ID theft question

Make sure you have documented your unauthorized charge dispute with the bank, and send it in writing to them within the 60 days of the CC statement showing the charge, as required to preserve your rights under FCBA. Send it, even it it is basically a summary of a phone dispute and their agreement to reverse the charge and issue a new number, and send it CRRR, so you can show the bank got it. They may have reversed it based on a phone call, but they can also put it back, and you don't want anyone claiming you are the one stuck just because you didn't dispute in writing, and send it timely. You want them removing it not just because they are doing the right thing, but also because they are legally required to.

Then file a police report. You should do that as a matter of course anyway. CC theft is also by definition id theft, since they used your identity (your name, card number associated with you) to do it. The police probably will not do much further, if the amount is small, but you want it on record, in case the "merchant" tries to claim you actually made the charge, and sells it as a "bad debt". Get a copy of the police report for your files.

As to how you go after a thief, when you don't even know who they are, and AOL is not cooperating, it depends on how far you want to push the matter. If you are not just depending on whether it is worth it for a DA to prosecute something, when the amount may not be significant, and the perpetrator is unknown, and might ultimately be untracable, then you need to find a reason for a private cause of action, to get someone into court.

The reason you need a private cause of action is that until you do, you don't even have standing to sue anyone. Without that, everyone can just ignore you, as AOL will likely do unless you have a way to have a court order them to respond.

Technically, the police report should give you legal rights to demand that AOL forward account information they may have on the fraudulent transaction, under FACTA.

You could also sue "alias John Doe", for damages from id theft, and perhaps get a judge to authorize you to subpoena AOL's records of the transaction. That is what RIAA does when they sue music pirates, and serve subpoenas on the ISPs to determine the identity of the individuals.

In theory, the thief could oppose this, but he would probably have to hire an attorney to do so. That is the dilema in which the RIAA places individuals they sue, whether those individuals actually committed music piracy or not. They can agree to a settlement, paying damages, or they can pay more in legal defense costs. Of course, even if you get what you want, what is the chance you would collect on any judgement?

What's it worth? How much could you do yourself, and at what point would you need an attorney? If AOL put up any opposition, would it be worth it to continue?

Be aware that AOL has had substantial problems over the years with thieves obtaining AOL account information and using it either to hack AOL users' accounts, or to order thru AOL, since AOL has had on-line ordering tied to the account holder's registered CC number. The accounts were hacked by people calling AOL customer service, perhaps claiming they forgot their passwords, and getting AOL customer service, to disclose or issue a new password. Since logging onto AOL is sufficient to buy thru AOL using the same CC number used for their own account billing, your CC is no safer than the safety of your account access.

This may have been what happened with your fraudulent charges.

Note: I am not an attorney. All I know is what I read in the newspapers.

 

You might make more productive use of your time going after the "merchant". There is no shortage of people willing to steal credit cards, but the first line of defense to the integrity of the system is the merchant. Both VISA and MaserCard have an interest in weeding out merchants who have high rates of fraudulent charges, and they push this responsibility down on the bank or CC processor that the merchant has an account with.

"they wanted to mail me a bill"
On a fraudulent charge, where they verified NOTHING? They practically acted as a fence for stolen credit card numbers! Their willingness to put thru a charge with no name confirms their lack of commitment to prevent fraud, as well as the true value they place on their product.

Normal merchants have an interest in making sure they don't make unauthorized charges. They have the cost of their legitimate merchandise at stake, and they verify that name, CCV, and billing address all match. If something is being shipped, they verify that they are shipping to the billing address, and the credit card system is set up to allow them to perform these verification.

"Merchants" selling this type of "product" have no such concerns, since the marginal cost of their "product" is virtually nil. On an economic basis, they could rationally choose to do no verification of any sort, since they have nothing to lose, since if the card is legitimate, they get paid, and if it is stolen, they only have some chargeback fees to deal with, and that only if the consumer catches the charge within 60 days of its appearance on their statement. The only thing they do have to watch out for is if they do have too many chargebacks, they can end up with higher fees, or have their merchant account with the credit card processor closed.

