A 24-Year-Old Scammed Apple 42 Times In 16 Different States

redletterdave (2493036) writes "Sharron Laverne Parrish Jr., 24, allegedly scammed Apple not once, but 42 times, cheating the company out of more than $300,000 — and his scam was breathtakingly simple. According to a Secret Service criminal complaint, Parrish allegedly visited Apple Stores and tried to buy products with four different debit cards, which were all closed by his respective financial institutions. When his debit card was inevitably declined by the Apple Store, he would protest and offer to call his bank — except, he wasn't really calling his bank. So he would allegedly offer the Apple Store employees a fake authorization code with a certain number of digits, which is normally provided by credit card issuers to create a record of the credit or debit override. But that's the problem with this system: as long as the number of digits is correct, the override code itself doesn't matter."

Wow ...

[gstoddart]

But that's the problem with this system: as long as the number of digits is correct, the override code itself doesn't matter.

Who the hell came up with that idea?

That's no security in any meaningful sense of the word.

I'm betting some lobbyist made it so that the banks didn't really need to do anything concrete, just look like they were.

If that's all that's required, the banks deserve to be getting ripped off.

Re:Wow ...

[Anonymous Coward]

Except they're not, Apple was. TFA states that since they accepted it even after it was denied, Apple's on the hook for it.

Re:

[Krojack]

If the override code is submitted back to the bank and they accept it then it's on the bank not Apple.

1. Run card... denied..
2. Run card again with override code.. accepted..
3. Leave store with items.

Re:Wow ...

[hawkinspeter]

As the bank didn't provide an override code and have no record of providing an override code, why should they accept liability?

Re:

[ddtmm]

Seems to me Apple should have been the one calling for authentication, not the customer. Definitely Apple's err.

Re: Wow ...

[Anonymous Coward]

No, no one ever contacted the bank. Apple's Point of Sale software was configured to accept any number based on length() of the number string. They held the number until the end of the day or some other convenient time, when they'd process it with the banks. That was stupid, and the scam is common. Retailers are starting to learn to call and verify immediately (before clearing tge transaction), not to wait until the end of the day.

Re:

[metrix007]

The bank supplies Apple's POS software, so the bank is on the hook.

Pretty simple really.

Re:

[parkinglot777]

The bank supplies Apple's POS software

Are you sure about that??? I highly doubt. The software can be from anyone (or merchant). I don't think banks supply POS software. I believe the only thing that bank supply is the validation between the bank and retailers/corporations.

Re:

[jythie]

The bank supplies an API that people connect to, or at minimal the intermediate network provides an API. All the bank does is plug in to the same network.

Re: Wow ...

[madhatter256]

Not really, I know people who write POS code for a company that competes with NCR. They have no ties to banks. it's all about talking to processors, like VISA, Mastercard, etc.

I guess people are trying to pin this on the bank because banks are evil. #wallstreet #99% #ideserverwhatyouworkedfor #givemestuff

Re:Wow ...

[idontgno]

I understand the long-running and much-honored Slashdot tradition of not reading TFA, but couldn't you at least have read The Fucking Summary?

When his debit card was inevitably declined by the Apple Store, he would protest and offer to call his bank — except, he wasn't really calling his bank. So he would allegedly offer the Apple Store employees a fake authorization code with a certain number of digits....

There was ample dumbshittery (and liability) to assign here, but it's all on the Apple Store drones. No bank involved.

Re:

[ericloewe]

The summary does not make it clear whether the stores' POS systems interacted with the banks' systems.

Re:Wow ...

[idontgno]

Other than mentioning that the store declined the debit card (which is by definition an interaction between the POS and the credit/debit clearinghouse).

But since you've raised the issue, you've shown exactly where you missed the boat.

The exploit is completely OUTSIDE of the POS<->bank interaction. (Cuz, "debit refused"). The exploit occurs in the "call a fake bank, offer up a fake reference number, have the Apple Store drones accept it as proof of a valid credit/debit transaction" phase AFTER the machine-to-machine part.

