Thieves Using Stolen Credit Cards to Make Donations

JagsLive writes with a link to a Newsday.com article about 'philanthropist identity thieves'. Credit card thieves appear to be donating to charity with their stolen goods. While it may sound like a strange form of generosity, it's really a method to determine whether a stolen card is valid. "The verification method has become popular because the monitoring software at credit-card companies may not question donations to charities, according the Symantec blog. Santoyo said the schemers usually donate less than $10. American Red Cross spokeswoman Carrie Martin said, 'This happens all the time. We have people at the Red Cross who deal with this type of activity.' Last month alone, the Red Cross refunded 700 fraudulent credit-card transactions, Martin said. That figure doesn't include the transactions the charity blocked because they appeared fraudulent."

Just plain thieves

[by Anonymous Coward]

Not only are these scum ripping off the card holders, they are costing charities time and money.

There is no reason to call them philanthropist identity thieves. They are identity thieves or just plain thieves.

Re:Just plain thieves

[D-Cypell (446534)]

They are identity thieves or just plain thieves.

Lets just call them plain thieves as the term 'identity theft' is just something invented by the banks to blame us for when their money get stolen.

Actually, a comedy programme I listen to on UK radio had a great little skit on this. A guy being called by his bank who told him his was a victim of 'identity theft' and lost his money. He responded by telling the bank manager that he was sorry to hear that they had been robbed... "No no, you don't understand, this is identity theft!". When it was put like this, it was not only pretty funny, but held a mirror up to how absurd this 'identity theft' thing really is.

It ended with the customer overhearing a bank robbery happening at the bank with the robber shouting... "Put all the money in the bag" and the manager responding... "I think you mean all the *identities*" :oD

Re:

[itlurksbeneath (952654)]

So if someone steals your SSN and fraudulently obtains a credit card, it's the institution's fault?

It is when the institutions are the ones leaking data like a sieve. Employee theft, unencrypted data by the megabyte on stolen laptops, lax security on internal networks and external facing systems, etc...

Re:Just plain thieves

[FLEB (312391)]

So if someone steals your SSN and fraudulently obtains a credit card, it's the institution's fault? Who's the victim? You are.

A service provider accepted falsified credentials and assumed an agreement because of fraud by an improperly authorized third party. Why should I be involved, responsible, or at fault? It's completely between the fraudulent third party and the defrauded lender... or, rather, it should be.

The only reason the banks don't get their share of the fault is that performing satisfactory identification of potential borrowers would acutely cut into their margins, so it's called "identity theft", and the "defrauded" third parties are simply assumed to have racked up debts or made agreements based on identification that is obviously too flimsy (given the widespreadness of the problem.)

If the bank made an error on a transaction, would you say they lost their money? Hell no... you would say they lost your money. How is this any different?

The bank lost track of the money you entrusted to them. If the bank uses this to deny you access to that money, then you "lost" the money you entrusted to the bank (by virtue of poorly picking a bank). Still, this isn't even similar-- you were the party that entrusted that money to an incompetent bank. In identity theft, you may have no connection at all to either the service provider or the fraudulent requester.

Re:Just plain thieves

[nwbvt (768631)]

"So if someone steals your SSN and fraudulently obtains a credit card, it's the institution's fault?"

Well, yeah. SSNs were never intended to be secret numbers that only the owner would know, so in theory it shouldn't matter if the whole world knew your SSN. If the institution issues a credit card without doing a sufficient job to verify your identity (which unfortunately is usually the case), it damn well is their fault.

Re:

[Agripa (139780)]

College-Aged Bishop: Richard Nixon's personal checking account is in here!
College-Aged Cosmo: Oh, this is a challenge. Marty, we have to find someone truly worthy to give his money to.
College-Aged Bishop: How about... the National Organization to Legalize Marijuana?
College-Aged Cosmo: Perfect!

Re:

[Afecks (899057)]

Not only are these scum ripping off the card holders, they are costing charities time and money.

I'm sorry but I have a bigger problem with the credit card companies that charge $15 to $30 for each fraudulent charge. Consider the fact that the chargeback fees are several times more than the actual charge. If a donation turns out to be fake it's not a big deal because you are back to where you started, nothing right? Except that's not true, thanks to the fees you get slammed with. Most of the time the merchant loses, sometimes the customer loses but the credit card companies always win and they are the

Re:

[sunwukong (412560)]

Chargebacks cost the store/supplier/seller, not the customer. It's one reason why stores/sellers will sometimes be reasonable when there's a dispute over a credit charge.

