The Fraud – the fact and the conjecture

28th May 2010

It’s a pleasant place to have a meal before or after the opera. The hotel is busy and around the corner is a "Theatre Pub". The burghers gather on the sidewalks to participate in the bustle of life in a city in West Germany's Ruhr. It’s a pleasant place between the rain showers that often turn it a drab tone. University students flock here to let off a little steam, adding to the entertainment.

The trade in the rustic restaurant is brisk and the payments for goods and service are continuous throughout the evening. Nobody thinks about serious matters and it’s good to laugh with friends.

A short distance away from the main pavement a man enjoys the revelry and he sips a drink while casually checking his iPhone. Streaming on screen are the payment records transmitted to it over a Wi-Fi wireless broadband connection to the eftpos point of sale (POS) machine at the restaurant. It filters the information into a spreadsheet application to record the compromised credit cards meticulously. Entered are the card expiry dates and the credit card numbers. The credit card owners’ names are as important, but later on these will be filtered out and replaced with new ones. The owners have no idea that their cards are skimmed in a chain of events with disturbingly expensive repercussions days later and half a world away.

‘Card skimming’ is the illegal copying of information from the magnetic strip of a credit or ATM card. Stealing credit card details to access accounts is a highly organised activity, so I am told. Once scammers have skimmed your card, they can create a fake or ‘cloned’ card with your details on it. The scammer is then able to run up charges on your account when presenting it to merchants who accept credit cards at the point of sale.

Card skimming is also a way for scammers to steal your identity (your personal details) and use it to commit identity fraud. By stealing your personal details and account numbers the scammer may be able to borrow money or take out loans in your name before vanishing.

An evening of entertainment in West Germany will see the stolen information misused another way in a carefully orchestrated sting on a business in Australia.

The waiter serves the man once more, accepts cash payment and hands over a receipt on which are the listed names with CSC numbers. The card skimmer types the three-digit numbers into the spreadsheet fields to finalise the records on the iPhone and then he zips an archive and attaches it to an email. No subject line, no body text and then he clicks on the screen to send before casually walking into the evening away from the entertainment.

Moments later in an Eastern European country someone connects to a gmail account and the archived file is opened to reveal its array of stolen credit cards destined for a very brief reappearance in the digital ‘unsighted card’ world far away. Online purchases are made 'card unsighted' via web forms regularly used by businesses to sell items they list on their web sites in shopping carts. Such a shopping cart facility is backed by special arrangements by all major banks like the ANZ in Australia.

Earlier that same day an account in a bank at Jakarta in Indonesia was arranged with online administration privileges to deposit and withdraw funds electronically. The account was made from Kuala Lumpur in Malaysia by someone waiting on an email from Eastern Europe that would contain an attachment of clean, as yet unused, credit card details. They were acquired online via an untraceable gmail account using funds in the Seychelles. The cards purchased this way are pre-tested and are a good buy because no digital footprint is made, as there is when a scammer buys a parcel via forums that trade in stolen credit cards.

29th of May 2010

Using the Indonesian telephone directory the man in Malaysia made a list of names and addresses to allocate to the credit cards. Now that he has the credit cards he makes his choices. He allows himself one credit card that would be used for a small amount to establish trust. A purchase of under $250 and then a larger purchase is the first thing to do. It was time to apply the bait and play the line; a fishing line. He laughs at the ironic idea and the synchronising of everything he plans to proceed with.

During the preceding days the man in Malaysia studied the Zaadstra Art Studio web site in Tasmania. He decided it had several methods of trading worth exploiting. Having the ANZ eGate gateway for accepting orders online was a gift and certainly worth exploiting. Obviously the merchant enjoys administration rights taking orders online from 'sight unseen' credit card customers. The man in Kuala Lumpur will be a customer too.

Another advantage is in the trading terms committing the merchant to sending approved transactions straight away. It means that he can time the sting in the three or four weeks open to him before the banking credit card reporting cycle comes around, and he'd be somewhere else by then.

