So why was the credit card slip made out for 15.90 euros? Accident? Or was this a little scam the market man thought he could pull on an idiot tourist? On a hurried customer, one who might not examine the credit card slip.
This was in Rome’s bustling outdoor market in Campo de’ Fiori, at the large kitchenware stand right next to a man pressing pomegranate halves as fast as he could and selling €6 cups of juice to an endless line of customers.
When I called him on it, the salesman wordlessly handed me three euros in coins. Not sheepishly. Just wordlessly.
Like a pickpocket who silently drops the stolen wallet on the ground. Not me… there it is… no harm done, right?
I can’t say for sure that this was a systematic overcharge scam used—perhaps vengefully?—on customers who have the audacity to pay with a credit card. But I have my opinion…
A kid, a computer, and a clever scam that games the system—that’s all it takes to make big bucks, without leaving home. For credit card fraudsters like the teenager who calls himself “d0g,” it’s simply online shopping. He doesn’t handle merchandise, cash checks, or visit drop spots. His butt never leaves his chair, his fingers never leave his keyboard, his eyes never leave his screen.
How fraud with a stolen credit card works
It’s all about shopping, according to Patrick Lambert, who poked around the underground “carder sites” that sell the information from stolen credit cards. Buy one for a few dollars and just go shopping! Well… not quite.
What’s a credit card fraudster to do: buy expensive goods online and have them shipped to his home? Certainly not. In his Interview with a malicious hacker making over $10,000 a week, [Edit 7/8/13: Lambert has taken down his fascinating and instructive article.] Lambert reports how easy it is to find and use these carder sites, and how to turn the hot credit card into hard cash:
So finally, the last question I had was how they manage to get actual, physical goods using that stolen credit card, without having to divulge their address. The way I was explained is that all he has to do is post ads on eBay for popular items that he doesn’t actually have. Then, when someone buys it, he turns around and buys that same item from some online store with the bought CC numbers, and puts the eBay buyer’s address as the shipping location. He makes those stores send the products directly to his buyers, and gets clean cash for them, which he can spend any way he wants. It’s a type of online money laundering. And apparently, the reason why these stolen numbers are sold so cheaply is because a vast majority of them are either already canceled, or maxed out.
Now I’m wondering about the wide-format pro printer I sold on Craig’s List: did I unwittingly sell it to an ID thief and obediently ship it to the innocent third party who supplied the thief with clean money? It could have worked that way, at least if I were a store that accepted credit card payments. In my case, I was paid via PayPal, and the funds cleared. Can a thief fund PayPal with a stolen credit card? I’m not sure…
You can see how this three-way scam works. An innocent and unsuspecting buyer of goods provides clean money in return for real items, and is none the wiser. A merchant sells items and is paid with a stolen credit card. d0g sits in the middle pulling strings and catching the money. Easy!
There’s much more to it though, Lambert learned from d0g. “Doing the crime, getting rich with stolen identities, is really easy. The hard part is covering your tracks, and 90% of the things these people do are for the sole purpose of covering themselves.”
That would include subscribing to a VPN (a secure and anonymous web tunnel), and funding an anonymous online payment system.
This sort of “hacking” (which is not what I would call it) can be done on a large or very small scale, but either way, easily, and causing serious financial damage. If it’s true that one credit card fraudster (like d0g, the teenager) can net over $10,000 a week with a low risk of getting caught, it’s clear that the vocation would attract legions of practitioners. It’s clear, too, that our payment system needs fixing.
* * *
12/22/15 Note to HACKERS: I appreciate when you contribute additional knowledge in the hundreds of comments below, but please realize that this post will not function as a message board for contacting each other. Check it out: all email addresses in the comments below have been deleted. This is done by a human (me), not a robot. So please save yourself (and me) the trouble. Do comment on credit card hacking, but don’t look for business here. Thanks —BV
Later note: Alas, I had to close comments on this post due to soliciting. However, there’s really interesting stuff below. Thanks for all the contributions!
Even later note: Looks like skimmers’ days may be numbered, thanks to the Skim Reaper, a credit card-sized detection device that we can dip into an ATM or POS before using it to determine its safety. Well, we won’t be using it any time soon, at a cost of almost $500, but let’s say maybe bank branch managers will check their machines periodically, and police can check random ATMs.