As someone posted earlier, the credit card companies aren't the ones groaning financially at the cost of fraud ...

I must mention my favourite charity

[Timesprout (579035)]

The Cocaine and Hooker Party for Timesprout Foundation.

Please give what you can.

Re:

[ResidntGeek (772730)]

Sorry, I've already pledged to the Palm Beach Golf and Tennis Resort.

Sneakers

[by Anonymous Coward]

"In a surprise announcement, the Republican National Committee has revealed it is bankrupt. A spokesman for the party said they had plenty of money in their accounts last week, but today they just don't know where the money has gone. But not everybody is going begging. Amnesty International, Greenpeace and the United Negro College Fund announced record earnings this week, due mostly to large, anonymous donations."

Re:

[xtracto (837672)]

Aaaa great movie [wikipedia.org] that one! I think it is one of the few movies which portrait in a credible manner what hacking was all about in those times... of course with a hollywood cut... I used to watch that movie in open TV and 10 years after I didnt remember the name and could locate it after asking in usenet for a movie where there was a deaf guy who recognized a place after simulating the sounds =o)... pretty clever argument!

Why reverse charges

[ghoul (157158)]

Why reverse the charges? The credit card companies make enough from usurious interest rates to absorb the small payments to charity

Re:

[Colin Smith (2679)]

The credit card companies make enough from usurious interest rates to absorb the small payments to charity

WTF? They're bankers.

 

Re:

[TubeSteak (669689)]

I'm not sure if this was your point, but under Federal law, banks are exempt from the usury limit... which means they can charge whatever rate they like.

Re:

[ghoul (157158)]

We could just put them to work on sugarcane plantations to grow ethanol like they do in Brazil. Much more productive than debtors prison

700 refunds

[acidrainx (806006)]

700 refunds of (probably) less than $10 each? I realize they've just had money stolen from them, but they're asking for a $10 refund from a charity? Nice.

Re:

[by Anonymous Coward]

$10 makes a difference for some people who are always at their credit limits. plus, i think Red Cross refunded them because it's the principle of taking money that wasn't really given to them. they don't want to look like cheap ripoffs. it's like having somebody supply you with say, stolen candy. sure, it's seemingly cheap and you could easily eat it, but does that make it ok?

Re:

[stonecypher (118140)]

FTFA, American Red Cross is refunding without being asked, as a matter of principle, and frequently to people who didn't even realize they'd been defrauded.

Re:

[Actually, I do RTFA (1058596)]

Typically, you tell a credit card when the card went missing and what the first fraudulent charge was. You have to sign an affidavit to attesting to those facts under penalty of perjury. Somehow, I don't think the niceness of giving less than $10 to charity is worth a possible 20-year prision term.

IANAL, just a guy whose credit card was once stolen.

Re:

[gordgekko (574109)]

Most charities I would let it slide but not with the American Red Cross, not after some of the games they've been caught playing with donations.

Re:

[Stunning Tard (653417)]

but they're asking for a $10 refund from a charity? Nice.

You're accusing the credit card companies of being cheap but they[visa,mastercard] have donated to the Red Cross [paymentsnews.com] in the past. During the tsunami disaster there was a $1 million donation as well they waived transaction fees for donations. It was a similar story for Katrina.
I won't go so far as to say these corps have morals, these donations were high profile and probably cost less than a short ad campaign. But those donations do dwarf their refund

Why refunds?

[Odiumjunkie (926074)]

> Last month alone, the Red Cross refunded 700 fraudulent credit-card transactions, Martin said.

Surely, a fraudulent credit-card transaction is caused (in theory) by the credit-card company fucking up? I would have thought that the credit company would absorb the loss instead of being able to make the receiving party refund the money.

If I buy a $6000 HDTV using a stolen credit card, and I fake the signature on the receipt very convincingly (so the TV shop follows due diligence), when it emerges that the card was stolen is the TV shop out 6k? How can the CC company force the shop to refund the money? Isn't it the CC company's fault for having poor security measures?

Re:Why refunds?

[qengho (54305)]

when it emerges that the card was stolen is the TV shop out 6k?

Yep. The merchants absorb the cost of fraud, and the CC companies have very little incentive to create effective fraud-prevention measures.

Re:Why refunds?

[geekoid (135745)]

Make it so the CC company has to give the money to any merchant that followed the prescribed security procedure as dictated by the CC company. Then we would see some real security in the CC industry.

