[ISN] Internet Porn Scam

From: mea culpa <jericho_at_dimensional.com>
Date: Sat 09 Jan 1999 - 16:36:21 CST
Forwarded From: jeradonah lives <jeradonah@juno.com>

http://www.newscientist.com/cgi-bin/pageserver.cgi?/ns/990109/newsstory2.html
Filthy business
Jeff Hecht

Fraudsters are exploiting a security loophole in banking systems that lets
them charge credit card users for fictitious visits to pay-per-view
Internet sites. The scam leaves victims having to explain themselves to
spouses who wrongly believe they have been visiting pornographic sites.
 
The swindlers bill their victims' credit cards a small monthly amount,
typically $19.95, for visits to sites they've never seen, according to
John Faughnan, a software developer in St Paul, Minnesota, who
investigated the scam after falling prey to it.  Since Faughnan set up a
website to publicise the fraud, more than 200 other victims have contacted
him from countries including Japan, Britain, Australia, Brazil, Sweden,
South Korea and France.
 
Credit card verification is supposed to require a valid name, a valid card
number and a corresponding expiry date, says Don Zimmerman of the Boston
office of the Secret Service, which investigates credit card fraud in the
US. Mail-order firms may also check if the delivery address matches that
of the account.

However, a spokeswoman for US Bank of Minneapolis says that firms who make
small recurrent charges ask banks to waive these steps because repeatedly
asking for expiry dates takes time and annoys customers. But this opens
the door to crooks who can obtain valid card numbers.

Card numbers alone provide some security because the digits must pass a
numeric test, called a checksum, but software that generates valid numbers
is also available on the Net. Most numbers generated don't match valid
accounts, but those that do can be used to make charges that show up on
the victim's bill. Racketeers can also steal card numbers used in valid
transactions, and some lists have been posted on the Net. Extra validation
steps can block these fraudulent charges, but Zimmerman says that
additional security "does cost money, and there's always a bottom line"
for banks, card processors and vendors.

Faughnan blames the fraud on companies that process charges for viewing
online pornography. Because many people who browse for porn give fake card
numbers, processors expect high credit charge reject rates and fail to
investigate. Most fraudulent charges list the same few vendor names, and
he suspects they come from just one card processing group. The fraudsters
must generate some numbers randomly, because charges have appeared on
unused accounts, but they may also have stolen customer card numbers from
pornographers.

A spokeswoman for US Bank, where Faughnan holds the account that the
fraudsters billed, says: "If we know a merchant has a lot of fraudulent
transactions, we immediately report it to the proper authorities." She
added that customers are not liable for fraudulent transactions.

From New Scientist, 9 January 1999

-o-
Subscribe: mail majordomo@repsec.com with "subscribe isn".
Today's ISN Sponsor: Internet Security Institute [www.isi-sec.com]
Received on Thu Mar 11 16:58:23 1999