Skip to main content /TECH with /TECH

Manual security procedure aids online fraud arrest


By Dan Verton

(IDG) -- Securing systems and protecting against online fraud is usually a technology-heavy process for companies. But human intervention can also play a role, and that's what led the New York City police to an alleged ring of credit card thieves earlier this month.

On the afternoon of July 13, New York police detective Tommy Hill waited patiently outside a large shipping warehouse in the Astoria section of Queens, posing as a delivery person. He was about to launch a sting set in motion by a new order verification policy put in place by Inc., an Omaha-based online retailer of power tools and construction supplies.

Hill carried a shipping manifest that described the contents of three large boxes containing $2,200 worth of products ordered from ToolBarn's Web site. Initially, nobody at Tiad Trade II, a purported company that didn't really exist, was willing to sign for the packages. But after ToolBarn officials called Tiad Trade II and said its shipment had arrived via "special delivery," the owner of the fake company escorted Hill inside the building. INFOCENTER
Related Stories
Visit an IDG site search

That's when Hill identified himself as a police officer and began what would become an investigation of an alleged online fraud ring involving about 100 stolen credit cards "and a warehouse full of products," Hill said shortly after making two arrests in the case.

Dale Williams, president of ToolBarn, said the sting and resulting arrests originated with the online retailer's policy of verifying with credit-card holders any orders in which the billing address doesn't match the shipping address. In this case, he added, the billing information matched credit card records, but the order included a different shipping address from the usual one.

Williams said there were no reports of lost, stolen or fraudulent activity on the card, nor did the order exceed the cardholder's credit limit, giving the issuing bank no reason to deny the charge. But when ToolBarn tried to call the phone number provided along with the new billing address the number turned out to be invalid, he said.

ToolBarn, a subsidiary of Omaha-based Tighten Co., got the cardholder's phone number from the bank that issued the credit card and contacted him at his home in New York, only to be told that the order was fraudulent. Williams said he then called the New York Police Department to alert it to the alleged crime.

Differences in shipping and information "does not necessarily indicate fraud, but it tells us that we need to validate the transaction with the cardholder and the issuing bank," Williams said. About 25 percent of the orders received by ToolBarn require such validation, he added. "It's nothing specifically we do [that's] IT-related," Williams said. "It's more of a manual procedure on our end to make sure all parties are protected."

A report issued last year by Stamford, Conn.-based consultancy Gartner Inc. concluded that credit card fraud is 12 times more common for online merchants than it is at their brick-and-mortar counterparts. In response to the online fraud threat, credit card issuers have initiated programs to help online retailers verify the validity of electronic orders.

For example, San Francisco-based Visa International Inc. and Visa U.S.A. Inc. rolled out technical specifications designed to support payment authentication services for online credit card transactions during the spring (see "Visa sets technical specifications for online authentication," link below). And American Express Co. last year announced a new service featuring one-time-use-only credit card numbers (see "American Express offers disposable credit card numbers for online shopping," link below).


Note: Pages will open in a new browser window
External sites are not endorsed by CNN Interactive.


Back to the top