How did she get away with this credit card number theft?

Here’s a story that came out today about an American Airlines employee who managed to steal at least 350 credit card numbers and to use them to get over $480,000 in merchandise, without being caught. She was only caught when someone else (possibly an accomplice, I’ve heard that thieves sometimes fall out) informed on her. The article doesn’t say over what span of time this was.

The part that got me curious was this:

So, care to speculate on how she recorded the account numbers? If she was working at the counter, she would have been in full view of any number of other employees. I certainly hope that whatever technology she used is found; otherwise it seems like one would be nearly defenseless against this sort of thing.
Roddy

A very good memory?

Failing that, you can find any number of spy pens and similar pin hole cameras on the web. Any of those would be sufficient to
record a credit card number.

With enough practice, it’s not that hard to memorize a chunck of information quickly. Especially if the mark had a name that was easy for you to remember and spell.

Don’t discount memorization. Reading the printed numbers on the card and writing them down later works just as well. You just need the number and expiration date. She was making counterfeit cards. You’d put whatever name and signature you want on the counterfeit.

350 cards in 3 years is about 116 cards a year, or 2 per week. Her job also exposed her to a lot of cards. Even a 1% success rate (2 out of 200 customers) at remembering the number is more than enough for the volume of customers I think she’d handle in a typical week.

I could be missing something, but couldn’t she have just typed it down when she was getting/entering customer information? Airline workers do like to type away for quite some time, to the point where it’s become a joke.

I can barely remember my 10-digit checking account number, that I’ve had for years; it’s hard for me to believe someone could remember a 15- or 16-digit credit card number on one viewing.

I place more credence on the pinhole or spy camera idea. And now that I think of it, aren’t there scanning pens, where she could have just run the scanning pen over the number and exp. date, and it would be stored electronically for later use?
Roddy

Personally, I’m surprised it took someone ratting her out. I would think with systems like Falcon used by the credit card companies to prevent fraud that they didn’t start to notice a pattern of all these individuals having bought American Airline tickets at the San Jose airport previously even if she held on to the numbers and used them months afterward across numerous states. I would bet if you looked at the purchase history of the 350 victims, that would be the ONLY purchase at the same location they would all have in common.

Maybe I don’t know how this works and I think technology is better than it is but why doesn’t it work this way?:

  1. Look for a common purchase location across all credit card fraud victims using your card. Let’s assume you work for VISA and that 150 of the 350 are VISA card holders. Let’s also assume that there are several tens of thousands of cases open at one time, but still, these 150 all show the same airport in the purchase history and all with the same airline, all of which occur BEFORE the fraud shows up.

  2. Identify multiple Safeway locations where the fraudulent cards were used and compare camera footage to times when the cards were being used to capture the general appearance of the person committing the fraud (i.e. sex, race, hair, approximate weight and height)

  3. Go to the airline at the airport, show them the evidence and ask to look at employee pictures working at that airport with access to customer credit card information and that match the general description from the Safeway.

  4. Question that handful of individuals and/or look into their travel and spending habits to see if they match the criminal activity at the Safeway.

  5. Catch your thief!

As far as how she was skimming the numbers, it could be as simple as her making a manual imprint of the card using scratch paper and a piece of crayon whenever no one was looking. Once they put your card behind that counter, you really can’t see what’s going on. Even if she had a sophisticated skimmer device, just because they didn’t find it doesn’t mean she didn’t use one.

Try it, it’s not that hard. You only have to remember it long enough to write it down.

It’s not hard to catch the thief, it’s a lack of trying.

Do you know how many people refuse to sign their credit cards? Lots, but merchants take them anyway. When those come up as chargeback the merchants lose as they could not have compared signatures.

You don’t have to memorize the whole CC number. The first four digits ID the issuer. So you can say 4XXX is Citibank, you now say “Citibank” and the next twelve numbers A phone numer with area code is 10 digits.

I bought a watch with a camera for only $50 and it works great.

Whenever I get a replacement card, my new credit card always has the same first eight digits. So you only have to memorize or write down eight digits, plus the security code, plus the expiration date, plus my name, and billing address. Sounds like she must have had some way of writing all that down.

But what I’m curious about is where she had the stuff delivered and how that didn’t get found out.

A friend used to work in a field involving credit cards. She looked at one of my cards and said that’s a HSBC card. I said how do you know? She said the first four digits tell you the bank number. I know the second and third do something. I forget what they tell.

So, if you know what the these numbers mean, it’s probably easier to remember and you’d really only be remembering the last for numbers and the name.

It seems for a scam like this, considering how much money it was, she probably got other invovled. Once they were involved enough to get her, she knew they’d be facing jail time, too.

I have a strange feeling the 350 victims don’t pay close attention to their credit card statements…probably the same ones who believe someone couldn’t remember 16-20 digits would never suspect somebody stole their card numbers.

My money would be on some sort of camera or possibly a hardware keylogger installed between the card reader and the workstation.

Almost all barcode scanners and card readers appear to the computer as a keyboard.

ETA: Odds are that if the investigators were looking for a skimmer, a little keylogger wouldn’t be noted.

You don’t need to remember the entire number sequence if you know the basics: http://www.cardbenefit.com/credit-education/credit-card-numbering.htm

Plan B - she used the vast majority of the stolen cards to buy gift cards from Safeway supermarkets according to the story, which is odd because that’s a lot of effort and involves a fair amount of risk when you think about it. It means she had to have a fake credit card printed up and encoded with the stolen information, which had to look right in case a clerk at the market examined the card, and had to present herself (or a co-conspirator) in person where the clerk would see that person and where they would likely be recorded by a security camera. She was smart enough to spread the purchases out over a period of time and use different markets across three states, but I’m still surprised she didn’t get caught before that.

