Tag Archives: fraud

How a stolen credit card number makes cash for a fraudster

Posted on by
13

All this talk of “skimming.” Then what? What happens after you’ve swiped your card through a tampered-with ATM, gas pump, or bank entry door?

A kid, a computer, and a clever scam that games the system—that’s all it takes to make big bucks, without leaving home. For credit card fraudsters like the teenager who calls himself “d0g,” it’s simply online shopping. He doesn’t handle merchandise, cash checks, or visit drop spots. His butt never leaves his chair, his fingers never leave his keyboard, his eyes never leave his screen.

It’s all about shopping, according to Patrick Lambert, who poked around the underground “carder sites” that sell the information from stolen credit cards. Buy one for a few dollars and just go shopping! Well… not quite.

What’s a credit card fraudster to do, buy expensive goods online and have them shipped to his home? Certainly not. In his Interview with a malicious hacker making over $10,000 a week, Lambert reports how easy it is to find and use these carder sites, and how to turn the hot credit card into hard cash:

So finally, the last question I had was how they manage to get actual, physical goods using that stolen credit, without having to divulge their address. The way I was explained is that all he has to do is post ads on eBay for popular items that he doesn’t actually have. Then, when someone buys it, he turns around and buys that same item from some online store with the bought CC numbers, and puts the eBay buyer’s address as the shipping location. He makes those stores send the products directly to his buyers, and gets clean cash for them, which he can spend any way he wants. It’s a type of online money laundering. And apparently, the reason why these stolen numbers are sold so cheaply is because a vast majority of them are either already canceled, or maxed out.

Now I’m wondering about the wide-format pro printer I sold on Craig’s List: did I unwittingly sell it to an ID thief and obediently ship it to the innocent third party who supplied the thief with clean money? It could have worked that way, at least if I were a store that accepted credit card payments. In my case, I was paid via PayPal, and the funds cleared. Can a thief fund PayPal with a credit card? I’m not sure…

You can see how this three-way scam works. An innocent and unsuspecting buyer of goods provides clean money in return for real items, and is none the wiser. A merchant sells items and is paid with a stolen credit card. d0g sits in the middle pulling strings and catching the money. Easy!

There’s much more to it though, Lambert learned from d0g. “Doing the crime, getting rich with stolen identities, is really easy. The hard part is covering your tracks, and 90% of the things these people do are for the sole purpose of covering themselves.”

That would include subscribing to a VPN (a secure and anonymous web tunnel), and funding an anonymous online payment system.

This sort of “hacking” (which is not what I would call it) can be done on a large or very small scale, but either way, easily, and causing serious financial damage. If it’s true that one credit card fraudster (like d0g, the teenager) can net over $10,000 a week with a low risk of getting caught, it’s clear that the vocation would attract legions of practitioners. It’s clear, too, that our payment system needs fixing.

© Copyright 2008-2012 Bambi Vincent. All rights reserved.

Unrelated posts:

Summer Scams to Avoid

Posted on by
1

Empty pockets

Are you going to London for the Olympic games this summer? Are you going to Europe? Are you going anywhere? Bob Arno urges you to be on your toes for these five ripoffs, all of which are significantly on the increase.

1. The old pickpocket trick.

Pickpocketing’s been around since loincloths got pockets, but it’s increasing drastically in London and all across Europe. It has become more organized, with gang leaders buying or leasing youngsters under the age of legal responsibility. These kids, under pressure to bring in their “quota,” are more desperate than ever and attempt more brazen thefts.

Remedy: Keep your valuables under your clothing and be extremely vigilant at ATMs. Be sure your Social Security number is not in your wallet.

2. The pigeon poop pickpocket trick.

It’s hard to turn away a kindly good samaritan who wants to help you with a real—and vile—problem. You’ve been dirtied with something disgusting—often “pigeon poop” and lately actual (human?) feces. The con artists who secretly put it on you (or their partners did) use the physical contact of cleaning you off to clean you out. They pick your pocket or, if you set down your bag, run off with it.

Remedy: Sadly, we just can’t trust strangers approaching out of the blue. Antennas up!

3. Smart phone theft.

Smart phones are five times more likely to be stolen than wallets or cameras. (iPads are equally attractive, though harder to steal.) More than 50% of thefts in European capitals this summer are expected to be of smart phones—unless you help change the trend.