Apparenly, you've fallen for the same trick the Apple Store drones did: fixating on the machine-to-machine debit transaction (which failed as expected) and completely neglecting the social engineering that followed.

Re:

[Chas]

Because, apparently, the banks system accepted the transaction.

No. An override code is a local thing. It doesn't communicate back to the bank.

Re:Wow ...

[RavenLrD20k]

Hell, at the retail outlet I used to work at, manager made a blanket policy that if the POS returned a request for an Auth code we just outright declined the transaction, handed the customer an Experian business card and asked if they had another form of payment. If the customer asked if he could call his bank to get an Auth code (Red Flag) we would say that our business system did not allow for manual authorizations (which was true. The system the manager put in place didn't allow for ManAuths, even if the POS did).

Re:Wow ...

[vux984]

it is up to the cashier to hold the card, read the number and call it themselves

It is up to the cashier to call THEIR OWN BANK.
They are not supposed to call the number on the back of the customers card -- for reasons that should be pretty bleeding obvious.

Re:Wow ...

[Sockatume]

It's not a security code, it's a reference number. The transaction isn't formally authorised by the bank until the end of the day when they receive that reference number and tally it with the corresponding phone call from the retailer. *Then* the transaction is authorised. (Assuming said phone call included verbal authorisation of the transaction.)

That the Apple Store didn't know this is how the system works means it was completely open to abuse.

Re:Wow ...

[netsavior]

The truth is that credit card interest is the highest profit gig in the whole world. Because of this, Visa/Mastercard and all the myriad banks that work with them have a vested interest in making credit/debit card purchases VERY EASY.
Visa wakes up, takes a dump, then wipes its ass with $300,000 dollars. It is nothing compared to the billions they make in clearing fees alone.
Vendors are not even allowed to do things like require an ID, (I know they do, but it is against the vendor agreement), even though it would make purchases a lot more secure, because EASY trumps everything, EASY makes billions. Secure override codes... Who cares?

Re:Wow ...

[naughtynaughty]

Visa/MC and the banks have security measures in place, merchants who follow the process aren't liable for loss from fraudulent cards. Asking for ID provides no additional protection to merchants and to the extent they rely on it instead of established Visa/MC processes it can lessen security. But you are correct that making customers spend an extra 30 secs digging out their ID and having some clerk eyeball it and hand it back is not easy and in fact that 30 secs times all the legitimate transactions is more costly than the RARE case of credit card fraud that could be prevented by asking for ID (which is easily circumvented). The problem here is not the authorization code but that Apple didn't follow the proper procedure of contacting the bank for an override code themselves. There is no need for a secure override code.

Re:Wow ...

[Solandri]

Visa/MC and the banks have security measures in place, merchants who follow the process aren't liable for loss from fraudulent cards. Asking for ID provides no additional protection to merchants and to the extent they rely on it instead of established Visa/MC processes it can lessen security.

The info on the ID is the security measures Visa/MC have in place. They allow a merchant to enter info like address or phone number, and their computers will tell the merchant whether or not it matches the address/phone they have on file for that card. When you pay for gas with a credit card and the pump asks you to punch in your zip code, it's not collecting marketing information. It's using the zip code as a (rather flimsy) security measure to protect against someone buying gas with a lost/stolen credit card. Yeah you can ask the customer to recite their address, but any burglar who stole the card from a house or mugger who got their victim's entire wallet would know the address. A photo ID with that info, while fairly easy to fake, requires a bit more effort on the part of the thief.

