×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Rogue Anti-Virus Victims Rarely Fight Back

kdawson posted more than 3 years ago | from the price-you-pay-for-being-had dept.

Crime 173

krebsonsecurity writes "One big reason why rogue anti-virus continues to make major bucks for scam artists: relatively few victims ever ask their credit card company or bank to reverse the charges for the phony security software — even when the victims don't even receive the worthless software they were promised. I recently found several caches of data for affiliates of a rogue anti-virus distribution program, and the data showed that in one set of attacks only 367 out of more than 2,000 scammed disputed the charge. A second rogue anti-virus campaign scammed more than 1,600 people, and yet fewer than 10 percent fought the charges."

cancel ×
This is a preview of your comment

No Comment Title Entered

Anonymous Coward 1 minute ago

No Comment Entered

173 comments

Too busy (1)

suman28 (558822) | more than 3 years ago | (#33051762)

That's probably because people are too busy or too lazy. I would vote most as lazy, but probably busy to see the Cc to see whether they were scammed, if they are smart enough to realize that they have been scammed in the first place.

Re:Too busy (3, Insightful)

LWATCDR (28044) | more than 3 years ago | (#33051804)

Actually some claimed that tried but got the run around.
What I would like to see is the CC companies pro actively shut down these people. After one person makes a claim on them it should be easy to check and see who else did and then start reversing charges.

Re:Too busy (2, Insightful)

Anonymous Coward | more than 3 years ago | (#33051864)

After one person makes a claim on them it should be easy to check and see who else did and then start reversing charges.

Ah, there's just no way to abuse this!

Re:Too busy (0)

Anonymous Coward | more than 3 years ago | (#33053188)

I use Linux.

Re:Too busy (0)

Anonymous Coward | more than 3 years ago | (#33053244)

You expected more from his armchair, 5-minutes-of-thought, genius answer to solve the problem?

Re:Too busy (1)

interkin3tic (1469267) | more than 3 years ago | (#33051884)

After one person makes a claim on them it should be easy to check and see who else did and then start reversing charges.

This seems like such a good idea I found myself saying "Surely they already do that" before remembering, oh yeah, this is the credit card industry we're dealing with here, and there's probably no law forcing them to do that.

Re:Too busy (1, Interesting)

gcatullus (810326) | more than 3 years ago | (#33051952)

They can't "just" reverse it because the customers' cards weren't stolen, the customers initiated the transaction, and they received the "merchandise".

If anytime a customer felt wronged by a company he could just reverse the charges, it would be chaos. This is no different than using a credit card at a casino and losing your money there. Or using your credit card at a psychic, and being upset when you don't meet a tall dark stranger.

Taken to absurdity, this would be like trying to reverse the charges for buying Norton AV, when you do get infected.

These are all valid charges - now the customers should have spent a few hundred dollars more and taken their pcs to someone who could disinfect them, and spend a hundred or so more to buy proper av software. But this way they spent $80.

Re:Too busy (4, Informative)

r0b!n (1009159) | more than 3 years ago | (#33051996)

Wrong. This is like making a purchase for a product online and the product is not delivered or making a purchase online and the product does not perform the task for which it was purchased. Both of these circumstances are/should be covered by some form of protection.

Re:Too busy (1)

gcatullus (810326) | more than 3 years ago | (#33052092)

But the bogus product did "fix" the pcs. Now if their browser was still hijacked after paying the money it would be fraud, but here they got their pcs fixed for $80.

Re:Too busy (4, Informative)

Thansal (999464) | more than 3 years ago | (#33052638)

No, they don't. The scammers don't 'fix' anything, they just take the money. They might give them an 'anti-virus software' (read, more malicious software), but they aren't going to remove their damn malicious software just because you gave them $80.

Even if they did, extortion is illegal, and thus a perfectly viable charge reversal.

Sorry, but your apparent argument of "people are dumb and should pay for getting scammed" doesn't really float. Basically the entire point of charge reversals is to deal with scammers.

Re:Too busy (2, Insightful)

paeanblack (191171) | more than 3 years ago | (#33052668)

They can't "just" reverse it because the customers' cards weren't stolen, the customers initiated the transaction, and they received the "merchandise"

Apparently you have a shitty credit card provider. If you have a good provider, it works like this:

-You complain about the charge
-CC company takes the charge off your bill
-CC company does the legwork resolving the issue with the merchant
-CC company apologizes to you for your inconvenience

If your credit provider isn't willing to fight for you, why are you doing business with them?

Re:Too busy (1, Interesting)

Cylix (55374) | more than 3 years ago | (#33052844)

That is a bit too many steps in my case.

I had a hotel toss me out for some issues. We had a bit of a disagreement regarding noise and my suggestion was to move either my room or my neighbor. Well they wanted to be smug about the whole thing and that is fine. However, you don't get to keep my money and throw me out.

Douche-bag night manager decided he would be really clever and charge my card regardless. I noticed the charge a few days later and called up my credit card provider. Turns out they had several instances already just like mine. They said they would reverse the issue and told me to have a nice day.

Literally it was a minute call to initiate a reverse. The hotel itself wasn't exactly cheap either and I suspect senior douchiness had pulled this scammed many times.

Re:Too busy (1)

Mr. Freeman (933986) | more than 3 years ago | (#33052116)

"What I would like to see is the CC companies pro actively shut down these people."

Yeah, but that's a lot of work. These charges mean greater credit card bills which means more money (in the form of interest paid) for the CC company. If they deal with this in an efficient and ethical manner then they make less money. If it were up to the credit card companies, they wouldn't even have to tell you their credit rating EVER. As it is they only have to inform you ONCE PER YEAR.

Without regulation, this won't get fixed. Thus, the only way to get this fixed is to make sure that the identity of senators gets stolen so that they're encouraged to start passing laws with stricter regulations on data security.

Re:Too busy (4, Interesting)

Runaway1956 (1322357) | more than 3 years ago | (#33052890)

I hear the runaround thing. I was looking at one of those federal grant sites some time ago. Had to pay $1 or so to get access to some stuff, so I paid. I THOUGHT that I had read everything, I paid the small fee, downloaded some documents, read them decided the place wasn't what I was looking for. The following month, I had a charge of about $40 on my card.