As to where she had merchandise delivered, let me tell you a little story. Back when I was in high school in the 1980s, credit cards were processed quasi-manually and didn’t have the security code numbers on the back. Every credit card processed had a carbon sheet left over, which most clerks just threw in the garbage completely intact. My friend would look for these carbon sheets in dumpsters behind major department stores and music stores. He would then find a mail order operation in a magazine that sold cameras, stereo equipment, porn, etc., call up the number, and order the product. Back then, unlisted numbers were rare, and if the person’s name on the credit card was even remotely unusual, you could look up their address and phone number in the white pages of the phone book for your city. Prior to doing this, which will answer your question, he would look for a vacant house in a nearby neighborhood with a for sale sign in front of it. He would order the product in question, have it shipped next day air (since he wasn’t paying for shipping, who cares?) and then go to the vacant house and place a note on the door. This note would say: “Hey Mr. UPS person, we are moving in and may not be home when you deliver our package from XYZ Corp. Could you please leave the package on the front porch and accept the signature on this note in leiu of one in person?” - signed <cardholder’s name>. About 90% of the time, this worked for him. In cases where it didn’t work, I imagine some UPS people either wouldn’t take the note, or the realtor would show up first and remove the note. That said, other than how the credit card number is procured today, I would think this same scheme would work today. Probably doubly so since so many houses in this economy sit on the market for so long and don’t have regular visits from the realtors.

I wonder if there’s something about Safeway that makes them a particularly easy target for this sort of fraud. We had to close an account this summer because someone used our card number to charge $203 and $103 (or thereabouts) in separate transactions at a Safeway in Colorado.

It was very frustrating since of course I was traveling at the time so canceling the only credit card I carry was very inconvenient (we do the points thing: charge everything to a card, pay it off every month) and I hated the idea that our card was used to rip someone off. I’d love to know what steps, if any, were taken to find the scammer. And since we are such creatures of habit, was this just going to happen again when we used the replacement card wherever the person who must have sold the first number worked?

I would love to know how/who got the number, maybe someday they’ll do an article on a Fred Meyer’s gas station attendant in Medford, OR who was at the center of a multi-state credit card fraud ring. Or something, that’s just my best guess right now.

I shop at Vons, which is a Safeway market, and I can tell you that at those markets, you can buy groceries, gift cards, etc. from the self check-out machines, so my guess is that was what she was doing to avoid the “dealing with a clerk who might remember you” thing. There is still the security cameras though.

I honestly wonder why the credit card companies have so much trouble catching people, especially when it is a mail order scam like what I described above. If you are shipping a product to something other than your home address, then they should have a recording call the number of the credit card holder to at least let them know in case it is a fraud. That should be easy enough to set up, and hardly that big of a pain for the one or two times a year you order a gift delivered to someone else at a different address. Perhaps just do it if the item is shipped in an expedited manner to another address, which I suspect is typical of all frauds.

My credit card has been stolen twice. The first time it happened, someone got into my wallet when I was at the gym. What was interesting was that they didn’t take the cash and they moved another card in its place so I wouldn’t notice it right away. I still discovered it a day later and after verifying no friend was playing a joke on me, I called the credit card company. Indeed, someone had ripped off the card, but here’s the strange part - they used it to pay for an expensive car repair at a nearby auto shop. You know, where they have a record of who you are and your license plate number… Needless to say, they caught that guy, but he was 10 shades of stupid. The second time, it was in Russia at a dicey souvenir shop, and there was nothing the credit card company could do.

Credit card companies wouldn’t have a difficult time, IF they actually went after the crooks.

And they probably do go after a limited number, but it’s easier to write it off and jack up the rates.

For instance, I had my Citibank CC stolen. In 30 minutes they charged up over $2,000.

All of this was online, at grocery stores, Walgreens, movie theatres, things that have cameras and could be traced.

All Citibank required is that I file a police report and submit a notarize statement that I didn’t make those charges. They were taken off in a week, BUT the next month my interst rate went from 1.2% to 21%

So who’s paying? That’s an easy guess.

I live in a building where about half the mailboxes don’t have proper locks. Mine does but others don’t. My landlord gives you a key and if you lose it will charge you $25 to replace it so I’m guessing a lot of people in my building just break in and don’t pay.

So you could easily just have something delivered to one of those flats with a broken mailbox and check it everyday at 2pm. So when the owner comes home from work at 5pm he/she is not even aware she/he is being used

I really don’t believe the credit card companies are purposely NOT going after the crooks. If they want to raise your rates, they can do it without your credit card getting stolen too. For the record, the two times my card was stolen, the events were separated by close to ten years and neither time did I have my rates raised on my Citibank card. I have also had to reverse charges maybe five times in the more than 20 years I’ve owned the card when I got screwed on purchases, but that too had no effect on my rate.

I suspect the real reason they aren’t catching them is one of two reasons:

  1. The software is not as good at identifying pattern as I think it is - after all, the San Jose airport/American Airlines ticket purchase thing is obvious in hindsight, but perhaps it is just background noise given the tons of cases the software likely processes for potential fraud.

  2. Some lame privacy law - With everyone so paranoid about people knowing things about them, it wouldn’t surprise me if the credit card companies are limited in their abilities to actually look at your purchase history. After all, what if some high level conservative politician is buying gay sex toys online. Presumably if you could search his records for fraud, you could also pull up his purchase history in general and abuse that privilege.

Hardly necessary to make it that complicated.

Just hit the Print Screen key after entering the credit card number onto the screen.

Also, nearly every online transaction system I’ve worked on has had a method to go back and review previous screens. So wait till the customer is gone, hit the back arrow to re-display the screen with the credit card number, and write it down.