BBC HomeExplore the BBC

11 July 2009
Accessibility help
Text only

BBC Homepage

Sites near London

Related BBC Sites

Contact Us

Like this page?
Send it to a friend!
 

TV Features

You are in: London > TV > Television > TV Features > Is the Internet a fraudster's paradise?

Keyboard

Is the Internet a fraudster's paradise?

Online shopping has increased dramatically over the past five years. Now Britons spend £30bn a year over the web. But giving over personal information to make those purchases in the comfort of your own home has become a fraudster's delight.

An investigation by Kurt Barling has discovered one of the scams leading to dramatic rise in credit card fraud along with web sales

Carshalton Surrey is a leafy suburb of South London. It's also famous for its lavender.  Danny and Jeannette Stanzl run an independent beauty products shop which has grown from small beginnings and makes full use of the legendary qualities of the lavender on their doorstep.

When Jeannette's husband developed cancer several years ago she sought out lotions which could offer him both respite for his aches and pains and a better quality of life.  Finding nothing she decided to make her own. Shortly before her husband died she set up an Internet business with her son Danny. 'Naturally Thinking' has since added a shop in Carshalton to the successful Internet enterprise.

Internet shopping is booming in Britain. At the last count the average online shopper made 24 purchases a year and in 2006 this translated into 426 million online credit card transactions. It's easy to see why it could be a fraudster's playground.

Customer database

Naturally Thinking has several hundred customers. The reason I know this is because a hacker broke into their secure warehouse website and stole their database of customer information. The secret database had customers' personal information on it. 

The information was the sort most of us give voluntarily in order to purchase items over the Internet. A concerned individual passed the information to BBC London because they thought it was likely to be used for criminal gain.

It's estimated by a fraud expert we've consulted that the information was probably stolen last October. After a short delay to ensure the security breach had not been detected these customers' credit card details were progressively used to make purchases all over the world.   

One customer found a £4000 watch on his credit card bill; he hadn't bought it. A number of other customers we spoke to in confidence had between £600 and £800 unaccounted expenditure on their cards.

Unusual spending patterns

This level of fraud is quite common. It is not too large to flag up fraudulent transactions to the credit card companies who constantly monitor for unusual patterns of credit card transactions. The fraud is often only picked up once the customer has the following month's bill.

Credit Cards

It is estimated there was £428m of fraud in 2006

One of the customers on the list who agreed to be interviewed was Liz Milton. She had only purchased one item in the previous six months where she had needed to give her personal information. That was from the wholesale site at Naturally Thinking. Her credit card was relieved of £750.

Fortunately, she recognised the error on her bill and called her bank at the beginning of February. Her credit card company are likely to reimburse the loss.

Three weeks on from Liz Milton's transaction BBC London called Naturally Thinking after receiving a copy of the database. Our investigation had led us to believe they were the most likely source of the security breach probably from their 24 hour online shopping website.

Danny Stanzl was shell-shocked with the news. To their credit they immediately took their warehouse sales site offline and informed the police. The banks, we discovered, were still unaware of the scale of the fraud, more on that later.

The fraud expert

Andrew Goodwill is a computer fraud expert. A director of the Third Man Group he explained that the most likely source of the information was the database held by Naturally Thinking on its customers. A persistent hacker probably breached the security of their permanent online sales site which was password protected. 

Naturally Thinking was ill-advised not to regularly move their growing customer database periodically offline. This, Goodwill suspects, is a common mistake made by smaller Internet merchants.  This is a real threat to the security of individuals' private information.

Once the hacker has downloaded the information to their hard-drive it becomes extremely valuable. More importantly it can be sold to as many buyers as possible at the click of a mouse.

Goodwill showed me several websites where this kind of information can be sampled, bought and downloaded for anything up to £50 for each customer's information. The information we have seen would have been worth in the region of £5000.

Once sold, our fraud expert Andrew Goodwill estimates each bit of customer information is worth between £1000 and £2000 because that is how much an average stolen card can generate in purchases. With the information that was passed to us that's a value of nearly £200,000.

A live fraud

It is impossible to say how many of the customers on the database we have seen have been defrauded. But within 24 hours of receiving the information it became clear very quickly that some of the Londoners we spoke to were unaware that their card had been compromised. In other words the information that had been passed to us showed we'd come across a live fraud.

That made it imperative that we conclude the initial part of our investigation speedily, at the same time as passing the stolen data on to APACS the UK payments association. It was immediately clear to APACS that BBC London had uncovered a major fraud ring and they have now launched a full police investigation.

