The most recent articles from Computeract!ve

New fraud reporting centre gets green light

Dinah Greek — 2008-10-09T10:30:00.000Z

Dinah Greek, Computeract!ve, Thursday 9 October 2008 at 10:30:00

Consumers get hotline to the police to report online frauds

Consumers will be able to report online fraud directly to a central police

organisation within months.

Reporting changes introduced last April mean consumers are meant to report

online crimes such as card and cheque fraud to their bank only. However a

new police unit, The National Fraud Reporting Centre, will take reports of

these and other online frauds, such as advanced fee scams, via a dedicated call centre.

How these reports will be handled afterwards will be the remit of another

new organisation, the National Fraud Intelligence Bureau (NFIB). This

organisation will multi-agency.

Reports say this body will decide where information received from the public should be directed within the UK's fraud-investigation forces.

The NFRC will be run by the City of London police and also liaise closely

with another new division, the Police Central E-crime unit (PCEU). This new unit

will be part of the Metropolitan Police.

However there are concerns that the PCEU will be overwhelmed by the task

facing it. It has only received £7m funding over three years.

Although the Home Office has admitted that the PCEU will not provide a single line of reporting for hi-tech crimes from the country’s 44 local forces, it still

has a huge range of responsibilities.

This funding has to cover working not only with the NFRC but also the

National Policing Improvement Agency (NPIA). With the NPIA it aims to help

identify how any e-crime reports, that are made to local forces are handled. It will also work with the NPIA to help train police officers to deal with cybercrimes more effectively.

With this wide remit, Gareth Elliott, policy adviser at the British Chambers of Commerce, said: " It is a step in the right direction but £7m does not seem like very much compared to the cost of cybercrime”; UK consumers lost £302m to card fraud alone in the first six months of this year according to Apacs, the UK’s payments association.

Despite the concerns about the PCEU’s funding, the British Banking Association, Get Safe Online and Apacs welcomed the new initiatives.

Tony Neate, Managing Director, Get Safe Online said “Get Safe Online welcomes the newly formed Police Central e-Crime Unit.

"We believe that any initiative aimed at tackling online fraud is a good idea and we will work alongside the unit and continue our job of educating the public on using

the internet safely.

“It is important that the UK stays one step ahead of internet crime and new initiatives are vital in achieving this.”

The Home Office admitted that “the finer details” of how the new police bodies will work together still have to be worked out. However trials of the NFRC will begin soon according to Metropolitan Police Service detective superintendent Charlie McMurdie. It and the PCEU will launch officially next year. Eventually it is hoped to add online reporting facilities for the NFRC as well as the call centre

Paypal to offer full refunds for fraudulent transactions

Dinah Greek — 2008-10-07T16:22:00.000Z

Dinah Greek, Computeract!ve, Tuesday 7 October 2008 at 16:22:00

Payment provider moves to boost consumer confidence

People using Paypal to buy goods on Ebay will be given a full refund, including postage costs, if they fall victim to fraudsters.

The payment service provider, which is owned by the auction site, has also removed rules capping refunds and stipulating the type of seller that has to be involved for buyers to qualify for a refund.

According to Carl Scheible, UK managing director of Paypal, the new improvements, which came into force on 30 September, have been “driven by user feedback”.

Under the payment provider’s original Buyer Protection scheme, consumers were protected up to a maximum of £500 per transaction from qualifying sellers – those who had received more than 50 feedback responses, of which 98 per cent had to be positive, and who were either a verified Premier or Business Paypal account. The maximum protection for buying from all other sellers was £150.

With more than 20 million users, the online auction site has become a haven for fraudsters; 4,500 crimes were committed on the auction site last year, according to figures released by 36 out of 52 police forces in the UK. However, the figure could be higher as some police forces were unable to supply statistics under the Freedom of Information Act.

Consumers wishing to make a claim must have used the 'Pay Now' buttons on Ebay or have associated the payment with the Ebay item number on the Paypal site.

People must also still raise the dispute within 45 days of payment and a claim must be made within 20 days of the dispute being raised.

To try and resolve the matter quickly, Paypal said it would continue to act as a mediator between the buyer and the seller. However, if matters could not be resolved this way, it would review the claim and decide on reimbursement.

The new protection does not cover 'intangible goods', such as airline tickets, or motor vehicles. Buyers using Paypal to fund purchases from other online retailers will not get the cover.

