
E-business vs. the perfect cybercrime

Despite some estimates that criminals based overseas now account for about a third of all online fraud directed at U.S. e-businesses, there is no evidence that a single one of these crooks has been prosecuted, an investigation by MSNBC shows.
Source: MSNBC

The Internet has revolutionized commerce by allowing businesses to sell globally, but it also has created what so far appears to be the perfect cybercrime - borderless credit card fraud. An investigation by MSNBC has learned that while criminals based overseas now account for up to a third of all online fraud directed at U.S. e-businesses, there is no evidence that a single one of these crooks has been prosecuted.

“I’m not aware of any (prosecutions),” said Mark Batts, the special agent in charge of the FBI’s Financial Institution Fraud Unit. “That’s not to say there aren’t any out there, but I think I would know about it if it had occurred.”

The issue of international credit card thievery and fraud burst into the public consciousness in January with news of a heist of thousands of credit cards from the CD Universe Web site, allegedly by a teenage hacker from Russia. It continued to make headlines this week with news that had uncovered a Russia-based plot to defraud it and other e-merchants out of more than $70,000 worth of merchandise using stolen credit card information.

It has been known for some time that organized crime groups and overseas free-lancers were responsible for some of the credit card fraud aimed at Internet merchants in the United States. But after more than a dozen interviews with industry insiders and e-business owners, it is clear that a much larger percentage of the fraud than previously known originates overseas.

U.S. law enforcement stymied
This new breed of international cybercriminals is aided by the fact that the address-verification system used by merchants to compare billing and delivery information in the United States is useless overseas.

It also has emerged that these criminals have thus far proven to be untouchable by U.S. law enforcement, which is hampered by the patchwork of laws on white-collar crime in other countries, jurisdictional questions, the indifference of some governments and the fact that investigation of such crimes is both time-consuming and expensive.

Because consumers are generally not responsible for the fraudulent use of their credit cards online - the $50 they can be charged is usually waived by the issuing bank - and because fraud levels are near historic lows, banks and credit card companies have downplayed the seriousness of the problem. But for e-merchants, particularly those who run small online businesses, these criminals pose a significant threat that could destroy their business.

Batts, who took charge of the FBI’s financial fraud unit late last year, said that, to his knowledge, all investigative attempts to track the international fraud artists have run into dead ends.

The Secret Service, which bears the primary responsibility for investigating credit card fraud, did not respond to repeated requests for an interview on the subject. But when informed that MSNBC intended to report that no credit card thieves based overseas have been prosecuted, the agency did not dispute that conclusion.

Neither were the Justice Department, U.S. credit card companies, banks, credit card processors or Internet merchants able to identify such a case.

The Russian connection
Efforts to gauge the scope of such fraud are even more difficult because of the scarcity of data about online credit card abuse. But anecdotal evidence suggests the international fraud artists are netting many millions of dollars each year.

Robert Aguirre, manager of the special investigations unit for Cardservice International, a credit card processor with a reputation for doggedly pursuing credit card thieves, said that the experience of his team suggests that approximately a third of all fraudulent Internet transactions originate in the former Soviet Union and its erstwhile allies in Eastern Europe. Many of the rings appear to be run by organized crime, he said.

“We’ve had quite a few instances where the activity seemed to be coming out of what would be the old Soviet Union. We’ve had several cases where monies were being created and were being wired to St. Petersburg, Russia. So I can’t help but think that there are some Russian-influenced crime groups that are exploiting this thing.”

Other industry insiders offered higher and lower estimates of the percentage of fraud that originates overseas, but none disputed the contention that it makes up a significant portion of the overall picture.

How cards are stolen
The sophistication the criminals exhibit in harvesting the credit card information needed for their schemes supports his contention.

Batts, the FBI agent, and other experts say most of the credit card information used for the fraudulent online purchases apparently is obtained the old-fashioned way: stolen from mailboxes or “swiped” through a card reader by accomplices working in restaurants or stores.

The stolen credit card information is then transmitted to the thief or thieves overseas, who begin their electronic assault on Internet merchants by charging as much merchandise as they can in as short a time as possible.

In some cases, they will attempt to ship the goods directly to the country they are operating out of, where the credit card address-verification system can’t be used because of stringent privacy laws. In other cases, since many Internet sellers are now leery of shipping expensive merchandise overseas, they will enlist accomplices in the United States who set up “drop sites” in vacant homes or rent living quarters under false names.

By the time the e-merchant realizes the purchase was made using stolen credit cards, the goods - and the crooks - are gone.

While anecdotal evidence suggests online credit card fraud is a growing problem, there’s no way of telling for sure.

No tracking of Net fraud
Officials at Visa and MasterCard said that they are in the process of establishing tracking systems for fraud committed over the Internet and cannot state with certainty what percentage of their overall losses are attributable to criminals based overseas.

