Costados Merchant Information Costados Merchant Information Costados Merchant Information

Costados KnowledgeBase: Minimize risk and maximize profit

Internet Merchants Fight Back

When their pleas for help in fighting credit card thieves in foreign lands fell on deaf ears, Internet merchants Marc Gilbert, Pat LaMastro and Cheryl Faye Schwartz took matters into their own hands. Their tales of international intrigue, online detective work and, in one case, a deadly confrontation in a Eastern European capital would make good fodder for espionage author John LeCarré’s next novel.

Like many other e-business owners who contacted MSNBC in response to a link urging readers to share their e-commerce stories, Schwarz, LaMastro and Gilbert say they felt abandoned by the financial system, even before they knew they had been hit by criminals who had virtually no fear of being caught.

Most said there is no financial incentive for the banks and credit card companies to do anything about the problem becase it is the merchant who, in virtually all cases, ultimately bear the cost of fraudulent Internet purchases.

LaMastro, who runs PC Services, a computer networking business that also sells computer parts over the Internet, out of his home in Manville, N.J., said he was “a little bit nervous” when he received a $15,000 order from Bucharest, Romania.

We’ve tried to contact our credit card authorization company and also the bank that works with the processing company ... to have them determine whether they were fraudulent or not. And they were not able to provide us with any help.”

Finally, LaMastro conducted his own investigation of sorts and concluded, after speaking to the supposed cardholder and having him fax a Romanian driver’s license and other documentation, that the order was legitimate. He shipped it the next day via UPS.

The size of the order finally triggered the bank’s interest, prompting a phone call to request a copy of the invoice, he said.

The bad news arrived first thing next morning.


“We got a call from them saying all the cards that were used for that order were fraudulent,” he recalled.

Fearing he was out 15 grand, LaMastro quickly phoned UPS. The shipping company in turn contacted an agent in Bucharest, who was able to intercept the shipment in the nick of time.

LaMastro got his parts back a week later and considered himself lucky — at least until he took a look at his bank statement.

"Initially we paid for the transaction fees … and when we turned around to credit the credit cards after we found they were stolen, the bank also hit us up for charges,” he said. “… So we got charged for two transactions — a little over $600.”

LeMastro is challenging the fees, but said the bank has given no indication it intends to budge on the matter.

In the meantime, he says, he is much more cautious about sending merchandise overseas.

“If I can’t get a ‘yes’ or ‘no’ answer from either the credit card authorization company or the bank ... I probably wouldn’t do any trading overseas.”


It is doubtful that anyone takes Internet fraud as personally as Gilbert, president of Streamray, Inc., of Nevada, which processes credit-card transactions for an array of adult Web sites.

Appalled by the level of fraud he encountered after taking over the processing business from another company in 1996, Gilbert has instituted a series of cross-checks and risk-analysis procedures to combat the problem of credit card fraud, which is particularly rampant in the online sex industry.

“Probably we’ve eliminated more than 80 percent of what we were experiencing,” he said. Among the practices Gilbert instituted: Checking the IP address for each order to ensure it is coming from the same area where the cardholder resides; cross-checking information provided by the customer to ensure its accuracy; establishing a risk-management program that includes a live operator who intervenes when any suspicious activity occurs.

But that reduction in fraud wasn’t enough for Gilbert, who tenaciously tracks those who make it through his detection system and pay with fraudulent credit cards. In several cases he has managed to track down the criminals and force them to pay up under threat of a civil case, the attentions of a collection agency and possible loss of Internet service.

As part of his crusade, Gilbert said he has compiled evidence of credit card fraud and taken it to the authorities in hopes of bringing the weight of the law down on the perpetrator. Except for the few cases where he has persuaded local law enforcement to get involved, the exercise been futile, he said.


“The cases that we’ve had that we’ve gone to the federal authorities with, in every instance they review what we have, they review how we’ve caught these people and they can’t do anything because … the courts are overloaded and they’re not going to go after someone that just takes hundreds of dollars because they don’t have the resources to do it,” he said.

