[ISN] Internet Porn Scam

From: mea culpa (jerichoat_private)
Date: Sat Jan 09 1999 - 14:36:21 PST

    Forwarded From: jeradonah lives <jeradonahat_private>
    
    http://www.newscientist.com/cgi-bin/pageserver.cgi?/ns/990109/newsstory2.html
    Filthy business
    Jeff Hecht
    
    Fraudsters are exploiting a security loophole in banking systems that lets
    them charge credit card users for fictitious visits to pay-per-view
    Internet sites. The scam leaves victims having to explain themselves to
    spouses who wrongly believe they have been visiting pornographic sites.
     
    The swindlers bill their victims' credit cards a small monthly amount,
    typically $19.95, for visits to sites they've never seen, according to
    John Faughnan, a software developer in St Paul, Minnesota, who
    investigated the scam after falling prey to it.  Since Faughnan set up a
    website to publicise the fraud, more than 200 other victims have contacted
    him from countries including Japan, Britain, Australia, Brazil, Sweden,
    South Korea and France.
     
    Credit card verification is supposed to require a valid name, a valid card
    number and a corresponding expiry date, says Don Zimmerman of the Boston
    office of the Secret Service, which investigates credit card fraud in the
    US. Mail-order firms may also check if the delivery address matches that
    of the account.
    
    However, a spokeswoman for US Bank of Minneapolis says that firms who make
    small recurrent charges ask banks to waive these steps because repeatedly
    asking for expiry dates takes time and annoys customers. But this opens
    the door to crooks who can obtain valid card numbers.
    
    Card numbers alone provide some security because the digits must pass a
    numeric test, called a checksum, but software that generates valid numbers
    is also available on the Net. Most numbers generated don't match valid
    accounts, but those that do can be used to make charges that show up on
    the victim's bill. Racketeers can also steal card numbers used in valid
    transactions, and some lists have been posted on the Net. Extra validation
    steps can block these fraudulent charges, but Zimmerman says that
    additional security "does cost money, and there's always a bottom line"
    for banks, card processors and vendors.
    
    Faughnan blames the fraud on companies that process charges for viewing
    online pornography. Because many people who browse for porn give fake card
    numbers, processors expect high credit charge reject rates and fail to
    investigate. Most fraudulent charges list the same few vendor names, and
    he suspects they come from just one card processing group. The fraudsters
    must generate some numbers randomly, because charges have appeared on
    unused accounts, but they may also have stolen customer card numbers from
    pornographers.
    
    A spokeswoman for US Bank, where Faughnan holds the account that the
    fraudsters billed, says: "If we know a merchant has a lot of fraudulent
    transactions, we immediately report it to the proper authorities." She
    added that customers are not liable for fraudulent transactions.
    
    From New Scientist, 9 January 1999
    