Insidious

So my little independent ISP got bought by a honking big ISP, and the customer service mostly went away, and then the honking big ISP got bought by an even bigger honking ISP.

And they stopped charging me for ISP services.

Cool, you say?

Oh, come on. I am a product of the Protestant Guilt Ethic. I can’t help it. When I realized I hadn’t gotten a bill for a couple of months (it was supposed to get paid automagically so I wouldn’t have to pay attention to it; consequently it took me a while to pay attention to it), I called their attention to the fact that I owed them money and they deigned to allow me to set up a way to pay them.

It remains unclear whether they stopped charging me for ISP services because of the successive buy-outs or because my credit card company sold itself to a big honking bank which proceeded to cancel my credit card (which I’d had for fifteen years) and re-issue one from their bank, more or less simultaneously, without any warning, so that when I tried to pay for two dollars’ worth of stamps at the Post Office, my card got declined and I looked like a deadbeat. (Why, you ask, did I pay for $2.00 worth of stamps with a credit card? It beats the hell out of me why the PO prefers to get paid for even small charges with plastic, but it does.)

Anyway, if I’d been in Outer Mongolia, I’d’ve been SOL. (Assuming you can pay for anything with a credit card in Outer Mongolia.)

In the meantime, my bank (Washington Mutual) shot itself in the foot bigtime and ended up being owned by another big honking bank, which turns out to be the same big honking bank that my credit card company sold itself to.

Sigh.

So when my ISP and my domain hosting service (different companies) simultaneously said they weren’t getting paid, I figured it was another Three-Credit-Card-Monte ™ screw-up.

As it happens, though, there is such a thing as coincidence, and the two situations were entirely unconnected.

The domain hosting situation was easily cleared up (thanks to SFF Net tech support [they never sleep], who noticed that I’d updated info in one place but not in another, and fixed it).

The ISP situation, not so easy.

Flashback: A week or so ago my phone rang. I usually answer the phone if a human being calls and follows the instructions. What’s so hard about “Leave me your name, leave me your number, leave me a good time to call”? If I’m not home to get the phone, at least you’d have a decent chance of getting me to call back.

“Hello? Hello? HELLO?!” doesn’t cut it.

Nor does an automated robovoice that sounds entirely like a cheesy attempt at the phone version of email phishing. “We’ve detected FRAUD! Call us IMMEDIATELY! Send this warning to everybody you know or you’re all going to DIEEE!”

Or words to that effect.

I got a couple of those a week or so ago.

They didn’t even sound like Stephen Hawking. (The public library’s phone robovoice, letting you know your books on hold had arrived, used to sound like Stephen Hawking’s computer voice. Now they use email, which is probably more efficient but you don’t get to say, “Professor Hawking says my books are here.”)

Also, my bank never uses the phone. They send me email.

Or anyway they used to.

I ignored the robocalls.

(See above, “cheesy attempt at the phone version of email phishing.”)

So when the ISP told me their request for payment to the debit card had been declined, I didn’t think “Eek! I should have answered that cheesy phone call!”

I thought, Oh, crap, another damned screw-up.

So I logged on to the bank’s website… and waited, and waited and waited for the site to respond, and waited and waited and waited for the inbox to appear — was it always as slow as this? — and found that indeed there was a note about possibly fraudulent charges to my debit card.

Which they hadn’t emailed me about.

So I wouldn’t know about the message unless I logged on to the site and looked at the inbox (which I don’t usually do because, see above, “they send me email”).

So I looked at my account: nothing in it looked the least bit suspicious. Virtually every entry in it was a bill payment that had been chugging along automagically for months, if not years.

So I gave up and called the number they told me to call to talk to somebody about fraud charges.

Yeah, you see it coming. I went through the whole routine with the perfectly nice guy on the other side of the fraud division’s phone number (and on the other side of the world), at the end of which recital he said, “I’ll have to transfer you to the fraud division.”

Double sigh.

Repeat all information, wondering if this time I actually was connected to the fraud division.

By this time I had spelled my name four times, not just twice, because nobody, on this side of the world or the other, believes there’s a name as weird as Vonda, and nobody can spell it. (And if the phone banks were in Eastern Europe they still wouldn’t be able to spell it because in Eastern Europe it’s spelled Wanda.)

But now we’re getting somewhere, because the fraud guy reads off three charges that aren’t in my account, from outfits I never heard of, that I have no clue where the charges came from, that I have no idea what they’re for. Not to mention that I didn’t go anywhere, including shopping, on the day of the charges, and I almost never use that particular piece of plastic for casual purchases anyway.

I was mildly annoyed that there was no way to go online and see the charges, because if there were I’d’ve been aware of them a week ago and my ISP wouldn’t be yelling at me that they haven’t been paid.

But here’s the insidious part.

The charges weren’t in the WTF?! range. They were in the “that looks weird — I’ll have to check it out when I get a spare minute” range — $3.95, $4.95, $12.49. If I used my debit card a whole lot, I might overlook a charge like that, or forget to check it.

On the other hand, like most crooks, these guys are stupid and greedy; I might overlook one minor charge, but three? On the same day? Two of whose 800 numbers lead to suspiciously similar companies, both of which make my scam antennae vibrate off their tiny little hinges?