The credit card company refused to halt the transaction! Utter asswipes! They claim to be concerned with security, but when a customer calls in to say, "I'm being ripped off!", they do nothing.

I got better response from the scammers when I called them. One call was all it took for them to agree NOT to charge me any more.

Re:Too busy (0)

Anonymous Coward | more than 3 years ago | (#33053268)

These type of sites make it extremely hard to find the terms and conditions, but by law, the credit card companies can't generally reverse the charge if it's within the stated terms and conditions of the business you dealt with. And, as far as the credit card company is concerned, you're not being "ripped off" if you buy a service or product and get charged within the terms and conditions that you signed up under (even if you did not read them or could not locate them).

I used to work at a call center handling such disputes, and I would get calls all the time about these "free trial" scams where they hide in the fine print that you only have 14 days from the order to cancel, or you're set up for recurring shipments and billing. The only thing I could do was to advise the customer to contact the company IMMEDIATELY, and to cancel with them, ask them for a confirmation of cancellation, and make a note of the date of cancellation. Sometimes the company would be nice enough to give a one month refund, but if they did not, there was nothing we could do. Now, if the customer had documentation of cancellation on a certain date, and charges were still made on the card AFTER that date, then we could file a dispute on those.

Re:Too busy (1)

RJFerret (1279530) | more than 3 years ago | (#33053280)

When I was a kid buying back to school supplies I always wondered why I could buy an entire pack of pens for $1 that had a rebate for $1.

I'd get pens for the cost of a stamp.

How did the pen companies make money offering that?

Years later I learned.

People take rebate forms, but never send in the info.

I'm not surprised people don't want to make a phone call, use a menu system, wait to talk to the kind reps who easily contest charges.

The credit card companies make it easier than mailing a rebate form, but that's more effort than using the remote to turn on TV, I mean heck, people won't even walk a few feet across the room to turn on a TV anymore!

It's the same reason people will pay extra for those internet/TV/phone bundled packages, rather than pay less for the services separately.

They have "better things to do" than fill out rebate forms or sit on hold calling companies.

Re:Too busy (3, Interesting)

painandgreed (692585) | more than 3 years ago | (#33052040)

That's probably because people are too busy or too lazy. I would vote most as lazy, but probably busy to see the Cc to see whether they were scammed, if they are smart enough to realize that they have been scammed in the first place.

Probably more like too ashamed. If they don't figure it out pretty quick, when they eventually get somebody like me to see why their problem is not going away or explain to them that they bought snake oil, they are usually too embarrassed to do anything more. I know I have lost my money before to an outright (non-internet) con and a large reason I didn't go try and get it back was for feeling stupid for falling for it to begin with. Actually, now I don't actually miss that money and look at it as $20 well spent. Every time since then that somebody comes up to me and proposes something I think is a con (several times, the exact same scam), I can remember back to that $20 I lost in college, laugh and dismiss them without feeling bad (which is a prime motivator they use many times). Many times when I explain to people what has happened, I tell them to think about that money any time they are asked to pay for any transaction they didn't initiate to begin with and not fall for it again. Sure, that let's those people get to keep the money, but even if they did get it back and shut that person down. There would just be another and there are always more people to scam. Most internet scams were scams long before the internet and run via snail mail or even going door to door. It's probably better for them to lose that money once in a lesson that they will never repeat, than feel safe that they can get that money back otherwise.

Because CC issuers don't give a flying f_ck. (0)

Anonymous Coward | more than 3 years ago | (#33052102)

Any amount under $50 they would ignore, since by law they can pass that onto their customers. I've complaint about a $20 unidentified charges before (YES, I AM TALKING ABOUT YOU, DISCOVER!) and their basic response was "We're satisfied it's a legitimate charge. If you have an issue, take it up with the merchant."

Re:Too busy (1)

selven (1556643) | more than 3 years ago | (#33052634)

Probably not too busy/lazy to fight the charges, but too busy/lazy to even read the entire credit card bill in the first place.

Many aren't smart enough. Or rather, (4, Interesting)

aussersterne (212916) | more than 3 years ago | (#33052842)

they don't understand enough about technology / computing to figure it out. I've helped several people with Windows reinstalls (just did it again this weekend, in fact, on a really nice, new Dell laptop that this person was ready to trash and replace after just a year) who fell for this sort of thing and fully thought that through the magic of internets and computers, their "purchase" had done SOMETHING for their computer, but it just wasn't enough to outweigh the terrible destruction already wrought by Teh V1rus!

In this particular case, the person got a fakeAV popup that installed malware that generated popups. This caused him to start searching his email for "antivirus," remembering a SPAM he'd seen, and he ended up with AV fakeware Cc: charges. He didn't actually realize this, assuming that the AV fakeware had silently, invisibly done its best but the original virus was "too strong" (two pieces of malware now spitting popups at an alarming rate and disabling various things) and he went out into Googleland looking for fixes, all of which were no doubt too technical for him and all of which he attempted to follow to a 'T' deleting a bunch of random files from C:\WINDOWS\SYSTEM and C:\WINDOWS\SYSTEM32 in the process and borking his system entirely.

When he came to me saying "So-and-so tells me you can fix computers, so I thought I'd bring mine to you before I throw it out, it's been completely destroyed by a virus..." he was sure that it was all down to the horrible virus he'd "caught" and that he'd been valiantly battling it for a week, rather than single handedly destroying his own Windows install at a record pace.

It was too f'ed up for system rescue, so I just wiped and reinstalled. He was AMAZED that I brought it back to life, and in just an hour or so. He was sure that I was the absolute best virus fighter in the universe. Told me I should go work for the Best Buy Geek Squad (uhh, thanks...) because they need people like me.

