Phone service for the deaf becomes a fraud tool
A telephone service designed to help deaf and speech-impaired people communicate is being misused by fraudsters, a PayPal executive said Wednesday.
It's yet another development in what PayPal Senior Director of Risk Management Katherine Hutchison described as an "arms war" between criminals on one side, and the banks and merchants that are trying to stop them.
"The fraudsters found a huge vulnerability to be able to pretend that they're hearing or speech impaired in order to get their orders placed," she said, speaking at the Web 2.0 conference in San Francisco.
Such relay services have been around since 1993 and are mandated by the Americans with Disabilities Act, which requires U.S. telephone companies to provide a way for people with disabilities to communicate. To use them, the caller types a phone number and their message into a browser or an instant message, and an operator at the relay center calls the number and reads the message over the phone, relaying any response back to the caller.
Criminals have used the services to trick merchants into accepting orders placed with stolen credit card numbers, Hutchison said. "The telephone operator could actually realize that this is very likely to be fraud," Hutchison said. "They can be suspicious, but they are legally blocked from saying anything."
"So they call into a call center for a major retailer, doing a telephone order, knowing full well that most likely this is fraud," she added. "But their hands are tied."
Often these services can be accessed via the Web or instant message, giving criminals another way to reach merchants. This is important because in recent years antifraud detection systems have gotten pretty good at looking at the source of online transactions, using geolocation data to determine whether or not a purchase is likely to be legitimate. Sales to U.S. companies from IP addresses in Nigeria -- a common source of fraud -- are routinely blocked, for example.
"The next volley in the arms war is that you can no longer use IP geolocation as an indicator of fraud," Hutchison said. "Until now the fraudsters have been able to hide where they are coming from."
Relay services are just one of many ways that criminals hide their location. They can also use public computer terminals at coffee shops or libraries, or do online orders via proxy, using hacked computers.
Sign up for ITworld's Daily newsletter
Follow ITworld on Twitter @IT_world
On Twitter now
security
Powered by TwitterOn Twitter now
security
Brian Proffitt
Microsoft/Novell: Breaking Down the Coupon Numbers
Esther Schindler
Drupal's Dries Buytaert on Building the Next Drupal
Tom Henderson
Top Ten General Operating Systems Rants
pasmith
PS3 motion controller delayed; goes up against Project Natal
sjvn
Neolithic Windows security hole alive and well in Windows 7
claird
Perl source code comparison makes for good reading
mikelgan
Cell phones don't create stress or interrupt much
Sandra Henry-Stocker
How to: The Unix Interview
Where Google Chrome security fails: the password
I heard mention that the Chrome OS will have some sort of encryption available a la bitlocker. If it's possible to encrypt personal data using another password or key, then it may have potential for very secure data.... And Ubuntu has an 'encrypt home directory' option, perhaps google should follow suit.
- Dann
Join the conversation here
Quick, practical advice for IT pros. Made fresh daily.
- Ubuntu advances: Why Ubuntu server installations will surge in 2010
- Social media marketing: How to make friends with benefits
- More...
Want to cash in on your IT savvy? Send your tip to tips@itworld.com. If we post it, we'll send you a $25 Amazon e-gift card.