Not bloody likely.

Not bloody likely that I’d sign up for a work-at-home scheme, either, and when I looked up the company names, which are designed to look like they’re associated with a major search engine — they aren’t — they turned out to be work-from-home schemes. When I googled the company names and phone numbers, up popped numerous sites full of complaints about the objects of my search (all three of which I suspect of being the same company), from folks who had fallen for the scam.

You’ve seen it in three of the last ten spams in your junkmail folder, hiding among the seven of ten that were Male Enhancement Products:

“Send us money and we’ll tell you the Sekrit Trick to getting rich
while working 1.3 hours/week in your very own home!”

The folks who had been taken in agreed to a charge of three or four or five bucks — and found their accounts charged, sometimes several times in the same day, for amounts approaching a hundred dollars per pop.

The complaints were pretty heartbreaking, as they clearly came from folks with few opportunities and less education, desperate for some way of surviving, ignoring what must have been their own internal warnings that it must be a scam. But, they said to themselves, what if it isn’t a scam? This is different from all those come-ons telling me I’ve won ten million Euros, or asking me to help smuggle three point five million dollars out of Kabul. They only want five bucks. It might be a better bet than the lottery.

(What isn’t a better bet than the lottery, but never mind…)

And then these folks got hit with a bunch of extra charges they hadn’t agreed to, and now are having trouble getting the charges removed from their accounts.

This isn’t my situation. My scam antennae are excellent (possibly too sensitive, given that I ignored the robovoice fraud call). I never heard of these crooks; the charges to my account are so clearly fraudulent that the bank never even posted them.

So the real question from my point of view is, how the heck did they get my card number?

Maybe they didn’t get it at all. Maybe they flooded the system with random numbers, hoping to get a few hits with each bank, the way spammers create millions of possible email addresses and flood the Internet with their sludge.

Would they have been detected if they’d charged my account once, instead of three times on the same day?

Insidious, stupid, and greedy.

What a combination.

— Vonda


LADeDeDa in Nature

“LADeDeDa,” by Ursula K. Le Guin and Vonda N. McIntyre, appears in the “Futures” column of the science journal Nature, in its 12 March 2009 issue. (Requires subscription.)

You can find The Moon and the Sun at Book View Cafe, where a new chapter is featured each Sunday. For print copies of The Moon and the Sun and my other SF novels, visit my website’s Basement Full of Books.

Comments

Insidious — 4 Comments

  1. Totally been there, done that with the ISP being bought so many times you no longer know who they are supposed to be anymore. Also been there, done that with getting my card number stolen. It sucks. Most phone reps nowadays are, I think, specially selected and trained to be as incompetent as possible.

    Re: the crooks. They have no reason to try random c-card numbers when real stolen card numbers are so easy to obtain. Basically, stolen card numbers (bought in bulk from hackers who run trojan farms) are now so cheap, that instead of using one to steal $1,000, the thieves are now more likely to use 1000 cards and steal $10 from each, increasing profits while reducing risk, because who’s going to go to the cops over $10?

    They steal the numbers from online merchants, obviously, and from banks. You can’t do anything about that. They also steal them from individuals, either through phishing schemes or through infecting personal computers with trojans. And that’s something within your control. Never access your bank from any computer except your own personal machine, and do everything you can to protect that from being infected by trojans. Good luck.

  2. Thanks. The safeguards you mention are all in place, and I seldom use that card for anything outside the bank, so it’s still puzzling where they might have stolen the number from.

    The phone guys weren’t incompetent at all — it was just irritating to be given a number for the fraud line and then to discover that I’d wasted my time and his because the number didn’t actually go to the fraud line; he had to transfer me and the next phone guy, at the fraud line, had to take all my information again.

    That is to say, where the phone number went was out of the hands of the folks who answer the phones.

    One assumes that the bank doesn’t want people calling the fraud line for any reason but discussing fraud… but since the bank both identified the fraud and asked me to call the fraud line, it seemed kind of strange that the number they gave me didn’t go to where the message said it would go.

    A friend of mine points out that being paranoid about using one’s credit card number on line is mildly silly, considering that it’s much easier to steal credit card receipts out of the trash. A lot of merchants have receipts that don’t show the whole number anymore, but some still do.

    The situation where one has given one’s number to a merchant and they use it for unauthorized charges (as happened to the folks I turned up on the Google search, but not to me, since I never had any dealings with the outfit(s?) making the fraudulent charges) sounds like it’s qualitatively different, and more difficult to resolve.

    Vonda

  3. Credit card fraud is a fine example of Darwinian evolutionary theory. It’s a continual arms race between the fraudsters and the credit card security people. And under the constant pressure, new and exotic features develop in the system — holograms on cards, the little black numbers on the back (which in theory keep merchants from reusing your number after you leave the stores). The card companies are perpetually balancing the ease of using the card versus the ease of hijacking a number. We consumers meanwhile wrestle with irritating problems like yours — at some point it becomes easier to just pay cash! And the predators, the fraudsters, are perpetually on the lookout for the weak cards or the weak consumers at the fringes of the herd.