Protect Yourself from Credit Card Fraud
Dozens of small business owners throughout the US are struggling with a tricky problem. Cyber criminals have found a way to hack sites that allow them to take advantage of weaknesses in the authentication processing system that merchants use to place “pre-authorization requests,” a method of placing a temporary charge on a cardholder’s account to make sure that sufficient money is available to pay for promised services or goods. For example, when a server at a restaurant swipes a customer’s card, the initial charge is basically a pre-authorization, allowing for a final amount to be processed after a tip has been added.
Cyber thieves running the scams are banking on the fact that the issuing banks, merchants or acquiring companies are not sharing information about unusual activity or their fraud data with one another.
Lawrence Baldwin, a security consultant in Georgia, says, “The problem is that the detail of each individual entity’s perspective at a transaction level is restricted or filtered. But if everyone involved shared this pre-authorization transaction information, these guys would not be able to do these card checks, because the patterns are ridiculously obvious when you can see all of the components at once.”
Baldwin monitors three separate web sites that are used to check if stolen credit or debit card numbers are still valid, and he estimates that at least 25,000 such cards are checked each on the sites.
The Odyssey Bar in Idaho is a small business that is a pawn in the game played by the credit card scammers. The owner, Andy Kodopatis, knows that Russian hackers are using his business to run pre-authorization checks, but is unable to do anything because his credit card processor says they haven’t actually lost any money as a result of the scan and so cannot take action.
It may seem odd that they haven’t lost any money because of the scammers, but they are really just a small piece of the complex financial manipulations taking place. The card-checking services that are initiating the pre-authorization check are simply monitoring the account, and therefore the actual transactions never take place. Unless a consumer is online monitoring their accounts in real-time they will likely not notice the pre-authorization check. In fact, in most cases when banks are alerted to the card-checking activity, it is because the customer has signed up with their bank to receive e-mail alerts when charges are initiated on their account or because they are regularly checking their online statement.
Baldwin discovered that the criminals have set up their card-checking sites so that each check is submitted into the card processing network using a legitimate, hijacked merchant account number in combination with an unrelated merchant name. The criminals advertise their services via internet forums that promote identity theft, and cater to criminals who are in the market to purchase bulk quantities of stolen credit and debit cards.
Keri Tetlow, shared her story with Baldwin. Keri is vigilant in watching her family’s bank balance online and noticed a very small charge on her account from the Odyssey Bar. She contacted the bar and confirmed that no one in her household had made a purchase at the bar. Only a few days later Tetlow saw more significant unauthorized charges, totalling $300. She called her bank to arrange for cancellation of the card, and while in that process she saw more charges appear, for a further $175 dollars.
Tetlow contacted the stores involved, and was advised that the stores had video footage of the transactions, only the police would be permitted to view it. Her bank was sadly unhelpful, agreeing that they could help get her money back but advising that there was little they could do to protect the family or any customers from such fraudulent situations arising. Tetlow said she told the lady from the bank about the videos and was informed ‘There isn’t anything we can do with that. That’s a matter for the police. Really, we’re just going to get you your money back.’
Consumers looking to protect themselves from such situations will need to be well aware of any transactions on their accounts, debit or credit, and be sure to contact their bank immediately.
