April 01, 2009, 8:14 PM — A telephone service designed to help deaf and speech-impaired people communicate is being misused by fraudsters, a PayPal executive said Wednesday.
It's yet another development in what PayPal Senior Director of Risk Management Katherine Hutchison described as an "arms war" between criminals on one side, and the banks and merchants that are trying to stop them.
"The fraudsters found a huge vulnerability to be able to pretend that they're hearing or speech impaired in order to get their orders placed," she said, speaking at the Web 2.0 conference in San Francisco.
Such relay services have been around since 1993 and are mandated by the Americans with Disabilities Act, which requires U.S. telephone companies to provide a way for people with disabilities to communicate. To use them, the caller types a phone number and their message into a browser or an instant message, and an operator at the relay center calls the number and reads the message over the phone, relaying any response back to the caller.
Criminals have used the services to trick merchants into accepting orders placed with stolen credit card numbers, Hutchison said. "The telephone operator could actually realize that this is very likely to be fraud," Hutchison said. "They can be suspicious, but they are legally blocked from saying anything."
"So they call into a call center for a major retailer, doing a telephone order, knowing full well that most likely this is fraud," she added. "But their hands are tied."
Often these services can be accessed via the Web or instant message, giving criminals another way to reach merchants. This is important because in recent years antifraud detection systems have gotten pretty good at looking at the source of online transactions, using geolocation data to determine whether or not a purchase is likely to be legitimate. Sales to U.S. companies from IP addresses in Nigeria -- a common source of fraud -- are routinely blocked, for example.
"The next volley in the arms war is that you can no longer use IP geolocation as an indicator of fraud," Hutchison said. "Until now the fraudsters have been able to hide where they are coming from."
Relay services are just one of many ways that criminals hide their location. They can also use public computer terminals at coffee shops or libraries, or do online orders via proxy, using hacked computers.
Merchants aren't sitting still, though. They have been improving what's known as "behavior screening" techniques -- looking at buying patterns to decide whether or not a transaction seems legitimate. "Merchants have a really good sense of what's a normal order, and the fraudsters won't look normal to them," she said.
A normal consumer would not, for example, buy 10 computers at a time, or make purchase after purchase in quick succession.
Companies are also working on device fingerprinting and other data analysis techniques to separate the scammers from customers, Hutchison said.
Still, all of these techniques aren't going to help all the time people are using traditional credit cards for online commerce, according to another speaker at the show. They're just too easy to misuse, said Alex Stamos, cofounder of Isec Partners.
Sooner or later, online transactions will need to have some sort of cryptographic signature to ensure that the buyer is really who they claim to be. Relying on easy-to-get data like credit card numbers, addresses and expiration dates isn't going to cut it, said Stamos, whose company consults firms on Internet security vunlerabilities.
"We're going to have to end up with some kind of e-cash or smart card verification system," he said. "The credit card model is dead."
