Recent cases of online fraud raise questions over the safety of shopping on the Internet.
Trail of fraud leads from Amazon.com to Thailand
By Molly Masland
24 June 1999
http://www.msnbc.com/news/283239.asp
June 24 -- When Internet investigator Don Garlock's bank account
was mysteriously cleaned out in early June, the last thing he expected
was that the search for the culprit would take him on a shadowy trail through
cyberspace. The clues began at online retail giant Amazon.com and led to
a ring of alleged hackers in Bangkok, Thailand. Along the way, Garlock
picked up crucial lessons about the perils of online shopping, even at
sites that claim to be "100 percent safe."
So when his personal bank account was suddenly emptied in early June, Garlock put his online tracking skills to the test. But even he was surprised by what he discovered.
FRAUDULENT CHARGES AT AMAZON
Amazon.com spokesman Paul Capelli said the company makes it a policy to release detailed information about an account only to a customer's bank, which can then release the details to their client. "We want to take reasonable steps to protect our customers' privacy," said Capelli. "We need to know we're dealing with the real customer, not someone calling on the phone who could be anyone." As a result, the only information Garlock received directly was a hint accidentally leaked over the phone by a customer service representative. "They let slip the first half of the e-mail address, and then they realized what they had done and put me on hold. They came back and read me a prepared response to the effect that they could not divulge any additional information to me," said Garlock.
TRAIL TO THAILAND
Garlock was able to uncover a wealth of personal information about the individuals who had used his card. With the help of ordinary search engines, he uncovered their home addresses, phone numbers and where they attended college. Garlock also found that in addition to having multiple e-mail addresses and Web sites touting their hacking skills, the alleged thieves held legitimate Web development jobs. "We know a tremendous amount of personal, professional and business-type information on these people now from our investigations here in little old Bedford County," said Sheriff Michael Brown. Eventually Amazon.com released the shipping address and fraudulent e-mail address used by the credit card thieves to Garlock's bank, but by then the information only confirmed the data he had already uncovered. Because the sheriff's office has no jurisdiction in Thailand, the department turned the case over to Interpol, the international crime investigation agency that works with federal law enforcement agencies and national police forces. Garlock's case is under review and, according to Brown, will most likely be turned over to the FBI, U.S. Customs or the Secret Service.
MORE CASES OF FRAUD
Mainstreet Bank Group, where Garlock keeps his personal checking account, said an investigations officer at Amazon.com admitted that the same group in Thailand had set up a number of other stolen credit card numbers for use at the retailer's site. In a memo obtained by MSNBC, Shirley Schoefield, a bank investigations officer at Mainstreet Bank Group, said that "according to the investigations department at Amazon, approximately 20 cards have been set up for use to purchase merchandise to be sent to the following shipping address (in Thailand)." Citing customer privacy restrictions, Schoefield refused to comment on the case. Amazon.com's Capelli also refused to comment on the case of the 20 fraudulent credit cards, but acknowledged that there had been instances of credit card misuse at the site. "From the time there has been credit cards, there has been credit card fraud. Bad things can happen any place, and the Internet is no different. Any retailer encounters this problem," he said. However, he insisted that Amazon.com's security system had never been compromised. Currently Amazon.com is advertising for positions in its fraud investigation department. Under the section "employment opportunities" on its Web site, Amazon.com is looking for a "fraud detection specialist" as well as a "fraud detection manager."
'DON'T USE A DEBIT CARD'
But since his debit card was stolen, he temporarily lost everything in his checking account. When a debit card is used, the money is automatically removed from the account when the order is processed. While the bank is still responsible for paying Garlock back, he must wait until the official investigation is complete, a process that can take weeks and sometimes months. "One of the biggest lessons I've learned from this is, for God's sake, don't use a debit card on the Internet," said Garlock. Amazon.com has a policy of fully refunding unauthorized charges billed to a customer's account and has agreed to pay back Garlock any amount billed to his account that is not covered by his bank.
Amazon.com's Capelli said that hackers have never broken into the company's site or stolen information on individual accounts. "Our system of storing credit card information has not been compromised, nor has it ever been compromised in any way. Any claims to this effect are not true -- absolutely not true," said Capelli. According to Inspector Earl Wismer of the San Francisco Police Department, which handles many cases of Internet fraud, "It's really difficult to pin down where exactly a credit card number was acquired. It is common for credit card numbers to be fraudulently used on the Web, but we're not able to determine whether the numbers were obtained from the Web or from some other source." In addition to stealing credit card numbers the old-fashioned way, such as acquiring the number from receipts, there are several sites on the Web where hackers, or anyone else who's interested, can generate legitimate credit card numbers based on algorithms, or mathematical formulas, used by banks. The algorithms generate all the numbers used by a given bank, but the hacker must then systematically try out each number in an effort to find one that is in current use and still has an available credit limit.
CROSS CHECKS NEEDED
"Apparently their order confirmation system that would match a card number to a given individual is seriously flawed," said Garlock. According to Capelli, the person who fraudulently used Garlock's debit card set up a separate account using the card number, but did not break into Garlock's existing account. Capelli dismissed the need for a more thorough cross check of credit card numbers with existing account information, adding that "it is very common to have more than one account per card number. For instance, there are husbands and wives with different names who have different accounts but use the same card number. Or parents who let their children use their credit card numbers to set up an account."
As Scambusters, an online consumer advocacy organization, points out, the reality is that it's actually much safer to enter a credit card number on a secure online order form than it is to give a credit card to a waiter at a restaurant. But there are important security measures to be worked out before the process is 100 percent safe, despite what many online sites want customers to believe.
"There is definitely a problem and I think some people in the industry
have known that it is a problem. It is not one that's going to be fixed
easily," said Sheriff Brown. "Consumers have just got to be careful."