September 9, 2005 8:54 AM PDT

Putting the squeeze on credit card fraud

SACRAMENTO, Calif.--About once a week, travel agent Sue Heffner receives a call requesting a booking for an expensive last-minute airline ticket, often departing from far-flung locations in Africa.

The calls appear to come from Nigeria and the callers prefer to use operator-assisted Telephone-Typewriter services meant for the hearing impaired. Heffner, who operates a small travel agency out of the town of Clarksburg, about 30 miles south of state capital Sacramento, doesn't book for these customers. She knows how to spot a scam.

"Fraud is always an issue for the travel industry," Heffner said. "I have been very fortunate because I only do business with clients I know."

Heffner was among a few dozen merchants attending a seminar on credit cards and fraud here on Thursday. With data security breaches, identity theft and credit card fraud often in the headlines, these merchants came to get some tips on what they can do to protect consumer data and their own businesses.

The event, part of a nine-city tour, was hosted by Visa USA and the U.S. Chamber of Commerce. Much of the presentation dealt with credit card industry rules for merchant security. These rules, called the Payment Card Industry Data Security Standard, went into effect earlier this year but have been criticized because of a lack of enforcement.

"Anybody who accepts payment cards can be the target of criminals," Joe Majka, vice president of fraud control at Visa, told the audience. Still, Majka said, merchants who follow the credit card industry's rules are safe.

The PCI Data Security Standard has 12 basic requirements that focus on using secure systems. The rules include installing a firewall, changing default passwords, protecting stored data, using antivirus software and encrypting transmissions of cardholder data across public networks.

While perhaps common sense to technically savvy people, the security rules aren't always as obvious to card-accepting merchants.

"It is amazing how many businesses out there are using the default passwords," Majka said. "We also found some merchants getting into wireless access not realizing they could be creating an entry point for criminals."

Randy Carpadus, director of client development at Bright Hope Designs, helps companies with Web site designs. "My clients are technically illiterate," he said at the event, happy with the overview of security options given by Visa.

Disturbing fact
Majka had a chilling message for the operators of traditional brick-and-mortar businesses. The perception may be that criminals target online stores to steal credit card data, but the reality is that traditional retailers are more popular targets, he said. That's because sellers in offline transactions usually swipe the actual credit card.

"Criminals want the data that is on the card's magnetic stripe," Majka said. "Internet merchants don't have that."

The data on the stripe is used to create counterfeit credit cards that are typically used to buy expensive goods such as electronics, Majka said. Retailers should not store information encoded on the magnetic stripes, but Visa has found that many point-of-sale terminals store all the data anyway, sometimes unbeknownst to the retailer, he said.

"The majority of data security breach incidents reported to Visa have involved retail merchants, not Internet merchants," Majka said. That has shifted from a few years back, when online merchants were the main targets, he said.

Earlier this year, information on more than 1.4 million credit card and 96,000 check transactions was stolen from 108 DSW shoe stores. In another incident, a problem with point-of-sale software at Polo Ralph Lauren compromised the credit card data of as many as 180,000 people.

Retailers should talk to the makers of their cash register software to find out which data is stored for each transaction. Visa recently invited about 35 makers of such software to an event to discuss the issue, Majka said. A list of software that has been shown to comply with Visa's data security standards is available on Visa's Web site.

Still, while fear of identity theft and theft of financial information among U.S. residents is at "an all-time high," the actual amount of fraud is at a low point, Majka said. Of each $100 transacted in the Visa system, 6 cents are fraudulent, he said. "It is hard to believe, because you hear a lot about credit card fraud," Majka said.

Credit card security was also spotlighted in June, when MasterCard International reported that information on more than 40 million cards was stolen from CardSystems Solutions, a payment processor. Intruders were able to exploit software security vulnerabilities to install a rogue program on the CardSystems network, according to MasterCard.

The investigation into the CardSystems case, possibly the largest data security leak to date, is ongoing, according to Majka. Visa, however, no longer allows the processor to handle Visa card payments.

Travel agent Heffner trusts in her instinct and her decision to work only with known customers. The people who call her from Nigeria claim they are from a church and try to help poor people, to the point where the Telephone-Typewriter operator feels sorry for them.

"It is ultimately credit card fraud because you know damn well that the card they are using would not be real," she said.

7 comments

Join the conversation!
Add your comment
Lets put the squeeze on credit card fraud
Lets put the squeeze on credit card fraud
Mr. AT Alishtari, POA and Founder EDI Secure LLLP, says the problem of ID fraud is pandemic today.

Mr. Alishtari knows ID fraud personally since it has been done to him and his family severally but in the end the white hats won.

People and cyber crews from offshore working through various offshore gold debit card companies have beset the world in a continual attack.

