Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Crime Apple

A 24-Year-Old Scammed Apple 42 Times In 16 Different States 419

redletterdave (2493036) writes "Sharron Laverne Parrish Jr., 24, allegedly scammed Apple not once, but 42 times, cheating the company out of more than $300,000 — and his scam was breathtakingly simple. According to a Secret Service criminal complaint, Parrish allegedly visited Apple Stores and tried to buy products with four different debit cards, which were all closed by his respective financial institutions. When his debit card was inevitably declined by the Apple Store, he would protest and offer to call his bank — except, he wasn't really calling his bank. So he would allegedly offer the Apple Store employees a fake authorization code with a certain number of digits, which is normally provided by credit card issuers to create a record of the credit or debit override. But that's the problem with this system: as long as the number of digits is correct, the override code itself doesn't matter."
This discussion has been archived. No new comments can be posted.

A 24-Year-Old Scammed Apple 42 Times In 16 Different States

Comments Filter:
  • Wow ... (Score:3, Interesting)

    by gstoddart ( 321705 ) on Tuesday July 29, 2014 @10:10AM (#47557649) Homepage

    But that's the problem with this system: as long as the number of digits is correct, the override code itself doesn't matter.

    Who the hell came up with that idea?

    That's no security in any meaningful sense of the word.

    I'm betting some lobbyist made it so that the banks didn't really need to do anything concrete, just look like they were.

    If that's all that's required, the banks deserve to be getting ripped off.

    • Re:Wow ... (Score:5, Interesting)

      by Anonymous Coward on Tuesday July 29, 2014 @10:14AM (#47557695)

      Except they're not, Apple was. TFA states that since they accepted it even after it was denied, Apple's on the hook for it.

      • by Krojack ( 575051 )

        If the override code is submitted back to the bank and they accept it then it's on the bank not Apple.

        1. Run card... denied..
        2. Run card again with override code.. accepted..
        3. Leave store with items.

        • Re:Wow ... (Score:5, Insightful)

          by hawkinspeter ( 831501 ) on Tuesday July 29, 2014 @10:35AM (#47557923)
          As the bank didn't provide an override code and have no record of providing an override code, why should they accept liability?
          • Re: (Score:3, Insightful)

            by ddtmm ( 549094 )
            Seems to me Apple should have been the one calling for authentication, not the customer. Definitely Apple's err.
        • Re:Wow ... (Score:5, Informative)

          by Sockatume ( 732728 ) on Tuesday July 29, 2014 @10:35AM (#47557943)

          It's not a security code, it's a reference number. The transaction isn't formally authorised by the bank until the end of the day when they receive that reference number and tally it with the corresponding phone call from the retailer. *Then* the transaction is authorised. (Assuming said phone call included verbal authorisation of the transaction.)

          That the Apple Store didn't know this is how the system works means it was completely open to abuse.

    • Re:Wow ... (Score:5, Interesting)

      by netsavior ( 627338 ) on Tuesday July 29, 2014 @10:21AM (#47557767)
      The truth is that credit card interest is the highest profit gig in the whole world. Because of this, Visa/Mastercard and all the myriad banks that work with them have a vested interest in making credit/debit card purchases VERY EASY.
      Visa wakes up, takes a dump, then wipes its ass with $300,000 dollars. It is nothing compared to the billions they make in clearing fees alone.
      Vendors are not even allowed to do things like require an ID, (I know they do, but it is against the vendor agreement), even though it would make purchases a lot more secure, because EASY trumps everything, EASY makes billions. Secure override codes... Who cares?
      • Re:Wow ... (Score:5, Informative)

        by naughtynaughty ( 1154069 ) on Tuesday July 29, 2014 @10:58AM (#47558161)
        Visa/MC and the banks have security measures in place, merchants who follow the process aren't liable for loss from fraudulent cards. Asking for ID provides no additional protection to merchants and to the extent they rely on it instead of established Visa/MC processes it can lessen security. But you are correct that making customers spend an extra 30 secs digging out their ID and having some clerk eyeball it and hand it back is not easy and in fact that 30 secs times all the legitimate transactions is more costly than the RARE case of credit card fraud that could be prevented by asking for ID (which is easily circumvented). The problem here is not the authorization code but that Apple didn't follow the proper procedure of contacting the bank for an override code themselves. There is no need for a secure override code.
        • Re:Wow ... (Score:5, Informative)

          by Solandri ( 704621 ) on Tuesday July 29, 2014 @12:21PM (#47558905)

          Visa/MC and the banks have security measures in place, merchants who follow the process aren't liable for loss from fraudulent cards. Asking for ID provides no additional protection to merchants and to the extent they rely on it instead of established Visa/MC processes it can lessen security.

