s
s
Sections
Sections
Subscribe
You've read 5 of 15 free articles this month.
Get unlimited access to PressDemocrat.com, the eEdition and our mobile app starting at 99 cents per month.
Already a subscriber?
You've read 10 of 15 free articles this month.
Get unlimited access to PressDemocrat.com, the eEdition and our mobile app starting at 99 cents per month.
Already a subscriber?
You've read all of your free articles this month.
Get unlimited access to PressDemocrat.com, the eEdition and our mobile app starting at 99 cents per month.
Already a subscriber?
We've got a special deal for readers like you.
Get unlimited access to PressDemocrat.com, the eEdition and our mobile app starting 99 cents per month and support local journalism.
Already a subscriber?
Thanks for reading! Why not subscribe?
Get unlimited access to PressDemocrat.com, the eEdition and our mobile app starting 99 cents per month and support local journalism.
Already a subscriber?
Want to keep reading? Subscribe today!
Ooops! You're out of free articles. Starting at just 99 cents per month, you can keep reading all of our products and support local journalism.
Already a subscriber?

It's easier to steal a million dollars a dollar at a time than a million dollars once. So goes an old saying.

If the allegations in a civil case filed in a federal court in Chicago hold up, you can even haul off $10 million if you stick to $9 here or 20 cents there.

The suit, filed in March by the Federal Trade Commission, contends that over at least four years, scammers placed more than $10 million in bogus charges on consumers' credit and debit cards.

Then, the suit says, they moved the money to bank accounts in Lithuania, Estonia, Latvia, Bulgaria, Cyprus and Kyrgyzstan. The suit was filed in U.S. District Court for the Northern District of Illinois.

The scammers evaded detection by keeping each charge under $10 and stealing from each cardholder only once, spreading the theft across more than a million cardholders, the suit says.

The identity of defendants has not been discovered; it may have been only a single "John Doe." All the FTC says it knows are the names of shell companies.

"No one has appeared to defend the companies," said Steven Wernikoff, a trade commission staff lawyer overseeing the case.

When the commission filed a motion to seize the U.S. assets of the companies, less than $100,000 was recovered. It hopes to recover sums transferred abroad, but Wernikoff said that "it's going to take some time."

Most of the fraudulent charges that appeared on victims' statements were for $9, but at different times, charges of just 20 cents were favored, Wernikoff said. Maybe the scammers should have stuck with $9: "There were more complaints about the 20-cent charges because they looked really odd," he said.

When the complaints eventually piled up, the trade commission began investigating.

The scheme depended upon the scammers persuading banks that they had a legitimate business so that they could secure merchant accounts through which the credit card charges were routed, the suit says; false storefronts were set up on the Web, pretending to sell electronics or office supplies, in case a bank investigated.

The perpetrators also rented a street address from a company that provided that service and had their mail forwarded to another company that scanned and forwarded it a second time as e-mail, the suit says.

"One thing that the banks can do a better job at is vetting merchants much more carefully," said Avivah Litan, an analyst at Gartner Research. "That's been a weak spot for many years."

Wells Fargo deserves credit for checking merchant references that helped uncover the problem. The perpetrators used stolen identities, with names, Social Security numbers and addresses of seemingly random individuals, the suit says.

Daniel Fuchs, a deputy attorney general in California, was surprised to receive a call one day from Wells Fargo about a merchant account application filed in his name. (When you steal identities, it might be best to stay away from the staff at the attorney general's office.) By law, consumers are liable for no more than $50 in fraudulent charges on a credit card and no more than $500 in fraudulent charges on a debit card, if reported by specified deadlines. But in practice, most major banks offer full protection from losses attributable to fraud. Someone must first identify the fraud, however.

If a credit card is physically swiped in the transaction, the bank that issued the card is on the hook for fraudulent charges. If it is a phone or Internet purchase -- called a card-not-present transaction -- the bank that hosted the merchant account that received the ill-gotten charges must make restitution, said Litan, the Gartner analyst.

That means the bank that issues credit cards has little motivation to be greatly concerned about online fraud. Lisa Westermann, a spokeswoman for Wells Fargo, said her bank used numerous measures to prevent fraud but could not discuss them because "doing so might compromise our ability to prevent/stop fraud."

According to the suit, the scammers used more than 100 names for their merchant accounts, names that might have looked vaguely familiar. If you tried to call the toll-free number that was listed, you would not have reached a human being. But the amount in question was so small that you might have shrugged when you failed to receive a call back after leaving a message.

Credit card companies do not make it easy for consumers to recognize fishy charges. The monthly statements' description of each transaction -- the "merchant descriptor"-- is frustratingly brief.

"We only have 26 to 28 characters to work with" for a business description on a statement, said Debra Rossi, head of merchant business at Wells Fargo. "We're limited by Visa and MasterCard's legacy systems."

A spokeswoman for MasterCard declined to say what prevented her company from expanding merchant descriptors. But Rosetta Jones, a spokeswoman for Visa, said: "If there is marketplace demand and our partners are interested in expanding the merchant descriptor, Visa has the capability to enhance what it provides financial institutions with expanded details and character length for use in cardholder statements."

It is impossible to determine which financial institutions are holding things up, but no one has offered any technical reason why we are not provided with better descriptions. The Web offers the ability for card-issuing banks to provide cardholders with a much fuller portrait of every merchant, including its line of business.

In the government's narrative of events, the scammers in the Illinois case shrewdly understood how little information was provided to cardholders on their statements. A one-time mystery charge of $9 would be met with a shrug, about a million times.

Micro fraud, macro returns.