Walmart Protects Cyberthief Privacy While Choosing To Not Prosecute

Written by Mark Rasch
March 21st, 2013

Attorney Mark D. Rasch is the former head of the U.S. Justice Department’s computer crime unit and today serves as Director of Cybersecurity and Privacy Consulting at CSC in Virginia.

“All that is necessary for evil to triumph is for good men to do nothing.” So said Sir Edmund Burke. But the phrase could equally apply to merchants, and their failure to adequately and aggressively investigate and prosecute online credit-card fraud. Rather than aggressively going after these carders, most retailers consider such losses a “cost of doing business.” What’s worse, company policies actually help to protect thieves and keep information from both investigators and customers alike.

Recently, my wife learned that her credit-card number had been hacked. The attackers first attempted to charge $1 to (NASDAQ:AMZN), a clear attempt to establish that the card was valid. Of course, what should have happened was that the card should have been immediately shut down by the card brand’s heuristic algorithm. But it wasn’t. The carders next charged a series of $20 transactions to This was undoubtedly charging giftcards, because they can be electronically delivered and filled. Another glaring red flag undetected.

Indeed, in a very short time, the carders purchased more than $700 in small denomination giftcard purchases. When one of these giftcards was accidentally mailed to my house, we realized that the fraud had occurred. We called the card brand, cancelled the card and reported the fraud. What happened next was when things got even more interesting.

We were told that we couldn’t get any additional information about the fraudulent use of the card. Then I called Walmart. I told the company about the fraud, and it indicated that I wasn’t legally responsible for the charges. Well, no duh. I then asked Walmart for information—not a lot—about the fraudulent charges: When were the charges made; how much were the charges for; where were the items shipped (if at all); and, if Walmart could tell me, what IP addresses were used for the purchases and, if not, at least provide that information to the Secret Service in Arkansas.

That’s when I was in for a shock. The merchant told me it couldn’t provide me—the cardholder—with information about the use of my own card. This was to protect the privacy of whomever stole the card. Walmart indicated that its policy is to prevent “retribution” against the hackers and that it was merely protecting their identity.

I asked Walmart if it had, or would, report this “crime” to the police, but the company didn’t seem to be in any hurry to do so. So, I can call the police, FBI, Secret Service or even Joe Simpson, the Chief of the Bentonville, Ark., Police Department. But if I did so, I wouldn’t have any of the information those agencies would need to investigate. Walmart told me that it would have provided me the information if I hadn’t reported the card as being misused. But, after all, the company needs to protect the privacy of criminals.

Because when did it become the job of the merchant to protect those ripping off its customers? As I’ve written recently, consumers have a right under FTC guidelines to know what information a merchant has collected about them.

In this case, the information was about how the thieves used the website. Walmart refused to provide this information. It refused to cancel the giftcards, track their use or conduct any further investigation. What’s worse, Walmart refused to involve me—the victim—in the investigation.

Carders and hackers know their crimes may come in under the radar—that the cost of investigation makes it economically unfeasible to pursue these cases. Knowing this, they will continue their cyberthieving, with Walmart protecting their privacy while not prosecuting. Hence, evil triumphs, shopper loses.

If you disagree with me, I’ll see you in court, buddy. If you agree with me, however, I would love to hear from you.

