Small Thefts, Big Trouble

Thousands of phony $10 credit card charges reap millions for Internet hackers

January 22, 2001 | By Michael James, SUN STAFF

If you've ever bought anything online, check your credit card statements. A ring of international hackers may have swindled you out of five or 10 bucks.

Tens of thousands of shoppers worldwide have fallen victim to the thieves, believed to be operating out of Eastern Europe and Panama. Committing small-time fraud on a widespread scale, the scammers are stealing only a few dollars at a time - but they've become a giant headache for banks and credit card clearinghouses who are spending millions to cancel compromised cards and investigate security breaches.

"I don't think anyone is really aware of what an enormous problem it's become," said Patricia Fike, a 34-year-old East Baltimore resident who discovered that a mysterious Russian company had charged $5.10 to her Citibank card on Dec. 20. "The banks and the FBI had better get after the guy who did this, and either arrest him or hire him. He's going to be a legend in the hacking world."

MBNA America, one of dozens of financial institutions hit by the scheme, canceled about 10,000 credit cards this month after discovering the accounts had been illegally charged 277 Russian rubles, or about $10. In each case the charge was listed as coming from one of several Moscow-based companies called Inet, Inetplat, or Global Telecom, all of which claim they made no such charges.

The bank is absorbing all of the costs - more than $100,000 - and sending new cards to the customers whose accounts were compromised. The FBI and the U.S. Secret Service, meanwhile, report no luck in finding the hackers.

"It's very puzzling," said Steve Boyden, an MBNA spokesman. "There doesn't seem to be any common denominator in these accounts to suggest how someone was able to do this. There's no common thread that we've been able to find."

In the shadowy world of credit-card thievery, traditionally the preserve of crooked merchants and waiters in back rooms, card numbers are traded and sold to thieves who run up thousands of dollars in charges before the owners notice the unusual activity on their statements.

But the latest thieves are a new breed, stealing small amounts thousands of times over - often unnoticed by the victims - and effectively staying under the radar of law enforcement agencies that spend most of their time chasing high-profile rip-offs.

"It's almost the perfect crime, because nobody is getting too angry," said Baltimore attorney Andrew C. White, a former federal prosecutor who specialized in cyber-crime cases. White is representing victims in a class-action lawsuit against online credit card processors who, he says, are not properly safeguarding shoppers' confidential information.

"Millions of people each day place their trust in the security of e-commerce, and what they don't realize is that their information is not being adequately protected," White said. "Not only are people at risk of losing money, but also potentially their identities."

The Sun has tracked the hackers, who have left a tantalizing trail across four continents. They have been charging stolen card numbers in Moscow, sending the proceeds via the Internet to a bank in Slovenia, setting up Web sites registered to an office in Panama, and apparently routing phone calls through a high-tech telephone service in California.

Among the company names that have appeared in the fraudulent credit card charges is Skiftelecom, a telecommunications company in the southwestern Russian city of Stavropol. Hundreds, possibly thousands, of Internet shoppers found charges of $10 to $26 on their credit cards late last summer from Skiftelecom.

"We know very well about this. There is a hacker who uses the name of this company," said Boris Milenin, the financial director of a Russian company that took over Skiftelecom's operations. "A lot of letters came between July and September; now we get a few from time to time. In each case we send an e-mail explaining that it was fraud, they have been cheated and the hacker used the name of our company."

Milenin said he has complained to the Russian Interior Ministry's "R-Service," which investigates high-tech crime. "It's their job to find the hacker," he said.

Alexander Doroshenko, who heads the R-Service, said he was aware of the widespread fraud.

"We suspect it's a Russian hacker, and if he is caught he's going to be put on trial here in Stavropol," Doroshenko said.

The chief hacker may well be Russian, as Doroshenko suspects. But whether he operates out of Russia is a different matter. Many of the charges show up in the names of companies that have Web pages printed in Russian, but which list offices in Panama.

One such Russian company with Panamanian roots is Inetplat, which has shown up on thousands of credit card statements and describes itself as "a service for receiving payment through the Internet for Visa and Mastercard."

In an e-mail response to queries from The Sun, a man describing himself as a security official for the firm denied any involvement in credit card fraud.
