6
[CARD GAMES]
Outside Miami International Airport, a new rental car franchise opened up a few years ago, begun by several enterprising young men. It was billed as one of those Rent-A-Wreck places that rented less-than-perfect cars at lower rates than the major chains like Hertz and Avis. The deal here was an awfully tantalizing one: a wreck for ten dollars a day, and no mileage charge. People arriving on flights took a look and thought it was a terrific price. The cars moved briskly.
In subsequent weeks, a spate of fraudulent credit card transactions were confounding law enforcement agents and credit card companies. They were on all sorts of cards and dispersed around the country in almost haphazard fashion. The authorities looked in vain for some sort of pattern, some fragile thread that might connect them. One finally emerged. It turned out that every card that had been used in the fraudulent purchases had also been used legitimately by the cardholder at the new Rent-A-Wreck at the Miami airport.
A little more investigation broke the case open. It seems that the young men weren’t really interested in making a living renting cars at extraordinarily low prices. That was simply their cover. Their true business was recording the credit card numbers of everyone who came through and selling them to a ring of credit card thieves. The thieves then used them to make the illegal transactions.
In the world of fraud, it helps to remember that things are never what they seem. In fact, they are often the opposite of what they seem. I’m reminded of that little demonstration in the David Mamet con artist movie, “House of Games.” Two men, one a soldier, are waiting at a Western Union office for money that’s supposed to be wired to them. They don’t know each other. The other man tells the soldier he sure hopes his money comes, and the soldier says the same thing. You know, the man says, if my money comes in first, I’ll give you some of it, because I know you’ll pay it back and I know you’d do the same for me. The soldier is warmed by this generosity. But of course no money is being wired to the man. He’s the scam artist. When the soldier’s money comes, he offers to give some to the other man and he’ll never see it again. At the Miami Airport, people thought they were renting a car and they were actually donating their credit cards to thieves. It could be happening anytime you use your credit card, if you don’t know who you’re dealing with.
CUT THE CARDS
We all understand “sticker shock,” that numb feeling you get when you go shopping for a new car. Well, now there’s “statement shock.” That’s when your credit card has not left your wallet for weeks but you receive your monthly bill and it looks like you spent the entire month shopping on Rodeo Drive. Most likely, you’re a victim of counterfeiters helping themselves to your credit. As I pointed out earlier in the chapter on checks, check fraud far outstrips credit card fraud. But plastic fraud is an accelerating problem, too, and new card tricks keep getting devised to enable crooks to enrich themselves.
Federal law generally limits a cardholder’s liability for use of a stolen credit card to just fifty dollars. If you report the stolen card promptly, the issuer will typically waive that fifty dollars as well, as a goodwill gesture. So it’s not the consumer who is hurt by card theft, but the issuers. All fraud losses, though, get reflected in higher prices, so, one way or another, the money ultimately comes out of everyone’s pocket.
In the 1990s, it became commonplace for forgers to start altering existing credit cards. The simplest thing criminals do is to tell garbage collectors that for every intact card they find in the garbage and turn over to them, they’ll pay them thirty-five dollars. Even though credit card companies repeatedly admonish cardholders to cut up their old cards before discarding them, I’m amazed that most people don’t. They assume that because the card’s expired, it’s worthless, so just toss it in the trash.
Once they’ve got the cards, the thieves can’t go out and use them, because verification machines will reject them as expired. So they need to make a few appropriate modifications. They take a handkerchief and lay it over a card. Then they put a hot iron over the handkerchief. The heat and weight of the iron melts the embossing. In other words, it flattens the raised letters and digits that constitute the name, account number, and expiration date. Putting the card in boiling water will accomplish the same thing. With a card embosser, which is easily and inexpensively obtained from an office supply store, they put on a new, illegally-obtained name, number, and expiration date.
Finally, they turn the card over, and with a paper clip, put a scratch in the magnetic stripe. Thus when they go to use the card, the damaged magnetic stripe won’t work when a clerk swipes it through the verification terminal; instead, he’ll be forced to read the newly-embossed number over the phone to obtain the authorization code. Clerks need to be told to proceed with caution when a card’s magnetic stripe will not operate with their card swipe unit. It may be honestly bad or it may be intentionally bad.
To catch people embossing new numbers on cards that have been ironed flat, card companies have been printing the card number again on the back of the card in small type, often just above or on the magnetic stripe. The number is flat, so an iron won’t melt it off. Sounds good. But crooks have figured that one out, too. They print up little stickers that say, in one instance, “Warning. This card registered” and then showing an American Express logo and a toll-free number to call for assistance. Then they put the sticker right over the account number on the back. It fools clerks every time.
For its credit cards, Citibank came up with the enterprising idea of affixing a person’s picture to the card as an added security measure. As a further precaution, anyone receiving a card has to come into a Citibank branch and get their picture taken there. For the most part, this was a good idea. There’s just one problem. If you live out of state and thus can’t get to a Citibank branch, the bank allows you to mail in your photo. But it has no way of knowing if that is actually your picture. There’s always a loophole.
Criminals even have a way of making invalid cards work overtime. Forgers will replace the magnetic stripe with a test stripe of their own that causes a verification machine to read a dummy approval code without transmitting the information. This instant approval registers on the machine less than a tenth of a second after the card is swiped. One way to identify a fake card is to slowly swipe the card. The approval code, instead of quickly appearing in its entirety, will print out, number by number, in the display window. That’s impossible with a valid card. Newer verification machines can’t be fooled by this maneuver, but there are still a lot of older ones around.
WHAT TO DO
As a consumer, the thing to remember is, don’t toss away an expired card intact, and put the pieces in at least two different garbage receptacles. If I’m traveling, I’ll toss one half in the garbage at the airport I’m leaving from and I’ll carry the other half with me and throw it away in the airport where I land.
ONE PERSON’S TRASH IS ANOTHER’S TREASURE
You must be continually proactive. If you buy a club for the steering wheel of your car to protect it from being stolen, why wouldn’t you do the same thing for your credit? People get notices in the mail every day telling them they’ve been preapproved for a Visa card. They already have a wallet stuffed with plastic, so they throw the whole thing away. The garbage collectors pick them up, open them, take out the coupon and check, “Yes, I want it.” Has the address changed? They check “yes” and write in the new address. And they get your Visa. Rip those envelopes up before you throw them out. Don’t make it so easy for criminals to take advantage of you.
Everyone needs to be a little more circumspect with credit card numbers. Merchants dealing with account numbers lapse into a kind of autopilot and treat them as if they were no more significant than last night’s baseball scores. I was riding in a cab once when the dispatcher’s voice crackled over the radio: “Hey, I didn’t get that last credit card.” “No problem,” the cabbie said. “I’ll read it to you again.” And he proceeded to do just that, while I’m sitting there within earshot. All I had to do was scribble down the information and then start charging things on the phone or the Internet.
Sometimes, credit card companies find it convenient to have you write your account number on the outside of your remittance envelope. Criminals will drive up to your mailbox, look for just those envelopes, and take down your account number. Once they have it, they’ll access your account to get credit. Never write your account number on the outside of an envelope. You might as well take out a newspaper ad advertising your credit to the world.
BEWARE HELPFUL HANK
There are innumerable dodges credit card thieves use to get hold of valid credit card numbers. To try to stamp out fraud, credit card issuers stopped using carbons of card imprints a few years ago, because people would leave these carbons behind, or toss them intact into the garbage, and crooks would get the account numbers off them. Thieves called these carbons “black gold.” But other techniques have been developed to pick up the slack. One familiar approach is to dupe a merchant into giving you a number. That might sound like a lot to ask for. It isn’t. What a criminal will do is call up a small local business—a gas station, a pet store, a florist—anyplace that does steady credit card business. He hopes to get a gullible clerk, and he usually will.
“Hello, this is Joe from MasterCard,” he’ll say. “I’m returning your call.”
“What call?”
“I just got word that there was a problem with your verification machine. Are you encountering any difficulties with it?”
“Uh, no, not that I’m aware of.”
“Well, you know what happens is, when something goes amiss on a transaction, the machine will automatically send out a signal to our central processor indicating that there’s a problem. That must have been what went on here. Did you just do a transaction?”
“Yeah, maybe five minutes ago.”
“Good, that must be the one. Let’s check that transaction. What was the card number?”
He’ll read off the card number from the store’s receipt.
“Now, what’s the expiration date?”
He’ll read that off.
Just to keep the ruse sounding good, the crook will ask for the amount of the purchase, although that doesn’t interest him. He’s already got all that he needs.
Crooks usually pull these little capers in the evening, when there are always a lot of transactions and when the manager has gone home. Managers are a lot less likely to fall for this routine than a clerk, but you’d be surprised how often a manager will bite, too.
WHAT TO DO
It can be that easy. And it can be just as easy to avoid that ever happening. All you have to do is teach your employees that if they ever get a call purporting to be from a credit card company, tell them you’ll call them right back. Then make sure that’s where they’re from. Don’t take someone’s word on the phone for who they are. Often, it’s a con artist, and you know how good his word is.
And when you’ve handed your card to a salesclerk to make a purchase, take the time to examine it when you get it back. The vast majority of the time, you get the same card back. But not always. Dishonest salesclerks will pocket your card and hand you a fake or expired card, the old “bait and switch” scam, because they know most people will put the card back in their purse or wallet without even glancing at it.
Have you ever gotten home and received a phone call from someone who tells you he found your wallet at the store you just came from and he’ll put it in the mail to you that afternoon? You check, he’s right, and you’re immensely relieved that your wallet was found by such an upright citizen.
You shouldn’t be. Too often, the guy who stole it out of your purse is the one who’s calling, and with that telephone call he’s buying himself time. Now, because he’s called to tell you he’s sending you the wallet, you don’t contact your credit card companies and cancel the cards and he’s got an extra day or two to use them. Never delay in reporting a credit card lost or stolen, or the next pickpocket will take a vacation on you.
SO THAT’S WHAT HIGHER MATH WAS FOR
The number of people who potentially have access to your credit card or credit card number can be mind-boggling. For instance, the job of a worker for Northwest Airlines was to load and unload mail on Northwest flights arriving and departing from Metro Airport in Detroit. He would transport the mail back and forth between the planes and the airport’s postal facility. Not all of the mail made the flights. He would make a point of stealing a certain amount of letters and rummaging through them for credit cards or credit card numbers. He shared his bounty with some associates, who used the cards to purchase merchandise. When he was caught, police found more than six thousand letters in his home and car.
There are cheap dates and there are cheap bribes. Seven clerks who worked in the New York offices of the Social Security Administration were willing to accept between ten dollars and seventy-five dollars to reveal a person’s birth date and mother’s maiden name to a group of Nigerians, ones apparently taking time off from sending out letter scams. The Nigerians needed the information to activate new credit cards they had intercepted before they got to their rightful owners. A common security feature credit card issuers use is the requirement that a cardholder receiving a new card must call a toll-free number and give his mother’s maiden name, date of birth, and other information. Over a relatively short period of time, the Nigerian ring rounded up a breathtaking twenty thousand cards and charged more than $10 million on them.
But it’s not even necessary to steal credit card information. That’s usually for the amateur crook. A true criminal knows exactly where to go to get it, and that’s from what we call a credit card generator. There are maybe a dozen or so websites around the world that are maintained for criminals by other criminals, a nice little service in the intricate fraud network. If you know the code to get into the website, you can get any information that you want. The people who maintain the sites generally charge someone five thousand dollars to ten thousand dollars for regular use. It may sound like a lot, but it’s a bargain considering what you get for your investment.
Once you get onto the home page of the site, you enter a code. That takes you to the next screen. You’re asked what information you want. Do you want an American Express card number, Diner’s Club, Discover Card? Maybe you just want a utility company account number? Whatever you click on brings you to the next page. Say you check Visa. Then you’re invited to select an institution: Citibank, Bank of America, Household Bank. You click on one, and within twenty seconds you get the names, numbers, and expiration dates of valid cards. Number after number after number. Each of these generators contains thousands of card numbers. I’ve checked them out, and I’ve never logged on and not gotten a valid card.
There are also software programs that will essentially pluck valid credit card numbers out of the air. Legitimate card numbers generally end with what’s called a “check digit.” It’s a number added for the purpose of validating the authenticity of the card number. This check digit is derived from the card’s other numbers by what is known as a Luhn formula or Mod-10 algorithm. I’m not going to get into higher math, but suffice to say, a quick way to verify a card number is to run the algorithm and compare the check digit you get with the check digit encoded with the credit card number. As it happens, the Mod-10 algorithm is fairly widely known and assorted computer programs use it to churn out numbers likely to fool authorization checks.
Now, these don’t always prove useful, as the issuing bank will normally confirm the number, expiration, and mailing address when you make an Internet purchase, thus thwarting any software-generated account number. But for inexpensive purchases, generally those under twenty dollars, and often higher amounts overseas, banks commonly run a “stand-in” check, a quick authorization that does nothing more than see that the account number is valid against the “check digit.” Consequently, thieves armed with these computer-generated numbers will log onto online merchant sites and type in number after number until they find one that gets taken, and then they make a blizzard of small purchases.
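The gap between the check-digit test and a real authorization, and the "number after number" pattern it invites, can be shown in a few lines. This is an added example, not material from the book: the issuer records, client addresses and attempt log are constructed, the card numbers are the publicly documented test numbers, and the ten-minute window and three-card limit are assumed values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

STAND_IN_FLOOR = 20.00  # the chapter's "under twenty dollars" threshold
# Constructed issuer records: the one account this toy issuer really opened.
ISSUED_ACCOUNTS = {"4012888888881881"}


def luhn_valid(pan):
    """Mod-10 (Luhn) check: True if the last digit matches the other digits."""
    s = pan.replace(" ", "").replace("-", "")
    if not (s.isascii() and s.isdigit()) or not 12 <= len(s) <= 19:
        return False
    total = 0
    # Walk right to left, doubling every second digit (the check digit is not doubled).
    for i, ch in enumerate(reversed(s)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def stand_in_approves(pan, amount):
    """The quick check described above: small amount, check digit only."""
    return amount < STAND_IN_FLOOR and luhn_valid(pan)


def full_authorization(pan):
    """What the issuer can do that the check digit cannot: confirm the account exists."""
    return luhn_valid(pan) and pan in ISSUED_ACCOUNTS


def find_card_testing(attempts, window=timedelta(minutes=10), max_distinct=3):
    """Return {client: distinct card count} for clients that tried more than
    max_distinct different card numbers inside any single window."""
    by_client = defaultdict(list)
    for ts, client, pan, _amount in sorted(attempts):
        by_client[client].append((ts, pan))
    flagged = {}
    for client, rows in by_client.items():
        start = 0
        for end in range(len(rows)):
            # Slide the left edge forward until the window fits.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            distinct = len({pan for _, pan in rows[start:end + 1]})
            if distinct > max_distinct:
                flagged[client] = max(flagged.get(client, 0), distinct)
    return flagged


# Constructed attempt log: (time, client address, card number, amount).
T0 = datetime(2024, 1, 1, 21, 0, 0)
SAMPLE_ATTEMPTS = [
    (T0, "203.0.113.7", "4111111111111111", 1.00),
    (T0 + timedelta(seconds=40), "203.0.113.7", "5555555555554444", 1.00),
    (T0 + timedelta(seconds=75), "203.0.113.7", "4111111111111112", 1.00),
    (T0 + timedelta(minutes=2), "203.0.113.7", "5105105105105100", 1.00),
    (T0 + timedelta(minutes=4), "203.0.113.7", "4012888888881881", 1.00),
    (T0 + timedelta(minutes=5), "198.51.100.20", "4012888888881881", 12.50),
    (T0 + timedelta(hours=2), "198.51.100.20", "4012888888881881", 8.00),
]

if __name__ == "__main__":
    for ts, client, pan, amount in SAMPLE_ATTEMPTS:
        print(client, pan[-4:],
              "stand-in:", stand_in_approves(pan, amount),
              "issuer:", full_authorization(pan))
    print("card-testing suspects:", find_card_testing(SAMPLE_ATTEMPTS))
```

A number that passes the stand-in check but fails the issuer lookup is exactly the case the chapter describes, which is why a merchant-side count of distinct cards per client is worth keeping even when each individual charge is approved.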
In so many ways, the Internet has opened up a wide new avenue for crooks to get hold of your card number and use it for nefarious purposes. I’ll discuss this and other computer crimes in further detail in a later chapter on the Internet.
MING’S BOOSTER RING
Account boosting is yet another popular trick of credit card thieves. This is a scheme where criminals acquire legitimate credit cards and accrue balances on them. The criminal then sends the issuer a payment by overnight delivery using a stolen or counterfeit check. The payment exceeds the balance, and thus “boosts” the account’s credit line. Under Federal law, banks have to post card payments before the checks clear and so they have no choice but to credit your account. The next day, the criminal goes to a bank machine and withdraws the excess amount on that card. Later, of course, the check bounces.
A Vietnamese criminal named Minh C. To, also known as Big Ming, headed up a credit card ring that recruited legitimate cardholders to overpay their credit card accounts using counterfeit checks. Once the accounts were boosted by the checks, Big Ming and the recruits would start buying merchandise. Big Ming would fence the goods and split the profits with the recruits. To cap off the scheme, he had the recruits file for bankruptcy so they wouldn’t be liable for the debt. Before Big Ming was stopped, the ring defrauded credit card issuers of more than $100 million.
So it pays for card companies to be very suspicious of any payments that exceed what a cardholder owes.
BANKING ON YOUR EMBARRASSMENT
And there are endless ingenious schemes criminals employ to tack on charges to your credit card. A group of thieves, apparently from Russia, created a phony adult porn website. They then stole 3 million credit card numbers from a computer database, and had the site bill each account ten dollars. Otherwise, they didn’t use the cards. The amount was so small that many customers didn’t even notice it. Others did, but were too embarrassed to report it as being unauthorized to the bank. Those ten dollar charges added up to $30 million in charges. Oddly enough, law enforcement authorities were convinced that the real purpose of this game was to launder money.
DEBIT CARDS—THE DOWNSIDE
A lot of consumers like the idea of using a debit card rather than a conventional credit card. With a debit card, money comes right out of your own bank account when you make a purchase. There’s no bill thirty days later. By using a debit card, you’re deprived of a month’s worth of float, and since we’re a country built on float, most people don’t like them. I’m one of them. But there’s another issue with them that bothers me. Since the money is immediately extracted from your account when you make a purchase, it becomes harder to contest a fraudulent charge. On a credit card, if something is on your statement that you didn’t buy, you refuse to pay for it. With a debit card, the money’s already gone and you’ve got to try to recover it. And the law doesn’t protect you as well. If you don’t report a lost card within two days, you can be liable for up to five hundred dollars. And if you don’t report an unauthorized transaction within sixty days of when your latest statement was issued, there’s no liability limit at all, just the size of your bank balance.
I don’t own a debit card myself. Two of my three sons, though, use them. They tell me they don’t like writing checks and that’s why they have them. Young people, it seems, are bothered by the chore of writing checks, so it may be a generational thing.
SEARCH THAT WAITER
In the last few years, an entirely new approach to credit card fraud has opened up. A case that was reported in Time magazine told about a crook in Miami who had charged more than five hundred thousand dollars against a hundred different American Express cards. American Express had determined that none of the cards had been stolen. That meant they had to be counterfeit. But that was a lot of cards.
American Express ran elaborate computer analyses of the account numbers and their recent activity. What it found was startling. Each of the victimized cardholders had recently eaten dinner at one of two New York restaurants. What did that mean?
Federal agents in New York obtained the cooperation of the owner of one of the restaurants, a Brazilian steak house called The Plantation. He was an honest and reputable owner, and he was as puzzled as anyone about the seeming connection between his restaurant and the fraudulent cards. In short order, after searching the employee dressing room, the agents found the answer in an open locker: a skimmer.
A skimmer is one of the newest and much-prized toys on the frontlines of fraud. It’s a compact, battery-powered black device, not much larger than a hand-held Palm or a cell phone. It has a slit in the front, and Velcro is affixed to the back. When a credit card is swiped through the slit, the skimmer reads and stores all of the data that is embedded on the card’s magnetic stripe—the card number, the cardholder’s name, and the invisible encrypted verification code. The chip in the skimmer can hold information for up to three hundred cards. The data can then be readily downloaded onto a computer and used to make counterfeit cards.
That’s precisely what was going on in The Plantation. A waiter kept a skimmer concealed inside his jacket. When a customer gave him his card, he stealthily swiped it in his skimmer before taking it to the cashier. He did it in a flash. He then sold the numbers to a criminal ring.
This sort of chain has become increasingly common. It goes on in department stores, hotels, and gas stations, as well as restaurants. Card numbers are picked up by the sales help and then e-mailed to card-cloning mills, all for money. Often the mills are run by organized crime syndicates, and they could be anywhere in the world. In essence, these rings operate counterfeit card factories. With a thermal dye printer, they put the colored graphics onto what’s known as “white plastic,” a blank card with a magnetic stripe on the back. Next, an embosser adds the victim’s name and account number. Then an encoder puts the verification code onto the magnetic stripe.
The final touch is to apply a hologram onto the face of the card. Since 1981, credit card companies have used holograms to guard against fraud, but one upshot of this has been the emergence of sizable counterfeit hologram operations in Taiwan, Hong Kong, and China. Smugglers regularly bring fraudulent holograms into the United States, and sell them for five dollars to fifteen dollars apiece. On a legitimate card, the hologram is embedded in the plastic when the card is manufactured. On a counterfeit card, a hologram decal is attached to the card. If you examine the card closely, you should be able to feel a decal protruding slightly above the surface of the card.
Skimming is an immense problem. With stolen credit cards, the criminal has a narrow time frame in which to make purchases, but with skimmed cards nobody knows these cards are out there until a victim gets his statement, which can be more than thirty days after the crime took place. That’s a lot of time to rack up illegal charges.
The skimming threat has worsened because the skimmers have gotten smaller. A few years ago, the forerunners of today’s tiny skimmers were devices the size of portable computers. They would be concealed under gas station counters, where attendants would run cards through them without the customers’ knowledge. The miniature versions came out in early 1999.
Some of the credit card companies are trying to use computer analyses to fool skimmers. Say someone in Taiwan tries to buy something with a card that hours earlier was used in Wisconsin. The computer could be programmed to reject the transaction. But given the gigantic number of cards in circulation, it gets expensive to do this and isn’t practical on a large scale.
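The Wisconsin-then-Taiwan check can be sketched as a per-card comparison of consecutive in-person transactions. This is an added example, not an issuer's actual system: the transaction records, card tokens and coordinates are constructed, and the 1,000 km/h speed limit and 50 km minimum distance are assumed thresholds.

```python
import math
from datetime import datetime

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 1000.0  # assumption: a little above airliner cruising speed


def haversine_km(a, b):
    """Great-circle distance in km between two (latitude, longitude) points."""
    lat1, lon1, lat2, lon2 = map(math.radians, (a[0], a[1], b[0], b[1]))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(h))


def impossible_travel(transactions, max_kmh=MAX_PLAUSIBLE_KMH, min_km=50.0):
    """Return (card, earlier id, later id, km, hours) for consecutive card-present
    transactions on one card that no traveller could have made."""
    last_seen = {}
    alerts = []
    for txn in sorted(transactions, key=lambda t: t["time"]):
        if not txn["card_present"]:
            continue  # phone and online purchases say nothing about where the card is
        prev = last_seen.get(txn["card"])
        last_seen[txn["card"]] = txn
        if prev is None:
            continue
        km = haversine_km(prev["where"], txn["where"])
        hours = (txn["time"] - prev["time"]).total_seconds() / 3600
        # hours == 0 covers two distant swipes with the same timestamp.
        if km >= min_km and (hours == 0 or km / hours > max_kmh):
            alerts.append((txn["card"], prev["id"], txn["id"],
                           round(km), round(hours, 2)))
    return alerts


# Constructed records; "card" is an opaque token, not an account number.
MADISON, CHICAGO, TAIPEI = (43.07, -89.40), (41.88, -87.63), (25.03, 121.56)
SAMPLE_TXNS = [
    {"id": "t1", "card": "card-A", "time": datetime(2024, 3, 1, 14, 0),
     "where": MADISON, "card_present": True},
    {"id": "t2", "card": "card-A", "time": datetime(2024, 3, 1, 15, 0),
     "where": None, "card_present": False},
    {"id": "t3", "card": "card-A", "time": datetime(2024, 3, 1, 17, 0),
     "where": TAIPEI, "card_present": True},
    {"id": "t4", "card": "card-B", "time": datetime(2024, 3, 1, 9, 0),
     "where": MADISON, "card_present": True},
    {"id": "t5", "card": "card-B", "time": datetime(2024, 3, 1, 13, 0),
     "where": CHICAGO, "card_present": True},
]

if __name__ == "__main__":
    for alert in impossible_travel(SAMPLE_TXNS):
        print("reject or review:", alert)
```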
THE FUTURE GETS SMART
The technology of the future is Smart Cards. These are credit card–sized plastic cards that contain an integrated circuit chip instead of a magnetic stripe. It’s the chip that makes it “smart.” In essence, it’s a credit card outfitted with a “brain.” The card is actually more powerful than the first desktop computer. That little chip can store a hundred times more information than a magnetic stripe, which is limited to just three lines of information: your name, the account number, and your PIN number.
A Smart Card chip can be configured to include everything a person needs and replace all of his other credit cards, phone cards, and health care cards. For example, you go to a store and buy a turtleneck sweater and hand the clerk a Smart Card. The clerk asks what account do you want it on: Visa, American Express, Macy’s? They’re all on that chip. So your Smart Card is a full-fledged electronic wallet. Someday, we’ll even have a Smart Card driver’s license. When the police stop you, they run the card through a reader and your entire driver’s record will come up. Hawaii has already been experimenting with these.
Smart Cards were invented in France and have been around for about twenty years. Billions of them are already in use throughout the world—in Western Europe, South America, Asia, and Australia—but it’s going to be a few more years before they become widespread in the United States. For that to happen, merchants have to be willing to invest in Smart Card readers and junk their credit card verification equipment. And Americans still like checks and credit cards, so there will have to be a cultural shift.
Are Smart Cards invulnerable? No, nothing is. They’re tougher to defeat than conventional cards, but they can be defeated. Criminals with extraordinary knowledge of encryption have broken the encryption codes. Indeed, computer experts have bragged that there is no chip they can’t penetrate. A graduate student at the University of California at Berkeley used a network of about two hundred and fifty workstations to crack one type of chip. It took him four hours. Other thieves have found that if they can force the chip on the card to make a calculation error, that error can be used to extrapolate the data that validates the card when it gets used. One way to force an error, they found, was by bombarding the card with radiation. Some accomplished this by sticking the card in a microwave oven. Criminals have even popped out the chips and replaced them with their own.
In 1999, a French engineer, after four months of work, managed to make counterfeit French Smart Cards that he used at an automatic machine to buy tickets for the Paris Metro subway system. He offered to sell his technique to the bank consortium that issued the Smart cards for $1.5 million. Instead, the bank chose to have him arrested.
And any card is only as good as the internal controls at the card issuer. If a clerk in charge of encrypting the cards wants to sell the codes for $10,000 to some thieves, it will happen without reliable controls.
No matter what sort of card you have, the most important safeguard is to always carefully check your statements, and that goes for the five dollar charges as well as the five hundred dollar ones. While issuers and con artists continue their taut battle of one-upmanship, it’s the only reliable way to tell if you’re being scammed.
I must admit, there are days when I have to wonder if a criminal needs to even try all that hard. Not long ago, I was shopping in Neiman Marcus with my wife, and I saw a shirt I really liked and decided to buy it. My wife had a Neiman Marcus card, so she told me, “Here, use my card.” It had her maiden name on it and her signature, but if there was a problem I was going to tell the clerk, “My wife’s right over there, it’s her card.”
The clerk rang up the shirt, and put down the sales slip for me to sign. She took the card and flipped it over to look at the signature, my wife’s signature. It wasn’t the same name, much less the same signature. She held up the slip I had signed, held up the card, compared the two, thanked me very much, and handed me my shirt.