It's easier to steal a million dollars a dollar at a time than a million dollars once. So goes an old saying.
If the allegations in a civil case filed in a federal court in Chicago hold up, you can even haul off $10 million if you stick to $9 here or 20 cents there.
The suit, filed in March by the Federal Trade Commission, contends that over at least four years, scammers placed more than $10 million in bogus charges on consumers’ credit and debit cards. Then, the suit says, they moved the money to bank accounts in Lithuania, Estonia, Latvia, Bulgaria, Cyprus and Kyrgyzstan. The suit was filed in United States District Court for the Northern District of Illinois.
The scammers evaded detection by keeping each charge under $10 and stealing from each cardholder only once, spreading the theft across more than a million cardholders, the suit says.
The identity of defendants has not been discovered; it may have been only a single “John Doe.” All the F.T.C. says it currently knows are the names of shell companies.
“No one has appeared to defend the companies,” said Steven M. Wernikoff, a trade commission staff lawyer overseeing the case.
When the commission filed a motion to seize the United States assets of the companies, less than $100,000 was recovered. It hopes to recover sums transferred abroad, but Mr. Wernikoff says that “it’s going to take some time.”
Most of the fraudulent charges that appeared on victims’ statements were for $9, but at different times, charges of just 20 cents were favored, Mr. Wernikoff said. Maybe the scammers should have stuck with $9: “There were more complaints about the 20-cent charges because they looked really odd,” he said.
When the complaints eventually piled up, the trade commission began investigating.
The scheme depended upon the scammers persuading banks that they had a legitimate business so that they could secure merchant accounts through which the credit card charges were routed, the suit says; false storefronts were set up on the Web, pretending to sell electronics or office supplies, in case a bank investigated.
The perpetrators also rented a street address from a company that provided that service and had their mail forwarded to another company that scanned and forwarded it a second time as e-mail, the suit says.
“One thing that the banks can do a better job at is vetting merchants much more carefully,” said Avivah Litan, an analyst at Gartner Research. “That’s been a weak spot for many years.”
Wells Fargo deserves credit for checking merchant references that helped uncover the problem. The perpetrators used stolen identities, with names, Social Security numbers and addresses of seemingly random individuals, the suit says.
Daniel Fuchs, a deputy attorney general in California, was surprised to receive a call one day from Wells Fargo about a merchant account application filed in his name. (When you steal identities, it might be best to stay away from the staff at the attorney general’s office.)
By law, consumers are liable for no more than $50 in fraudulent charges on a credit card and no more than $500 in fraudulent charges on a debit card, if reported by specified deadlines. But in practice, most major banks offer full protection from losses attributable to fraud. Someone must first identify the fraud, however.
If a credit card is physically swiped in the transaction, the bank that issued the card is on the hook for fraudulent charges. If it is a phone or Internet purchase — called a card-not-present transaction — the bank that hosted the merchant account that received the ill-gotten charges must make restitution, said Ms. Litan, the Gartner analyst.
That means the bank that issues credit cards has little motivation to be greatly concerned about online fraud. Lisa B. Westermann, a spokeswoman for Wells Fargo, said that her bank used numerous measures to prevent fraud but could not discuss them because “doing so might compromise our ability to prevent/stop fraud.”
According to the suit, the scammers used more than 100 names for their merchant accounts, names that might have looked vaguely familiar. If you tried to call the toll-free number that was listed, you would not have reached a human being. But the amount in question was so small that you might have shrugged when you failed to receive a call back after leaving a message.
Credit card companies do not make it easy for consumers to recognize fishy charges. The monthly statements’ description of each transaction — the “merchant descriptor”— is frustratingly brief. Consumers may regard some charges suspiciously, but they soon learn that being overzealous, reporting legitimate transactions at unrecognized merchants, wastes time and brings a measure of embarrassment.
“We only have 26 to 28 characters to work with” for a business description on a statement, said Debra B. Rossi, head of merchant business at Wells Fargo. “We’re limited by Visa and MasterCard’s legacy systems.”
A spokeswoman for MasterCard declined to say what prevented her company from expanding merchant descriptors. But Rosetta Jones, a spokeswoman for Visa, said: “If there is marketplace demand and our partners are interested in expanding the merchant descriptor, Visa has the capability to enhance what it provides financial institutions with expanded details and character length for use in cardholder statements.”
It is impossible to determine which financial institutions are holding things up, but no one has offered any technical reason why we are not provided with better descriptions. The Web offers the ability for card-issuing banks to provide cardholders with a much fuller portrait of every merchant, including its line of business.
In the government’s narrative of events, the scammers in the Illinois case shrewdly understood how little information was provided to cardholders on their statements. A one-time mystery charge of $9 would be met with a shrug, about a million times. Micro fraud, macro returns.
Randall Stross is an author based in Silicon Valley and a professor of business at San Jose State University.