The Art of the Steal
“We believe an employee where you bank is stealing money,” they tell her. “We’d like you to help us out.”
“Oh, that’s horrible,” the woman says. “But what can I do?”
“We’d like you to go to the bank tomorrow and take out all of your money and bring it home. We’ll pick it up and get it marked. Then we’ll give it back to you to redeposit. If you help us, you’d be doing your government and your bank a tremendous service, and there’ll be a reward for you.”
It sounds like someone would have to be awfully credulous to bite on this one, but this scam has been going on forever and people still fall for it, and usually the people who can least afford to be ripped off.
I get angry at the banks over these schemes, because they don’t take them seriously enough. When I hear about another one going down, I’ll ask a bank officer, “This is an elderly lady. Why would you let her take out twenty thousand dollars or forty thousand dollars in cash?”
Their invariable reply is, “Well, it’s her money. You can’t ask too many questions.”
I don’t buy that. The real issue is that since the bank’s not liable for the loss, it doesn’t care enough to do something about it. As far as I’m concerned, that’s not good enough. I tell banks, if an old person makes a sizable cash withdrawal, have an officer sit down with the customer and ask a few questions. If an officer simply asks, “Did anyone talk to you about marking bills?” that alone can be enough to foil a theft.
As you can see, all these scams are artful dodges meant to part you from your money. There’s nothing occult about them. Once you know how they’re done, they seem so rudimentary, little more than child’s play. But they wouldn’t still be around if they didn’t work. With just a bit of knowledge and a healthy dose of suspicion, you can avoid their temptations.
6
[CARD GAMES]
Outside Miami International Airport, a new rental car franchise opened up a few years ago, begun by several enterprising young men. It was billed as one of those Rent-A-Wreck places that rented less-than-perfect cars at lower rates than the major chains like Hertz and Avis. The deal here was an awfully tantalizing one: a wreck for ten dollars a day, and no mileage charge. People arriving on flights took a look and thought it was a terrific price. The cars moved briskly.
In subsequent weeks, a spate of fraudulent credit card transactions were confounding law enforcement agents and credit card companies. They were on all sorts of cards and dispersed around the country in almost haphazard fashion. The authorities looked in vain for some sort of pattern, some fragile thread that might connect them. One finally emerged. It turned out that every card that had been used in the fraudulent purchases had also been used legitimately by the cardholder at the new Rent-A-Wreck at the Miami airport.
A little more investigation broke the case open. It seems that the young men weren’t really interested in making a living renting cars at extraordinarily low prices. That was simply their cover. Their true business was recording the credit card numbers of everyone who came through and selling them to a ring of credit card thieves. The thieves then used them to make the illegal transactions.
In the world of fraud, it helps to remember that things are never what they seem. In fact, they are often the opposite of what they seem. I’m reminded of that little demonstration in the David Mamet con artist movie, “House of Games.” Two men, one a soldier, are waiting at a Western Union office for money that’s supposed to be wired to them. They don’t know each other. The other man tells the soldier he sure hopes his money comes, and the soldier says the same thing. You know, the man says, if my money comes in first, I’ll give you some of it, because I know you’ll pay it back and I know you’d do the same for me. The soldier is warmed by this generosity. But of course no money is being wired to the man. He’s the scam artist. When the soldier’s money comes, he offers to give some to the other man and he’ll never see it again. At the Miami Airport, people thought they were renting a car and they were actually donating their credit cards to thieves. It could be happening anytime you use your credit card, if you don’t know who you’re dealing with.
CUT THE CARDS
We all understand “sticker shock,” that numb feeling you get when you go shopping for a new car. Well, now there’s “statement shock.” That’s when your credit card has not left your wallet for weeks but you receive your monthly bill and it looks like you spent the entire month shopping on Rodeo Drive. Most likely, you’re a victim of counterfeiters helping themselves to your credit. As I pointed out earlier in the chapter on checks, check fraud far outstrips credit card fraud. But plastic fraud is an accelerating problem, too, and new card tricks keep getting devised to enable crooks to enrich themselves.
Federal law generally limits a cardholder’s liability for use of a stolen credit card to just fifty dollars. If you report the stolen card promptly, the issuer will typically waive that fifty dollars as well, as a goodwill gesture. So it’s not the consumer who is hurt by card theft, but the issuers. All fraud losses, though, get reflected in higher prices, so, one way or another, the money ultimately comes out of everyone’s pocket.
In the 1990s, it became commonplace for forgers to start altering existing credit cards. The simplest thing criminals do is to tell garbage collectors that for every intact card they find in the garbage and turn over to them, they’ll pay them thirty-five dollars. Even though credit card companies repeatedly admonish cardholders to cut up their old cards before discarding them, I’m amazed that most people don’t. They assume that because the card’s expired, it’s worthless, so just toss it in the trash.
