PG Music Home Forums General Discussion Off-Topic It's official! Norton Music has made the big time - Russian Fraudsters are stealing other people's credit card numbers just to get my styles!!!

Well it all started Saturday morning. I had an early gig, and had to leave at noon, but around 9:00AM I checked my e-mail. I do this daily. I noticed 3 consecutive orders made about an hour ago, so I peeked inside to see what they were.

Great! They are big ones. It's going to be a good week!

Then I noticed they all went to the same person, and that some of the disks were ordered more than once. Not many people buy more than one disk of the same title from me. And when they do, it's usually to give a copy to a friend or band-mate (thanks to those who are honest). So something is fishy here.

So I look, they are all from the same person in Texas.

The Authorization company checks the web entry automatically, if the card data matches, the computer approves the customer's instant download and then sends me a copy of the order with the card number deleted. They do include the authorization codes though. Name, address, zip code, expiration date, and security code all gave "matched" code. Then I notice they went to an e-mail address in Russia. Hmmm a guy in Texas but a Russian e-mail address. Something is even fishier here.

I check, he isn't in my database, he never ordered from me or inquired about my products in the past.

So I pick up the phone to call the customer. I figured I should be a good guy and warn him, letting him know that if he didn't place the order, he had better call his credit card company. (I would want someone to do that for me if the situation had been reversed). The phone isn't answered and the message says that the voice-mail hasn't been activated yet. The plot thickens. Obviously a new phone.

So I go to my webhost control panel, notice all the disks have been downloaded, so I cancel the password and username used on the order. If the order is legitimate, he has the software already, if it is not, posting the URL, username, and password on the net won't do any good.

I don't download customer's credit card, I don't want the card numbers on my computer. Although I'm very careful, I know a good hacker is better than I am so if they aren't on my computer, nobody can get them. I also let them expire on the shopping cart's secure server when no longer needed. So I go to the secure shopping cart control panel, check the "whois" of the ISP and it is indeed in Russia, but to a private name, not a commercial host, and I write the credit card number on a scrap of paper so I can report it. (It's since been shredded).

I figure I should be a good guy again and call the credit card authorization company. They tell me to call my Visa/MC Merchant's Account provider.

I call the Merchant's Account and they are clueless. They say call the issuing bank. I ask for the bank and phone number and they say it is the USAA bank and give me a phone number - which when I call is inoperative. I think it's been re-routed as the grammar in the phone message was poor.

Meanwhile I assume they went back to my website, with a new credit card, new address, and g-mail e-mail and ordered and downloaded the disks they didn't get the first time. Quickly I went to the control panel, noticed they have been downloaded already so I cancelled the username and password.

No time to call the banks with the new number, it's time to get ready to go to the gig. When I got home from the gig, I checked, no more action, they got what they wanted.

Yesterday (Wednesday) I get a call from my Merchant's Account letting me know that there is a fraud alert on that credit card. The money will be taken out of my account - it was nice having it there for a few days, but I knew better than to count on keeping it.

The thief or thieves are obviously pros. Doing this on a Saturday morning, opening a new phone number for the customer so I can't call him, and doing something so that I can't call the issuing bank.

So I ask? Why go through all that trouble to steal my disks? They are not really a great resale item. After all musicians are a niche of the general public ... musicians who use computers are a niche of musicians ... musicians who use auto-accompaniment software (including arranger keyboards) are a niche of musicians who use computers ... musicians who use Band-in-a-Box are a niche of musicians who use auto-accompaniment software ... and musicians who buy Norton Music style and fake disks are a niche of people who use Band-in-a-Box. So they aren't going to get rich by stealing my stuff and re-selling it. I'm not getting rich by selling it.

Wouldn't they be able to make more money downloading things that sell to the general public? The risk/benefit ratio of reselling something that is a niche of a niche of a niche of a niche of a niche must not be very good and probably not worth the effort of all that hacking, phone account manipulation and bank phone blocking on a Saturday morning. So they must have wanted my style disks and fake disks very badly for their own personal use.

I've learned long ago that it isn't worth it to lose sleep over people stealing my styles. I don't like software piracy, I don't like it if someone gives a copy to a band-mate or friend without purchasing another one, but I know that I can't stop that.

So I guess I should be flattered that someone went to all that trouble just to steal my styles.