It's not that he's a total idiot, but computing in anything but buzzwords and marketing soundbytes remains a specialized set of skills that take time and study (and an awareness of where the right resources can be found) to develop. Most non-geeks just assume it's all due to Teh V1rus!, and the press and their coverage do little to add nuance to this notion, not to mention manufacturers and retailers that are only happy to sell the same person the same system every six months for a fresh $1k after they "got got by Teh V1rus!"

potential reason to not dispute a charge (4, Interesting)

Anonymous Coward | more than 3 years ago | (#33051780)

I recently had a $10 charge from a company I'd never heard of. Slightly different than this story, it was not from a rogue antivirus, but just a plain-old unauthorized charge (out of the blue). I called my bank to dispute it, but they said I'd need to change my charge number if I disputed it. I decided I'd rather eat the $10 charge, than deal with the hassle of updating my card number (and updating everything that auto-bills it).

Re:potential reason to not dispute a charge (5, Insightful)

frieza79 (947618) | more than 3 years ago | (#33051828)

How many months of bogus $10 charges will you tolerate?

Re:potential reason to not dispute a charge (0)

Anonymous Coward | more than 3 years ago | (#33051880)

Once you've had one charge, how likely are you to get more? I dispute ANY charge because someone I didn't give number to has it.

Re:potential reason to not dispute a charge (0)

Anonymous Coward | more than 3 years ago | (#33051892)

My god, what is it with the mods lately? How is this guy "trolling"???

P.S. I myself haven't had any mod points in over a month. Anybody else?

Re:potential reason to not dispute a charge (3, Funny)

retchdog (1319261) | more than 3 years ago | (#33051948)

I'll be happy to sell you my mod points and a subscription to a series of pamphlets detailing many "life hacks" including my patent-pending technique for obtaining 15 mod points a week; and how to get free product out of those 25-cent bubblegum dispensers at shopping malls. Please post your credit card number; verification number; and billing address in a reply.

Re:potential reason to not dispute a charge (0, Offtopic)

biryokumaru (822262) | more than 3 years ago | (#33051962)

I keep getting 15 every few days... also, ACs don't typically get to mod, do they?

Re:potential reason to not dispute a charge (0, Offtopic)

blackraven14250 (902843) | more than 3 years ago | (#33052104)

Nope, they never do. Which is why, even though his comments may be modded up while he posts AC, he isn't getting any points on his account - which in turn affects the number of mod points he gets to use.

Re:potential reason to not dispute a charge (0)

Anonymous Coward | more than 3 years ago | (#33053276)

Is that it? It would be nice if this stuff was written down some place (other than the source code). I switched to AC after getting stalked one too many times. Oh well, I'd rather never get to mod. (different AC from up the thread BTW)

Re:potential reason to not dispute a charge (1)

John Hasler (414242) | more than 3 years ago | (#33052112)

> How many months of bogus $10 charges will you tolerate?

Zero. My wife handles the credit cards and she verifies every single charge. I am required to save and annotate every slip and log every Internet or phone transaction.

Re:potential reason to not dispute a charge (0)

Anonymous Coward | more than 3 years ago | (#33052250)

Wow. Makes me glad I'm not married.

Re:potential reason to not dispute a charge (1)

morari (1080535) | more than 3 years ago | (#33051932)

Don't autobill and you wouldn't have to worry about changing your card number now and then. I'd consider autobilling a huge risk in and of itself, personally.

Re:potential reason to not dispute a charge (5, Insightful)

Mr. Freeman (933986) | more than 3 years ago | (#33052152)

Call back and ask for a supervisor, or their supervisor, or however many people you have to talk to to get to someone who can reverse the charge without changing your number.

Of course, I'd want to change my number. Someone unauthorized clearly has your CC information and can successfully charge money to it. Keeping the same number makes NO FUCKING SENSE. It's like refusing to change your locks after you know that a thief has a copy of your key because last time he broke in he only took $10. HE'LL BE BACK LATER WITH A VAN AND TAKE EVERYTHING IN YOUR FUCKING HOUSE. You're going to end up with some $5000 charge to your card and that's going to be a hell of a lot more difficult to deal with then ten fucking dollars.

Dispute the charge, change your number, and SPEND TEN FUCKING MINUTES UPDATING YOUR AUTO-BILL INFORMATION.

Re:potential reason to not dispute a charge (0)

Anonymous Coward | more than 3 years ago | (#33053128)

Really? Unlike my house, where insurance might have something on negligence--changing the number is up to the credit card company. And it shouldn't be difficult to dispute. You see, their agreement caps my liability at $50. And I'm fine with that. Because after the first unauthorized charge, if it happens again--I've got proof they were negligent in authorizing it.

Got a copy of the receipt with my signature? No. Okay--it's unauthorized.

Got it authorized by proxy (like over phone or via mailin) and I disputed it? Is there proof of delivery of the product via fedex? No? Revoke their merchant account.

I don't care how many people have my ccd #--as long as I authorized it and didn't go handing it out to people I don't intend to use it--it's the card company, and the merchant's problem--not mine. That's the agreement.

Because that $5,000 is damned easy to dispute. You call and dispute it, then send it in writing. Problem solved.

Re:potential reason to not dispute a charge (0)

Anonymous Coward | more than 3 years ago | (#33052186)

I recently had a $10 charge from a company I'd never heard of. Slightly different than this story, it was not from a rogue antivirus, but just a plain-old unauthorized charge (out of the blue). I called my bank to dispute it, but they said I'd need to change my charge number if I disputed it. I decided I'd rather eat the $10 charge, than deal with the hassle of updating my card number (and updating everything that auto-bills it).

Here's something you may not know about credit card auto-billing.

If you have a legitimate recurring auto-bill and then change your card number, the first auto-bill on the old number will fail.

But many banks (particularly amex) will allow the second auto-bill on the old number to go through.

Re:potential reason to not dispute a charge (3, Funny)

rainmouse (1784278) | more than 3 years ago | (#33052208)

Funny how, unlike on the Monopoly Community Chest cards, bank errors never appear to be 'in your favour'.

Re:potential reason to not dispute a charge (1)

John Hasler (414242) | more than 3 years ago | (#33052268)

> Funny how, unlike on the Monopoly Community Chest cards, bank errors never
> appear to be 'in your favour'.

