tens of thousands of dollars in purchases,
at least suspicious enough to flag the merchant's account for a human being
to examine more closely? Merchants do *not* get their money from the
credit-card companies immediately, you know.
Once the fraud is detected, its pattern is usually easy to determine (the
credit-card companies do, after all, have auditable trails of all charges
going back for quite a long time; if the trail isn't auditable, then how
does the "organized crime boss" get his money?) and the credit-card
companies can recover the money from the company which placed the illegal
charges on the cards.
The usual strategy for preventing the bilked customers from complaining is
to give the front company a name that makes it look like a pornographic Web
site or telephone hotline. This is supposed to make most people too
embarrassed to complain about the errant charge. I find it hard to believe
that this is particularly effective, considering that we read about these
failed schemes over and over in the newspapers.
To pull off this kind of fraud successfully, you need to have control over a
large number of mostly legitimate merchants who are willing to launder the
bogus charges for you, you need to make the amounts of the bogus charges
small, and you need to spread them out over time rather than charging them
all at once. All of these restrictions obviously limit the amount of profit
you can successfully reap from such a scheme. And even if you are
successful for a time, there's always a chance that one of the credit-card
companies will catch up with one of the merchants, and there's always a
chance that the merchant will sing like a canary when he's supposed to be
clamming up about where he got those credit-card numbers from.
> [Simson Garfinkel commented:
> I simply do not understand why companies insist on keeping the old
> VISA/MC numbers in their computers.]
Because what the focus groups tell them, over and over again, is that
shopping on-line has to be fast and painless, and the faster and more
painless it is, the more likely it is that customers will keep using your
site. If two sites are equal in all ways except that one of them stores
your credit-card number so you don't have to reenter it and the other one
doesn't, the one with the stored numbers has a competitive advantage.
People care more about saving thirty seconds every once in a while than they
do about the remote chance that their credit-card numbers might be stolen by
a hacker.
I can't say that I particularly blame them. How many people, really, are
damaged by fraudulent charges on their credit cards which can be traced to
numbers stolen from Web sites? How often do such fraudulent charges go
uncaught by the credit-card companies?
I confirm every item on every credit-card statement I receive. Anyone who
does so has nothing to fear from hackers breaking into Web sites and
stealing lists of credit-card numbers. In my opinion, anyone who does *not*
do so is being foolish, regardless of whether they allow their credit-card
numbers to be stored on Web sites.
Jonathan Kamens [Jonathan Kamens via risks-digest Volume 21, Issue 19]