The Art of the Steal (18 page)

Once you get onto the home page of the site, you enter a code. That takes you to the next screen. You’re asked what information you want. Do you want an American Express card number, Diner’s Club, Discover Card? Maybe you just want a utility company account number? Whatever you click on brings you to the next page. Say you check Visa. Then you’re invited to select an institution: Citibank, Bank of America, Household Bank. You click on one, and within twenty seconds you get the names, numbers, and expiration dates of valid cards. Number after number after number. Each of these generators contains thousands of card numbers. I’ve checked them out, and I’ve never logged on and not gotten a valid card.

There are also software programs that will essentially pluck valid credit card numbers out of the air. Legitimate card numbers generally end with what’s called a “check digit.” It’s a number added for the purpose of validating the authenticity of the card number. This check digit is derived from the card’s other numbers by what is known as a Luhn formula or Mod-10 algorithm. I’m not going to get into higher math, but suffice to say, a quick way to verify a card number is to run the algorithm and compare the check digit you get with the check digit encoded with the credit card number. As it happens, the Mod-10 algorithm is fairly widely known and assorted computer programs use it to churn out numbers likely to fool authorization checks.

Now, these don’t always prove useful, as the issuing bank will normally confirm the number, expiration, and mailing address when you make an Internet purchase, thus thwarting any software-generated account number. But for inexpensive purchases, generally those under twenty dollars, and often higher amounts overseas, banks commonly run a “stand-in” check, a quick authorization that does nothing more than see that the account number is valid against the “check digit.” Consequently, thieves armed with these computer-generated numbers will log onto online merchant sites and type in number after number until they find one that gets taken, and then they make a blizzard of small purchases.

In so many ways, the Internet has opened up a wide new avenue for crooks to get hold of your card number and use it for nefarious purposes. I’ll discuss this and other computer crimes in further detail in a later chapter on the Internet.

MING’S BOOSTER RING

Account boosting is yet another popular trick of credit card thieves. This is a scheme where criminals acquire legitimate credit cards and accrue balances on them. The criminal then sends the issuer a payment by overnight delivery using a stolen or counterfeit check. The payment exceeds the balance, and thus “boosts” the account’s credit line. Under Federal law, banks have to post card payments before the checks clear and so they have no choice but to credit your account. The next day, the criminal goes to a bank machine and withdraws the excess amount on that card. Later, of course, the check bounces.

A Vietnamese criminal named Minh C. To, also known as Big Ming, headed up a credit card ring that recruited legitimate cardholders to overpay their credit card accounts using counterfeit checks. Once the accounts were boosted by the checks, Big Ming and the recruits would start buying merchandise. Big Ming would fence the goods and split the profits with the recruits. To cap off the scheme, he had the recruits file for bankruptcy so they wouldn’t be liable for the debt. Before Big Ming was stopped, the ring defrauded credit card issuers of more than $100 million.

So it pays for card companies to be very suspicious of any payments that exceed what a cardholder owes.

BANKING ON YOUR EMBARRASSMENT

And there are endless ingenious schemes criminals employ to tack on charges to your credit card. A group of thieves, apparently from Russia, created a phony adult porn website. They then stole 3 million credit card numbers from a computer database, and had the site bill each account ten dollars. Otherwise, they didn’t use the cards. The amount was so small that many customers didn’t even notice it. Others did, but were too embarrassed to report it as being unauthorized to the bank. Those ten dollar charges added up to $30 million in charges. Oddly enough, law enforcement authorities were convinced that the real purpose of this game was to launder money.

