Financial identity is *dangerous*? (was re: Fake companies, real money)
R. A. Hettinga
rah at shipwright.com
Fri Oct 8 16:14:08 PDT 2004
Okay. So I'm coming to the conclusion that book-entry settlement, with its
absolute requirement for both "identity" and float between transactions, is
becoming more and more *un*-safe to use as internet ubiquity increases.
Anyone want to pick up the other side of this and tell me why not?
No bugbears or horsemen need apply...
Fake companies, real money
Elaborate con wrings cash out of stolen credit cards
By Bob Sullivan
Updated: 7:15 p.m. ET Oct. 7, 2004
T-Data, a small New-York based software company, doesn't take credit cards
-- never has in its 20-year history. But a few weeks ago, owner Jeff Duhl
found himself looking over $15,000 worth of credit card charges seemingly
accepted by his store.
A quick investigation revealed most of the charges had been made using
stolen credit cards. Slowly, he caught on: Someone had stolen a batch of
credit card accounts, then stolen his company's name, set up an imposter
version of T-Data, and rung up thousands of dollars worth of fake
purchases. The "profits" were then desposited into checking accounts
controlled by the imposters.
"It is ingenious," said Dan Clements, who operates merchant advocacy site
Duhl wasn't the only victim of this new brand of corporate identity theft:
At least 50 other firms apparently also had their identities stolen in the
scheme. For credit card thieves doing their best to wring money out of a
stash of stolen accounts, it seems like the perfect scam.
How to profit from stolen credit cards
While millions of credit card account numbers are stolen every year -- 60
million last year, and perhaps 120 million this year, according to one
estimate -- turning them into cash can be tricky. Merchandise ordered with
the card must be delivered somewhere, which is risky. Massive cash
withdrawals are quickly spotted by credit card associations.
The scheme Duhl's firm was caught up in is a heady, complex alternative:
First, credit card thieves find a legitimate company unlikely to already be
accepting credit card transactions. They then impersonate that company and
set up accounts with merchant processing providers, whose role it is to
transfer funds between credit card companies and merchants.
Using stolen credit cards, the thieves then start sending small payments,
usually $498 or $598 at a time, to the fraudulent merchant accounts. The
credit card companies send funds to the processors and they in turn send
the funds off to bank accounts controlled by the criminals.
"They are flying under the radar on each transaction unless someone does a
whole lot of work," Duhl said.
A key part of the scheme: The thieves went to the trouble of registering
the domain www.T-datasoftware.com, then set up a fake Web site. The site
looked like a believable business to the merchant processing providers, who
gave the thieves their accounts.
Duhl's imposters were able to set up accounts at seven different payment
processing firms. When Duhl investigated, he discovered some 50 other Web
sites -- most mere imitations of one another -- all sitting on the same
"They got away with $15,000 (in charges) at my company," Duhl said.
"Multiply that by the number of sites, the number of companies, these folks
could be getting away with millions of dollars," he said.
It's not clear how much money the criminals really did get away with in the
end. Many of the processing firms interviewed for this article claimed they
caught on to the fraud after the transactions had cleared, but before the
suspects had withdrawn the money from various checking accounts around the
country. One did concede, however, that the scheme has real potential.
'Hundreds of thousands' over a weekend
"If you don't catch it you could lose hundreds of thousands of dollars over
a weekend," said David Steinberg, chief credit officer at Merchant E
Solutions, one of the processing firms used by the thieves.
Steinberg said his company had never suffered such a loss, but that the
industry is bustling with fraud attempts. Some 5 to 10 percent of all
applications his firm receives are turned away as potentially fraudulent,
Phyllis McNeill, a spokeswoman for Global Payments, another processing firm
hit in the scam, confirmed a fake account had been set up in T-Data's name
with her company. She said the account was actually set up through a
reseller, and was shut down after eight transactions had been performed.
Randy Lobban, director of risk management at North American Bancard, said
the con artists were able to open up an account at his firm and pass eight
charges through the system, but the funds were never released.