          The info on the ID is the security measures Visa/MC have in place. They allow a merchant to enter info like address or phone number, and their computers will tell the merchant whether or not it matches the address/phone they have on file for that card. When you pay for gas with a credit card and the pump asks you to punch in your zip code, it's not collecting marketing information. It's using the zip code as a (rather flimsy) security measure to protect against someone buying gas with a lost/stolen credit card. Yeah you can ask the customer to recite their address, but any burglar who stole the card from a house or mugger who got their victim's entire wallet would know the address. A photo ID with that info, while fairly easy to fake, requires a bit more effort on the part of the thief.

          Credit card security is in the dismal state it's currently in because Visa/MC/Amex have successfully transferred all the damage from fraudulent transactions onto the merchants. Since they lose practically no money to fraud, they have very little incentive to improve security. (The exorbitant interest rates are to cover the cost of credit card holders who default on their debt.) For market forces to work correctly, financial penalties for risks which fail must be linked to financial profits when those same risks succeed. What Visa et al have done is decouple the penalties from the profits (profits go to them, penalties to the merchant), leading to a situation where they are not penalized when the risks they take (poor security) fail. Consequently there is no motivation for them to improve credit card security beyond the laughable state it's currently in.

          • When you pay for gas with a credit card and the pump asks you to punch in your zip code, it's not collecting marketing information. It's using the zip code as a (rather flimsy) security measure to protect against someone buying gas with a lost/stolen credit card

            Sometimes. Other times, it's explicitly used for marketing purposes, and has nothing to do with card security. Gas at the pump is usually security, but any time a cashier is involved it's usually marketing.

      • by lgw ( 121541 )

        The truth is that credit card interest is the highest profit gig in the whole world. Because of this, Visa/MasterCard

        Visa/MasterCard make $0 off of interest. They charge a fee for the convenience of not having to use cash. They're not in the "loaning money" business at all, and of course TFS talks about debit cards, not credit cards.

        Vendors are not even allowed to do things like require an ID, (I know they do, but it is against the vendor agreement), even though it would make purchases a lot more secure, because EASY trumps everything, EASY makes billions.

        Easy is what the customers want. For normal fraud with actual credit cards (nothing to do with this story, of course), it's the merchant who eats the fraud for ID theft. But merchants sign up for that, because they'll have less business if they're inconvenient for their customers.

        Security

      • Re:Wow ... (Score:5, Funny)

        by Concerned Onlooker ( 473481 ) on Tuesday July 29, 2014 @01:09PM (#47559299) Homepage Journal

        "Visa wakes up, takes a dump, then wipes its ass with $300,000 dollars."

        This must be the reason that all those money laundering schemes exist.

    • by xxxJonBoyxxx ( 565205 ) on Tuesday July 29, 2014 @10:24AM (#47557793)

      From TFA:
      >> merchants can be liable for charges if they override a credit or debit card denial in this fashion

      >> In (another) case...after defrauding Victoria’s Secret, Banana Republic, and several other retailers out of $557,690 in the same manner, which is known as a “forced sale” or “forced code.”

      I think the operational problem here is that store managers have the authority to override denials to boost their own sales numbers...while the risk for bad credit decisions may fall on the owners.

    • Re:Wow ... (Score:5, Informative)

      by Sockatume ( 732728 ) on Tuesday July 29, 2014 @10:28AM (#47557841)

      The way it's supposed to work is that the store calls the issuer and requests an override code, and then keys it in themself. The bank can then tally the auth code against the store's call at the end of the day and process the charge. I have never seen a situation where the customer calls up the bank themselves.

      • Re:Wow ... (Score:5, Insightful)

        by PlusFiveTroll ( 754249 ) on Tuesday July 29, 2014 @10:53AM (#47558117) Homepage

        If you printed your own card and put a number for an issuer that you controlled I don't see what the difference is.

        • That would take at least five minutes' more effort than this guy had to put in. Good idea though, I might try that one myself.

