In Which Vengeance is Contemplated

[Shkspr]

So my wife's credit card # got stolen and unauthorized purchases started showing up on the bill. We noticed a $30 charge from an Internet outlet we'd never done business with, and after I checked her previous statement, we saw a $165 charge to the same company, with another $30 charge that hadn't hit our statement yet. We called the bank, disputed the charge, and the fraud department called us back to let us know that there had been almost $10,000 charged to the card in a three day period that the CC company had denied.

So here's the thing. I just got in a set of documents that the Internet company claim were the purchase order for the items that made it onto our statement. The bill to and ship to address are to the same guy, who lives in Miami, Florida. I was able to find the guy on Facebook and LinkedIn, and I'm fairly certain it's him...especially since he shows off an item that I believe to be the fraudulent purchase ON HIS FACEBOOK PAGE. Apparently he's really getting rock hard abs from his new diet regimen.

So is the CC company, who sent me the information, going to go after this guy once we sign the affidavit that we didn't authorize the purchase? Do WE need to decide to call a lawyer/attorney general? Apparently this guy had to put in the CC# each time he charged something to the card, and needed the CVV each time, so I doubt that he's going to be able to claim a typo or anything. Or is the guy pretty much going to skate? Does anybody know a Colombian drug lord? Or a former espionage agent who has been burned by his country? I'm not picky about who takes this guy out.

[JediKooter]

This dude needs to get burnt bad.

How did your wife's CC# get stolen? You have a virus on your computer?

[k0ruptr]

I can't understand people that steal credit cards, I just don't get why you would and then use it? I mean are they really that dumb to use there home shipping address and shit, that just seems to dumb to be true lol. obviously they are gonna get caught, do they not think so?

[molson]

I wish I lived in Miami.....

Who knows what the CC company is going to do, but I'd contact the police department in Miami first. They probably have an identity theft division or something. If you get the total run-around, let me know via pm, and I can probably make a couple of calls to at least find the right people to talk to (I have the right job title for people to at least listen to me about stuff like this, it's come in handy a time or two) You never know if anyone will actually prosecute, but it's important to report this stuff so law enforcement authorities have accurate data on how widespread this stuff is.

If you lose any money out of pocket from this, I'd contact the Florida State Bar and ask for an attorney that specializes in identity theft civil suits. It might not cost too much. It may or may not be worth the money, but a lawyer could give you an idea of what's possible.

[Marc Vaughan]

I've had repeated problems with credit cards since I relocated to florida; according to the people I've dealt with in the bank its fairly common for crooks to put machines on gas pump pay points to capture your card details and then reuse them.

Unfortunately the banks I've been involved with (Wamu & Wachovia) will freely admit that they don't prosecute the criminals for these acts, I know as I've tried to persuade them that I'd like them to and would be willing to help in any way possible .... tbh if the criminals know they won't ever get prosecuted for the offense then theres very little to discourage them imho.

PS - The problems I've had haven't been with individuals its been malicious companies which make fake charges to the cards - such as "PURCHASE MVQ*TWENTY4PROPLUS"; if you google on them they appear to be a company which exists to falsely charge credit cards ... but the banks refuse to prosecute them or indeed simply block them from charging my accounts repeatedly .... grrr, I have (so far) got all the money charged refunded but the hassle factor is considerable.

[Shkspr]

Quote:

Originally Posted by JediKooter

How did your wife's CC# get stolen? You have a virus on your computer?

Right now I'm leaning towards one of three vectors:

a) Keylogger. We run AVG scans every week and I had seen a few hits, but nothing major. My wife generally visits a very few specialized websites, so any infection likely came in under a banner ad. I found enough in MalwareBytes to have the guys who built her computer wipe the HD and wash the files. We took advantage of the wipe to upgrade RAM and OS to Windows 7, so we laid out a few bucks.

b) Infected business site. The only transactions my wife does online are to purchase e-books. Most of the vendors she uses are small sites likely run out of someone's home, with business conducted via e-mail. Someone could easily have slipped something into their site to harvest addresses, I suppose. This dovetails into

c) Fraudulent business site. Since these e-book publishers have small sites, I wouldn't necessarily trust that one of the operators themselves help themselves to their "customers" information and either charge fraudulent purchases themselves or sell the CC#s to someone disreputable. I admit to a tinge of paranoia myself whenever I buy a game online via CC direct from a one-man publishing house. Except for you, Jim.