Credit card security is in the dismal state it's currently in because Visa/MC/Amex have successfully transferred all the damage from fraudulent transactions onto the merchants. Since they lose practically no money to fraud, they have very little incentive to improve security. (The exorbitant interest rates are to cover the cost of credit card holders who default on their debt.) For market forces to work correctly, financial penalties for risks which fail must be linked to financial profits when those same risks succeed. What Visa et al have done is decouple the penalties from the profits (profits go to them, penalties to the merchant), leading to a situation where they are not penalized when the risks they take (poor security) fail. Consequently there is no motivation for them to improve credit card security beyond the laughable state it's currently in.

Re:

[EvilJoker]

When you pay for gas with a credit card and the pump asks you to punch in your zip code, it's not collecting marketing information. It's using the zip code as a (rather flimsy) security measure to protect against someone buying gas with a lost/stolen credit card

Sometimes. Other times, it's explicitly used for marketing purposes, and has nothing to do with card security. Gas at the pump is usually security, but any time a cashier is involved it's usually marketing.

Re:

[lgw]

The truth is that credit card interest is the highest profit gig in the whole world. Because of this, Visa/MasterCard

Visa/MasterCard make $0 off of interest. They charge a fee for the convenience of not having to use cash. They're not in the "loaning money" business at all, and of course TFS talks about debit cards, not credit cards.

Vendors are not even allowed to do things like require an ID, (I know they do, but it is against the vendor agreement), even though it would make purchases a lot more secure, because EASY trumps everything, EASY makes billions.

Easy is what the customers want. For normal fraud with actual credit cards (nothing to do with this story, of course), it's the merchant who eats the fraud for ID theft. But merchants sign up for that, because they'll have less business if they're inconvenient for their customers.

Security

Re:Wow ...

[Concerned Onlooker]

"Visa wakes up, takes a dump, then wipes its ass with $300,000 dollars."

This must be the reason that all those money laundering schemes exist.

This is an Apple/retailer fail

[xxxJonBoyxxx]

From TFA:
>> merchants can be liable for charges if they override a credit or debit card denial in this fashion

>> In (another) case...after defrauding Victoria’s Secret, Banana Republic, and several other retailers out of $557,690 in the same manner, which is known as a “forced sale” or “forced code.”

I think the operational problem here is that store managers have the authority to override denials to boost their own sales numbers...while the risk for bad credit decisions may fall on the owners.

Re:Wow ...

[Sockatume]

The way it's supposed to work is that the store calls the issuer and requests an override code, and then keys it in themself. The bank can then tally the auth code against the store's call at the end of the day and process the charge. I have never seen a situation where the customer calls up the bank themselves.

Re:Wow ...

[PlusFiveTroll]

If you printed your own card and put a number for an issuer that you controlled I don't see what the difference is.

Re:

[Sockatume]

That would take at least five minutes' more effort than this guy had to put in. Good idea though, I might try that one myself.

Re:

[Anonymous Coward]

The store doesn't call the card issuer for approval. The store calls their merchant bank that provided them with card processing facilities. The merchant bank then calls the card issuer to seek approval for the transaction. The merchant bank do not source the phone number of the issuing bank from the card, they use a lookup table provided my Visa or Mastercard.

Re:Wow ...

[Serenissima]

I used to work at The Apple Store. And that's really the way it should work. However, from my time there, we had credit cards declined all of the time. The Apple Store is a huge place for fraudulent purchases and credit cards routinely auto-blocked access when purchases were for Apple and outside of typical purchases. We actually had the VP of BOEING's Business credit card declined. The standard procedure was to have the customer call the bank, validate that they were them, and that they indeed DID want to make the purchase. After about a minute, we could re-run the card and it'd work.

Now, when the payment device asked for an Override code, it was the job of the EMPLOYEE to got to the back and call up the bank. We're provided special numbers to call and special codes we have to type in. It's a horribly clunky and long process which everyone hated to do, but that was it. So, this is completely the employee's fault - albeit it's really a training issue and the blame rests with Apple. I can totally see why an employee would

#1) Not want to go through that process when they need to get to the next sale

#2) Possibly be new and not completely understand the process

#3) Be susceptible to some clever social engineering - ie: There are some cases where the customer must call the bank. I need an override code from the bank to process this. The customer is calling the bank, so that means I don't have to!