In one case, Gilbert said, he developed evidence that a fraud ring directed from Poland had defrauded his business and “some fairly large computer companies” out of money and equipment. He said the ringleader in Poland has multiple accomplices in the United States who collect and fence merchandise ordered with fraudulent credit cards.

But when he took the information to the FBI, he said, he was told the losses were insufficient to trigger an investigation.

“They don’t know how to proceed,” Gilbert said of the cases that cross national boundaries. “There’s no case law; they can’t do it.”

In another instance, Gilbert said, he phoned local authorities in Canada and told them that an individual living only miles from the police station was at that moment attempting to run sequential credit card numbers through Steamray’s servers.

“The police up there would not even make a phone call, would not even go to the house,” he said. “They told me that I had to fly up there and post a $10,000 bond to prove that I would show up in court.”
In the face of this perceived indifference by law enforcement, Gilbert said he will continue to conduct his one-man counteroffensive against credit card fraud.

“It’s run many companies on the Internet out of business, and I have no intention of allowing that to happen to us,” he said. “We’re well under the average charge-back rate (the industry term for reimbursements) right now, and I won’t be happy until it’s zero.”


Cheryl Faye Schwartz’s run-in with a credit card fraud artist in Romania was both costly and surreal.

The Pennsylvania woman, who sells natural health supplements and other products on her Web site, admits she “didn’t know how to protect myself” when she received an order for $3,000 worth of merchandise in December from a man in Bucharest, Romania.

The thief, who used the name “Jarrod,” went to great lengths to ensure that Schwartz didn’t get suspicious before he received the goods.
“This guy … was very friendly,” she said. “He was corresponding back and forth. He even sent me his picture and the picture of one of his friends. He seemed very cordial and there was no reason for me to suspect that he was doing anything illegal.”

But when a doctor at a military base in Germany called to complain about a charge on her credit card statement from for products she hadn’t ordered, the thief’s friendly veneer quickly disappeared.

After being told by her bank and federal authorities that they could do nothing to help her, Schwartz was directed to the Web site, which acts as an unofficial portal for news about Romania in the absence of a governmental presence on the Internet.

Staff members there contacted a person in Bucharest with close contacts to the Romanian police, who was quickly able to determine where “Jarrod” lived. The free-lance investigator and a few associates — referred to as “dogs” by staff members in e-mail they sent to Schwartz — then went to pay him a visit and urge him to return the goods or pay the bill.


“Apparently the ‘dogs’ went to this guy’s house and shook him up a bit,” Schwartz said, reciting the account she received from “He denied he was who he was. But then he wrote me a note that if I didn’t call off the ‘dogs’ immediately, he was going to to hack into my server and destroy my business.”

Schwartz said she was assured by the staff that “Jarrod” was bluffing and that their associates in Bucharest would continue to press for payment.

After a series of confrontations on Jarrod’s doorstep — including one in which he was accompanied by a man who identified himself as his attorney — a dramatic incident ended the impasse.

“One day one of the ‘officers’ went over to the house, (where) … the guy was at the time living with his grandmother, and when the grandmother saw the guy at the door, she apparently had a heart attack and died,” Schwartz said. ”(… wrote back and told me the agents were totally freaked out and they weren’t going to pursue it (any further).”

Her account was corroborated by Hans Schneiders, a German citizen who runs the Web site, but could not be independently verified through the U.S. Embassy in Bucharest or Romanian authorities.


Schwartz, $3,000 poorer but wiser for her ordeal, switched credit card processing companies in favor of a firm that helped merchants protect themselves with such measures as IP address verification and a database of bank numbers that enables a merchant to determine where a transaction originated.

Her heightened awareness paid immediate dividends when, a few days before Christmas, she noticed 20 transactions from Romania on her server log using sequential credit cards issued by a single U.S. bank.

