Sharron Laverne Parrish Jr. Charged With Apple Credit Card Scam

Business Insider reports Sharron Laverne Parrish Jr. Charged With Apple Credit Card Scam

Here’s how it works: Parrish allegedly visited Apple Stores and tried to buy products with four different debit cards, which were all closed by his respective financial institutions. When his debit card was inevitably declined by the Apple Store, he would protest and offer to call his bank — except, he wasn’t really calling his bank. 

So, the complaint says, he would offer the Apple Store employees a fake authorization code with a certain number of digits, which is normally provided by credit card issuers to create a record of the credit or debit override. (Business Insider, like the Tampa Bay Times, refuses to publish the number of digits ‘so as not to inspire anyone.’)

But that’s the problem with this system: as long as the number of digits is correct, the override code itself doesn’t matter.

‘It does not actually matter what code the merchant types into the terminal,’ the U.S. Attorney’s Office in New Jersey said publicly after a similar case occurred there in February. ‘Any combination of digits will override the denial.’"

It boggles my mind that some bank set up a system where the override code itself is ignored and just the number of digits is what matters.

The US Attorney's Office - District of New Jersey writes:

Ordinarily, when a merchant swipes a credit or debit card, a computerized check is performed to determine whether the account associated with the card is valid. If the account is open and funds are available, the transaction goes through; if the account is closed or funds are unavailable, the transaction is denied. If the transaction is denied, a merchant has two choices: ask the customer for another card, or perform a “forced sale” using the declined card. During a typical forced sale, the merchant calls the card issuer (i.e., the customer’s bank or credit card company) and receives an authorization code. The merchant types the code into the credit card terminal and “forces” the transaction, essentially overriding the denial and allowing the sale to go through. At some later date, the merchant and the card issuer settle the outstanding charge.

But for technical reasons relating to the forced sale process, it does not actually matter what code the merchant types into the terminal. Any combination of digits will override the denial. So long as the customer provides a fake authorization code and convinces the merchant to enter it into the terminal, the transaction will go through. The merchant is unlikely to discover the fraud until days or weeks later.

How is that possible?