This is the first of three posts in which we will explore all the issues around credit card fraud, including how fraudsters steal credit card details, how they use this information, how you are protected and the action you can take to protect yourself. Part one details the techniques that fraudsters employ to maliciously access data and steal money, techniques that we should all be aware of in order to help protect ourselves from such criminality.
Fraud has existed for as long as people have interacted financially, and has developed in parallel to the technologies used to carry out these transactions. As banks, businesses and services create new ways to protect themselves and their customers from fraud, so too criminals have invented new ways to steal information and money. In today's world, with most financial transactions taking place electronically, the focus of this type of crime has fallen on identity theft, credit card fraud and Internet scams.
Skimming a credit card's details is principally the technique of swiping the card through a card reader to copy the details contained in its magnetic strip, information which is ultimately be used to generate cloned cards to be used fraudulently.
Handheld skimmers, as the name suggests, are small devices for skimming that can fit into a criminal's hand and pocket, such as the example we see above. This type of deception takes place when a transaction allows the fraudster to swipe the card out of view of the owner, so potential perpetrators may include waiters and waitresses, bar staff and gas pump attendants.
Cashiers may use sleight-of-hand techniques to swipe a card during a payment. It is also possible for a skilled thief to discreetly steal a credit card from a wallet, swipe the data and return the card to its unsuspecting owner, who only becomes aware of the crime when money is drained from their bank account using a duplicate cloned card.
A handheld skimmer can store the details of hundreds of cards, so the scope for abuse is huge, even through the actions of a single criminal. According to convicted credit card fraudster Dan DeFelippi
, who was found guilty of fraud and ID theft in 2004, once a thief has collected card details "they sell the data online. I'd pay $10 to $50 for the information from one card. Then I'd use an encoder to put that data on a fake card, go into a store and purchase stuff
Credit card details are also illegally copied by means of skimmers deviously attached to ATMs. The skimmer is fitted over the card slot, disguised to appear like a genuine piece of the ATM, and may be used in combination with a pinhole camera to record victims entering their PIN, or a false keypad placed over the real digits to record and wirelessly transmit the numbers to the criminal. The technology used in this type of crime has become incredibly sophisticated and difficult to detect by the untrained eye.
A recent example of this type of fraud is the case of a gang of five Bulgarian men arrested and incarcerated in Montgomery County, Pennsylvania, accused of scanning ATMs
around the district. According to Montgomery County DA Risa Ferman the men used high tech scanning devices to copy victims' card details and proceeded to steal nearly $135,000 from as many as 143 ATM customers. Ferman says the authorities do not always catch this type of fraudster: "It is not until sometime after the fact that victims even learn that they've been compromised. And by that time, the likelihood is that these fellows just completely disappear
set up by criminals to steal victims' details for credit card fraud and identity theft.
This is just one example of fake websites, which are becoming ever-more sophisticated in luring unsuspecting customers to hand over their essential personal information. Convicted fraudster DeFelippi
states that "it is really easy to create a fake online store or to create a store that sells stuff, but its real purpose is to collect credit card information. If a deal is way too good to be true, it's probably a scam and they just want your information
Anyone in possession of an email account will have encountered examples of phishing, messages sent by criminals in the hope of the recipient handing over sensitive information, mistakenly thinking the request for data has come from a genuine source. The name for the practice originates from the mid-1990s when hackers sent false messages to AOL customers, fraudulently posing as staff members to gain access to customer accounts.
Over the years scammers have sent emails under the guise of all types of businesses, often using big banks such as Citibank, Bank of America, or Internet services such as PayPal
as cover. Although it is relativity unusual for a victim to pass their personal details to criminals as a result of phishing, the vast numbers of such emails sent everyday mean that even if a only a small percentage of victims fall for the trick it remains a rewarding enterprise for fraudsters.
Perhaps the most famous and widespread example of phishing is the "Nigerian email scam," which comes in a variety of forms, but usually involves a message of African origin offering a million US dollars in exchange for helping an individual transfer the inheritance form a dead relative. Despite the often-laughable quality of the messages and the impossibility of receiving a single cent, people do continue to give in to their naivety and greed, fall for the scam and lose their savings.
Unauthorized Leaks From Companies and Hackers
Other means for criminals to gain access to victims' sensitive data is through accidental and unauthorized leaks and security breaches by hackers. Customers entrust a huge amount of personal information to an increasing of companies and services. As many people currently perform most of their financial transactions online there are many points at which leaks may occur. A recent high profile case of this was in Australia where Vodafone managed to allow thousands of customers' details including names, credit card details, home addresses and driver's license numbers to become freely available to view on the Internet.
While Vodafone seeks to reassure customers that there data is safe, the Australian Privacy Commissioner is set to investigate whether the leak constitutes a breach of the country's Privacy Act. Such cases should cause us to reflect on the amount of information we trust to supposedly "respectable" companies and the level of care taken in handling our personal data.
Foolish Customer Behavior
Finally, it's worth considering a couple of cases where credit card fraudsters have gained access to bank accounts by the actions of their victims, actions that could be thought of as foolhardy to say the least.
In 2007, Todd Davis, the CEO of identity theft protection company LifeLock
, decided to demonstrate the security of the company's systems by displaying his social security number on Internet and billboard advertising. Apparently the systems were not as reliable as Davis would have liked, and criminals took the ads as an invite to access his bank accounts. The Phoenix New Times reported that between 2007 and May 2010 Davis had his identify stolen and bank account compromised no less than 13 times, a clear lesson in the importance of protecting your personal data.
The second example involves British broadcaster and writer Jeremy Clarkson, who presents a motoring show for BBC Television. In 2007, Clarkson's credit card was cloned after he stopped to fill up at a gas station in California during a trip to the US. Fraudsters emptied around $56,000 from his bank account. The following year, in an act of bravado to prove that money is safe with banks he published his account details in a newspaper article, along with information on how to find his address and what car he drives. Clarkson was forced to concede he was wrong about the level of safety when someone used the data to fraudulently access his bank account. Fortunately for him, the prankster was far more kind-hearted that your usual credit card criminal, only using the information to arrange a direct debit to make monthly payments of £500 from Clarkson's account to a UK charity.
The criminal techniques explored above demonstrate that fraudsters will exploit any possibility to gain access to card user's details by ever-more cunning means, and the increasing importance for us all to protect our essential personal data. In part two of this series we explore how fraudsters use stolen information, and the ways in which your data is protected.
James works with
www.CreditCardCompare.com.au where he contributes articles to their blog and learning
centre. To get in touch, follow @thecreditletter on Twitter.