The Art of the Steal
In so many ways, the Internet has opened up a wide new avenue for crooks to get hold of your card number and use it for nefarious purposes. I’ll discuss this and other computer crimes in further detail in a later chapter on the Internet.
MING’S BOOSTER RING
Account boosting is yet another popular trick of credit card thieves. This is a scheme where criminals acquire legitimate credit cards and accrue balances on them. The criminal then sends the issuer a payment by overnight delivery using a stolen or counterfeit check. The payment exceeds the balance, and thus “boosts” the account’s credit line. Under Federal law, banks have to post card payments before the checks clear and so they have no choice but to credit your account. The next day, the criminal goes to a bank machine and withdraws the excess amount on that card. Later, of course, the check bounces.
A Vietnamese criminal named Minh C. To, also known as Big Ming, headed up a credit card ring that recruited legitimate cardholders to overpay their credit card accounts using counterfeit checks. Once the accounts were boosted by the checks, Big Ming and the recruits would start buying merchandise. Big Ming would fence the goods and split the profits with the recruits. To cap off the scheme, he had the recruits file for bankruptcy so they wouldn’t be liable for the debt. Before Big Ming was stopped, the ring defrauded credit card issuers of more than $100 million.
So it pays for card companies to be very suspicious of any payments that exceed what a cardholder owes.
BANKING ON YOUR EMBARRASSMENT
And there are endless ingenious schemes criminals employ to tack on charges to your credit card. A group of thieves, apparently from Russia, created a phony adult porn website. They then stole 3 million credit card numbers from a computer database, and had the site bill each account ten dollars. Otherwise, they didn’t use the cards. The amount was so small that many customers didn’t even notice it. Others did, but were too embarrassed to report it as being unauthorized to the bank. Those ten dollar charges added up to $30 million in charges. Oddly enough, law enforcement authorities were convinced that the real purpose of this game was to launder money.
DEBIT CARDS—THE DOWNSIDE
A lot of consumers like the idea of using a debit card rather than a conventional credit card. With a debit card, money comes right out of your own bank account when you make a purchase. There’s no bill thirty days later. By using a debit card, you’re deprived of a month’s worth of float, and since we’re a country built on float, most people don’t like them. I’m one of them. But there’s another issue with them that bothers me. Since the money is immediately extracted from your account when you make a purchase, it becomes harder to contest a fraudulent charge. On a credit card, if something is on your statement that you didn’t buy, you refuse to pay for it. With a debit card, the money’s already gone and you’ve got to try to recover it. And the law doesn’t protect you as well. If you don’t report a lost card within two days, you can be liable for up to five hundred dollars. And if you don’t report an unauthorized transaction within sixty days of when your latest statement was issued, there’s no liability limit at all, just the size of your bank balance.
I don’t own a debit card myself. Two of my three sons, though, use them. They tell me they don’t like writing checks and that’s why they have them. Young people, it seems, are bothered by the chore of writing checks, so it may be a generational thing.
SEARCH THAT WAITER
In the last few years, an entirely new approach to credit card fraud has opened up. A case that was reported in Time magazine told about a crook in Miami who had charged more than five hundred thousand dollars against a hundred different American Express cards. American Express had determined that none of the cards had been stolen. That meant they had to be counterfeit. But that was a lot of cards.
American Express ran elaborate computer analyses of the account numbers and their recent activity. What it found was startling. Each of the victimized cardholders had recently eaten dinner at one of two New York restaurants. What did that mean?
Federal agents in New York obtained the cooperation of the owner of one of the restaurants, a Brazilian steak house called The Plantation. He was an honest and reputable owner, and he was as puzzled as anyone about the seeming connection between his restaurant and the fraudulent cards. In short order, after searching the employee dressing room, the agents found the answer in an open locker: a skimmer.
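The kind of analysis described above, where victimized accounts are traced back to the merchants they have in common, is usually called common-point-of-purchase analysis. The sketch below is an added example, not from the book: the card IDs, merchant names, and thresholds are constructed, and it ranks merchants by how over-represented they are among compromised cards so that a store everybody visits does not drown out the real source.

```python
from collections import defaultdict

# Constructed sample data: card -> merchants visited in the look-back window.
HISTORY = {
    "c01": {"steakhouse_A", "grocery", "gas"},
    "c02": {"steakhouse_A", "grocery"},
    "c03": {"steakhouse_A", "grocery"},
    "c04": {"restaurant_B", "grocery", "gas"},
    "c05": {"restaurant_B", "grocery"},
    "c06": {"restaurant_B", "grocery"},
    "c07": {"steakhouse_A", "grocery"},   # visited, but no fraud reported yet
    "c08": {"grocery", "gas"},
    "c09": {"grocery", "gas"},
    "c10": {"grocery", "gas"},
    "c11": {"grocery", "gas"},
    "c12": {"grocery"},
}
# Constructed: cards on which counterfeit use has been confirmed.
COMPROMISED = {"c01", "c02", "c03", "c04", "c05", "c06"}


def common_points_of_purchase(history, compromised, min_cards=3, min_lift=1.3):
    """Return [(merchant, compromised_cards_seen, lift)] sorted by lift.

    lift = (share of compromised cards that used the merchant)
           / (share of all cards that used the merchant).
    A lift near 1.0 means the merchant is simply popular.
    """
    cards_by_merchant = defaultdict(set)
    for card, merchants in history.items():
        for merchant in merchants:
            cards_by_merchant[merchant].add(card)

    total, bad_total = len(history), len(compromised)
    if bad_total == 0:
        return []

    suspects = []
    for merchant, cards in cards_by_merchant.items():
        bad = len(cards & compromised)
        if bad < min_cards:          # too few victims to mean anything
            continue
        lift = (bad * total) / (len(cards) * bad_total)
        if lift >= min_lift:
            suspects.append((merchant, bad, lift))
    return sorted(suspects, key=lambda s: (-s[2], -s[1], s[0]))


if __name__ == "__main__":
    for merchant, bad, lift in common_points_of_purchase(HISTORY, COMPROMISED):
        print(f"{merchant}: {bad} compromised cards, lift {lift:.2f}")
```

A clean card that also shows up at a flagged merchant, like `c07` here, is a candidate for proactive reissue.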
A skimmer is one of the newest and much-prized toys on the frontlines of fraud. It’s a compact, battery-powered black device, not much larger than a hand-held Palm or a cell phone. It has a slit in the front, and Velcro is affixed to the back. When a credit card is swiped through the slit, the skimmer reads and stores all of the data that is embedded on the card’s magnetic stripe—the card number, the cardholder’s name, and the invisible encrypted verification code. The chip in the skimmer can hold information for up to three hundred cards. The data can then be readily downloaded onto a computer and used to make counterfeit cards.
That’s precisely what was going on in The Plantation. A waiter kept a skimmer concealed inside his jacket. When a customer gave him his card, he stealthily swiped it in his skimmer before taking it to the cashier. He did it in a flash. He then sold the numbers to a criminal ring.
This sort of chain has become increasingly common. It goes on in department stores, hotels, and gas stations, as well as restaurants. Card numbers are picked up by the sales help and then e-mailed to card-cloning mills, all for money. Often the mills are run by organized crime syndicates, and they could be anywhere in the world. In essence, these rings operate counterfeit card factories. With a thermal dye printer, they put the colored graphics onto what’s known as “white plastic,” a blank card with a magnetic stripe on the back. Next, an embosser adds the victim’s name and account number. Then an encoder puts the verification code onto the magnetic stripe.
The final touch is to apply a hologram onto the face of the card. Since 1981, credit card companies have used holograms to guard against fraud, but one upshot of this has been the emergence of sizable counterfeit hologram operations in Taiwan, Hong Kong, and China. Smugglers regularly bring fraudulent holograms into the United States, and sell them for five dollars to fifteen dollars apiece. On a legitimate card, the hologram is embedded in the plastic when the card is manufactured. On a counterfeit card, a hologram decal is attached to the card. If you examine the card closely, you should be able to feel a decal protruding slightly above the surface of the card.
Skimming is an immense problem. With stolen credit cards, the criminal has a narrow time frame in which to make purchases, but with skimmed cards nobody knows these cards are out there until a victim gets his statement, which can be more than thirty days after the crime took place. That’s a lot of time to rack up illegal charges.
The skimming threat has worsened because the skimmers have gotten smaller. A few years ago, the forerunners of today’s tiny skimmers were devices the size of portable computers. They would be concealed under gas station counters, where attendants would run cards through them without the customers’ knowledge. The miniature versions came out in early 1999.
Some of the credit card companies are trying to use computer analyses to fool skimmers. Say someone in Taiwan tries to buy something with a card that hours earlier was used in Wisconsin. The computer could be programmed to reject the transaction. But given the gigantic number of cards in circulation, it gets expensive to do this and isn’t practical on a large scale.
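The Taiwan and Wisconsin check described above can be expressed as a speed test between consecutive swipes on the same card. This is an added example, not from the book: the transactions, coordinates, and the 900 km/h ceiling are constructed assumptions, and timestamps are assumed to be in one common time zone.

```python
import math
from datetime import datetime

MAX_KMH = 900.0   # assumed ceiling, roughly airliner cruising speed
MIN_KM = 50.0     # ignore short hops, where location data is too coarse


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlat, dlon = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dlat / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def impossible_travel(txns, max_kmh=MAX_KMH, min_km=MIN_KM):
    """Return (card, earlier_id, later_id, km, kmh) for each pair of
    consecutive card-present swipes that no traveller could have made."""
    flagged, last_seen = [], {}
    for t in sorted(txns, key=lambda t: t["ts"]):
        prev = last_seen.get(t["card"])
        last_seen[t["card"]] = t
        if prev is None:
            continue
        km = haversine_km(prev["lat"], prev["lon"], t["lat"], t["lon"])
        if km < min_km:
            continue
        hours = (t["ts"] - prev["ts"]).total_seconds() / 3600
        # Two distant swipes with the same timestamp: treat as infinite speed.
        kmh = math.inf if hours == 0 else km / hours
        if kmh > max_kmh:
            flagged.append((t["card"], prev["id"], t["id"], round(km), kmh))
    return flagged


MADISON, MILWAUKEE, TAIPEI = (43.07, -89.40), (43.04, -87.91), (25.03, 121.56)
# Constructed sample transactions.
TXNS = [
    {"id": "t1", "card": "card-A", "ts": datetime(2001, 5, 1, 9), "lat": MADISON[0], "lon": MADISON[1]},
    {"id": "t2", "card": "card-A", "ts": datetime(2001, 5, 1, 13), "lat": TAIPEI[0], "lon": TAIPEI[1]},
    {"id": "t3", "card": "card-B", "ts": datetime(2001, 5, 1, 9), "lat": MADISON[0], "lon": MADISON[1]},
    {"id": "t4", "card": "card-B", "ts": datetime(2001, 5, 1, 11), "lat": MILWAUKEE[0], "lon": MILWAUKEE[1]},
    {"id": "t5", "card": "card-C", "ts": datetime(2001, 5, 1, 15), "lat": MADISON[0], "lon": MADISON[1]},
    {"id": "t6", "card": "card-C", "ts": datetime(2001, 5, 1, 15), "lat": MILWAUKEE[0], "lon": MILWAUKEE[1]},
]

if __name__ == "__main__":
    for card, a, b, km, kmh in impossible_travel(TXNS):
        print(f"{card}: {a} -> {b}, {km} km at {kmh:.0f} km/h")
```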
THE FUTURE GETS SMART
The technology of the future is Smart Cards. These are credit card–sized plastic cards that contain an integrated circuit chip instead of a magnetic stripe. It’s the chip that makes it “smart.” In essence, it’s a credit card outfitted with a “brain.” The card is actually more powerful than the first desktop computer. That little chip can store a hundred times more information than a magnetic stripe, which is limited to just three lines of information: your name, the account number, and your PIN number.
A Smart Card chip can be configured to include everything a person needs and replace all of his other credit cards, phone cards, and health care cards. For example, you go to a store and buy a turtleneck sweater and hand the clerk a Smart Card. The clerk asks what account do you want it on: Visa, American Express, Macy’s? They’re all on that chip. So your Smart Card is a full-fledged electronic wallet. Someday, we’ll even have a Smart Card driver’s license. When the police stop you, they run the card through a reader and your entire driver’s record will come up. Hawaii has already been experimenting with these.
Smart Cards were invented in France and have been around for about twenty years. Billions of them are already in use throughout the world—in Western Europe, South America, Asia, and Australia—but it’s going to be a few more years before they become widespread in the United States. For that to happen, merchants have to be willing to invest in Smart Card readers and junk their credit card verification equipment. And Americans still like checks and credit cards, so there will have to be a cultural shift.
Are Smart Cards invulnerable? No, nothing is. They’re tougher to defeat than conventional cards, but they can be defeated. Criminals with extraordinary knowledge of encryption have broken the encryption codes. Indeed, computer experts have bragged that there is no chip they can’t penetrate. A graduate student at the University of California at Berkeley used a network of about two hundred and fifty workstations to crack one type of chip. It took him four hours. Other thieves have found that if they can force the chip on the card to make a calculation error, that error can be used to extrapolate the data that validates the card when it gets used. One way to force an error, they found, was by bombarding the card with radiation. Some accomplished this by sticking the card in a microwave oven. Criminals have even popped out the chips and replaced them with their own.
In 1999, a French engineer, after four months of work, managed to make counterfeit French Smart Cards that he used at an automatic machine to buy tickets for the Paris Metro subway system. He offered to sell his technique to the bank consortium that issued the Smart cards for $1.5 million. Instead, the bank chose to have him arrested.
And any card is only as good as the internal controls at the card issuer. If a clerk in charge of encrypting the cards wants to sell the codes for $10,000 to some thieves, it will happen without reliable controls.
No matter what sort of card you have, the most important safeguard is to always carefully check your statements, and that goes for the five dollar charges as well as the five hundred dollar ones. While issuers and con artists continue their taut battle of one-upmanship, it’s the only reliable way to tell if you’re being scammed.
I must admit, there are days when I have to wonder if a criminal needs to even try all that hard. Not long ago, I was shopping in Neiman Marcus with my wife, and I saw a shirt I really liked and decided to buy it. My wife had a Neiman Marcus card, so she told me, “Here, use my card.” It had her maiden name on it and her signature, but if there was a problem I was going to tell the clerk, “My wife’s right over there, it’s her card.”
The clerk rang up the shirt, and put down the sales slip for me to sign. She took the card and flipped it over to look at the signature, my wife’s signature. It wasn’t the same name, no less the same signature. She held up the slip I had signed, held up the card, compared the two, thanked me very much, and handed me my shirt.
7
[BEATING THE MACHINE]
A few years ago, the head of security at Bank of America called me at home at night. I could immediately tell from his tone of voice that he was a little flustered. “Say, we’ve got a really serious problem, and we need your advice,” he said. “We’re losing something like $40,000 a day out of our ATM machines. It’s got to be a ring, but we can’t figure out how they’re doing it.”
I asked him if the cash-dispensing machines being targeted were high-profile ones, those found in heavily-trafficked, very visible locations. He said they were. I told him he had shoulder surfers. Go out to some of the machines, I advised him, and look for a van parked within a block of any of them. The culprits were caught the next day.
“Shoulder surfers” is the name that’s been bestowed on criminals who lurk behind you, trying to peek over your shoulder at what you punch into the automated teller machine (ATM) keyboard. However, it’s become something of a misnomer because savvy criminals don’t stay that close anymore. That’s too obvious and too dangerous. They’ve become long-distance surfers who camp out fifty or more yards away, and pick off personal identification numbers (PINs) with a high-powered camera or binoculars. This was a team who would set up in their van across the street from an ATM and then train a video camera on the machine.
In this caper, one of the conspirators would first go and take twenty dollars from the machine under surveillance. He’d examine the receipt, which would show the time of the transaction. Then the video camera in the van would be synchronized to that time. As customers used the machine, the camera would be locked on the keypad and would record their finger movements. The thieves weren’t interested in seeing you, no matter how good-looking you were. They were interested in your fingers. By taping them, they could tell what your PIN was.
After they retrieved their cash, nine out of ten of the people using the machine did the typical thing: they took a quick look at their receipt and tossed it into the wastebasket. At machines where the bank hadn’t provided a wastebasket, the crooks were courteous enough to furnish one of their own. At the end of the day, one of the thieves hustled over to the machine with a garbage bag, emptied the receipts into the bag and took them with him.
When they got back to their house, they dumped the receipts on a table and began to sort them by the time stamped on them. They then stuck the videotape into their VCR, played the tape of all those fingers, and matched the receipts to the fingers. In that way, they attached the account numbers printed on the receipts to their respective PIN numbers. The beauty of the receipts was that they allowed the thieves to see the balances in the accounts. Oh, this guy’s got fourteen dollars left. They’d throw it away. This guy’s got five hundred dollars. That’s a keeper.
Once they had the account numbers and PINs they wanted, they went to an office supply store and bought some blank credit cards. With a hand embosser, also easily acquired, they encoded the cards with the account numbers, took them to ATM machines, and began withdrawing money.
This was one case at one bank, but it goes on all the time.
There’s no denying that the swift growth in ATMs has revolutionized consumer banking. But ever since their introduction in 1973, ATMs have been viewed as attractive targets by criminals, luring everyone from brazen armed robbers to crafty scam artists. Despite all this, I think that ATMs are pretty safe, a lot safer than your checkbook. Generally, you can’t withdraw more than two hundred dollars in a single day from any one account, which is an effective safeguard. In addition, an account holder is only liable for up to fifty dollars if an account and PIN are compromised, and banks typically waive that. ATMs, therefore, are not the problem that fraudulent checks and embezzlement are. Still, the ATM machine is how we get our money every day, and wherever there’s money, criminals lurk.
There have actually been some astounding sums withdrawn with a single card in just a few days of frenzied activity. A woman in Gresham, Oregon, was at a high school football game on a Friday night. She had left her bank card in her purse in her van out in the parking lot. Two men and a woman who were working together broke in and stole it. Leaving it there was mistake No. 1. Mistake No. 2 was that she had scribbled down her PIN number on her Social Security card, which was also in her purse. The thieves, I’m sure, were quite thankful that she was so obliging. They wasted no time in satisfying their needs.
Within minutes, they were at a bank machine a few blocks from the football field. Before the next series of downs was completed, they had made their first withdrawal. They kept on going, traveling at a hundred miles through five counties, stopping pretty much every time they spied an ATM. Even though the standard limit on a withdrawal in a given day on one card is generally a few hundred dollars, there had been a computer program change at the credit union where the victim banked, and there was no limit at all on that particular weekend. In a 54 hour time frame, the thieves made 724 withdrawals from 48 bank machines. They collected $346,770. Talk about being lucky. Before they were caught, largely because of hidden cameras at five of the machines, they even managed to find the time to buy a new pickup truck. So you can see why it’s vital for banks to keep a lid on how much cash can be withdrawn.
THINKING OF GLUE
In terms of ingenuity, one of my favorite ATM scams took place at the Miami Airport. Like a lot of cash machines, the ATMs there used to have little revolving doors on them. Once you punched in your transaction, the door opened and you stuck your hand into this little well and collected your cash. The well had a small light inside it that told the machine that a hand was reaching in there, so don’t close on it. This criminal went and used one of those superglues to glue the door shut. When a customer tried the machine, the door didn’t budge. Assuming the machine was malfunctioning, the customer would press “cancel” and nonchalantly move on to the next machine.
Just because the door didn’t open, however, didn’t mean money wasn’t being dispensed. The cash would get spit out of the bowels of the machine, bounce against the rigid door, and just sit there in the well. Another customer would come; more money would pile up on top of that money, and more and more. After about ten people had used the machine, the guy would come up to it, put his card in, and hit the door with his fist. The door would pop open and reward him with a fat stack of twenties.