Virtual Crooks Committing Very Real Crimes

R eal world bad guys have discovered how to put an old scam to work on the Internet. Security holes in the Authorize.net payment processing system enabled hackers to access merchant accounts and steal thousands of dollars in just minutes.

According to MSNBC.com, the virtual thieves broke into the online merchant accounts using only a password to "virtually" return merchandise. The funds are issued as credits to fraudulent debit cards and then can be withdrawn at ATMs. In some instances, credits have been issued to account numbers that differ from the account that originally was charged, allowing criminals to move large sums of money from one stolen credit card to a second card, then liquidate the balance.

Authorize.net is the largest Internet payment-processing company, and the flaws in its security system made the 120,000 merchants it represents particularly vulnerable. Only a user name and password are needed to access those accounts, and for motivated hackers, it doesn't take long to figure out how to put that information to work for them.

The scam has been used by criminals for years. It's called a credit-back scheme and, back in the old days, the criminals had to physically break into a store and manually refund that merchant's legitimate charges to their own debit cards. They then would have to hurry to ATMs to access the cash before the merchant discovered the losses.

The Internet has made life a little simpler in some ways, and that goes for those who live a life of crime as well. Using online virtual merchant accounts to run the credit-back scam makes things considerably more convenient and anonymous - the time constraint for running the online version of the scam is not as restrictive, and tracing the origin of the action is difficult.

It's much less risky than using bad credit cards to buy merchandise online, which then requires an address for shipping and can be traced.

The MSNBC.com report said that CardCops.com, a Web resource covering Internet fraud issues, was contacted by a 14-year-old from New York City who warned about the scheme. The boy said he has friends who are able to fraudulently access $1,000 to $3,000 with very little risk.

Authorize.net recently processed 8 million transactions valued at $600 million for its merchant accounts in a three-month period.

A study released in early March 2002 by GartnerG2, a research service for business strategies, said online fraud losses for 2001 were 19 times higher than fraud losses incurred from offline purchases.

Fraudulent online sales cost merchants $700 million, equivalent to 1.14 percent of total annual online sales of $61.8 billion for the year. The study also reported that one in 20 consumers has been a victim of credit card fraud in the past year and that one in 50 has been a victim of identity theft.

VISA and MasterCard both are offering card-protection programs for their consumer cardholders. With the Verified by VISA program, cardholders must use a password with the card number when making online purchases, making the card number useless without it. MasterCard's system requires consumers to download a special software key that merchants use to verify their identity.

The GartnerG2 study recommended that the card companies lower their fees to merchants to gain more widespread adoption of the systems.