Once they’ve got the cards, the thieves can’t go out and use them, because verification machines will reject them as expired. So they need to make a few appropriate modifications. They take a handkerchief and lay it over a card. Then they put a hot iron over the handkerchief. The heat and weight of the iron melts the embossing. In other words, it flattens the raised letters and digits that constitute the name, account number, and expiration date. Putting the card in boiling water will accomplish the same thing. With a card embosser, which is easily and inexpensively obtained from an office supply store, they put on a new, illegally-obtained name, number, and expiration date.
Finally, they turn the card over, and with a paper clip, put a scratch in the magnetic stripe. Thus when they go to use the card, the damaged magnetic stripe won’t work when a clerk swipes it through the verification terminal; instead, he’ll be forced to read the newly-embossed number over the phone to obtain the authorization code. Clerks need to be told to proceed with caution when a card’s magnetic stripe will not operate with their card swipe unit. It may be honestly bad or it may be intentionally bad.
To catch people embossing new numbers on cards that have been ironed flat, card companies have been printing the card number again on the back of the card in small type, often just above or on the magnetic stripe. The number is flat, so an iron won’t melt it off. Sounds good. But crooks have figured that one out, too. They print up little stickers that say, in one instance, “Warning. This card registered” and then showing an American Express logo and a toll-free number to call for assistance. Then they put the sticker right over the account number on the back. It fools clerks every time.
For its credit cards, Citibank came up with the enterprising idea of affixing a person’s picture to the card as an added security measure. As a further precaution, anyone receiving a card has to come into a Citibank branch and get their picture taken there. For the most part, this was a good idea. There’s just one problem. If you live out of state and thus can’t get to a Citibank branch, the bank allows you to mail in your photo. But it has no way of knowing if that is actually your picture. There’s always a loophole.
Criminals even have a way of making invalid cards work overtime. Forgers will replace the magnetic stripe with a test stripe of their own that causes a verification machine to read a dummy approval code without transmitting the information
. This instant approval registers on the machine less than a tenth of a second after the card is swiped. One way to identify a fake card is to slowly swipe the card. The approval code, instead of quickly appearing in its entirety, will print out, number by number, in the display window. That’s impossible with a valid card. Newer verification machines can’t be fooled by this maneuver, but there are still a lot of older ones around.
WHAT TO DO
As a consumer, the thing to remember is, don’t toss away an expired card intact, and put the pieces in at least two different garbage receptacles. If I’m traveling, I’ll toss one half in the garbage at the airport I’m leaving from and I’ll carry the other half with me and throw it away in the airport where I land.
ONE PERSON’S TRASH IS ANOTHER’S TREASURE
You must be continually proactive. If you buy a club for the steering wheel of your car to protect it from being stolen, why wouldn’t you do the same thing for your credit? People get notices in the mail every day telling them they’ve been preapproved for a Visa card. They already have a wallet stuffed with plastic, so they throw the whole thing away. The garbage collectors pick them up, open them, take out the coupon and check, “Yes, I want it.” Has the address changed? They check “yes” and write in the new address. And they get your Visa. Rip those envelopes up before you throw them out. Don’t make it so easy for criminals to take advantage of you.
Everyone needs to be a little more circumspect with credit card numbers. Merchants dealing with account numbers lapse into a kind of autopilot and treat them as if they were no more significant than last night’s baseball scores. I was riding in a cab once when the dispatcher’s voice crackled over the radio: “Hey, I didn’t get that last credit card.” “No problem,” the cabbie said. “I’ll read it to you again.” And he proceeded to do just that, while I’m sitting there within earshot. All I had to do was scribble down the information and then start charging things on the phone or the Internet.
Sometimes, credit card companies find it convenient to have you write your account number on the outside of your remittance envelope. Criminals will drive up to your mailbox, look for just those envelopes, and take down your account number. Once they have it, they’ll access your account to get credit. Never write your account number on the outside of an envelope. You might as well take out a newspaper ad advertising your credit to the world.
BEWARE HELPFUL HANK
There are innumerable dodges credit card thieves use to get hold of valid credit card numbers. To try to stamp out fraud, credit card issuers stopped using carbons of card imprints a few years ago, because people would leave these carbons behind, or toss them intact into the garbage, and crooks would get the account numbers off them. Thieves called these carbons “black gold.” But other techniques have been developed to pick up the slack. One familiar approach is to dupe a merchant into giving you a number. That might sound like a lot to ask for. It isn’t. What a criminal will do is call up a small local business—a gas station, a pet store, a florist—anyplace that does steady credit card business. He hopes to get a gullible clerk, and he usually will.
“Hello, this is Joe from MasterCard,” he’ll say. “I’m returning your call.”
“What call?”
“I just got word that there was a problem with your verification machine. Are you encountering any difficulties with it?”
“Uh, no, not that I’m aware of.”
“Well, you know what happens is, when something goes amiss on a transaction, the machine will automatically send out a signal to our central processor indicating that there’s a problem. That must have been what went on here. Did you just do a transaction?”
“Yeah, maybe five minutes ago.”
“Good, that must be the one. Let’s check that transaction. What was the card number?”
He’ll read off the card number from the store’s receipt.
