Thiefhunters in Paradise

In Bangkok, seemingly corrupt police are extorting large sums from foreign visitors. In South Africa, pseudo-cops are stopping drivers and pedestrians, requesting wallets in order to see identification or “search for contraband,” then absconding. In Stockholm, thieves impersonating police lured seniors into give up their PINs at ATMs in the name of “controlling withdrawals.”

This strategy seems to have exploded recently, or at least is being recognized for what it is, or at least making it into the news.

In my book, Travel Advisory: How to Avoid Thefts, Cons, and Street Scams, I categorize thieves as either opportunists or strategists. Fake police are a specific type of strategist. They’re operating in small U.S. towns and cities as well as abroad. And it’s easier than ever to gear up for the job with fake badges and uniforms.

—

THE DUPLICITOUS STRATEGIST

The strategist elite are those who make participants of their victims. Like the Palma claveleras, they’re in your face with a story. Their only goal is to walk away with your wallet. Consummate con artists, they’re the slipperiest, wiliest, and most difficult to detect. Garbed in a counterfeit persona designed to gain your confidence, they lay bait and entrap their prey: usually the unsuspecting traveler.

Pseudo Cops

These strategists concoct ingenious schemes. Who could avoid falling for what happened to Glinda and Greg? They were walking in a foreign park in—well, it could have been anywhere, this is so common—when a gentleman approached them with a camera. He asked if one of them would mind taking his picture, and the three huddled while he showed them how to zoom and where to press. Suddenly two other men arrived and flashed badges. The man with the camera slipped away while the two “officials” demanded to know if the couple had “made any transaction” with him. Had they changed money with him illegally? They would have to search Glinda’s bag; and they did so, without waiting for permission.

“It all happened so fast,” Glinda told me a few days later, “I knew something wasn’t right, but I didn’t have time to think.” The “officials” absconded with Glinda’s wallet, having taken it right under her nose. In variations on this theme, the pseudo cops take only cash saying it must be examined, and they may even offer a receipt. Needless to say, they never return and the receipt is bogus.

On first impression, the pseudo cops’ scam is believable; their trick requires surprise, efficiency and confusion: they don’t allow time for second thoughts. Theirs is a cheap trick, really. They depend on a fake police shield to gain trust; they can’t be bothered to build confidence with an act. Authority is blinding, and that’s enough if they’re fast. It’s a thin swindle, but it works.

Excerpt from Travel Advisory: How to Avoid Thefts, Cons, and Street Scams
Chapter Seven: Scams—By the Devious Strategist

We good citizens are trained from an early age to respect authority. It’s not easy to ask a uniformed policeman for identification, or even a plainclothes officer who flashes a badge. And if we were to request ID, how closely would we scrutinize it? Would we detect a fake? What about identification in a foreign language, Thai for example, or Russian?

What’s the difference, anyway, between a pseudo cop—an impostor—and a legitimate but corrupt official? Both rely on their perceived authority, both act fast (before they’re found out, by the victim or others), both do the shake-down dance in one form or another. We, the good citizens, never see it coming. “It all happened so fast,” one victim told me, “I knew something wasn’t right, but I didn’t have time to think.” We’re more than victims of crime here. We’re victims of our upbringing, we who are taught to follow rules and obey laws.

Bob and I were accosted by pseudo-cops in Russia. I can tell you, it’s frightening, especially when the scene expands to include additional players. Sydney’s had them, and so has Barcelona. Stockholm’s in the news now with pseudo cops stationed at ATMs frequented by seniors, collecting PIN codes under the guise of “regulation.”

BBC News reports a horrific scam that takes place in the Bangkok airport. A number of travelers browsing the duty-free shops have been accused of shoplifting, put in jail holding cells, and forced into negotiations that amount to police extortion in exchange for their release. They’re being tricked into relying on the advice of a man who seems to be a police accomplice.

One of the victims in this report, Stephen Ingram, was taken by airport security to a police office, put in a cell overnight, then given an interpreter. The interpreter took him (and his travel companion) to a police commander who attempted extortion of over US$12,000 and threatened a prison stay of two months before they’d even get their case heard. After paying a portion of the “bail,” Mr. Ingram and his travel partner were put into a hotel and told not to leave, not to contact a lawyer or their embassy, and cautioned that they were being watched. They eventually escaped and got the their embassy, where they learned they’d been victims of a classic Thai scam called the “zig-zag.”

An Irish woman was subjected to the same scam when she made a small purchase at the duty-free shop. She bought an item of makeup, which the shop clerk put in a bag; a customary practice, right? On leaving the shop she was surrounded by security guards shouting ‘You! You! You go jail six months.” The shopping bag contained an item not paid for. Did she steal it? Did the shop clerk plant it? Did the guards? The woman was held overnight “in filthy conditions,” and eventually had to pay up to free herself and her passport.