Also if a refund is refused, those using credit cards to make payments through Paypal will not be able to apply for a refund from their issuing bank. Section 75 of the Consumer Credit Act will not apply, according to payments association Apacs. This is because the consumer has brought a third party – Paypal – into the transaction.

Paypal has also brought in changes for sellers. Now all UK-registered Ebay sellers will be protected for transactions in all 190 countries supported by Paypal. (This protection has been available only to Ebay Powersellers.) Paypal is also removing the £3,250 annual protection limit for eligible claims.

New e-crime unit funding 'ridiculous'

Andrea-Marie Vassou — 2008-10-03T13:11:00.000Z

Andrea-Marie Vassou, Computeract!ve, Friday 3 October 2008 at 13:11:00

£7m funding for new police unit a "drop in the ocean", say experts

Security firms and business groups have criticised funding levels for the newly formed Police Central e-Crime Unit (PCeU), with one saying the Government is "setting itself up for ridicule".

The 3rd Man, Corporate IT Forum and the British Chambers of Commerce have criticised the £7m allowance, which they say is insufficient to tackle the problem of online fraud.

The PCeU was announced this week by the Home Office, and has been set up to coordinate law enforcement against all online crimes. This includes card not present (CNP) fraud, which the Government says accounts for more than 80 per cent of crime on the internet.

The unit will run in conjunction with the National Fraud Reporting Centre and the National Fraud Intelligence Bureau. It will receive £3.5m of Government funding and £3.9m from the Metropolitan Police Service over three years.

However, security firm the 3rd Man described this funding as a “drop in the ocean”.

Andrew Goodwill, director of the company, said: “The latest fraud figures show that the last amount of card fraud cost £180m and the fact the Government plans to combat this with £7m is ridiculous. It can’t expect to fund a crime unit with £7m."

“The Government is setting itself up for ridicule,” he added.

David Roberts, chief executive of the Corporate IT Forum, agreed, saying: " £7m over three years seems a very small sum for a very large problem."

"We doubt whether it will be enough to tackle an issue that the Home Office itself calls a global menace," he said.

Gareth Elliott, policy adviser at the British Chambers of Commerce, said: " It is a step in the right direction but £7m does not seem like very much compared to the cost of cybercrime".

However, the British Banking Association and the UK Payments Association, APACS, welcomed the new unit. Although neither body would comment on its funding, both said that any initiative to tackle online fraud was a “good idea”.

E-crime Minister Vernon Coaker said: "It is important that we stay one step ahead of criminals who increasingly use sophisticated computer networks and the internet to commit and facilitate crime.”

UK consumers duped into money laundering

Dinah Greek — 2008-09-26T15:34:00.000Z

Dinah Greek, Computeract!ve, Friday 26 September 2008 at 15:34:00

Opportunists are being turned into fraudsters by fake job ads

The number of adverts for ‘money mules’ appearing in UK situations vacant columns has risen by over 200 per cent in three years.

According to Apacs, in 2007, 1,462 fake recruitment ads were found, compared with 472 in 2005. The banking organisation has released guidance to help consumers avoid these scams because they are becoming increasingly sophisticated.

The fraudsters often pose as bona fide companies seeking employees to work from home, handling ‘orders’ and financial transactions. A lot of the ads appear on popular online recruitment sites such as Gumtree and monster.co.uk.

Computeractive also found household names such as Costa Coffee were used by the criminals to give the adverts legitimacy.

Andrew Goodwill, director of the fraud prevention specialist firm 3rd Man group, said he was not surprised at the growth in the number of these fake ads.

“I started issuing warnings about this two years ago. With the economic climate we are entering, I expect to see a large increase in this activity,” he said.

A 'money mule' is someone recruited by fraudsters needing to transfer money from one country to another. The criminals recruit gullible or greedy people in order to launder funds through their bank accounts.

After the money goes into the mule's account he or she withdraws the funds, takes a commission and transfers the balance back overseas using a wire transfer service. However, the funds the mule receives have been stolen from other people's bank accounts or credit cards, or the cheques sent are fake.

So once they have transferred the funds back out of their account, the mules find they are out of pocket and in debt to their bank.

Computeractive investigated this problem back in September 2007 after Mr Goodwill alerted us to the issue.

Although the fraudsters will email these job offers, working alongside Mr Goodwill we found many of the popular free classified advert websites were littered with these spoof job vacancies.

A typical ad could read as a job vacancy seeking a 'UK representative', ‘financial manager' or 'sales manager’. Many used legitimate company names as a smoke screen.