There is a logic to their madness. In order for them to get away with anything, they have to either use others sites, others names or their computers without authority.

This methodology called dump and run is proof that they are organized into a cyber mafia with methodologies firmly in place to profit from the continual stealing of ID from the public.

The main thing is the crooks expect to get away because they are operating globally while the police are operating locally.

They have chunkers who work in tandem on various projects without knowing all the facts so they have plausible deniability and they take their ill gotten gains and bring them back onshore as legal investments further complicating the matter.

They will be slowed down by the ID protection of two-factor authentication with an offline device and possibly one of the reasons they target Mr. Alishtari for slander and attack is either to take over that technology or stop its platform in the marketplace.

I pray the Cybercrime Treaty when it goes through the US Senate and Congress that was submitted gives the authorities the teeth to take a serious bite out of this ID theft global pandemic.
Posted by (66 comments )
Reply Link Flag
update to edisecure lllp now that idpixie llc bought it out...
update to edisecure lllp now that idpixie llc bought it out...


A year ago, January 2006, EDI Secure LLLP was purchased by IDPixie LLC which owns the patent US 6,598,031 B1 granted on July 22, 2003 for APPARATUS AND METHOD FOR ROUTING ENCRYPTED TRANSACTION CARD IDENTIFYING DATA THROUGH A PUBLIC TELEPHONE NETWORK from inventor Jeffrey Ice. So to update EDI Secure LLLP's place in the marketplace, I add the above and below data.

My Pledge

I, Mr. Abdul Tawala Ibn Ali Alishtari, pledge my Foundation to halt child slavery activities including his Global Peace Film Festival, Inc., at www.peacefilmfest.org. I pledge moral support of legal, peaceful activities and my non-profit gifts offshore, onshore and globally, primarily with philantrophy from my personal investment to help halt all fraud, violence and scams hurting innocent children, women and families so help me God.
Posted by Abdul Tawala Ibn Ali Ali (53 comments )
Link Flag
Merchants and credit card Fraud.
This artical couldn't be farther frome the truth. I have been an olnine merchant for 5+ years now and I can offically say that the author of this artical has no idea what there talking about. Merchants are 100% liable for credit card fraud over the internet. PEROID. The "credit card rules" are really suggestions. The fact of the matter is whenever the card is not present the merchant is taking 100% liability for it. I do not want to go into further detail because it will only be used as a road map if a would be frauder is reading this thread. But I get hit with around $10,000 worth of credit card fraud online there there isn't a single thing we can do about it (yes we follow all the anti fraud measures). The credit card companies need to get there act together before the real fraud numbers get discovered. Paypal is a much better service for merchants.
Posted by tonysak (3 comments )
Reply Link Flag
Merchants and credit card Fraud.
This artical couldn't be farther from the truth. I have been an online merchant for 5+ years now and I can offically say that the author of this artical has no idea what there talking about. Merchants are 100% liable for credit card fraud over the internet. PEROID. The "credit card rules" are really suggestions. The fact of the matter is whenever the card is not present the merchant is taking 100% liability for it. I do not want to go into further detail because it will only be used as a road map if a would be frauder is reading this thread. But I get hit with around $10,000 worth of credit card fraud online there there isn't a single thing we can do about it (yes we follow all the anti fraud measures). The credit card companies need to get there act together before the real fraud numbers get discovered. Paypal is a much better service for merchants.
Posted by tonysak (3 comments )
Reply Link Flag
Who Pays For CC Fraud
If you want to find out who really pays for CC Fraud, I suggest you do a little experiment. Contact a merchant selling high ticket items. Ask him to sell you one of the items and tell him you are going to deny the charge when it comes in, but you are willing to pay him for the item in cash as well as the fees and bank charges associated with the charge back as long as he can show you a statement which shows the items.

If you perform the experiment I think you will find that the banks/credit card companies don't suffer near as much as they say they do. In fact, you may find out that it is a good business for them where they can actually make money on credit card fraud. If so, you might ask yourself why not much has been done to stop cred card fraud. Could it be that it is just to profitable for the banks and credit card companies.

Have you heard of Merchant 911?
Posted by JohnHarris1958 (1 comment )
Reply Link Flag
An online Merchant
if somone offered that to me I wouldn't touch it.

I am a member of merchange 911. Its a start but it really needs to make the jump to actually start being proactive and voicing itsself as being an authuority. All I ever see it is talk about nigierian order and pass around articals.
Posted by tonysak (3 comments )
Link Flag
You just need to find a good website that is <a href="http://www.payvision.com/index.htm">accepting international credit cards</a> as well as domestic credit cards!
Posted by dblake862 (8 comments )
Reply Link Flag
 

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot

Discussions

Shared

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.