Re:Why refunds?

[Ron Bennett (14590)]

"Card Present" and "Card Not Present" transactions are treated very diffently. The latter is what the article is discussing - and yes, the merchant is most always the one liable for bogus charges.

On a related note, there are other *per-transaction* costs of such bogus on-line "test" transactions mentioned in the article that many people aren't aware of, such as:

* Gateway fees
* Authorization fees
* AVS / CVV2 surcharges
* Settlement fees

These are IN ADDITION to the discount fees (ie. ~3% or so) of the dollar amount of sales.

Even if later the transaction is voided / refunded, the merchant typically still pays the above per-transaction fees regardless.

And even worse, depending on the merchant processor, the discount fees may not be refunded either; upon refund it may even be charged again! Doing "auth-only" and hand verifying sales before submitting the batch can help mitigate such refund costs, but is often labor intensive.

One nasty scenerio for an on-line merchant is a carder running thousands of card "tests" on their small business / charity website ... the per-transaction auth fees alone can easily run into many hundreds, or even thousands of dollars.

Large merchants have more favorable merchant agreements / absorb such costs with no problems; often have advanced fraud screening in place to throttle such extraneous transactions. The small merchants, such as charities, are those who really suffer from such card "tests".

Ron

Re:

[Odiumjunkie (926074)]

So, you want to ask someone for a little plastic card with a name on it to make sure that another little plastic card with a name on it is theirs?

Future headline:

[Tatisimo (1061320)]

Red Cross Busted in Credit Card Stealing Scheme. Hundreds of non-profit hospitals around the world close due to lack of funding.

Seen this happen...

[Dekortage (697532)]

I've set up and managed online donation systems for various charities, and see this happen all the time. Most of the time, the donor doesn't bother asking for a request, although they may inquire about it. Requiring the CVV2 code [wikipedia.org] (the extra 3 digits on the back of Visa/MC or the extra four digits for AmEx) really does make a difference for fraud prevention: our logs show people attempting to use the same credit card number with wildly different CVV2 codes, failing time after time. They're just guessing and eventually give up.

Re:

[ghoul (157158)]

3 digits are a thousand codes. Say each website allows turns before freezing. Just trying out 200 charities will give them the cvv2. we need public key encryption

Re:

[SpottedKuh (855161)]

3 digits are a thousand codes [...] we need public key encryption

"Sir, could you please read me the 768-character hexadecimal public key printed on the back of your credit card? ... Yes, sir, the one in the really tiny font."

Re:

[D-Cypell (446534)]

The CV2 code is known only to the cardholder and the issuing bank. To validate a code the the details must be sent to the issuing back for validation. Issuers will block the card after a certain number of failed transactions on the card, so it is not quite as easy as just trying it over and over until you get it right.

Re:

[ozbird (127571)]

The CV2 code is known only to the cardholder and the issuing bank.

And anyone who has checked your signature for an old-fashioned in-store purchase.
Banks warn you not to write your PIN on the card (duh), so why print the verification number on it?

Re:

[Fire Dragon (146616)]

Banks warn you not to write your PIN on the card (duh), so why print the verification number on it?

PIN is there to stop somebody to use your card right after it goes missing. It is a lot easier to know that if your physical card has disappeared than knowing if some online shop has had your creaditcard info stolen. Verifications number shouldn't be stored anywhere else than in the back of the card, online payment methdos can't store this info on their database. Card numbers are stored for various tracking re

Re:

[zCyl (14362)]

The CV2 code is known only to the cardholder and the issuing bank.

Right. How about, the cardholder, the issuing bank, anyone who has looked at the card, and any of the countless businesses that has ever asked for the CVV2 code.

And... The more businesses that ask for the CVV2 code, the more stolen credit card databases will have the CVV2 code as part of them.

Re:

[petermgreen (876956)]

3 digits are a thousand codes. Say each website allows turns before freezing. Just trying out 200 charities will give them the cvv2. we need public key encryption
surely the banks should be able to spot such attempts to brute force the ccv2 number.

Charge-backs suck

[bluefoxlucid (723572)]

Credit card companies charge $25 for a charge-back. So if you buy something for $10, then return it and have the money charged back to your card, you get $10 back and the store pays out $35 to recover the $10 item. These fraudulent donations hit the charities up the same way, leaving them poorer in the end; if it's not too much trouble, please do consider telling them to go ahead and keep the money, if it's just a few bucks.

