Lately, it seems wherever I turn, there’s a warning about online scams. And not just normal news and information sites, where that’s to be expected, but when I log into bank accounts, utility accounts, shopping sites and elsewhere. That should be no surprise in a connected world where internet bandits can gain access to the inside of your home, business or bank account on whatever internet signal the related devices thrive on.
With content coming in from dozens, if not hundreds of places, and staff fact-checking things that sometimes take us to sketchy internet sites, we’ve been pretty careful at the Gazette.
In retrospect it turns out we’ve just been lucky.
Last Tuesday we started seeing a lot of $5 payments coming in from the credit card processing software installed on our website. Looking further, we discovered many more $5 payments were being rejected. By the end of the day the software showed “10,000-plus” failed and blocked transactions, with under 200 successfully processed.
Our web developer increased the minimum donation amount to $10 and set up stricter CAPTCHA (Completely Automated Public Touring test to tell Computers and Humans Apart) rules to identify those making donations as humans. They also refunded the fraudulent $5 charges that had come through.
The explanation seems to be that credit card thieves do what’s called credit card testing, presumably to identify those that are valid to use for fraudulent purchases. What was happening seems to be that a new Gmail account was created for each card to be tested and payment was attempted using the stolen card information.
Credit card testing fraud is also known as carding or card cracking. Small payments of $5 are testing in the hope of finding good ones and not alerting the cardholder.
Immediately after the payment is either accepted, or rejected, the Gmail account is deleted, thus there’s no way to contact the perpetrator of the fraud. One can assume the fraudster pretty quickly uses or sells the good card numbers. Soon a series of large transactions will likely be processed with a different email address for the purchase of gift cards, or something else difficult to trace.
The names and addresses accompanying the charge in our records are fictitious too. All we have is the last four digits of the credit card number, so there’s nothing we can do to contact the true cardholder. There’s little we can do to resolve the issue if someone calls, except try to match the last four numbers in our records with their card number. But, so far, at least, everyone we’ve heard from has seen a $5 credit soon after the fraudulent $5 charge appeared on their statement. Despite being made whole, we’ve recommended they cancel that card immediately.
That seemed to be the end of it until late this past Monday evening, almost a week later, a charge of several thousand dollars appeared in one of our bank accounts, overdrawing it.
Investigation revealed the fees were from the credit card processor for rejecting the fraudulent payments we’d been receiving. Each fee is just a hair under two pennies, but, in the end there were 165,000 of them. One-hundred and sixty five thousand of almost anything is a lot to deal with.
It took some time to jump through the credit card processor’s hoops to get a human on the phone. I was so relieved to hear a human voice, I wasn’t concerned about a slight language barrier; at least the customer service representative seemed to know what he was doing and wasn’t reading from a recipe book. He agreed with my assessment, noticed it hadn’t happened before, and matched my call up with one our web developer had submitted that was further along in being looked at by a special investigation team.
Thankfully, we work with a local bank branch and they quickly returned the charge. So far it remains that way, though our web developer hasn’t heard back from the processor to confirm they’ll cancel all the fees. And, we’ll still have the fees for the fraudulent $5 charges and refunds, which they will hopefully reverse as well.
The moral of the story seems to be: No matter how careful one is, there’s a criminal out there somewhere looking to perpetrate a crime one hadn’t anticipated.
Paul Fixx, editor
Paul Fixx is editor of The Hardwick Gazette and lives in Hardwick.