“Now, what’s the expiration date?”
He’ll read that off.
Just to keep the ruse sounding good, the crook will ask for the amount of the purchase, although that doesn’t interest him. He’s already got all that he needs.
Crooks usually pull these little capers in the evening, when there are always a lot of transactions and when the manager has gone home. Managers are a lot less likely to fall for this routine than a clerk, but you’d be surprised how often a manager will bite, too.
WHAT TO DO
It can be that easy. And it can be just as easy to avoid that ever happening. All you have to do is teach your employees that if they ever get a call purporting to be from a credit card company, tell them you’ll call them right back. Then make sure that’s where they’re from. Don’t take someone’s word on the phone for who they are. Often, it’s a con artist, and you know how good his word is.
And when you’ve handed your card to a salesclerk to make a purchase, take the time to examine it when you get it back. The vast majority of the time, you get the same card back. But not always. Dishonest salesclerks will pocket your card and hand you a fake or expired card, the old “bait and switch” scam, because they know most people will put the card back in their purse or wallet without even glancing at it.
Have you ever gotten home and received a phone call from someone who tells you he found your wallet at the store you just came from and he’ll put it in the mail to you that afternoon? You check, he’s right, and you’re immensely relieved that your wallet was found by such an upright citizen.
You shouldn’t be. Too often, the guy who stole it out of your purse is the one who’s calling, and with that telephone call he’s buying himself time. Now, because he’s called to tell you he’s sending you the wallet, you don’t contact your credit card companies and cancel the cards and he’s got an extra day or two to use them. Never delay in reporting a credit card lost or stolen, or the next pickpocket will take a vacation on you.
SO THAT’S WHAT HIGHER MATH WAS FOR
The number of people who potentially have access to your credit card or credit card number can be mind-boggling. For instance, the job of a worker for Northwest Airlines was to load and unload mail on Northwest flights arriving and departing from Metro Airport in Detroit. He would transport the mail back and forth between the planes and the airport’s postal facility. Not all of the mail made the flights. He would make a point of stealing a certain amount of letters and rummaging through them for credit cards or credit card numbers. He shared his bounty with some associates, who used the cards to purchase merchandise. When he was caught, police found more than six thousand letters in his home and car.
There are cheap dates and there are cheap bribes. Seven clerks who worked in the New York offices of the Social Security Administration were willing to accept between ten dollars and seventy-five dollars to reveal a person’s birth date and mother’s maiden name to a group of Nigerians, ones apparently taking time off from sending out letter scams. The Nigerians needed the information to activate new credit cards they had intercepted before they got to their rightful owners. A common security feature credit card issuers use is the requirement that a cardholder receiving a new card must call a toll-free number and give his mother’s maiden name, date of birth, and other information. Over a relatively short period of time, the Nigerian ring rounded up a breathtaking twenty thousand cards and charged more than $10 million on them.
But it’s not even necessary to steal credit card information. That’s usually for the amateur crook. A true criminal knows exactly where to go to get it, and that’s from what we call a credit card generator. There are maybe a dozen or so websites around the world that are maintained for criminals by other criminals, a nice little service in the intricate fraud network. If you know the code to get into the website, you can get any information that you want. The people who maintain the sites generally charge someone five thousand dollars to ten thousand dollars for regular use. It may sound like a lot, but it’s a bargain considering what you get for your investment.
Once y
ou get onto the home page of the site, you enter a code. That takes you to the next screen. You’re asked what information you want. Do you want an American Express card number, Diner’s Club, Discover Card? Maybe you just want a utility company account number? Whatever you click on brings you to the next page. Say you check Visa. Then you’re invited to select an institution: Citibank, Bank of America, Household Bank. You click on one, and within twenty seconds you get the names, numbers, and expiration dates of valid cards. Number after number after number. Each of these generators contains thousands of card numbers. I’ve checked them out, and I’ve never logged on and not gotten a valid card.
There are also software programs that will essentially pluck valid credit card numbers out of the air. Legitimate card numbers generally end with what’s called a “check digit.” It’s a number added for the purpose of validating the authenticity of the card number. This check digit is derived from the card’s other numbers by what is known as a Luhn formula or Mod-10 algorithm. I’m not going to get into higher math, but suffice to say, a quick way to verify a card number is to run the algorithm and compare the check digit you get with the check digit encoded with the credit card number. As it happens, the Mod-10 algorithm is fairly widely known and assorted computer programs use it to churn out numbers likely to fool authorization checks.
Now, these don’t always prove useful, as the issuing bank will normally confirm the number, expiration, and mailing address when you make an Internet purchase, thus thwarting any software-generated account number. But for inexpensive purchases, generally those under twenty dollars, and often higher amounts overseas, banks commonly run a “stand-in” check, a quick authorization that does nothing more than see that the account number is valid against the “check digit.” Consequently, thieves armed with these computer-generated numbers will log onto online merchant sites and type in number after number until they find one that gets taken, and then they make a blizzard of small purchases.