
How scammers get away with fraud - alexbilbie
https://www.theguardian.com/money/2018/jul/07/heres-how-scammers-get-away-with-it
======
cantrevealname
> _because the sum stolen – £40,000 – is deemed not large enough to bother the
> authorities_

There was an investigative news story on TV about a couple who would order
hundreds of thousands of dollars of merchandise over the Internet using stolen
credit card numbers and brazenly have it delivered to their _own_ home. The TV
crew showed their house brimming top to bottom with boxes and boxes of
fraudulently obtained goods that they would resell on eBay. They said no
police ever visited them.

In every one of the frauds the couple committed, the merchant would know that
he shipped to (for example) 1234 Main St, Minneapolis. The credit card issuer,
bank, and defrauded card holder would have the address also. Probably hundreds
of police reports were made, or am I assuming too much? If a single policeman
actually followed up on one of these "too small" thefts of $100 to $1000 they
could have prevented hundreds of thousands of dollars of additional theft.

I imagine that the system breaks down because no one reports the fraud or
pushes to get something done, or because the police don't follow up, or both.

~~~
Waterluvian
It's kind of bizarre. I'm no expert but I feel like tackling petty theft is a
form of preventative medicine for crime. Getting away with crime might
embolden people and reinforce their assumption that you can get away with it.

When I was younger some teens would water balloon my family's house a few
times a week. We called the police when we thought we figured out who it was.
They showed up within an hour, had a chat about it then went to the kids'
houses who promptly confessed. It was all handled outside the legal system.
Later I told a police officer about this story and asked why they were able to
give it so much attention so promptly. He said something along the lines of,
"it's easier to deter them now while they're still afraid of their parents'
wrath."

~~~
dhimes
I wonder if it's just economically more advantageous for the credit card
companies to absorb the debt and simply nudge interest rates up a bit to
recover their losses.

~~~
pakitan
That's exactly what they are doing except the part with "absorbing debt".
Banks and credit card companies don't suffer any losses because it's the
merchants who absorb them. And that's the root of the problem. Majority of CC
fraud is easy to eradicate but banks just have no incentive to do it.

~~~
maxxxxx
Sounds a little like the economics of employer based health insurance. The
parties with negotiating power (companies and health insurance) don't have
much incentive to get a good deal for the patient because the patient is
captive. Same for merchants and credit card companies.

~~~
namibj
It could/should tho be changed so that health insurance up to x% of income is
tax-deductible, but only if freely chosen on a free market by the employee,
with any other constellations being taxed as regular income, without the tax-
deductibility. There can still be plans only offered to employees of a
specific company, but the issue of preventing an employee from shopping
insurance himself is gone.

------
astura
>The police are concerned about the prospect of vans carrying vast amounts of
petrol.

There is a pictures of such trucks here:
[https://krebsonsecurity.com/2015/11/gas-theft-gangs-fuel-
pum...](https://krebsonsecurity.com/2015/11/gas-theft-gangs-fuel-pump-
skimming-scams/)

~~~
jackweirdy
> On Oct. 1, 2015, Visa and MasterCard put in force new rules that can
> penalize merchants who do not yet have chip-enabled terminals. Under the new
> rules, merchants that don’t have the technology to accept chip cards will
> assume full liability for the cost of fraud from purchases in which the
> customer presented a chip-enabled card.

> But those rules don’t apply to fuel stations in the United States until
> October 2017, and a great many stations won’t meet that deadline, said
> Verifone’s Turner.

I'm not from the US though I visit often. It's the only place I ever use the
magnetic stripe on my card. I tend to be able to use the chip when buying
groceries, but in most restaurants & coffee shops its mag stripe all the way.
Realistically is that going to change any time soon?

~~~
adrr
Chips require certification to make sure merchant is sending the right data
over the network. This is why you see chip readers but the merchant only
supports swipe. Visa and other card brands are trying to clean up all the
screwed up data on network, really stupid things like a merchant bought a used
card reader but never bothered to change the old merchant info on it.

~~~
StudentStuff
Pinpads and terminals have to be re-injected with debit keys for the
appropriate bank and reconfigured with the correct software load & merchant
account before you can use hardware that was used by another merchant. If you
don't do that, the other merchant is very likely to receive the funds you
charge your clients cards for, short of their merchant account being closed.

The reason EMV isn't enabled at most merchants is its both more expensive than
standard swipe transactions, and massively slower unless your Costco & Kroger
(who both just got quick chip). 30 seconds of waiting for a card to process,
combined with EMV chip read errors due to partial insertion or
failing/oxidized contacts (especially common on pinpads that aren't mounted to
the table, most often the Pax S300 cause those customers are cheap AF) is a
recipe for long lines.

Grocers are leading the EMV transition as they are the most powerful block of
merchants when it comes to beating down interchange rates and processing fees,
with Walmart repeatedly suing Mastercard, and other large retailers doing the
same to the other card vendors. For that small segment, they've been able to
beat down Visa & Mastercard on the per kilobyte data transmission fee and on
the other BS fees that make processing EMV cards more expensive than
magstripe.

~~~
ACow_Adonis
An honest question: why would the cost of chip processing be prohibitive and
the speed of chip processing be 30 seconds of waiting in the US, when its
essentially rolled out en-mass in AUS and neither of those things (appear) to
applicable, or at the very least they haven't stopped mass adoption?

It certainly doesn't take 30 seconds of waiting to tap and pay here...

~~~
Rjevski
Probably because most US transactions are still done offline, so when an
online EMV transaction is attempted the terminal has to bring up its network
interface, obtain an IP, etc.