Be aware that there have also been cases in this line of business where MOST of the charges submitted were fraudulent. In one case, $45 million of fraudulent credit card charges were run thru in about a 3 month period, it took years to bring the parties responsible to justice, and most of the money has never been recovered, as it was shuffled between off-shore sites faster than legal action could pursue it.

The banks lost a lot, and many consumers lost also, particularly where they didn't catch the fraudulent small charges within 60 days of the original statements to preserve their dispute rights under FCBA, if their bank did not refund the fraudulent charges. About 90% of the fraudulently used account numbers (hundreds of thousands) were actually obtained from a bank, and then used to submit small charges. See, for example:
http://www.faughnan.com/ccfraud.html

A second area of questionable legality is if the presentation of a credit card is used by the "merchant" to verify that the customer is over 18, to be compliant with federal law, but the merchant is deliberately NOT verifying the legitimacy of the charge, then they have NOT performed any checks to prevent access to their "product" by minors under 18. Since this may be a violation of Federal law, you may want to bring this to the attention of your local US Attorney.

Does this fit the pattern of "small charge" CC fraud, where the merchant might be a party? What were the dollar amounts of the charges, and how many were there, over what period of time?

 

You want to get a police report on file. You will need it to contain any damage that may result from fraudulent accounts either sent to collection, or put on your credit reports.

Id thieves don't deserve privacy. Merchants who protect or profit from them are themselves no better than thieves if they didn't make reasonable efforts to prevent fraud. They don't deserve privacy, either.

Since FACTA specifically gives id theft victims rights to account information tied to acts of identity theft, you should file complaints with your state AG against any merchant, AOL, or whoever, fails to respond properly.

There are no shortage of potential thieves, and many anonymous ways for them to steal. To effectively limit such thefts, the responsibility must be put on merchants who accept credit cards to protect consumers from such thefts. Since, as in this case, the product has no incremental cost to encourage care, you could notify VISA or MasterCard that this merchant has submitted a fraudulent transaction without even verifying name information. Common practice for Internet transactions is to at least verify exact name and billing address. They may want to examine if this merchant is a source of excessive fraudulent transactions.


You may never know specifically how your card was compromised, since anyone at any place you used it had all they need to steal. At least it is not more specific identification, but just one card number that can be blocked and changed.

 

Did the thief use your:
1) credit card such as MC or VISA
2) debit or check card such as MC or VISA, linked to your bank account
3) actual bank checking account routing and account number

What is AOL Qstore? Is it some type of payment intermediary, similar to PayPal?

 

Well said to both of you. If I may be so bold, I have a few years of experiance in the field of collections and when an account came to my desk the number one thing I looked for when deciding to review for closure was consistency. If I had one document I would consider the file, but if I had a chain of supportive events the choice to close was clear. By supportive events I mean an affidavit of fraud or affidavit of identity theft (notorized), a police report, a FTC ID Theft Report number (https://rn.ftc.gov/pls/dod/widtpubl$.startup?Z_ORG_CODE=PU03), and a initial fraud alert on the credit file.

If you are looking for additional resources to pursue the unwelcome theif, I would suggest reviewing to see if any of the correspondence or goods were delivered by mail...if so, unlike the ineffective police, the USPS Postal Inspector service ALWAYS investigates and ALWAYS prosecutes. Plus there is the added fun for the theif, if caught, of doing Federal Prison time; makes the normal maximum security state prison look like a spa.

Please also keep a close eye on your credit--it is all too easy to call and 'confirm' the account information once you have the card number. The creditors are required to not provide that info but I have never been told no when testing the security of one of my own creditors. Good luck.

 

If you Google "AOL Qstore fraud", you will find many reports of unauthorized Qstore charges. You will also see that it is apparently commonplace to use Qstore as an anonymous way to check out the validity of a stolen credit card. What information did AOL use to verify the legitimacy of the original registration of the CC with them? That is the weakest link.

I would still be inclined to call my state AG's office and discuss this. The practice of using Qstore for CC fraud appears to be widespread. Their role as an intermediary in laundering those fraudulent transactions, so the end "merchant" simply "has no knowledge", and therefore no responsibility, for the fraud, is inexcusable. They may be running afoul of the banking laws that require banks to "know their customers", even if they are not technically a bank.