Dubious donations: Theory and practice

We’re trying to make this easy for any serious journalist who wants to dig into this story. Yesterday we posted the story of Bill G., a victim of the kind of credit card fraud that the Obama campaign facilitated in 2008, and is inviting again this year, by rejecting basic verification devices. Today reader Ashley Tate writes from Alpharetta, Georgia to explain:

In December 2009 our Mastercard was illegally charged for a $5 donation to barackobama.com. We complained and the issuer (Capital One) cancelled our cards and issued new ones. They also informed us that a similar charge had been attempted and rejected as fraudulent about 6 months earlier. But they never even bothered inform us of the earlier, rejected charge!

We also know personally at least one other couple who were similarly defrauded. In neither case were the “stolen” credit card numbers used for any other fraudulent purpose. This seems to leave two possible explanations: Either someone has stolen a large number of credit cards solely for the purpose of generating campaign donations for Obama OR the credit card validation on barackobama.com is so incredibly lax (and his payment processor so incredibly forgiving) that someone has been able to generate a large list of potentially valid credit card numbers and slowly, sequentially run them through the barackobama.com site over a long period of time.

I am a software architect who has integrated several web sites with credit card payment systems so I’m familiar with the technology involved here. I am nearly certain that some payment processors will accept credit card numbers for billing with just a single validation step: the card number must pass the Luhn checksum algorithm, which verifies that the number could be a valid credit number. I am 100 percent certain that billing with just two validation steps (Luhn and expiration date) is possible, meaning that it might also be possible to attempt processing the generated list of card numbers against a list of likely expiration dates (say, each month of the year two years in the future). For a fairly intelligent person with understanding of the Luhn validation scheme and some basic programming skills, it would be a trivial task to generate a speculative list of card numbers and submit them automatically using a computer script to barackobama.com.

Finally, it’s important to understand that neither of these scenarios could happen over a such a long period of time without complicity on the part of the Obama campaign, the payment processor(s) used by the barackobama.com campaign site, and the card-issuing banks that deal with the end consumers.

There seems to be a story here somewhere for an enterprising reporter willing to pursue it.

Responses