Notes
----♫----
Bob "Notes" Norton Norton Music http://www.nortonmusic.com
Band-in-a-Box 100% MIDI-Super-User-Styles with live entered parts by pro studio/gigging musicians for that live musician feel -- for those of you who can hear the difference.

Nothing new. They were testing the cards and the limits. There will be other transactions.

This has happened to my cards twice. Both times they were swiped at stores, big chain stores, but some one put a device on them, he worked on the cleaning crew. Then he took them off, and the fun began.

At first I got 500 bucks in my account. I checked and it seemed so wrong, they used an account I use once a month, and it gets ONE pension cheque from the Feds. No other deposits. The cash goes out the next day on groceries, and what's left applied to cards.

Then I notify the bank, the next day they withdraw the 500 bucks. They told me that the deposit was to test my account, and then the same people would clean it out. Nipped in the bud so to speak.

In the end, don't spend cash that you don't really have, because they are going to take it back. Just as you said. Fishing for bigger accounts, when they take back the 500, later they go for more.

I changed accounts after that. But the fraud was happening at 3 chain grocery stores and 2 big pharmacies in town where this guy worked. He quit after taking the devices out, and left for parts unknown.

I'm wondering if they were just doing purchases to try and hack into a database to get other folks' credit card and financial info.

There have been 3 times when someone tried to commit fraud using my credit card. Each time it was caught by the bank security people. Yes, they put a hold on my account and if you are out shopping that can be a hassle. However, they notified me via email and phone right away. They issued a new card which was sent to me overnight. I thanked them for their vigilance. So they thanked me since others were really angry that their cards got frozen. Go figure.

I hope that's the end of this problem for you, Bob.

Stan

I feel most sorry for the person who had their card info stolen. Who knows what else they bought with their card. I'm out money that I really never had, the thieves have software that isn't going to do them much good, but the poor person with Identity Theft is in for a frustrating ride. That's why I tried to help.

I'm sure the cardholder won't be liable for the charges, but he is going to have new cards issued, police reports filed, and lots of additional forms to file. Plus he will worry about his other accounts if he has them.

Whenever I do something irregular with my credit card, the fraud department calls me. So I know if I am going to travel out of town, I should call the issuing bank first and let them know when and where I am going. I call them when I'm back too, so they know when to not authorize any more 'foreign' transactions.

I also use one card for Internet transactions and nothing else. It makes it easy to keep tabs on. I treat it as a cash card, paying the balance every month, so I don't have to pay interest on the card. The bank knows my usual purchases and the types of things I buy. So if something is out of line, again, they call me.

I also don't do debit cards. I don't keep much in the bank, but if they steal your debit card info, they can clean out your account and you are out the money. Credit cards are safer, as most have zero liability. If you use them as if they were a cash card, and pay them off every month, you won't have to pay any interest, just the annual fee (if any).

Since my products are a niche of a niche of a niche of a niche of a niche products, the thieves have left me alone until now. I'll keep tabs on it.

I hope the guy in Texas isn't too bruised by the affair.

Notes
----♫----
Bob "Notes" Norton Norton Music http://www.nortonmusic.com
Your one-stop shop for the best BiaB aftermarket products in the world ... from acclaimed musicians like Bob "Notes" Norton, David Bailey, Roy Hawksford, Sherry Mayrent and Jim Wedd - Enjoyed by musicians in over 100 different countries on this planet!

Excellent advice about the debit card. I use mine ONLY at a branch of my bank--nowhere else, and certainly never online.

I use Paypal, but the purchases are billed to one of my credit cards for safety.

I'm not trying to blame anyone about this, but shortly after I bought a BIAB update over the phone a few years ago, an $11,000.00 charge was made to my Amex business card for a Canadian football [soccer] camp. 11k bucks is WAY outside my usual buying habits, so the card folks called me and let me know to confirm, which I did not. They began an investigation and issued me a new card. I find that using a safe online service is safer than talking to a person. And, as I said, I always use a credit card.

It's amazing and very sad to see how many online crooks there are out there.

Eternal vigilance is required.

Notes, on a lighter 'note': If you hadn't already sold to someone in Russia, you add another country to your tag-line of your posts!

Notes -- Be on the lookout for someone posting your software for sale or for free somewhere on the 'net...


