Under Development

Posted on 4 Mar 2008 at 14:59

 

Gallery

Card sharp

The big question was how the perpetrator had got hold of Jeff's credit card details. Surely, to spend money online like that, you'd need a name, address, card number, expiry date and CV2 number? And to get all that would require a fair degree of carelessness or a major security breach. Which, in relation to EJ, would be of interest to me, as he'd hold me responsible, and that was not a pleasant prospect.

Jeff cancelled his card and got the card company to issue a new one. He'd have got the "girl" to do it, but credit card companies will only deal with the card holder.

Fortunately, there didn't appear to be any other unauthorised expenditure. Which is actually quite weird. Think about it; if you were a criminal and you had every detail you needed to use someone else's card, you'd be off on a short but spectacular internet spending spree. Particularly with a big credit limit like Jeff's.

Checks of Jeff's PC and the rest of his network revealed no trace of a keylogging program or other spyware. Phew! I don't think Jeff was convinced, though.

He wanted an explanation, so on my next visit we called the card company's security department to see if they could throw any light on it. A man took all the details.

A week later, Jeff got a letter with an apology (of sorts), saying that the four charges - a mere flea bite on Jeff's mighty bank balance - had been refunded. So we called the card security people again.

"Ah," said the man. "I can assure you that this was definitely not done by identity theft."

"So the computer system isn't to blame?" I asked, and he reiterated that it wasn't.

The numbers game

"So how was it done?" I asked, and this is more or less what he told me.

The criminals generate credit card numbers randomly. "What use is that?" I hear you ask. That's what I asked. The man said they test the numbers using certain 'known websites' that have poor security checks. The criminal chooses a website that allows you to put in the credit card details, usually for an online service rather than physical goods. The site then approves the transaction and asks the user to confirm, and the criminal answers 'No'. You now know that the card number works but, having spent no money, you leave no trace.

Apparently about one in a hundred numbers actually gets a positive result. You can then use the known working number to acquire a legitimate service. "But what about the address and CV2 number details?" I asked.

"Well," said the man, "there are quite a number of sites that ask you to enter those details but don't actually check them."

I don't know how true this is, but that's what I was told. If it is correct, I'm amazed that such lax checking is tolerated as it must cost the credit card companies a fortune. It does explain the absence of the spending spree, though, as for most sites with properly structured security the scam wouldn't work.

Still, all's well that ends well, and Jeff is a happy bunny once more. He even bought me dinner, which was perhaps his way of saying thank you without actually uttering the dreaded words. I did notice, however, that he paid in cash!

Author: David Robinson