s
s
Sections
We don't just cover the North Bay. We live here.
Did You Know? In the first 10 days of the North Bay fire, nearly 1.5 million people used their mobile devices to visit our sites.
Already a subscriber?
iPhone
Wow! You read a lot!
Reading enhances confidence, empathy, decision-making, and overall life satisfaction. Keep it up! Subscribe.
Already a subscriber?
iPhone
Oops, you're out of free articles.
Until next month, you can always look over someone's shoulder at the coffee shop.
Already a subscriber?
iPhone
We don't just cover the North Bay. We live here.
Did You Know? In the first 10 days of the North Bay fire, we posted 390 stories about the fire. And they were shared nearly 137,000 times.
Already a subscriber?
iPhone
Supporting the community that supports us.
Obviously you value quality local journalism. Thank you.
Already a subscriber?
iPhone
Oops, you're out of free articles.
We miss you already! (Subscriptions start at just 99 cents.)
Already a subscriber?
iPhone

It's easier to steal a million dollars a dollar at a time than a million dollars once. So goes an old saying.

If the allegations in a civil case filed in a federal court in Chicago hold up, you can even haul off $10 million if you stick to $9 here or 20 cents there.

The suit, filed in March by the Federal Trade Commission, contends that over at least four years, scammers placed more than $10 million in bogus charges on consumers' credit and debit cards.

Then, the suit says, they moved the money to bank accounts in Lithuania, Estonia, Latvia, Bulgaria, Cyprus and Kyrgyzstan. The suit was filed in U.S. District Court for the Northern District of Illinois.

The scammers evaded detection by keeping each charge under $10 and stealing from each cardholder only once, spreading the theft across more than a million cardholders, the suit says.

The identity of defendants has not been discovered; it may have been only a single "John Doe." All the FTC says it knows are the names of shell companies.

"No one has appeared to defend the companies," said Steven Wernikoff, a trade commission staff lawyer overseeing the case.

When the commission filed a motion to seize the U.S. assets of the companies, less than $100,000 was recovered. It hopes to recover sums transferred abroad, but Wernikoff said that "it's going to take some time."

Most of the fraudulent charges that appeared on victims' statements were for $9, but at different times, charges of just 20 cents were favored, Wernikoff said. Maybe the scammers should have stuck with $9: "There were more complaints about the 20-cent charges because they looked really odd," he said.

When the complaints eventually piled up, the trade commission began investigating.

The scheme depended upon the scammers persuading banks that they had a legitimate business so that they could secure merchant accounts through which the credit card charges were routed, the suit says; false storefronts were set up on the Web, pretending to sell electronics or office supplies, in case a bank investigated.

The perpetrators also rented a street address from a company that provided that service and had their mail forwarded to another company that scanned and forwarded it a second time as e-mail, the suit says.

"One thing that the banks can do a better job at is vetting merchants much more carefully," said Avivah Litan, an analyst at Gartner Research. "That's been a weak spot for many years."

Wells Fargo deserves credit for checking merchant references that helped uncover the problem. The perpetrators used stolen identities, with names, Social Security numbers and addresses of seemingly random individuals, the suit says.

Daniel Fuchs, a deputy attorney general in California, was surprised to receive a call one day from Wells Fargo about a merchant account application filed in his name. (When you steal identities, it might be best to stay away from the staff at the attorney general's office.) By law, consumers are liable for no more than $50 in fraudulent charges on a credit card and no more than $500 in fraudulent charges on a debit card, if reported by specified deadlines. But in practice, most major banks offer full protection from losses attributable to fraud. Someone must first identify the fraud, however.

If a credit card is physically swiped in the transaction, the bank that issued the card is on the hook for fraudulent charges. If it is a phone or Internet purchase -- called a card-not-present transaction -- the bank that hosted the merchant account that received the ill-gotten charges must make restitution, said Litan, the Gartner analyst.

That means the bank that issues credit cards has little motivation to be greatly concerned about online fraud. Lisa Westermann, a spokeswoman for Wells Fargo, said her bank used numerous measures to prevent fraud but could not discuss them because "doing so might compromise our ability to prevent/stop fraud."

According to the suit, the scammers used more than 100 names for their merchant accounts, names that might have looked vaguely familiar. If you tried to call the toll-free number that was listed, you would not have reached a human being. But the amount in question was so small that you might have shrugged when you failed to receive a call back after leaving a message.

Credit card companies do not make it easy for consumers to recognize fishy charges. The monthly statements' description of each transaction -- the "merchant descriptor"-- is frustratingly brief.

"We only have 26 to 28 characters to work with" for a business description on a statement, said Debra Rossi, head of merchant business at Wells Fargo. "We're limited by Visa and MasterCard's legacy systems."

A spokeswoman for MasterCard declined to say what prevented her company from expanding merchant descriptors. But Rosetta Jones, a spokeswoman for Visa, said: "If there is marketplace demand and our partners are interested in expanding the merchant descriptor, Visa has the capability to enhance what it provides financial institutions with expanded details and character length for use in cardholder statements."

It is impossible to determine which financial institutions are holding things up, but no one has offered any technical reason why we are not provided with better descriptions. The Web offers the ability for card-issuing banks to provide cardholders with a much fuller portrait of every merchant, including its line of business.

In the government's narrative of events, the scammers in the Illinois case shrewdly understood how little information was provided to cardholders on their statements. A one-time mystery charge of $9 would be met with a shrug, about a million times.

Micro fraud, macro returns.

Show Comment