Ever use an ATM at a bank after hours? Was it inside a locked vestibule, where you had to swipe your bank card to unlock the door to enter the antechamber?
Chase Bank branches in and around Las Vegas have found card skimmers on their doors, enabling thieves to capture bank card info without tampering with the ATM at all. At the cash machines, all the thieves need are pinhole cameras to record the PINs.
And of course, alone and private in a locked bank foyer, who shields his PIN as it is poked onto the keypad?
Very clever thieves. Expect to find this latest technique at a bank near you.
People often share their credit card anxiety with me. They’re afraid their cards will be lost or stolen and huge bills will be run up by a thief, and that their identities will be cloned. “Is it better to just carry cash?” they ask. “Should I follow the waiter when I pay my restaurant bill?” “How safe is it to use a credit card on the internet? Will my identity be stolen?”
So let’s put these questions to rest. Then we can move on to the real risk.
First, yes. Your credit card can be lost or stolen and big debts can be incurred by others. You won’t be responsible—your financial institution takes the hit. But in the grand scheme of things, the odds are not high that your credit card will disappear and be compromised. The risk is higher in some places than in others, and for some people more than for others. But that’s life. Get over it and live.
No. It’s not better to carry cash. Keep some cash for small (or secret) purchases, and use credit cards for the rest.
Yes, shop on the internet with your credit card. If it makes you feel better, get one of those temporary credit card numbers on your account, good for a single transaction or a limited amount. Without internet and a credit card, you’re crippled.
The real risk of identity theft and credit card fraud
It’s big business. The hotels and hospitals we go to, the stores, banks, schools, airlines, doctors, utilities, banks, credit unions we use, and even government organizations. All of these and more store information about us. They all comply with information security regulations to some extent. But how much and how well? Our identities are in the hands of those who store our details.
Database data loss
If our PII (personally identifiable information) is set free, it will most likely be due to an electronic data breach of some sort, in a (probably-large) batch with others’ information.
We used to be concerned that manilla folders containing our records were physically locked up. Who had access to them? How were they discarded? Shredded or dumped in a Dumpster? There’s so much more to worry about now, and so much more than a single set of paperwork. Our most sensitive secrets and deepest dirt are stored electronically on hard drives, on servers, in the cloud, backed up, on laptops, mobile phones, and even on thumbdrives.
Laptops and thumbdrives are lost and stolen every day. Databases are breached every day. This is where the risk is, and it’s out of our hands.
The advantage goes to data thieves like RogelioHackett who, until a little slip-up, broke into the computer networks of businesses, downloaded credit card information, and sold it for profit. Big profit.
“The bad news is that banks and businesses have not made great progress in the fight against account takeover fraud,” says The Information Security Media Group in its 2011 Business Banking Trust Study. Bringing institutions to compliance has been a painful process.
Security vulnerabilities are uncovered daily in computer networks everywhere, from the Australian Parliament House to the Pentagon to our water supplies In the 3/28/11 Los Angeles Times, Ken Dilanian wrote that “Impeding the move toward bolstering U.S. infrastructure is the government’s lack of authority to coerce industry to secure its networks and industry’s lack of an incentive to implement such protections.” He was referring to the threat of terrorist cyberattacks, but our personal security is at risk as well.
