Skip to main content

The ridiculously simple con that allowed a fraudster to take Apple for $309k

fraud

You wouldn’t think it would be easy to use a debit card on a closed account to scam an Apple Store out of around $7200’s worth of kit, but that’s what a 24-year-old fraudster is alleged to have done not just once but a total of 42 times – netting a total haul worth $309,768.

The Tampa Bay Times reports that the East Tampa resident Sharron Parrish used an absurdly simple method to persuade Apple Store staff to override payment terminals after his transactions were declined … 

When a card transaction is declined by a bank, sales clerks have the option of phoning the bank to see whether they will authorize the transaction. If the bank agrees, they issue the clerk with an override code they can tap into the terminal to allow the transaction to go through.

The problem is: the system doesn’t check this code – only the number of digits. This crazily lax-sounding security shouldn’t normally matter, as the clerk should only ever override a declined transaction after speaking with the bank on the phone. But what Parrish did was to pretend to call his bank, then tell the clerk they’d okayed it and asked them to tap in the code – which Parrish simply made up.

Some Apple Store staff refused to do it, and Parrish left other stores without any goods when staff grew suspicious, but on 42 occasions the clerks did as asked and forced the transaction through.

A Secret Service criminal complaint charges Parrish with wire fraud, alleging that he tricked Apple clerks in 16 states into accepting meaningless override codes. He is accused of hitting the Brandon store twice, along with stores in Orlando, Wellington and Boca Raton […]

The Tampa charge was filed by Secret Service Special Agent Bryan Halliwell, with assistance from investigators for Apple and Chase Bank. John Joyce, special agent in charge of the Secret Service in Tampa, said the solution is for merchants to not permit hand-keyed overrides.

Unfortunately for Apple, because they broke bank rules by forcing through the transaction without speaking to the bank, the company will have to bear the losses.

Apple declined to comment, but we would expect that store staff have been reminded of the correct procedure for following-up on declined transactions. Parrish has been held in custody

(via ComputerWorld)

FTC: We use income earning auto affiliate links. More.

You’re reading 9to5Mac — experts who break news about Apple and its surrounding ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow 9to5Mac on Twitter, Facebook, and LinkedIn to stay in the loop. Don’t know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel

Comments

  1. jrox16 - 10 years ago

    What a stupid system that doesn’t actually check the code, just the number of digits, which apparently are often very easy to guess and consistent if he managed this trick so many times. The banks were just asking for this to happen someday.

    • Ben Lovejoy - 10 years ago

      It is indeed the same number of digits every time – I didn’t include the info on how many as I don’t want to encourage similar frauds.

    • Jon Exner - 10 years ago

      How is this the problem of the bank? So any retailer can be retarded and it’s simply the bank’s fault?

      • Derek Wildstar - 10 years ago

        Because the bank owns the system that allows the approval using any approval code, instead of the system checking for a real authorization code. The retailer want’s the customer to have a smooth transaction, they are there to sell stuff, not to make sure the back-end baking system is correctly accepting random authorization codes. However, the retailer should have made the call, and not trusted the customer for the code — but it goes hand in hand with the root cause which is the back end system will allow any random authorization code to override the denial.

  2. b9bot - 10 years ago

    He still got caught so that’s the end of that. It seems the banks need to beef up that over ride code so it actually means something. If you can just make up a bunch of random numbers and have it approved there’s still something wrong here.

  3. Wyn Naylor - 10 years ago

    How do you allow a customer to call a bank. The clerks are supposed to call the bank. i have been declined at stores for my checks of a trust account and they call the check clearing agency or the bank themselves to get the okay. All those Apple employees should be fired and they should be responsible for the money. STUPID IS AS STUPID DOES.

    • Tim Jr. - 10 years ago

      Most are just kids, part time jobs, trying to put it on them wouldn’t do anything as they likely couldn’t pay for it…. lol That would be a massive waste of time.

      Honestly, I’m surprised it wasn’t Apple policy to require a supervisor to override a charge. THAT is a hole.. A super usually isn’t intimidated like some kid just trying to get through collage and would limit point of failure. Ahh well, soon it will all be digital and malware will own us all! MUHAHAHAHA!

      • dcj001 - 10 years ago

        ” I’m surprised it wasn’t Apple policy to require a supervisor to override a charge. THAT is a hole.”

        There is no hole. Apple’s policy is to not contact the bank when a card is declined. Employees are supposed to ask for another form of payment.

      • dcj001 - 10 years ago

        ” I’m surprised it wasn’t Apple policy to require a supervisor to override a charge. THAT is a hole.”

        There is no hole. Apple’s policy is to not contact the bank when a card is declined. Employees are supposed to ask for another form of payment.

        The hole is that some Apple employees used poor judgment when they took the scammer’s word for calling the bank and getting an actual override code.