DEBIT CARDS—THE DOWNSIDE

A lot of consumers like the idea of using a debit card rather than a conventional credit card. With a debit card, money comes right out of your own bank account when you make a purchase. There’s no bill thirty days later. By using a debit card, you’re deprived of a month’s worth of float, and since we’re a country built on float, most people don’t like them. I’m one of them. But there’s another issue with them that bothers me. Since the money is immediately extracted from your account when you make a purchase, it becomes harder to contest a fraudulent charge. On a credit card, if something is on your statement that you didn’t buy, you refuse to pay for it. With a debit card, the money’s already gone and you’ve got to try to recover it. And the law doesn’t protect you as well. If you don’t report a lost card within two days, you can be liable for up to five hundred dollars. And if you don’t report an unauthorized transaction within sixty days of when your latest statement was issued, there’s no liability limit at all, just the size of your bank balance.

I don’t own a debit card myself. Two of my three sons, though, use them. They tell me they don’t like writing checks and that’s why they have them. Young people, it seems, are bothered by the chore of writing checks, so it may be a generational thing.

SEARCH THAT WAITER

In the last few years, an entirely new approach to credit card fraud has opened up. A case that was reported in
Time
magazine told about a crook in Miami who had charged more than five hundred thousand dollars against a hundred different American Express cards. American Express had determined that none of the cards had been stolen. That meant they had to be counterfeit. But that was a lot of cards.

American Express ran elaborate computer analyses of the account numbers and their recent activity. What it found was startling. Each of the victimized cardholders had recently eaten dinner at one of two New York restaurants. What did that mean?

Federal agents in New York obtained the cooperation of the owner of one of the restaurants, a Brazilian steak house called The Plantation. He was an honest and reputable owner, and he was as puzzled as anyone about the seeming connection between his restaurant and the fraudulent cards. In short order, after searching the employee dressing room, the agents found the answer in an open locker: a skimmer.

A skimmer is one of the newest and much-prized toys on the frontlines of fraud. It’s a compact, battery-powered black device, not much larger than a hand-held Palm or a cell phone. It has a slit in the front, and Velcro is affixed to the back. When a credit card is swiped through the slit, the skimmer reads and stores all of the data that is embedded on the card’s magnetic stripe—the card number, the cardholder’s name, and the invisible encrypted verification code. The chip in the skimmer can hold information for up to three hundred cards. The data can then be readily downloaded onto a computer and used to make counterfeit cards.

That’s precisely what was going on in The Plantation. A waiter kept a skimmer concealed inside his jacket. When a customer gave him his card, he stealthily swiped it in his skimmer before taking it to the cashier. He did it in a flash. He then sold the numbers to a criminal ring.

This sort of chain has become increasingly common. It goes on in department stores, hotels, and gas stations, as well as restaurants. Card numbers are picked up by the sales help and then e-mailed to card-cloning mills, all for money. Often the mills are run by organized crime syndicates, and they could be anywhere in the world. In essence, these rings operate counterfeit card factories. With a thermal dye printer, they put the colored graphics onto what’s known as “white plastic,” a blank card with a magnetic stripe on the back. Next, an embosser adds the victim’s name and account number. Then an encoder puts the verification code onto the magnetic stripe.

The final touch is to apply a hologram onto the face of the card. Since 1981, credit card companies have used holograms to guard against fraud, but one upshot of this has been the emergence of sizable counterfeit hologram operations in Taiwan, Hong Kong, and China. Smugglers regularly bring fraudulent holograms into the United States, and sell them for five dollars to fifteen dollars apiece. On a legitimate card, the hologram is embedded in the plastic when the card is manufactured. On a counterfeit card, a hologram decal is attached to the card. If you examine the card closely, you should be able to feel a decal protruding slightly above the surface of the card.

Skimming is an immense problem. With stolen credit cards, the criminal has a narrow time frame in which to make purchases, but with skimmed cards nobody knows these cards are out there until a victim gets his statement, which can be more than thirty days after the crime took place. That’s a lot of time to rack up illegal charges.

The skimming threat has worsened because the skimmers have gotten smaller. A few years ago, the forerunners of today’s tiny skimmers were devices the size of portable computers. They would be concealed under gas station counters, where attendants would run cards through them without the customers’ knowledge. The miniature versions came out in early 1999.