So it's a big f-up, but I can totally understand how and why it happened.

Re:Wow ...

[the_skywise]

It's not a unique security code - it's a TRACKING NUMBER. This whole part of the process is designed specifically to work around an issue where the computer records might be incorrect or the computer system is in error and an actual human has to issue an authorization code.

The actual fault in the system is that the Apple Employees let Sharron make the call and GIVE them the number. Instead THEY should've called Chase directly and gotten the code.

Re:

[Roskolnikov]

Well, maybe, but maybe the fault lies with the criminal, they printed credit cards that looked and felt real enough to fool a store clerk who handles them every day, what are the odds that clerk called the bank with the phone number on the back of the card? I have worked in retail, the check/credit card fraud was amazingly simple back then and still they got away with it, the rule of more secure less convenient does come into play but Apple understands this, each sales person is also a 'register' and the t

Re:

[lgw]

The customer didn't print special cards here - they're just normal, expired cards.

The store doesn't call the number on the back of the card - the store calls their own merchant bank.

This was just straightforward grift (a con game), not some glaring flaw in the banking system. The sales clerks got suckered, perhaps due to lack of training by Apple, or perhaps the con-man was just that good.

Re:

[medv4380]

Oh, blame the lobbyist? Is your "Free Market" soul hurt? This is a process by the Credit Card companies and the Banks. Lobbyists have next to nothing to do with it. Apple screwed up by not contacting the bank themselves. Apple screwed up by allowing a bully customer to steamroller them. Most companies don't even allow their employees to do this process because doing so says you're absolutely sure you've followed the process, and will accept the charges. It's typically only done on big ticket purchases were

Re:Wow ...

[thinuspollard]

Ok, they way it is supposed to work

• 1. The POS is offline, or the card cannot be "read" by the POS device
• 2. The MERCHANT is supposed to call the bank to obtain manual authorisation
• 3. The bank actually performs the transaction against the backend, reserves the funds and issues an auth code to the merchant. This auth code is a reference number. A pretty large financial switch supplier I used to work with would use the local time (HHMMSS) as an auth number. Nothing wrong with that, transaction has already been authed online via the call centre.
• 4. The merchant enters a manual transaction on the POS device, entering the auth number on the POS device to form part of the transaction.
• 5. The POS does not send anything at this point in time to the bank. Remember, in obtaining the auth number, the transaction was already submitted and approved. The POS keeps this transaction in storage with the auth number
• 6. End of day, the POS submits all transactions to the bank. This is called Banking the POS or settlement.
• 7. Since all online transactions has been performed, these settlement records acts as a reconciliation. At this point the customer's bank account gets debited and the merchant only gets settled for the settlement transactions that were submitted to the bank, not for the online autos. If this settlement transaction does not match exactly with the original auth, the merchant does not get settled for this transaction. (It is slightly more complicated than this, since floor limits allows for the case where there was no original auth and the settlement tran is the only message seen, but for the amount of an Apple Store purchase, this would not come into play)

So the system is relatively secure, but the MERCHANT should have called the bank, not the customer, that is where it broke down. This system also allows for floor limits, where the merchant is willing to accept a certain level of risk and the POS device approves transactions for an amount less than a set limit. At the end of the day the POS device submits these transactions to the bank and if the cardholder does not have sufficient funds, the merchant loses out.

All these protocols have been in place for many years and dates from a time where communication between the POS and the bank was relatively expensive and slow. Dialling up for every transactions was not an option, so you would try to batch them together to achieve a lower cost per transaction.

This is a very high level explanation of the issues involved here, but should convey the general ideas.

Yes, the Apple Store managers and employees were idiots in this case

in fairness...