Refund != Chargeback

[patio11 (857072)]

Allow me to throw my IAAAIM (I Am Actually an Internet Merchant) two cents into the ring here: if somebody buys my product for $24.95 and then either asks me for a refund or I decide to refund it to them for whatever reason, including I suspect that the order was placed in error, that costs me either "nothing" (Paypal/Google Checkout both eat the CC fees) or "very little" (I end up paying the fee I paid for the transaction, in the neighborhood of a buck). The refund shows up right to their credit card stat

Obligatory

[Robber Baron (112304)]

We have reached our goal of $10,000 and its all thanks to one generous caller who didn't leave his name!
But thanks to Insta-trace we've learned it's Homer Simpson of 783 Evergreen Terrace.

Costing charity money

[Joebert (946227)]

So realisticly, this is actually costing charities time & resources they shouldn't otherwise be using ?
That's pretty low, even for thieves.

Fighting back

[Sigma 7 (266129)]

Is there any effective methods of fighting back against identity theves?

The tactic that I've recently started involved visiting the sites found in spam e-mails that I receive (for example, the My Canadian Pharmacy [spamtrackers.eu] series of spams), take an identity generated from a fake name generator (that also provides CC and CVV numbers), and place an order. This series of companies tends to queue up the order for processing in 24 hours before shipping.

While fun, it doesn't seem directly productive if I'm the only one d

Its been happening for YEARS

[nweaver (113078)]

2+ years ago I had this happen to me. It is an easy way to validate old card #s that a hacker gets.

It happend to me

[DigiShaman (671371)]

Sometime in October 2001, someone overseas donated 2 grand to some 9-11 fund (Red Cross I think) and purchased ten Palm Pilots using my CC account. Interestingly, this happened a week after purchasing an auto part overseas.

Obviously, I must be a stereo typical "Rich American" in there eyes. If only that were true... None the less, I will NEVER give out my personal information via phone or online to someone overseas. I've been burned once already, I'm not about to be burned a second time.

Damn merchant processors

[QuasiEvil (74356)]

So it's a slight tangent from the main topic, but I got yet another letter today from my bank, letting me know that my bank card number was amongst those harvested from a compromised card processor, and that my card number would be cancelled and reissued within a few days.

My favorite part? "For privacy reasons, the name of the processor cannot be revealed." I think it should be a fucking law that they have to name the guilty party in these sorts of things, so that we (everyone whose number was compromised

Re:

[Creepy Crawler (680178)]

Steal from the rich and give to MEEE!!!!

Not Robin Hood.

[by Anonymous Coward]

1. Less than $10 'donated' per card.
2. Using charities as a confirmation method to make extra money, illegally selling access people's bank accounts.
3. Charities have to refund the money when the credit card is reported stolen.

If criminals such as these were truly charitable or showing a change of heart, $10 or less seems a peculiar way to show it. The fact that these crooks are using charities for their own dirty deeds shows a selfishness that I don't recall Robin Hood having..And, the fact that charities have to refund the money in the end, means that money might be spent that the charity would have otherwise saved in the reserve fund. So it's basically stealing from the charity's perceived pool of funds.

I know we Slashdotteurs have a 'stick-it-to-the-man' attitude and like to see the underdog rise up. But these people are crooks..Nothing of what they're doing is charitable or moral in anyway. The Robin Hood association is definitely inappropriate here. It just diminishes the real work people do for society.

My 2 cents.

Re:

[geekoid (135745)]

"I cannot steal from people who are comfortable and give to the moderately impoverished; " E-Izzard

Re:

[dunkelfalke (91624)]

Dennis Moore [youtube.com]

Re:

[Stormwatch (703920)]

"It is said that he [Robin Hood] fought against the looting rulers and returned the loot to those who had been robbed, but that is not the meaning of the legend which has survived. He is remembered, not as a champion of property, but as a champion of need, not as a defender of the robbed, but as a provider of the poor. He is held to be the first man who assumed a halo of virtue by practicing charity with wealth which he did not own, by giving away goods which he had not produced, by making others pay for th

Don't Make It Hard For Your Customers

[patio11 (857072)]

Charities accept credit cards for the same reason that I (small merchant selling software on the Internet) accept credit cards: offering people the ability to satisfy their urge RIGHT NOW makes them orders of magnitude more likely to do business with you. If they are accepting them without asking for the CVV code, yes, somebody in their web development group needs to be hit upside the head with a copy of Security Best Practices for Online Merchants, but the sensible default is to accept the vast majority o