Some of the credit card companies are trying to use computer analyses to fool skimmers. Say someone in Taiwan tries to buy something with a card that hours earlier was used in Wisconsin. The computer could be programmed to reject the transaction. But given the gigantic number of cards in circulation, it gets expensive to do this and isn’t practical on a large scale.

THE FUTURE GETS SMART

The technology of the future is Smart Cards. These are credit card–sized plastic cards that contain an integrated circuit chip instead of a magnetic stripe. It’s the chip that makes it “smart.” In essence, it’s a credit card outfitted with a “brain.” The card is actually more powerful than the first desktop computer. That little chip can store a hundred times more information than a magnetic stripe, which is limited to just three lines of information: your name, the account number, and your PIN number.

A Smart Card chip can be configured to include everything a person needs and replace all of his other credit cards, phone cards, and health care cards. For example, you go to a store and buy a turtleneck sweater and hand the clerk a Smart Card. The clerk asks what account do you want it on: Visa, American Express, Macy’s? They’re all on that chip. So your Smart Card is a full-fledged electronic wallet. Someday, we’ll even have a Smart Card driver’s license. When the police stop you, they run the card through a reader and your entire driver’s record will come up. Hawaii has already been experimenting with these.

Smart Cards were invented in France and have been around for about twenty years. Billions of them are already in use throughout the world—in Western Europe, South America, Asia, and Australia—but it’s going to be a few more years before they become widespread in the United States. For that to happen, merchants have to be willing to invest in Smart Card readers and junk their credit card verification equipment. And Americans still like checks and credit cards, so there will have to be a cultural shift.

Are Smart Cards invulnerable? No, nothing is. They’re tougher to defeat than conventional cards, but they can be defeated. Criminals with extraordinary knowledge of encryption have broken the encryption codes. Indeed, computer experts have bragged that there is no chip they can’t penetrate. A graduate student at the University of California at Berkeley used a network of about two hundred and fifty workstations to crack one type of chip. It took him four hours. Other thieves have found that if they can force the chip on the card to make a calculation error, that error can be used to extrapolate the data that validates the card when it gets used. One way to force an error, they found, was by bombarding the card with radiation. Some accomplished this by sticking the card in a microwave oven. Criminals have even popped out the chips and replaced them with their own.

In 1999, a French engineer, after four months of work, managed to make counterfeit French Smart Cards that he used at an automatic machine to buy tickets for the Paris Metro subway system. He offered to sell his technique to the bank consortium that issued the Smart cards for $1.5 million. Instead, the bank chose to have him arrested.

And any card is only as good as the internal controls at the card issuer. If a clerk in charge of encrypting the cards wants to sell the codes for $10,000 to some thieves, it will happen without reliable controls.

No matter what sort of card you have, the most important safeguard is to always carefully check your statements, and that goes for the five dollar charges as well as the five hundred dollar ones. While issuers and con artists continue their taut battle of one-upmanship, it’s the only reliable way to tell if you’re being scammed.

I must admit, there are days when I have to wonder if a criminal needs to even try all that hard. Not long ago, I was shopping in Neiman Marcus with my wife, and I saw a shirt I really liked and decided to buy it. My wife had a Neiman Marcus card, so she told me, “Here, use my card.” It had her maiden name on it and her signature, but if there was a problem I was going to tell the clerk, “My wife’s right over there, it’s her card.”

The clerk rang up the shirt, and put down the sales slip for me to sign. She took the card and flipped it over to look at the signature, my wife’s signature. It wasn’t the same name, no less the same signature. She held up the slip I had signed, held up the card, compared the two, thanked me very much, and handed me my shirt.

7

[BEATING
THE MACHINE
]

A
few years ago, the head of security at Bank of America called me at home at night. I could immediately tell from his tone of voice that he was a little flustered. “Say, we’ve got a really serious problem, and we need your advice,” he said. “We’re losing something like $40,000 a day out of our ATM machines. It’s got to be a ring, but we can’t figure out how they’re doing it.”

