[Clips] At Online Stores, Sniffing Out Crooks Is a Matter of Survival

R.A. Hettinga rah at shipwright.com
Thu Aug 4 09:35:33 EDT 2005 

--- begin forwarded text


 Delivered-To: clips at philodox.com
 Date: Thu, 4 Aug 2005 09:33:22 -0400
 To: Philodox Clips List <clips at philodox.com>
 From: "R.A. Hettinga" <rah at shipwright.com>
 Subject: [Clips] At Online Stores, Sniffing Out Crooks Is a Matter of Survival
 Reply-To: rah at philodox.com
 Sender: clips-bounces at philodox.com

 <http://online.wsj.com/article_print/0,,SB112311786883304593,00.html>

 The Wall Street Journal

  August 4, 2005
  PAGE ONE


 At Online Stores,
  Sniffing Out Crooks
  Is a Matter of Survival
 Mr. Kugelman Gets Scammed
  By a Web-Site Customer;
  A $3,077 Platinum Chain

 By MITCHELL PACELLE
 Staff Reporter of THE WALL STREET JOURNAL
 August 4, 2005; Page A1


 LYNBROOK, N.Y. -- Six years ago, Neil Kugelman found himself puzzling over
 the very first customer to arrive at the Web site he had launched to sell
 jewelry online.

 The order: a $496 men's diamond ring. The North Carolina address didn't
 match the address tied to the credit card. The shipping address was
 different still. Mr. Kugelman tried to telephone the customer, but the
 number didn't work. His email bounced back. He was no expert on fraud, but
 neither was he born yesterday. He spiked the order.

 "Our first order -- order No. 1 -- was fraudulent," he marvels.

 Since then, as family-controlled Goldspeed.com Inc. grew from a basement
 start-up to a 10-person operation that fills more than 50,000 orders a
 year, Mr. Kugelman has taught himself to regard each and every customer as
 a potential online crook -- and with good reason. He says fraudulent orders
 have risen to a staggering 30% of the total, up from just 5% when he
 started.

 Over the years, Mr. Kugelman, 44 years old, got so good at sniffing out the
 cons that just 0.5% of his sales were lost to fraud. But a run-in he had
 seven months ago with a cagey crook who ordered $8,384 of flashy jewelry --
 and stuck him with his largest fraud loss ever -- has left him worried that
 the bad guys are now gaining the upper hand. The tale of Mr. Kugelman's
 unsuccessful effort to discover the fraud, despite his suspicions, shows
 the increasing perils faced by the burgeoning online retail industry.

 For Mr. Kugelman and other Internet retailers, ferreting out bogus orders
 is a matter of survival. When a crook uses a stolen credit card in a
 traditional store, and the store follows proper procedures, the
 card-issuing bank usually swallows the loss. For online retailers, the
 tables are turned. Credit-card association rules dictate that merchants who
 accept charges from cyberspace, a riskier endeavor, must also shoulder the
 risk of fraud.

 When Mr. Kugelman began peddling everything from pearl earrings to thick
 gold chains over the Internet in 1998, his biggest problem was simple
 credit-card fraud: the use of stolen account numbers. The bogus orders were
 often glaringly obvious. Fraudsters ordered big and requested next-day
 shipping. They left fake phone numbers. They placed odd orders, such as for
 two engagement rings. Mr. Kugelman designed a computer system to screen
 incoming orders for such red flags and to bounce suspicious ones into human
 hands.

 Over time, the crooks got better. More of them stole whole identities,
 using purloined personal information to set up entirely new credit-card
 accounts. They used untraceable cellular phones, and avoided making
 oversized orders. When Mr. Kugelman phoned them with questions, they didn't
 get rattled. He fine-tuned his system, incorporating proprietary scoring
 guidelines based on such information as what kind of jewelry is ordered and
 from what part of the country the order originates.

 Late last year, he says, the fraudsters upped the ante. All of a sudden,
 Goldspeed.com was getting orders that showed no obvious signs of fraud on
 his computer-screening system, but seemed suspicious nonetheless. On Jan.
 9, for example, when a customer placed separate orders on the same day, he
 thought "something looked wrong."

