Sunday, April 22, 2007

Why it's become TOO easy for restaurant workers to skim payment cards

We seem to be seeing a record amount of credit/debit (payment) card fraud recently. The latest is a $3 million scheme -- where restaurant servers were recruited to steal their customer's financial information -- using portable skimming devices, which seem to be easily purchased over the Internet.

Samuel Maull of the Associated Press is reporting:

Thirteen people were indicted Friday on charges stemming from their roles in the credit card fraud, prosecutors said.

The credit card account information was stolen from customers who visited restaurants in Manhattan's Chinatown and other parts of the New York metropolitan area, as well eateries in Florida, New Hampshire, New Jersey and Connecticut.

Full AP story, courtesy of the Washington Post, here.

The Manhattan DA's site has a lot more information on this case, which reveals most of the defendants appear to have worked in Asian restaurants, were extremely organized and traveled the country buying high-end electronics.

The DA press release shows how they were turning the stolen merchandise into cash, which is the goal of most of these criminals:

THOMAS JUNG, JOON HEE KIM, JUN SHOJI, RICHARD LEE, JENG SEAK LEE, PHIL ANG, ALEX KIM and others in small groups to areas within and outside of New York State to purchase high-end electronics merchandise – such as laptop computers, Sony Play Stations, GPS navigation systems, high-end digital cameras and IPods.

PAO provided each shopper with 20 to 40 counterfeit credit cards with the expectation that each “shopper” would make fraudulent purchases in an amount that averaged $1,000 per counterfeit card. If a “shopper” was provided with 30 counterfeit credit cards, the “shopper” was expected to make $30,000 in fraudulent purchases. PAO made the travel arrangements for the “shoppers,” which included airline flights, car rentals, and hotel rooms for shopping trips in New York, New Jersey, Connecticut, Illinois, California, Oregon, Washington, Ohio,
Pennsylvania, and North Carolina.

The “shoppers,” who were paid approximately 15% of the retail value of the merchandise they bought, delivered the merchandise to PAO, who then sold the stolen goods to defendant JOHN DOE. In turn, DOE sold the goods to electronics and computer stores in Queens.

You can read the full press release, here.

Unfortunately, this problem is enabled by portable devices, which are too easy to obtain. A website, I found recently (called Hackers Homepage) seems to openly sell everything a wannabe card skimmer would need to do this. They even sell the high-quality card blanks - with the ability to place holograms on them - right over the Internet!

Of note, this site (which I hope is under surveillance) also sells more sophisticated skimming devices designed to be placed on point of sale systems, and advertises other devices and publications that would appear to enable a lot of different financial crimes.

A lot of this stuff can also be purchased on auction sites (like eBay) as demonstrated, here.

Perhaps, if we want to see a decrease in this activity, we need to enact laws that will control some of the technology, which makes it TOO easy for anyone to do.

This along with DIY (do it yourself) auction fraud and phishing kits, also being sold over the Internet, make it too easy for ANY criminal to commit pretty sophisticated crimes.

Throw in carder forums, which sell all the information being stolen, and there is no wonder why this has become a rapidly growing PROBLEM.

The bottom line is that easily purchased technology is making the problem worse, and the problem is spreading so rapidly, law enforcement has a hard time keeping up with it.

This IS NOT a victimless crime, just ask any of the people having their information stolen, or one of the businesses that have lost money from it. Of course, when businesses lose money, they have to raise prices, which means we are all paying for it.

To watch a pretty telling video on YouTube about how restaurant workers skim payment cards, link here.


Anonymous said...

Waiters stole credit card info, Mmde $3 million in fraudulent purchases! The diners didn't know it, but their credit cards were going to pay for more than their meals! Waiters in about 40 restaurants, in New York and elsewhere, quietly recorded customers' credit card information and passed it on to people who used the information to make more than $3 million worth of worth of illegal purchases.
Do you still think that credit cards are safe?

Anonymous said...

Very good post. I do not think that credit cards are safe. But today we can not imagine our life without them. Unfortunately, we do not safeguard our credit card accounts. We can only use them carefully and believe that banks will develop stronger defence.

Anonymous said...

I agree with the above. What must be done is to go after websites that obviously are catering to criminals.

I was shocked when I looked at it!

Anonymous said...

This article misses the mark. What we need to do is address the root cause of the problem which is the antiquated and inherently insecure magnetic stripe cards.

Instead of mandating that merchants spend millions on PCI Compliance and trying to restrict the the sale of card readers (the criminals will get them anyway), there should be a federal mandate that the card issuing banks scrap magnetic stripe technology and replace it with something secure such as tokenization or chip & pin.

Of course, this is expensive for the card brands and banks to do which is why they've pushed the costs down to the Merchants, ala PCI.

As long as that magnetic stripe is openly readable, credit card fraud will continue to increase.