To test how well the owners of these sites monitored for fraudulent ads, Mr Goodwill placed a spoof advert on the website adzozok.

Entitled 'work from home by becoming a money mule', he waited to see if the ad would be taken down.

“Despite repeatedly advising Trinity media group, the publishers of this site, the spoof job ad remained live for weeks. The owners and operators of these job websites have a social responsibility to make sure they protect the public; some will know what they are getting into, others won't because many of these ads pretend to come from legitimate companies," he said.

He also warned of a new twist in the tale; people are also being asked to take in parcels. The fraudsters then arrange to have these picked up or the ‘employee’ send them on to other addresses. However, these goods have been bought with stolen credit card details.

Not only are people risking having their bank accounts drained, they are also party to the fraud.

“The law states quite clearly that ignorance is no defence, so I urge anyone who is thinking about taking this type of employment to make sure they are not going to become a mule,” Mr Goodwill said.

Apacs' advice to consumers is:

• Be cautious about any unsolicited offers or opportunities offering you the chance to make some easy money.

• Be especially wary of offers from people or companies overseas as it is harder for you to find out if they really are who they say they are.

• Take steps to verify any company which makes you a job offer and check their contact details (address, phone number, email address and website) are correct and whether they are registered in the UK.

• Never give your bank details to anyone unless you know and trust them.

Sandra Quinn, director of communications at Apacs, said: “Anyone who has disclosed their bank account details or received funds into their account for what they think could be a money mule scam should contact their bank immediately.”

Second-hand gadgets pose data security risk

Dinah Greek — 2008-09-25T15:28:00.000Z

Dinah Greek, Computeract!ve, Thursday 25 September 2008 at 15:28:00

Sensitive information left on mobile devices could be used by criminals

Around one in five mobile phones and PDAs bought second-hand still contain sensitive information that could be used by criminals.

Researchers from BT, the University of Glamorgan in Wales and Edith Cowan University in Australia bought 161 used gadgets from various places, including Ebay.

These everyday items now contain sophisticated digital memory capable of storing huge amounts of sensitive data. Personal information about the previous owners or the companies they worked for was found on 43 per cent of the items examined.

This included data such as bank account or personal medical details or important company data. Using commercially available software, the researchers were able to extract enough information from the simplest mobile phones to identify the phone’s previous owner and employer.

In the wrong hands, this poses a significant threat to both the individual and their employer. Organisations that had donated some of the devices had also failed to meet their statutory, regulatory and legal obligations.

Dr Andy Jones, head of information security research at BT, who led the survey, said: “Given the level of exposure that the subject of security and identity theft has recently received, and the availability of suitable tools to ensure the safe disposal of information, it is difficult to understand why organisations are not taking the necessary precautions when disposing of handheld devices.”

Many large organisations currently dispose of obsolete handheld devices by donating them to charities.

It was discovered during the course of the research that a number of these charities then pass on a large percentage of these devices to places like China and Nigeria; both of which are regarded as posing a real threat to the security of information.

The devices containing the greatest volume of information were discarded Blackberry devices, which in a number of cases were left unprotected, despite having security features such as encryption built in.

In one example, a Blackberry was examined that had been used by the sales director for Europe, the Middle East and Africa of a major Japanese corporation.

It was possible to recover the call history, the address book, the diary and the messages from the device. Among the information that these provided the researchers were able to read the business plan of the organisation for the next period and customer details.

The sales director’s personal details were also recovered including details of their children, their occupations, movements, his dental and medical care provider, plus bank details; even the make of his car and registration.

Criminals keep PCs under surveillance

Dinah Greek — 2008-09-24T16:03:00.000Z

Dinah Greek, Computeract!ve, Wednesday 24 September 2008 at 16:03:00

Attacks on PCs launched with military precision

Cyber-criminals are carrying out reconnaissance missions on PCs so they can specifically target their victims.

According to security company Prevx, when hackers find a computer that is vulnerable to attack, they download a small piece of malicious software called a downloader. This will initially ‘sniff’ around the victim’s PC, looking at files to analyse.

A demonstration by former hacker Jacques Erasmus, who now works for Prevx, showed graphically how this downloader, of about 1-2kb in size, can set the stage for cyber-criminals to wreak havoc.

"The criminals are taking it to the next level in terms of sophistication," he said.

