Forwarded From: jeradonah lives <jeradonahat_private>

http://www.newscientist.com/cgi-bin/pageserver.cgi?/ns/990109/newsstory2.html

Filthy business

Jeff Hecht

Fraudsters are exploiting a security loophole in banking systems that lets them charge credit card users for fictitious visits to pay-per-view Internet sites. The scam leaves victims having to explain themselves to spouses who wrongly believe they have been visiting pornographic sites.

The swindlers bill their victims' credit cards a small monthly amount, typically $19.95, for visits to sites they've never seen, according to John Faughnan, a software developer in St Paul, Minnesota, who investigated the scam after falling prey to it. Since Faughnan set up a website to publicise the fraud, more than 200 other victims have contacted him from countries including Japan, Britain, Australia, Brazil, Sweden, South Korea and France.

Credit card verification is supposed to require a valid name, a valid card number and a corresponding expiry date, says Don Zimmerman of the Boston office of the Secret Service, which investigates credit card fraud in the US. Mail-order firms may also check if the delivery address matches that of the account. However, a spokeswoman for US Bank of Minneapolis says that firms who make small recurrent charges ask banks to waive these steps because repeatedly asking for expiry dates takes time and annoys customers.

But this opens the door to crooks who can obtain valid card numbers. Card numbers alone provide some security because the digits must pass a numeric test, called a checksum, but software that generates valid numbers is also available on the Net. Most numbers generated don't match valid accounts, but those that do can be used to make charges that show up on the victim's bill. Racketeers can also steal card numbers used in valid transactions, and some lists have been posted on the Net.
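
[Added example, not part of the New Scientist article or of any bank's system: the checksum on card numbers (the Luhn test) accepts exactly one in ten digit strings, so it catches typing errors but authenticates nothing, and a model of the waived verification shows a number-only request being approved. The authorize() function, its field names and the sample account are assumptions made for illustration; the card number is a widely used test number, not a real account.]

```python
def luhn_ok(pan: str) -> bool:
    """True if the digit string passes the Luhn checksum used on card numbers."""
    if not pan.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def checksum_pass_rate(start: int, count: int, width: int = 16) -> float:
    """Fraction of `count` consecutive numbers that pass the checksum."""
    passed = sum(luhn_ok(str(n).zfill(width)) for n in range(start, start + count))
    return passed / count


def authorize(request: dict, account: dict, waive_checks: bool) -> bool:
    """Hypothetical issuer decision. `waive_checks` models the waiver the
    article describes for small recurrent charges."""
    if not luhn_ok(request["pan"]) or request["pan"] != account["pan"]:
        return False
    if waive_checks:
        return True             # the card number alone is accepted
    return (request.get("expiry") == account["expiry"]
            and request.get("name", "").lower() == account["name"].lower())


# Constructed sample data: standard test number, invented holder and expiry.
ACCOUNT = {"pan": "4111111111111111", "expiry": "12/99", "name": "A. Cardholder"}
NUMBER_ONLY = {"pan": "4111111111111111"}
FULL = {"pan": "4111111111111111", "expiry": "12/99", "name": "a. cardholder"}

if __name__ == "__main__":
    # Constructed range that is not a payment-card prefix; exactly 10% pass.
    print("checksum pass rate:", checksum_pass_rate(10**15, 10_000))
    print("number only, checks waived:  ", authorize(NUMBER_ONLY, ACCOUNT, True))
    print("number only, checks enforced:", authorize(NUMBER_ONLY, ACCOUNT, False))
    print("full details, checks enforced:", authorize(FULL, ACCOUNT, False))
```
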

Extra validation steps can block these fraudulent charges, but Zimmerman says that additional security "does cost money, and there's always a bottom line" for banks, card processors and vendors.

Faughnan blames the fraud on companies that process charges for viewing online pornography. Because many people who browse for porn give fake card numbers, processors expect high credit charge reject rates and fail to investigate. Most fraudulent charges list the same few vendor names, and he suspects they come from just one card processing group. The fraudsters must generate some numbers randomly, because charges have appeared on unused accounts, but they may also have stolen customer card numbers from pornographers.

A spokeswoman for US Bank, where Faughnan holds the account that the fraudsters billed, says: "If we know a merchant has a lot of fraudulent transactions, we immediately report it to the proper authorities." She added that customers are not liable for fraudulent transactions.

From New Scientist, 9 January 1999

-o-
Subscribe: mail majordomoat_private with "subscribe isn".
Today's ISN Sponsor: Internet Security Institute [www.isi-sec.com]