Apple Retail Out Almost $310K in Scam, Suspect Arrested in Florida

| News

Apple lost US$309,768 in merchandise out of its retail stores in 16 states thanks to Sharron Laverne Parrish Jr. and a debit card scam. Authorities have arrested Mr. Parrish, and thanks to his clever social engineering, Apple will likely be left holding the bill.

Apple retail stores lost over $309K in debit card scamApple retail stores lost over $309K in debit card scam

Mr. Parrish tricked Apple employees into letting him walk out of the store without paying by using a forced code scam, according to The Tampa Bay Times.

The scam works by presenting a debit card for payment that's declined. The suspect then insists there's a mistake and acts like they're calling their bank to get an override code to authorize the transaction. The suspect gives the retailer a fake authorization code that lets the transaction complete, and they head out the door without really paying.

There isn't a verification process for the authorization code, so the suspect can make one up without worrying about being denied, but that's only part of making the scam work. It also relies on retailers letting customers make the bank call instead of handling it themselves, and store employees trusting the suspect.

The U.S. Attorney's Office in New Jersey said,

It does not actually matter what code the merchant types into the terminal. Any combination of digits will override the denial. 

In this case, that's exactly what happened and Mr. Parrish was able to make off with thousands of dollars worth of merchandise from Apple stores. Since there weren't any banks involved with the scam, Apple won't be able to recover its losses unless the stolen merchandise is returned.

Mr. Parrish was arrested by Federal agents and has been charged with wire fraud.

Sign Up for the Newsletter

Join the TMO Express Daily Newsletter to get the latest Mac headlines in your e-mail every weekday.

Comments

geoduck

It does not actually matter what code the merchant types into the terminal. Any combination of digits will override the denial.

That seems like a fairly obvious, and gaping, security hole. That should have been fixed way before now. Who calls the bank isn’t the problem, though letting the customer do it is asking form trouble. The codes should be generated from a secure algorithm.

gnasher729

Just repeating what has been explained on other sites: If the customer’s card is declined, and the customer claims there must be a mistake, the merchant MUST NOT call the credit card company, the merchant MUST call their own credit card processor, and the phone number of the credit card processor would be usually written on a piece of paper attached to the cash register. The credit card processor will call the credit card company and either allow the sale or not. Done that way, it’s absolutely safe. And quite obviously the merchant MUST NOT let the customer PRETEND to call the credit card company which is what happened here.

The authorisation code is nothing that could be verified at all. The only use of the authorisation code is for the very, very rare case that the credit card processor would authorise the card payment, and later refused to acknowledge this. Which would be either due to a blatant error on the side of the credit card processor, or a blatant error (like giving the wrong credit card number) on the side of the merchant.

gnasher729

Just read in the article: “Apple will most likely change its policies to require employees to call banks on declined cards”. No, not call the banks. Call their payment processor. So there is only ONE phone number to call, and the payment processor is the one responsible for getting money from _any_ bank to the merchant.

nikster

I can see this is a bit problematic. For example, the only reason I was able to buy a MacBook Pro 17 when they first came out is that I was able to call my bank, and they let the transaction go through.

The limit on my debit card was much less than the $3,000 I paid for the computer, although of course my account had enough in it.

Then again - I did not get a authentication code; the bank just let the transaction through while I was live on the phone with them and the store processed the card normally.

Log-in to comment