I have visited the local police department, but they said since I'm not the victim they can't do anything about it (presumably the owners of the stolen credit cards are the victims here, so they have to file a report). They referred me to the FBI. So I filed a complaint with the IC3.gov. After submitting the form, it said that it may be a while before I hear anything since they have limited resources and they receive thousands of complaints each day.
What's really frustrating is that I have the checking account details where the stolen money was sent to! So it seems it would be an easy case to break. The authorities would have to subpena the bank account since I have the bank account number and bank name, it's not like they used bitcoins.
Can anyone with experience in this situation before chime in with some advice? What should I do? Please help, any information would be greatly appreciated.
Why would you as a hobby run a payment site linking credit cards and checking accounts when you appear to not have done any research in to how important loss prevention is in such an activity? If you were not interested why did you start? If you were interested how could you not know what steps to take?
I can think of a number of important business lessons I learned that cost me more time or money. E.g., "be careful picking business partners", "don't start work without a signed contract", or "crazy clients don't get saner". All things I should have known, or could have discovered reading. But had I waited until I had read and appreciated all business lessons, I never would have started anything.
And I appreciate him sharing the lesson with Hacker News. It reminds me of the Despair, Inc poster on mistakes:
http://www.despair.com/mistakes.html
"It could be the purpose of your life is only to serve as a warning to others."
So thanks, eam, for getting a bunch of young entrepreneurs to say, "Hey, maybe I should double-check our fraud prevention."
Ally isn't going to help you in this case. Ally doesn't know you, and you're asking them to give you money from one of their customers.
Who is your payment processor? You can issue an ACH reversal. You would get your money back if the money is still in the recipient's bank account. It's worth a try since they may not be expecting you to reverse the transaction and will still have money in the account.
1) Set up an exchange. 2) Wait for people to deposit >$2000 worth of bitcoin. 3) Run away.
Problem solved.
More seriously, I think you're more or less in a very unhappy place without good options. Chalk it up to experience and consider yourself lucky that you only lost $2k.
Though, a question for the legally-minded: if this project had been done in a corporate structure, could the poster just walk away from it and be insulated from the loss?
That's not necessarily true. There are a number of things which can allow the "corporate veil" protecting stockholders from personal liability to be pierced, including a stockholder that is also a corporate decision-maker engaging in grossly negligent or reckless acts as a corporate decision-maker that produce the corporate liability.
Incorporation provides a shield against personal liability, but it is not an absolute, unconditional shield, especially for stockholders who are also decision-makers in the corporation.
If he provided financial services without a proper license, he might be in a world of hurt.
Through some social engineering, I was even able to get the name and location of the checking account owner and get him on the phone. I was actually quite close to visiting and beating the crap out of him. Turns out he was just some poor rube from Arkansas who answered a craigslist ad. In the end he was actually more of a victim than me (basically had his identity stolen, credit ruined).
Law enforcement at all levels were completely unhelpful (I dealt with CA police, AR police, and feds). Once I located the bank and got them on the phone, they at least were able to freeze the checking account (I believe they are required by law to do this once fraud/cybercrime is reported). That's really only a temporary fix though.
Any time you're doing payment aggregation or money transfers, you have to do as much verification as possible. We learned that the fraudulent charges had very predictable patterns (international cards, fake websites, very specific range of charge amounts, etc.). At a small scale, you should just manually verify all accounts, require phone/address verification, and more. I've seen some bitcoin startups that even require you to submit a photograph of your card + ID via WebRTC. This is what you should do right away. Once fraudsters realize they have to do work, they will move on to the next target. Our chargeback rate is now near zero and never fraud-related.
At scale, you can have in-house people write code to detect fraud patterns. There are also startups like Sift Science with APIs.
Hope that helps.
This means that you're left to defend yourself. Typically, you'll start implementing some basic verification and rules in your code base. For example, "if num_credit_cards_per_destination > 5; flag_as_suspicious()". But, it's tough to be accurate with this approach, so you'll want to manually review activity flagged by rules, so that you don't insult your good customers. As your business grows, it's more challenging to scale these fraud detection rules and manual review operations. While adding more verification helps, it does negatively impact the experience for innocent customers. It's a delicate balance.
I wish I had better news. In some sense, seeing fraud means that you're on the map. Unfortunately that means you'll only attract more and more attention as your business grows. I'm happy to be a resource, even if we don't work together - jason at siftscience dot com.