Schwartz said she alerted the bank in hopes that an investigation would be launched, but was dismayed when the bank responded that it had only closed the affected accounts.

“I wrote back and I said, ‘Is that all you’re going to do?,’ (and the bank replied), ‘That’s all we’re obligated to do.’

Like the others, Schwartz charges that the lackluster response of her bank and the apparent indifference of authorities puts merchants at risk, and ultimately harms consumers as well.

"The thing that bothers me is, if I got burned by this, and you multiply this by a few hundred thousand, you’re talking about a major crime that’s going on and it costs everybody,” she said. “Because the interest rates will go up on credit cards, prices of merchandise will go up, all because of theft. … But it seems like nobody cares.”

Following these guidelines will help protect you from fraud when you shop online:

  1. Use only one credit card online to make it easier to identify fraudulent charges.
  2. Unless your debit card offers purchase protection, use only a credit or charge card for online purchases. Under the Fair Credit Billing Act, consumers are liable for a maximum of $50 if a credit card is used fraudulently and have the right to dispute charges under certain circumstances and temporarily withhold payment while the creditor is investigating them. Debit cards don't have such a blanket rule. Using one online can put your entire checking or savings account at risk. However, several issuers have begun offering the protetcion for debit cards, so check with your issuer.
  3. Check your bills carefully each month and cancel the card immediately if you find any bogus charges.
  4. Assume that any credit card you use online can be stolen. It might not, but that way you’ll have account numbers handy to simplify and hasten the process of canceling the card.
  5. Use caution when using smaller online retail sites, which tend to use off-the-shelf e-commerce software and have fewer resources to devote to security.
  6. Send e-mail to a retail site asking whether users' credit card information is stored by the company. You can ask the company to remove your data from its database. Or, if you like the convenience offered by Web sites that keep your card numbers on file, ask if the site encrypts your personal information before it's stored. If the answer is "no," you should shop elsewhere.
  7. Don’t provide credit card information in response to a solicitation.
  8. Regularly check your credit history through a credit-reporting company.

A Byte out of Cybercrime

High-tech crimefighting:

With so much sensitive information streaming through the Internet, it's no wonder that high-tech crime-fighting units are springing up all over the country to combat digital fraud, theft, and sabotage.

Police sergeant Don Brister of the High Technology Crimes Detail in San Jose, Calif., investigates corporate espionage, among other offenses. Brister warns that with such crimes on the rise, companies should do more than build firewalls to protect their inner systems. They should also keep a sharp eye on what's going on within the organization. Follow these few simple precautions, Brister says, and protect your company from digital mischief.

Since most corporate computer crimes are committed by former and current employees, Brister suggests that companies sever their ties with bad employees immediately. Allowing a recently fired staffer to stick around for the standard two weeks allows that worker to gather all the information and security codes necessary for future hacking. "That's the making of a disgruntled employee who can do a lot of damage," Brister says. "Almost any employee can bring a business to its knees. Managers and owners should look at immediate dismissal as protecting the business early on, even if it means losing a few dollars by not having a person there."

Companies can prevent a lot of trouble, Brister says, if they conduct complete background checks on prospective hires. "We've been involved in many cases in which warehouse people, even people in the financial department, have had criminal records," he says. "Even though that history is public, the company hasn't known that it's available or how important it is. And while many organizations would rather be kindhearted than suspicious, there are people who will go from company to company and continue stealing."

Brister says it's important to call in the law at the first sign of trouble. Don't wait until a series of crimes have occurred. Early reporting means that police can log the incidents and have more leads to follow. Even if there isn't yet a high-tech-crime unit in your city, Brister says, state police departments often have forensic computer labs. And if state agencies aren't able to help, Brister suggests calling the FBI, the Secret Service, the U.S. Customs Service, or even the post office.

