The Long Beach Police Department (LBPD) is leading a multi-jurisdictional investigation of credit card fraud that ensnared over 20 Idyllwild residents from October through December 2010. The lead investigator, who requested his name not be published, cited cyber hacking of merchant process servers, rather than a locally placed skimmer, as the likely cause.
The investigation, although centered in Southern California counties including San Diego, Los Angeles, Orange and Riverside, has tendrils that reach European banks and a likely Eastern European hacking location, according to the investigator. “This is a very sophisticated ring of individuals,” said the LBPD detective.
In this investigation, Lt. Geoff Raya, Riverside County Sheriff’s Department (RCSD) Hemet Station, said his department works with Long Beach in a support capacity. “There have been several hundred victims,” said Raya, “with Idyllwild having the most in Riverside County.” Hacked credit card information was used to create cloned cards, which were then used to make fraudulent purchases, totaling for Idyllwild victims in excess of $20,000.
The LBPD investigator, part of that department’s identity theft bureau, noted that multiple suspects have been identified and a key arrest has been made. “At this point, the ring has shut down and one major player has been taken down,” he said. “Fifty individuals have been identified and some prosecutions have occurred.” LBPD is taking the time necessary to widen the net to bring down the greatest number of perpetrators, according to the investigator. He noted investigations of this nature could take years to complete because of the complexity and rapidity of dissemination of credit card information. “Banking institutions are being compromised,” he said.
The detective suggested two things consumers can or should do to mitigate credit card identity theft. First, individuals should use new security technology, called EMV chips, whenever possible. They are mandated in Europe, but not widely available in the U.S.
EMV stands for Europay, MasterCard and VISA, a global standard for inter-operation of integrated circuit cards.
EMV “smart cards,” have an imbedded computer chip that replaces the standard magnetic strip used in U.S. cards. Once the chip communicates with a card reader at point of sale or use, the cardholder must then punch in a pin number, which is mandatory for the transaction to proceed.
Minneapolis-based U.S. Bank, Wells Fargo and Chase are beginning to introduce EMV cards. The EMV chip prevents card cloning.
The problem in making EMV technology more available in the U.S., in addition to transition costs, is one of regulation. In Europe, card issuers have more control over the merchant card-processing infrastructure. In the U.S., issuers are separated from the payment processing system, so that card issuers can’t just force merchants to buy the new terminals required for processing chip and PIN cards. As a result, magnetic strip cards in the U.S. remain vulnerable to cloning.
The LBPD investigator also recommended using ATM cards linked to a holder’s bank account sparingly. If an ATM card is compromised, it could expose the holder’s bank balances and, depending on the banking institution’s procedures, tie up funds for a period of time. The investigator said credit cards are actually a safer way to go. Credit card companies generally quickly reimburse illegal charges pending a fraud investigation as part of normal procedures. Use of cash for purchases is probably the safest method.
In an unintended consequence of making card use easier for U.S. holders, some credit card issuers are furnishing cards with radio frequency identification (RFID) that allows a cardholder to simply wave the card at a scanner to complete a purchase (similar to EMV technology but not needing a pin number). Unfortunately, criminal scammers can construct or buy portable scanners, conceal them in a purse or briefcase and scan a card from a distance of several feet. A team of researchers at the University of Massachusetts in Amherst demonstrated that surreptitious scanning could reveal the cardholders’ name, card number and expiration date. RFID cards carry a sonar-like sound wave symbol on the back and identification as a “Blink” card (Chase credit cards).