> Law enforcement at all levels were completely unhelpful (I dealt with CA police, AR police, and feds). Once I located the bank and got them on the phone, they at least were able to freeze the checking account (I believe they are required by law to do this once fraud/cybercrime is reported). That's really only a temporary fix though.
I actually did call the bank 2 days after the transactions. I believe it takes 2-5 days for direct deposits to arrive to destination bank. When I called the bank, the support agent said they could see the deposits and that they would freeze the account. Though they haven't been very cooperative since then and communication has been limited. The bank agent I was assigned to has been difficult to reach and work with, even my processing company has had trouble getting a hold of them. I'm really hoping the account is still frozen and they will fulfill the reversals. That's my only hope.
I'm afraid it's likely you're going to have to put this one down to experience... You haven't gone into specifics, but your side project sounds like a money-launderer's dream.
Did he say that? I thought he was just saying as he had the account number then the bank could easily stop that money; the implication being that someone trying to retrieve the money could be traced.
I was more getting at the fact that the money is probably not retrievable.
—Max Levchin, founder of PayPal
- You are most likely violating OFAC/KYC regulations in the US (Assuming you are in the US with references to the FBI)
- It is easy/cheap to buy on the black market complete combinations of credit cards/cvv/social security info
- People who buy/have these stolen cards want a cash exit
- Verification of both sides of the transaction are really needed for what is essentially a money transfer, to keep fraud down (steps beyond CCV to prove someone is in control of a CC)
- You are lucky, that $2000 was probably an initial probe to see what checks you had in place. Shutting down was the right thing to do. If you had left it open, you could've added three zeros to the damages
- CC's are not secure and the "merchant" is always the loser in fraud. Visa/Mastercard will always make their cut. Additionally ACH/echecks doesn't provide much in the way to claw back funds (any really).
1) You are almost certainly operating a money transmitting service (like Western Union). If you are an intermediary between people giving each other money, there are piles of regulations and compliances you must deal with just to stay out of jail!
2) Anything dealing with money and internet is HARD. This is like complaining that you tried to be a veterinarian on the side and some animals died. There is a minimum amount of knowledge you need just to start. You presently don't know what you don't know in this space. Its dangerous.
Sorry for the downer, but pick a different side project.
I can pretty much guarantee that no one in law enforcement will do anything about your situation. I work for an online retailer and we've been down that road. Everyone will mumble something about jurisdiction and hang up on you.
If you're looking for business advice, I don't think there's any practical or safe way to run a business that allows people to charge a credit card and return cash to a bank account. If that's necessary for the functioning of your site, you may need to rethink your site.
My not-a-lawyer advice? Drop your "side project" as fast as you possibly can, before it destroys you.
This sounds like a grossly irresponsible "side project".
[1] example: See "Laundering" on p. 11, "No Cash Refunds" on p. 13 of https://usa.visa.com/download/merchants/card-acceptance-guid...
Actually- just go talk to a lawyer about getting the wheels of justice moving for you.
Talk to a lawyer. Make sure you haven't been running a financial service.
EDIT: I would also like to add that typically those who dabble in credit card fraud are sophisticated enough NOT to link their own bank details to the cards. What they will do is either buy some unknowing person's account for a few hundred dollars or steal details of an otherwise inactive account. Then all they have to do is use any ATM to withdraw the money, and it can be nearly impossible to catch the culprit without committing significant police resources.
When I was at WePay, we used this to help recover fraud losses. It's not 100% effective (because often the account has already been drained/closed), but it's better than nothing.
In the future, I would also recommend using a PSP like WePay, Stripe, or PayPal that will handle KYC and fraud detection for you. https://www.wepay.com/api/payments-101/preventing-losses-fig...
Most chargebacks are a result of orders from people with stolen credit cards, usually from international IPs. To mitigate this, I ended up using:
1. A service called MaxMind, which includes automated phone verification (e.g., ensuring the person owns a phone number in the a area code matching the credit card zip code).
2. Using payment providers like PayPal or 2CO since they have their own built-in fraud prevention systems.
Of course, this does not prevent chargebacks for non-fraudulent reasons (e.g., unsatisfied customers). For large orders, you may need to get the customer's signature on a credit card authorization form, to enable you to win the chargebacks if they occur.
2. FBI cybercrimes division will eventually want to hear from you but the fraud was small potatoes compared to what they are up against. Your local PD is right, this is out of there league. Most likely this is across county, state, and international borders.
Unless you can swallow the loss.
As an example, some airlines require that you present the Credit Card used in the purchase upon check-in.