--- begin forwarded text
Delivered-To: [EMAIL PROTECTED]
Date: Thu, 4 Aug 2005 09:33:22 -0400
To: Philodox Clips List <[EMAIL PROTECTED]>
From: "R.A. Hettinga" <[EMAIL PROTECTED]>
Subject: [Clips] At Online Stores, Sniffing Out Crooks Is a Matter of Survival
Reply-To: [EMAIL PROTECTED]
Sender: [EMAIL PROTECTED]

<http://online.wsj.com/article_print/0,,SB112311786883304593,00.html>

The Wall Street Journal

August 4, 2005
PAGE ONE

At Online Stores, Sniffing Out Crooks Is a Matter of Survival

Mr. Kugelman Gets Scammed By a Web-Site Customer; A $3,077 Platinum Chain

By MITCHELL PACELLE
Staff Reporter of THE WALL STREET JOURNAL
August 4, 2005; Page A1

LYNBROOK, N.Y. -- Six years ago, Neil Kugelman found himself puzzling over the very first customer to arrive at the Web site he had launched to sell jewelry online.

The order: a $496 men's diamond ring. The North Carolina address didn't match the address tied to the credit card. The shipping address was different still. Mr. Kugelman tried to telephone the customer, but the number didn't work. His email bounced back. He was no expert on fraud, but neither was he born yesterday. He spiked the order.

"Our first order -- order No. 1 -- was fraudulent," he marvels.

Since then, as family-controlled Goldspeed.com Inc. grew from a basement start-up to a 10-person operation that fills more than 50,000 orders a year, Mr. Kugelman has taught himself to regard each and every customer as a potential online crook -- and with good reason. He says fraudulent orders have risen to a staggering 30% of the total, up from just 5% when he started.

Over the years, Mr. Kugelman, 44 years old, got so good at sniffing out the cons that just 0.5% of his sales were lost to fraud. But a run-in he had seven months ago with a cagey crook who ordered $8,384 of flashy jewelry -- and stuck him with his largest fraud loss ever -- has left him worried that the bad guys are now gaining the upper hand. The tale of Mr. Kugelman's unsuccessful effort to discover the fraud, despite his suspicions, shows the increasing perils faced by the burgeoning online retail industry.

For Mr. Kugelman and other Internet retailers, ferreting out bogus orders is a matter of survival. When a crook uses a stolen credit card in a traditional store, and the store follows proper procedures, the card-issuing bank usually swallows the loss. For online retailers, the tables are turned. Credit-card association rules dictate that merchants who accept charges from cyberspace, a riskier endeavor, must also shoulder the risk of fraud.

When Mr. Kugelman began peddling everything from pearl earrings to thick gold chains over the Internet in 1998, his biggest problem was simple credit-card fraud: the use of stolen account numbers. The bogus orders were often glaringly obvious. Fraudsters ordered big and requested next-day shipping. They left fake phone numbers. They placed odd orders, such as for two engagement rings. Mr. Kugelman designed a computer system to screen incoming orders for such red flags and to bounce suspicious ones into human hands.

Over time, the crooks got better. More of them stole whole identities, using purloined personal information to set up entirely new credit-card accounts. They used untraceable cellular phones, and avoided making oversized orders. When Mr. Kugelman phoned them with questions, they didn't get rattled. He fine-tuned his system, incorporating proprietary scoring guidelines based on such information as what kind of jewelry is ordered and from what part of the country the order originates.

Late last year, he says, the fraudsters upped the ante. All of a sudden, Goldspeed.com was getting orders that showed no obvious signs of fraud on his computer-screening system, but seemed suspicious nonetheless. On Jan. 9, for example, when a customer placed separate orders on the same day, he thought "something looked wrong."

A Vincenza Wells of Detroit had ordered a $1,199 Aqua Master men's diamond watch. Four minutes later, the same customer ordered a $1,259 men's diamond and tanzanite ring. The Bank One Visa credit-card number she supplied was good for the full amount, and she had provided the validation code from the back of the card. Visa's address verification system showed a match. But the order's size, and the strange two-step ordering, had Mr. Kugelman's radar up.

The next day, he called the card issuer, J.P. Morgan Chase & Co., which had acquired Bank One. He says a bank representative confirmed that the name, address and phone number on the order matched the bank's own account information, except for one small detail about the address. Mr. Kugelman called his customer, who explained the disparity to his satisfaction.

Mr. Kugelman called back the bank representative with the revised information. She told him that bank security had phoned Ms. Wells separately, and verified her identity. Still wary, Mr. Kugelman tested the card number again to see if it had been maxed out, a hallmark of identity theft. It hadn't. So he released the watch and ring for shipment.

That afternoon, the same customer phoned in a third high-ticket order for a $3,077 men's platinum chain and a $2,849 diamond engagement ring. Again, the Visa card was good for the full amount. Goldspeed shipped both items to Detroit, bringing Ms. Wells's total bill, with shipping, to $8,432.

More than 100 miles from Detroit, in Sandusky, Ohio, the real Vincenza Wells, proprietor of the Seacrest Motel, had no idea someone was running up thousands of dollars of bills in her name. Last August, she had received a phone call, purportedly from her cable company, offering her three months of free service if she paid her bill in full a month early. She happily provided credit-card information, her Social Security number and other personal information. The caller was a crook.

Shortly thereafter, Bank One alerted her to questionable charges, and she canceled her card. In April, another bank representative called her to inquire about some $15,000 in unpaid credit-card bills. She responded that she didn't even have a card any more.

"These people had opened new accounts in my name," she explained recently, expressing astonishment that, given the previous fraud, J.P. Morgan had opened a new account in her name with a new address. To set up the account, the fraudsters apparently used the personal information that she had been tricked into providing over the phone.

A spokesman for J.P. Morgan said the bank doesn't discuss individual cardholder situations, but that it has "a financial stake in stopping all fraud before it happens." Michael Cunningham, head of fraud prevention at J.P. Morgan's card division, said: "We take a lot of pride in our ability to detect identity theft. We don't catch 100% of it."

On April 7, Mr. Kugelman learned for the first time, from a J.P. Morgan investigator, that the jewelry charges were fraudulent, the result of identity theft. For reasons that weren't made clear to Mr. Kugelman, the bank opted to saddle him with only a portion of the loss, $5,950, the amount of the third order. Days later, Mr. Kugelman's bank credited the money back to J.P. Morgan.

Mr. Kugelman protested, citing his discussions about the order with the bank, and J.P. Morgan eventually brought the case to a Visa arbitration panel set up to mediate such disputes. In June, Visa arbitrators ruled that Mr. Kugelman would have to eat the loss. A spokeswoman for Visa declined to comment on the case, but noted that Visa is developing procedures to reduce such charge-backs to online merchants.

Mr. Kugelman says his fraud numbers are going up, in part because it's so hard for him to recognize crooks with stolen identities.

He says he doesn't know how much the increased vigilance is costing him, but in February, he reassigned a staffer to work exclusively on detecting credit-card fraud.

"The job has gotten harder and our systems have gotten more sophisticated," he says. "But it's a cat-and-mouse game. As we get better, they get better."

--
-----------------
R. A. Hettinga <mailto: [EMAIL PROTECTED]>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

--- end forwarded text