I experienced one just last month: a $500+ overpayment.

Re:potential reason to not dispute a charge (1)

MasterLock (581630) | more than 3 years ago | (#33052294)

You need a better card.

I dispute anything that doesn't match my records; I've disputed as little as $6 from a local store. I call the credit card company and submit the necessary papers via fax.

I often hear people say, "Oh, it's a just a few dollars off; what's the big deal?" Depending on the business, that "few dollars" may be put on 100, 1000, 10000 different people. Would you say, "Oh, it's just $50,000 off; what's the big deal?" The credit card companies keep track of these disputes; if a company is continually getting hit with them, they will investigate.

Re:potential reason to not dispute a charge (4, Informative)

InfiniteWisdom (530090) | more than 3 years ago | (#33052384)

The small charge could easily be a precursor to a large charge. Thieves will often make small purchases [wikipedia.org] online to test cards before buying something of value. Obviously getting something shipped is not an option if you're using a stolen card, and they wouldn't want to attract attention to themselves in a physical store by using a card that's been reported stolen.

Re:potential reason to not dispute a charge (1)

Belial6 (794905) | more than 3 years ago | (#33052640)

Shipping hasn't been much of a problem for the last ~5 years. They just have it shipped to a vacant house.

Re:potential reason to not dispute a charge (1)

bitingduck (810730) | more than 3 years ago | (#33052592)

I actually had the bank call me about a charge like that once. I'd bought some expensive software by phone and a cell phone earlier in the day, both legitimate but unusual charges for me, so I thought it was about that when the automated fraud call came in. When I called back and talked to a live person, it was about a $9.99 charge for "somethingsoft" (I can't remember exactly what the name was). The CC company told me they'd reverse it and send me a new card. When I googled the fictitious company it turns out that it was some kind of scam thing where they either collect or generate card numbers and just start applying $9.99 charges because most people either won't notice or won't argue about it because it's too small.

Re:potential reason to not dispute a charge (0)

Anonymous Coward | more than 3 years ago | (#33052612)

enjoy your $5000 charge next month.

Re:potential reason to not dispute a charge (0)

Anonymous Coward | more than 3 years ago | (#33052758)

So what do you do when your credit card expires? They do every couple of years...

When working for Dell... (2, Interesting)

Aliotroph (1297659) | more than 3 years ago | (#33051788)

I always encouraged customers to call their credit card company's fraud number as soon as they were done with me if I learned they purchased one of those scams. How many followed up I don't know.

My friend's dad also bought a rogue antivirus one day. He refused to believe it was fake. We quietly removed it and decided to let him deal with the consequences of giving his card number to con artists. Some people are just too much effort.

"Buyer Beware" (4, Interesting)

mcrbids (148650) | more than 3 years ago | (#33051876)

Mostly people think that if they get scammed, that they were stupid or suckers and don't want to admit that they were duped. Calling the Credit Card company to reverse a charge for $40 is embarrassing, and they would rather just pay the "sucker tax" than go thru the effort, confusion, and embarrassment of disputing a charge.

And this is true in those cases where they even know they can dispute a charge - how many card holders even know that they can do this? I probably had a card for at least 5 years before I found this out, and I would consider myself somewhat more informed than the average consumer.

Re:"Buyer Beware" (2, Funny)

morari (1080535) | more than 3 years ago | (#33051994)

Here's what you do:

You start a company called "Arse Ticklers Faggots Fan Club". Put an advert in a gay mag advertising the latest in arse-intruding dildos. You sell it with "Does what no other dildo can do until now! The latest and greatest in sexual technology! Guaranteed results!" All that bollocks.

These dildo cost a few quid a pop... a snip for the pleasure they'll give the recipients. They send their cheques to the other company name. Nothing offensive, "Bobby's Bits" or something, for a few quid. You stick it in the bank until it clears.

This is the smart bit. You send back the cheque for several pounds from the other company name (Arse Ticklers Faggots Fan Club) saying we're sorry, we couldn't get supplies from America... they ran out of stock. You see how many people cash that cheque.

Not a single soul. Who wants their bank manager to know they tickle arse?

Re:"Buyer Beware" (1)

frosty_tsm (933163) | more than 3 years ago | (#33052030)

You're referencing an old scam (not the product, but sending the refund using an embarrassing name). If I recall, the court said that they couldn't use that tactic to prevent cashing of checks.

Re:"Buyer Beware" (1)

Mr. Freeman (933986) | more than 3 years ago | (#33052168)

"the court said that they couldn't use that tactic to prevent cashing of checks."

What? They said that bank customers can't make the decision to NOT cash a check?

Re:"Buyer Beware" (1)

John Hasler (414242) | more than 3 years ago | (#33052756)

> What? They said that bank customers can't make the decision to NOT cash a
> check?

No, that the intent was clearly fraudulent. Except when prevented by loony statutes judges regularly apply common sense.

Re:"Buyer Beware" (0)

Anonymous Coward | more than 3 years ago | (#33053062)

LMAO its a quote from Lock, Stock, and Two Smoking Barrels

Re:"Buyer Beware" (0)

Anonymous Coward | more than 3 years ago | (#33052166)

Lock, Shock and two smoking Barrels

Re:"Buyer Beware" (0)

Anonymous Coward | more than 3 years ago | (#33053402)

And no one replying to this comment gets the reference. Absolutely great movie.

Re:"Buyer Beware" (1, Insightful)

Anonymous Coward | more than 3 years ago | (#33052266)

For GOD's sake, accept that your way of using cards is the problem.

Start using what Europe does - the card has a chip and the chip has to be into a POS/ATM for any transaction to occur. Someone just knowing you card number cannot do anything, even if they try to run it via a payment processor. (That is right - the payments over the net go over payment processors, not between the requesting side and the bank). Oh, yes, and start demanding live real-time SMS for any transaction on the cards. Yes I did have this in Europe - some money are taken, blocked, etc.. an SMS will be on my cell in less than 10 seconds telling me exactly when and where and how much money were taken away. Why do the banks in US oppose it - well, they have interest for you to overdraw, have your money stollen, etc.