        • Re: (Score:3, Informative)

          by Anonymous Coward

          The store doesn't call the card issuer for approval. The store calls their merchant bank that provided them with card processing facilities. The merchant bank then calls the card issuer to seek approval for the transaction. The merchant bank do not source the phone number of the issuing bank from the card, they use a lookup table provided my Visa or Mastercard.

      • Re:Wow ... (Score:5, Informative)

        by Serenissima ( 1210562 ) on Tuesday July 29, 2014 @12:50PM (#47559147)
        I used to work at The Apple Store. And that's really the way it should work. However, from my time there, we had credit cards declined all of the time. The Apple Store is a huge place for fraudulent purchases and credit cards routinely auto-blocked access when purchases were for Apple and outside of typical purchases. We actually had the VP of BOEING's Business credit card declined. The standard procedure was to have the customer call the bank, validate that they were them, and that they indeed DID want to make the purchase. After about a minute, we could re-run the card and it'd work.

        Now, when the payment device asked for an Override code, it was the job of the EMPLOYEE to got to the back and call up the bank. We're provided special numbers to call and special codes we have to type in. It's a horribly clunky and long process which everyone hated to do, but that was it. So, this is completely the employee's fault - albeit it's really a training issue and the blame rests with Apple. I can totally see why an employee would

        #1) Not want to go through that process when they need to get to the next sale

        #2) Possibly be new and not completely understand the process

        #3) Be susceptible to some clever social engineering - ie: There are some cases where the customer must call the bank. I need an override code from the bank to process this. The customer is calling the bank, so that means I don't have to!

        So it's a big f-up, but I can totally understand how and why it happened.

    • Re:Wow ... (Score:5, Informative)

      by the_skywise ( 189793 ) on Tuesday July 29, 2014 @10:35AM (#47557935)

      It's not a unique security code - it's a TRACKING NUMBER. This whole part of the process is designed specifically to work around an issue where the computer records might be incorrect or the computer system is in error and an actual human has to issue an authorization code.

      The actual fault in the system is that the Apple Employees let Sharron make the call and GIVE them the number. Instead THEY should've called Chase directly and gotten the code.

      • Well, maybe, but maybe the fault lies with the criminal, they printed credit cards that looked and felt real enough to fool a store clerk who handles them every day, what are the odds that clerk called the bank with the phone number on the back of the card? I have worked in retail, the check/credit card fraud was amazingly simple back then and still they got away with it, the rule of more secure less convenient does come into play but Apple understands this, each sales person is also a 'register' and the t

        • Re: (Score:3, Insightful)

          by lgw ( 121541 )

          The customer didn't print special cards here - they're just normal, expired cards.

          The store doesn't call the number on the back of the card - the store calls their own merchant bank.

          This was just straightforward grift (a con game), not some glaring flaw in the banking system. The sales clerks got suckered, perhaps due to lack of training by Apple, or perhaps the con-man was just that good.

    • Oh, blame the lobbyist? Is your "Free Market" soul hurt? This is a process by the Credit Card companies and the Banks. Lobbyists have next to nothing to do with it. Apple screwed up by not contacting the bank themselves. Apple screwed up by allowing a bully customer to steamroller them. Most companies don't even allow their employees to do this process because doing so says you're absolutely sure you've followed the process, and will accept the charges. It's typically only done on big ticket purchases were
    • Re:Wow ... (Score:5, Informative)

      by thinuspollard ( 1093519 ) on Tuesday July 29, 2014 @02:05PM (#47559757)

      Ok, they way it is supposed to work

      • 1. The POS is offline, or the card cannot be "read" by the POS device
      • 2. The MERCHANT is supposed to call the bank to obtain manual authorisation
      • 3. The bank actually performs the transaction against the backend, reserves the funds and issues an auth code to the merchant. This auth code is a reference number. A pretty large financial switch supplier I used to work with would use the local time (HHMMSS) as an auth number. Nothing wrong with that, transaction has already been authed online via the call centre.
      • 4. The merchant enters a manual transaction on the POS device, entering the auth number on the POS device to form part of the transaction.
      • 5. The POS does not send anything at this point in time to the bank. Remember, in obtaining the auth number, the transaction was already submitted and approved. The POS keeps this transaction in storage with the auth number
      • 6. End of day, the POS submits all transactions to the bank. This is called Banking the POS or settlement.
      • 7. Since all online transactions has been performed, these settlement records acts as a reconciliation. At this point the customer's bank account gets debited and the merchant only gets settled for the settlement transactions that were submitted to the bank, not for the online autos. If this settlement transaction does not match exactly with the original auth, the merchant does not get settled for this transaction. (It is slightly more complicated than this, since floor limits allows for the case where there was no original auth and the settlement tran is the only message seen, but for the amount of an Apple Store purchase, this would not come into play)