The first step is to make a purchase of a book of art via the Zaadstra Art Studio online purchase form. The purchase order will enter a database on the art studio server and the redirection to the ANZ eGate payment gateway is instant. Then he enters the credit card details as per normal procedures, but a deliberate mistake means he must wait for an enquiry response from the merchant, which comes in the same day. Then in reply he’ll email via a gmail account a purchase request for a book of art called The Artist and the Fly Fisher, hinting at his interest in it, and apologise for his purchase entry error. To facilitate a speedy resolution he gives his credit card details and asks the merchant to proceed with the book order. A trust is quickly established with a successful transaction, and, as the purchase is small, it will not draw any attention and he can pretend to enjoy the book, which is conveniently showcased online by the studio. There's an art in scamming for trust.

Early June 2010

Instantly, with the actual transaction approval, comes the bank 'authorisation' number for the purchase that is issued to the Zaadstra Art Studio by the ANZ for each credit card sale. The book of art is posted right away on receipt of this bank 'authorisation' notice. It is addressed to a person in Indonesia and no red flags appear. The art merchant feels OK about the deal and having a new client in Indonesia to nurture.

The man in Malaysia then proceeds to seed the idea that he’d like to order three books and a limited edition too. It’s for friends of his who are really impressed by the art, and, as he’s expending time, he suggests adding a commission fee. The credit card payment details are emailed, along with directions on which invoices are to be drawn on the various clients’ names and addresses supplied. The commission as solicited should be paid into the account in Indonesia.

The following Sunday, with bank approvals and payment authorisations correctly processed, the man in Malaysia says he’s got an enquiry about the original art and that he might be able to sell them for the studio. We suggest emailing digital photographs, which may be helpful to see if a satisfactory arrangement can be made to all parties.

In a reply email he says there is strong interest in two 'fly fishing' paintings and a price should be supplied to which he would add commission as acting agent in Indonesia. Meanwhile the previous purchases are in Indonesia and the outstanding commission may be paid to him as everyone is happy.

Middle of June 2010

Another email from the man in Malaysia then orders a box of books and 4 exclusive editions which should be valued much higher due to their unique value. His fees are the difference asked by the studio and the final asking price. Invoices should reflect the full payments. All freight and insurances are to be added in the total to ensure the merchant is not out of pocket.

In the third week of June the man in Malaysia sends another email with various credit cards with Indonesian names of the clients he is representing for the merchant to process. This process goes smoothly and all approvals for the transactions and their authorisation numbers are issued by the ANZ bank. The money arrives in the studio bank account shortly afterwards.

Next day the boxes of books are posted and the paintings crated off to Indonesia with a note that all customs duties are for the receiver to take care of as directed by the agent. The Zaadstra Art Studio manages to keep their side of the arrangements in the terms and conditions as stated on the web site, the very terms vetted by the ANZ eGate ecommerce supervising team that originally advised the new merchant when he was given the special privileges to trade online.

Towards the end of June 2010

TNT phoned about customs and some issues arising about receivers of the crates of art. It was on a Monday and an email to the agent advising him of the issues at customs received a response that he’d attend to it the next day. From then on the gmail failed and the agent’s phone number was a fax machine somewhere unknown.

In Kuala Lumpur the man proceeds to once again administer the Jakarta bank account by transferring the last of the funds to the Seychelles bank account, an activity he has been doing daily for varying amounts below the $10,000 threshold to avoid flagging the account as suspect. From the Seychelles, bank transfers move funds on a daily basis into Eastern Europe by administration of the account routed through a server in Finland. Any trace route enquiry would find itself pointed to a continuous loop around the world from there on. The man in Malaysia checks to find that a payment is made to his personal account and then he receives another archived file of unused credit cards skimmed in another distant city in Europe. He plans to use them on the unsuspecting hospitality operators in the North West of Tasmania. It’ll be easy to do because the merchants are advised by the ANZ and several other banks, and so the businesses are blissfully under-educated about their exposure to fraudulent payments and refunds. Merchants simply do not grasp the risks of this type of fraud that they face daily. Scamming is an art.