[Anonymous Coward]

It might have been 300k retail sales but it only cost Apple 500 bucks.

Re:

[Type44Q]

...but it only cost Apple 500 bucks.

500 bucks plus the lives of three Foxconn employees, the services of one street-cleaning crew and a large, counterfeit bottle of [Chinese-knockoff] Simple Green all-purpose cleaner (not quite as effective as the real thing but still more than adequate for getting reasonably fresh bloodstains off of sidewalks). ;)

Re:

[Anonymous Coward]

... it only cost Apple 500 bucks

If you believe IP == worthless, then yes.

No, Apple believes Chinese children are worthless [qz.com].

And now..

[justcauseisjustthat]

He'll be serving 5-10 yrs. Brilliant.

Re:And now..

[Jason Levine]

Don't worry. He's called the parole board and says that they said he should be released as per override code number 12345.

Re:

[FuzzNugget]

"Hey, I'm actually supposed to be getting *out* of prison today, so..."

"You're in the wrong line, dumbass!"

Re:And now..

[Zero__Kelvin]

Don't forget the free sex!

$7142.85

[NoImNotNineVolt]

That's over $7142.85 per "scam". How the fuck do you spend that much money at a fucking Apple store?!

Cult of Personality

[FutureRobertOverlord]

Have you never been to an Apple store? They charge $20 for a freaking USB to iPod cable. Think different (like everyone else).

Re:

[Zero__Kelvin]

I once went to the Apple website to price my ideal server. It cost well over $10,000.00. It was more like 18 thousand IIRC.

Re:

[NoImNotNineVolt]

... Apple ... ideal server ...

*head asplodes*

Re:

[bobbied]

Nobody questions their quality, just their price for performance. Apple has always sold lower performance hardware at a premium over other kinds of systems. But they have a totally different business model and they sell the Apple branded way of doing things to users who don't mind paying for it.

Re: $7142.85

[LocalH]

> hot under the caller

> ignorant

You must be ignorant about that phrase, ironically. It's "hot under the collar", as if someone is breathing fire down one's neck.

Re:

[bobbied]

I will point out that Apple's quality has not been as stellar of late, they ARE slipping somewhat, but they are still better than your average company. So, I suppose there are SOME folks who complain about Apple's quality so I must revise my statement.

Most knowledgeable people do not question Apple's hardware quality.

Re:

[Zero__Kelvin]

I absolutely agree with that assessment :-)

Re:

[metrix007]

The only ignorant people here are those trying to insist there opinion, having been through Apple's RDF, is somehow objectively correct.

Re:

[NoImNotNineVolt]

Say what you want about Apple, they make great hardware.

Thank you for granting me permission to speak freely.

Apple doesn't make hardware. They buy it and assemble it into consumer products. Overpriced consumer products.

Unless by "hardware" you meant shiny plastic enclosures, not integrated circuits. In which case, yes, Apple does make great hardware.

Re:

[geekoid]

Apples server hardware is horrible. This isn't a secret. They've never been able to do it well, it has never been their primary focus. i.e. core compeanct.

They have finally come to grips with that and partnered with IBM.

Re:

[Zero__Kelvin]

Spoken like a person who never owned a Macbook. I am a Linux guy, and I am by no stretch of the imagination an Apple fan, but misinformed hatred is just a form of ignorance.

Re:

[Immerman]

Most of the technology and electronics are pretty much the same, but the case, screen, keyboard, trackpad, speakers, etc - all the stuff that you directly interact with, tend to be much superior. Often even compared to a comparably-priced PC. Whether or not that is worth the price premium is entirely a personal question.

Re:

[Zero__Kelvin]

Yes, because one abberation equals a norm.

Re:

[jsepeta]

I've worked with Apple gear since 1984, and have worked for 3 Apple VARs. I've only seen 3 power supplies go bad in what, 25 years? Sounds like you need to run some kind of power conditioner / UPS to prevent the strain on your power supplies.