      So the system is relatively secure, but the MERCHANT should have called the bank, not the customer, that is where it broke down. This system also allows for floor limits, where the merchant is willing to accept a certain level of risk and the POS device approves transactions for an amount less than a set limit. At the end of the day the POS device submits these transactions to the bank and if the cardholder does not have sufficient funds, the merchant loses out.

      All these protocols have been in place for many years and dates from a time where communication between the POS and the bank was relatively expensive and slow. Dialling up for every transactions was not an option, so you would try to batch them together to achieve a lower cost per transaction.

      This is a very high level explanation of the issues involved here, but should convey the general ideas.

      Yes, the Apple Store managers and employees were idiots in this case

  • by Anonymous Coward on Tuesday July 29, 2014 @10:12AM (#47557677)

    It might have been 300k retail sales but it only cost Apple 500 bucks.

    • ...but it only cost Apple 500 bucks.

      500 bucks plus the lives of three Foxconn employees, the services of one street-cleaning crew and a large, counterfeit bottle of [Chinese-knockoff] Simple Green all-purpose cleaner (not quite as effective as the real thing but still more than adequate for getting reasonably fresh bloodstains off of sidewalks). ;)

  • He'll be serving 5-10 yrs. Brilliant.
  • $7142.85 (Score:4, Informative)

    by NoImNotNineVolt ( 832851 ) on Tuesday July 29, 2014 @10:20AM (#47557749) Homepage
    That's over $7142.85 per "scam". How the fuck do you spend that much money at a fucking Apple store?!
    • Have you never been to an Apple store? They charge $20 for a freaking USB to iPod cable. Think different (like everyone else).
    • I once went to the Apple website to price my ideal server. It cost well over $10,000.00. It was more like 18 thousand IIRC.
      • ... Apple ... ideal server ...

        *head asplodes*

    • Re: (Score:3, Funny)

      A couple of iPhone cables, iTunes gift cards, iPod socks. Pretty soon it adds up.
    • by Thruen ( 753567 )
      Seriously? They sell computers. I'm more curious how he didn't spend more in there, you could spend more than that on just one computer there with all the options.
      • I've been buying computers since I was a kid saving up for a 386DX33. The most I've ever spent on a computer was maybe a quarter of that sum. This further confirms, to me, that Apple gear is immensely overpriced.
    • A 6-core mac pro plus an apple thunderbolt display plus a high end macbook pro for when you are on the road could get to that kind of money pretty easilly without looking too suspiscious (assuming you look rich)

    • Eight-core Mac Pro with 27" Cinema Display. Extra memory and hard drives. Plus tax.

      • by jsepeta ( 412566 )

        you can't buy custom-built machines as a walk-in customer; that's an order that's processed over the internet.

    • by jsepeta ( 412566 )

      How do you NOT spend that much?

    • Re:$7142.85 (Score:4, Insightful)

      by SydShamino ( 547793 ) on Tuesday July 29, 2014 @12:34PM (#47559027)

      A few laptops gets there.

      The scam works better with a large purchase. Banks routinely deny transaction over some amount, forcing the retailer to call for an override code. Apparently the denial for "bad account" look identical to the one for "valid account, but that amount is high so give us a call, okay?"

      If his card was denied for a $500 purchase, he'd need to convince the retailer that it was a bug in the system, not just a routine check for a large purchase.

  • shift of blame. (Score:3, Interesting)

    by Antony T Curtis ( 89990 ) on Tuesday July 29, 2014 @10:21AM (#47557765) Homepage Journal

    Once upon a time, the retailer would have to take the blame for this because it is the retailer who is supposed to make the call to the financial institution on the retailer's own phone line, not using the cardholder's phone or trusting the cardholder's ability to dial the number.

    Unfortunately, the retailers are successfully using the police to cover for the incompetence of their staff.

    • Well, it takes two to tango: the Apple Store to somehow fail to train their employees in the most basic principles of performing a card transaction, and this guy to exploit the error.

    • No matter how stupid Apple was to fall for this, and how much they disregarded good practice, this is still definitely fraud.

