From: Tad Cook <tad@ssc.com>
Organization: TELECOM Digest
Date: Mon, 8 Jul 1996 05:30:36 PDT
Newsgroups: comp.dcom.telecom
The Internet is a Source of Wonder, as Well as Fraud
By John Dunbar, The Florida Times-Union, Jacksonville
Knight-Ridder/Tribune Business News
Jacksonville--Jul. 7--The Internet can be a window to a wonderful world.
But remember the next time you look out -- other people are looking in
-- and they may not be so wonderful.
Yvonne Dubois discovered this while surfing the Net late one night in
December.
The cyberspace rookie was approached by a stranger seeking her credit
card and checking account information via an electronic mail message.
The unwanted visitor identified himself as an employee of America
Online Inc. The interloper told her he needed her credit information
to continue her service.
Not knowing she was being scammed, Dubois, a registered nurse, gave up
some financial information.
Later, after discovering someone had changed the address on her
checking account and ordered several credit cards in her name, she
called the police.
She was convinced the event was connected to her AOL session.
What followed was a multi-state investigation and the arrest and
conviction of an AOL employee in Jacksonville.
The scam was disturbing because it originated from an employee of the
online service itself.
And it appeared to target a new subscriber who was still learning the
system.
"It looked very official at that time," Dubois said of the information
request.
"I was new to AOL. They knew my screen name."
Police say the unusual activity involving Dubois' checking and credit
card accounts may or may not be related to her online session.
But the ensuing investigation begun by her telephone call helped lead
police to the doorstep of Justin Shane Morgan, a 20-year-old
Jacksonville resident, who was working for AOL in technical services.
According to police and court records, Morgan befriended a juvenile in
Oklahoma, screen name "Evil," online.
The friendship led to a scheme to get free computer equipment.
Morgan, a hacker who ran his own computer bulletin board, also
implicated two fellow AOL employees who have not yet been charged.
According to Assistant State Attorney Andrew Kantor, Morgan would
obtain screen names and e-mail addresses of new subscribers -- like
Dubois-- and send messages seeking personal financial information.
Once he got the numbers, he would send them to his Edmond, Okla. friend.
"Evil" would order computer equipment from a computer supply company
in New Jersey, using the hijacked credit card numbers, according to
Kantor.
The equipment would be delivered to Jacksonville and Oklahoma.
After $30,000 in computer equipment orders, a suspicious worker with
the company contacted the Jacksonville Sheriff's Office.
Investigators set up a sting operation.
They delivered computer equipment to the three AOL workers involved
in the scam.
Morgan was the only one who signed for the equipment, according to
police records.
He signed a confession and later pleaded guilty to grand theft.
The other two were not charged, and one still works at AOL.
In Oklahoma, the case is still under investigation, according to a
detective there, and charges are pending.
Warding off predators:
Credit card fraud is common in the United States.
Anyone who uses a card to buy anything over the telephone or even at a
retail outlet is taking a certain amount of risk.
But the disturbing thing about the Jacksonville fraud is that it was
cooked up by AOL employees.
The thought of someone infiltrating AOL from the company's home office
and gaining access to its six million subscribers is chilling.
Fortunately, Morgan did not have direct access to customers' personal
financial information.
But he did have enough information to talk several people into
giving up their credit card numbers.
An AOL spokeswoman denies the names were acquired through Morgan's job
access.
"When people are communicating by a service like Prodigy and America
Online, they need to protect themselves," said Kantor.
"Do not give out confidential, personal identifying data, be it bank
account numbers or credit card numbers. It's not like a face-to-face
transaction where you can identify people," he said.
Because the online experience is so new to some people, cautions that
may be observed with other types of transactions tend to be abandoned.
"I believe the perpetrators of these types of frauds prey on those who
are new to the system," Kantor said.
Victims don't realize the significance of giving up their financial
information blindly.
