By Raul Vargas
Scammers have found a way to exploit a product financing offer at Apple that issues instant credit for online purchases.
Identity Theft 911, a provider of identity theft resolution services, has received nearly two dozen consumer complaints related to unauthorized purchases made through the online Apple Store by way of an offer to provide instant financing through Barclaycard.
The crime is relatively simple to carry out. All the scammers need are a victim’s name, birth date, address, Social Security number, employer and email address, which are the basic types of information commonly exposed in consumer data breaches.
With this information in hand, the perpetrators go to the online Apple Store, select the items they wish to purchase, and choose an option to receive six-, 12- or 18-month special financing, which redirects them to an application for a Barclaycard-branded Visa.
[Credit Check Tool: Monitor your credit score and activity for free with Credit.com]
After filling in the victim’s personal information, they are notified if they qualify for instant credit approval. If the application is accepted, the perpetrator is returned to the Apple Store where the credit card information is automatically populated, and they are allowed to complete the transaction with the option to have the items shipped immediately.
The process raises several questions, the first of which is exactly how Barclaycard determines if an applicant is qualified for instant credit approval online. It is assumed that the information in the application is cross-checked for validity with credit reporting bureaus or some similar source, and that the address provided in the credit request would need to correspond to the supposed applicant, but representatives at Barclaycard declined to comment on the process.
The next question: Exactly how are the criminals able to have the items shipped to the address of their choosing, assuming it’s not the same one provided on the credit card application? Identity Theft 911 fraud investigator Vicki Volkert, who is looking further into the unauthorized purchase complaints, said it is most likely that the perpetrators are able to enter a shipping address that differs from the victim’s real address when they are completing the purchase order on the Apple Store website.
“We know that our victims are being billed for the items at their home address, and that the product is being shipped to an address controlled by the thief,” Volkert explained. “Online shopping outlets let you input a billing address and alternative shipping addresses, so the thieves could possibly have the product sent to an alternate address, or simply choose to pick it up at a bricks-and-mortar Apple Store.”
Representatives at Apple were contacted and asked to provide details of the purchasing process, specifically if customers are allowed to enter a different shipping address than the one provided for billing in the Barclaycard application.
[Featured Products: Research and compare Identity theft protection plans at Credit.com]
An Apple customer service specialist said that if the purchase was for an iPhone in conjunction with an upgrade offered at a discount for a customer under contract with a specific mobile carrier, the product is required to be sent to the billing address on file with the service provider. Aside from that, they said that they did not know if other products would be subject to similar stipulations. The media relations office at Apple’s corporate headquarters declined to comment on the matter.
So far, it appears that the scammers are targeting high-dollar items in the operation, with the average cost of the fraudulent purchases ranging between $3,000 and $5,000. By the time victims become aware of the fraudulent purchases made in their name, it’s already too late.
The Barclaycard FAQ (frequently asked questions) webpage for the Apple product financing option indicates that some applications for credit may be flagged prior to approval, and that the applicant will be required to go through a secondary verification process. The problem is that Barclaycard does not contact the applicant, but instead provides a phone number for the applicant to call.
Depending on the questions the applicant is required to answer, this secondary validation may prevent some scammers from successfully obtaining credit in the victim’s name. But given that Barclaycard does not directly contact the applicant with the information provided on the credit application form, it is still possible for the identity thieves to complete the process and receive approval.
If Barclaycard would implement a secondary validation with a direct call using the contact information provided on the application, it is likely that the potential for abuse of the instant financing offer could be diminished.
Alternatively, if Apple required that the shipping address be the same as the billing address provided in the Barclaycard credit application, and the information is, in fact, being cross-referenced by Barclaycard with a reliable source, the opportunity to commit fraudulent transactions could similarly be lessened.
This article originally appeared on Identity Theft 911 blog.
Image: Patrick McFall, via Flickr