This site was actively maintained in late 1998 and early 1999, but it has not been updated since. Some of the sites I link to have disappeared or, worse, been acquired by crooks. Some of my descriptions on how credit card transactions work and are verified were wrong even in 1999, and the industry has changed since then. Despite those caveats, I do receive periodic notes of appreciation so the site apparently has some ongoing value. I'll keep it around for now, but I can't take the time to fix it up. It's an archival site. Let me know of links that now point to crooks and I'll try to remove them, but otherwise it is what it is.
These scams continue, at least through 2007. The exact same frauds, but with larger amounts of money. Some of the same names associated with the 1998 NetFill scandal were involved in a 2002 scam documented by a now defunct web site (domain since acquired by scammers).
Eventually the public will figure out that only Visa/MasterCard can fix the problem -- but that will take a while. We may have to wait for campaign finance reform before we'll see any serious governmental action. The basic problem underlying this particular scam was that it was cheaper for banks to deal with angry customers, or suffer losses from fraud, than to pay the costs of robust authentication. That hasn't changed; Bruce Schneier routinely documents variations of this problem. On the other hand the banks have improved some aspects of their operations, and crooks have found even more profitable scams -- such as using botnets and spam to manipulate penny stock prices. The public, I think, will gradually grow to tolerate small frauds -- certainly there's been no significant pressure on politicians. We muddle through rather than reform, which is the way of things.
BTW, I often hear from vendors telling me how they also are victimized by failure of Visa/MasterCard and their franchisees to fix their security problem. Although this site is oriented to customer-victims, the problem is no less severe (or even greater) for vendor-victims. The main thing I can tell them is to support use of American Express.
If you'd like to know what's been happening since 2002, I'd recommend browsing CryptoGram, the leading security site on the net.
And it goes on and on.
Over forty million dollars. Somewhere around 900,000 victims across 22 countries. The biggest credit card fraud ever. Fraudulent credit card transactions generated using adult web site merchant accounts.
A fascinating story, but not as new as one would think. Since this web site was first created in December of 1998, when I learned I'd had 6 months worth of fraudulent transactions on a business Visa card, I've learned that this type of fraud has been going on for years. Criminal merchant account holders collude with shady banks and transaction processors -- it's an old story that predates the Internet.
What's new is the ability to run this scam across the entire world, and to attack hundreds of thousands of victims in a very short period of time. The Internet has given an old scam new legs. It has exposed the smoldering weaknesses in our credit card processing system.
This site is dedicated to chronicling this fraud, and to focusing attention on important weaknesses in our banking, credit card, and e-commerce systems. Although I focus on the particular scam I was victimized by, the information here will be of interest to anyone who has been victimized by similar frauds or who wants to see e-commerce succeed.
J K Publications (alias Webtel, Netfill, etc) ran a sizeable fraud, somewhere in the range of 40-50 million dollars, distributed across about 900,000 credit cards in small recurrent charges ($20 US). JK Publications' front companies generated about a third of all customer complaints at one major credit card company in late 1998. Their merchant accounts had a 'chargeback' rate 100 times the national average; each time a merchant account was closed by the credit card companies, they opened a new one. In late 1998 they alone accounted for 4% of all Visa chargebacks.
The JK Publications fraud operated under a number of business names. Court filings by the US Federal Trade Commission refer to 3 principals. Prior to the filings, from Dec 4-20, 1998, I and many contributors, working together over the Net, identified front companies involved in this operation. We also identified an individual, Ken Taves (KT), who appeared to be active in all of the front companies, and a few others besides. Since that time KT has been named in a public indictment by the Federal Trade Commission (FTC). His career is described in more detail in two LA Times articles. This fraud has been well covered in the August 1999 issue of Scientific American.
J K Publications was aided in this fraud by the actions of Charter Pacific Bank (San Fernando Valley, California, see InterNic entry and more below). According to an LA Times story reporting on FTC investigations (Jeff Leeds, 9/11/99), CP Bank sold Ken Taves about 900,000 (90%) "of the credit card numbers that he allegedly used to run up $45.7 million in mostly bogus charges against consumers worldwide". CP Bank also held J K Publications' various merchant accounts, and kept them operating even as complaints mounted.
Apparently the bank made millions processing credit card transactions for adult industries. In addition to numbers harvested from the adult entertainment business, they also sold numbers from the two-thirds of the bank's 250 merchant accounts belonging to other merchants, including mail-order firms and retailers.
In addition to persons who'd used their credit cards online (some who'd used them to buy adult materials, most who had not), victims included persons who'd never used their credit card anywhere!
Leeds' article also confirmed one of the main allegations of this page -- that banks and processors often accept transactions that lack key identifiers, such as expiration dates and card holder name. The credit card number alone will suffice for small transactions.
A few sad lessons have been learned during this investigation. The banks who manage the credit cards have treated many of the victims fairly poorly. The processors who manage transactions do not have the technology for even trivial validation of transactions. There are some pretty crooked banks out there. Prosecution for this type of fraud is rare. Visa/MasterCharge, who have the ultimate authority, are not coordinating anti-fraud activities and are not providing the technology for a better transaction system. Existing credit card anti-fraud sanctions move extremely slowly, allowing a company to generate fraudulent transactions for at least a year.
Lastly, the companies allegedly involved in this fraud manage transactions for "adult" (pornographic) web sites. I sympathize with employees who have been accused of using corporate credit cards to purchase pornography (several reports). I am willing to correspond with employers who have any further questions.
I can't answer all the email I receive directly, but I try to answer questions through additions to this page. I do read all the messages.
The Final Judgement
From the FTC web site as of September 7, 2000: http://www.ftc.gov/opa/2000/09/netfill.htm. There are links on that page to additional trial related material. NOTE: A stipulated final judgment and order is for settlement purposes only and does not constitute an admission by the defendant of a law violation. Consent judgments have the force of law when signed by the judge.