"It's like walking out to a busy street corner in New York City and
yelling out 'here's my bank account number,"' he said.
At AOL, the arrest and firing of Morgan appears to have sparked some
changes.
Since April, the company has been including a warning when subscribers
receive e-mail or messages telling them not to give out any financial
information, even if the person sending the message identifies himself
as an AOL employee.
AOL spokeswoman Kathy Johnson, speaking from the company's Vienna,
Va., headquarters, said she did not know whether the change was a
direct result of what happened in Jacksonville.
"We're trying to make our members aware and warn them not to give out
their information regardless of who they are," Burns said. "Don't give
out any personal information if you don't know who this person is on
the other end of the line."
The company also encourages subscribers to change their password regularly.
Is threat overstated? About 37 million people have access to the
global computer network, and 14 percent of those people have bought
goods or services online, according to the National Consumers League.
As more commerce is conducted, more opportunists are expected to take
advantage of virgin Internet consumers.
But many in the Internet business say the security threat has been
overstated.
The same cautions should be used when ordering something over the
Internet as used in mail-order purchases.
Consumer organizations warn people to be careful what they do with
credit card numbers, regardless of how they are being used.
"We know that at any time, anyone -- whether it's employees in a
retail shop or people who work in a bank -- have access to or can
easily get access to a consumer's personal information," said Susan
Grant, executive director of the National Association of Consumer
Agency Administrators.
She offers a simple piece of advice to people who are being asked for
personal information online: Get a phone number and tell them you will
call back.
Grant, whose organization represents government consumer groups across
the country, says cyberfraud is becoming a bigger problem, and many of
the scams being played out have a familiar ring.
Some of the same solicitations found on the Internet, such as
advertisements for bogus jobs, credit repair and get rich quick
schemes, are also seen in print advertising.
But the new frontier of the Internet is expected to create
opportunities for new types of fraud.
"It's something that everyone's watching very closely to see what
kinds of things are going on," Grant said. "It's kind of like the Wild
West."
ON THE INTERNET:
Visit ConnecT-U, the World Wide Web site of The Florida
Times-Union. Point your browser to http://www.times-union.com
[TELECOM Digest Editor's Note: Persons who were defrauded in this way
while online with AOL should bring suit against AOL since the persons
involved were (or still are, as noted above in one case!) employees
of the service. Furthermore, it is reasonable to assume that unless/
until AOL makes a full public statement about this (so far there has
been none from the company that I am aware of) new users to AOL should
be extremely careful about giving out any financial information at
any point to the company -- even in the signup process -- unless they
wish to risk the possible misuse of their credit card and other banking
information.
This is the very same AOL which was actively involved in the kiddie
porn operation the United States Customs Service operates in south
Florida and the very same AOL which now admits they monitor private
conversations between users (see most recent issue of Computer Privacy
Digest, moderated by Leonard Levine for details) in private rooms they
consider likely places for 'illegal' activities. It is pointed out in
that article that if you so much as even visit one of those rooms and
see what they are talking about you get a threatening letter from AOL
and cancellation of your account. You don't have to speak up in those
rooms or engage in anything illegal. I assume moving your mouse pointer
accidentally to that line and clicking is good enough. This is the
very same AOL which, after you cancel your membership goes ahead and
puts through another charge on your credit card the month following.
If you catch it and complain, 'it was all a mistake'.
Aren't they really something special! Where VISA and Master Card are
concerned, if a merchant or the merchant's employees engage in credit
card fraud -- especially in a 'no signature on file' context -- VISA/MC
are quick to cancel the merchant's account. There are some completely
honest people trying to do business on the World Wide Web that no
matter how hard they try they cannot get VISA/MC merchant status, so
picky are the card issuers about potential fraud when no signature on
file merchandise orders are the norm. AOL is starting to leave a very
bad taste in my mouth, and I don't think I am alone. PAT]
AOL staffers "didn't know"
Main menu