> - The person or persons using these stolen cards had all the correct > information (such as address and even phone number, which is how we were > able to contact each cardholder). Just because the credit card thief can pass Address Verification Service with the right house number and zip code that doesn't mean you should trust them enough to ship your goods to a different address than the one that matched AVS. You should also ask your customers for the card identification number that appears next to the embossed card number. Even when this matches with the records of the card issuer, you must use common sense and only ship to the validated billing address as confirmed by AVS unless you have good reason to trust the customer. Repeat customers, for example, could earn the right to purchase gifts from your business for shipment to a third-party. Few others should be allowed to do so. The reason law enforcement just doesn't care and won't get involved is that credit card theft is a risk of doing business that every merchant accepts. Either you know how to manage that risk, and you survive, or you don't, and you go out of business. Law enforcement will see your appeal for help as a bit silly, since you're the one who asked for the credit card information in the first place... Unless you've uncovered some new threat vector for credit card fraud that law enforcement should do something to stop, you're complaining about being asked to take risk. If you don't want the risk, stop taking that form of payment. Sincerely, Jason Coombs jasoncat_private -----Original Message----- From: Jonathan A. Zdziarski [mailto:jonathanat_private] Sent: Wednesday, July 10, 2002 3:24 AM To: incidentsat_private Subject: Re: Stolen Card Purchases Hi, Thanks for all the emails I received. Just to make a few points of clarification in regards to our specific situation... - The credit cards being used were not stolen on the Internet, as not all of the cardholders involved in these related incidents had made purchases on the Internet. - The person or persons using these stolen cards had all the correct information (such as address and even phone number, which is how we were able to contact each cardholder). - We traced at least one of these incidents back through some proxies to a residential DSL line in the US, and I'm sure the Internet provider could furnish whomever [under subpoena] with name and address. I'm going to contact a few of the people who emailed me, but it sounds like from the other half of the emails I received, very few law enforcement agencies are interested in making arrests these days. If this is the case, I'm wondering what reporting this to the media would do. A story about how the government lets theifs run free sounds like it'd be enough to get some government organizations to shape up. ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Wed Jul 10 2002 - 14:39:50 PDT