No one broke into Doug and Sandy Roth’s tiny Seattle office. There are no signs that computer hackers rifled through their systems. But somehow, criminals managed to impersonate the couple’s Prosynergy Corp. well enough to convince Bank of America Merchant Services to ship some $52,000 in credit card credits to various bank accounts based in Spain. And the Roths knew nothing about it until Bank of America called a few days ago and handed them the bill.
THE SCAM IS SILENT, stealthy, and nearly perfect. The simple but ingenious “credit-back” scheme essentially lets a criminal turn a merchant’s credit card terminal into a printing press for money. It exploits a fundamental flaw in some credit card processors that allows consumers to buy merchandise with one credit card, then return the merchandise and receive a credit on a different card. So, for example, in some situations a consumer can buy an item with an American Express card, then return it, and get the credit on their Visa card.
Stealing money from a stolen credit card this way can be easy — the criminal uses a stolen credit card, buys a $100 item, then returns it, gets a $100 debit card credit, then withdraws that cash from an ATM. To perform the scam on a wider scale, criminals need control of a large body of stolen credit cards, several debit card accounts, and they need to somehow seize control of a merchant’s credit card account — and use that account to issue the credits and charges in rapid fire.
Computer criminals have been using the “credit-back” tactic to raid banks and small companies for at least 10 months now and the scam was described in an MSNBC.com story in February. It’s really just an Internet-age variation of an old-fashioned con in which thieves break into a small store late at night and physically run charges through the store’s credit card terminal. The modern version is much less risky — hackers can virtually impersonate merchants, even from overseas, and move money between banks and merchant accounts remotely.
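The flaw described above is that a processor will issue a credit that is not tied to the original sale and card. The following check is an added example, not part of the original article or any processor's code: it walks a constructed merchant ledger and holds every credit that has no matching sale, goes to a different card than the sale, or pushes total refunds past the sale amount. The record layout, card tokens and reason strings are assumptions made for illustration.

```python
from collections import defaultdict
from decimal import Decimal

# Constructed sample ledger for one merchant account (not real data).
# Each record: (txn_id, kind, card_token, amount, ref_txn_id)
LEDGER = [
    ("t1", "sale",   "card_A", Decimal("100.00"), None),
    ("t2", "credit", "card_A", Decimal("100.00"), "t1"),  # ordinary refund
    ("t3", "sale",   "card_B", Decimal("100.00"), None),
    ("t4", "credit", "card_X", Decimal("100.00"), "t3"),  # refund to another card
    ("t5", "credit", "card_Y", Decimal("100.00"), None),  # credit with no sale
    ("t6", "sale",   "card_C", Decimal("40.00"),  None),
    ("t7", "credit", "card_C", Decimal("30.00"),  "t6"),  # partial refund, fine
    ("t8", "credit", "card_C", Decimal("30.00"),  "t6"),  # refunds now exceed sale
]


def review_credits(ledger):
    """Return {txn_id: reason} for credits that should be held for review."""
    sales = {}                       # sale txn_id -> (card_token, amount)
    refunded = defaultdict(Decimal)  # sale txn_id -> total credited so far
    flagged = {}
    for txn_id, kind, card, amount, ref in ledger:
        if kind == "sale":
            sales[txn_id] = (card, amount)
            continue
        # Every credit must point at a sale this merchant actually made.
        if ref not in sales:
            flagged[txn_id] = "no matching sale"
            continue
        sale_card, sale_amount = sales[ref]
        if card != sale_card:
            # The cross-card refund the article describes.
            flagged[txn_id] = "credit to different card"
        elif refunded[ref] + amount > sale_amount:
            flagged[txn_id] = "credit exceeds sale"
        else:
            refunded[ref] += amount
    return flagged


if __name__ == "__main__":
    for txn, reason in review_credits(LEDGER).items():
        print(txn, reason)
```
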
COMPANY’S ACCOUNT FROZEN
That’s what happened to Sandy and Doug Roth, who run a tiny dental consulting company in Seattle.
On a good week, perhaps three or four charges are run through their simple credit card terminal software.
Between Nov. 12 and Nov. 20, someone impersonating their company ran 520 charges through their Bank of America Merchant Services account, totaling $52,000.
On Nov. 24, the couple learned that account had been hijacked. The $29,000 the couple had in its Bank of America account was immediately frozen “in connection with the fraudulent transactions,” the bank said in a letter to Prosynergy.
It was all a shock to Sandy Roth, who, like many merchants, had no idea that she could be held financially liable for any fraud that was connected to her account — in this case, up to $104,000. (That amount is what the bank initially told the Roths they owed. The amount is twice what was actually charged to their account, because there are two sets of victims in this fraud: the holders of the credit cards to which the $52,000 was initially charged, and the banks which doled out the refund charges to the debit cards.)
“I frankly broke out in tears — $30,000 for a small business like mine is huge,” Sandy Roth said. “We had money in there to pay my staffers Christmas bonus, and for payroll.”
On Friday, bank officials told MSNBC.com that the Roths’ money had been released. Still, the Roths’ story is a cautionary tale for merchants who may not realize the ability to accept credit card payments can come with a dramatic cost, since banks can hold merchants responsible for any fraud connected to their accounts. At least temporarily, the Roths lost everything they had to a crime that seemingly had nothing to do with them.
And the Roths think they are not alone — Sandy Roth says a bank official told her some 30 merchants were hit recently by a similar scam, and that some 300,000 stolen credit cards are being used.
“I got calls from a sheriff in North Carolina, the state police in Texas. ... I got an e-mail from someone in Australia. There’s been 50 to 60 telephone calls from people opening their statement, then calling and saying ‘Who are you?’ ”
Bank of America spokesperson Angela Ashley confirmed the Prosynergy incident, but declined additional comment other than to say the FBI was investigating. She added that the Roths’ frozen assets had been returned.
The Roths are still confused about how anyone would have electronically convinced Bank of America to move money in their name. But merchant advocate Dan Clements, who operates CardCops.com, said in other similar scams, impersonating a merchant is as easy as obtaining a stolen login name and password. Criminals can then connect electronically to a merchant’s payment gateway processor — the go-between which acts as air traffic controller for credit card transactions, moving money between banks — and pose as the merchant.
It might not seem fair that Prosynergy’s accounts were seized because of what could be considered a bank mistake, but Clements said such seizures are common.
“The merchants are often hung out to dry,” Clements said.
While federal law limits consumers’ credit card liability to $50, no such law protects merchants. Merchants are 100 percent liable for cases of fraud that involve so-called “card not present” transactions, where a customer’s signature cannot be obtained. That would include virtually all telephone and online transactions.
But the Roths’ case involved the hijacking of their merchant account, which Clements called “uncharted waters.”
“But the agreements probably say that liability would cover misuses of merchant accounts,” he said.
While banks frequently agree to return seized assets in controversial cases like this, as in the Roths’ case, Clements claims that just as often, merchants are left holding the bag. Another merchant Clements knows recently closed her business and sold her condominium after she got a fraud bill for $20,876 from her bank.
“The bank can do whatever it wants unless the merchant gets a very good lawyer.”