Remedy: Don’t leave your phone on a restaurant table or in an easy backpack pocket. Be aware that they are often swiped right out of users’ hands. Try to limit the personal information stored in the phone, and use a passcode.

4. Fake cops.

Naturally, we respect authority. A subset of nasty thieves we call “pseudo-cops” exploit this tendency by flashing fake badges and demanding to examine your cash. They claim to be looking for victims of counterfeiters and will take your cash “for examination,” or take a portion of it without you noticing.

Remedy: Do not show your cash or wallet. Police officers do not check the cash of random passers-by. Ask to take a good look at his badge and police ID. A real cop won’t mind at all. A pseudo-cop will move on to a more gullible mark.

5. Fraudulent websites.

Opportunists are working overtime online offering bogus Olympic tickets and nonexistent accommodations in London. London Metropolitan Police recommend buying Olympic tickets only from the official site, and have reported dozens of known fraudulent websites selling tickets and accommodations.

Remedy: Buy Olympic tickets from official vendors only. Buy accommodations from known and trusted sites or travel agents. Use a credit card to pay for your tickets and accommodations.

For full explanations on thefts, cons, and scams, start at the Thiefhunters in Paradise summary page.

© Copyright 2008-2012 Bambi Vincent. All rights reserved.

Unrelated posts:

Skimmers in bank doors

Posted on by
Reply
Bank door card swipe

After hours, swiping your bank card through the reader (at left) unlocks doors (at right) allowing access to ATMs in the bank’s locked foyer.

Ever use an ATM at a bank after hours? Was it inside a locked vestibule, where you had to swipe your bank card to unlock the door to enter the antechamber?

Chase Bank branches in and around Las Vegas have found card skimmers on their doors, enabling thieves to capture bank card info without tampering with the ATM at all. At the cash machines, all the thieves need are pinhole cameras to record the PINs.

And of course, alone and private in a locked bank foyer, who shields his PIN as it is poked onto the keypad?

Very clever thieves. Expect to find this latest technique at a bank near you.

More on skimmers:
Gas pump skimmers attached in 11 seconds.
Skimmers and credit card fraud.

© Copyright 2008-2012 Bambi Vincent. All rights reserved.

Unrelated posts:

10,000 shipping containers lost at sea each year

Posted on by
1
Cargo ship

Source: http://www.cargolaw.com/2006nightmare_apl_panama.html

10,000 shipping containers are lost at sea each year! From my naive perspective, I’m shocked by this number. Twice, I’ve sent an entire household from one continent to another by sea. To think of my container just…tumbling into the sea in a storm! Or worse, ordered jettisoned by the captain to ensure the safety of the ship.

Five to six million shipping containers are being transported at any given moment, and it’s estimated that one is lost about every hour. A goner. True, the percentage is low; but the number is high. Ten thousand containers and their cargo, every year, sunk to the bottom of the deep blue sea. Or presumably, the rough gray sea.

Containers dropped from cargo ships are never recovered and rarely reported. There are no legal repercussions for the losses; no accountability.

There are other repercussions though. Hazardous materials are leached into the ocean. Artificial habitats are created for aquatic life, strung like stepping stones along shipping routes, possibly giving species an unnatural ability to migrate across oceans. http://www.bbc.co.uk/news/science-environment-12718251

And these cargo containers may float for days or weeks before they sink to the ocean floor. Huge farting boxes the size of houses, invisible just below the surface of the sea, they create a deadly hazard for other ships and yachts. “Very, very dangerous,” a ship’s officer told me. “At night you cannot see them at all.”

While this subject matter doesn’t quite fit my usual categories of Travel or Theft, it interests me mainly in terms of loss and responsibility (and also freak accidents). And there seems to be a huge potential for fraud.

Apparently, expediency in loading cargo ships doesn’t allow for stacking containers logically. Therefore, heavy containers may very well ride on the top layer. On the other hand. I read somewhere that top layer positions go for cheap—or was that a joke?

