Credit card thieves steal, shop, swap online worldwide

Hackers gain access to account information on retailers' computers

Data traded in chat rooms

April 02, 2000|By Michael Stroh | Michael Stroh,SUN STAFF

"Have you ever heard of a guy named Boonchard?"

At first, Bruce Cassidy didn't know what the man on the phone was talking about. The call came out of the blue last month, from an online retailer Cassidy had never heard of.

What the voice said next was more unsettling: Did Cassidy really want to charge all those cordless phones and ship them to Mr. Boonchard in Thailand?

Cassidy, who works for the state of Kentucky in Frankfort, hadn't bought any phones and didn't know any Boonchards. So he called the credit union that issued his charge card. Sure enough, the bank turned up more than $3,500 worth of cordless phones, high-end stereos, and other electronic gadgets -- all charged to his account within the week and destined for overseas.

It was a hard way to learn one of the online world's dirty little secrets: The Internet is becoming the place for criminals to steal, swap and shop with stolen credit cards.

Hacked from unsecured computer systems, swiped by crooked waiters or plucked from the trash by Dumpster divers, pilfered account numbers are flowing across the Net every day, many of them traded at online bazaars where teen-agers swap them between homework assignments.

Cassidy's Visa account -- including his name, address, phone number, card number and expiration date -- had scrolled past the eyes of dozens of strangers in an underground, online chat room where card thieves gather. It was one of several stolen accounts The Sun observed while researching this article.

How his card got there, Cassidy doesn't know. "It all happened pretty fast," he says, a bit bewildered. "We were lucky: They caught it."

Unlike other cybercrimes, credit card fraud on the Internet rarely makes headlines. That's because few online merchants are willing to acknowledge that their computers are anything less than secure. Yet fraud experts say it's probably happening more than consumers realize -- or merchants let on.

26,000 numbers stolen

One glimpse came March 24, when U.S. and British law enforcement agents arrested two teens in a small Welsh village.

The teens -- who operated under the pseudonym "Curador" -- are accused of hacking into the computers of several online merchants and making off with more than 26,000 credit card numbers, including, they claim, the account number of Microsoft Chairman Bill Gates. The FBI says losses connected to the thefts could exceed $3 million.

Credit card companies and banks play down the significance of such cases.

Visa U.S.A., the nation's largest credit card association, argues that overall credit card fraud in the United States has dropped to an all-time low: Last year, Americans charged more than $721 billion to their credit card accounts but recorded $433 million in fraudulent charges -- about 6 cents for every $100.

Although the company doesn't break out online credit card fraud, "it's roughly equivalent with what we see in the physical world," says Visa spokesman Sean Healy.

Consumers shielded

Credit card companies also point out that cardholders are shielded. Under the Fair Credit Billing Act, consumers pay a maximum of $50 when a card is used fraudulently. Eager to dispel consumer fears over online shopping, Visa will waive the fee this month.

Despite this financial safety net, having a credit card stolen or account information pilfered isn't trivial.

The burden is on card owners to prove that bogus charges aren't theirs, a tedious and time-consuming process. If the issue is not resolved quickly, or if a criminal uses a stolen credit card to apply for others, a theft can devastate a customer's credit rating, says Dave Gilmore, executive vice president of the Internet Fraud Authority, a firm that helps online merchants beat credit card cheats.

And it's not just consumers who get hurt.

"What we've discovered is that it's really a problem for the merchants," says Audri Lanford, co-editor of the widely read Internet newsletter ScamBusters.

When credit card fraud occurs in a store, the bank that issued the card is typically liable for the transaction. But in so-called "card-not-present" transactions -- which include mail, telephone and Internet orders where no signature is required -- merchants are typically forced to cover loss.

`Merchant's going to eat it'

"If you claim fraud online, the merchant's going to eat it. Period," says Al Cameron, who heads a seven-member anti-fraud squad at Digital River, which manages the cyberstores for companies such as Sega, Symantec and Comp-USA.

Online travel service Expedia, for example, announced last month that it would set aside up to $6 million to cover the cost of tickets purchased with stolen cards during the previous quarter. recently took a Reno, Nev., man to court for allegedly charging more than $70,000 worth of merchandise to 63 fraudulent accounts.

"We block one out of 10 orders as attempted fraud," says Chris Keller of, a small online merchant in Buffalo, N.Y. "I think it's a huge problem."

Baltimore Sun Articles
Please note the green-lined linked article text has been applied commercially without any involvement from our newsroom editors, reporters or any other editorial staff.