 A Vincenza Wells of Detroit had ordered a $1,199 Aqua Master men's diamond
 watch. Four minutes later, the same customer ordered a $1,259 men's diamond
 and tanzanite ring. The Bank One Visa credit-card number she supplied was
 good for the full amount, and she had provided the validation code from the
 back of the card. Visa's address verification system showed a match.

 But the order's size, and the strange two-step ordering, had Mr. Kugelman's
 radar up. The next day, he called the card issuer, J.P. Morgan Chase & Co.,
 which had acquired Bank One. He says a bank representative confirmed that
 the name, address and phone number on the order matched the bank's own
 account information, except for one small detail about the address.

 Mr. Kugelman called his customer, who explained the disparity to his
 satisfaction. Mr. Kugelman called back the bank representative with the
 revised information. She told him that bank security had phoned Ms. Wells
 separately, and verified her identity.

 Still wary, Mr. Kugelman tested the card number again to see if it had been
 maxed out, a hallmark of identity theft. It hadn't. So he released the
 watch and ring for shipment.

 That afternoon, the same customer phoned in a third high-ticket order for a
 $3,077 men's platinum chain and a $2,849 diamond engagement ring. Again,
 the Visa card was good for the full amount. Goldspeed shipped both items to
 Detroit, bringing Ms. Wells's total bill, with shipping, to $8,432.

 More than 100 miles from Detroit, in Sandusky, Ohio, the real Vincenza
 Wells, proprietor of the Seacrest Motel, had no idea someone was running up
 thousands of dollars of bills in her name. Last August, she had received a
 phone call, purportedly from her cable company, offering her three months
 of free service if she paid her bill in full a month early. She happily
 provided credit-card information, her Social Security number and other
 personal information. The caller was a crook. Shortly thereafter, Bank One
 alerted her to questionable charges, and she canceled her card.

 In April, another bank representative called her to inquire about some
 $15,000 in unpaid credit-card bills. She responded that she didn't even
 have a card any more. "These people had opened new accounts in my name,"
 she explained recently, expressing astonishment that, given the previous
 fraud, J.P. Morgan had opened a new account in her name with a new address.
 To set up the account, the fraudsters apparently used the personal
 information that she had been tricked into providing over the phone.

 A spokesman for J.P. Morgan said the bank doesn't discuss individual
 cardholder situations, but that it has "a financial stake in stopping all
 fraud before it happens." Michael Cunningham, head of fraud prevention at
 J.P. Morgan's card division, said: "We take a lot of pride in our ability
 to detect identity theft. We don't catch 100% of it."

 On April 7, Mr. Kugelman learned for the first time, from a J.P. Morgan
 investigator, that the jewelry charges were fraudulent, the result of
 identity theft. For reasons that weren't made clear to Mr. Kugelman, the
 bank opted to saddle him with only a portion of the loss, $5,950, the
 amount of the third order. Days later, Mr. Kugelman's bank credited the
 money back to J.P. Morgan. Mr. Kugelman protested, citing his discussions
 about the order with the bank, and J.P. Morgan eventually brought the case
 to a Visa arbitration panel set up to mediate such disputes.

 In June, Visa arbitrators ruled that Mr. Kugelman would have to eat the
 loss. A spokeswoman for Visa declined to comment on the case, but noted
 that Visa is developing procedures to reduce such charge-backs to online
 merchants.

 Mr. Kugelman says his fraud numbers are going up, in part because it's so
 hard for him to recognize crooks with stolen identities. He says he doesn't
 know how much the increased vigilance is costing him, but in February, he
 reassigned a staffer to work exclusively on detecting credit-card fraud.

 "The job has gotten harder and our systems have gotten more sophisticated,"
 he says. "But it's a cat-and-mouse game. As we get better, they get better."


 --
 -----------------
 R. A. Hettinga <mailto: rah at ibuc.com>
 The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
 44 Farquhar Street, Boston, MA 02131 USA
 "... however it may deserve respect for its usefulness and antiquity,
 [predicting the end of the world] has not been found agreeable to
 experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
 _______________________________________________
 Clips mailing list
 Clips at philodox.com
 http://www.philodox.com/mailman/listinfo/clips

--- end forwarded text


-- 
-----------------
R. A. Hettinga <mailto: rah at ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

More information about the cryptography mailing list