--Mac

Or maybe you just have Odessa Russia confused with Odessa Texas..... возможно?

Notes might get to play Whack-a-Mole. It's fun, for about ten seconds.

Yes, on-line sales the sale goes through an authorization company. They verify if the card number, expiration date, security code, address, and zip code match the issuing card. They also check to see if the card has been flagged (fraud, lost, etc.). If it's been flagged, they won't authorize. But if it hasn't been flagged yet, they are not responsible. It's play by our rules or you don't get instant authorization on-line. They charge a small fee for this service, which I suspect I will lose.

But the thieves work fast and charge as much as they can before anyone notices and flags the account.

After authorization the computer sends a signal back to my shopping cart, and the cart software redirects the customer to the page where he/she can download the software and assigns a username and a password from the group I provide (and frequently change).

Meanwhile it goes to my Visa/MC merchant's account provider. They do nothing but charge another percentage and then deposit it into my account. Since the percentage goes by monthly sales, I suppose this will even out.

They are not responsible either. Again, if you want a Visa/MC merchant's account, you will have to play by their rules.

And the bank isn't responsible either. But after so many deposits per month, they start charging me to put money in the bank.

After the charges, the shopping cart rental, the magazine ads, the hiked up insurance because I'm running a business from my home, the county taxing my computers, musical instruments, business furniture, and everything else I use to make a living with, it's a wonder I make any money at this at all. And the money I do make, I pay 15% unemployment tax on and then my income taxes on top of that (I'm definitely in the 99% <grin>). I call all these leeches, my silent partners.

And the bank I use made billions of dollars in profits, but thanks to the generous tax cuts provided to them they haven't paid any federal tax in years, not one cent, not one penny. They are obviously in the 1%

As Mayer Amschel Rothschild once said, "Give me control of a nation's money and I care not who makes the laws." No matter who gets elected, the banks are running the show. They even financed both sides of most wars. The victor pays all the interest.

Fortunately I didn't purchase any products for resale and spend money on shipping. If I had purchased music books at wholesale and paid to ship them I would have lost out-of-pocket money on the deal. Instead, if the software is shared or sold to other people who would have bought it from me, I'm only out future revenue, which isn't good, but not as bad.

Notes

I got a surprise call once from my bank's fraud unit to ask me if a had done a 2 cent charge. Some crooks try that approach thinking that if the amount is very small, no will will check. However, at my bank that's a red flag.

Bob thats a good idea to let your bank know when you travel. The last time I called, this past May, they aske for my complete itinerary. Its also good not to use your debit card on line or over the phone. I only use mine at atm machines.

I shredded my debit card. Never used it.

I have a credit card that I use as if it were a debit card - I pay off the balance every month. I use it for everything I can that I would ordinarily pay cash for, groceries, gas, and so on.

I get frequent flyer miles on the card. When you get enough miles, you get almost free flights, all you have to pay is the airport tax (and extra luggage or whatever).

I flew to Alaska for $14, England for $32 and Hungary for less than $60.

The trick is to never carry a balance, as the interest rate on those affinity cards is very high.

I've also read stories about thieves putting card readers in ATM machines and pinhole cameras to record your PIN number. Truth or urban legend? I don't know and never pursued it since I don't do debit cards, and if they get my credit card info, I'm not liable.

I have had any more multi-thousand dollar orders from Russia or anywhere else. Just the normal small to moderate sales. Too bad the big one got away

With all this ID theft going around, I chose my shopping cart because they have the best security record in the business, and they allow me to delete my customer's credit card numbers from their server when I feel there is no longer a chance for a problem. Since I hired the Internet Authorization company, there is no need for me to see the customer's credit card number, unless there is a problem, so I don't download them. That way if one of my customers has the problem, I know it didn't come from me. If all Internet merchants did the same, it might help a little.

But then, the crooks will only figure out another way to do it.

Notes

Those are good tips. Some online vendors want you to set up an account so they can keep all of your date on file. If I buy something and encounter that requirement at checkout, I just close the window. I do have probably 3 accounts at some select places that I trust and have been dealing with for many years but I refuse to open any more.

Stan

Also cut down on the spam by never supplying a correct address or phone if you MUST fill something out for a download.

Give them jim@jim.com and 234-567-8901 as the phone. Let jim@jim.com get the spam....