    • Dimitri Kyriakis - 10 years ago

      Yea with what reason tho? You can’t blame a employee meanwhile the company as a whole did not try to prevent this from the start. The employees might just be warned / fired but nothing else. You can not put the blame on them only.

    • macboyproretina - 10 years ago

      Apparently not every Apple Store employee is a genius….

    • Some Dude in NC - 10 years ago

      I suspect that like many of us, the employees assumed that a bank wouldn’t be so stupid as to allow an override code that was meaningless to affect a transaction, and that the code did something on the backend more important than simply being a note to be referred to later. If it were me, I would have assumed that if the system took the code, the code was good.

  4. herb02135go - 10 years ago

    Thus is too funny.

  5. robertvarga79 - 10 years ago

    Just a true fan of Apple products

  6. rafterman11 - 10 years ago

    I have ultra-paranoid Bank of America and they hold almost every Apple transaction in store (but never online strangely enough, where more fraud occurs). And I do call the bank myself, but not for an override code, but the bank clears it on their end, then the Apple store just reruns the transaction. I never heard of this override code stuff in an Apple store.

    • Jon Exner - 10 years ago

      I have been in banking for 14 years and there is no such thing as an “override code”. The card can be limited to a $ amount but as in your case it takes you calling your bank, asking that the transaction be processed, and then the retailer processing it again through their normal channels. If the retailer is taking the gamble and overriding it on their end, they are taking the risk that the bank will pay which it seems Chase didn’t and shouldn’t do.

      • Derek Wildstar - 10 years ago

        If you truly have been banking for 14 years, and if you processed cards through the old fashioned terminals, then you know when the system rejects the card, you call for an authorization number, you fill that number in on the slip (yes the old fashioned slide the carbon paper over the card), then it processes at the bank. This system is still in place today, believe it or not, and used for when the terminal cannot reach the bank for direct digital approval, you call up (usually automated) the merchant services to get an approval code so the transaction is approved via a backup method.

      • Derek Wildstar - 10 years ago

        An example of the voice authorization process

        AUTHORIZATION
        The first step in processing a Transaction is to request Authorization from the Issuer to accept a Card for payment. Merchant must obtain an Authorization Code before completing any Transaction. An Authorization request is made via one of the following two methods:
         Electronic Authorization: The Merchant swipes a Card through or manually enters a Card number into a POS Device. Then, the POS Device sends the Transaction information electronically to the Issuer for Authorization.
         Voice Authorization: The Merchant calls the Voice Authorization Center, which then communicates the Transaction information electronically to the Issuer. An operator or an interactive voice response (IVR) unit provides the Merchant with the Authorization Code given by the Issuer. Voice Authorization toll-free telephone numbers are located on a sticker on your POS Device. If there is not a Voice Authorization sticker on your POS Device, contact Merchant Services.
        Most Authorizations are requested electronically. Voice Authorization is usually used if a Merchant does not have a working POS Device or if the Issuer requests additional information during Electronic Authorization.
        An Authorization request is required for every Transaction to determine if:
         The Card number is valid;
         The Card has been reported lost or stolen; and/or
         Sufficient credit or funds are available.
        Receipt of an Approval Code in response to an Authorization request does not:
         Guarantee that the Merchant will receive final payment for a Transaction;
         Guarantee that the Cardholder will not dispute the Transaction later (all Card Transactions are subject to Chargebacks even when an Approval Code has been obtained);
         Protect you from Chargebacks for unauthorized Transactions or disputes regarding the quality of goods or services; or
         Waive any provision of the Agreement or otherwise validate a fraudulent Transaction or a Transaction involving the use of an expired Card.
        Processing Transactions
        6
        Merchant Operating Guide MOG201402
        Merchant will follow any instructions received during Authorization. Upon receipt of an Authorization Code, Merchant may consummate only the Transaction authorized and must note the Authorization Code on the Transaction Receipt. In any case in which a Transaction is completed without imprinting the Card, the Merchant, whether or not an Authorization Code is obtained, shall be deemed to warrant the true identity of the Customer as the Cardholder.

      • Ben Lovejoy - 10 years ago

        I think what went on here is that the terminals also allow a retailer to override the fact that the card wasn’t authorised, and put through the transaction anyway. I suspect the code is actually for the retailer to record for their own records why they did it, so any code works.

  7. scumbolt2014 - 10 years ago

    Wonder if the Florida penile system has wifi this loser can use Oh, he can’t take his computers with him and he’ll be too busy getting asz raped.

Author

Avatar for Ben Lovejoy Ben Lovejoy

Ben Lovejoy is a British technology writer and EU Editor for 9to5Mac. He’s known for his op-eds and diary pieces, exploring his experience of Apple products over time, for a more rounded review. He also writes fiction, with two technothriller novels, a couple of SF shorts and a rom-com!


Ben Lovejoy's favorite gear