Skimming: New twists on old scam

Photo by Corinne Nicholson

Photo by Corinne Nicholson

Alice was leery of the restaurant cashier, who eyed her credit card a

little too contentedly and swiped it out of view. Something felt wrong. Alice decided to pore over her bank statement like a riddle when it came in the mail. But her bank called first...

Though Alice still possessed the card, a relic she'd carried for 11 years, its encoded data had been used to buy school books in Arizona -- an uncharacteristic purchase and a red flag her bank immediately picked up on, she said.

Bank officials "told me that thieves will usually try to run through a small amount first .... then they go for the big expenditures," said Alice, an Atlantan who works in Duluth and wished to remain anonymous. "I don't trust anyone anymore."

Alice is convinced she fell victim to "skimming," a surreptitious method of identity theft that's targeted hundreds of victims in metro Atlanta recently -- including some who may not yet know they've been victimized. The crime has existed since the dawn of charge cards, but new variations and criminal hierarchies have authorities on renewed alert.

"It's rampant," said Norcross police Det. Bill Grogan, whose most recent case involves more than 500 card holders who've been bilked of about $100,000. Only about 10 percent of those victims have been alerted, he said last week.

"A lot of times, (thieves) buy clothes, electronics ... or they blow it on drinking and drugs," Grogan said. "They're not putting this stuff away in their 401k."

Fraudsters who skim vary from professional criminals who pipeline stolen banking information overseas, to teenagers at fast-food restaurants looking to make a quick buck. Each incorporates some type of skimmer, devices sometimes smaller than cell phones with slits for swiping charge card data.

"We have a few different flavors," said Assistant U.S. Attorney Larry Sommerfeld, who heads the cyber crime unit.

Police report the more common modus operandi in Gwinnett lately involves face-to-face interactions with unsuspecting customers, often at busy fast-food establishments.

In recent weeks, Gwinnett police have arrested six people for their alleged roles in a skimming ring that preyed on customers buying food with plastic at a Pleasant Hill Road eatery. Grogan said his case, with its hundreds of victims, had roots at the drive-through window of a Norcross McDonald's.

Two years ago, a different strand of data-hungry criminal worked WaMu banks in metro Atlanta, including at least two in Gwinnett.

Police on a stakeout caught three men using book-size skimmers that resembled card swipes at a Duluth branch. The skimmers, like devices sometimes found glued to gas pumps, were used in conjunction with hidden cameras above an ATM's keypad that recorded customers punching in PIN numbers.

The result: A data cocktail potent enough to suck thousands from unsuspecting customers' accounts, racking up penalties with lenders.

Investigators said the Romanian suspects were operatives in an Eastern European crime network that scammed bank patrons across the United States.

Nut and bolts

Step one: Whatever their physical makeup, skimmers serve a common purpose -- to read and store data embedded in a charge card's magnetic strip. Every card has a specific code, otherwise known as a "track." Some skimmers can hold hundreds of tracks.

Step two: Once cards are compromised, fraudsters plug the skimmers into computers, often through common USB connections. The tracks are dumped into a special software program, then transferred to another small device called an encoder.

Lastly, thieves encode the tracks onto cheap gift cards, stolen bank cards or generic "blank" cards. Essentially, they have a clone of the original credit card at this point. And the shopping spree commences.

Favorite targets are "any major corporation where they can get in and out inconspicuously," said Gwinnett police spokesman Cpl. David Schiralli. "A place that's very busy."

Adds Grogan: "They're going into stores where, more often than not, you're allowed to swipe your own card," he said. "Most instances, the suspects will do five to 10 cards at a time, then they'll venture out."

Buying skimmers and encoders isn't difficult. The equipment is legitimate when used in place of credit card terminals at trade events and during door-to-door cosmetic sales, for instance. One online retailer, found via a simple Google search, lists them for between $212 and $399. The encoding software, Grogan said, can be downloaded.

"It's the kind of thing you can get," said Sommerfeld, the Assistant U.S. Attorney. "These types of materials are obtainable together, or in component form, online."

A new hierarchy

Police say young employees at restaurants and retailers are typically more than just thieves -- they're recruits.

Through mutual acquaintances, or in sales pitches in the businesses themselves, ring-leaders talk employees into collecting data and provide them the equipment to do so -- a puppetmaster-pawn relationship.

Grogan said a typical payout is $4 to $6 per track. At stake are felony fraud and theft charges.

"It's a business relationship, that's all it is," Grogan said. "They don't want to be caught together."

Undetected operations can snowball, Schiralli said.

"The more complex (cases) are a multi-level operation," he said. "Basically, there's someone who recruits these kids."

Observation is key

Authorities say the best -- and sometimes only -- defense against skimming is a keen eye, both to watch cards in employees' hands and to diligently check bank statements. Nothing whets thieves' appetites like customers not paying attention.

There are other precautions.

"Contact banks for fraud alerts in case (the card) is used out of state," Schiralli further advised. "Get a credit account with a lower limit, something you might use to buy fast food. The main thing is to be aware, be mindful of where you're using cards."

In general, cardholders have 30 days to catch illegitimate purchases; after 60 days, they're left to deal with a varying percentage of the liability, Zachary Friesen, a Denver-based identity theft expert and educator, told the Daily Post in an interview. He called identity theft the number one crime in America.

Special Agent Jeffrey Gilbert, of the U.S. Secret Service's Atlanta Field Office, said most fraudulent transactions occur within 48 hours of a card's compromise.

"But most cardholders aren't aware they've been victimized until they receive statements," he said.

Grogan, the Norcross detective, warns his extended family to avoid using plastic at any restaurant where the card must leave diners' sight, he said. He advises the public to accompany servers to credit card terminals -- or to pay the old fashioned way, with cash.

"The banks are getting quicker at recognizing fraud, but there's no way to absolutely prevent it," Grogan said. "People are getting wiped out, and they are just beside themselves for weeks"