What this also shows up, however, is just how difficult it is for the credit card companies to spot fraud with their existing systems. Despite the fact that several hundred customer details had been taken and dozens of cards had been used fraudulently there is no systematic way at present of verifying this type of fraud until the security breach is identified.

Data security

APACS estimate that there was £428m of fraud in 2006. What is clear is that with the expansion of the number of small Internet merchants a lot of our data is not kept as secure as it needs to be.

"The card issuers say that it is impossible to have a system which is 100 per cent secure"

Kurt Barling

The card issuers say that it is impossible to have a system which is 100 per cent secure and that is why customers, merchants and card companies need to be careful about what personal information is given over or stored. 

The fact that we place our personal information in the hands of so many different people puts us at much greater risk. APACS believes many people don't fully appreciate the importance of protecting their personal information because Internet shopping is still a novelty for most people.

Tracking the organised criminals

The big question is just who is using this stolen information. It is well known that organised criminals have found credit card fraud a good way to launder the proceeds of crime. They buy goods and sell them for 'clean' cash. It is also documented that terrorist groups use credit card fraud in the UK to raise funds to send abroad. It is also clear that the information itself can be used to clone identities.

The scale and nature of the crime has meant that a specialist policing unit has been set up by the credit card companies to investigate this kind of fraud.  It is a unit which has regular contact with MI5. The Dedicated Cheque and Plastic Crime Unit (DCPCU) only investigate financial crimes. It is staffed by police officers and is paid for by the industry precisely because they recognise the scale of the problem they face.

The DCPCU will now use forensic accounting techniques to try and track the fraudulent transactions which match with the data BBC London provided APACS. In short every single credit card transaction is registered. It is also possible to tell where and when the purchase was made and who is taking the delivery. The policing challenge is to link multiple transactions with specific individuals. That's the tough bit.

Protecting consumers

The good news for customers making payments for goods from an Internet merchant is that their credit card company will usually cover the losses. The bad news is it is often the merchant that picks up the cost because they will not be paid for goods dispatched as part of a fraudulent transaction. This level of fraud can push perfectly viable businesses under.

During the course of this investigation it has become clear that the theft of the type of information we received is also providing ample opportunity for criminals to steal people's identity.  

The hard reality of the Internet world of shopping is that no matter how secure the systems IT professionals build, there will always be a way around them. We all need to be more vigilant when we check those credit card statements at the end of the month.

The credit card companies informed the several hundred card holders on the database we were leaked that their cards had been compromised and stopped the fraud in its tracks. The fraudsters are still at large.

A virtual world has not made financial crime any less real.

Useful links:

The BBC is not responsible for the content of external websites

last updated: 15/05/2008 at 17:06
created: 11/03/2008

Have Your Say

The BBC reserves the right to edit comments submitted.

Mr Smith
A question for both the journalist of this piece and the fraud expert Andrew Goodwill, what is their stance on PCI-DSS (Payment Card Industry Data Security Standard) and on-line traders using PCI-DSS certified processing portholes? No mention made here and all seems a bit scare-mongering.Also, no mention made whatsoever of the efforts of the card issuing banks who are driving PCI-DSS throughout the whole industry.

John
It's important to realise that the merchant loses twice in this transaction, They have to refund the cardholder's money as well as losing the stock they've shipped to the fraudster. Many merchants retire from online business due to this double whammy of online liability. The card schemes (Visa, Mastercard etc)only solution results in so many extra steps at the checkout that it impacts the merchants sales to a greater extent than the fraud.

Adam Ficken
I think that your story was a terrible distortion of the truth. As you mentioned 30 million of us used the internet to make purchases last year and the VAST majority of those were done perfectly safely, but this was not mentioned. To dramatise this one example of fraud in such a way you could damage the livelyhood of many people who rely on the internet to trade and have adequate security in place. Your expert should have mentioned practical measures such as that https:// at the begining of a web address means it is secure and you shouldn't enter any financial information into a page not bearing this prefix. People should also look for signs of who the site uses for their transactions, such as high street banks or companies such as Protx.Personally I have spent over a thousand pounds this year alone to make sure I have all of the latest card security and I am livid that in one foul swoop you may have put off thousands of people from shopping online, which is the future of retail.Adam FickenLondon

Brian Angus
presumably there is also a high risk when you give card details over the phone

You are in: London > TV > Television > TV Features > Is the Internet a fraudster's paradise?

BBC London, PO Box 94.9, Marylebone High St. London W1A 6FL.
Tel: 020 7224 2424 | Textphone: (for hearing impaired users) 020 7935 7414
e-mail: yourlondon@bbc.co.uk


About the BBC | Help | Terms of Use | Privacy & Cookies Policy