“We don’t have any hard-and-fast numbers that say what the international vs. the domestic is at this point,” said Vincent DeLuca, vice president of fraud control at MasterCard International. “It’s only anecdotal from some of our members and from some of the exchange of information that goes on with law enforcement, and things we’ve seen in the media and horror stories we’ve heard from some of our online merchants.”

Stephen Orfei, vice president for electronic commerce and emerging technology at MasterCard, said that the Internet accounts for between 2 and 2.5 percent of total credit card transactions. Using the lower figure and applying it to the bank association’s total fraud losses of $526 million in 1998 yields a loss to online fraud of slightly more than $10.5 million.

Visa USA reported $487 million in fraudulent charges last year, which, assuming a 2 percent rate, would be approximately $9.75 million.

American Express and Discover Financial Services do not publicly report fraud rates and declined to comment on the subject of Internet credit card fraud except to say that they aggressively attempt to combat it.

Online fraud rates higher
Since e-commerce fraud rates are one-third higher than overall fraud rates, according to Visa’s figures for 1999 (9 cents per $100 on the Net vs. 6 cents per $100 overall), that $20 million figure for Visa and MasterCard alone is most likely on the low side.

The federal government’s main mechanism for tracking economic crimes is the Treasury Department’s Financial Crimes Enforcement Network, known as FinCen, which collects reports on 17 types of “suspicious activities” from U.S. banks and other institutions.

In 1999, the agency received about 120,000 reports, of which 4,900 - or about 4 percent - reflected possible credit card fraud.

But FinCen does not keep track of whether the fraud was committed over the Internet, and its reporting system is structured in a way that guarantees that online fraud - where anonymous criminals frequently attempt to conduct many transactions using multiple stolen cards - is underreported. Banks are required to report only when they can establish an aggregate loss of $5,000 or more and can identify a suspect, or when the loss exceeds $25,000 if no suspect can be identified.

“If you’ve got these little … losses that originate from a foreign country such as Romania and you don’t know if it’s one individual or a group of individuals acting together, it can be difficult (to establish that the fraud warrants investigation),” said Batts, explaining why the FBI collects data on credit card fraud even for small cases that it will likely not pursue unless it establishes a pattern of activity.

Given the gaps in the fraud reporting systems, there is no telling just how hard U.S. e-businesses are being hit by long-distance fraud.

But previous MSNBC stories on credit card fraud asking users to share their e-commerce stories elicited accounts from numerous Internet merchants who said they had been victimized by scams that they later learned were engineered from overseas.

The fraud rings often favor small e-businesses on the assumption that they are less likely to take good security measures. But e-commerce giants like are by no means safe from their predations.

Speed, distance and anonymity
“There’s a big difference between brick-and-mortar fraud and Internet fraud, and that’s the speed of the transaction, the geographical distances and the anonymity of the buyer,” said Tom Holland, director of fraud detection and prevention for the Seattle-based e-retailer.

Holland, who says that his staff analyzes “trends and patterns of behavior” in an attempt to sniff out fraudulent orders, in December pointed the FBI to a Russian citizen who allegedly was part of an elaborate international fraud scheme.

According to court documents, 22-year-old Roustam Kamilievich Mingazov was arrested after electronic goods fraudulently purchased from Amazon were delivered to his apartment in Reno, Nev.

The orders were placed from computers in Chelyabinsk, Russia, using information from 63 different credit cards, most of which were issued to Americans. Investigators have not yet determined how the thieves obtained the information, Assistant U.S. Attorney Steve Schroeder told MSNBC.

While Mingazov faces up to five years in prison if he is convicted on the federal fraud charges, the case illustrates the difficulties investigators and prosecutors face in attempting to get to the masterminds of such a scheme.

Mingazov, who was in the country on a student visa, told investigators that his involvement was limited to an Internet contact with an individual he knew only as “Andrei,” who said he could earn extra money by receiving packages that would be sent to his residence, the documents said.

Online shopping defended
Though recent Internet fraud cases have generated unwelcome headlines and raised questions among consumers about the safety of e-commerce, credit card companies and banks insist that Internet shopping can be as safe as or safer than real-world transactions. The key, they say, is for merchants to consider security to be an integral component of their e-business.

At the same time, many of these same insiders are urging financial institutions to hasten the move toward more-secure financial instruments, such as “smart cards” that include encrypted personal information, and to speed adoption of such technologies as the Secure Electronic Transaction protocol, software developed jointly by Visa and MasterCard that uses cryptography and other technologies to secure electronic transactions.

“I think it’s fair to say that the Internet fraud that’s being perpetrated right now is getting a lot of attention and it will certainly drive the market to take action,” said Orfei, the MasterCard official. “Right now … when (Internet) transactions are around the 2 percent level, it’s all very manageable. But I think we’re coming very quickly to the realization that we need to take a hard stand here and address this proactively.”