Read this for the state of cybersecurity:
A new survey reveals that roughly three-quarters of energy companies and utilities experienced at least one data breach in the past 12 months. … Seventy-one percent of respondents said that “the management team in their organization does not understand or appreciate the value of IT security.” Moreover, only 39 percent of organizations were found to be actively watching for advanced persistent threats, 67 percent were not using “state of the art” technology to stop attacks against SCADA (supervisory control and data acquisition) systems, and 41 percent said their strategy for SCADA security was not proactive. The survey also concluded that the leading threat for energy utilities was not external attackers, but rather inside ones—43 percent of utilities cited “negligent or malicious insiders” as causing the highest number of data breaches. …
To get a fuller grasp of the number of electronic records lost or stolen, take a peek at the DataLoss DataBase project, which “documents known and reported data loss incidents world-wide.” You can search by type of data lost (Social Security numbers, financial information, credit card numbers, etc.); by the industry sector (business, government, educational institution, etc.) You can see if the breach was by an insider or an outside attacker, and whether it was malicious or accidental. And you can search by many types of breach: improper disposal, a hacked or lost computer, a stolen drive, a web attack, etc. I’m especially fond of the datalossdb Twitter feed, for minute-by-minute reports of data losses, with links to known details. For example:
http://bit.ly/eDcD2s – Blockbuster Video – Employee and applicants’ records containing names, contact details, Social Security and personnel matters found discarded
http://bit.ly/gW2WYs – AllianceBernstein Holding LP – Employee downloaded client files and transactions before resigning
http://bit.ly/hdmt25 – Hyundai Capital – Personal credit rating information of 420,000 vehicle loan customers plus 13,000 security passwords acquired by hackers
And on and on. The feed may shock you daily, as it does me. Why is our vital information handled so carelessly?
Well-known and trusted companies like Brookstone, AbeBooks, Ralphs Grocery, Ritz-Carlton, Smith’s Food & Drug, Best Buy, Verizon, etc., assure us they store our information responsibly. Then they farm it out to Epsilon online marketing, a company they do not control. Epsilon got hacked.
More than 65 companies have been impacted, to the great risk and inconvenience of their customers. I got emails after the breach from three of the businesses, warning that data on me had been among the stolen records. Security experts now expect a massive increase in “spear phishing,” in which individuals are personally targeted and tricked by spoofs of companies they have a legitimate relationship with. I get plenty of phishing email already, and some of them look damn believable. Expect them to look even better now, addressed to us by name.
I’m not going to address every risk and precaution here. There is much, and it’s all to be read elsewhere on and off this blog. My points are two:
1. Our ordinary everyday activities may expose us to a little risk of credit card fraud and identity theft, but the big risk is out of our hands.
[dropcap letter=”F”]irst there was skimming, now there’s shimming,” says Kim Thomas, former Las Vegas Metro Detective, now an international authority on forgery. Information on this new credit card acquisition technique comes via a Citibank investigator.
Now, looking for parts stuck onto the front of a cash machine, which might indicate fraudulent activity, is not enough. A shimmer does the work of a skimmer, but is housed completely inside the card slot of an ATM. In other words, entirely invisible to users.
Shimming
Kim Thomas describes the shim-skimmer: “The thief makes a circuit board the size of a credit card, but approximately .1 mm thick. They use a carrier card to insert the device. Basically it is a reader-transmitter. The reader does what the usual credit card skimmer does: capture full track data. The transmitter does what bluetooth does: transmit the track data to a receiver. The technology is pretty sophisticated and will be hard to catch once it goes into mass production.”
According to Jamey Heary, Cisco Security Expert, “effective flexible shims are recently being mass produced and widely used in certain parts of Europe.” He diagrams the physical layout of this “man-in-the-middle” attack as installed inside a card-reader.
I haven’t found anyone who has actually seen one of these shimmers, but no one’s calling it just a proof-of-concept, either. It isn’t clear to me whether or not the shimmer works with U.S. credit cards that lack the chip-and-PIN. Anyone know more about this?
Pirouetting, I went to find Kun Chang, our film director, who’d been with us all day, along with his crew. When we’d given chase to our quarry, they’d followed our progress from a distance, eventually taking up a static, central position. Now I stood with Kun & Co. just long enough to get my little video camera turned on, amazed to see Bob and the purse-dip still together.
I went to join them, instantly lowering Bob’s perceived threat, from the thief’s point of view. No longer was it one mysteriously-motivated man against a criminal—it was just a couple! A harmless, curious couple. We moved out of the traffic and huddled next to a vending machine.
The man did not deny his occupation. He did not bolt. He did not raise a fist or deliver a swift kick or practice whatever form of aggression he’s known for. He answered our questions in soft-spoken Arabic-tinged French and repeatedly asked one of his own: Why? Why do you want to know these things?