The downloader can find out which operating system and security software the victim is using. And by identifying the IP address, the software can find out which country the victim lives in, the language used and their internet service provider. It will also look for other vulnerabilities in third-party applications, such as Quicktime, that the criminals can exploit.

Once the analysis is over, the information is sent back to the servers used by the criminals controlling the attack. They can then tweak malicious software such as keystroke loggers and Trojans and download the ones that will work best for them on the compromised PC.

From here on the PC belongs to the criminal and can be used to carry out a variety of attacks and if possible shut down the security software. This software is often what is called polymorphic – it will continually change its ‘signature’ as it tries to outwit security programs.

Personal information, such as bank details, passwords and dates of birth, is gathered by the criminals and can be used for identity theft and to drain bank accounts. The original attackers often use it themselves as well as selling it on to other criminals.

Ed Gibson, a former FBI special agent and now Microsoft's chief security advisor, said people should remember that the criminals are after people's money.

"It's about blackmail and extortion. It's as simple as that," he said.

The hijacked PC will also most likely become part of a botnet. Other criminals can buy the use of a botnet by the hour for further criminal activities such as launching denial of service attacks, sending out spam or distribute more malicious software.

Jacques Erasmus said the criminals have even developed a Trojan that will control a PC’s webcam if it is switched on. Once installed the hacker can stream live pictures from victim's PC back to who ever is controlling it.

Card fraud factory raided

Dinah Greek — 2008-08-13T12:53:00.000Z

Dinah Greek, Computeract!ve, Wednesday 13 August 2008 at 12:53:00

Devices for stealing Chip and PIN card details found by police

Fraudsters have found a way to tamper with retailers’ Chip and PIN readers and steal credit card details, including people’s PINs.

This development could make it harder for people to persuade their bank that they have not been negligent with their PIN but are in fact fraud victims.

The sophisticated operation was uncovered after police raided premises in Birmingham and found equipment needed to steal card details and make counterfeit cards on a massive scale.

A police unit, the Dedicated Cheque and Plastic Crime Unit (DCPCU), said it had found a factory-style setup. Stolen Chip and PIN terminals, card account numbers, a card reader/writer, computer software and fake magnetic stripe cards were taken from the premises.

The DCPCU comprises officers from the Metropolitan and City of London police forces who work alongside banking industry fraud investigators. They tackle cheque and card fraud crime in the UK and said early indications are that these criminals have been tampering with retailers’ Chip and PIN terminals.

A device is put inside the terminals, which can then unscramble information, including transaction data and PINs held by a card. This information is stored by the device until the criminals come back to remove them. It is believed to be the first evidence of a breach of the encryption in a chip and PIN card being broken.

Andrew Goodwill of anti fraud specialists, The Third Man said. "Everyone in the credit card industry knew that this day would arrive, and expected this serious compromise to have happen before now.”

Apacs said the cloned cards could not be used at UK Chip and PIN cash machines or in shops using the system. However, the banking organisation said the details would have been used to create fake magnetic stripe cards that can be used fraudulently in countries that have yet to roll out Chip and PIN. It said cloned cards could be on the streets within hours of the details being stolen.

This type of fraud – known as fraud abroad – increased 77 per cent last year, totalling £207.6m.

Two people were arrested last night in connection with the raid and charged with conspiracy to defraud. Alerts have also been sent to thousands of retailers asking them to inspect their Chip and PIN terminals.

Detective Chief Inspector John Folan, who heads the DCPCU, said: “These arrests are a significant development in our fight against the organised criminal gangs responsible for this type of fraud.

It is not known how many retailers have been targeted but it is thought that many if these devices are coming in from Eastern Europe.

“To date, compromised Chip and PIN terminals have been found in less than 30 retail outlets throughout the UK. Together with the banking and retail industries we are working to ensure this figure is minimised.

“We are sending a very clear warning to fraudsters these crimes will not be tolerated, and that we will continue to target them and disrupt their fraudulent activity."

Andrew Goodwill said consumers should limit their exposure to this crime as much as possible.

"One way would be to use credit not debit cards, as if the card details are compromised the fraudster can only steal the bank's money. By using a debit card a fraudster can clean out your bank account in a matter of minuets.

"It can take anything from 3 to 4 months for a bank to compensate you if your debit card is compromised. In the meantime you will have your bills to pay," he said.