E-Commerce Information Security

Have you ever wondered where your credit card information goes after you submit it to pay for an online purchase? Although you may think that the data goes directly to the merchant, as it passes over the Internet it actually travels through intermediary networks before it reaches its targeted location. As a result, the Internet is referred to as an ‘open’ system.

Due to that open nature of the Internet, there can be an increased security risk. For instance, when your customers provide their credit card information over the Internet to purchase online, this data is at risk of being intercepted as it travels from a customer’s site to the merchant’s site. If the data is intercepted the order can be stopped, the payment information can be altered or someone other than the cardholder can end up using the credit card information.

Six main security elements are required in an e-commerce transaction. From a consumer’s perspective, they are as follows:

  • Non-repudiation: The consumer cannot deny having made an order.
  • Confidentiality: The consumer’s personal information is protected from unauthorized access as it travels through intermediary networks and computers.
  • Access Control: The consumer’s personal information can only be accessed by those who are supposed to have access.
  • Integrity: The consumer’s personal information is protected from unauthorized modifications.
  • Authentication: The identity of the consumer is verified.
  • Availability: The consumer is assured that the system and data are accessible when needed.

Solutions to manage risk: ENCRYPTION

To aid in the process of protecting sensitive data as it is transmitted over the Internet, encryption techniques are used. Encryption is the transformation of data into unreadable code that is not easily interpreted. Two common encryption techniques include the private (or secret/symmetric) key, and public (asymmetric) key cryptography.

Private Key Cryptography:
In private key encryption, both the merchant and consumer share a private key that is used to encrypt and decrypt the data. Private key systems are simple and fast. Their main drawback is the distribution and management of the keys. Imagine having thousands of customers who require their own key. You would need to devise a method that ensures each person receives a key and that the key is managed appropriately. Hence, private key systems are best for small networks where the parties know each other and can trust each other with the keys.

Public Key Cryptography:
Public key encryption uses two keys, a public key that encrypts the message and a private key that decrypts the message. Both the consumer and the merchant would have their own pair of keys. The public key is stored in a key repository with a certification authority (trusted third party) and is publicly available, while the private key is retained by the user.

For instance, a customer uses his or her credit card to make an online purchase. The merchant’s public key is used to encrypt the customer’s credit card information. When the merchant receives the encrypted data, it is decrypted with the merchant’s private key.

The main advantage of a public key system is that it supports digital certificates and digital signatures, and it provides all the necessary security elements required for an e-commerce transaction. The main disadvantage is that it uses more computer resources than private key cryptography, which means it is slower and more costly to implement.

Public key cryptography provides the ability to use both digital certificates and digital signatures. A digital certificate can be attached to an e-mail or read within a browser, and is used to verify the identity of the certificate’s owner. It also provides proof of credibility, as it is obtained from a certification authority like Verisign. However, it is the discretion of the consumer to understand the process taken to authenticate the certificate owner. There are different certificate levels available which means some certificate owners may not be as trustworthy as others.

A digital signature aims to duplicate the process used for physical signatures by ensuring that a message arrives in its original form. It also validates the identity of the sender.

Solutions to manage risk: SECURE SOCKETS LAYER (SSL)

SSL is an example of an industry-wide encryption method standard used worldwide in e-commerce transactions to protect the online submission of sensitive customer information, such as credit card details. SSL uses public key encryption, including digital certificates.

Today, all web browsers support SSL, which is essentially transparent to users, with the exception of an icon (usually a lock or key) displayed at the bottom of a browser window that indicates when a website is secured.


Secure Electronic Transaction (SET) was launched in 1997 by MasterCard and Visa and is like SSL as it involves the use of public key encryption. The main difference between SET and SSL is that SET uses digital certificates for all involved parties, unlike SSL which has only recently introduced this feature to its latest versions. As a result, SET provides for better security authentication. As well, SET has better overall security. Unfortunately, it does have its drawbacks including a complex implementation and higher costs than SSL.