"They never got any money," Lobban said. He alerted the U.S. Postal
Inspection Service to the incident.
Representatives at First Data and Wells Fargo also confirmed that fake
accounts had been opened at their firms.
An official at Beacon Bank in Minnesota, where one of the checking
accounts used to receive the stolen funds had been set up, confirmed that
he had discussed the situation with Duhl, but would not provide further
Corporate ID theft
Whoever impersonated T-Data were clever enough to throw a few monkey
wrenches in the path of anyone trying to detect them.
When applying for the compulsory credit check needed to obtain the fake
merchant account, for example, the thieves didn't use T-Data's tax ID
number. Instead, they used the name and credit profile of a man unconnected
with the company. Steven Wiencek, who lives on Long Island near the
company, didn't even know his credit had been checked until contacted by
MSNBC.com for this story.
But the application, which listed Wiencek as company president, gives his
Social Security number and driver's license number, suggesting the people
behind this scheme have access to a wide swath of stolen credit cards and
Another attempt at misdirection was foiled by an alert mail carrier.
The application for the merchant account used a slight variation of Duhl's
address -- apparently an attempt to ensure that mail to Duhl would be lost.
But a knowledgeable local postal worker recognized the company name anyway,
leading Duhl to discover the dupe.
"Without that, I may not have found out about this for a long time," he said.
The thieves were also persistent. Using one stolen credit card, they
attempted to steal $2,500 through five separate faked merchant accounts,
according to an affidavit of credit card fraud supplied by Duhl.
Another corporate ID victim, John Bartholomew of Abcom Services, said he
was lucky, because Duhl contacted him just as the scam began.
"We are a management company in long-term health care. We would have no
reason to use credit cards," he said. The firm had been in business for 21
years, and never accepted a single charge -- until the criminals stole his
company's name, Bartholomew said.
True to form, the criminals hijacked his brand name and set up merchants
accounts using his company's name and a similar -- but slightly altered --
The good news is, Bartholomew was able to warn the merchant account
providers soon enough that only about $4,000 in charges were run through
his company's name. The bad news is, some of the providers are still trying
to make him pay the bill for the charges. He figures he's spent about
$5,000 in legal fees trying to clean up the mess.
Who are they working with?
Rob Douglas, a consultant who operates PrivacyToday.com, blames the
merchant account providers for never checking to see if the name on the
account application actually represented a real person who worked at the
"You have to ask what the companies that set up the merchant accounts are
doing?" he said. "Who has the responsibility to do due diligence that they
are in fact working with who they think they are working with when they
open an account?"
But several of the merchant service providers pointed out the difficulty of
stopping all fraudulent applications in a world where identities are so
"For all of us, it's a tough business," Steinberg, of Merchant E Services,
said. "It's a large, large problem."
Duhl himself blames the banks where the money was to eventually wind up --
wondering how the thieves were able to set up accounts in the post-Patriot
Act era. Apparently worried as much about security implications as his
personal loss, Duhl contacted the FBI, the Secret Service and the U.S.
Postal Inspector's Office. None of the agents he spoke to returned phone
calls placed by MSNBC.com.
He says he is frustrated that none of the agencies seem to have taken any
interest in the incident -- particularly because at least one phone call
was placed to Pakistan using the cell phone purchased in his company's
name, and one of the bank accounts used to funnel money was established by
suspects who presented Russian passports as identification, he says his own
"No one in the government seems like they are going to get interested in
establishing a case," Duhl said.
Douglas, who consults with firms trying to deal with the new trend of
corporate identity theft, says there's little small companies like Duhl's
can do to prevent this kind of incident. But one piece of practical advice
he offers larger firms: search the Web once a week for evidence of
"As strange as it sounds, companies need to have one or more people
assigned to surf the Web and see if there are mirror sites out there, just
like we tell parents to surf for their child's name," he said.
Bob Sullivan is the author of Your Evil Twin: Behind the Identity Theft
R. A. Hettinga <mailto: rah at ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
More information about the cypherpunks-legacy