The defendants have not admitted guilt and will do no jail time. Also, much of the charges are unlikely to be recovered. If they are indeed guilty of fraud this cannot be considered a triumph of justice.
FTC Wins $37.5 Million Judgment from X-Rated Web Site Operators
Bank Sold Defendants Access to Active MasterCard, Visa Card Numbers; More Than 700,000 Consumers Illegally Billed
The Federal Trade Commission has won a $37.5 million verdict against a California-based adult Web site operation the FTC charged with operating an illegal billing scam. The agency alleged the defendants repeatedly placed charges on consumers' credit and debit cards for X-rated Internet visits they had not made and services they didn't order. Indeed thousands of those billed for visiting the Web sites did not own computers. At trial, the agency told the court that the defendants bought access to lists from a California bank that provided the account numbers for more than 3 million valid Visa and MasterCard credit cards. Rather than use the lists to confirm that potential customers had valid cards, the defendants debited the cards for Web site services the cardholders had never used.
In January 1999, the FTC filed the case against Malibu, California residents Kenneth and Teresa Taves, and Dennis Rappaport and their businesses J.K. Publications, Inc., MJD Service Corp., Herbal Care, Inc., and Discreet Bill, Inc. The complaint charged that the defendants were billing consumers without authorization for alleged visits to adult Web sites. Consumers saw the charges on their bills under the names "Netfill," "N-Bill," "MJD Service Corp," and "Webtel." Based on the preliminary evidence presented by the FTC, a U.S. District Court judge entered an order on January 6, 1999 that temporarily shut down the defendants' business and appointed a receiver, pending trial.
According to the FTC, the defendants had purchased access to a database of credit card numbers provided by Charter Pacific Bank of Agoura Hills, California. This database contained card numbers, dates and amounts of sales, for more than 3 million card holders who purchased goods or services from merchants with accounts at Charter Pacific. The FTC argued that the defendants illegally used the account numbers to place charges on the accounts and that over 90 percent of their $49 million a year in "sales," were actually unauthorized charges. The court agreed, saying, "The Court finds that the FTC has proven by a preponderance of the evidence that 90.8 % of the total 'sales' amount the defendants caused to be deposited into their merchant accounts was unauthorized."
The FTC showed that the defendants used at least five different merchant accounts and four fictitious business names to process over $40 million in credit and debit card transactions. The timing of each new merchant account application coincided with the impending threat of being placed on VISA USA's "active monitoring" list for excessive "chargebacks" -- amounts debited to cards but disputed by the consumers who were charged. By submitting the charges and debits for processing, the defendants represented to the merchant banks that they had obtained authorization from the cardholders for the charges and debits. But thousands of consumers who were charged said they did not incur the charges and, according to U.S. District Court Judge Audrey B. Collins, "A shocking 40% to 50% of the calls received by the defendants were from people who said they did not have a computer and had not given their card numbers to anyone." Judge Collins concluded "[T]he only reasonable inference the Court can draw from the corporate defendants' access to the Charter Pacific Positive Database and the time of the defendants' fraudulent billing practices is that the defendants stole and processed Visa and MasterCard numbers from the database."
The court concluded that the defendants had processed bogus charges totaling more than $43 million. The $37.5 million damages verdict represents the illegal charges minus the amounts that consumers already received through chargebacks and credits.
Two other defendants in this case, Gary Mittman and Adult Banc, Inc., settled FTC charges in June 1999. That settlement bars them from making false representations that customers have agreed to purchase goods; bars billing or receiving money or assisting others to do so without consumer authorization; requires that they obtain express verifiable authorization from consumers before billing them; requires that they maintain adequate staff to respond to consumer complaints or inquiries; and requires that they promptly credit the accounts of consumers who request refunds.
Consumers wishing to make claims can contact the Court-appointed receiver in the following manner: by email at firstname.lastname@example.org or by regular mail at Robb Evans & Associates, Receiver, PO Box 880, Sun Valley, CA 91353 and submit the following information: (1) consumer's name, (2) the credit card number that was wrongfully billed, (3) the amount of the wrongful bill(s), and (4) a currently-valid credit card number through which the consumer can receive a refund.
Consumers without computers can contact the receiver by calling (818) 768-8869. Consumers will hear a recorded message which will instruct them to contact the receiver at the P.O. Box listed above. The Receiver expects a great volume of calls in the first weeks after the judgement, and urges callers who are met with a busy signal to be patient and to try calling again at a different time.
The FTC has identified in excess of $20 million in defendant's assets. It is not clear that the total of $37.5 million ordered by the Judge will be available for consumer redress.
The Initial Action
The agency named Kenneth H. Taves, a/k/a Kenneth Till, Teresa Callei Taves, Gary [Neal] Mittman, all of California, and their companies, J. K. Publications, Inc., MJD Service Corp., and Net Options, Inc., in its complaint. The complaint alleges that the defendants also use the business names Netfill, NBill, Webtel, and Online Billing. Consumers, many of whom were billed repeatedly over successive months, appealed to credit card companies for help, but were told by them that they could not block future charges to the cards. Many consumers canceled their credit card accounts to avoid the charges, the FTC alleged. The FTC has asked the court to permanently bar the illegal billing practices and award redress to consumers.
Consumers who believe they have been deceptively billed by the defendants can call an FTC Hotline at 202-326-3144 for more information.
This is an outline of the general fraud. I'll discuss some interesting variations below. You may wish to refer to the following image as you review the text. Some of this material is speculative; quotes are from authoritative sources. (Thanks to security experts (GM, NJ, WFE, RLB, DB), and my hacker colleagues (WH, SD), for background information.)