Here in the UK pretty much all terminals are always online and so EMV
transactions only take a couple of seconds to authorise.

~~~
gergles
Reverse that. The US has always had online terminals because we didn't get EMV
initially. Taking impressions and filling out charge slips was 'online' (call
the auth center,) swipe transactions were online, and then we just do EMV
online too since every credit card terminal in the country was already online.

In Europe where EMV was first introduced, offline transaction processing was
extremely common because there had been no reason to put terminals online
prior to the EMV rollout and merchants did what merchants do and whined about
the cost of acquiring telecom, so offline mode was required in Europe.

I have literally never seen a fully offline transaction in the US (in fact,
very few US cards even ship the certs necessary to conduct offline
transactions), but several of them in Europe and the UK as recently as last
year.

------
nostalgeek
While customers victim of online scams and identity theft are more or less
protected by big vendors or banks because of regulations, provided they act
swiftly, small merchants are often on hook when a scam happens with very
little options to recoup the money lost. What are the solutions for merchants?
insurances? anti-fraud detection services? What could you recommend to a
merchant that is starting to do business online? restrict with whom one does
business with? use bigger merchants to do transactions? what works, what
doesn't to mitigate risk?

~~~
benmowa
see eCommerce Fraud Prevention. There are a few companies focused on this
space to protect merchants from fraudulent chargebacks. But in short, you can
get pretty complex with multiple vendors being leveraged, but the economics of
fraud vs fraud prevention really depends on your business.

------
cantrevealname
> _In one instance, it froze thousands of pounds that had arrived into an
> account. “We blocked it and contacted the originating bank,” says Blomfield.
> “But that bank [one of the biggest UK players] said it was all fine. Then it
> rang a few days later to say it looked like the customer had been conned.
> Luckily, we were able to return the money.”_

I wonder how often it happens that the bank simply keeps the money it froze,
either telling nothing to the originating bank, or telling the originating
bank that the money has been transferred or withdrawn. For two banks that
rarely deal with each and are in different countries, what can the originating
bank possibly do other than take whatever the receiving bank says at face
value?

------
larkeith
"...and one [scam] so simple we are banned from telling you about it."

Interesting.

------
raincom
I used my chip card in Canada during the last week. I used my visa chip card
heavily for gas, bc ferries, food, etc. I remember giving out my card number,
expiry date and security code to an agency that offers whale seeing tours in
Victoria Island. Next day, I saw two charges: $108.XX from Chick-A-Fil,
Salisbury, MD and $1.00 from Sweden. The card issuer called me right away to
verify what's going on.

I wonder how my cc details were compromised. Was it a skimmer at gas stations?
or one of those credit card scanners in Canada (Canadians seems to use PIN
number with credit cards) or bcferries.com website.

I am not sure.

~~~
user5454
I recently returned from a trip to the USA and was a bit surprised that they
asked for ZIP code instead of PIN for my credit card. While the NY subway
accepted my non-US ZIP code, some gas stations did not as they apparently
checked the entered ZIP code against valid US ZIP codes.

~~~
Kurtz79
To my knowledge, in some machines non-US ZIP codes are accepted up to a cash
limit (can't remember if it's daily or for transaction).

Probably your bill at the gas stations was higher than the one for the subway
tickets.

------
hvo
"because the sum stolen – £40,000 – is deemed not large enough to bother the
authorities"

You just apply broken window theory to everyone of them.Punish swiftly to
discourage bad behavior.

Students who sell their accounts for cash;charge them with conspiracy to
commit fraud and money-laundering.

Some of the criminal activities described in the article are kind of chutzpah

------
turc1656
"These 'mule' accounts are a vital link for crooks moving money around the
banking system."

Indeed. A vast majority of digital financial crimes in some way rely upon
these types of accounts. I really don't understand why I haven't heard of any
of these people who sell their accounts to criminals being charged as
accessories (before the fact). Perhaps because enforcement is low in general.
But I think that a lot of the alleged college students doing this wouldn't
risk ruining their future on felony fraud charges for $200 if we started
prosecuting some of these people. The mere fact that not all of the money was
routed back out and some remained as payment is essentially the smoking gun
that they were knowingly involved. Any decent investigator/detective would be
able to break these students in 15 minutes once presented with that evidence.

------
clubm8
> _Frustratingly, there are few mechanisms for banks to communicate with each
> other. “In the US, there is a web portal for banks to contact each other on
> these issues. Here, it’s just email, Blomfield adds. “Sometimes we are even
> told to use a fax.”_

Interesting. In many ways the Americans are far behind (still writing checks,
lack of chip and pin) but in this arena they have Europe beat.

------
auslander
> because of his ears... ear positions are the most difficult thing to fake

ROFL :)

Credit Card security model, with CVV, is so broken, but also so widespread, it
is cheaper to cover fraud than change it. Especially if card processors (Visa,
MasterCard) can shift damages onto merchants.

------
erikb
I think it depends. If it's a really big bank, even when it's only $100 the
police will probably follow up on it. But with the small competitor banks even
big sums like $40k will not get pursued. And you can't say $40k is not a big
sum. It certainly is.

As a bank one has other options besides the law, though. Lawyers, private
detectives, even deals with gangs. It's not impossible to survive such things
and defend against it.

The only thing stopping the bank is the bank itself. Like most organisations a
bank is probably barely able to achieve what it makes money with and
everything else trailing off into nirvana in an unlimited amount of
bureaucracy.

------
someonenice
Though informative , it felt like an Advertorial for the Monzo bank...

~~~
55555
It was, duh.

~~~
thiscatis
Exactly.