      Why wouldn't they call the police?

    • Fraud is fraud. They aren't going after the banks, just arresting the actual criminal.

      This scam is nothing new. I fell for it once 20 years ago when I was 18. The customer told me I needed to use the number printed on the card to get an authorization code. Being 18 and not knowing any better, that's what I did. Everything seemed legit during the phone call, I punched it in to the card system, and the scammer walked away with a very nice laptop.

      Now that I know how the scam works, I could easily spot it

    • Given that the claim is they defrauded Apple my guess is the bank told Apple they were going to eat the charge for not following procedures. Apple called the police because they've been defrauded.

      Because Genius here used his own name in the transaction it becomes rather trivial for the police to put the guy in prison. Here's a secret, the easiest way to get the police involved in some crime is to make it incredibly easy for them to investigate and get a conviction, particularly with some victim that will dr

  • 42 (Score:5, Funny)

    by Anonymous Coward on Tuesday July 29, 2014 @10:27AM (#47557823)

    So the ultimate question to life and everything is: "How many times was Apple ripped off by an single individual?"

  • by Atzanteol ( 99067 ) on Tuesday July 29, 2014 @10:28AM (#47557843) Homepage

    Does the fact that the guy was 24 have any bearing on the story what-so-ever? Why not say "scam artist" or something more generic?

  • by John3 ( 85454 ) <john3 AT cornells DOT com> on Tuesday July 29, 2014 @10:29AM (#47557861) Homepage Journal
    Based on TFA this scam has been done before to other retailers. When a merchant receives a "decline" they can optionally call the bankcard processor to obtain a verbal authorization code. The merchant can then "force" the sale to go through using the authorization code they received over the phone. The two huge procedural holes that Apple (and the other retailers) left open are:

    1: The clerk is the one that should be calling for an approval code, and the call is made not to the cardholder's bank but rather to the bank that processes the cards for the retail store. It doesn't matter what the customer's bank says (or in this case the fake bank) since the approval/authorization code must come from the retailer's bankcard processor.

    2: At my store a manager override is required to "force" a bankcard approval. So even if the clerk makes the call and gets a voice approval code a manager/owner must also provide a password to allow the approval to go through. Apparently Apple has no such security check in place and clerks tan type a manual code into the POS system to force the sale to go through.

    Amazingly simple scam, but also amazingly simple to prevent if the stores involved had even rudimentary procedures in place.

  • I can see putting it in the summary, but what relevance is his age to put it in the headline? If not 24, what age am I supposed to expect for someone who would pull off this kind of scam?
  • I worked retail for a long time, including an Apple Store. I cannot remember the policies at Apple when I was working there, but most places will not take a verbal approval code.

    If the person on the other end of the phone (generally you get to them by calling the 800 number on the back of the card) has the ability to run the transaction, they have the ability to clear whatever prevented the card from going through the first time. They would have to - they have to clear the hurdle before they can run the transaction themselves.

    So policy at most places is that the telephone operator clears the issue (usually it is a daily spending limit that card issuers never mention) and then the store runs the card again. There was no procedure for manually entering a verbal approval code.

    My memory of Apple Retail (this was '04-'06), however, is that they had almost every contingency covered. The POS machines all had USB modems attached so that in case the Internet went down at the store, credit cards could still be processed. We even had the old CH-CHUNK imprint devices when everything went pear-shaped. I do seem to remember having the ability to enter a manual authorization code for a credit card transaction. It is Apple Retail - there are supposed to be no hurdles keeping a Specialist from keeping a customer happy.

  • So they weren't calling the bank, but obviously they were calling someone. Did the store employee actually speak with someone, or did he manage to fake the call entirely? Presumably he had an accomplice who was pretending to be the bank. Did they track down and arrest that person? I didn't see it in the article.

  • How many digits is that code...?

  • That Apple even accepts this is ludicrous. Just tell the guy, "Look, we have a whole store full of this shit. It will be here tomorrow. Or the next day. Or the day after that. Come back when you clear your crap up with your bank, and THEN pay for it."
  • by fuzznutz ( 789413 ) on Tuesday July 29, 2014 @11:40AM (#47558533)
    Should I assume his parents REALLY wanted a girl?
  • He should just call himself "Sue" and be done with it.

The 11 is for people with the pride of a 10 and the pocketbook of an 8. -- R.B. Greenberg [referring to PDPs?]

Working...