Using a new gmail account he pretends to represent a tour group from the Philippines who will all pay in advance as individuals. He'll say that it is a normal arrangement and part of their customs. Western countries are paranoid of causing offence, especially to Asians and Muslims, so it'll be accepted without question. But unfortunately the group has been quarantined overseas with malaria and could a refund minus expenses and booking fees be made to the agent’s bank in Manila. He’ll refund to his clients and he’s most contrite. Life can deal such cruel blows. Maybe next time it’ll be better for everyone as all love to travel to Tasmania. He chuckles and begins the ruse straight away. It’s the 30th of June and the window for fraud closes in three to four weeks. Scamming is a fine art indeed, he thinks.

Early July 2010

1st of July and the ANZ bank raid the trading account of the Zaadstra Art Studio, taking every 'scamming' credit card transaction for the June month. They didn’t need any authorisation to do that and the merchant is not officially informed of their action. The Zaadstra Art Studio is a partnership and one partner has had no communication about any of these issues from anyone. The ANZ bank’s failure to contact the partner is unconscionable and deeply distressing. As a merchant he feels sullied and soiled as if he's the criminal, both judged and pilloried by a faceless determination within the ANZ banking system.

The artworks remain in customs and a huge duty is levied on them. They’ll remain in customs because no funds are available to have them returned. The other merchandise is also lost in the yawning chasms of an Indonesian postal chaos, mailed to persons who might not even exist.

The above story actually happened and it is factual in the matters of the Zaadstra Art Studio. The rest is surmising and conjecture based on the 'Geo' Tracker of the studio web site and the 'hit' clusters of visits from Malaysia, Seychelles and Eastern Europe over the month of May and June 2010.

The distressed phone calls from Germany made by the skimmed credit card holders are indications that this story is probably true in the skimming details, although the actual skimming POS machine may be somewhere else. The web site's Geo Tracker recorded a Germany spike on the 1st and 2nd of July 2010 as the bank credit card statement cycle arrived.

In writing this story I hope to convey an almost incomprehensible reality; “How can it be possible for this fraud to be so easy to do?”

I believe the ANZ bank attempts to control an electronic financial transaction system that is so screwed up that every merchant exposed to it is risking their business and house and marriage and sanity.

I know now that as a merchant I have few rights. I feel so violated by my own bank that I am closing down the online account and reassessing the contemporary landscape wondering what to do now.

Finally, I can say that our art studio gets solicited to do business overseas every week. We always reject these suspect orders and all approaches until this one came along. This order came to us through the accredited system that was vetted by the ANZ bank that processes online sales. It was very believable and paying commissions to agents is an everyday thing during my 40 years in the art game.

And please note:

‘Credit cards don’t need the card holders’ names to be used for purchasing stuff’.

But the morally twisted know that already, it’s just that I never knew until now.

The supposedly affirming relationship of credit card name, card number, card expiry date and security certification numbers with back-end bank authorisations of all transactions is a mess, open to the widest abuse, and online merchants can have no confidence in the banking system that encourages such dicey online trading to go on. In my opinion the bank's authorisation of a transaction is worthless dross and not affirmation at all.

9th July 2010

Addendum: I have been officially informed by the bank. The merchant is to carry the entire cost. No joy from the investigators either. It seems this is a common crime and that Tasmania is targeted by overseas criminals in a concerted push to extract as much as they can get away with. Nobody I talked to has an answer except to say that it is best to get out of trading online.

And that's why I think the banks are covering up a very dodgy electronic payment system which they encourage onto merchants who get screwed at every turn by simply doing business as honestly as they can.

Conclusion

This ©Zaadstra story is based on real hard fact and added are imagined scenes to make sense of a hit on our business. We've been conned and hung out to dry by experts hiding the starkest facts that the ordinary merchant is open to every form of abuse by monetary, psychological and physical/emotional means. If perchance you read this and you are a merchant online and continue to trade online then 'God bless' because no-one else will.

Story authored by Pieter Zaadstra© July 2010
Story vetted by IT consultants in America and Australia
Story based on fact and Tasmanian police information
Story open to public discourse and dissemination