One of the world’s premier tech companies apparently fell victim to a low-tech ploy: a numerical bluff.
Sharron Laverne Parrish Jr. allegedly went around to Apple stores in 16 states racking up big purchases and then attempting to “pay” for the goods with a debit card that was linked to a cancelled bank account, the Tampa Bay Times reported.
When the card was invariably declined, the 24-year-old Florida man would pretend to call his bank, police said, and then provide the cashier with an “authorization code” to make the purchase go through.
His technique, known as “force posting,” relied on some amazingly lax security: He could provide any string of numbers, and as long as the fake code contained the right number of digits, the sale would be forced through.
Parrish allegedly did this 42 times since late 2012, stealing $309,768.
“For technical reasons relating to the forced sale process, it does not actually matter what code the merchant types into the terminal,” the U.S. Attorney’s Office in New Jersey stated following another “forced sale” scam earlier this year. “Any combination of digits will override the denial. So long as the customer provides a fake authorization code and convinces the merchant to enter it into the terminal, the transaction will go through.”
TheBlaze, like Business Insider and the Tampa Bay Times, is not reporting the magic number of digits to avoid inspiring future fraud.
By the time Apple found out that the codes were fake, the sale was long over, and Apple, not the bank, was left holding the bag.
“Because Apple employees overrode the initial declination against the instructions of Chase Bank [the bank to which Parrish’s defunct cards were linked], Apple, not the financial institution, suffered the loss as a result of this fraudulent transaction,” wrote Secret Service Agent Bryan Halliwell in the criminal complaint against Parrish.
The complaint, which accuses Parrish of wire fraud, also accuses him of defrauding rental car services and hotels using the “forced sale” technique.
An expert said that the incident should serve as a cautionary tale to retailers.
“[Parrish] knew that no matter what that code was, the merchant would just have to punch it in and it would get approved,” RJ Toledo, a former FBI agent who now runs a private fraud-fighting company, told WFTS-TV. “Merchants have to face up to the fact that they sometimes need to deny the transaction and lose the sale in order to avoid being defrauded down the line.”
This story has been updated.
Follow Zach Noble (@thezachnoble) on Twitter