In a global industry represented by straight-laced and corrupt nations and every banana republic in between, I’m not surprised that:

They overload container vessels on purpose, raising the center of gravity of the ship. If there is smooth sailing, you make millions extra a year. If you hit rough seas, you cut loose your entire top layer of containers, lower your COG, and still come out ahead in the grand scheme of it all.

http://slashdot.org/comments.pl?sid=2070698&cid=35729890

So, if a ship lists or rolls a container or two could go flying. Connecting pins might break or shear off, as they are designed to do at a list of a certain number of degrees. And if a ship is in danger its captain may choose to sacrifice a number of containers in the hope of saving the ship and its remaining cargo.

…essentially the shipping company is not liable for the ‘disposed [of]‘ containers, either. If the shipping company has enough losses on a vessel to declare a “General Average,” then the compensation for the losses (including vessel damage, if any) are assessed against the other *customers* with cargo on that vessel.

Basically, the vessel is carrying the cargo as a courtesy; any risk of loss belongs to the owners of the cargo(s) collectively, NOT to the carrier.
So as a forwarding agent, not only do you get the pleasure of telling someone that their container of goods has been lost, you get to tell them that…¨a) they still have to pay freight shipping costs, AND…¨b) they’re going to be legally liable for their ‘share’ of whatever the general average costs work out to be

http://slashdot.org/comments.pl?sid=2070698&cid=35731376

Other than keeping his average rate of loss low, there doesn’t seem to be much to motivate a captain to deliver his full complement of containers. Would it be an exaggeration to suggest that the odd seaman or two might be induced to “lose” a container now and then?

The potential for foul play intrigues me. I hear the whisper of a thumb gently rubbing two fingertips… The master of a ship turns his head away at the screech of metal scraping metal followed by a mighty splash. What might be in that locked steel box? Incriminating evidence? Treasure, bundled with a GPS transmitter, for later retrieval? Hazardous waste too costly to dispose of properly? A secret marine biology laboratory in which creepy experiments will be activated by contact with water, to be carried out in the cold, dark, compressed environment of the sea floor? Bodies?

© Copyright 2008-2011 Bambi Vincent. All rights reserved.

Unrelated posts:

Ghost in the Wires

Posted on by
2

Ghost in the Wires cover

I thought Kevin Mitnick was a friend of mine—but that was before I read his forthcoming book, Ghost in the Wires. Kevin’s the consummate liar, it seems. He’ll say anything to get what he wants, going to extreme efforts to research, then set up support for elaborate cons. He’ll claim to be a cop, a utility employee, or your colleague from a remote office, if it serves his purpose. A faceless voice on the telephone, he’ll sweet-talk one minute, and command with authority the next. At least he used to do this, before spending five years in federal prison…

To become the boldfaced name in social engineering, Kevin honed a natural knack for people-reading from childhood. He was a telephone Zelig who rarely needed to get out of his sweats. He always found a plausible pretext for his capers and pursued them with outrageous chutzpah. Rarely would he fail to obtain the information he sought.

Can one retire a talent like that? I doubt it, but as I can’t think of what use Bob and I are to Kevin, I prefer to think that we really are his friends.

Ghost in the Wires: My Adventures as the World’s Most Wanted Hacker is Kevin’s third book, to be published in August 2011. I love that title. The book chronicles how Kevin, from an early age, tinkered with communication devices: ham radios, telephones, cellphones, computers, and the software that runs them all. Although he was obsessively compelled to dig deeper and deeper into the gizmo-code, he never tried to make or steal money from his exploits. He did it out of his own curiosity, to learn more, and to challenge himself to do what seemed impossible.

Sometimes, in his relentless pursuit of knowledge, he simply had to break into a company’s computer to get the software, the code, or the user names and passwords that he needed. In an electronic sense, that’s breaking and entering. And when he copied that proprietary information for his own use, well, that’s stealing.

Once he’d gained access to his target computer, he’d usually fiddle with its inner settings just enough to plant a “backdoor,” an easy way in for his next visit. He might read his target’s emails and even copy them, but he never destroyed the files.

Imagine an intruder who breaks into your house, sneaks around and looks into your secret hiding places, rifles your files, and picks through your drawers. Satisfied, he then backs out quietly leaving everything just as it was, sweeps up his footprints and, oh yeah—copies your house key on the way out.

Bambi Vincent, Kevin Mitnick, Bob Arno

I’ve heard Kevin call himself a “non-profit hacker.” Sure, he got himself free phone calls, but throughout his hacking career, he was always gainfully employed. With the information he had at his fingertips, he could easily have enjoyed a life of leisure from credit card fraud. He could have sold proprietary source code in the hackers’ underworld. But no; Kevin lacks a vital attribute. He has nerves of steel and gigantic balls, but he does not possess a criminal core. He was simply educating himself.

