|BUSINESSWEEK ONLINE : APRIL 3, 2000 ISSUE|
|BUSINESS WEEK E.BIZ -- SPECIAL REPORT
The Net provides fertile ground for credit-card scams
In April, 1998, Daniel Vasiliu zipped onto the Net from a PC in Bucharest, Romania. He ordered a $75.90 seasonal bouquet from FTD's Web site in Downers Grove, Ill., to be sent to Ruxanda Vasiliu, in the Romanian capital. ''That's what parents are for,'' the accompanying card read. The gesture was anything but lovely for David V. Stien, CEO of Crane Federal Credit Union in Crane, Ind., 5,300 miles away. The credit-card number Vasiliu allegedly used belonged to one of Stien's customers--and the bill was just part of a flood of $21,000 in false charges his tiny credit union would sort through over the next six months.
Romanian police say there's no doubt that Vasiliu, who they claim is a mere two years out of high school, is the culprit. ''He clearly is guilty,'' charges Colonel Mircea Alecsa, who says Vasiliu fessed up to the crime when police visited his apartment. And the flower purchase wasn't an isolated prank: Romanian police confirm that Vasiliu used 92 card numbers from Crane, and suspect he hit HSBC's U.K.-based Midland Bank for 120 more card numbers--which likely helped finance the computer equipment, Cuban cigars, and exotic billiard cues they found in his apartment.
Yet Vasiliu has never been charged with a crime, according to Romanian police, who admit they have neither the time nor the legal means to deal with online crimes. Reached by phone in Bucharest, Vasiliu would not comment. His lawyer, Varujan Udrea, also declined to comment except to say that Vasiliu has since returned all the goods to the Romanian police and that the case is closed. So far, U.S. merchants say they haven't received their products. ''We haven't gotten anything back,'' says Debbie Ulrich, a sales manager for True Data Technology in Carlsbad, Calif., which shipped Vasiliu a Sony digital camera and Intel microprocessor worth a total of $1,700.
Amazon, Too. Vasiliu's story is a reminder that as electronic commerce booms, so does online credit-card fraud. Consider online retail giant Amazon.com. In December, the company referred a case to the FBI in which a Russian citizen was suspected of using 63 pilfered card numbers to buy electronics gear worth $70,000. Online fraud numbers are tough to come by, but research company TowerGroup, in Needham, Mass., estimates that .11% of all consumer Internet card transactions are bogus--which would put total Net fraud at about $43 million this year. By comparison, Visa's overall fraud rate (including online and the physical world) was .05% over the past two years--worth a total $911 million. ''People who wouldn't have committed white-collar crime face-to-face or over the telephone are doing it over the Internet,'' says Lynne A. Hunt, section chief of the FBI's financial crimes division. ''It's a wonderful means to commit crime.''
Faceless Victims. The lure is especially great for foreign scammers, particularly those in Eastern Europe and Asia, where legal systems are less equipped to handle the dark side of e-commerce. There's also less motivation to prosecute there, because fraud victims are often faceless foreign corporations. ''There are certain ex-iron-curtain countries where you might as well not ship,'' says Ben Narasin, CEO of fashionmall.com, a retail clothing site. In the strange, urgent logic of Internet retail, knowing the danger isn't always a deterrent, he says: ''Companies take hits because they're rushing to book revenues. They decide to ship it and sort it out later.''
That may be tough to do. One of the rarely mentioned pitfalls for e-tailers is that they are particularly vulnerable to credit-card fraud. Here's why: Conventional merchants are not liable for credit-card fraud if a criminal shows up in a store and charges something--in that case, the bank that issued the card eats the loss. But on the Net, it's different. Merchants assume full responsibility for what are called ''card not present'' transactions, which makes foreign transactions particularly risky.
Stien's travails illustrate the danger. Romanian police suspect that in early 1998 Vasiliu got credit-card numbers by using the Internet to download software called a card-number generator. These are widely distributed computer programs with names such as Credit Wizard that use algorithms to reconstruct valid card numbers. Such algorithm generators are ''the biggest thing that has benefited the fraudster,'' says Malcolm MacDonald, a fraud prevention officer at HSBC in London. And Stien alleges Vasiliu took full advantage: Besides flowers, he used the fraudulent cards to buy $800 in Pentium II computer chips, an $8,000 Swiss watch, and to get on to porno sites in California.
Nasty Rumors. Vasiliu's methods expose another hole in the way U.S. merchants handle foreign credit-card orders on the Net. Inside the U.S., merchants use an Address Verification Service to confirm any U.S. cardholder's name and billing address--an important safeguard against mail fraud. There's no similar system for cards issued by foreign banks, which means U.S. merchants accepting foreign Net orders are authorizing them based solely on a card number and expiration date--all easily duplicated with a number generator and some persistent guessing. ''You get 16 digits flying over the wire, you have no idea where they came from,'' says Steve Herz, Visa's former senior vice-president for electronic commerce.
It was just such a scenario that blindsided Stien. His credit union serves 14,500 members at the tight-knit Crane Naval Surface Warfare Center. When word of the fraud spread, the rumors got nasty. ''What's really destroyed is the confidence of your members,'' he says. In an effort to win it back, the 53-year-old former bill collector set off to solve the case himself.
His first call was to CyberNet Ventures Inc., an Encino (Calif.) porn site that had accepted one of the Crane charges. Stien got an IP address (an Internet Protocol number unique to each computer) from CyberNet and easily traced it back to an Internet service provider in Romania. But then he slammed into a roadblock: Officials at the Net service provider wouldn't hand over any information about their users. Stien flooded Romanian bureaucrats with faxes--but he got no help. According to Stien, the FBI was only slightly more cooperative. Although it agreed to help Stien deal with foreign authorities, its agents would not run the investigation. That was his job.
Stien caught a break in the spring of 1998. After much cajoling, FTD agreed to share records showing that Vasiliu had used both his personal e-mail address and an anonymous Hotmail e-mail account to order the flowers for Ruxanda Vasiliu. According to Stien's complaint with the Romanian police, Vasiliu had used the free Hotmail to test numbers at CyberNet and other sex sites. After they proved valid, he would then log on with a personal account to order goods sent to Romanian addresses (many e-commerce sites won't process orders from customers with ''freebie'' e-mail). Stien said he eventually was able to link Vasiliu to 70 of Crane's 92 compromised numbers that used the same Hotmail address.
Even though Stien had pieced this evidence together by October of 1998, his quest was far from over. He still had to convince domestic and foreign authorities his case was worth taking abroad. That meant months of affidavits, translations, and certifications with the FBI, which eventually cooperated and forwarded his 470-page file to the U.S. Embassy in Romania. Finally, his plight caught the attention of the Romanian Ministry of Interior, which in November, 1998, agreed to investigate. But according to court officials, the ministry never prosecuted Vasiliu. ''It's a rather empty feeling,'' says a dejected Stien. ''It was all a waste of time.''
With the credit-card heist wiped clean from his members' accounts, Stien has returned to the relatively intrigue-free duties of running a credit union. Still, he can't forget what he has been through. ''Maybe people in Romania don't care,'' he says. ''But this guy may live to find out he was wrong.'' If and when he does, Stien is poised to celebrate. Just don't send fresh flowers to congratulate him.
By DENNIS BERMAN
Contributing: Bogdan Preda in Bucharest
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
BACK TO TOP
Fraud on the Net
TABLE: The Top 10 Scams on the Net
CHART: Cyber Fraud on the Rise
TABLE: Anatomy of an Internet Credit-Card Scam
TABLE: Bad Credit
E-Mail to Business Week Online