The Art of the Steal (17 page)

6

[CARD
GAMES
]

O
utside Miami International Airport, a new rental car franchise opened up a few years ago, begun by several enterprising young men. It was billed as one of those Rent-A-Wreck places that rented less-than-perfect cars at lower rates than the major chains like Hertz and Avis. The deal here was an awfully tantalizing one: a wreck for ten dollars a day, and no mileage charge. People arriving on flights took a look and thought it was a terrific price. The cars moved briskly.

In subsequent weeks, a spate of fraudulent credit card transactions were confounding law enforcement agents and credit card companies. They were on all sorts of cards and dispersed around the country in almost haphazard fashion. The authorities looked in vain for some sort of pattern, some fragile thread that might connect them. One finally emerged. It turned out that every card that had been used in the fraudulent purchases had also been used legitimately by the cardholder at the new Rent-A-Wreck at the Miami airport.

A little more investigation broke the case open. It seems that the young men weren’t really interested in making a living renting cars at extraordinarily low prices. That was simply their cover. Their true business was recording the credit card numbers of everyone who came through and selling them to a ring of credit card thieves. The thieves then used them to make the illegal transactions.

In the world of fraud, it helps to remember that things are never what they seem. In fact, they are often the opposite of what they seem. I’m reminded of that little demonstration in the David Mamet con artist movie, “House of Games.” Two men, one a soldier, are waiting at a Western Union office for money that’s supposed to be wired to them. They don’t know each other. The other man tells the soldier he sure hopes his money comes, and the soldier says the same thing. You know, the man says, if my money comes in first, I’ll give you some of it, because I know you’ll pay it back and I know you’d do the same for me. The soldier is warmed by this generosity. But of course no money is being wired to the man. He’s the scam artist. When the soldier’s money comes, he offers to give some to the other man and he’ll never see it again. At the Miami Airport, people thought they were renting a car and they were actually donating their credit cards to thieves. It could be happening anytime you use your credit card, if you don’t know who you’re dealing with.

CUT THE CARDS

We all understand “sticker shock,” that numb feeling you get when you go shopping for a new car. Well, now there’s “statement shock.” That’s when your credit card has not left your wallet for weeks but you receive your monthly bill and it looks like you spent the entire month shopping on Rodeo Drive. Most likely, you’re a victim of counterfeiters helping themselves to your credit. As I pointed out earlier in the chapter on checks, check fraud far outstrips credit card fraud. But plastic fraud is an accelerating problem, too, and new card tricks keep getting devised to enable crooks to enrich themselves.

Federal law generally limits a cardholder’s liability for use of a stolen credit card to just fifty dollars. If you report the stolen card promptly, the issuer will typically waive that fifty dollars as well, as a goodwill gesture. So it’s not the consumer who is hurt by card theft, but the issuers. All fraud losses, though, get reflected in higher prices, so, one way or another, the money ultimately comes out of everyone’s pocket.

In the 1990s, it became commonplace for forgers to start altering existing credit cards. The simplest thing criminals do is to tell garbage collectors that for every intact card they find in the garbage and turn over to them, they’ll pay them thirty-five dollars. Even though credit card companies repeatedly admonish cardholders to cut up their old cards before discarding them, I’m amazed that most people don’t. They assume that because the card’s expired, it’s worthless, so just toss it in the trash.

Once they’ve got the cards, the thieves can’t go out and use them, because verification machines will reject them as expired. So they need to make a few appropriate modifications. They take a handkerchief and lay it over a card. Then they put a hot iron over the handkerchief. The heat and weight of the iron melts the embossing. In other words, it flattens the raised letters and digits that constitute the name, account number, and expiration date. Putting the card in boiling water will accomplish the same thing. With a card embosser, which is easily and inexpensively obtained from an office supply store, they put on a new, illegally-obtained name, number, and expiration date.