That is, until he got himself in trouble for snooping. Then he needed that information to protect himself, so he could make untraceable phone calls, so he could listen in to others. As the Feds closed in on him, he needed to know how much they knew about him, too.

Many times while reading Ghost in the Wires I wanted to smack Kevin. I wanted to shake him and say “you just got out of juvenile detention for doing just this—why are you doing it again?” He makes it clear that his hacking was his idea of fun and entertainment, to see if he could get to the next level. Like an addicted gamer.

It turns out, after all, that Kevin was busy educating himself. From “the world’s most wanted hacker” he has become one of the most wanted security experts in the world. He’s now considered the ultimate social engineer and an “ethical hacker,” one who’s challenge is to break into his clients’ systems, whether electronically or by social engineering. In other words, as Mitnick Security, he’s now paid to do what he loves, and he no longer has to look over his shoulder.

Social engineers are an ominous bugbear to security. A company (or you!) can have the tightest security system in place, but humans are its weakest link. For a hacker like Kevin, it’s easier to simply ask for the key to the front door than to steal it. He simply has to ask in the right way. Because social engineers are basically skillful actors playing a role, they’re an invisible threat and a daunting challenge for businesses.

I’m no hacker, that’s for sure, nor even a programmer. Yet, I found it fascinating to read exactly how Kevin finagled himself into systems and tweaked them to his advantage. Kevin wanted to include more of the nitty-gritty hackery in the book, but his co-author, Bill Simon, saved us readers from too much esoterica. I think they struck an excellent balance. I never felt bogged down by the technical bits.

In fact, some might worry that Ghost is a hackery cookbook, complete with lessons in how to get others to spill their secrets. I worried about this aspect with my own book, Travel Advisory: How to Avoid Thefts, Cons, and Street Scams.

Does an exhaustive explanation of theft techniques actually teach the thieves? Kevin and I obviously came to the same conclusion: no, there’s more to gain by putting all the details out there, the better to protect yourself.

I feel a little sorry for all the good people whose trust Kevin exploited. They bought into his ruses in a good-faith effort to be helpful. No doubt that he used them, and probably got many of them into big trouble. Well, in my line of work too, thiefhunting and training the public to avoid theft, a kernel of cynicism is not a bad seed to plant. Kevin’s patsies will think twice before giving out sensitive information.

Ghost is 400+ pages of tension, broken only by Kevin’s sentimental musings about his mother and grandmother, who are constant supportive figures in his life, and the heartbreaking side-story of his brother. It’s fast reading—a tribute to the clear writing and exciting story.

Yeah, yeah, you think I’m all positive because Kevin’s my friend. He gave me an unedited galley copy of the book (littered with typos), but didn’t ask me to write about it. If I hadn’t liked it, I wouldn’t have written a word.

Or maybe I would have. After all, Kevin might not be a real friend of mine…

© Copyright 2008-2009 Bambi Vincent. All rights reserved.

Unrelated posts:

Database data loss

Posted on by
4

Vault door

People often share their credit card anxiety with me. They’re afraid their cards will be lost or stolen and huge bills will be run up by a thief, and that their identities will be cloned. “Is it better to just carry cash?” they ask. “Should I follow the waiter when I pay my restaurant bill?” “How safe is it to use a credit card on the internet? Will my identity be stolen?”

So let’s put these questions to rest. Then we can move on to the real risk.

First, yes. Your credit card can be lost or stolen and big debts can be incurred by others. You won’t be responsible—your financial institution takes the hit. But in the grand scheme of things, the odds are not high that your credit card will disappear and be compromised. The risk is higher in some places than in others, and for some people more than for others. But that’s life. Get over it and live.

No. It’s not better to carry cash. Keep some cash for small (or secret) purchases, and use credit cards for the rest.

Yes, shop on the internet with your credit card. If it makes you feel better, get one of those temporary credit card numbers on your account, good for a single transaction or a limited amount. Without internet and a credit card, you’re crippled.

