The Federal Trade Commission has accused two men of attempting to extract more than $10 million from the bank checking accounts of thousands of individuals for phony discount pharmacy cards that consumers never ordered.

In most cases, customers didn't have any contact with Pharmacycards.com and other companies the two men set up and would have noticed they were being charged only when a debit for $139 showed up on their bank statements, according to an FTC complaint filed this week in federal court in Las Vegas. In all, 90,000 people are believed to have been affected, many of whom still aren't aware of what happened.

"Both in terms of the number of people who were victimized and the amount of money, this was an enormous scam," said Claudia Bourne Farrell, an FTC spokeswoman.

Consumer experts said the alleged scam is noteworthy for weaknesses it exposes in laws and practices set up to protect individuals' private financial information in the Internet age.

FTC officials said yesterday that they believe the scheme started with the companies purchasing bank account information from an unidentified third party. Although it's illegal for a financial institution to sell checking account numbers, the law does not apply to other kinds of companies, according to banking privacy experts.

"This gap typifies American privacy law. We have special statutes for financial and medical institutions, but we don't have a comprehensive law to protect personal information, including checking accounts," said Peter P. Swire, a law professor at Ohio State University who served as privacy counselor in the Clinton administration.

Nearly 70 percent of the attempts to take $139 from individual bank accounts were canceled or returned because of bad account numbers, fraud protection measures at the banks or vigilance on the part of bank customers who noticed the fraud and reported it. The operation was shut down within about three months of its start after customers reported the fraud to their banks or to fraud watchdog groups.

According to the FTC's complaint, David Graham Turner of London and Steve Pearson, who used a British driver's license, used two companies, 3rd Union Card Services Inc. of Delaware and HelmCrest Ltd. of Cyprus, to run the Web site and perpetrate the scheme.

After obtaining the list of names with associated checking account information, the FTC said, Turner and Pearson used the Web site to convince three payment processors that theirs was a legitimate business, claiming that WalMart and Target were participants in the discount card program. They hired a customer call center to hear from complaining consumers. Between them, 3rd Union and HelmCrest had addresses in Vermont, Delaware, Canada, the United Kingdom and Cyprus.

"This was a scheme that was truly international in nature and never involved face-to-face contact. It was all done by Internet, facsimile and phone," said Tracy S. Thorleifson, an FTC lawyer.

FTC officials said they have tried to contact Turner and Pearson but have not received a response. A call to Pharmacycards.com's toll free line yesterday was answered by a customer service representative who said his company no longer has any dealings with 3rd Union or HelmCrest.

Thorleifson said the FTC continues to look into the question of how much the three payment processors knew about the debits they were sending to banks. The processors were InterBill Ltd. of Las Vegas, Universal Processing Inc. of Irvine, Calif., and Payment Resources International of Newport Beach, Calif.

3rd Union and HelmCrest were able to get around the fact that they did not have customers' authorization to debit their accounts because written authorizations are not required for certain types of transactions that are one-time and do not originate through telemarketing, Thorleifson said.

The FTC's complaint states that Turner and Pearson received nearly $1 million before the operation was exposed. More than $2 million has been frozen in reserve accounts, and the FTC hopes to have that money returned to bank customers.

Thorleifson said the agency is investigating who sold the checking account numbers in the first place. "The fact that it's not illegal doesn't make it easy to do," Thorleifson said. Legitimate companies that sell customer information "don't traffic in bank account and credit card numbers," she added.

Nessa Eileen Feddis, an attorney with the American Bankers Association, said anyone selling bank account numbers has got to be "fraudulent" and that no reputable banking institution would do that. "It would be suicidal for a bank to sell names and account numbers," she said.

Edmund Mierzwinski, consumer advocate for the U.S. Public Interest Research Group, said the case demonstrates vulnerabilities in the system.

"It's shocking that anyone is selling checking account numbers, but then again our laws are quite weak," he said. "They're exploiting a loophole. Congress has not been interested in passing strong financial privacy laws. But maybe this will change their minds."

Mierzwinski said the Pharmacycards.com scheme should also remind consumers of the importance of checking their bank statements. "The increasing use of electronic transfers and automatic debit where a consumer authorizes access to their checking accounts means this is the tip of the iceberg," he said.

Melissa Rozecki, a church secretary from Delanco, N.J., checked her statement earlier this year and found that she had a $139 charge from Pharmacycards.com, a company she had never heard of. The unexpected charge caused three checks to bounce, she said.

She found a toll-free number for the company and was told by the customer service representative that information about the discount card program had been sent to her and that because she had not canceled the service within 30 days, she had been charged.

The FTC said Pharmacycards.com often sent such notices, but that they were typically mailed after the customer had already been charged. Rozecki said that in her case, the address where the information was allegedly sent was her mother-in-law's house.

"I have no idea how they got that address or my bank account number," said Rozecki, whose bank refunded the $139 and fees for the bounced checks. "It was scary. I didn't know what charges would show up next."

Staff researcher Madonna Lebling contributed to this report.