Re:

[Zero__Kelvin]

Did I say the price was out of line with the industry? I must have missed that.

Re:

[DJCouchyCouch]

A couple of iPhone cables, iTunes gift cards, iPod socks. Pretty soon it adds up.

Re:

[Thruen]

Seriously? They sell computers. I'm more curious how he didn't spend more in there, you could spend more than that on just one computer there with all the options.

Re:

[NoImNotNineVolt]

I've been buying computers since I was a kid saving up for a 386DX33. The most I've ever spent on a computer was maybe a quarter of that sum. This further confirms, to me, that Apple gear is immensely overpriced.

Re:

[Thruen]

Nice job picking out the only quote in the entire thing that suggests Macs are more expensive. You can buy a PC for less than Dell or anyone else charges too if you buy the components yourself. If you actually read the article (instead of deliberately taking out one quote that runs counter to the rest of it) you'll see that between the comparisons they did, the Mac is equal to one system and $200 less than the other. When the components were priced out separately to build a Mac Pro clone, you could save a w

Re:

[petermgreen]

A 6-core mac pro plus an apple thunderbolt display plus a high end macbook pro for when you are on the road could get to that kind of money pretty easilly without looking too suspiscious (assuming you look rich)

Re:

[JazzHarper]

Eight-core Mac Pro with 27" Cinema Display. Extra memory and hard drives. Plus tax.

Re:

[jsepeta]

you can't buy custom-built machines as a walk-in customer; that's an order that's processed over the internet.

Re:

[jsepeta]

How do you NOT spend that much?

Re:$7142.85

[SydShamino]

A few laptops gets there.

The scam works better with a large purchase. Banks routinely deny transaction over some amount, forcing the retailer to call for an override code. Apparently the denial for "bad account" look identical to the one for "valid account, but that amount is high so give us a call, okay?"

If his card was denied for a $500 purchase, he'd need to convince the retailer that it was a bug in the system, not just a routine check for a large purchase.

Re:

[ogdenk]

You aren't far off, a couple high-end 17" MacBook Pros would easily get there pretty quick.

Re:

[phayes]

High-end 17" MacBook Pros? Really? Haven't entered an Apple Store or browsed store.apple.com in the last 2 years have you.

Apple eliminated the 17" MBPs 2 years ago when they introduced the Retina MacBook Pro.

As for how to spend 7 grand in an Apple store, that's easy: A maxed out Mac Pro with a Promise thunderbolt array & a 32" 4k display will cost you $16,911.00...

Re:

[bobbied]

Surely they don't have all those in the store? Remember this guy had to walk out with hardware in hand because by COB they would figure out they'd been had, so making any special orders would be a no-go option. No, I'm sure he had to buy "in stock" stuff from the store.

shift of blame.

[Antony T Curtis]

Once upon a time, the retailer would have to take the blame for this because it is the retailer who is supposed to make the call to the financial institution on the retailer's own phone line, not using the cardholder's phone or trusting the cardholder's ability to dial the number.

Unfortunately, the retailers are successfully using the police to cover for the incompetence of their staff.

Re:

[Sockatume]

Well, it takes two to tango: the Apple Store to somehow fail to train their employees in the most basic principles of performing a card transaction, and this guy to exploit the error.

Re:

[gstoddart]

No matter how stupid Apple was to fall for this, and how much they disregarded good practice, this is still definitely fraud.

Why wouldn't they call the police?

Re:

[NewWorldDan]

Fraud is fraud. They aren't going after the banks, just arresting the actual criminal.

This scam is nothing new. I fell for it once 20 years ago when I was 18. The customer told me I needed to use the number printed on the card to get an authorization code. Being 18 and not knowing any better, that's what I did. Everything seemed legit during the phone call, I punched it in to the card system, and the scammer walked away with a very nice laptop.