The real risk of identity theft and credit card fraud

It’s big business. The hotels and hospitals we go to, the stores, banks, schools, airlines, doctors, utilities, banks, credit unions we use, and even government organizations. All of these and more store information about us. They all comply with information security regulations to some extent. But how much and how well? Our identities are in the hands of those who store our details.

If our PII (personally identifiable information) is set free, it will most likely be due to an electronic data breach of some sort, in a (probably-large) batch with others’ information.

We used to be concerned that manilla folders containing our records were physically locked up. Who had access to them? How were they discarded? Shredded or dumped in a Dumpster? There’s so much more to worry about now, and so much more than a single set of paperwork. Our most sensitive secrets and deepest dirt are stored electronically on hard drives, on servers, in the cloud, backed up, on laptops, mobile phones, and even on thumbdrives.

Laptops and thumbdrives are lost and stolen every day. Databases are breached every day. This is where the risk is, and it’s out of our hands.

The advantage goes to data thieves like Rogelio Hackett who, until a little slip-up, broke into the computer networks of businesses, downloaded credit card information, and sold it for profit. Big profit.

“The bad news is that banks and businesses have not made great progress in the fight against account takeover fraud,” says The Information Security Media Group in its 2011 Business Banking Trust Study. Bringing institutions to compliance has been a painful process.

Security vulnerabilities are uncovered daily in computer networks everywhere, from the Australian Parliament House to the Pentagon to our water supplies In the 3/28/11 Los Angeles Times, Ken Dilanian wrote that “Impeding the move toward bolstering U.S. infrastructure is the government’s lack of authority to coerce industry to secure its networks and industry’s lack of an incentive to implement such protections.” He was referring to the threat of terrorist cyberattacks, but our personal security is at risk as well.

Read this for the state of cybersecurity:

A new survey reveals that roughly three-quarters of energy companies and utilities experienced at least one data breach in the past 12 months. … Seventy-one percent of respondents said that “the management team in their organization does not understand or appreciate the value of IT security.” Moreover, only 39 percent of organizations were found to be actively watching for advanced persistent threats, 67 percent were not using “state of the art” technology to stop attacks against SCADA (supervisory control and data acquisition) systems, and 41 percent said their strategy for SCADA security was not proactive. The survey also concluded that the leading threat for energy utilities was not external attackers, but rather inside ones—43 percent of utilities cited “negligent or malicious insiders” as causing the highest number of data breaches. …

InformationWeek (04/06/11)

To get a fuller grasp of the number of electronic records lost or stolen, take a peek at the DataLoss DataBase project, which “documents known and reported data loss incidents world-wide.” You can search by type of data lost (Social Security numbers, financial information, credit card numbers, etc.); by the industry sector (business, government, educational institution, etc.) You can see if the breach was by an insider or an outside attacker, and whether it was malicious or accidental. And you can search by many types of breach: improper disposal, a hacked or lost computer, a stolen drive, a web attack, etc. I’m especially fond of the datalossdb Twitter feed, for minute-by-minute reports of data losses, with links to known details. For example:

    http://bit.ly/eDcD2s – Blockbuster Video – Employee and applicants’ records containing names, contact details, Social Security and personnel matters found discarded

    http://bit.ly/gW2WYs – AllianceBernstein Holding LP – Employee downloaded client files and transactions before resigning

    http://bit.ly/dTAmUX – Qdoba Mexican Grill – Customers’ card numbers acquired and misused

    http://bit.ly/hdmt25 – Hyundai Capital – Personal credit rating information of 420,000 vehicle loan customers plus 13,000 security passwords acquired by hackers

And on and on. The feed may shock you daily, as it does me. Why is our vital information handled so carelessly?

Well-known and trusted companies like Brookstone, AbeBooks, Ralphs Grocery, Ritz-Carlton, Smith’s Food & Drug, Best Buy, Verizon, etc., assure us they store our information responsibly. Then they farm it out to Epsilon online marketing, a company they do not control. Epsilon got hacked.

More than 65 companies have been impacted, to the great risk and inconvenience of their customers. I got emails after the breach from three of the businesses, warning that data on me had been among the stolen records. Security experts now expect a massive increase in “spear phishing,” in which individuals are personally targeted and tricked by spoofs of companies they have a legitimate relationship with. I get plenty of phishing email already, and some of them look damn believable. Expect them to look even better now, addressed to us by name.