We've also added a new CC to be used solely for online purchases, that should help keep the amount of account switching we have to do when an alert like this occurs to a minimum (I should have learned my lesson about that when my CC was possibly compromised in the TJX scandal. No fraud occured, but I had a nasty two weeks of changing CC payment info on utilities, WoW, Steam, etc.). Finally, we bought my wife a Kindle for XMas, and she should be able to get most of her online-only books ordered through the device from here on out without having to resubmit a CC#.

Of those vectors, I'm betting it's the keylogger. The only places other than the Internet she uses that card are Wal-Mart, the gas station, and my store. I know I'm running a closed shop, I doubt Wal-Mart's been hacked without it being front page news, and if a sniffer hit her at the gas pump, I would be shocked if the number went to Miami. I'd expect it to wind up in Dalls, Houston, or points West before Florida.

The big downside is that she's got to get this signed affadavit back to the CC# company by Sunday (Friday, really) or they'll put the charges back on. She just got the packet in the mail today. Don't these people know there isn't going to be mail delivery anymore?

[Marc Vaughan]

Quote:

Of those vectors, I'm betting it's the keylogger. The only places other than the Internet she uses that card are Wal-Mart, the gas station

The 'gas station' was where my bank reckoned they got my wifes cc number from ..... (she never purchases anything online so I know it wasn't related to online activity), peoples first thoughts apparently are 'internet theft' - but apparently the old fashioned approach is still one of the most popular.

[Lathum]

Quote:

Originally Posted by Marc Vaughan

Unfortunately the banks I've been involved with (Wamu & Wachovia) will freely admit that they don't prosecute the criminals for these acts, I know as I've tried to persuade them that I'd like them to and would be willing to help in any way possible .... tbh if the criminals know they won't ever get prosecuted for the offense then theres very little to discourage them imho.
.

Sadly this doesn't surprise me, the amount of money it would cost to prosecute these guys would be way more than what it costs to reimburse the customer.

[Marc Vaughan]

Quote:

Originally Posted by Lathum

Sadly this doesn't surprise me, the amount of money it would cost to prosecute these guys would be way more than what it costs to reimburse the customer.

I actually disagree with this - in theory you're right but if you think about it from the approach that doing nothing encourages this activity repeatedly then you're probably incorrect.

For instance there are literally 1000's of people who have been hit by the company I posted, now each is only affected by say $20 at a time but it mounts up - especially if the scam has been running over several years.

Surely wrapping something like that up from a legal perspective wouldn't take particularly long or cost $x00,000 considering the amount of evidence available to the banks?

Its a bit like being bullied at school, if you let them get away with it then they continue to do it AND other bullies will start picking on you - if you stand up for yourself it might take a bit of effort and a bruising initially, but in the long term it works out best.

[Shkspr]

Quote:

Originally Posted by Marc Vaughan

The 'gas station' was where my bank reckoned they got my wifes cc number from ..... (she never purchases anything online so I know it wasn't related to online activity), peoples first thoughts apparently are 'internet theft' - but apparently the old fashioned approach is still one of the most popular.

If this guy was Mexican, and in Houston, I could easily see that. As I'm given to understand the trafficking patterns in the country, the gangs that generally set the sniffers up funnel those numbers through the drug trade channels. For those of us in Texas, that means Juarez, Houston, Dallas, and north from there. It could just be a random guy who harvests a few spots and passes the info on to some random website, but I'd imagine most of those rackets are pretty well controlled.

But I'll make sure my wife knows how to look for sniffers, and cuts down on the number of different pumps she uses, just in case.

[Marc Vaughan]

Quote:

But I'll make sure my wife knows how to look for sniffers, and cuts down on the number of different pumps she uses, just in case.