Now that I know how the scam works, I could easily spot it

Re:

[rahvin112]

Given that the claim is they defrauded Apple my guess is the bank told Apple they were going to eat the charge for not following procedures. Apple called the police because they've been defrauded.

Because Genius here used his own name in the transaction it becomes rather trivial for the police to put the guy in prison. Here's a secret, the easiest way to get the police involved in some crime is to make it incredibly easy for them to investigate and get a conviction, particularly with some victim that will dr

42

[Anonymous Coward]

So the ultimate question to life and everything is: "How many times was Apple ripped off by an single individual?"

What a strange title.

[Atzanteol]

Does the fact that the guy was 24 have any bearing on the story what-so-ever? Why not say "scam artist" or something more generic?

Re:

[kwoff]

Maybe it is a steganography key, color #244216

Exploited procedural loophole

[John3]

Based on TFA this scam has been done before to other retailers. When a merchant receives a "decline" they can optionally call the bankcard processor to obtain a verbal authorization code. The merchant can then "force" the sale to go through using the authorization code they received over the phone. The two huge procedural holes that Apple (and the other retailers) left open are:

1: The clerk is the one that should be calling for an approval code, and the call is made not to the cardholder's bank but rather to the bank that processes the cards for the retail store. It doesn't matter what the customer's bank says (or in this case the fake bank) since the approval/authorization code must come from the retailer's bankcard processor.

2: At my store a manager override is required to "force" a bankcard approval. So even if the clerk makes the call and gets a voice approval code a manager/owner must also provide a password to allow the approval to go through. Apparently Apple has no such security check in place and clerks tan type a manual code into the POS system to force the sale to go through.

Amazingly simple scam, but also amazingly simple to prevent if the stores involved had even rudimentary procedures in place.

Re:

[tomlouie]

> 1: The clerk is the one that should be calling for an approval code, and the call is made not to the cardholder's bank but rather to the bank that processes the cards for the retail store. It doesn't matter what the customer's bank says (or in this case the fake bank) since the approval/authorization code must come from the retailer's bankcard processor.

Read again, the clerk should be calling the store's bank, not the customer's bank.

Re:

[Sockatume]

Every time I've done it, it has been the customer's bank on the other end of the line.

Re:

[__aaeihw9960]

Both times I've done it, though, I used my phone to look up the generic number for the credit card company. Don't blindly trust anyone* and use their number on their card. God only knows where that's actually going.

* Except Google, apparently. . . . Yikes.

Re:Exploited procedural loophole

[John3]

A simple work around is to alter the phone number on the card to a number you control.

Then the retailer could call the number receive the code from your accomplice and provide a valid false code.

The retailer doesn't call the number on the card, the retailer call's the merchant service center. For example, customer has a Chase Mastercard and when Apple tries to post a transaction the card receives a decline. Apple would never call Chase, but instead calls their provider (which at my store is First Data Merchant Services). Apple's provider in turn electronically contacts Chase and then provides an approval code back to the clerk. The customer (or scammer) never has an opportunity to change the phone number unless they physically get behind the checkout counter and overwrite the numbers that are posted for the retail clerks to use. So it doesn't matter what phone number is on the card, that number is for the customer's use and not for the merchant's use.

What does his age have to do with it?

[hubie]

I can see putting it in the summary, but what relevance is his age to put it in the headline? If not 24, what age am I supposed to expect for someone who would pull off this kind of scam?

I worked in retail a long time

[singularity]

I worked retail for a long time, including an Apple Store. I cannot remember the policies at Apple when I was working there, but most places will not take a verbal approval code.

If the person on the other end of the phone (generally you get to them by calling the 800 number on the back of the card) has the ability to run the transaction, they have the ability to clear whatever prevented the card from going through the first time. They would have to - they have to clear the hurdle before they can run the transaction themselves.

So policy at most places is that the telephone operator clears the issue (usually it is a daily spending limit that card issuers never mention) and then the store runs the card again. There was no procedure for manually entering a verbal approval code.