I asked him if the cash-dispensing machines being targeted were high-profile ones, those found in heavily-trafficked, very visible locations. He said they were. I told him he had shoulder surfers. Go out to some of the machines, I advised him, and look for a van parked within a block of any of them. The culprits were caught the next day.

“Shoulder surfers” is the name that’s been bestowed on criminals who lurk behind you, trying to peek over your shoulder at what you punch into the automated teller machine (ATM) keyboard. However, it’s become something of a misnomer because savvy criminals don’t stay that close anymore. That’s too obvious and too dangerous. They’ve become long-distance surfers who camp out fifty or more yards away, and pick off personal identification numbers (PIN) numbers with a high-powered camera or binoculars. This was a team who would set up in their van across the street from an ATM and then train a video camera on the machine.

In this caper, one of the conspirators would first go and take twenty dollars from the machine under surveillance. He’d examine the receipt, which would show the time of the transaction. Then the video camera in the van would be synchronized to that time. As customers used the machine, the camera would be locked on the keypad and would record their finger movements. The thieves weren’t interested in seeing you, no matter how good-looking you were. They were interested in your fingers. By taping them, they could tell what your PIN was.

After they retrieved their cash, nine out of ten of the people using the machine did the typical thing: they took a quick look at their receipt and tossed it into the wastebasket. At machines where the bank hadn’t provided a wastebasket, the crooks were courteous enough to furnish one of their own. At the end of the day, one of the thieves hustled over to the machine with a garbage bag, emptied the receipts into the bag and took them with him.

When they got back to their house, they dumped the receipts on a table and began to sort them by the time stamped on them. They then stuck the videotape into their VCR, played the tape of all those fingers, and matched the receipts to the fingers. In that way, they attached the account numbers printed on the receipts to their respective PIN numbers. The beauty of the receipts was that they allowed the thieves to see the balances in the accounts. Oh, this guy’s got fourteen dollars left. They’d throw it away. This guy’s got five hundred dollars. That’s a keeper.

Once they had the account numbers and PINs they wanted, they went to an office supply store and bought some blank credit cards. With a hand embosser, also easily acquired, they encoded the cards with the account numbers, took them to ATM machines, and began withdrawing money.

This was one case at one bank, but it goes on all the time.

There’s no denying that the swift growth in ATMs has revolutionized consumer banking. But ever since their introduction in 1973, ATMs have been viewed as attractive targets by criminals, luring everyone from brazen armed robbers to crafty scam artists. Despite all this, I think that ATMs are pretty safe, a lot safer than your checkbook. Generally, you can’t withdraw more than two hundred dollars in a single day from any one account, which is an effective safeguard. In addition, an account holder is only liable for up to fifty dollars if an account and PIN are compromised, and banks typically waive that. ATMs, therefore, are not the problem that fraudulent checks and embezzlement are. Still, the ATM machine is how we get our money every day, and wherever there’s money, criminals lurk.

There have actually been some astounding sums withdrawn with a single card in just a few days of frenzied activity. A woman in Gresham, Oregon, was at a high school football game on a Friday night. She had left her bank card in her purse in her van out in the parking lot. Two men and a woman who were working together broke in and stole it. Leaving it there was mistake No. 1. Mistake No. 2 was that she had scribbled down her PIN number on her Social Security card, which was also in her purse. The thieves, I’m sure, were quite thankful that she was so obliging. They wasted no time in satisfying their needs.

Within minutes, they were at a bank machine a few blocks from the football field. Before the next series of downs was completed, they had made their first withdrawal. They kept on going, traveling at a hundred miles through five counties, stopping pretty much every time they spied an ATM. Even though the standard limit on a withdrawal in a given day on one card is generally a few hundred dollars, there had been a computer program change at the credit union where the victim banked, and there was no limit at all on that particular weekend. In a 54 hour time frame, the thieves made 724 withdrawals from 48 bank machines. They collected $346,770. Talk about being lucky. Before they were caught, largely because of hidden cameras at five of the machines, they even managed to find the time to buy a new pickup truck. So you can see why it’s vital for banks to keep a lid on how much cash can be withdrawn.

