My credit card and the Washington Secretary of State site used in credit card fraud
It was 0730 in the morning and my wife, Kathy, calls down from her office and asks what the $200 charge was on her credit card to the Washington Secretary of State. She had seen the charge come through on 09 November for a billing on 08 November. I told her I would check, but that it might be an automated charge made in error, as I had closed out all the corporate and nonprofit accounts to which we were associated many months/years prior.
When I couldn’t find the information via searching our own records, I reached out to the Secretary of State’s office and reached Tina. Tina is a pro!
With the credit card number and our name, she was able to find the transaction on 08 November where someone used Kathy’s credit card to create an LLC in the state of Washington.
A new Washington State LLC
The devil is always in the details, once the UBI number was in hand, we were able to pull up and review together the names used, the company name used, and contact information for the principals. As the entire transaction was conducted online. We assess that one of the many vendors with whom we have done business over the past month had been compromised. It also appeared, that the cybercriminal was in Europe, for reasons which will become clear as we dig into the data available.
The Secretary of State’s site showed us that a company called “HM Best Fashion Supplies LLC.” H&M is a Swedish fashion entity. The fraudulent company’s phone number was an eastern-Nebraska phone number in the 402-area code, using a physical address in Olympia, WA. The physical address provided resolves to an Izzy’s pizza place, while a PO Box in Olympia accompanied. The name used, Marc Hayes, a clever homonym, as Mark Heyes is a famous Scottish fashion journalist. This Marc used a physical address for himself, also in Olympia, which resolved to a rural address.
What’s going on?
To sell a credit card number on the dark web is relatively easy and a criminal can get a few dollars for a card. To sell a credit card that is validated as being used at least once without issue is a valuable card. The use of the card, for $200, wasn’t outrageously large as to be eye catching, as grocery shopping for the week’s food can easily top that but was enough to provide the criminal with evidence that the card wasn’t maxed out.
Now the criminal can sell that card for many more dollars than they would otherwise be able to do so. They weren’t counting on the owner of the card, my wife, being vigilant and check transactions via phone or online daily. Most check the transactions at the end of the month when the bill arrives and then begins contesting a flurry of fraudulent charges with the credit card provider.
An alternative criminal analysis would lead the more paranoid among us, to believe that the corporation was being created to provide an anchor from which to perpetrate criminal activities against unsuspecting businesses or consumers, with the only link to a real person being, the owner of the credit card.
In this instance, my wife called the credit card provider, explained what had transpired, how she caught it, the results of the conversation with the office of the Washington Secretary of State and they canceled the transaction, canceled the card, and reimbursed the charge.
Time spent cleaning up the mess?
All in, we invested about 5 hours of our time to clean up the mess. The Washington Secretary of State personnel invested their time as well helping us figure out the charge, about an hour. The card provider also spent about an hour of their time. Then when the card was replaced, we then spent another two hours working with our autopayments to change and update the billing data and those vendors also spent time with us taking care of changes.
When it was all said and done, about 11-14 manhours across multiple entities were expended to sleuth out the crime, replace the cards, and put our financial life back in order. Think of this within the laws of large numbers and you have a better feel for how this affects the economy in general – figure $15/hour which is $165-$210 per credit card. How many millions are compromised and replaced each year? This is a real expense drain on the nation’s economy.
Criminals identified?
It would have been nice if the credit card fraud algorithm had questioned the charge, but they didn’t have enough information to determine that the charge wasn’t like prior ones to Washington State. The Washington Secretary of State had seen that credit card before, so the fact the criminals did a bit of business research on the name on the card, saw the name was associated with a Washington corporation and a non-profit, no doubt pointed them to the site as a viable low-risk means to validate the card as “still active.”
The likelihood that the entity which was breached or the criminals trying to use the card being identified is low. Coordination between the Washington Secretary of State and the credit card company would have to occur, logs checked and compared and then assessments made. It is far easier to write it off than to invest time to find. Which brings us to what the consumer can do.
Consumer & Business teaching moment?
The teaching moment, the fraud would have been larger, but still removable by the credit card company, had the charge not been caught the day it occurred.
Nonetheless, when the banks eat the fraud, the rates increase, the fees increase, and by doing our own part to reduce fraud, we are doing our pocketbooks a favor as well.
Check those credit cards daily, fight fraud, push the equation a little closer to the criminal so that they are the loser.
Update: As of 27 November 2018, the corporation is listed as inactive.