It is your own, American way of living that is causing the issue.

Re:"Buyer Beware" (0)

Anonymous Coward | more than 3 years ago | (#33052896)

Posting Anon because I have Mod points in this thread...

I just have to ask you one question... Do you realize how LITTLE power the American people actually have in saying what is the "American way of living"? I swear some entire industries are in cahoots with the Government. "Stupid politicians" would probably actually be a valid argument here.

Re:"Buyer Beware" (0)

Anonymous Coward | more than 3 years ago | (#33053022)

Ok, it's me, the dumb European shmuck..
So I live here (AZ) now, and I am being told that the people elect the government. I know - when there are no other candidates - you always elect the same, however walking into a bank office, and withdrawing money from a human teller is still an option. Then paying all in cache, or pay deliveries to the delivery boy. Even paying for gas inside the shop. I know it is not perfect, no system can be, but that would at least not expose your card.

Let me give you an example - in Europe if I've dined at a restaurant the waiter will bring the pos device to the table. I would personally put my card in, and the teller will input the charge. I will put a tip (or not) and enter my pin. When transaction is completed I will take my card out of the pos. But the whole system in Europe is based on actually wiring money from your account somewhere, that is - you move around credit (I instruct my bank to credit your account X amount). Here in US it is the opposite - you move around debit (the other party instructs my bank to debit my account X amount), and what is worse, you allow that debut to be changed at a later time. The second is inherently insecure - because in the first case the bank trusts me, and not the other parties, in the second case, the bank trusts the other parties and not me.

They Authorised The Charge (4, Informative)

gcatullus (810326) | more than 3 years ago | (#33051886)

Although the company that was given the cc number was shady - the customers actually authorised the charge. When you process a charge back it has to fall into a certain category with the processor. The customer can claim that the card was stolen, the customer can claim that the charge was never theirs, they can claim that they never received the merchandise, etc. But in this case the customers still had their cards, they actually did initiate the transaction, and they received the merchandise, i.e. their pc got "fixed".

There is no chargeback category for this, and as long as these card numbers aren't then resold and used in a traditionally fraudulent manner, nothing will happen.

It would be like trying to reverse the $1,000.00 charges for the champagne room strippers because they were ugly. Just you didn't get what you thought you'd get doesn't mean you can reverse the charges.

Re:They Authorised The Charge (0)

Anonymous Coward | more than 3 years ago | (#33051970)

The difference in this case is that the rogue antivirus is defrauding the customer. In that case, even though the charge was authorized, it can still be disputed.

Re:They Authorised The Charge (1)

gcatullus (810326) | more than 3 years ago | (#33052052)

The rogue antivirus "appears" to be defrauding the customer. This is hair splitting, but it is important. Imagine this scenario, click a link for our super duper antivirus cleaner, customer clicks link, doesn't read fine print that says this is for novelty purposes, that it will change your homepage to goatse, that it will redirect all searches to images of kittens, or whatever. The super duper antivirus cleaner says the pc is infected. The customers pc is now "broken" because their home page shows a gaping ass, and every time they try and use yahoo search they get kittens. They see a link to give their credit card to clean their pc. They cough up $80 and their pc is fixed.

Now is that fraud?

Re:They Authorised The Charge (0)

Anonymous Coward | more than 3 years ago | (#33052502)

It is extortion of the uninformed. Unfortunately there is pretty much nothing that you can do to get it prosecuted. However I highly doubt any one will be in any big rush to show their face to dispute the chargeback. If they do get investigated by the cc company and the cc company quits letting them take ccs they will just have a new company name to charge with in an hour anyway.

Re:They Authorised The Charge (1)

Kojiro Ganryu Sasaki (895364) | more than 3 years ago | (#33052000)

What?

You pay for X and get Y. That. Is. Fraud.

Re:They Authorised The Charge (1)

John Hasler (414242) | more than 3 years ago | (#33052048)

Sure it is, but how does the credit card company know that? They have only your word.

Re:They Authorised The Charge (1)

Mr. Freeman (933986) | more than 3 years ago | (#33052196)

Yes, and that's all that is necessary to reverse a charge. By law, they must remove the charge unless the company offers some proof that the customer authorized the charge. I can't imagine that a scam would be too willing to provide a lot of proof that someone authorized the purchase of a fake product and that they then delivered that fake product.

Re:They Authorised The Charge (1)

John Hasler (414242) | more than 3 years ago | (#33052744)

> I can't imagine that a scam would be too willing to provide a lot of proof
> that someone authorized the purchase of a fake product and that they then
> delivered that fake product.

They might be willing to send out a few bullshit-filled emails designed to baffle the bank for long enough for them to finish the operation, clean out the account, and move on.

Re:They Authorised The Charge (0)

Anonymous Coward | more than 3 years ago | (#33053320)

Actually, in most of these cases you're paying for X and getting X. However, you just thought you were getting Y and didn't read the fine print or do your research about the legitimacy of the product.

Re:They Authorised The Charge (2, Insightful)

NJRoadfan (1254248) | more than 3 years ago | (#33052002)

In cases where the customer never received the software they clearly have a case. Non-delivery of product/services is one of the most (if not #1) reasons one would do a charge back.

Re:They Authorised The Charge (1)

John Hasler (414242) | more than 3 years ago | (#33052028)

> Just you didn't get what you thought you'd get doesn't mean you can reverse
> the charges.

Yes it does. They promised antivirus and failed to deliver it. The problem is in proving it. It's the vendor's word against yours. You did give the vendor your number and they did send you something. Why should the credit card company believe your claim that it wasn't what you ordered? Are you ready to go to court over $50? If so you will probably win.

Re:They Authorised The Charge (1)

gcatullus (810326) | more than 3 years ago | (#33052170)

Depends on what they actually promised, they did "clean" the pcs of the browser hijacker. Even then just try suing a company from Russia in your local small claims court. Now this isn't ethical, but that doesn't mean it is not legal.