In her case, the Irish woman thought she had purchased two items. She paid by credit card but didn’t pay attention to how many hundreds of baht she was charged. Did the shop clerk intentionally charge for only one item, as a set up? Why, otherwise, did security immediately pounce on this customer?

Both of these examples begin with the company called King Power, which runs the airport duty-free shops, and both include collusion by government officials and others. King Power has tried to substantiate some of its accusations with surveillance video, and has three cases “explained” on its website.

In an article in the Irish Daily Mail, Andrew Drummond wrote that in Thailand (where he is based), this is called the “Monopoly scam, ”

not so much because of the high amounts of money involved but the fact that victims…could buy ‘Get out of jail’ cards to escape airport shoplifting charges. These ‘cards’ were letters issued by the local prosecutor and police.

Fake police with false ID at Bangkok airport. How is one to know what's real?

Bangkok airport, it seems, is infested with scammers, corrupt officials, and according to the pictured article, pseudo-cops. There are more horror stories:

Paul Grant and Lynn Ward, both from the UK, separately reported another Bangkok airport scam. In this one, incoming passengers are instructed by a customs officer to put their duty-free items into their checked luggage when they retrieve it from the carousel, and that they should not declare the items, “or they will be prosecuted for smuggling.” When exiting the customs area, other customs agents “discover” the undeclared items, and levy hefty fines or threaten jail. ATMs are conveniently located beside the customs office, or travelers are escorted to machines in order to withdraw the large sums charged.

If you haven’t read this or another warning specifically about the shake-downs in Bangkok’s airport, you haven’t got a chance should you be chosen to be a victim.

In our hotel bathroom.

We had a large and beautiful room at the Corinthia Lisboa Hotel in Lisbon. The business hotel’s casual restaurant, Tipico, is excellent, and features a highly-polished version of Portugal’s mosaic sidewalks on the floor. Our room contained every convenience.

Display at a tourism safety and security conference.

Bed bugs, we read, are living in hotels everywhere, dining on us. As a frequent hotel guest (200+ days a year for 16 years) I’m surprised that I’ve never noticed them. Mosquitos are attracted to me and I react badly to their bites. But bed bugs—I haven’t run into. Or maybe I repel them.

A large display at the recent California Tourism Safety and Security Conference caught my eye. The company provides a bed bug-baking service for any size space. Four hours at 130° does it, they say. Maybe less. Confidentially. So your neighbors (or other hotel guests) don’t know you’ve got bed bugs.
Ick.

A Malvalous dessert.

After twenty years of baking this decadent dessert, which I’ve called by a name I’m quite fond of, I must finally, if fleetingly, commit to its spelling. I’ll take its lovely, ambiguous, oral name, so full of interpretation, possibility, and nuance, and relegate it to a finite, deficient, inadequate written one which prevents the mind from wandering.

Twenty years ago (wow!) Bob and I took a one-year contract in South Africa. We were given an apartment with two servants, a cat, and pesky baboons (another story), and a rudimentary kitchen. At some point I started baking a dessert recipe that I found in the local alternative newspaper, The Weekly Mail. Part of a flour ad, the recipe had a dull, generic name, something like Snowflake Flour Pudding, or Baked Apricot Pudding. I’ve called it Weekly Mail Pudding ever since but, not having written of it, I’ve never had to spell it. I’m sad that I must now, in order to tell the story of the pudding. Bob and I refer to it so casually that, when I serve it to friends, I forget how odd the name sounds.

Cape Town's Table Mountain.

That was the first third of the story. The third third is the recipe itself, at the end. The second third is this. A few months ago in Cape Town, I suddenly came to realize that this dessert is properly called Malva Pudding, and is a South African classic of Dutch origin. (I should also mention that pudding is a generic British term for dessert. This one is a moist cake; not at all a custardy pudding.)

Bob and I stopped at a Cape Town cafe for coffee. I sat down and opened the laptop while Bob looked at the treats on offer. He returned to the table with a gorgeous little cake, not much bigger than a muffin. Its deep brown, shiny surface had large pores and a little buttery froth, like an over-tanned face with a smudge of Coppertone. The cake was not decorated or garnished. It looked moist, and smelled like toasty caramel. Makes my mouth water just thinking of it, even now.

“What’s that?” I asked Bob.

“I don’t know, it just looked good,” he said.

“Looks like Weekly Mail Pudding,” I said.

One bite confirmed it. Examining the cafe’s display case, I saw that the cake was labeled Malva Pudding.

Carmelized comfort.

Subsequent research indicates that apricot jam is one of the dessert’s defining characteristics. I never sense much flavor from the jam. Therefore, I’ve always used whatever jam I have on hand: ginger, orange, raspberry…. I used pomegranate jam in one pictured here.

I give you my scrumptious version of this recipe on the conditions that, if you call it anything at all, you call it by its lovely, ambiguous name; that you refrain from writing its name; and that you forget any spelling of the name that you’ve seen here.

The recipe: Continue Reading »

As usual, you can click the photos for larger versions.

In time, shoes polish the mosaics to a slippery shine.

Would you notice if a skimmer were attached to an ATM?

Skimmers, officially called magnetic card readers, capture the data on a card’s magnetic strip. Exactly what information is that?

Credit and debit cards have three “tracks” of data. Track 1 stores your name, account number and expiration date, and discretionary data to verify the PIN and security code. This information goes to the point of sale terminal, and allows your receipt to include your name and the last four digits of your account number.

Track 2 stores similar information coded and formatted specifically for the banking industry. This is the data that, from a merchant, goes to the bank via modem. Actually, it goes to an “acquirer,” a middle-man organization that authenticates the account data and guarantees payment to the merchant.

Track 3 was supposed to store biometrics, like a photo and thumbprint, but the banks decided it was too expensive to implement and do not use track 3 at all. It’s sometimes used on non-bank cards: airline cards, hotel and club memberships, etc. Track 3 is also writable.

ATM: sucks data, spits cash.

Legitimate mag-strip readers are everywhere. Illegitimate ones, which I’ll refer to as skimmers, are, too. They may be stuck onto the faces of ATMs or gas pumps (possibly detectable). They may be attached to a merchant’s point-of-sale terminal (undetectable by customer, should be detectable by aware merchant). They have recently been found inside gas pumps (undetectable). Tiny, handheld models are used by waiters and others who swipe credit cards legitimately; they make an additional, criminal swipe through the portable skimmer.

Mag-strip readers are easily, legally purchased. The largest distributor is (no surprise) just outside Las Vegas. Bob met with the owner of the business, and bought a skimmer. The owner claims that his largest customers are schools and libraries, which buy in bulk in order to record attendance and keep track of books. I’ve heard from law enforcement that his biggest customer is the FBI, which buys skimmers, encodes them with trackable ID, and lets them fall into the wrong hands.

Our skimmer, pictured below, captures all three data tracks. Bob could have bought one half the size with twice the storage and a bluetooth interface for twice the price. The kind just pulled from the apron of a waiter at a high-end restaurant at Caesar’s Forum in Las Vegas—a restaurant frequented by a celebrity clientele (i.e. high-limit credit cards).

Whether obtained by an employee using a handheld skimmer, or one attached to stationary equipment, card data is gathered and stored, then collected by wired download or wireless transmission. Then what?

Someone called “afterlife” wrote:

Credit card theft is a growing problem but it does not happen the way most people envision it. It’s not the lone hacker who goes it alone to compromise one site and sell the credit card numbers to fraudsters.
These days it’s a network of carders who each have a specific role. Roman Vega of Boa Factory fame was known for having lawyers, botnet owners, hackers, traffickers, and pushers all on staff. These days the professional carder will knock over several merchants and store the information without using it for up to two years. Once they have amassed enough information they join the databases together forming a master datasheet on peoples lives.
Once they join databases with your credit card number and others with your e-mail address they can perform ’spear phishing’ where they send you a targeted e-mail, with your credit card number, asking for your PIN number.

Portable magnetic card reader, aka skimmer.

Credit card fraud is highly organized, en masse. Besides phishing and spear phishing, data is also written to new cards. These new cards can be blank stock, stolen cards (where sometimes the encoded data does not match what is printed—but who notices that?), gift cards, or shared-value cards. Mag-strip writers can be purchased as easily as mag-strip readers; and some models of readers just need a little extra software in order to write.

Everything one needs for credit card fraud can be learned or purchased on “carder sites.” Skimmer “dumps” are sold in lots, with payment made via Western Union. Here’s a typical “ad,” found among Afterlife’s blog comments (link above). This one’s about six months old:

The Best Dumps for a Good Price. Selling USA.
Hello dear friends. I’m a Memfis.
I have USA dumps, and some Asian.
I have a good price for it:
USA
20 USD CLASSIC, MASTER
25 USD VISA GOLD
30 USD VISA PLATINUM AND BUSINESS
ASIA
80 USD CLASSIC, MASTER
100 USD PLATINUM
I have my own base, good approval percent – about 90%
USA and Asia – 101 only. But I dont have EU bins.
USA – original track2.
Asia – both tracks are original, track1 and track2.
Payment is Western Union.
I’m sending order only after recieving payment, in 3-24 hours.
I have a replace pocily, but i should know what cards declined or holdcall in 24 hours, to replace it, in other time i wont replace.
For real buyers:
I can proove my quality, message me my ICQ.

Latest ATM skimmer, with measurement in centimeters.

Here’s a good thing: some of these gizmos hidden in gas pumps cause the pump to fail, so they’re found. But there’s bad news, too. Data from skimmers slyly hidden in gas pumps and other good places is often not used for three or four months. Why ruin a good thing if the skimmer is steadily transmitting account numbers and PINs? When credit card holders start reporting fraud, the common merchant on the victims’ accounts will be investigated and the device will be pulled. Has your card already been skimmed? Has mine?