As a relatively innocent limey - feel free to let me know how to check for such things also please

[JediKooter]

Quote:

Originally Posted by Shkspr

Right now I'm leaning towards one of three vectors:

a) Keylogger. We run AVG scans every week and I had seen a few hits, but nothing major. My wife generally visits a very few specialized websites, so any infection likely came in under a banner ad. I found enough in MalwareBytes to have the guys who built her computer wipe the HD and wash the files. We took advantage of the wipe to upgrade RAM and OS to Windows 7, so we laid out a few bucks.

b) Infected business site. The only transactions my wife does online are to purchase e-books. Most of the vendors she uses are small sites likely run out of someone's home, with business conducted via e-mail. Someone could easily have slipped something into their site to harvest addresses, I suppose. This dovetails into

c) Fraudulent business site. Since these e-book publishers have small sites, I wouldn't necessarily trust that one of the operators themselves help themselves to their "customers" information and either charge fraudulent purchases themselves or sell the CC#s to someone disreputable. I admit to a tinge of paranoia myself whenever I buy a game online via CC direct from a one-man publishing house. Except for you, Jim.

We've also added a new CC to be used solely for online purchases, that should help keep the amount of account switching we have to do when an alert like this occurs to a minimum (I should have learned my lesson about that when my CC was possibly compromised in the TJX scandal. No fraud occured, but I had a nasty two weeks of changing CC payment info on utilities, WoW, Steam, etc.). Finally, we bought my wife a Kindle for XMas, and she should be able to get most of her online-only books ordered through the device from here on out without having to resubmit a CC#.

Of those vectors, I'm betting it's the keylogger. The only places other than the Internet she uses that card are Wal-Mart, the gas station, and my store. I know I'm running a closed shop, I doubt Wal-Mart's been hacked without it being front page news, and if a sniffer hit her at the gas pump, I would be shocked if the number went to Miami. I'd expect it to wind up in Dalls, Houston, or points West before Florida.

The big downside is that she's got to get this signed affadavit back to the CC# company by Sunday (Friday, really) or they'll put the charges back on. She just got the packet in the mail today. Don't these people know there isn't going to be mail delivery anymore?

Sounds like it could be any of those 3. There's no way someone can get the 3 digit code on the back of the card without typing that in somewhere. Or, do you ever order delivery food with that card and they asked you for the 3 digit code on the back?

The CC company doesn't have this technology that's been around since the 70s called a fax machine?

[Radii]

Quote:

Originally Posted by Shkspr

So is the CC company, who sent me the information, going to go after this guy once we sign the affidavit that we didn't authorize the purchase? Do WE need to decide to call a lawyer/attorney general?

In my experience from finding about 12 accounts opened in my name:

1) Deter. Detect. Defend. Avoid ID Theft

-- Most places you go, putting fraud alerts on your credit reports, police reports, and in some cases to get collections to stop coming after you/getting charges refunded want to see that you've filed a report with the FTC. The process appears to have changed since the last time I did so but hopefully everything you need to do so is there. This is a big step for a lot of these agencies though, shows you're serious about it i guess.

-- Most likely the CC won't go after them in any serious way, and I don't think you'll have any means to find out about it if they do/don't.

-- You shouldn't need to call a lawyer. Maybe I should have since my case got a little complex but the way it was described to me the first time I opened a police report, identity theft leads to criminal prosecution, not a civil matter. You as an individual are not prosecuting the dirty fucking felon, the county/state is prosecuting them(molson or someone else can probably explain that better than me, i'm just repeating what i was told)

-- In my experience, you will be asked to go to your local police department to file a police report should you wish/need to file one. Examples: In 2007, I lived in Cobb County, GA. ID Theft was committed by someone living in Gwinnett County GA, all accounts that were opened had Gwinnett County GA addresses. I was asked to file my police report where I lived, in Cobb County. In 2010, I now live in Wake County, NC. A collection agency came after me for ID theft committed back in 2007(it took them fucking forever to go after their money). When the crime was committed, I lived in Georgia and the crime was committed in Georgia. I was again asked to file my police report in Wake County, NC, where I was living when I found out about it.