I’m not going to address every risk and precaution here. There is much, and it’s all to be read elsewhere on and off this blog. My points are two:

1. Our ordinary everyday activities may expose us to a little risk of credit card fraud and identity theft, but the big risk is out of our hands.

2. Do look at DataLoss DataBase or at least skim its Twitter feed to get an idea of how much information is lost daily.

© Copyright 2008-2011 Bambi Vincent. All rights reserved.

Unrelated posts:

Credit card shimming

Posted on by
1

“First there was skimming, now there’s shimming,” says Kim Thomas, former Las Vegas Metro Detective, now an international authority on forgery. Information on this new credit card acquisition technique comes via a Citibank investigator.

Now, looking for parts stuck onto the front of a cash machine, which might indicate fraudulent activity, is not enough. A shimmer does the work of a skimmer, but is housed completely inside the card slot of an ATM. In other words, entirely invisible to users.

Kim Thomas describes the shim-skimmer: “The thief makes a circuit board the size of a credit card, but approximately .1 mm thick. They use a carrier card to insert the device. Basically it is a reader-transmitter. The reader does what the usual credit card skimmer does: capture full track data. The transmitter does what bluetooth does: transmit the track data to a receiver. The technology is pretty sophisticated and will be hard to catch once it goes into mass production.”

According to Jamey Heary, Cisco Security Expert, “effective flexible shims are recently being mass produced and widely used in certain parts of Europe.” He diagrams the physical layout of this “man-in-the-middle” attack as installed inside a card-reader.

I haven’t found anyone who has actually seen one of these shimmers, but no one’s calling it just a proof-of-concept, either. It isn’t clear to me whether or not the shimmer works with U.S. credit cards that lack the chip-and-PIN. Anyone know more about this?

© Copyright 2008-2010 Bambi Vincent. All rights reserved.

Unrelated posts:

Gas pump skimmers attached in 11 seconds

Posted on by
5

Skimmer (somewhere) inside a gas pump.

Breaking news from Las Vegas Metro’s Kim Thomas, the fraud cop featured in my story on credit card skimmers hidden in gas pumps.

Detective Thomas writes:

I read the post you did with my picture. It was very impressive. At the end you said a thief attached a skimmer in eight minutes. I just wanted to give you a small correction. We found that the one on the side of the gas pump drawer was attached in about 11 seconds, so if you add in opening the door, you’re looking at about 30 seconds (and that’s us fumbling with the key). So here’s the process: put the key in the lock, open the door, slide out the drawer, unplug the two cables from the gas pump connectors (keypad and reader cables), slap on the device, plug the two gas pump cables into the skimmer, plug the skimmer cables into the gas pump connectors, slide the drawer in, close the outside door, turn the key, remove it, test with a known credit card (outside the process of hooking the skimmer because anyone seeing you do that would assume you’ve doing something legitimate. Sounds like a lot, but look at a watch, close your eyes, and envision the process, then look at the watch and see what kind of time you get. It’ll probably amaze you. Now imagine practicing it a bit on your own gas pump either in your storage unit or living room or buddy’s gas pump. Now you’ve gotten faster and smoother, so you’re faster. See?

Thomas continues on the frightening trajectory of credit card fraud:

This type of crime used to be done strictly by hi-tech crews, but now we’re seeing it done by Joe and Julie the tweeker people (common street criminals), the traditional black crews who used to be just check passers and bust-out crooks, and the Hispanic immigrant groups who have always supplied ID documents (to name a few groups). There’s just so much money and property in this.

Hotel loyalty card and data showing on skimmer

A hotel loyalty card and its data showing on a skimmer

I just asked for a warrant on a member of a group of rich college kids (who bought a $7,500.00 watch in a high end Fashion Show Mall store) who have been buying numbers skimmed from American hotel chains in Europe, then using that track data to make counterfeits (this is a good way to do it because the cards are from American customers and less likely to raise a red flag with the bank looking at the transaction since it’s used in the US), which they then use at stores here, in SoCal, and in Arizona. They then take the property and sell it. The kicker is that all these kids are Mexican nationals whose parents are so wealthy they have their kids going to school at American Universities.

© Copyright 2008-2010 Bambi Vincent. All rights reserved.

See our pickpocket summary page.

Unrelated posts:

Phone phishing

Posted on by
4

If you read this blog, you’re probably already security-conscious. But this reminder is worth repeating. Don’t trust anyone.