THINKING OF GLUE

In terms of ingenuity, one of my favorite ATM scams took place at the Miami Airport. Like a lot of cash machines, the ATMs there used to have little revolving doors on them. Once you punched in your transaction, the door opened and you stuck your hand into this little well and collected your cash. The well had a small light inside it that told the machine that a hand was reaching in there, so don’t close on it. This criminal went and used one of those superglues to glue the door shut. When a customer tried the machine, the door didn’t budge. Assuming the machine was malfunctioning, the customer would press “cancel” and nonchalantly move on to the next machine.

Just because the door didn’t open, however, didn’t mean money wasn’t being dispensed. The cash would get spit out of the bowels of the machine, bounce against the rigid door, and just sit there in the well. Another customer would come; more money would pile up on top of that money, and more and more. After about ten people had used the machine, the guy would come up to it, put his card in, and hit the door with his fist. The door would pop open and reward him with a fat stack of twenties.

So you’ve got all this technology and all these safeguards built into the machine, and yet no one thought of the possibility of a criminal gluing the door shut. These days, new machines are no longer manufactured with doors. They simply have slots that shoot out the money. But there are still plenty of older generation ATMs with doors on them. If a door doesn’t open, don’t shrug it off. Notify security.

Sometimes you’ll put your card into the ATM slot and, tug as you might, it gets jammed and you can’t get it out. So you leave it there, intending to contact the bank when you get to a phone or the next morning if it’s after banking hours. While it might be a broken machine, I wouldn’t bet on it. The odds are it’s a card-withholding scam.

Here’s what happens. A thief puts an adhesive of some sort inside the card slot. He steps aside and waits until someone comes and tries to use it. When someone does, the card gets glued to the slot. Then the crook slips into line behind that person and watches him enter his PIN. Sometimes, just to be on the safe side, the thief will position a sign on the ATM machine that says, “If your card gets stuck, enter your PIN three separate times to retrieve it.” If the thief can’t pick up your PIN number after three tries, he needs to find another line of work.

After you leave, frustrated by the experience, the thief moves in and removes the card with a pair of pliers. He then proceeds to use your card at other ATMs.

In Massachusetts, two men worked a card-withholding scam in ten towns in the Boston area, preying on young women. When a woman’s card got stuck, they would come up and sympathize, meanwhile memorizing her PIN as they tried to help her remove the card. Once she left, the thieves would extract the card using a fingernail file. If they weren’t able to get the PIN, one of the men would later call the customer and pretend to be a bank official or ATM security officer and get the number that way. The men stole more than ten thousand dollars from twelve different women before they were caught.

WHAT TO DO

The tip to remember here is, before you insert your card into a slot, take the time to inspect the card slot for any residue. If you notice any, don’t use it. And if you see a notice on a machine advising you to enter your PIN multiple times, don’t even think of using that machine. Believe me, the bank didn’t put that sign there.

Police in New York arrested a man who had been stealing PINs at ATM machines in Manhattan and then tricking his victims, usually senior citizens, into reinserting their card under the guise of “clearing the machine.” Once the customer did so and left, the thief would linger, punch in the stolen PIN and make additional withdrawals. There’s no need to “clear a machine.” Once your transaction is done, there’s never any reason to insert your card again, no matter who tells you to.

Common sense is always the best defense against any form of crime, but it astounds me how often people neglect to use any sense at all. Consider this con that succeeded in netting its perpetrator a nifty one hundred fifty thousand dollars. The man positioned himself outside the locked door of an ATM enclosure, and posed as a bank security officer. When customers approached the enclosure to use one of the ATMs, he would introduce himself and tell them he needed their assistance in catching a dishonest bank employee who had been driving management crazy. Could they please leave their bank cards under the locked door? He’d personally assure them he would get their cards back to them by the next day.