Re:They Authorised The Charge (1)

John Hasler (414242) | more than 3 years ago | (#33052724)

> Depends on what they actually promised, they did "clean" the pcs of the
> browser hijacker.

They only removed what they installed, and only after you paid them. Not just fraud: extortion.

> Even then just try suing a company from Russia in your local small claims
> court.

Not the vendor. The card-issuing bank, for refusing to cancel the charge. You might win, but it wouldn't be worth it.

> Now this isn't ethical, but that doesn't mean it is not legal.

Fraud and extortion are not legal.

Re:They Authorised The Charge (2, Informative)

durdur (252098) | more than 3 years ago | (#33052126)

It's actually quite sucky to be a credit-card taking merchant, because all the risk of a transaction going bad is pretty much on your shoulders. The card issuer assumes no risk or liability themselves. Which is why some outfits don't take credit cards.

A consumer can always dispute a charge. They can say the merchandise was defective, which it surely was here. Usually the merchant either works it out with the consumer or if they're a scammer they never respond and they're out the money, plus, as a merchant, if you get too many chargebacks, your card company may decide you are more trouble than you are worth and drop you.

I guess you can abuse the system as a consumer, too. Still the merchants bear the greater risk of having things go wrong, because they process more transactions.

Re:They Authorised The Charge (1)

retchdog (1319261) | more than 3 years ago | (#33052134)

You can reverse the charges if the product doesn't conform to reasonable expectations and is not sold "as is". I did this when I bought a used thinkpad that didn't even POST, and the seller refused to communicate with me. To clarify: it was not sold "as is", and the seller did not even try to disclaim the implied warranty of merchantability [wikipedia.org]. Then again, probably most people expect anti-virus to not work anyway. :-/

The strippers may be more contentious, but if they actually had misleading photographs on display... Most people would probably not try though. ;-)

Re:They Authorised The Charge (1)

gcatullus (810326) | more than 3 years ago | (#33052280)

The chargeback rules haven't caught up with technology. The thinkpad was a tangible piece of merchandise. The credit card processors know how to deal with that, i.e. bought x and x doesn't do what x is supposed to do, and as you said wasn't bought "as is". But what if you pay for a piece of software that only claims to restore your original home page and let you search AOL again. These people bought something that did that. How do you explain to your cc company that you clicked a link you shouldn't have and then you bought this software to fix the pc and it did fix it, but that you were scammed, because the original link was misleading.

As for warranties as I recall most software requires that you sign away just about any rights before you are allowed to use it. It is a slippery slope, try charging back MS Office because it is "broken" because you can't make pivot tables.

Re:They Authorised The Charge (1)

Cwix (1671282) | more than 3 years ago | (#33052450)

Not that I know or really care what a pivot table is, does the box/manual/advertising say it does? If so you can prob chargeback.. that is unless you dont know how to make a piviot table with the software, then its your issue.

Re:They Authorised The Charge (1)

rainmouse (1784278) | more than 3 years ago | (#33052276)

It would be like trying to reverse the $1,000.00 charges for the champagne room strippers because they were ugly.

To put it into a bit more accurate a context, it is a little bit more than strippers being ugly. They would have to convince you they were strippers, then show up after being paid with a lot of clothes on and put even more clothes on. It's false advertising and a scam, don't try using irrelevant metaphors to back them up like I have just done to disagree. Dammit I'm such a hypocrite.

Re:They Authorised The Charge (1)

gcatullus (810326) | more than 3 years ago | (#33052338)

Well they were strippers, just clothed strippers, they happened to be absolutely naked (underneath their clothes), and nothing in the shrink wrap eula that covered the entrance to the champagne room said anything about them actually letting you see them naked without clothes.

Re:They Authorised The Charge (1)

krebsonsecurity (1714228) | more than 3 years ago | (#33052398)

Everything you said is true and makes sense. However, what we are dealing with here are by-design fly-by-night companies that are in existence long enough to snag a few thousand victims, and then they vanish into thin air. There is no recourse in those cases for the victim/customer to obtain redress from the "company" that sold the bogus product: It simply doesn't exist anymore. And it's not like this is an accident: This is all part of the plan. If the so-called businesses spreading rogue anti-virus had to stay in business for more than a few weeks, they'd go broke from all the chargeback fees. The question is, who pays those chargeback fees when the company that incurred them is no more?

Re:They Authorised The Charge (1)

gcatullus (810326) | more than 3 years ago | (#33052642)

If the company closes up shop and disappears then their credit card processor "eats" the chargebacks. But they also grab all the so called "legit" charges. The processor is also getting a much larger percent transaction fee, supposedly to cover the higher chance of fraud for online transactions. So if the company actually skips town the processor is the one that grabs any other transactions to pay off the chargebacks and keeps the rest of the money themselves.

Credit card processing is a dirty dirty business

I work at a computer repair shop (5, Interesting)

Anonymous Coward | more than 3 years ago | (#33052046)

We see a lot of customers coming in with fake antivirus installed on their machines, and the customers sincerely believed they were purchasing a valid piece of software. I think the largest problem when I see people encountering this scenario, is that typically:

1.) They don't realize they've actually been scammed. Pop ups start appearing on their computer, and they receive an offer to purchase "antivirus" and fix the problem. They now think they're protected, but continue to have problems.

2.) They tried calling Visa/MC/Discover and couldn't convey why they were charged for a bogus product. Some of the "EULA" agreements that come with these fake antivirus products actually state in the fine print that the software product does nothing. People click "OK" on anything, and legally agreed to pay for a piece of software that doesn't do anything.

3.) Don't know how / Don't care. Whatever. Take the computer into a shop and have someone fix it, hopefully $60 of fake antivirus is enough to jog my memory into being a little more careful on the internet.

I've even see plenty of customers willingly disabling antivirus / firewall products because they are "inconvenient" when trying to do other things on the computer. Fake antivirus and antimalware really is quite a genius scam, but it doesn't surprise me that a lot of people lose to it, and rarely ask for their money back. Some of these people don't even know what malware IS.

