Security Incidents mailing list archives

RE: Stolen Card Purchases


From: "Jason Coombs" <jasonc () science org>
Date: Wed, 10 Jul 2002 11:11:06 -1000

- The person or persons using these stolen cards had all the correct
information (such as address and even phone number, which is how we were
able to contact each cardholder).

Just because the credit card thief can pass Address Verification Service
with the right house number and zip code that doesn't mean you should
trust them enough to ship your goods to a different address than the
one that matched AVS. You should also ask your customers for the card
identification number that appears next to the embossed card number.
Even when this matches with the records of the card issuer, you must
use common sense and only ship to the validated billing address as
confirmed by AVS unless you have good reason to trust the customer.
Repeat customers, for example, could earn the right to purchase gifts
from your business for shipment to a third-party. Few others should be
allowed to do so.

The reason law enforcement just doesn't care and won't get involved is
that credit card theft is a risk of doing business that every merchant
accepts. Either you know how to manage that risk, and you survive, or
you don't, and you go out of business.

Law enforcement will see your appeal for help as a bit silly, since
you're the one who asked for the credit card information in the first
place... Unless you've uncovered some new threat vector for credit
card fraud that law enforcement should do something to stop, you're
complaining about being asked to take risk. If you don't want the
risk, stop taking that form of payment.

Sincerely,

Jason Coombs
jasonc () science org

-----Original Message-----
From: Jonathan A. Zdziarski [mailto:jonathan () networkdweebs com]
Sent: Wednesday, July 10, 2002 3:24 AM
To: incidents () securityfocus com
Subject: Re: Stolen Card Purchases


Hi,

Thanks for all the emails I received.  Just to make a few points of
clarification in regards to our specific situation...

- The credit cards being used were not stolen on the Internet, as not
all of the cardholders involved in these related incidents had made
purchases on the Internet.

- The person or persons using these stolen cards had all the correct
information (such as address and even phone number, which is how we were
able to contact each cardholder).

- We traced at least one of these incidents back through some proxies to
a residential DSL line in the US, and I'm sure the Internet provider
could furnish whomever [under subpoena] with name and address.

I'm going to contact a few of the people who emailed me, but it sounds
like from the other half of the emails I received, very few law
enforcement agencies are interested in making arrests these days.  If
this is the case, I'm wondering what reporting this to the media would
do.  A story about how the government lets thieves run free sounds like
it'd be enough to get some government organizations to shape up.






----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com