-- Again in my experience, different police departments/officers treat ID theft drastically differently. In Georgia the officer I filed my report with actively tried(successfully) to talk me OUT of prosecuting. In NC, the officer who took my report had no interest in talking to me and was a bit pissed off that I was wasting his time. But later I got a callback from a detective in NC who was very helpful and very interested in my situation and was wililng to talk to me in detail about what would happen if I chose to prosecute.


I would recommend when you go file your police report, take all of the information you have, your FTC.gov report, your affidavit with the CC company, and some sort of proof that you didn't live at the address in question where the charges were coming from/items were being shipped... a utility bill/lease/whatever. If they give a shit about this kind of crime, which as I said many don't, they'll photocopy all of that and attach it to the police report.

And one last thing to think about. You're not the one prosecuting the fuckface criminal, the gov't is, BUT if it ever came down to a court case, your local govt most likely gets someone in miami involved, they end up taking the fuckface criminal to court in miami, and you may end up in Miami testifying. Maybe unlikely for a charge on a credit card, but not impossible.


Hope that helps!

[Radii]

Quote:

The big downside is that she's got to get this signed affadavit back to the CC# company by Sunday (Friday, really) or they'll put the charges back on. She just got the packet in the mail today. Don't these people know there isn't going to be mail delivery anymore?

Call back and ask for a manger on this. The last instance I found out about was a cable bill that took years to get to collections. When I called them and got enough details to know it was ID Theft I explained that I had old police reports and tons of stuff showing that I'd been a victim of ID theft and would do whatever they needed to sort it out. It was Thursday, and the guy I was talking to said that I had until monday to file a new police report, get a copy of said police report(lolol?? the police didn't even have the report available for me to pick up that fast), and jump through a number of other hoops or they were going to ding my credit report. It was basically a big "fuck you I think you're lying" from the asshole at the collection agency. I tried to reason/tried to argue with him for a bit before demanding to speak to manager, and got sent to someone's voice mail. I ended up calling back and getting a different representative who was much more understanding and gave me a 30 day extension on the process.


Just like it seems like a massive crapshoot as to whether you are going to get a police officer who gives a shit about ID Theft or not when you go to file a police report, it seems like just as big a crapshoot as to whether you get someone at the CC company/collection department who is willing to give people the benefit of the doubt for a few extra days or whether they assume you're lying.

[RainMaker]

As someone who runs a few retail stores online, the credit card companies don't care. It was sort of sad at first and angered me, but I guess it's just part of the game.

For instance, we have a good security system in place. We use AVS, match up IP addresses, and a slew of other stuff on orders that raise red flags. Now there are some orders that are so obvious it's laughable. A guy using someone's credit card with a billing address in California and a shipping address in some foreign country (with a totally different name). They moronically order a ton of stuff that throws up a red flag regardless. So we know it's fraud.

We call the credit card company and tell them they have a card holder who has had their number stolen. They say there is nothing they can do about it. We say "well maybe just giving them a call and asking if they made a $2000 purchase at this store". They say they can't. So who knows how many times the card will keep getting banged before the person finds out.

And the reason is because the store will ultimately eat the charge. Whenever there is fraud that slips through, we eat it. So there is little incentive for them to fight it. American Express is the worst as I don't even think they look at your response to chargebacks. There are many times where a wife will order shit and then obviously tell the husband she didn't when he gets mad. They charge it back and win despite us having the correct address, an e-mail and phone number matching, and a delivery signature. You can report it to the local police, but they don't give a shit either.

Credit cards are mostly governed by the stores who process and the people who own them. Law enforcement and the CC companies don't give two shits about fraud.

[RainMaker]

And I'm curious on this. If someone steals your identity and you kill them, is it murder? Can't you simply point out that you killed yourself. :-)

[Marc Vaughan]

Quote:

For instance, we have a good security system in place. We use AVS, match up IP addresses, and a slew of other stuff on orders that raise red flags. Now there are some orders that are so obvious it's laughable. A guy using someone's credit card with a billing address in California and a shipping address in some foreign country (with a totally different name). They moronically order a ton of stuff that throws up a red flag regardless. So we know it's fraud.