Finally, they turn the card over, and with a paper clip, put a scratch in the magnetic stripe. Thus when they go to use the card, the damaged magnetic stripe won’t work when a clerk swipes it through the verification terminal; instead, he’ll be forced to read the newly-embossed number over the phone to obtain the authorization code. Clerks need to be told to proceed with caution when a card’s magnetic stripe will not operate with their card swipe unit. It may be honestly bad or it may be intentionally bad.

To catch people embossing new numbers on cards that have been ironed flat, card companies have been printing the card number again on the back of the card in small type, often just above or on the magnetic stripe. The number is flat, so an iron won’t melt it off. Sounds good. But crooks have figured that one out, too. They print up little stickers that say, in one instance, “Warning. This card registered” and then showing an American Express logo and a toll-free number to call for assistance. Then they put the sticker right over the account number on the back. It fools clerks every time.

For its credit cards, Citibank came up with the enterprising idea of affixing a person’s picture to the card as an added security measure. As a further precaution, anyone receiving a card has to come into a Citibank branch and get their picture taken there. For the most part, this was a good idea. There’s just one problem. If you live out of state and thus can’t get to a Citibank branch, the bank allows you to mail in your photo. But it has no way of knowing if that is actually your picture. There’s always a loophole.

Criminals even have a way of making invalid cards work overtime. Forgers will replace the magnetic stripe with a test stripe of their own that causes a verification machine to read a dummy approval code without transmitting the information. This instant approval registers on the machine less than a tenth of a second after the card is swiped. One way to identify a fake card is to slowly swipe the card. The approval code, instead of quickly appearing in its entirety, will print out, number by number, in the display window. That’s impossible with a valid card. Newer verification machines can’t be fooled by this maneuver, but there are still a lot of older ones around.

WHAT TO DO

As a consumer, the thing to remember is, don’t toss away an expired card intact, and put the pieces in at least two different garbage receptacles. If I’m traveling, I’ll toss one half in the garbage at the airport I’m leaving from and I’ll carry the other half with me and throw it away in the airport where I land.

ONE PERSON’S TRASH IS ANOTHER’S TREASURE

You must be continually proactive. If you buy a club for the steering wheel of your car to protect it from being stolen, why wouldn’t you do the same thing for your credit? People get notices in the mail every day telling them they’ve been preapproved for a Visa card. They already have a wallet stuffed with plastic, so they throw the whole thing away. The garbage collectors pick them up, open them, take out the coupon and check, “Yes, I want it.” Has the address changed? They check “yes” and write in the new address. And they get your Visa. Rip those envelopes up before you throw them out. Don’t make it so easy for criminals to take advantage of you.

Everyone needs to be a little more circumspect with credit card numbers. Merchants dealing with account numbers lapse into a kind of autopilot and treat them as if they were no more significant than last night’s baseball scores. I was riding in a cab once when the dispatcher’s voice crackled over the radio: “Hey, I didn’t get that last credit card.” “No problem,” the cabbie said. “I’ll read it to you again.” And he proceeded to do just that, while I’m sitting there within earshot. All I had to do was scribble down the information and then start charging things on the phone or the Internet.

Sometimes, credit card companies find it convenient to have you write your account number on the outside of your remittance envelope. Criminals will drive up to your mailbox, look for just those envelopes, and take down your account number. Once they have it, they’ll access your account to get credit. Never write your account number on the outside of an envelope. You might as well take out a newspaper ad advertising your credit to the world.

BEWARE HELPFUL HANK

There are innumerable dodges credit card thieves use to get hold of valid credit card numbers. To try to stamp out fraud, credit card issuers stopped using carbons of card imprints a few years ago, because people would leave these carbons behind, or toss them intact into the garbage, and crooks would get the account numbers off them. Thieves called these carbons “black gold.” But other techniques have been developed to pick up the slack. One familiar approach is to dupe a merchant into giving you a number. That might sound like a lot to ask for. It isn’t. What a criminal will do is call up a small local business—a gas station, a pet store, a florist—anyplace that does steady credit card business. He hopes to get a gullible clerk, and he usually will.