Our French-speaking film director, Kun Chang, soon joined us, raising the level of our conversation from Bob’s basic French. I glanced down at my camera, a tiny thing the size of my little finger. Packed into its small body are a battery, a chip that stores hours of sound and video, an unnoticeable lens, and a few switches. Gone are the cumbersome wires, remotes, antennas, transmitters, and external storage devices we wrangled while using our old hidden cameras. But this one lacks a viewing device or monitor, and I wasn’t familiar with its capturing angle, or anything else about it.
Glancing down, I was horrified to see a flashing red light. This is one of the first things I usually disable when thiefhunting. You may as well display a giant neon sign: “I’m recording!” I covered the light with my finger, immobilizing my left hand for the remainder of the encounter.
Bob: “I’m a pickpocket too, like you. For the last 20 minutes, I’ve watched your technique. I can see you’re very experienced.” Bob does the butter-up.
Bob: “I’m very good on stage.” (And modest, an Italian thief once chided.)
Bob, afraid our detainee would soon scoot, suggested coffee together, or dinner. “I need to work, I can’t stop to have dinner with you,” he said. “And beside, I don’t want to be on TV. I can see you’re filming me right now.” He jabbed a finger toward my camera.
Cooly, I pretended not to hear that.
We learned that our man considers himself best at stealing from handbags and backpacks. It’s best to do it when the person is moving, in motion, he explained, and you have to concentrate on the person while you’re doing it. Puffing up a little, he invited us to follow him and watch.
I suddenly noticed how much fringe from my scarf was falling in front of the camera. I swept it away. But maybe that was why the thief had seemed to forget about it. I wondered what kind of image I was getting. And what about sound? Was my finger over the microphone? I didn’t know.
The thief told us that he doesn’t know how to work in a gang, he never has. And he said stealing is a hundred times more difficult on the street, as compared to the stage. Bob agreed, though he believes otherwise. When a criminal fails, he walks away and tries again. When a stage pickpocket fails, he has hundreds or thousands of witnesses, and a reputation dependent on success.
Throughout, the man stood calmly, gesturing rarely, jacket zipped to his chin. Built like a flyweight boxer, exuding confidence and arrogance, he seemed in no hurry to leave us, despite his professed need to work. (We actually see this behavior often: thieves seem to enjoy an opportunity to brag, to tell their sob stories, to talk to someone willing to listen.)
The pickpocket explained the importance of getting the cardholder-victim’s PIN, and that he had no trouble memorizing the four digits. He said he uses the credit cards himself, he never sells them to others. Then he dropped the bombshell—to me, the most interesting revelation:
He doesn’t steal money—only credit cards. He never takes people’s cash because it’s not insured. What he steals from their credit cards, they get back from the bank.
Really? A thief with a heart?
Bob begged again for a dinner together, or another meeting. The thief said sure, maybe tomorrow, and took our phone number. He made sure we had his name spelled correctly, and suggested some possible times. Shaking hands all around, he turned and slipped into the turbulent crowd. Back to work.
* * *
Did we go to the Eiffel Tower, you wonder? Did we visit Notre Dame, or the Louvre? No, no time for any of that this time. But we did eat well.
We started early at Gare de Lyon in Paris, on the hunt for a particular thief. He’s known for a specific M.O., and for his violent nature.
He stands in line at train station ticket machines and watches as passengers purchase tickets with credit cards. Most credit cards issued outside of the U.S. require a PIN code, which must be entered on a keypad. The large keypads on the train station ticket machines make it easy for anyone interested to learn a cardholder’s PIN. Rarely do people bother to hide the numbers they enter.
The man we sought takes note of the PIN—he shoulder-surfs—and watches where the credit card is put away. Then he follows the mark. He has any number of methods of stealing the credit card; the train and Metro station is full of opportunities-in-the-making.
He could let a partner stall the mark in a turnstile, on an escalator, or getting onto a train. But that would mean splitting the proceeds of the risky business with the partner. Our man prefers to work alone.
His favored victim is a woman. Why? It’s infinitely easier to steal from a handbag rather than a pocket. A purse has no nerve-endings. It’s slung on the woman’s back, it’s gaping open, it has an easy zipper, or a flap. The woman is busy, distracted, she has luggage, or a child. She’s in high heels, she’s “minding the gap.”