My memory of Apple Retail (this was '04-'06), however, is that they had almost every contingency covered. The POS machines all had USB modems attached so that in case the Internet went down at the store, credit cards could still be processed. We even had the old CH-CHUNK imprint devices when everything went pear-shaped. I do seem to remember having the ability to enter a manual authorization code for a credit card transaction. It is Apple Retail - there are supposed to be no hurdles keeping a Specialist from keeping a customer happy.

Who were they calling?

[crow]

So they weren't calling the bank, but obviously they were calling someone. Did the store employee actually speak with someone, or did he manage to fake the call entirely? Presumably he had an accomplice who was pretending to be the bank. Did they track down and arrest that person? I didn't see it in the article.

At the risk of asking the obvious

[NEDHead]

How many digits is that code...?

Beyond stupid

[superdave80]

That Apple even accepts this is ludicrous. Just tell the guy, "Look, we have a whole store full of this shit. It will be here tomorrow. Or the next day. Or the day after that. Come back when you clear your crap up with your bank, and THEN pay for it."

Sharron Laverne?

[fuzznutz]

Should I assume his parents REALLY wanted a girl?

With a name like Sharron Laverne

[sproketboy]

He should just call himself "Sue" and be done with it.

Re:Brilliant...

[Sockatume]

Presumably he was treating it as a source of income rather than a source of Apple hardware.

Re:Brilliant...

[ArcadeMan]

Because.... 42?

Re:

[Jodka]

from your Puffington Host link:

"The participants were first asked about their wealth, schooling, social background, religious persuasions and attitudes to money in an attempt to establish their perceived social class."

Interesting experiment. The methodology is broken.

Because of the possibility that dishonest people will lie about their own income and social status the conclusion that wealthy people are more dishonest is unfounded. According to the description of the experimental methods, subjects categorized as "wealthy" in the study would have included both the genuinely wealthy and the non-wealthy liars. That is, the study misidentifies poor liars as wealthy liars. And with some de

Re:

[rogoshen1]

lowlife as he may be, running this still took some moxy and guile. he could easily fit in with a sales team somewhere (pharma perhaps?). he might need to lower his ethical standards a bit, but that's something they teach on the job methinks.

Re:

[gstoddart]

No kidding, any system which comes down to "I have a number, trust me" is pretty flawed.

Obviously, Apple was doing something wrong since they're on the hook for it, but you'd really think there would have to be some validation inherent to this.

This sounds like it boiled down to "declined, declined, declined, OK, go ahead". That's crazy.

Re:

[Sockatume]

It's more like "well, I don't have any money, but I swear that my bank just sent a cheque to your bank covering the transaction, here's the reference number".

Re:

[hawkinspeter]

The credit card issuers do have some security in place - they confirm the identity of the card-holder with various questions. However, in this case, the credit card company weren't contacted and were obviously unable to confirm or deny the card-holder's identity.

Re:

[VGPowerlord]

It sounds like the real scammers are the credit card issues that have a system in place to override that has ZERO security in place.

The security is supposed to be that the retailer is supposed to call the bank themselves to verify it. Which they didn't do.

Re:

[bobbied]

I walked in once ... and couldn't figure out how to buy something so I left !

Seriously? So I'm to assume you didn't speak English because every time I've been in an Apple store I've been approached multiple times with "How can I help you?" questions from the staff. I'm sure if I said "I'd like to buy an iPad" they'd know what to do with my credit card..

Re:

[Immerman]

As others have said, there is a system to check this - the vendor calls the bank in question and gets an authorization code for the transaction. However, by allowing the scammer to "call his bank" and provide them with an "authorization code" rather than doing it themselves the Apple store employees left themselves wide open to being exploited.

Re:

[jsepeta]

pretty terrible comment there. but if he was African american, then that explains his name. there's a whole chapter on that in Freakonomics.