Re:I work at a computer repair shop (1)

TheQuantumShift (175338) | more than 3 years ago | (#33053506)

Definitely #1. People are too conditioned to believe that computers just fail and there's nothing that can be done about it.

And for the record, all anti-malware software is snake-oil. A deadbolt on the front door does no good when you leave all the windows open (no pun intended).

There's only one solution for rogue antivirus... (1)

Anonymous Coward | more than 3 years ago | (#33052068)

Only one solution for rogue antivirus vendors: take off and NUKE THEM FROM ORBIT. Seriously - I'm generally opposed to the death penalty, but there's absolutely no reason for the dirtbags who write, deploy or sell those programs to continue breathing.

Who can tell? (4, Insightful)

VGR (467274) | more than 3 years ago | (#33052072)

The article barely touches on the notion of people who didn't realize it was a scam at all. It's obvious to us technical types, but I doubt it's obvious to non-technical people.

Most retail Windows PCs are loaded up with obnoxious adware that nags at every login. I got a brand new PC from Staples last year which had a MacAfee nagger installed in the startup sequence, and while I was eventually able to disable it, it took more than one try and considerably more effort than just one or two clicks. If it was nontrivial for me to banish, I have to believe non-technical users would just give up.

On top of that, anti-virus is pretty low-level, as software goes, so how many non-technical people will even know that it's not doing anything after they pay for it?

The scammers are good at avoiding chargebacks (4, Informative)

spywhere (824072) | more than 3 years ago | (#33052074)

I remove this crap for a living, and I've seen the scam up close.
When the victim pays, the scareware purveyor removes most of the program... which "fixes" the PC. They leave behind a back door, and Registry entries making the machine download .exe files without prompting, but they mostly stop bombarding the victim with warnings... for a month or two.

Then, they attack again, trying to get more money. I've had a few customers who paid for the first attack, then finally called for help when they got hit again; it was easy to see what the first program did, and track down the quick site redirect that brought on the second infestation.

The real criminals here: Visa and Mastercard, for maintaining merchant accounts for these scumbags. Brian Krebs exposed this, and got it shut down... for two weeks or so, and they've back ever since without interruption.

Re:The scammers are good at avoiding chargebacks (2, Interesting)

gcatullus (810326) | more than 3 years ago | (#33052684)

Visa/Mastercard are the cartel bosses, but the credit card processing is being done by ISOs such as First Data, RBS Lynk, etc. Anyone with 20 grand or so can get registered as a merchant processor and start trying to sell merchant processing. Depending on how big a portfolio of business you write, you can get better rates from the credit card networks. Then you can go out and sell a "cost plus" deal that is alledgedly tied to interchange fees. But you can hide a percent in obtuse statements and a couple of points here and there. Then you are making an easy percent just for the privelege of connecting a merchant with a credit card network Credit Card processing actually makes the rogue antivirus software business look ethical.

Banks suck (1)

lavagolemking (1352431) | more than 3 years ago | (#33052158)

Part of the reason might be because of the way credit card companies like to wear you down. At 53 Bank, I had about $600 worth of fraudulent international charges on adult websites. They tried several times to pin it on me, and ultimately the process took about 3 months to resolve (leaving me with no credit to buy textbooks with). It took 4 visits in person (each requiring me to sit in their "waiting room") before they actually did change the numbers (despite saying they did), and then they tried to pin the "international transaction fees" on me because they were from a "closed account" where I had no room to dispute them. After all that, the bank's manager had the nerve to blame "government regulation" because they had "90 days to give me a resolution", which their company policy was to not give me any information until that time. I responded by her logic that they would never respond to complaints without the regulation.

In a separate case, somebody found out my account and routing number (I didn't even know that information, since I never ordered checks and only used an ATM card, but they still claimed I must have entered my information into a "fake website" since their databases are "hacker proof"), and it took (no joke) 4 personal visits before they actually changed the numbers, despite that every single time they said the numbers were indeed changed. They demanded, and said they would not discuss anything whatsoever until I agreed, that I sign a waiver that I admit the decision is ultimately up to the bank, who is under no obligation whatsoever to return the stolen funds, and fill out and sign it for each individual charge. I said no, and the manager said they could not and would not help me until I signed it. Being unable to afford legal aid, I ultimately signed them and got my money back that summer (it happened in February).

Needless to say I have switched banks, but if all banks treat their customers like idiots, pretend they know what they're doing to keep customers quiet, and force them to sign contracts to cover up for their games, then it is no wonder victims never dispute charges and no wonder scammers are so successful.

Bending Over (1)

sexconker (1179573) | more than 3 years ago | (#33052188)

People love to bend over and take it in the ass.

This is why the credit card companies keep shitting on security - they profit off of fraud.

Merchants are forbidden to verify the name on your card, ask to see your ID, verify your signature, ask for a signature for small purchases, etc.

Cards are being shipped with RFID bullshit in a direct attempt to increase fraud - fraud that the user isn't even aware of.

Banks offer rewards for charging purchases to a debit card as credit. Why? Because when charged as credit, you don't need to enter a pin or billing zip code. Get people used to charging purchases as credit, and they won't notice the fraudulent charges on their statement.

Security features such as the extra digits on the back of your card, passwords (such as Verified by Visa) are pointless theater. A merchant has no reason whatsoever to participate in the program other than to say "We're "secure"!". Indeed, many merchants still store the CV2/etc. code on the back of your card, and most merchants will simply default to processing the transaction without the password feature if you fail to enter the proper password.

Hell, I've had Banc of America admit to knowing about "errors" in their system. Said "errors" resulted in them transferring MY money around from Bank of America and Banc of America in a deliberate effort to hit me with overdraft fees.

Neither Bank of America nor Banc of America would do anything to fix it, even when I walked into a physical branch.
I had to tell them to close all of my accounts and give me all of my money back, and file complaints with every regulatory agency under the sun for them to fix it.

The bottom line is - watch your statements, do the math yourself, and never let them get away with even a single fucking penny.