Spam levels continue to rise

Dinah Greek — 2008-08-07T15:20:00.000Z

Dinah Greek, Computeract!ve, Thursday 7 August 2008 at 15:20:00

Most junk email arriving in British inboxes is sent from the UK

Spam sent to UK internet users has nearly quadrupled since the beginning of the year, and most of it was sent from within the UK.

According to Clearmymail, which develops spam filtering software, the UK is first in the list of the top 10 countries sending spam to UK email accounts.

However, these are not home-grown spammers; they are from the US, Russia and China.

The spammers are hijacking PCs and web servers in the UK used to host websites, and then using these as mail servers to send out spam.

Dan Field, Clearmymail’s managing director, said this was a worrying trend.

“The spammers are launching more sophisticated and cleverly targeted attacks. To make these attacks more ‘local’ they are finding vulnerabilities in websites, using these to infiltrate the hosting servers and sending spam through these," he said.

"There is also the problem of botnets; we have seen a huge upturn in the last three months. People are still not updating their security regularly, so malicious software in spam can infect their PCs.

"But another problem for computer users is many attacks are going under the radar. They are not mass attacks and this means security software programs may not have developed the protection until it is too late for some people."

The report showed that on average 30,846 spam emails were blocked per customer in the second quarter of 2008, compared to just 8,156 emails blocked per customer in the first quarter of the same year. The company said the number of spam emails it had blocked increased to approximately 22,690 spam emails in just three months.

These emails show that phishing attacks are increasing, with the Royal Bank of Scotland appearing to be the main company targeted by phishing attacks. Orange customers received the highest percentage of spam of any internet serv ice provider the company surveyed.

Although the UK is now the number one culprit, the USA is still highly ranked at number two. UK internet users are also getting more spam from European countries.

“These statistics are becoming increasingly worrying and for the average amount of spam blocked per person to have nearly quadrupled in the last three months suggests that action desperately needs to be taken,” said Mr Field.

US cracks 'largest ever' ID theft ring

Dinah Greek — 2008-08-06T15:04:00.000Z

Dinah Greek, Computeract!ve, Wednesday 6 August 2008 at 15:04:00

Gang allegedly stole millions of dollars using 40 million stolen credit and debit card numbers

Eleven people, one a US secret service informant, have been indicted by the US Department of Justice (DoJ), in what is thought to be the largest ever case of online credit and debit card fraud.

The defendants are three US citizens, three Ukrainians, two Chinese, an Estonian and a Belorussian, and one individual only known by an online alias.

The accused are alleged to have hacked into the computer networks of nine major US retailers, including TJ Maxx (known as TK Maxx in the UK) and stolen the details of more than 40 million credit and debit cards before using them to siphon off millions of dollars.

It is believed that they managed to hack the wireless computer networks by what is called 'wardriving' – driving around looking for vulnerabilities in wireless networks.

According to the DoJ, once inside the networks the gang installed 'sniffer' programs. These captured card numbers as well as password and account information. The ring then used encrypted computer servers that they controlled in Eastern Europe and the United States to store the information.

The stolen numbers were 'cashed out' by encoding card numbers on the magnetic strips of blank cards. The defendants then used these cards to withdraw tens of thousands of dollars at a time from cash machines.

It is alleged that some of the credit and debit card numbers were also sold on to other criminals in the US and Eastern Europe via the internet. The gang was able to conceal and launder the proceeds of the crimes by using anonymous internet-based currencies in the US and abroad.

An indictment has been brought against Albert 'Segvec' Gonzalez of Miami, the alleged ringleader of the gang. He will face charges of computer fraud, wire fraud, access device fraud, aggravated identity theft and conspiracy before a Boston grand jury.

The grand jury has also brought related charges against Christopher Scott and Damon Patrick Toey, also of Miami.

A San Diego grand jury has indicted alleged participants Maksym 'Maksik' Yastremskiy, of Kharkov, Ukraine, Aleksandr 'Jonny Hell' Suvorov, of Sillamae, Estonia, Hung-Ming Chiu and Zhi Zhi Wang, both of the People's Republic of China, and a person known only by the online nickname 'Delpiero'.

Because of the size and scope of his crimes, the DoJ said Gonzalez, who is in custody in New York, faces a maximum penalty of life in prison if he is convicted of all the charges.

Lords committee calls for shake up on internet protection

Dinah Greek — 2008-07-09T17:33:00.000Z

Dinah Greek, Computeract!ve, Wednesday 9 July 2008 at 17:33:00

Says hand back powers to the police for reporting e-crimes

Peers have said the public must be given more protection against cyber-crime and victims should be able to report such crimes directly to the police.

