Credit Card Thieves Flood Wikimedia With Pennies

The Wikimedia Foundation, the parent organization of the free online encyclopedia Wikipedia and other open-source projects, recently increased the minimum amount it will accept in donations after scammers apparently began testing the validity of stolen credit cards by sending a series of 1-cent "donations" to the group.

On Nov. 8, Wikimedia saw hundreds of penny donations come in over a very short period of time. In many cases, Wikimedia donors leave messages of support or praise for the organization along with their gift, but all of the fake donations were anonymous and contained no greeting, suggesting their submission may have somehow been automated.

Wikimedia spokesperson Sandra Ordonez said the group wants to keep a low minimum contribution amount so as not to discourage donations from people in countries where a dollar may be a substantial sum and a very generous gift. "But for those one-penny donations, it was costing us more to process them," she said. "We were actually getting negative money back."

Wikimedia has now increased the minimum contribution it will accept to one dollar.

The group receives all of its donations through PayPal, the online payment service owned by eBay. Ordonez said a PayPal rep told her the company wouldn't even process a donation unless it was at least 32 cents.

A spokesperson for PayPal declined to discuss the Wikimedia situation, citing privacy concerns.

Security Fix has written about these types of phony donations before. In the offline world, if a crook steals your credit card, he will often swipe it at a local gas station to see whether the card has been reported stolen. On the Internet, criminals are increasingly targeting organizations that have little in the way of staff or back office fraud detection capabilities, donating small sums at online charities, nonprofits and even political candidate sites to check the validity of stolen cards.
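The traits Wikimedia reported (tiny amounts, anonymous donors, no greeting, many arrivals in a short period) can be turned into a simple screening check for a donation log. The sketch below is an added example, not code from Wikimedia or PayPal; the record fields, the thresholds and the sample data are all assumptions constructed for illustration.

```python
from collections import deque
from datetime import datetime, timedelta

def is_probe_like(d, max_cents):
    # Traits reported in the article: tiny amount, anonymous, no greeting.
    return d["cents"] <= max_cents and d["anonymous"] and not d["message"].strip()

def flag_bursts(donations, max_cents=100, window=timedelta(minutes=5), threshold=5):
    """Return ids of probe-like donations that arrive in a burst.

    A burst is `threshold` or more probe-like donations inside one sliding
    time window. All three parameters are assumed values to tune per site.
    """
    flagged = set()
    recent = deque()  # probe-like donations still inside the window
    for d in sorted(donations, key=lambda d: d["time"]):
        if not is_probe_like(d, max_cents):
            continue
        recent.append(d)
        while d["time"] - recent[0]["time"] > window:
            recent.popleft()
        if len(recent) >= threshold:
            flagged.update(r["id"] for r in recent)
    return flagged

def build_sample():
    """Constructed sample data, not real donation records."""
    start = datetime(2007, 11, 8, 14, 0, 0)
    rows = [
        {"id": "d1", "time": start - timedelta(hours=2), "cents": 500,
         "anonymous": False, "message": "Thanks for Wikipedia!"},
        # A lone small anonymous gift: probe-like, but not part of a burst.
        {"id": "d2", "time": start - timedelta(hours=1), "cents": 100,
         "anonymous": True, "message": ""},
        {"id": "d3", "time": start + timedelta(minutes=1), "cents": 2500,
         "anonymous": False, "message": "Keep it up"},
    ]
    # Eight 1-cent anonymous donations, 20 seconds apart.
    for i in range(8):
        rows.append({"id": f"p{i}", "time": start + timedelta(seconds=20 * i),
                     "cents": 1, "anonymous": True, "message": ""})
    return rows

if __name__ == "__main__":
    print(sorted(flag_bursts(build_sample())))
```

Because the check keys on bursts rather than on amount alone, a single small anonymous gift from a genuine donor is left alone, which matters for an organization that wants to keep its minimum low.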

By Brian Krebs |  November 20, 2007; 2:57 PM ET Fraud , From the Bunker , Misc.
Comments

Delayed response makes automated attacks harder

This kind of credit card testing attack relies on the immediate response on whether the entered information (card number, expiry date, etc.) is valid or not.
If the response is delayed, then the business model of such an attack is severely limited. Several players, including amazon.com, have adapted such an approach.

Posted by: Andreas Falck | November 21, 2007 5:33 AM

Until all credit cards have an ID photograph it will not end the fraud related transactions.

Posted by: dr rotberg saul | November 21, 2007 10:47 AM

Gas station pay at pump devices are popular with fraudsters - they can anonymously check whether a stolen card is valid by swiping it in the reader. If it is denied, there is no risk of them being spotted by a clerk. Really, there needs to be additional security built into point of sale card payments and also online payments - e.g. all cards should have PINs, and also contain security chips for POS.

Posted by: Rob Marr | November 21, 2007 12:58 PM

All the online payment providers need to implement 3-D Secure (Verified by VISA or SecureCard by MasterCard). This is a way to process your transaction using online security parameters like an online PIN or online passphrase. If this is implemented, all such frauds will get eliminated. This should be made compulsory by schemes (especially VISA and Master); unless they enforce this, it is difficult to stop these attacks.

Posted by: Krishna Potnis | November 22, 2007 5:16 AM

They should use Vista Commerce Server!
http://fakesteveballmer.blogspot.com

Posted by: Steve Ballmer | November 23, 2007 12:18 AM

Brian: This story is confusing and contradictory. It states that the charity receives all their donations through PayPal, which has a 32-cent minimum. So then, how did they process those 1-cent donations from credit cards? As you know, PayPal and Visa/MasterCard are two completely separate acceptance modes for merchants; but you have mixed them up in this report.

Posted by: Chuck Phipps | November 23, 2007 11:22 AM

If the associations like VISA and MASTERCARD would require the merchants to ask for CVV2 and AVS, this would help combat this type of fraud.

Posted by: fraud finder | November 23, 2007 1:20 PM

Going back to the basics, all merchants should make sure the cardholder has possession of the card. Simple prevention rules can protect merchants like this....

Posted by: The Fraud Finder | November 23, 2007 1:24 PM

@ChuckPhipps -- My apologies if this story was confusing for you, but I don't think it's contradictory.

Maybe it would help you understand this better if you visited Wikimedia's donation page.

http://wikimediafoundation.org/wiki/Fundraising

You will see that the foundation can accept credit card donations via PayPal. The person donating doesn't even have to have a PayPal account. Click through the various options and I'm confident you'll figure it out.

Posted by: Bk | November 23, 2007 6:56 PM

Uh - maybe just maybe it's the greed of the credit card companies that have put people in this fine mess?

Posted by: Rick | November 26, 2007 12:21 PM

Credit card companies lose so much money each year because of fraud. Does anyone know this amount? There must be more to explain why pin numbers are not used.

In fact it seems a system is already in place to match your card number with the phone number you put on your application. This is now done automatically to activate your card, it could be a temporary fix.

Posted by: Laurence Drell | November 26, 2007 8:35 PM

I wonder why adding a picture to your card would stop fraud? This is an online site, so I don't believe that would help at all. As for PINs, this is a relatively great idea. I think the biggest deterrent would be making sure people report their cards stolen, then they cannot be used at all. This overall is the best method.

Posted by: MC | November 29, 2007 9:52 AM

Some of the card security measures are a joke. AMEX asks for your billing zip code when using it at gas pumps or POS scanners. Now let's think about it, if my card is stolen, it will most likely be in my wallet. Hmmm, my driver's license will be there too. Guess what - usually my billing address and home address are the same!! Anyone want to bet that the crooks have figured that one out?

Posted by: Gary | November 29, 2007 11:31 AM

Laurence stated that the credit card companies lose so much money due to fraud. In most circumstances, it is the issuing bank or the business that accepted the transaction that takes the loss. Rarely is it the credit card company.

Posted by: Dave | November 30, 2007 12:44 PM


©  The Washington Post Company