Re:Bending Over (1)

Rashkae (59673) | more than 3 years ago | (#33052754)

Woa... tighten that tin foil hat there. Here's some quick information for you, not that you're likely to believe truth.

CC companies do not profit from fraud. In most cases, they get left holding the entire bag, since the card holder is, by law, not liable for fraudulant charges (fraudulant charges being charges not authorized by the card holder. It's more complicated when the customer authorizes a charge to a fraudster. Think of it much like handing the fraudster cash.)

Cards are being shipped with RFID and other chip technologies because Mag stripe cloning techniques have been so ubiquitous and sophisticated, banks are getting reamed up the arse eating all the fraudulent charges, and are desperate to get rid of mag stripes as fast as possible. Although, I'm not at all convinced that RFID won't be worse once crime cartels start upgrading their tech to clone those.

Banks offer rewards to use their cards because they charge the merchant a percentage of the purchase. Bank rewards you 1%, charge the merchant 2%, there's 1% profit for them right there before you even go into debt. and increase their profit 100 fold with interest charges.

Merchants are not at all forbidden from verifying your signature and ID... Indeed, I've been asked for my photo id several times since the signature stripe on my CC is worn off. Though it's true most merchants don't bother. However, if the merchant can not produce a signed purchase authorization when a transaction is disputed, it's the merchant who doesn't get the money.

Why scam? (3, Interesting)

hendrikboom (1001110) | more than 3 years ago | (#33052366)

What puzzles me is why the scammers don't download onto their "customer"'s machine one of the open-source, free antivirus programs. Then the customer can't complain that they got nothing. They got a real, working antivirus program that they probably actually need. Or are the scammers determined to do nothing that could be called legit?

Re:Why scam? (4, Insightful)

Cwix (1671282) | more than 3 years ago | (#33052484)

Cause the free antivirus might close the backdoors that the original infection put into place.

Re:Why scam? (1)

westlake (615356) | more than 3 years ago | (#33052588)

What puzzles me is why the scammers don't download onto their "customer"'s machine one of the open-source, free antivirus programs.

You really, really, don't want this to happen.

Because the scammer can now trade on the reputation of the legitimate open-source AV
or he can release malicious code into the wild that - to the user - will look exactly like the legitimate package.

They do. (1)

Erikderzweite (1146485) | more than 3 years ago | (#33052700)

I have encountered the very tactic you mention. Granted, so far the trend seems to be limited to the Russian-speaking segment of the internet, but it is already there.
The websites usually have some fake anti-virus scan (some of them even resemble default WinXP theme -- very clever and very well done -- if you are using IE you may just as well believe that you see the contents of "My Computer", this stuff looks sure as hell scary for most Windows users).
If they manage to scare a victim to pay, the latter receives a copy of ClamWin.
The site usually has some fine print saying that ClamWin is a free (as in beer) product (no mention about it being free as in speech or open-source though). They even state that the whole is a game and you pay to receive educational materials about computer security.

I know this because I always enjoy watching those scanners finding some viruses on my system in C:\Windows\system32. They don't bother to include UA detection yet which gives any Linux user a good laugh.

related- (4, Interesting)

Trailer Trash (60756) | more than 3 years ago | (#33052778)

I once read an article about a guy who "sold" penis enlargement pills through spamming. I put "sold" in double quotes because he said he never shipped a product, and didn't even have any to ship if he wanted to. His reason? "Who's going to call their credit card company and tell them they didn't get their penis enlargement pills that they ordered?"

While not at the same level, I'd hazard a guess that it's the same here.

Actually I am researching this for an eBook (1)

Orion Blastar (457579) | more than 3 years ago | (#33052808)

one I will make FOSS or if published for a low price so it is affordable if my FOSS eBook ideas don't work out.

Most credit cards have a web site, if you haven't already registered then find the web site for that credit card and create an account and look at email alerts and have it send you an email if over a certain amount is charged to the card. Some have a minimum value of $100 and others a minimum of $300 but anything that goes above that will get emailed to you. If you didn't charge it and someone else on your account didn't charge it chances are it got stolen. Also check to see if there are other alerts like a week before the payment is due it sends you an email on the balance and maybe a list of charges, if not log in and look at the list of charges at least every week if not twice a week to see if any of them are fraud.

While my identity was stolen 13 times, it was always because my son allowed his cousins to use his account on my system and then they chatted with some guy on some chat channel how to get around the user setting for the account and run a program to change to administrator and give him access to fix the game they are playing Roblox or Runes of Magic that had some stupid update and then their character is messed up and not animated or floats instead of walking, usually means a video card driver needs updating or the last update no longer works with the video card and they will fix it later. So now my new computer has no account for my son and I can avoid that and not let his cousins get on my new PC. My brother had to remove the RAM from their PCs back home because they did even worse stuff and without RAM the system will not work.

But I logged into each credit card account and bank to check, found the fraud charges, called the credit card company, got a fraud report and a list of recent charges and check each box that was a fraud charge and mail it back after signing it and make sure I used certified mail. The charges were gone and in some cases they even gave me a lower APR interest rate to make up for it and a new credit card with a different account number on it, and cut up and throw away the hacked credit cards.

Why am I writing an eBook on this? To help educate people because most don't know what to do, and they are always targeted because they never file charges and never notice they are being ripped off until the credit cards are maxed out, they are being sued by banks to pay the credit cards and they lose their house and car because they cannot make payments on it.

Look in most cases you just need to talk to the bank or credit card company and then get a fraud report and fill it out. This is free, no lawyer nor accountant needed and no credit company or loan company either. But if I make this book FOSS and in PDF eBook format it can be downloaded by anyone who has a relative that has no idea what to do and read it to them or print out the eBook or maybe if people don't know how to download a PDF just publish it into a paper book for as low a price as I can get, and then they find it in a book store or a friend or relative buys it for them to help them out.

Also via the web site of the bank or credit card company they can assign you an alternative credit card number and code to use on web sites and goes to the same account as the original credit card number, and if that gets stolen they cancel that alias number and issue you a new one.

Load More Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Sign up for Slashdot Newsletters
Create a Slashdot Account

Loading...