[Clips] At Online Stores, Sniffing Out Crooks Is a Matter of Survival
R.A. Hettinga
rah at shipwright.com
Thu Aug 4 09:35:33 EDT 2005
--- begin forwarded text
Delivered-To: clips at philodox.com
Date: Thu, 4 Aug 2005 09:33:22 -0400
To: Philodox Clips List <clips at philodox.com>
From: "R.A. Hettinga" <rah at shipwright.com>
Subject: [Clips] At Online Stores, Sniffing Out Crooks Is a Matter of Survival
Reply-To: rah at philodox.com
Sender: clips-bounces at philodox.com
<http://online.wsj.com/article_print/0,,SB112311786883304593,00.html>
The Wall Street Journal
August 4, 2005
PAGE ONE
At Online Stores,
Sniffing Out Crooks
Is a Matter of Survival
Mr. Kugelman Gets Scammed
By a Web-Site Customer;
A $3,077 Platinum Chain
By MITCHELL PACELLE
Staff Reporter of THE WALL STREET JOURNAL
August 4, 2005; Page A1
LYNBROOK, N.Y. -- Six years ago, Neil Kugelman found himself puzzling over
the very first customer to arrive at the Web site he had launched to sell
jewelry online.
The order: a $496 men's diamond ring. The North Carolina address didn't
match the address tied to the credit card. The shipping address was
different still. Mr. Kugelman tried to telephone the customer, but the
number didn't work. His email bounced back. He was no expert on fraud, but
neither was he born yesterday. He spiked the order.
"Our first order -- order No. 1 -- was fraudulent," he marvels.
Since then, as family-controlled Goldspeed.com Inc. grew from a basement
start-up to a 10-person operation that fills more than 50,000 orders a
year, Mr. Kugelman has taught himself to regard each and every customer as
a potential online crook -- and with good reason. He says fraudulent orders
have risen to a staggering 30% of the total, up from just 5% when he
started.
Over the years, Mr. Kugelman, 44 years old, got so good at sniffing out the
cons that just 0.5% of his sales were lost to fraud. But a run-in he had
seven months ago with a cagey crook who ordered $8,384 of flashy jewelry --
and stuck him with his largest fraud loss ever -- has left him worried that
the bad guys are now gaining the upper hand. The tale of Mr. Kugelman's
unsuccessful effort to discover the fraud, despite his suspicions, shows
the increasing perils faced by the burgeoning online retail industry.
For Mr. Kugelman and other Internet retailers, ferreting out bogus orders
is a matter of survival. When a crook uses a stolen credit card in a
traditional store, and the store follows proper procedures, the
card-issuing bank usually swallows the loss. For online retailers, the
tables are turned. Credit-card association rules dictate that merchants who
accept charges from cyberspace, a riskier endeavor, must also shoulder the
risk of fraud.
When Mr. Kugelman began peddling everything from pearl earrings to thick
gold chains over the Internet in 1998, his biggest problem was simple
credit-card fraud: the use of stolen account numbers. The bogus orders were
often glaringly obvious. Fraudsters ordered big and requested next-day
shipping. They left fake phone numbers. They placed odd orders, such as for
two engagement rings. Mr. Kugelman designed a computer system to screen
incoming orders for such red flags and to bounce suspicious ones into human
hands.
Over time, the crooks got better. More of them stole whole identities,
using purloined personal information to set up entirely new credit-card
accounts. They used untraceable cellular phones, and avoided making
oversized orders. When Mr. Kugelman phoned them with questions, they didn't
get rattled. He fine-tuned his system, incorporating proprietary scoring
guidelines based on such information as what kind of jewelry is ordered and
from what part of the country the order originates.
Late last year, he says, the fraudsters upped the ante. All of a sudden,
Goldspeed.com was getting orders that showed no obvious signs of fraud on
his computer-screening system, but seemed suspicious nonetheless. On Jan.
9, for example, when a customer placed separate orders on the same day, he
thought "something looked wrong."