We spent hours speeding through Gare de Lyon, fastwalking up and down stairs and escalators, through the train station and Metro station, past numerous banks of ticket machines, around and around. Who said thiefhunting is easy work?
Our irregular behavior might have raised the suspicion of station surveillance officers, had the police not been aware of our activities. But Bob Arno’s reputation precedes him and the anti-bandit detail of the Paris police force tolerated our pursuit.
When we first laid eyes on our prey, he was checking out the people waiting to buy tickets at the machines. He sussed them out quickly; the same way Bob and I look for thieves in a crowd. He turned on his heel and strode off at high speed, as if late for a train.
I was struck by his choice of clothing. He wore a shiny black jacket with wide white stripes down the arms, and a beige beret; both of which made him easy to pick out of a crowd. Bob and I, trailing him from a moderate distance, often lost him in the mobs of moving people. But he always surfaced again, easy to spot in his signature style. Had he worn a dull shirt, or a black sport coat like Pierre, like a good percentage of the businessmen hurrying through the terminal, we’d have lost him.
Bob and I split up for the chase. We made wide arcs around the thief, we got ahead of him, we hung back, we lingered behind columns and vending machines. I felt conspicuous in my beige coat. Bob was a striking beanstalk, a full head above the rest of the crowd. The guy had to notice us… any second.
I had two video cameras on me, but neither was my trusty Sony, the one I can work upside-down and blindfolded and shoot from the hip. I didn’t turn them on.
The man was short but his bereted head rode among the crowd’s like a piece of litter on a choppy sea. He darted among the throng in a manner that Bob and I soon found predictable. He dashed from one queue to the next, scanned the potential marks, moved on. He was focused.
But he had tunnel vision. After all this time, he was oblivious to us. Bob and I got closer and more overt, closing in from opposite sides. I fiddled with my camera, afraid to look at its switches for fear of losing the bobbing beige beret.
But I did look at the camera. And when I looked up again, Bob was face to face with the shoulder-surfing pickpocket, and I knew it was all over. In a moment, he’d flee.
I read the post you did with my picture. It was very impressive. At the end you said a thief attached a skimmer in eight minutes. I just wanted to give you a small correction. We found that the one on the side of the gas pump drawer was attached in about 11 seconds, so if you add in opening the door, you’re looking at about 30 seconds (and that’s us fumbling with the key). So here’s the process: put the key in the lock, open the door, slide out the drawer, unplug the two cables from the gas pump connectors (keypad and reader cables), slap on the device, plug the two gas pump cables into the skimmer, plug the skimmer cables into the gas pump connectors, slide the drawer in, close the outside door, turn the key, remove it, test with a known credit card (outside the process of hooking the skimmer because anyone seeing you do that would assume you’ve doing something legitimate. Sounds like a lot, but look at a watch, close your eyes, and envision the process, then look at the watch and see what kind of time you get. It’ll probably amaze you. Now imagine practicing it a bit on your own gas pump either in your storage unit or living room or buddy’s gas pump. Now you’ve gotten faster and smoother, so you’re faster. See?
Thomas continues on the frightening trajectory of credit card fraud:
This type of crime used to be done strictly by hi-tech crews, but now we’re seeing it done by Joe and Julie the tweeker people (common street criminals), the traditional black crews who used to be just check passers and bust-out crooks, and the Hispanic immigrant groups who have always supplied ID documents (to name a few groups). There’s just so much money and property in this.
I just asked for a warrant on a member of a group of rich college kids (who bought a $7,500.00 watch in a high end Fashion Show Mall store) who have been buying numbers skimmed from American hotel chains in Europe, then using that track data to make counterfeits (this is a good way to do it because the cards are from American customers and less likely to raise a red flag with the bank looking at the transaction since it’s used in the US), which they then use at stores here, in SoCal, and in Arizona. They then take the property and sell it. The kicker is that all these kids are Mexican nationals whose parents are so wealthy they have their kids going to school at American Universities.
Heads up, travelers. Beware the clever new scam happening in hotels now.