“Hello, this is Joe from MasterCard,” he’ll say. “I’m returning your call.”

“What call?”

“I just got word that there was a problem with your verification machine. Are you encountering any difficulties with it?”

“Uh, no, not that I’m aware of.”

“Well, you know what happens is, when something goes amiss on a transaction, the machine will automatically send out a signal to our central processor indicating that there’s a problem. That must have been what went on here. Did you just do a transaction?”

“Yeah, maybe five minutes ago.”

“Good, that must be the one. Let’s check that transaction. What was the card number?”

He’ll read off the card number from the store’s receipt.

“Now, what’s the expiration date?”

He’ll read that off.

Just to keep the ruse sounding good, the crook will ask for the amount of the purchase, although that doesn’t interest him. He’s already got all that he needs.

Crooks usually pull these little capers in the evening, when there are always a lot of transactions and when the manager has gone home. Managers are a lot less likely to fall for this routine than a clerk, but you’d be surprised how often a manager will bite, too.

WHAT TO DO

It can be that easy. And it can be just as easy to avoid that ever happening. All you have to do is teach your employees that if they ever get a call purporting to be from a credit card company, tell them you’ll call them right back. Then make sure that’s where they’re from. Don’t take someone’s word on the phone for who they are. Often, it’s a con artist, and you know how good his word is.

And when you’ve handed your card to a salesclerk to make a purchase, take the time to examine it when you get it back. The vast majority of the time, you get the same card back. But not always. Dishonest salesclerks will pocket your card and hand you a fake or expired card, the old “bait and switch” scam, because they know most people will put the card back in their purse or wallet without even glancing at it.

Have you ever gotten home and received a phone call from someone who tells you he found your wallet at the store you just came from and he’ll put it in the mail to you that afternoon? You check, he’s right, and you’re immensely relieved that your wallet was found by such an upright citizen.

You shouldn’t be. Too often, the guy who stole it out of your purse is the one who’s calling, and with that telephone call he’s buying himself time. Now, because he’s called to tell you he’s sending you the wallet, you don’t contact your credit card companies and cancel the cards and he’s got an extra day or two to use them. Never delay in reporting a credit card lost or stolen, or the next pickpocket will take a vacation on you.

SO
THAT’S
WHAT HIGHER MATH WAS FOR

The number of people who potentially have access to your credit card or credit card number can be mind-boggling. For instance, the job of a worker for Northwest Airlines was to load and unload mail on Northwest flights arriving and departing from Metro Airport in Detroit. He would transport the mail back and forth between the planes and the airport’s postal facility. Not all of the mail made the flights. He would make a point of stealing a certain amount of letters and rummaging through them for credit cards or credit card numbers. He shared his bounty with some associates, who used the cards to purchase merchandise. When he was caught, police found more than six thousand letters in his home and car.

There are cheap dates and there are cheap bribes. Seven clerks who worked in the New York offices of the Social Security Administration were willing to accept between ten dollars and seventy-five dollars to reveal a person’s birth date and mother’s maiden name to a group of Nigerians, ones apparently taking time off from sending out letter scams. The Nigerians needed the information to activate new credit cards they had intercepted before they got to their rightful owners. A common security feature credit card issuers use is the requirement that a cardholder receiving a new card must call a toll-free number and give his mother’s maiden name, date of birth, and other information. Over a relatively short period of time, the Nigerian ring rounded up a breathtaking twenty thousand cards and charged more than $10 million on them.

But it’s not even necessary to steal credit card information. That’s usually for the amateur crook. A true criminal knows exactly where to go to get it, and that’s from what we call a credit card generator. There are maybe a dozen or so websites around the world that are maintained for criminals by other criminals, a nice little service in the intricate fraud network. If you know the code to get into the website, you can get any information that you want. The people who maintain the sites generally charge someone five thousand dollars to ten thousand dollars for regular use. It may sound like a lot, but it’s a bargain considering what you get for your investment.