National Fraud Information Center/Internet Fraud Watch, Division of the National Consumers League
Tips, examples and statistics debunking common frauds and schemes. Users can submit reports of scams to the Fraud Center for investigation.
National Consumers League, Washington, D.C.-based consumer advocacy group
Reports and guides on common consumer issues, including fraud and the technologies making business (and theft) fraud easier.
fbi.gov/majcases/fraud/fraudschemes.htm
FBI Common Fraud Schemes
Federal listing details several ongoing scams, providing examples and tips to detect fraudulent solicitors.
Internet Crime Complaint Center, partnership between the FBI and the National White Collar Crime Center
Victims of Internet fraud can file official complaints, which are referred to authorities at federal, state, local and international levels.
Fighting Back Against Identity Theft.
Federal Trade Commission site instructs victims of identity theft on the steps to take after being scammed, from placing a fraud alert on credit reports to filing reports with local and federal authorities.
The Patriot Ledger
Kathleen Drew is a two-time victim of digital pickpockets. Drew, a jewelry designer from Boston, had a pair of her credit card accounts hacked into during the past three years, and was forced to order replacement cards and set up automatic payments for up to 15 monthly bills.
“It was an aggravation that I didn’t need,” she said.
What’s a hassle for Drew and thousands of other Massachusetts residents each year is a small piece of the picture for the retail and banking industries and their intermediaries, the credit card processors, which handled an estimated $2 trillion in card transactions last year.
“The amount of fraud is such a tiny proportion of the total transactions that the banks and the credit card companies regard it as a cost of doing business,” said Lewis Mandell, a University of Buffalo finance professor.
But now banks, which are liable for absorbing an estimated $2 billion a year in phony charges, are pushing for new state and federal laws and pressuring credit card companies to fine merchants that violate industry security practices.
Nearly 4,000 Bay State residents reported identity thefts in 2005, according to the Federal Trade Commission. Credit card fraud accounted for 34 percent of the cases.
The high-profile nature of recent cases such as the potential theft of millions of TJX Cos. customers’ credit card data has raised new questions about how well retailers safeguard their customers’ information.
“When you’re dealing with electronic systems, there’s such massive information in one place,” said Steve Kenneally, director of payment and technology policy for America’s Community Bankers. “For thieves, it’s a target-rich environment.”
Retailers select a bank that acts as an “acquirer” to process their credit and debit transactions. The banks or subcontractors install the card readers in stores. Information from card swipes - typically the card number and customer’s name - can be stored within the store, at the retailer’s headquarters or on a third-party data provider’s servers.
“Security for retailers is remarkably expensive and the problem is, it is very much akin to a consumer buying life insurance or major medical insurance,” said Evan Schuman, retail technology editor for eWeek.com. “If they go a year without having an accident or major incident, they think, ‘I wasted all that money.’”
Conflicting strategies
Investing in tighter security runs counter to retailers’ strategies of expanding their points of sale, as they experiment with new technologies, such as payments by cell phone.
“There are so many points where someone can get into your system,” Schuman said. “You’ve got to protect all of those points. But you have to allow your consumers to get in.”
Following the 2004 theft of roughly eight million BJ’s Wholesale Club members’ credit or debit card information, the Massachusetts Bankers Association formed a task force that recommended a series of ways to tighten security.
Among them: timely notification of affected customers, liability for retailers, full reimbursement to banks for the cost of reissuing cards, and stronger data encryption standards.
Based upon the recent TJX security breach, it appears few of the steps have been adopted, said Bruce Spitzer, spokesman for the bankers association.
“They need to invest in better encryption and haven’t done that,” Spitzer said.
Among the data that Framingham-based TJX has reported stolen are card expiration dates, as well as names, addresses and driver’s license numbers of customers who were returning merchandise without receipts.
“It wouldn’t have happened if they had not been storing data they shouldn’t have,” Spitzer said. “After a transaction is cleared, it shouldn’t be kept.”
A new standard
Credit card companies have begun to respond to heightened concern about security breaches by penalizing member retailers. In December, Visa said it will spend $20 million in incentives to make members’ banks compliant, and begin fining those banks up to $25,000 if large merchants aren’t compliant by the end of August and smaller merchants by year-end.
Experts recommend that merchants maintain a firewall to protect cardholder data, encrypt all data that’s transmitted across public networks, regularly update antivirus software and monitor access to cardholder data.
“It’s a relatively new standard and our membership has been working very hard to get up to speed,” said Liz Oesterle, government affairs counsel for the National Retail Federation.
But critics say Visa’s penalties don’t come close to covering banks’ losses. Issuing a new card costs up to $20 per card for some banks, and a data breach stemming back to July 2005 may have affected the card data of millions of customers.
Solutions
While technology has contributed to the spread of credit card fraud, it also offers potential solutions.
Security consultants are pitching upgraded monitoring programs for retailers designed to flag unauthorized releases of data, rather than the earlier emphasis on keeping out hackers.
“There’s a very telling shift between (monitoring) who’s getting in and what’s getting out,” said David Etue, senior security strategist for Fidelis Security Systems, a Bethesda, Md.-based electronic security company.
More than three-quarters of data breaches are caused by an existing employee, Etue said, either through malice or ignorance.
“Half of the violations are someone who doesn’t know any better and doesn’t realize they’re putting data at risk,” he said.
All of which has consumers such as Drew, the jewelry designer from Boston, wary about how they pay for their purchases.
“I’m very afraid of someone accessing my bank account other than the bank,” she said. “It’s really terrible. In the age of technology, every time you turn around someone’s hacking into somebody’s system. You almost want to go back to the old days of stuffing money in your mattress.”
Steve Adams may be reached at sadams@ledger.com.