Sorry.

It’s a shame that’s what the world has come to. Even the good samaritan has to be looked at sideways.

Scammers are now blasting entire towns, phone number by phone number, telling residents that their debit card has been restricted. They target customers of a specific local bank or credit union, name it, and give the customer an 800 number to call in order to correct the situation. If you have a debit card from that financial institution, you just might believe it. Well, other people are believing it. After all, their caller-ID proves that it really is the bank calling.

Or does it? The scammers are able to “spoof” the phone number, so it only appears to be the bank calling. You have no inkling that you’ve been targeted by overseas phishers. If you aren’t a customer of that bank, you probably just hang up and forget it.

If you follow the scammers’ instructions, you’ll give them your card number, pin, and all the other juicy data they need to rack up the charges.

So the tired old reminder worth repeating is this: If you suspect a problem with your bank account or debit card, etc., call your bank’s main number. Call the number on the back of your card or on your bank statement. Especially don’t call a number given to you by the bearer of the news.
© Copyright 2008-2009 Bambi Vincent. All rights reserved.

Unrelated posts:

Beware hotel phone scam

Posted on by
2

phone-credit-card

Heads up, travelers. Beware the clever new scam happening in hotels now. In order to thwart it, proactive properties are placing notes like this one into guest rooms:

Dear Guest:

Lately, scam artists are attempting to secure credit card numbers from guests in hotels. They’re calling guest rooms at random and claiming to be hotel employees needing to verify credit card information. For your own protection, please do not give your credit card number over the telephone while staying in the hotel. …

My regular readers know that I stay in hotels more than 200 nights a year, and I research scams and cons. Yet, even I could very easily have fallen for this perfectly believable trick. It falls into the “pretexting” and “social engineering” categories. I got a chill reading this hotel management’s note, having just received a similar phone call in a different hotel a few days before. It took me a moment to recall that the request was for my frequent stay account number, not my credit card. Whew!

I’ve confirmed this ruse’s widespread existence with police and hotel security chiefs in several countries. Although aware of the ploy, not all properties believe in taking a proactive approach. As always, it’s up to us travelers to look after ourselves.

“Somehow they get the guest’s name, call the room, and explain that they are from either room service or the front desk and need the credit card number again,” the security director of a major hotel group told me.

“We never connect calls if the person calling can’t say the name of the guest he/she is looking for,” said the security manager of another hotel chain.

But a phone-pharming data-miner can sequentially call every room in a hotel once he knows the phone number convention. Most of us, as generally trusting (and/or oblivious) humans, will miss the fact that the data-miner on the phone fails to address us by name. If he’s any good, he’ll get “the name on the card” just as easily as he gets every other useful tidbit, and I’d bet he gathers quite a few “profiles.”
© Copyright 2008-2009 Bambi Vincent. All rights reserved.

Unrelated posts:

How Bernanke’s ID thieves did it

Posted on by
3
Shonya Michelle Young (Credit: U.S. Marshal Service)

Shonya Michelle Young (Credit: U.S. Marshal Service)

Anna Bernanke hung her purse on the back of a chair at Starbucks. It was stolen and, soon after, she and Ben became victims of identity theft.

It’s extremely simple to steal a purse that isn’t attached to a person. It could be on the back of a chair, on an empty chair, or on the floor. Bob’s done it many times for television news shows. Yep, even in busy coffee shops and mall food courts, where you’d think a few people would notice. It has to do with how you drape a coat over the purse.

In her handbag, Anna carried what thieves call a spread: credit card, identification, checks, and her Social Security card (shame on her!). This is the jackpot for a pickpocket and identity theft ring.

Not all pickpockets know how to exploit checks and credit cards. But by now they know at least to sell them. In the old days, some thieves would actually bother to drop them in a mailbox.

Some pickpockets have their own ID theft specialists on staff or on call. When they snag a bag containing a spread, they want to cash a hefty check or two, and they want a fat cash advance on the credit card. They could just buy murch—stuff at a store—but then they’d get just a fraction of its value from a fence. A cash advance is the best, especially in cities with casinos. The thieves can request several advances simultaneously, at different casinos. Each will be approved because none has actually been granted yet. A thief can easily make about $60,000 in an hour with just one credit card.