For those who complied, the con man would then fish the cards out from under the door. The next day, an accomplice would call the cardholder and report that the employee had been apprehended. He wanted to thank him for his help. Then he would point out that since the dishonest employee had come into contact with the card, the bank would have to give the customer a new PIN. Could he please have the old PIN to verify that he was speaking to the actual cardholder?

Incredibly enough, more than three hundred ATM users fell for this ruse. As enthralling as it sounds, I can assure you that a bank is never going to use a customer to assist it in nabbing a crooked employee. It will use a security guard or enlist a police undercover detective. Real life is nothing like the movies.

AND WITH SOME HEAVY EQUIPMENT . . .

Some criminals will physically assault an ATM. A thief in Norfolk, Virginia, broke through the ceiling of an ATM enclosure and used a crowbar and a blowtorch to try to get into the machine and collect the cash inside it. The machine put up a good fight, but it really took a pounding. There were scorch marks on the ATM from the blowtorch. There were scars from the crowbar. The handle of the door was broken off. The combination lock was destroyed.

A crook armed with the proper tools can break into many ATM machines within fifteen minutes. ATMs are actually rated on how resistant they are to physical assault. A certain model may have a TL-15 or a TL-30 rating, the number indicating the time it would take for a skilled thief to break into it with the right tools, and given a suitable environment. But a thief rarely has that much time, because ATMs are outfitted with detectors sensitive to things like vibration and heat. These detectors are usually silent, so the criminal doesn’t know the police are on the way.

There was a mechanical engineer, however, who was very successful at breaking into ATMs. At one time, he used a burning bar on ATM vaults. Later, he used an industrial magnetic drill. Then he manipulated the locks and combinations on the ATM chests. He was ultimately caught, but not before he did a lot of damage and collected a good deal of money.

I always tell banks, keep the ATM area well lit and free from obstruction. Don’t create hiding places with bushes or ornamentation near the machine. Put video cameras in the ATM enclosure to record criminals on tape. There are various types of alarms and time locks and relocking devices. If time locks are used, you can bet that no criminal is going to wait around for the time to elapse.

Generally speaking, it’s not that easy to find an environment where a crook can spend even as little as fifteen minutes with a blowtorch opening up a machine without attracting attention. That’s why crooks who are after the cash inside a machine—a convenience store machine may have as much as ten thousand dollars in it and one at a bank could contain something like seventy-five thousand dollars—will more likely just cart the whole machine off with them. A few years back, two criminals walked into a convenience store and identified themselves to the seventeen-year-old clerk as representatives from the bank. They said the ATM needed to be repaired, and they put it on a dolly and made off with it.

For the most part, though, relatively few thieves bother risking pulled muscles when they can make so much more money by ripping off card numbers.

THERE’S NOTHING LIKE OWNING YOUR OWN

Criminals are pretty nervy, and I’ve learned to never be surprised by what someone will try to get away with. And, given the right circumstances, you can get away with almost anything—up to a point.

The nerviest form of ATM fraud is when the thieves actually set up their very own bank machine. Here’s a case that I still shake my head over. One weekend a few years ago, two men dressed as bank employees arrived and set up a perfectly ordinary-looking ATM in a popular shopping mall in Manchester, Connecticut. Mall officials had swallowed their con that they were from a New Jersey outfit called Electronic Cash Machines. I’m not sure they did any background check on them whatsoever.

In any event, the machine didn’t dispense money. It wasn’t even connected to a phone line that would have enabled it to be linked to a bank network. It was simply plugged into an electrical outlet. What the bogus machine did do was record the card numbers and personal identification numbers of customers who inserted their cards in futile attempts to get some cash. That was all the thieves needed. They then manufactured counterfeit cards with the customers’ numbers, went to working machines in New York, and gradually drained their accounts.