A declined suspicious attempted purchase sheds an ugly light on company apathy regarding fraud
Willie Sutton famously replied to the question, “Why do you rob banks?” with the answer, “Because that’s where the money is.” Same thing with hackers: Why do they target merchants and credit cards? Because it’s cheap, easy and they will almost always get away with it. Why? Because, in many cases, the cost of preventing the fraud—and the cost of investigating it—is simply more than just absorbing the losses. The bad guys know they will get away with it. Because increasingly, the good guys don’t care.
So, this morning I get an e-mail and a telephone call from American Express that there is a suspicious attempted charge on my account of $3,286.52 from DELL BSD ONLINE 12. Amex detected the transaction, declined it and replaced the card (even overnighted the new one). Very cool.
Now the true “victim” of this attempted crime was Dell. Had the charge gone through, the company would have shipped a bunch of computers or other stuff to someone who wasn’t me, I would have declined the charge, and Dell would be out the money and the computers. So you would think that Dell’s fraud department—(866) 383-4713—would be helpful and cooperative in attempting to find and later prosecute whoever was attempting to defraud them. If someone walked into a Dell Computer store (are there such stores?) and tried to carry out more than $3,000 worth of hardware, would the store employees just shrug their shoulders? I think not.
My goal was to find out more information about the internet fraudsters. Did they use my name and telephone number in addition to my credit card number to attempt the fraud? Was the purchase attempted over the phone or over the internet? Did Dell capture a phone number or IP address? What was the address to which the fraudsters attempted to have the order shipped?
If the order was made by phone, was the call “recorded for quality control purposes?” Has the Round Rock, Texas, Police Department—(512) 218-5500—been contacted, or anyone else in law enforcement? In short, can we at least try to catch these internet fraudsters—perhaps ship an empty box to the requested address with a beeper or other locator in it?
Perhaps take this kind of crime seriously?
Dell’s fraud department claimed that, despite the fact that they notified American Express of the fraud, despite the fact that they knew the precise dollar amount of the attempted fraud, and despite the fact that they knew the methodology of the attempted fraud, they had “no records whatsoever” relating to the attempted fraud. They indicated that if I called the FBI or the Internet Crime Complaint Center (IC3) and convinced a prosecutor with the U.S. Attorney’s Office to issue a grand jury subpoena to Dell, there would be no records of the fraud. But don’t worry about it—the card was declined, so who cares?
This is not the first time I have been the victim of an attempted credit card fraud. In each case, I have been met with varying degrees of concern or cooperation either by the credit card issuer or the merchant or the police. But in general, companies don’t care about fraud. It’s not worth their time to investigate, particularly attempted fraud. I’m sure that Dell’s general counsel Richard Rothberg would tell you differently, but these fraud cases simply aren’t pursued. It’s not cost-effective, and most cardholder “victims” aren’t interested in finding out who did it.
It is inconceivable that Dell has no records whatsoever relating to the attempted fraud. But would the fraud representative, an agent of the corporation, really make a materially false statement regarding a crime? Would he tell the FBI the same thing? No records? Really? Nowhere in the corporation is there any record? So Amex learned of the fraud how, exactly?
The bad guys know that nobody is on their trail. The hackers know they won’t be investigated. The carders know that nobody will come after them. The fraudsters know that the merchants will do nothing. The thieves know that cardholders won’t pursue the cases. And law enforcement will only go after cases when there is a reasonable chance of a successful prosecution.
So, what’s the message here? For hackers, the message is clear. For Dell shareholders, it’s also clear. It’s not that this isn’t a logical economic decision: Does it make economic sense for Dell to spend money to attempt to find a bad guy when they suffered no direct loss (well, from this attempt, anyway)? But in the aggregate, they are tolerating crime, and looking the other way, and then lying—yes, lying—to crime victims attempting to get a modicum of justice.
For that reason, the hackers will continue to hack. And haters will hate.