I wrote of this in a forum a few years ago, and someone asked:

How can they get a cash advance without showing an ID matching their face to the name on the card? Whenever I’m in Vegas I get asked for ID when using credit cards even for a 5.00 purchase.

That’s where the pickpocket’s staff comes in. These thieves have a covey of accomplices on standby. “A blonde, a brunette, an Asian, an older woman with gray hair, and a heavy-set,” a practitioner of this business told me. They call them look-alikes. When the pickpocket gets a check or credit card with ID, he phones the accomplice who looks most like the victim (and that doesn’t have to be much!). The accomplice practices the victim’s signature a time or two, then goes to collect the cash advance (which the thief applied for at a machine.) At this point, the accomplice is referred to as a writer. She writes the check or signs for the cash advance. The harried teller or cashier takes a quick glance, sees a vague resemblance (maybe thinks: oh, honey, you’re having a bad day), and doles out the cash under pressure to serve the next person in line.

The suddenly-infamous George Lee Reid was [allegedly] the identity theft ring’s writer of one of Bernanke’s checks, at a bank in Maryland. The ring’s main writer, Shonya Michelle Young (pictured above), has just been captured. In her possession, she had fake ID, credit cards in the name of others, and “wigs worn while cashing fraudulent checks.”

More on look-alikes later.

Reminder to women: don’t hang your purse on the back of your chair. Don’t put it on the floor unless you put your foot through the strap. Reminder to men: valuables in your coat pockets are vulnerable if you hang the coat on the back of a chair.
© Copyright 2008-2009 Bambi Vincent. All rights reserved.

Unrelated posts:

A typical ATM skimmer scam

Posted on by
3
A tiny skimmer removed from an ATM way back in 2006.

A tiny skimmer removed from an ATM way back in 2006.

A reader wrote of an ATM experience which, soon after, led to $9,000 in fraudulent withdrawals. He was abroad, but this happens at ATMs everywhere; and so frequently that I think it’s worth posting as a reminder.

As I was using an atm at a money exchange kiosk, I received the cash I wanted but was unable to get my card back. The man in back of me told me I had to enter my pin number again in order to have the card returned. He even reached in front of me and hit some buttons and told me to enter my pin. I did so and after a slight wait, the card came back. The experience was unsettling because I had never heard of entering a pin number a second time to get your card back after a transaction and no one had ever brazenly reached in front of me to assist me at an atm. Since I received my cash and finally my card, I felt everything was fine. But that was the day the mysterious withdrawals began.

I called my bank as soon as I realized there was a problem. The woman I spoke with immediately closed the credit card account linked to my atm card. Within a couple weeks, the bank had deposited the total of the disputed withdrawals into my account.

There are two essential goodies the card fraudster needs: the info on your card and your PIN. Info on the card can be gained in many ways. A snapshot can be taken of it with a cellphone camera, an imprint can be made, or a skimmer can be attached to the ATM itself. Nowadays, skimmers can be tiny and imperceptible. The vital PIN can be easily obtained by the crafty thief’s strategy. The example above is a classic: the false samaritan. The fraudster offers help in order to gain what he needs. Sometimes these “samaritans” even make cellphone calls to helplines, handing the phone to the mark; but the person on the other end of the phone call is the fraudster’s colleague, who pretends to be a bank official.

credit card detail

To protect against these scams, first, don’t use an ATM that looks suspicious in any way. Unfortunately, they usually don’t look suspicious, even if they’ve been tampered with. Second, shield your PIN with your hand as you enter it. A wireless video camera may be mounted to capture the entry of your PIN. The illicit video camera, which is only the size of a sugar cube, might be in front of you, so your body won’t block it. Use your hand. Third, if your card gets stuck, get suspicious! Do NOT accept help from a stranger. Walk away from the card if you must, but do not give up your PIN. And lastly, always suspect the stranger who enters your personal sphere. That’s just not natural. He or she is after something—of yours!

It’s sad that we must suspect a friendly stranger, but a look at identity theft statistics is enough to convince anyone that it’s better to be safe than sorry. Ruthless, creative scammers specialize in benevolence, and they’re darn convincing. CONvincing, as in gaining your CONfidence. That’s why they’re called CON artists!

© Copyright 2008-2009 Bambi Vincent. All rights reserved.

Unrelated posts: