Database data loss

Vault door

People often share their credit card anxiety with me. They’re afraid their cards will be lost or stolen and huge bills will be run up by a thief, and that their identities will be cloned. “Is it better to just carry cash?” they ask. “Should I follow the waiter when I pay my restaurant bill?” “How safe is it to use a credit card on the internet? Will my identity be stolen?”

So let’s put these questions to rest. Then we can move on to the real risk.

First, yes. Your credit card can be lost or stolen and big debts can be incurred by others. You won’t be responsible—your financial institution takes the hit. But in the grand scheme of things, the odds are not high that your credit card will disappear and be compromised. The risk is higher in some places than in others, and for some people more than for others. But that’s life. Get over it and live.

No. It’s not better to carry cash. Keep some cash for small (or secret) purchases, and use credit cards for the rest.

Yes, shop on the internet with your credit card. If it makes you feel better, get one of those temporary credit card numbers on your account, good for a single transaction or a limited amount. Without internet and a credit card, you’re crippled.

The real risk of identity theft and credit card fraud

It’s big business. The hotels and hospitals we go to; the stores, banks, schools, airlines, doctors, utilities, and credit unions we use; even government organizations: all of these and more store information about us. They all comply with information security regulations to some extent. But how much and how well? Our identities are in the hands of those who store our details.

If our PII (personally identifiable information) is set free, it will most likely be due to an electronic data breach of some sort, in a (probably-large) batch with others’ information.

We used to be concerned that manilla folders containing our records were physically locked up. Who had access to them? How were they discarded? Shredded or dumped in a Dumpster? There’s so much more to worry about now, and so much more than a single set of paperwork. Our most sensitive secrets and deepest dirt are stored electronically on hard drives, on servers, in the cloud, backed up, on laptops, mobile phones, and even on thumbdrives.

Laptops and thumbdrives are lost and stolen every day. Databases are breached every day. This is where the risk is, and it’s out of our hands.

The advantage goes to data thieves like Rogelio Hackett who, until a little slip-up, broke into the computer networks of businesses, downloaded credit card information, and sold it for profit. Big profit.

“The bad news is that banks and businesses have not made great progress in the fight against account takeover fraud,” says The Information Security Media Group in its 2011 Business Banking Trust Study. Bringing institutions to compliance has been a painful process.

Security vulnerabilities are uncovered daily in computer networks everywhere, from the Australian Parliament House to the Pentagon to our water supplies. In the 3/28/11 Los Angeles Times, Ken Dilanian wrote that “Impeding the move toward bolstering U.S. infrastructure is the government’s lack of authority to coerce industry to secure its networks and industry’s lack of an incentive to implement such protections.” He was referring to the threat of terrorist cyberattacks, but our personal security is at risk as well.

Read this for the state of cybersecurity:

A new survey reveals that roughly three-quarters of energy companies and utilities experienced at least one data breach in the past 12 months. … Seventy-one percent of respondents said that “the management team in their organization does not understand or appreciate the value of IT security.” Moreover, only 39 percent of organizations were found to be actively watching for advanced persistent threats, 67 percent were not using “state of the art” technology to stop attacks against SCADA (supervisory control and data acquisition) systems, and 41 percent said their strategy for SCADA security was not proactive. The survey also concluded that the leading threat for energy utilities was not external attackers, but rather inside ones—43 percent of utilities cited “negligent or malicious insiders” as causing the highest number of data breaches. …

InformationWeek (04/06/11)

To get a fuller grasp of the number of electronic records lost or stolen, take a peek at the DataLoss DataBase project, which “documents known and reported data loss incidents world-wide.” You can search by type of data lost (Social Security numbers, financial information, credit card numbers, etc.) or by industry sector (business, government, educational institution, etc.). You can see if the breach was by an insider or an outside attacker, and whether it was malicious or accidental. And you can search by many types of breach: improper disposal, a hacked or lost computer, a stolen drive, a web attack, etc. I’m especially fond of the datalossdb Twitter feed, for minute-by-minute reports of data losses, with links to known details. For example:

    http://bit.ly/eDcD2s – Blockbuster Video – Employee and applicants’ records containing names, contact details, Social Security and personnel matters found discarded

    http://bit.ly/gW2WYs – AllianceBernstein Holding LP – Employee downloaded client files and transactions before resigning

    http://bit.ly/dTAmUX – Qdoba Mexican Grill – Customers’ card numbers acquired and misused

    http://bit.ly/hdmt25 – Hyundai Capital – Personal credit rating information of 420,000 vehicle loan customers plus 13,000 security passwords acquired by hackers

And on and on. The feed may shock you daily, as it does me. Why is our vital information handled so carelessly?

Well-known and trusted companies like Brookstone, AbeBooks, Ralphs Grocery, Ritz-Carlton, Smith’s Food & Drug, Best Buy, Verizon, etc., assure us they store our information responsibly. Then they farm it out to Epsilon online marketing, a company they do not control. Epsilon got hacked.

More than 65 companies have been impacted, to the great risk and inconvenience of their customers. I got emails after the breach from three of the businesses, warning that data on me had been among the stolen records. Security experts now expect a massive increase in “spear phishing,” in which individuals are personally targeted and tricked by spoofs of companies they have a legitimate relationship with. I get plenty of phishing email already, and some of them look damn believable. Expect them to look even better now, addressed to us by name.

I’m not going to address every risk and precaution here. There is much, and it’s all to be read elsewhere on and off this blog. My points are two:

1. Our ordinary everyday activities may expose us to a little risk of credit card fraud and identity theft, but the big risk is out of our hands.

2. Do look at DataLoss DataBase or at least skim its Twitter feed to get an idea of how much information is lost daily.

© Copyright 2008-2011 Bambi Vincent. All rights reserved.

Credit card shimming

“First there was skimming, now there’s shimming,” says Kim Thomas, former Las Vegas Metro Detective, now an international authority on forgery. Information on this new credit card acquisition technique comes via a Citibank investigator.

Now, looking for parts stuck onto the front of a cash machine, which might indicate fraudulent activity, is not enough. A shimmer does the work of a skimmer, but is housed completely inside the card slot of an ATM. In other words, entirely invisible to users.

Kim Thomas describes the shim-skimmer: “The thief makes a circuit board the size of a credit card, but approximately .1 mm thick. They use a carrier card to insert the device. Basically it is a reader-transmitter. The reader does what the usual credit card skimmer does: capture full track data. The transmitter does what bluetooth does: transmit the track data to a receiver. The technology is pretty sophisticated and will be hard to catch once it goes into mass production.”

According to Jamey Heary, Cisco Security Expert, “effective flexible shims are recently being mass produced and widely used in certain parts of Europe.” He diagrams the physical layout of this “man-in-the-middle” attack as installed inside a card-reader.

I haven’t found anyone who has actually seen one of these shimmers, but no one’s calling it just a proof-of-concept, either. It isn’t clear to me whether or not the shimmer works with U.S. credit cards that lack the chip-and-PIN. Anyone know more about this?

© Copyright 2008-2010 Bambi Vincent. All rights reserved.

Shoulder-surfing credit-card thief—part 2

'Hello there, Monsieur Pickpocket. I'm Bob Arno.' Photo © Kun Chang 2010.

Bob had just made contact with the shoulder-surfing thief…

Pirouetting, I went to find Kun Chang, our film director, who’d been with us all day, along with his crew. When we’d given chase to our quarry, they’d followed our progress from a distance, eventually taking up a static, central position. Now I stood with Kun & Co. just long enough to get my little video camera turned on, amazed to see Bob and the purse-dip still together.

I went to join them, instantly lowering Bob’s perceived threat, from the thief’s point of view. No longer was it one mysteriously-motivated man against a criminal—it was just a couple! A harmless, curious couple. We moved out of the traffic and huddled next to a vending machine.

The man did not deny his occupation. He did not bolt. He did not raise a fist or deliver a swift kick or practice whatever form of aggression he’s known for. He answered our questions in soft-spoken Arabic-tinged French and repeatedly asked one of his own: Why? Why do you want to know these things?

Our French-speaking film director, Kun Chang, soon joined us, raising the level of our conversation from Bob’s basic French. I glanced down at my camera, a tiny thing the size of my little finger. Packed into its small body are a battery, a chip that stores hours of sound and video, an unnoticeable lens, and a few switches. Gone are the cumbersome wires, remotes, antennas, transmitters, and external storage devices we wrangled while using our old hidden cameras. But this one lacks a viewing device or monitor, and I wasn’t familiar with its capturing angle, or anything else about it.

Bob used a gorgeous little fisheye camera. He took a quick peek to see that it was on, then stashed it in his pocket, recording audio but no video.

Glancing down, I was horrified to see a flashing red light. This is one of the first things I usually disable when thiefhunting. You may as well display a giant neon sign: “I’m recording!” I covered the light with my finger, immobilizing my left hand for the remainder of the encounter.

Bob: “I’m a pickpocket too, like you. For the last 20 minutes, I’ve watched your technique. I can see you’re very experienced.” Bob does the butter-up.

Thief: “You’re probably better than I am.” Touché.

Bob: “I’m very good on stage.” (And modest, an Italian thief once chided.)

First time using this camera. I didn't aim very well.

Bob, afraid our detainee would soon scoot, suggested coffee together, or dinner. “I need to work, I can’t stop to have dinner with you,” he said. “And beside, I don’t want to be on TV. I can see you’re filming me right now.” He jabbed a finger toward my camera.

Coolly, I pretended not to hear that.

We learned that our man considers himself best at stealing from handbags and backpacks. It’s best to do it when the person is moving, in motion, he explained, and you have to concentrate on the person while you’re doing it. Puffing up a little, he invited us to follow him and watch.

Looking up at Bob Arno, who is much taller.

I suddenly noticed how much fringe from my scarf was falling in front of the camera. I swept it away. But maybe that was why the thief had seemed to forget about it. I wondered what kind of image I was getting. And what about sound? Was my finger over the microphone? I didn’t know.

The thief told us that he doesn’t know how to work in a gang, he never has. And he said stealing is a hundred times more difficult on the street, as compared to the stage. Bob agreed, though he believes otherwise. When a criminal fails, he walks away and tries again. When a stage pickpocket fails, he has hundreds or thousands of witnesses, and a reputation dependent on success.

Throughout, the man stood calmly, gesturing rarely, jacket zipped to his chin. Built like a flyweight boxer, exuding confidence and arrogance, he seemed in no hurry to leave us, despite his professed need to work. (We actually see this behavior often: thieves seem to enjoy an opportunity to brag, to tell their sob stories, to talk to someone willing to listen.)

The pickpocket explained the importance of getting the cardholder-victim’s PIN, and that he had no trouble memorizing the four digits. He said he uses the credit cards himself, he never sells them to others. Then he dropped the bombshell—to me, the most interesting revelation:

He doesn’t steal money—only credit cards. He never takes people’s cash because it’s not insured. What he steals from their credit cards, they get back from the bank.

Really? A thief with a heart?

Bob begged again for a dinner together, or another meeting. The thief said sure, maybe tomorrow, and took our phone number. He made sure we had his name spelled correctly, and suggested some possible times. Shaking hands all around, he turned and slipped into the turbulent crowd. Back to work.

A cheese, mushroom, and egg crepe.

* * *
Did we go to the Eiffel Tower, you wonder? Did we visit Notre Dame, or the Louvre? No, no time for any of that this time. But we did eat well.

© Copyright 2008-2010 Bambi Vincent. All rights reserved.

Shoulder-surfing credit-card thief

Gare de Lyon, Paris

We started early at Gare de Lyon in Paris, on the hunt for a particular thief. He’s known for a specific M.O., and for his violent nature.

He stands in line at train station ticket machines and watches as passengers purchase tickets with credit cards. Most credit cards issued outside of the U.S. require a PIN code, which must be entered on a keypad. The large keypads on the train station ticket machines make it easy for anyone interested to learn a cardholder’s PIN. Rarely do people bother to hide the numbers they enter.

A man enters his PIN while buying Metro tickets with a credit card.

The man we sought takes note of the PIN—he shoulder-surfs—and watches where the credit card is put away. Then he follows the mark. He has any number of methods of stealing the credit card; the train and Metro stations are full of opportunities-in-the-making.

He could let a partner stall the mark in a turnstile, on an escalator, or getting onto a train. But that would mean splitting the proceeds of the risky business with the partner. Our man prefers to work alone.

With crowds like these, who needs to split proceeds with a stall?

His favored victim is a woman. Why? It’s infinitely easier to steal from a handbag rather than a pocket. A purse has no nerve-endings. It’s slung on the woman’s back, it’s gaping open, it has an easy zipper, or a flap. The woman is busy, distracted, she has luggage, or a child. She’s in high heels, she’s “minding the gap.”

Bambi on the hunt.

We spent hours speeding through Gare de Lyon, fastwalking up and down stairs and escalators, through the train station and Metro station, past numerous banks of ticket machines, around and around. Who said thiefhunting is easy work?

Our irregular behavior might have raised the suspicion of station surveillance officers, had the police not been aware of our activities. But Bob Arno’s reputation precedes him and the anti-bandit detail of the Paris police force tolerated our pursuit.

Shoulder-surfing at the ticket machines.

When we first laid eyes on our prey, he was checking out the people waiting to buy tickets at the machines. He sussed them out quickly; the same way Bob and I look for thieves in a crowd. He turned on his heel and strode off at high speed, as if late for a train.

I was struck by his choice of clothing. He wore a shiny black jacket with wide white stripes down the arms, and a beige beret; both of which made him easy to pick out of a crowd. Bob and I, trailing him from a moderate distance, often lost him in the mobs of moving people. But he always surfaced again, easy to spot in his signature style. Had he worn a dull shirt, or a black sport coat like Pierre, like a good percentage of the businessmen hurrying through the terminal, we’d have lost him.

Okay, it's a bad picture. This is a small detail cropped from a fisheye video framegrab. The thief is in the center.

Bob and I split up for the chase. We made wide arcs around the thief, we got ahead of him, we hung back, we lingered behind columns and vending machines. I felt conspicuous in my beige coat. Bob was a striking beanstalk, a full head above the rest of the crowd. The guy had to notice us… any second.

I had two video cameras on me, but neither was my trusty Sony, the one I can work upside-down and blindfolded and shoot from the hip. I didn’t turn them on.

Keep an eye on the pickpocket…

The man was short but his bereted head rode among the crowd’s like a piece of litter on a choppy sea. He darted among the throng in a manner that Bob and I soon found predictable. He dashed from one queue to the next, scanned the potential marks, moved on. He was focused.

But he had tunnel vision. After all this time, he was oblivious to us. Bob and I got closer and more overt, closing in from opposite sides. I fiddled with my camera, afraid to look at its switches for fear of losing the bobbing beige beret.

But I did look at the camera. And when I looked up again, Bob was face to face with the shoulder-surfing pickpocket, and I knew it was all over. In a moment, he’d flee.

Or not… Part 2

© Copyright 2008-2010 Bambi Vincent. All rights reserved.

Gas pump skimmers attached in 11 seconds

Skimmer (somewhere) inside a gas pump.

Breaking news from Las Vegas Metro’s Kim Thomas, the fraud cop featured in my story on credit card skimmers hidden in gas pumps.

Detective Thomas writes:

I read the post you did with my picture. It was very impressive. At the end you said a thief attached a skimmer in eight minutes. I just wanted to give you a small correction. We found that the one on the side of the gas pump drawer was attached in about 11 seconds, so if you add in opening the door, you’re looking at about 30 seconds (and that’s us fumbling with the key). So here’s the process: put the key in the lock, open the door, slide out the drawer, unplug the two cables from the gas pump connectors (keypad and reader cables), slap on the device, plug the two gas pump cables into the skimmer, plug the skimmer cables into the gas pump connectors, slide the drawer in, close the outside door, turn the key, remove it, test with a known credit card (outside the process of hooking the skimmer, because anyone seeing you do that would assume you’re doing something legitimate). Sounds like a lot, but look at a watch, close your eyes, and envision the process, then look at the watch and see what kind of time you get. It’ll probably amaze you. Now imagine practicing it a bit on your own gas pump either in your storage unit or living room or buddy’s gas pump. Now you’ve gotten faster and smoother, so you’re faster. See?

Thomas continues on the frightening trajectory of credit card fraud:

This type of crime used to be done strictly by hi-tech crews, but now we’re seeing it done by Joe and Julie the tweeker people (common street criminals), the traditional black crews who used to be just check passers and bust-out crooks, and the Hispanic immigrant groups who have always supplied ID documents (to name a few groups). There’s just so much money and property in this.

Hotel loyalty card and data showing on skimmer

I just asked for a warrant on a member of a group of rich college kids (who bought a $7,500.00 watch in a high end Fashion Show Mall store) who have been buying numbers skimmed from American hotel chains in Europe, then using that track data to make counterfeits (this is a good way to do it because the cards are from American customers and less likely to raise a red flag with the bank looking at the transaction since it’s used in the US), which they then use at stores here, in SoCal, and in Arizona. They then take the property and sell it. The kicker is that all these kids are Mexican nationals whose parents are so wealthy they have their kids going to school at American Universities.

© Copyright 2008-2010 Bambi Vincent. All rights reserved.

Beware hotel phone scam

Heads up, travelers. Beware the clever new scam happening in hotels now. In order to thwart it, proactive properties are placing notes like this one into guest rooms:

Dear Guest:

Lately, scam artists are attempting to secure credit card numbers from guests in hotels. They’re calling guest rooms at random and claiming to be hotel employees needing to verify credit card information. For your own protection, please do not give your credit card number over the telephone while staying in the hotel. …

My regular readers know that I stay in hotels more than 200 nights a year, and I research scams and cons. Yet, even I could very easily have fallen for this perfectly believable trick. It falls into the “pretexting” and “social engineering” categories. I got a chill reading this hotel management’s note, having just received a similar phone call in a different hotel a few days before. It took me a moment to recall that the request was for my frequent stay account number, not my credit card. Whew!

I’ve confirmed this ruse’s widespread existence with police and hotel security chiefs in several countries. Although aware of the ploy, not all properties believe in taking a proactive approach. As always, it’s up to us travelers to look after ourselves.

“Somehow they get the guest’s name, call the room, and explain that they are from either room service or the front desk and need the credit card number again,” the security director of a major hotel group told me.

“We never connect calls if the person calling can’t say the name of the guest he/she is looking for,” said the security manager of another hotel chain.

But a phone-pharming data-miner can sequentially call every room in a hotel once he knows the phone number convention. Most of us, as generally trusting (and/or oblivious) humans, will miss the fact that the data-miner on the phone fails to address us by name. If he’s any good, he’ll get “the name on the card” just as easily as he gets every other useful tidbit, and I’d bet he gathers quite a few “profiles.”

© Copyright 2008-2009 Bambi Vincent. All rights reserved.

How Bernanke’s ID thieves did it

Shonya Michelle Young (Credit: U.S. Marshal Service)

Anna Bernanke hung her purse on the back of a chair at Starbucks. It was stolen and, soon after, she and Ben became victims of identity theft.

It’s extremely simple to steal a purse that isn’t attached to a person. It could be on the back of a chair, on an empty chair, or on the floor. Bob’s done it many times for television news shows. Yep, even in busy coffee shops and mall food courts, where you’d think a few people would notice. It has to do with how you drape a coat over the purse.

In her handbag, Anna carried what thieves call a spread: credit card, identification, checks, and her Social Security card (shame on her!). This is the jackpot for a pickpocket and identity theft ring.

Not all pickpockets know how to exploit checks and credit cards. But by now they know at least to sell them. In the old days, some thieves would actually bother to drop them in a mailbox.

Some pickpockets have their own ID theft specialists on staff or on call. When they snag a bag containing a spread, they want to cash a hefty check or two, and they want a fat cash advance on the credit card. They could just buy murch—stuff at a store—but then they’d get just a fraction of its value from a fence. A cash advance is the best, especially in cities with casinos. The thieves can request several advances simultaneously, at different casinos. Each will be approved because none has actually been granted yet. A thief can easily make about $60,000 in an hour with just one credit card.

I wrote of this in a forum a few years ago, and someone asked:

How can they get a cash advance without showing an ID matching their face to the name on the card? Whenever I’m in Vegas I get asked for ID when using credit cards even for a 5.00 purchase.

That’s where the pickpocket’s staff comes in. These thieves have a covey of accomplices on standby. “A blonde, a brunette, an Asian, an older woman with gray hair, and a heavy-set,” a practitioner of this business told me. They call them look-alikes. When the pickpocket gets a check or credit card with ID, he phones the accomplice who looks most like the victim (and that doesn’t have to be much!). The accomplice practices the victim’s signature a time or two, then goes to collect the cash advance (which the thief applied for at a machine.) At this point, the accomplice is referred to as a writer. She writes the check or signs for the cash advance. The harried teller or cashier takes a quick glance, sees a vague resemblance (maybe thinks: oh, honey, you’re having a bad day), and doles out the cash under pressure to serve the next person in line.

The suddenly-infamous George Lee Reid was [allegedly] the identity theft ring’s writer of one of Bernanke’s checks, at a bank in Maryland. The ring’s main writer, Shonya Michelle Young (pictured above), has just been captured. In her possession, she had fake ID, credit cards in the name of others, and “wigs worn while cashing fraudulent checks.”

More on look-alikes later.

Reminder to women: don’t hang your purse on the back of your chair. Don’t put it on the floor unless you put your foot through the strap. Reminder to men: valuables in your coat pockets are vulnerable if you hang the coat on the back of a chair.

© Copyright 2008-2009 Bambi Vincent. All rights reserved.

A typical ATM skimmer scam

A tiny skimmer removed from an ATM way back in 2006.

A reader wrote of an ATM experience which, soon after, led to $9,000 in fraudulent withdrawals. He was abroad, but this happens at ATMs everywhere; and so frequently that I think it’s worth posting as a reminder.

As I was using an atm at a money exchange kiosk, I received the cash I wanted but was unable to get my card back. The man in back of me told me I had to enter my pin number again in order to have the card returned. He even reached in front of me and hit some buttons and told me to enter my pin. I did so and after a slight wait, the card came back. The experience was unsettling because I had never heard of entering a pin number a second time to get your card back after a transaction and no one had ever brazenly reached in front of me to assist me at an atm. Since I received my cash and finally my card, I felt everything was fine. But that was the day the mysterious withdrawals began.

I called my bank as soon as I realized there was a problem. The woman I spoke with immediately closed the credit card account linked to my atm card. Within a couple weeks, the bank had deposited the total of the disputed withdrawals into my account.

There are two essential goodies the card fraudster needs: the info on your card and your PIN. Info on the card can be gained in many ways. A snapshot can be taken of it with a cellphone camera, an imprint can be made, or a skimmer can be attached to the ATM itself. Nowadays, skimmers can be tiny and imperceptible. The vital PIN can be easily obtained by the crafty thief’s strategy. The example above is a classic: the false samaritan. The fraudster offers help in order to gain what he needs. Sometimes these “samaritans” even make cellphone calls to helplines, handing the phone to the mark; but the person on the other end of the phone call is the fraudster’s colleague, who pretends to be a bank official.

To protect against these scams, first, don’t use an ATM that looks suspicious in any way. Unfortunately, they usually don’t look suspicious, even if they’ve been tampered with. Second, shield your PIN with your hand as you enter it. A wireless video camera may be mounted to capture the entry of your PIN. The illicit video camera, which is only the size of a sugar cube, might be in front of you, so your body won’t block it. Use your hand. Third, if your card gets stuck, get suspicious! Do NOT accept help from a stranger. Walk away from the card if you must, but do not give up your PIN. And lastly, always suspect the stranger who enters your personal sphere. That’s just not natural. He or she is after something—of yours!

It’s sad that we must suspect a friendly stranger, but a look at identity theft statistics is enough to convince anyone that it’s better to be safe than sorry. Ruthless, creative scammers specialize in benevolence, and they’re darn convincing. CONvincing, as in gaining your CONfidence. That’s why they’re called CON artists!

© Copyright 2008-2009 Bambi Vincent. All rights reserved.

Shoulder-surfers and pseudo-cops in Sweden

A shoulder-surfer in Stockholm gets seniors' PIN, then steals their ATM card.

I want to wail even in Sweden, because the country has long been perceived as enjoying a relatively low crime rate. And it did. But not any more.

The day I arrived in Stockholm, the paper featured a spread on thieves lurking at ATMs who preyed on the elderly. The scam stars a shoulder-surfer lying in wait for seniors to come use a cash machine. He watches them enter their PINs, then tricks them into allowing their bank card to be physically stolen in one way or another. The thief may ask to change a ten crown note, or may meet the mark at the parking meter and ask for a small coin. Anything to get the mark’s wallet out.

One wallet, many hands.

Then what? “Magic arts,” one victim said. “Finger magic,” said the police. Hard to believe that a bank card can be stolen from a victim’s wallet right under his nose. Yet, Bob and I recognize the trick we call the “flower gift lift,” as practiced by women in Palma de Mallorca (and I’m sure other places, too). It’s forceful, brazen, devious, and it works. I’ve written about that here.

The Stockholm shoulder-surfer was part of an international gang from Romania. He and one other were sentenced to a few years in prison. Police say they’ve operated all over Sweden, targeting the elderly and handicapped. ATM surveillance photos show victims in wheelchairs and using walkers.

At around the same time, a community newspaper warned of “false policemen” also targeting seniors at ATMs. The thieves convinced the seniors that they needed their bank cards and PINs in order to check for illegal withdrawals. Police report additional ploys: door-to-door police impostors warn of burglaries in the neighborhood and want to photograph jewelry and valuables. Whatever the ploy, the thief gets in—cash and valuables go out.

Graph from www.bra.se

As I was writing this, the evening news came on. Seems some scammers are knocking on seniors’ doors to give them tips about H1N1. Rather, one scammer knocks and talks. While the senior is occupied, the other slips in and robs the resident.

Meanwhile, last month, police saw for the first time credit cards being skimmed at gas pumps. “So far police have no suspects and haven’t been able to determine how the skimming operation has been carried out.” I have advised them!

Skimmers have been found attached to ATMs at Ikea and a Stockholm Toys R Us store. There was a home invasion in the sleepy suburb where my family lives.

What has Sweden come to?

Skimmers and credit card fraud (more)

Would you notice if a skimmer were attached to an ATM?

Skimmers, officially called magnetic card readers, capture the data on a card’s magnetic strip. Exactly what information is that?

Credit and debit cards have three “tracks” of data. Track 1 stores your name, account number and expiration date, and discretionary data to verify the PIN and security code. This information goes to the point of sale terminal, and allows your receipt to include your name and the last four digits of your account number.

Track 2 stores similar information coded and formatted specifically for the banking industry. This is the data that, from a merchant, goes to the bank via modem. Actually, it goes to an “acquirer,” a middle-man organization that authenticates the account data and guarantees payment to the merchant.

Track 3 was supposed to store biometrics, like a photo and thumbprint, but the banks decided it was too expensive to implement and do not use track 3 at all. It’s sometimes used on non-bank cards: airline cards, hotel and club memberships, etc. Track 3 is also writable.
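
As an added example, not code from the post, here is a small parser for the track 1 and track 2 layouts just described, with the Luhn check-digit test and the last-four masking a receipt should use. The field layout (ISO/IEC 7813) and the two sample track strings, built around the public Visa test number, are assumptions of the example.

```python
import re

# Constructed sample tracks, not from a real card: 4111111111111111 is the
# public Visa test number. Field layout assumed per ISO/IEC 7813.
TRACK1 = "%B4111111111111111^DOE/JANE^2512101000000000000?"
TRACK2 = ";4111111111111111=2512101000000000000?"

# Track 1: %B<PAN>^<SURNAME/FIRST>^<YYMM><service code><discretionary>?
_T1 = re.compile(r"^%B(?P<pan>\d{13,19})\^(?P<name>[^^]{2,26})\^"
                 r"(?P<exp>\d{4})(?P<sc>\d{3})(?P<disc>[^?]*)\?$")
# Track 2: ;<PAN>=<YYMM><service code><discretionary>?
_T2 = re.compile(r"^;(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<sc>\d{3})(?P<disc>[^?]*)\?$")

def luhn_ok(pan: str) -> bool:
    """Luhn check digit: a skimmed or mistyped PAN that fails this is junk."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def _fields(m: "re.Match") -> dict:
    if not luhn_ok(m["pan"]):
        raise ValueError("PAN fails Luhn check")
    return {"pan": m["pan"], "name": m.groupdict().get("name"),
            "exp": m["exp"], "service_code": m["sc"], "discretionary": m["disc"]}

def parse_track1(raw: str) -> dict:
    m = _T1.match(raw)
    if not m:
        raise ValueError("malformed track 1")
    return _fields(m)

def parse_track2(raw: str) -> dict:
    m = _T2.match(raw)
    if not m:
        raise ValueError("malformed track 2")
    return _fields(m)

def mask_pan(pan: str) -> str:
    """Receipt form of the account number: only the last four digits survive."""
    return "*" * (len(pan) - 4) + pan[-4:]

def receipt_line(raw_track1: str) -> str:
    """What the point-of-sale terminal may print; the full track never should be."""
    t = parse_track1(raw_track1)
    return f"{t['name']}  {mask_pan(t['pan'])}"
```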

ATM: sucks data, spits cash.

Legitimate mag-strip readers are everywhere. Illegitimate ones, which I’ll refer to as skimmers, are, too. They may be stuck onto the faces of ATMs or gas pumps (possibly detectable). They may be attached to a merchant’s point-of-sale terminal (undetectable by customer, should be detectable by aware merchant). They have recently been found inside gas pumps (undetectable). Tiny, handheld models are used by waiters and others who swipe credit cards legitimately; they make an additional, criminal swipe through the portable skimmer.

Mag-strip readers are easily, legally purchased. The largest distributor is (no surprise) just outside Las Vegas. Bob met with the owner of the business, and bought a skimmer. The owner claims that his largest customers are schools and libraries, which buy in bulk in order to record attendance and keep track of books. I’ve heard from law enforcement that his biggest customer is the FBI, which buys skimmers, encodes them with trackable ID, and lets them fall into the wrong hands.

Our skimmer, pictured below, captures all three data tracks. Bob could have bought one half the size, with twice the storage and a bluetooth interface, for twice the price. That’s the kind just pulled from the apron of a waiter at a high-end restaurant at Caesar’s Forum in Las Vegas—a restaurant frequented by a celebrity clientele (i.e., high-limit credit cards).

Whether obtained by an employee using a handheld skimmer, or one attached to stationary equipment, card data is gathered and stored, then collected by wired download or wireless transmission. Then what?

Someone called “afterlife” wrote:

Credit card theft is a growing problem, but it does not happen the way most people envision it. It’s not the lone hacker who goes it alone to compromise one site and sell the credit card numbers to fraudsters.
These days it’s a network of carders who each have a specific role. Roman Vega of Boa Factory fame was known for having lawyers, botnet owners, hackers, traffickers, and pushers all on staff. These days the professional carder will knock over several merchants and store the information without using it for up to two years. Once they have amassed enough information, they join the databases together, forming a master datasheet on people’s lives.
Once they join databases with your credit card number and others with your e-mail address, they can perform ‘spear phishing,’ where they send you a targeted e-mail, with your credit card number, asking for your PIN number.

Portable magnetic card reader, aka skimmer.

Credit card fraud is highly organized, en masse. Besides phishing and spear phishing, data is also written to new cards. These new cards can be blank stock, stolen cards (where sometimes the encoded data does not match what is printed—but who notices that?), gift cards, or shared-value cards. Mag-strip writers can be purchased as easily as mag-strip readers; and some models of readers just need a little extra software in order to write.

Everything one needs for credit card fraud can be learned or purchased on “carder sites.” Skimmer “dumps” are sold in lots, with payment made via Western Union. Here’s a typical “ad,” found among Afterlife’s blog comments (link above). This one’s about six months old:

The Best Dumps for a Good Price. Selling USA.
Hello dear friends. I’m a Memfis.
I have USA dumps, and some Asian.
I have a good price for it:
USA
20 USD CLASSIC, MASTER
25 USD VISA GOLD
30 USD VISA PLATINUM AND BUSINESS
ASIA
80 USD CLASSIC, MASTER
100 USD PLATINUM
I have my own base, good approval percent - about 90%
USA and Asia - 101 only. But I don’t have EU bins.
USA - original track2.
Asia - both tracks are original, track1 and track2.
Payment is Western Union.
I’m sending order only after receiving payment, in 3-24 hours.
I have a replace policy, but I should know what cards declined or holdcall in 24 hours, to replace it; in other time I won’t replace.
For real buyers:
I can prove my quality, message me my ICQ.

Latest ATM skimmer, with measurement in centimeters.

Here’s a good thing: some of these gizmos hidden in gas pumps cause the pump to fail, so they’re found. But there’s bad news, too. Data from skimmers slyly hidden in gas pumps and other good places is often not used for three or four months. Why ruin a good thing if the skimmer is steadily transmitting account numbers and PINs? When credit card holders start reporting fraud, the common merchant on the victims’ accounts will be investigated and the device will be pulled. Has your card already been skimmed? Has mine?
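
The investigative step described above, finding the merchant common to the victims’ accounts, as an added example that is not part of the original post: it ranks merchants by the share of their customers who later reported fraud, over a constructed authorization log, with a lookback window for the months-long delay before skimmed data is used. The log lines, card ids, merchant names and report dates are all constructed.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed authorization log, "card,merchant,YYYY-MM-DD" per line. Not real
# data; the card ids and merchant names are placeholders.
AUTH_LOG = """\
c1,OLD-SHOP,2009-06-01
c1,GAS-PUMP-17,2009-11-02
c1,GROCERY-A,2009-11-03
c2,GAS-PUMP-17,2009-11-04
c2,COFFEE-B,2009-11-04
c3,GAS-PUMP-17,2009-11-05
c3,GROCERY-A,2009-11-06
c4,GROCERY-A,2009-11-07
c5,GROCERY-A,2009-11-08
c5,COFFEE-B,2009-11-09
c6,GAS-PUMP-17,2009-11-10
"""
# Constructed: cards whose holders reported fraud, and when. Note the gap of
# roughly a hundred days between the swipes and the first reports.
FRAUD_REPORTS = {"c1": date(2010, 2, 20), "c2": date(2010, 2, 22),
                 "c3": date(2010, 2, 25), "c6": date(2010, 3, 1)}

def parse_log(text: str) -> list:
    """Turn the log text into (card, merchant, date) tuples."""
    records = []
    for line in text.splitlines():
        card, merchant, day = line.split(",")
        records.append((card, merchant, date.fromisoformat(day)))
    return records

def common_point_of_purchase(records, reports, lookback_days=120, min_victims=2):
    """Rank merchants by the share of their customers who later reported fraud,
    counting only transactions inside the lookback window before each report."""
    customers = defaultdict(set)   # merchant -> every card seen there
    victims = defaultdict(set)     # merchant -> victim cards seen there in-window
    window = timedelta(days=lookback_days)
    for card, merchant, day in records:
        customers[merchant].add(card)
        reported = reports.get(card)
        if reported is not None and timedelta(0) <= reported - day <= window:
            victims[merchant].add(card)
    ranked = [(m, len(v), len(v) / len(customers[m]))
              for m, v in victims.items() if len(v) >= min_victims]
    # Highest victim share first, then most victims, then name for stability.
    ranked.sort(key=lambda r: (-r[2], -r[1], r[0]))
    return ranked
```

On the constructed log the gas pump ranks first with every one of its customers later a victim, while the grocery store shared by two victims ranks below it; a merchant outside the window, or with a single victim, is not flagged.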

High-tech identity theft today

LVMPD Detective Kim Thomas

• Identity theft is now the number one crime in the world.
• Las Vegas is number one in the U.S. for ID theft, even though it’s estimated that only 20% of the crimes are reported.
• The FBI estimates that seven out of every ten stolen dollars end up in Las Vegas. There’s more money in Vegas than most places. Hence Vegas’s place at the top of the ID theft heap.

These wispy facts were spit out by Las Vegas Metro Police Department Forgery Detail’s Detective Kim Thomas at the start of his recent identity theft presentation. Then he got to the scary stuff.

I recently wrote about “profiles,” the findable bits of personal information about an individual. A utility bill constitutes a profile, though not as good a one as a loan application. Envelopes, receipts, and statements are others.

Detective Thomas emphasized the importance of shredding all documents before discarding them. Then he pointed out how something as simple as a discarded box can trigger both a burglary and ID theft. He gave the example of a resident getting a new plasma tv. A trawling thief spots the box at the curb on trash day. He watches the house and notes when it’s unoccupied. Then he steals a truck, kicks in the front door (that’s how they break in nowadays, Det. Thomas explained; no finesse involved), grabs the tv—and the pile of bills in the kitchen at the same time. “Even a box has value to someone,” he said. “Cut it up.”

We can shred.

We can break down our discarded boxes, or take them to dumpsters.

We cannot control how businesses store and discard our data. (My own little example: I went to a health clinic where patients are given forms on clipboards to fill out and return to the desk. When I returned to the unattended desk with my completed forms, I stood staring at other patients’ medical histories and Social Security numbers on the clipboards they’d left on the desk as instructed.)

Credit card data skimmer: the size of a Bic lighter.

But here’s the big thing now: skimmers. Wait! You think you know, but I’m about to describe the very latest in skimmers; not the deck-of-cards-sized box in a waitress’s apron, not the big old multi-part plastic set-ups of yesterday stuck onto ATMs. If you’re not sure exactly what a skimmer is, read the three little paragraphs of my previous post. In the old days (not very long ago), waiters and store clerks were given skimmers to swipe credit cards through and they were paid for the data they collected. But a waiter might talk if caught. A store clerk will be watched if suspected, leading police to the skim-master. And how many cards can they skim in a day, anyway?

Skimmer with keypad taken off ATM.

Old news: nowadays, skimmers are attached to the fronts of ATMs and gas pumps. Yeah, we know. But you probably don’t know how impressive the latest version is. It’s tiny: 3.5 inches long, by a half inch by a quarter inch. It’s almost impossible to detect. It contains batteries charged by an induction plate and stores data on a camera memory card. It attaches to a thin number pad overlay to capture PINs, and as a secondary method, also has a motion-activated video camera (jury-rigged from a high-end mobile phone) which is time-tagged to match up with the right credit card info. It has a bluetooth transmitter that allows remote, anonymous downloads, which means the skim-master doesn’t have to go near the scene of the crime, once the thing is installed.

About 40 of these tiny self-contained data-collectors have been recovered in Las Vegas in the past month. Probably more by now. Certainly more still out there, too.

Where do you get your gas?

Skimmer (somewhere) inside a gas pump.

Yes, they’re still stuck onto the fronts of ATMs. But they’re also put inside gas pumps. How do you open a gas pump? Use the same key that opens an RV storage locker, five bucks online. LVMPD found that one of these skimmers can be installed in eight minutes flat. Which, they figure, means the skim-master can probably do it in seven.

Edited 3/15/10 to add: Detective Kim Thomas explains how skimmers are hidden inside gas pumps in about 11 seconds. Yes, 11 seconds!

Yes, there’s more to tell.

Skimmers for credit card fraud

credit cards

A little background, as reference for my next post:

A skimmer is a battery-operated device smaller than a deck of cards with a slot for swiping credit cards. It reads and stores data embedded in the magnetic strip on the back of the card. Restaurant waiters are the typical recruit, given the contraption and requested to swipe each credit card as they take customers’ payments. At the end of the shift, the data collector shows up with a computer and downloads the skimmer’s memory, which might hold the information from a hundred or more cards.

This is effective data collection; and the waiters—for the data collector solicits many of them—may not even understand the purpose of the exercise for which they receive a nice little tax-free chunk of change. Restaurant and service station employees are reportedly earning over $100 for each credit card they skim.

Meanwhile, the customer has no way of knowing that his credit card has been skimmed. Some privacy advocates and security experts recommend that you never let your credit card out of your sight. I find this advice impractical to the point of impossible, but it’s a question of compromise: convenience in exchange for risk. Each of us must decide where to live along that scale. While I might hand my credit card over to a waiter for processing, you might decide to follow him to the charge machine and supervise the transaction.

Excerpt from Travel Advisory: How to Avoid Thefts, Cons, and Street Scams
Chapter Nine: You’ve Got a Criminal Clone

• • •

Yeah. That was then. Wait ’til you read about now!