AOL Employees Steal Users Credit Card Numbers

From: Tad Cook <tad@ssc.com>
Organization: TELECOM Digest
Date: Mon, 8 Jul 1996 05:30:36 PDT
Newsgroups: comp.dcom.telecom

The Internet is a Source of Wonder, as Well as Fraud
By John Dunbar, The Florida Times-Union, Jacksonville

Knight-Ridder/Tribune Business News

Jacksonville--Jul. 7--The Internet can be a window to a wonderful world.

But remember the next time you look out -- other people are looking in -- and they may not be so wonderful.

Yvonne Dubois discovered this while surfing the Net late one night in December.

The cyberspace rookie was approached by a stranger seeking her credit card and checking account information via an electronic mail message.

The unwanted visitor identified himself as an employee of America Online Inc. The interloper told her he needed her credit information to continue her service.

Not knowing she was being scammed, Dubois, a registered nurse, gave up some financial information.

Later, after discovering someone had changed the address on her checking account and ordered several credit cards in her name, she called the police.

She was convinced the event was connected to her AOL session.

What followed was a multi-state investigation and the arrest and conviction of an AOL employee in Jacksonville.

The scam was disturbing because it originated from an employee of the online service itself.

And it appeared to target a new subscriber who was still learning the system.

"It looked very official at that time," Dubois said of the information request.

"I was new to AOL. They knew my screen name."

Police say the unusual activity involving Dubois' checking and credit card accounts may or may not be related to her online session.

But the ensuing investigation begun by her telephone call helped lead police to the doorstep of Justin Shane Morgan, a 20-year-old Jacksonville resident, who was working for AOL in technical services.

According to police and court records, Morgan befriended a juvenile in Oklahoma, screen name "Evil," online.

The friendship led to a scheme to get free computer equipment.

Morgan, a hacker who ran his own computer bulletin board, also implicated two fellow AOL employees who have not yet been charged.

According to Assistant State Attorney Andrew Kantor, Morgan would obtain screen names and e-mail addresses of new subscribers -- like Dubois-- and send messages seeking personal financial information.

Once he got the numbers, he would send them to his Edmond, Okla. friend.

"Evil" would order computer equipment from a computer supply company in New Jersey, using the hijacked credit card numbers, according to Kantor.

The equipment would be delivered to Jacksonville and Oklahoma.

After $30,000 in computer equipment orders, a suspicious worker with the company contacted the Jacksonville Sheriff's Office.

Investigators set up a sting operation.

They delivered computer equipment to the three AOL workers involved in the scam.

Morgan was the only one who signed for the equipment, according to police records.

He signed a confession and later pleaded guilty to grand theft.

The other two were not charged, and one still works at AOL.

In Oklahoma, the case is still under investigation, according to a detective there, and charges are pending.

Warding off predators:

Credit card fraud is common in the United States.

Anyone who uses a card to buy anything over the telephone or even at a retail outlet is taking a certain amount of risk.

But the disturbing thing about the Jacksonville fraud is that it was cooked up by AOL employees.

The thought of someone infiltrating AOL from the company's home office and gaining access to its six million subscribers is chilling.

Fortunately, Morgan did not have direct access to customers' personal financial information.

But he did have enough information to talk several people into giving up their credit card numbers.

An AOL spokeswoman denies the names were acquired through Morgan's job access.

"When people are communicating by a service like Prodigy and America Online, they need to protect themselves," said Kantor.

"Do not give out confidential, personal identifying data, be it bank account numbers or credit card numbers. It's not like a face-to-face transaction where you can identify people," he said.

Because the online experience is so new to some people, cautions that may be observed with other types of transactions tend to be abandoned.

"I believe the perpetrators of these types of frauds prey on those who are new to the system," Kantor said.

Victims don't realize the significance of giving up their financial information blindly.

"It's like walking out to a busy street corner in New York City and yelling out 'here's my bank account number,"' he said.

At AOL, the arrest and firing of Morgan appears to have sparked some changes.

Since April, the company has been including a warning when subscribers receive e-mail or messages telling them not to give out any financial information, even if the person sending the message identifies himself as an AOL employee.

AOL spokeswoman Kathy Johnson, speaking from the company's Vienna, Va., headquarters, said she did not know whether the change was a direct result of what happened in Jacksonville.

"We're trying to make our members aware and warn them not to give out their information regardless of who they are," Burns said. "Don't give out any personal information if you don't know who this person is on the other end of the line."

The company also encourages subscribers to change their password regularly.

Is threat overstated? About 37 million people have access to the global computer network, and 14 percent of those people have bought goods or services online, according to the National Consumers League.

As more commerce is conducted, more opportunists are expected to take advantage of virgin Internet consumers.

But many in the Internet business say the security threat has been overstated.

The same cautions should be used when ordering something over the Internet as used in mail-order purchases.

Consumer organizations warn people to be careful what they do with credit card numbers, regardless of how they are being used.

"We know that at any time, anyone -- whether it's employees in a retail shop or people who work in a bank -- have access to or can easily get access to a consumer's personal information," said Susan Grant, executive director of the National Association of Consumer Agency Administrators.

She offers a simple piece of advice to people who are being asked for personal information online: Get a phone number and tell them you will call back.

Grant, whose organization represents government consumer groups across the country, says cyberfraud is becoming a bigger problem, and many of the scams being played out have a familiar ring.

Some of the same solicitations found on the Internet, such as advertisements for bogus jobs, credit repair and get rich quick schemes, are also seen in print advertising.

But the new frontier of the Internet is expected to create opportunities for new types of fraud.

"It's something that everyone's watching very closely to see what kinds of things are going on," Grant said. "It's kind of like the Wild West."

ON THE INTERNET: Visit ConnecT-U, the World Wide Web site of The Florida Times-Union. Point your browser to http://www.times-union.com

[TELECOM Digest Editor's Note: Persons who were defrauded in this way while online with AOL should bring suit against AOL since the persons involved were (or still are, as noted above in one case!) employees of the service. Furthermore, it is reasonable to assume that unless/ until AOL makes a full public statement about this (so far there has been none from the company that I am aware of) new users to AOL should be extremely careful about giving out any financial information at any point to the company -- even in the signup process -- unless they wish to risk the possible misuse of their credit card and other banking information.

This is the very same AOL which was actively involved in the kiddie porn operation the United States Customs Service operates in south Florida and the very same AOL which now admits they monitor private conversations between users (see most recent issue of Computer Privacy Digest, moderated by Leonard Levine for details) in private rooms they consider likely places for 'illegal' activities. It is pointed out in that article that if you so much as even visit one of those rooms and see what they are talking about you get a threatening letter from AOL and cancellation of your account. You don't have to speak up in those rooms or engage in anything illegal. I assume moving your mouse pointer accidentally to that line and clicking is good enough. This is the very same AOL which, after you cancel your membership goes ahead and puts through another charge on your credit card the month following. If you catch it and complain, 'it was all a mistake'. Aren't they really something special! Where VISA and Master Card are concerned, if a merchant or the merchant's employees engage in credit card fraud -- especially in a 'no signature on file' context -- VISA/MC are quick to cancel the merchant's account. There are some completely honest people trying to do business on the World Wide Web that no matter how hard they try they cannot get VISA/MC merchant status, so picky are the card issuers about potential fraud when no signature on file merchandise orders are the norm. AOL is starting to leave a very bad taste in my mouth, and I don't think I am alone. PAT]

AOL staffers "didn't know"
Main menu