A Vincenza Wells of Detroit had ordered a $1,199 Aqua Master men's diamond
watch. Four minutes later, the same customer ordered a $1,259 men's diamond
and tanzanite ring. The Bank One Visa credit-card number she supplied was
good for the full amount, and she had provided the validation code from the
back of the card. Visa's address verification system showed a match.
But the order's size, and the strange two-step ordering, had Mr. Kugelman's
radar up. The next day, he called the card issuer, J.P. Morgan Chase & Co.,
which had acquired Bank One. He says a bank representative confirmed that
the name, address and phone number on the order matched the bank's own
account information, except for one small detail about the address.
Mr. Kugelman called his customer, who explained the disparity to his
satisfaction. Mr. Kugelman called back the bank representative with the
revised information. She told him that bank security had phoned Ms. Wells
separately, and verified her identity.
Still wary, Mr. Kugelman tested the card number again to see if it had been
maxed out, a hallmark of identity theft. It hadn't. So he released the
watch and ring for shipment.
That afternoon, the same customer phoned in a third high-ticket order for a
$3,077 men's platinum chain and a $2,849 diamond engagement ring. Again,
the Visa card was good for the full amount. Goldspeed shipped both items to
Detroit, bringing Ms. Wells's total bill, with shipping, to $8,432.
More than 100 miles from Detroit, in Sandusky, Ohio, the real Vincenza
Wells, proprietor of the Seacrest Motel, had no idea someone was running up
thousands of dollars of bills in her name. Last August, she had received a
phone call, purportedly from her cable company, offering her three months
of free service if she paid her bill in full a month early. She happily
provided credit-card information, her Social Security number and other
personal information. The caller was a crook. Shortly thereafter, Bank One
alerted her to questionable charges, and she canceled her card.
In April, another bank representative called her to inquire about some
$15,000 in unpaid credit-card bills. She responded that she didn't even
have a card any more. "These people had opened new accounts in my name,"
she explained recently, expressing astonishment that, given the previous
fraud, J.P. Morgan had opened a new account in her name with a new address.
To set up the account, the fraudsters apparently used the personal
information that she had been tricked into providing over the phone.
A spokesman for J.P. Morgan said the bank doesn't discuss individual
cardholder situations, but that it has "a financial stake in stopping all
fraud before it happens." Michael Cunningham, head of fraud prevention at
J.P. Morgan's card division, said: "We take a lot of pride in our ability
to detect identity theft. We don't catch 100% of it."
On April 7, Mr. Kugelman learned for the first time, from a J.P. Morgan
investigator, that the jewelry charges were fraudulent, the result of
identity theft. For reasons that weren't made clear to Mr. Kugelman, the
bank opted to saddle him with only a portion of the loss, $5,950, the
amount of the third order. Days later, Mr. Kugelman's bank credited the
money back to J.P. Morgan. Mr. Kugelman protested, citing his discussions
about the order with the bank, and J.P. Morgan eventually brought the case
to a Visa arbitration panel set up to mediate such disputes.
In June, Visa arbitrators ruled that Mr. Kugelman would have to eat the
loss. A spokeswoman for Visa declined to comment on the case, but noted
that Visa is developing procedures to reduce such charge-backs to online
merchants.
Mr. Kugelman says his fraud numbers are going up, in part because it's so
hard for him to recognize crooks with stolen identities. He says he doesn't
know how much the increased vigilance is costing him, but in February, he
reassigned a staffer to work exclusively on detecting credit-card fraud.
"The job has gotten harder and our systems have gotten more sophisticated,"
he says. "But it's a cat-and-mouse game. As we get better, they get better."
--
-----------------
R. A. Hettinga <mailto: rah at ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
_______________________________________________
Clips mailing list
Clips at philodox.com
http://www.philodox.com/mailman/listinfo/clips
--- end forwarded text
--
-----------------
R. A. Hettinga <mailto: rah at ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list