Dell Doesn’t Care About Fraud – And Neither Do Most Companies

A declined suspicious attempted purchase sheds an ugly light on company apathy regarding fraud

Willie Sutton famously replied to the question, “Why do you rob banks?” with the answer, “Because that’s where the money is.” Same thing with hackers: Why to they target merchants and credit cards? Because it’s cheap, easy and they will almost always get away with it. Why? Because, in many cases, the cost of preventing the fraud—and the cost of investigating it—is simply more than just absorbing the losses. The bad guys know they will get away with it. Because increasingly, the good guys don’t care.

So, this morning I get an e-mail and a telephone call from American Express that there is a suspicious attempted charge on my account of $3,286.52 from DELL BSD ONLINE 12. Amex detected the transaction, declined it and replaced the card (even overnighted the new one). Very cool.

Now the true “victim” of this attempted crime was Dell. Had the charge gone through, the company would have shipped a bunch of computers or other stuff to someone who wasn’t me, I would have declined the charge, and Dell would be out the money and the computers. So you would think that Dell’s fraud department—(866) 383-4713—would be helpful and cooperative in attempting to find and later prosecute whoever was attempting to defraud them. If someone walked into a Dell Computer store (are there such stores?) and tried to carry out more than $3,000 worth or hardware, would the store employees just shrug their shoulders? I think not.

My goal was to find out more information about the internet fraudsters. Did they use my name and telephone number in addition to my credit card number to attempt the fraud? Was the purchase attempted over the phone or over the internet? Did Dell capture a phone number or IP address? What was the address to which the fraudsters attempted to have the order shipped?

If the order was made by phone, was the call “recorded for quality control purposes?” Has the Round Rock, Texas, Police Department—(512) 218-5500—been contacted, or anyone else in law enforcement? In short, can we at least try to catch these internet fraudsters—perhaps ship an empty box to the requested address with a beeper or other locator in it?

Perhaps take this kind of crime seriously?

But no.

Dell’s fraud department claimed that, despite the fact that they notified American Express of the fraud, despite the fact that they knew the precise dollar amount of the attempted fraud, and despite the fact that they knew the methodology of the attempted fraud, they had “no records whatsoever” relating to the attempted fraud. They indicated that if I called the FBI or the Internet Crimes Complaint Center (IC3) and convinced a prosecutor with the U.S. Attorney’s Office to issue a grand jury subpoena to Dell, that there were no records of the fraud. But don’t worry about it—the card was declined, so who cares?

Who cares?

This is not the first time I have been the victim of an attempted credit card fraud. In each case, I have been met with varying degrees of concern or cooperation either by the credit card issuer of the merchant or the police. But in general, companies don’t care about fraud. It’s not worth their time to investigate, particularly attempted fraud. I’m sure that Dell’s general counsel Richard Rothberg would tell you differently, but these fraud cases simply aren’t pursued. It’s not cost-effective, and most cardholder “victims” aren’t interested in finding out who did it.

It is inconceivable that Dell has no records whatsoever relating to the attempted fraud. But would the fraud representative, an agent of the corporation, really make a materially false statement regarding a crime? Would he tell the FBI the same thing? No records? Really? Nowhere in the corporation is there any record? So Amex learned of the fraud how, exactly?

The bad guys know that nobody is on their trail. The hackers know they won’t be investigated. The carders know that nobody will come after them. The fraudsters know that the merchants will do nothing. The thieves know that cardholders won’t pursue the cases. And law enforcement will only go after cases when there is a reasonable chance of a successful prosecution.

So, what’s the message here? For hackers, the message is clear. For Dell shareholders, it’s also clear. It’s not that this isn’t a logical economic decision: Does it make economic sense for Dell to spend money to attempt to find a bad guy when they suffered no direct loss (well, from this attempt, anyway)? But in the aggregate, they are tolerating crime, and looking the other way, and then lying—yes, lying—to crime victims attempting to get a modicum of justice.

For that reason, the hackers will continue to hack. And haters will hate.

Featured eBook
SAP Customer Stories

SAP Customer Stories

Why struggle with IAM, especially when it comes to SAP? One Identity Manager is a comprehensive IAM solution that’s certified by SAP to work seamlessly with the growing portfolio of SAP modules. With Identity Manager, you can dramatically simplify and improve user lifecycle management, governance and authentication for all your SAP implementations. Identity Manager also ... Read More
One Identity
Mark Rasch

Mark Rasch

Mark Rasch is a lawyer and computer security and privacy expert in Bethesda, Maryland. where he helps develop strategy and messaging for the Information Security team. Rasch’s career spans more than 35 years of corporate and government cybersecurity, computer privacy, regulatory compliance, computer forensics and incident response. He is trained as a lawyer and was the Chief Security Evangelist for Verizon Enterprise Solutions (VES). He is recognized author of numerous security- and privacy-related articles. Prior to joining Verizon, he taught courses in cybersecurity, law, policy and technology at various colleges and Universities including the University of Maryland, George Mason University, Georgetown University, and the American University School of law and was active with the American Bar Association’s Privacy and Cybersecurity Committees and the Computers, Freedom and Privacy Conference. Rasch had worked as cyberlaw editor for, as Chief Privacy Officer for SAIC, and as Director or Managing Director at various information security consulting companies, including CSC, FTI Consulting, Solutionary, Predictive Systems, and Global Integrity Corp. Earlier in his career, Rasch was with the U.S. Department of Justice where he led the department’s efforts to investigate and prosecute cyber and high-technology crime, starting the computer crime unit within the Criminal Division’s Fraud Section, efforts which eventually led to the creation of the Computer Crime and Intellectual Property Section of the Criminal Division. He was responsible for various high-profile computer crime prosecutions, including Kevin Mitnick, Kevin Poulsen and Robert Tappan Morris. Prior to joining Verizon, Mark was a frequent commentator in the media on issues related to information security, appearing on BBC, CBC, Fox News, CNN, NBC News, ABC News, the New York Times, the Wall Street Journal and many other outlets.

mark has 37 posts and counting.See all posts by mark