Schneier on Security
A blog covering security and security technology.
April 4, 2007
Story of a Credit Card Fraudster
A two-part story from The Guardian: an excerpt from Other People's Money: The Rise And Fall Of Britain's Most Audacious Credit Card Fraudster.
The first time I did the WTS, it was on a man from London who was staying in a £400 hotel room in Glasgow. I used my hotel phone trick to get his card and personal information -- fortunately, he was a trusting individual. I then called his card company and explained that I was the gentleman concerned, in Glasgow on business, and had suffered the theft of my wallet and passport. I was understandably distraught, lying on my bed in Battlefield and speaking quietly so my parents couldn't hear, and wondered what the company suggested I do. The sympathetic woman at the other end proposed I take a cash advance set against my account, which they could have ready for collection within a couple of hours at a wire transfer operator.
Posted on April 4, 2007 at 6:25 AM
Quite a read! It's amazing how much you can get by using a phone. I guess the human factor will always be the weak link in any security system.
The young man portrayed in the article comes across as an utterly amoral, self-centred individual, who never gave a moment's thought to the effect of his actions upon his victims.
And this is different from any other criminal ... how?
And this is different from the Government ... how?
It's interesting to see how the non-1099/W2 security researchers work. I remember reading Catch Me If You Can a long time ago and finding many of the tactics outdated, but very informative.
What I find the most intriguing is how little interest the financial institutions have in preventing these types of fraud. It's just too easy to offload the cost of the fraud on the consumers either by making them pay directly for it, or through very high interest rates justified by the amount of fraud.
The problem is people become dependent on their credit cards; what's more, the issuing and acquiring companies like it this way.
I like it this way! How often have you set out on a business trip with nothing but loose change and a couple of credit cards? I know I have.
The problem is when cards get refused for whatever reason. I used to be mortified by this, but now treat it as an inconvenience.
However, most people are not so blasé about it, and, having been refused once, are reluctant to depend on the card: they take lots of cash with them, use travellers' cheques, pay in advance by bank transfer, etc., all of which results in loss of business for the credit card companies. So much so that they would rather accept a fairly high rate of fraud than refuse legitimate requests.
I might add that having helped out someone who had just lost their passport, credit cards, etc., I was extremely impressed by the helpful reaction of the credit card companies.
The incidence of fraudulent claims over real ones is just too low to reject a desperate-sounding customer.
OT but very interesting
just stumbled over this: crack WEP in under 60 seconds
submitted by a workgroup at a German university, department for computer science
had no time so far to have a serious look at it, though - sorry
One of the key issues here was that the credit card holders did not authenticate the "John from the reception" that started asking security questions, and then willingly gave their information. Social engineering at its finest.
I'm sure that credit card companies now monitor replacement cards that are ordered within minutes of an address change. In his earlier adventures, the fraudster was asking to be arrested by having cards issued in his real name.
"They would rather accept a fairly high rate of fraud rather than refuse legitimate requests."
I suspect it depends on the issuer. I just had a major bank decline a moderate-size purchase because it was a "duplicate" to a just-previous transaction that had been cancelled by the clerk, as the terminal appeared "frozen", and re-entered.
Naturally, the "security person" for whom I had to wait for some 15 minutes at international roaming rates seemed to be just fine with the notion that re-submission of a (technically) failed transaction triggers such a thing. I would have hoped that _someone_ in their I.T. department would know what a "transaction" is, but I'm probably just behind the times.
At least the credit card companies cover your losses when you are hit by fraud. Many people have far more money at stake in their retirement savings accounts, which are "protected" by trivia like mother's maiden name and home address. The company holding your life savings is probably not obligated to cover your losses if someone posing as you is able to empty your account. Until they are, the authentication will not be adequate to protect that kind of asset.
I don't know what country you are in. But in most I have lived in, the bank is liable. They can't give the money to the wrong person and claim it was your fault.
There is one exception: PIN numbers. That's why even my wife does not know mine. That's my part of the bargain. The bank then must cover anything after the first $50NZ.
Even in cases where the elderly person was tricked into giving their PIN away, the bank has covered it, for PR reasons. In NZ anyway.
"At least the credit card companies cover your losses when you are hit by fraud."
As a merchant in the U.S. I know who covers the losses when you are hit by fraud and it isn't the credit card companies. Every month I get to deal with a stack of charge backs; most from people who claimed to have never purchased our products.
I don't think that all credit card companies will cover your losses, as always it depends on the situation. Regardless, just never give your information to anybody without first being able to verify their job position and/or motive.
The credit card industry is going to come under more pressure from Washington to clean things up. It seems like the same type of people who were running the failed subprime mortgage businesses that fell apart are managing the credit card industry.
A) he got caught. B) he had repeated close calls, demonstrating considerable luck. That means he's probably pretty rare. C) we don't have much evidence that the card holders suffered. D) even during his run of fun, there's an example of security measures being introduced which made his life more difficult. E) in the end they call the police and F) they make it stick.
There are a couple of troubling things: he's able to change an address and then get a card sent out without triggering a fraud alert; he's able to order second cards which don't seem to go through any decent security checks. In the end however, I don't think people in IT security should be criticising an industry where security seems to actually be more or less working. When was the last time you had the person behind an attack on your web server actually arrested?
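Two commenters above point at the same control gap: an address change followed within a short time by a replacement card request should raise a fraud alert rather than sail through. The following is an added example (not code from the blog, the book or any card issuer) of what such a sequence rule looks like when run over an account event stream. The event format, account identifiers and timestamps are all constructed for the illustration; a real issuer's feed would differ.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Hypothetical account-event record; field names are assumptions for this example.
@dataclass(frozen=True)
class AccountEvent:
    account: str        # constructed account identifier
    timestamp: datetime
    kind: str           # "address_change", "card_replacement", "purchase", ...
    channel: str        # "phone", "web", "branch"


def find_suspicious_reissues(events, window=timedelta(hours=24)):
    """Return (address_change, card_replacement) pairs on the same account
    where the replacement was requested within `window` of the address change.
    Such a pair is the classic "redirect the card, then order a new one" pattern
    and is routed to manual review; the rule itself does not block anything."""
    by_account = {}
    for ev in sorted(events, key=lambda e: e.timestamp):
        by_account.setdefault(ev.account, []).append(ev)

    alerts = []
    for evs in by_account.values():
        last_change = None
        for ev in evs:
            if ev.kind == "address_change":
                last_change = ev            # remember the most recent change
            elif ev.kind == "card_replacement" and last_change is not None:
                if ev.timestamp - last_change.timestamp <= window:
                    alerts.append((last_change, ev))
    return alerts


# Constructed sample events: one account shows the risky sequence,
# one changed address long before ordering a card, one never changed address.
SAMPLE_EVENTS = [
    AccountEvent("ACCT-A", datetime(2007, 4, 2, 10, 0), "address_change", "phone"),
    AccountEvent("ACCT-A", datetime(2007, 4, 2, 10, 12), "card_replacement", "phone"),
    AccountEvent("ACCT-B", datetime(2007, 3, 1, 9, 0), "address_change", "branch"),
    AccountEvent("ACCT-B", datetime(2007, 3, 20, 15, 30), "card_replacement", "web"),
    AccountEvent("ACCT-C", datetime(2007, 4, 3, 8, 45), "card_replacement", "phone"),
    AccountEvent("ACCT-C", datetime(2007, 4, 3, 9, 0), "purchase", "web"),
]


def sample_alerts():
    """Run the rule over the constructed sample; only ACCT-A should be flagged."""
    return find_suspicious_reissues(SAMPLE_EVENTS)


if __name__ == "__main__":
    for change, reissue in sample_alerts():
        gap = reissue.timestamp - change.timestamp
        print(f"{reissue.account}: replacement card requested {gap} after "
              f"an address change via {change.channel}; hold for review")
```

The window is the tunable part: a day catches the scenario the commenters describe, while a longer window trades more reviewer load for coverage of slower attempts. The point is that the alert fires on the sequence of account-management events, independent of any purchase, which is exactly what the story suggests was not being checked at the time.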
Kirby wrote on April 5, 2007 09:28 AM
>"At least the credit card companies cover your losses when you are hit by
>As a merchant in the U.S. I know who covers the losses when you are hit
>by fraud and it isn't the credit card companies. Every month I get to deal
>with a stack of charge backs; most from people who claimed to have
>never purchased our products.
Kirby, I wonder if you are a member of non-profit Merchant911? There is an ongoing discussion about this very subject there, with possible class-action, regarding at least cards that were coming from known data breaches.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.