That surprises me as I know American CC companies DO monitor the cards for mis-use, after all they block my cards everytime I travel back to the UK and make a £5 purchase for a cup of coffee in starbucks

[Samdari]

I am confused as to why everyone is disappointed that the banks don't prosecute these guys. Banks do not have the power or authority to prosecute criminals.

[Mizzou B-ball fan]

Quote:

Originally Posted by Marc Vaughan

That surprises me as I know American CC companies DO monitor the cards for mis-use, after all they block my cards everytime I travel back to the UK and make a £5 purchase for a cup of coffee in starbucks

I've heard the same thing happens when a British credit card is used in an American dentist's office. CC companies just assume it has to be fraud.

[gstelmack]

Quote:

Originally Posted by Samdari

I am confused as to why everyone is disappointed that the banks don't prosecute these guys. Banks do not have the power or authority to prosecute criminals.

The banks do have the power and authority to stop the practices that make this so trivially easy to do, but often don't because it IS cheaper for them to just pay the fraud charges than to put these in place. Keep in mind these are the same folks who have opened your checking account WIDE open to anyone who can get a number simply because it's cheaper for them.

Not all banks, as some do a decent job of spotting the patterns, but of course many criminals have figured the patterns out and avoid them, so they mostly catch legitimate folks.

There are things like Verified by Visa, but the merchant AND the bank both have to have these in place. Stuff like that needs to be REQUIRED. Unfortunately, consumers demand the convenience of credit cards and won't stand for the extra protections either.

So we're all screwed.

[RainMaker]

Quote:

Originally Posted by Marc Vaughan

That surprises me as I know American CC companies DO monitor the cards for mis-use, after all they block my cards everytime I travel back to the UK and make a £5 purchase for a cup of coffee in starbucks

Not sure how it works for physical locations, only process online. There are declined transactions that may be their fraud system kicking in (or it could be not enough credit availability). I'm just basing it on the ones that go through.

[RainMaker]

Quote:

Originally Posted by Samdari

I am confused as to why everyone is disappointed that the banks don't prosecute these guys. Banks do not have the power or authority to prosecute criminals.

Not disappointed they won't prosecute, disappointed they don't take better steps to fighting fraud. See they used to awhile back but now don't need to. If your card is stolen and $5000 in charges is put on it, they'll wipe it off your bill, send you a new card, and force the retail stores to pay the bill.

There is little incentive for them to fight it. They don't file police reports often, nor help in the investigations whatsoever. It's just disappointing when I have a fraudulent transaction go through, I call up Visa and tell them they should contact the cardholder because it appears their number has been stolen and they say "oh well, nothing we can do about it". So if your card ever gets hit and it causes some hassle, just know that a helpful vendor may have called up to stop it sooner and they told them to fuck off.

[Mac Howard]

Quote:

Originally Posted by RainMaker

I call up Visa and tell them they should contact the cardholder because it appears their number has been stolen and they say "oh well, nothing we can do about it". So if your card ever gets hit and it causes some hassle, just know that a helpful vendor may have called up to stop it sooner and they told them to fuck off.

Yes, I've had that happen. It became obvious someone ordering a game was not the cc holder, By that time I already had the cc number and the delivery address (mail order). I phoned the cc company. Was punted around 5/6 departments. No one wanted to know. One guy even said "the card holder will let us know if his card is misused". Nothing whatsoever was done.

Key loggers. Does anyone know if these merely monitor key presses or if they log the information as it's sent down the line?

The reason I ask is that I always fill in the cc number online in a random order and use the mouse to click into the number for my next entry.

For example: the number 123

I put in say the 3 then click with the mouse before the three and put in the 1 and then click between the two to put in the 2.

That means the key sequence is 312 not 123. So if the key sequence is monitored then it will be wrong. If the number is detected as it's sent then it will be detected correctly.

With a 16 character number you can create considerable confusion and it is recognised for the correct number by the web site.

Am I kidding myself in thinking I'm defeating a possible key logger with ths technique? Anyone know enough about key loggers to know?