In order to thwart it, proactive properties are placing notes like this one into guest rooms:
Dear Guest:
Lately, scam artists are attempting to secure credit card numbers from guests in hotels. They’re calling guest rooms at random and claiming to be hotel employees needing to verify credit card information. For your own protection, please do not give your credit card number over the telephone while staying in the hotel. …
Hotel phone scam
My regular readers know that I stay in hotels more than 200 nights a year, and I research scams and cons. Yet, even I could very easily have fallen for this perfectly believable trick. It falls into the “pretexting” and “social engineering” categories. I got a chill reading this hotel management’s note, having just received a similar phone call in a different hotel a few days before. It took me a moment to recall that the request was for my frequent stay account number, not my credit card. Whew!
I’ve confirmed this ruse’s widespread existence with police and hotel security chiefs in several countries. Although aware of the ploy, not all properties believe in taking a proactive approach. As always, it’s up to us travelers to look after ourselves.
“Somehow they get the guest’s name, call the room, and explain that they are from either room service or the front desk and need the credit card number again,” the security director of a major hotel group told me.
“We never connect calls if the person calling can’t say the name of the guest he/she is looking for,” said the security manager of another hotel chain.
But a phone-pharming data-miner can sequentially call every room in a hotel once he knows the phone number convention. Most of us, as generally trusting (and/or oblivious) humans, will miss the fact that the data-miner on the phone fails to address us by name. If he’s any good, he’ll get “the name on the card” just as easily as he gets every other useful tidbit, and I’d bet he gathers quite a few “profiles.”
Anna Bernanke hung her purse on the back of a chair at Starbucks. It was stolen and, soon after, she and Ben became victims of identity theft.
It’s extremely simple to steal a purse that isn’t attached to a person. It could be on the back of a chair, on an empty chair, or on the floor. Bob’s done it many times for television news shows. Yep, even in busy coffee shops and mall food courts, where you’d think a few people would notice. It has to do with how you drape a coat over the purse.
In her handbag, Anna carried what thieves call a spread: credit card, identification, checks, and her Social Security card (shame on her!). This is the jackpot for a pickpocket and identity theft ring.
Not all pickpockets know how to exploit checks and credit cards. But by now they know at least to sell them. In the old days, some thieves would actually bother to drop them in a mailbox.
Some pickpockets have their own ID theft specialists on staff or on call. When they snag a bag containing a spread, they want to cash a hefty check or two, and they want a fat cash advance on the credit card. They could just buy murch—stuff at a store—but then they’d get just a fraction of its value from a fence. A cash advance is the best, especially in cities with casinos. The thieves can request several advances simultaneously, at different casinos. Each will be approved because none has actually been granted yet. A thief can easily make about $60,000 in an hour with just one credit card.
I wrote of this in a forum a few years ago, and someone asked:
How can they get a cash advance without showing an ID matching their face to the name on the card? Whenever I’m in Vegas I get asked for ID when using credit cards even for a 5.00 purchase.
That’s where the pickpocket’s staff comes in. These thieves have a covey of accomplices on standby. “A blonde, a brunette, an Asian, an older woman with gray hair, and a heavy-set,” a practitioner of this business told me. They call them look-alikes. When the pickpocket gets a check or credit card with ID, he phones the accomplice who looks most like the victim (and that doesn’t have to be much!). The accomplice practices the victim’s signature a time or two, then goes to collect the cash advance (which the thief applied for at a machine.) At this point, the accomplice is referred to as a writer. She writes the check or signs for the cash advance. The harried teller or cashier takes a quick glance, sees a vague resemblance (maybe thinks: oh, honey, you’re having a bad day), and doles out the cash under pressure to serve the next person in line.
The suddenly-infamous George Lee Reid was [allegedly] the identity theft ring’s writer of one of Bernanke’s checks, at a bank in Maryland. The ring’s main writer, Shonya Michelle Young (pictured above), has just been captured. In her possession, she had fake ID, credit cards in the name of others, and “wigs worn while cashing fraudulent checks.”
More on look-alikes later.
Reminder to women: don’t hang your purse on the back of your chair. Don’t put it on the floor unless you put your foot through the strap. Reminder to men: valuables in your coat pockets are vulnerable if you hang the coat on the back of a chair.