In its follow on report on Personal Internet Security, the House of Lords Science and Technology Committee also called for legislation to ensure banks cover customer losses incurred through e-crimes and for the introduction of a data breach notification law.

This is not the first time the committee has called for a reversal of the reporting rules and a shake-up of internet security. However, the Government ignored the recommendations when they were first published last year.

The committee, which roundly condemned the Government for this, said it had “at last started to take the risks seriously”. But it expressed regret that "a level of indifference on the part of the Government has now been dispelled only as a result of recent incidents involving serious losses of personal data".

However, the Lords now want the Government to go much further. Specifically they want a reversal of the reporting rules for the public brought in on 1 April 2007. This would mean that members of the public could report e-crime directly to the police rather than through their bank.

The committee pointed out that under the current arrangements, banks may have a commercial incentive not to pass a report to the police. Certainly if 200 people report they are victims of the same scam online, if reported to the police by the bank it is only reported as one crime

Victims of e-crime are also told that they are not actually victims; this status would be given to the bank or the retailer. However, the committee wants to make it easier for consumers to get banks to cover their losses and was not satisfied with the Government's position that the Banking Code offers enough protection for customers.

The committee had received evidence that where a PIN or password is used in an online fraud banks often refuse to refund customers, claiming they must have been negligent or complicit in the fraud. The committee was also told the Financial Services Ombudsman and the courts do not offer an adequate method of redress for customers whose banks refuse to cover their losses.

The third major recommendation was a call for organisations to be able to inform the public about losses of personal data.

Zavvi Direct customers still waiting on refunds

Dinah Greek — 2008-07-02T17:07:00.000Z

Dinah Greek, Computeract!ve, Wednesday 2 July 2008 at 17:07:00

Sussex Police investigate suspected fraud by online retailer

Some customers of Zavvi Direct are still being refused refunds despite investigations by police into suspected fraud by the people who ran the site.

This is despite the fact that, if it is fraud, most people, even if they used a debit card, should be protected by the Banking Code of Practice.

Computeractive reader Matt Parkhouse told us: "My bank are saying as I used my debit card and authorised the payment, they won't credit me."

We began investigating Zavvi Direct three weeks ago following a reader complaint. We found a disturbing level of sophistication in the way this suspected scam had been set up.

The site, which went live on 4 June, had fooled more than 2,500 people into thinking they were dealing with the high street retailer, Zavvi – formerly Virgin Megastores.

Tony Burman told us: "Like a fool I too ordered a Wii Console and a Wii Fit package totalling £229.98. The old saying 'There’s one born every minute' is ringing in my ears."

But Mr Burman wasn't alone – nearly everyone that went to the site found it so convincing that it netted orders for Wii Fits and other devices worth more than £200,000 before the the site was taken down on 13 June. This was carried out by the webhosting company, uk192.com, after it was warned by Zavvi's lawyers that the site was guilty of trademark infringement.

Although Zavvi Direct had been registered at Companies House on 6 February this year, with a Paul Clayton of Hove listed as director, Mr Clayton denied he had any involvement.

His solicitors, Thomson Snell and Passmore, gave us this statement last week: “We have been instructed by Mr Paul Clayton. His details have been fraudulently given to Companies House as a director of a company called Zavvi Direct Limited. Our client has been the victim of identity theft and fraud.”

To complicate matters further, we also discovered a possible link between Zavvi Direct and a scam investigated by Kent Police last year. That fraud involved a company calling itself Best Sports World (BSW). We found that Zavvi Direct had used BSW terms and conditions on a sister site, ZavviSports.co.uk. BSW had also registered itself at Companies House. Again the men listed as directors claimed identity theft.

Although we managed to contact a man calling himself Simon Bishop at Zavvi Direct on a mobile phone number, the phonelines are now dead or go to voicemail and the offices at 20 Old Steine, Brighton are empty.

The Economic Crime (Fraud) Unit of Sussex Police in Brighton have now begun interviewing people whose names have been linked to the company and to its office address. It is not yet known who is behind the site or if police can trace them.

If this is officially proved to be a case of fraud, although it may take the banks some time to untangle the mess, most people should get a refund.

Computeractive has learned that around £50,000 from the company’s Abbey National business account has been frozen. We also discovered that the acquiring bank, which gave Zavvi Direct its merchant credit facilities, had frozen funds in a holding account used for online payments.

Apacs, the payment organisation, said people should also be covered by the Banking Code of Practice. This voluntary code gives bank account holders protection in cases of fraud, no matter what type of card they used.

Police seize thousands from suspect company

Dinah Greek — 2008-06-27T17:44:00.000Z

Dinah Greek, Computeract!ve, Friday 27 June 2008 at 17:44:00

Customers still without Zavvi Direct orders and turning to their banks for refunds

Police have seized around £50,000 from the Abbey National business account of suspected scam website Zavvi Direct.

Further funds have been frozen in a holding account but it is not known where another £24,000 in payments, made via mobile phones, has gone.

With no orders currently fulfilled, people are now anxiously applying for refunds from their banks.

Computeractive began investigating the site two weeks ago after being contacted by a worried reader.

We found that the site, which went live on 4 June, had fooled people into thinking it was run by Zavvi, formerly Virgin Megastores.

Our investigations discovered that Zavvi Direct had taken over 2,500 orders, mainly for the hard-to-get Wii Fits but also other devices such as iPods, before the webhosting company took the site down on 13 June for trademark infringement.

However, the company was still sending out emails and occasionally answering a mobile phone number, telling people that it would have stock on Friday 20 June. It said people who had placed orders would receive their goods between four to five days after this. We got through on the mobile number given and a Simon Bishop confirmed this but we continued with our investigations.

We found that the company had been registered at Companies House on 6 February this year. Current appointments filed at Companies House on 18 June listed a Paul Clayton and a Stephen McClelland, both of Hove, as director and company secretary respectively.

We contacted the Paul Clayton listed but Mr Clayton told us he had no links or involvement with the company. Today his solicitors, Thomson Snell and Passmore, released this statement:

“We have been instructed by Mr Paul Clayton. His details have been fraudulently given to Companies House as a director of a company called Zavvi Direct Limited.

“Our client has been the victim of identity theft and fraud.

“Our client has no connection whatsoever with Zavvi Direct Limited of 20 Old Steine, Brighton, East Sussex BN1 1EL.

“The Paul Clayton referred to on the website operated by Zavvi Direct Limited has no connection with our client. He has had no contact with Zavvi Entertainment Limited and is not connected in any way with that company either.

“In the event that there are any further queries concerning our client, they should be addressed to Martin Varley, a partner of this firm, on +44 (0)1892 510 000.”

During our investigation we also found a link between Zavvi Direct and a scam run in Kent last year. This involved an online site selling sports gear called Best Sports World. Like Zavvi Direct, it was registered as a company at Companies House.

However, when police investigated they found that the men listed as company directors had nothing to do with the site. Kent Trading Standards told us that the police found the fraudsters had stolen the men’s personal details to set up the company and make it look legitimate.

Ben Parsons, a reporter from The Argus, Brighton’s local newspaper, also rang us to say that he had gone around to Suite 16, Pavilion Business Centre, 20 Old Steine, the address given by Zavvi Direct as its business offices, only to find the offices empty and locked up.

No one has had their order fulfilled and Brighton CID is investigating this company. We have given the police all the information we have gathered during our investigation. They are also liaising with Kent police about a possible link to the Best Sports World scam.

Refund hope for Zavvi Direct customers

Dinah Greek — 2008-06-24T16:35:00.000Z

Dinah Greek, Computeract!ve, Tuesday 24 June 2008 at 16:35:00

Brighton police investigating online retailer

Many people who shopped with Zavvi Direct may not have lost their money, Computeractive has learned.

Payment services provider Protx told us that from 8 June, no money from orders has been paid into Zavvi Direct’s business account. This freeze initiated by the acquiring bank means that the money is now in a holding account.

This should mean that refunds can be made to people who placed orders from 8 June onwards.

Suspicions about the company were first raised after Protx had received six complaints on the 6 and 7 June; just three days after Zavvi Direct began trading. Protx raised then escalated these complaints and raised its concerns with the acquiring bank.

“This automatically put a freeze on the account. Although orders could still be placed no money would go into Zavvi Direct’s business account,” a Protx representative said.

He also said that Zavvi Direct should have been aware of this freeze.

Although Zavvi Direct said it would be receiving stock of the Wii Fits on 20 June and people had been told to wait four to five working days to get their order, Computeractive has also learned that the company has not fulfilled orders for less scarce goods, such as iPods.

People who placed orders and do not receive these should contact their card issuer and explain the circumstances; this allows their bank to issue a chargeback mandating Zavvi Direct’s acquiring bank to issue refunds to a card holder’s account.

Brighton police have now begun an investigation into the company. They will interview a number of people believed to have links with the company; including Paul Clayton, who is registered as the company director at Companies House, and the registered company secretary Steven McClelland, both of Hove.

Police ignoring e-crime victims

Dinah Greek — 2008-06-20T15:40:00.000Z

Dinah Greek, Computeract!ve, Friday 20 June 2008 at 15:40:00

'E-victims' left to fend for themselves, says not-for-profit organisation

Police are ignoring victims of online fraud, according to a community group set up to help members of the public who have suffered cyber-crime.

The not-for-profit E-Victims organisation said that since it launched its website six months ago, it has received consistent reports that people who been victims of cyber-crime are being disregarded by the police and other authorities.

Jennifer Perry, the organisation’s communications director, said the Government is “stubbornly” refusing to deal with the issue.

“Cyber-crime is being ignored by the Government, and the low priority that it puts on this problem filters down to the law-enforcement agencies and other authorities. The police just tell people they don’t have the resources or expertise to handle online crime,” she said.

Although some police forces do try to help members of the public, others just ignore victims of e-crime. The situation has not been helped by changes made last April to the reporting laws. Now, instead of contacting the police for a crime reference number, people who have suffered cheque or card fraud online are now only expected to report this to the banks.

“This, of course, has an impact on the crime figures. Say 200 people have been scammed by someone online, if this is reported to the police for investigation it is considered one crime; not 200,” she said.

Mrs Perry also pointed out how difficult it is for people to get their money back.

“People assume all victims get their money back and it isn’t a big deal. Well it is. It can take up to three months and people are put through a lot of stress. Increasingly some banks are not refunding victims, saying it has been their fault.

"When you’re mugged or burgled the police are there to help. E-victims should be treated with same respect. E-crime is not a virtual crime and victim of a crime should be able to report it to the police,” she said.

The E-Victims Organisation provides clear and practical information for victims of e-crime and other online problems.

Cyber criminals find loophole in verification system

Dinah Greek — 2008-06-11T15:41:00.000Z

Dinah Greek, Computeract!ve, Wednesday 11 June 2008 at 15:41:00

Crooks change card holder addresses to make transactions look genuine

Fraudsters have hijacked a system designed to help protect retailers and consumers from credit card fraud, according to fraud protection specialists the 3rd Man.

The company claims that a serious flaw in the Address Verification System (AVS) used by retailers to check the identity and billing address of a card holder allows fraudsters to fake verification.

AVS is often used by internet retailers to check that the billing address the credit card holder gives matches the address on file at the credit card company.

It works by matching the house number and postcode numbers for each card issued. For example, 43 Crooks Close, B10 7GB would result in an AVS number of 43107.

But a 3rd Man investigator discovered that criminals are getting around this check to make fraudulent transactions look genuine.

Andrew Goodwill, director and fraud expert at the 3rd Man, said that fraudsters are compromising and using card details where the genuine cardholder’s address numerals exactly match the address they want delivery to.

“So, not only are they obtaining goods fraudulently, they have them delivered to their chosen address,” he said.

He told Computeractive that the company was initially seeing upwards of 50 fraudulent transactions in a day by criminals who had cottoned on to this loophole. However, Mr Goodwill warned that the the volume of these fraudulent transactions was bound to rise.

“This is serious. It is likely we will soon see this as the biggest problem during the last 20 years regarding card fraud. Fraudsters are starting to exploit the loophole in significant volume. Retailers relying on AVS, or where a retailer will only deliver to the billing address, are facing a potentially huge risk,” he said.

Mr Goodwill also told us that the fraudsters can also compromise the bank’s fraud prevention technologies, Verified by Visa or Mastercard Securecode.

“Criminals are also checking to see if the cardholder has registered their card with either of these security methods. If they haven’t then the fraudster registers the card details using a password of their choice, making it even harder for the retailer to know the card is being used fraudulently.

APACS, the payment industry body said it didn’t dispute the 3rd Man’s findings or that it was possible but said neither it nor the police had evidence that this fraud was happening.

“It is a rather complex way of getting a delivery address and we wonder if criminals would go to those lengths; they prefer easier ways of committing fraud.

"We have had discussions with the 3rd Man and police about criminals using this way of committing fraud. But retailers should never rely on one method of verification,” an Apacs representative said.