CRM Chutzpa: Best Buy Credit Card Thief Sought Loyalty Rewards

Written by Evan Schuman
November 27th, 2008

A group of credit card thieves in Seattle tried to maximize their profits by using their stolen credit card data to open a loyalty card account with Best Buy, where they could get could extra benefits along with their stolen products, according to a federal probable cause document filed Nov. 19. One had tried a similar rewards scam with a Home Depot reward card and a Sears gift card.

According to a probable cause document, the defendants’ lack of discretion may have done them in. Best Buy regional loss prevention officer Steve Castillo "noticed a strange pattern of purchase activity," according to the federal filing. How strange? The reward card was linked to 77 different credit card accounts between April 2007 and June 2008. And it was used to make 125 separate credit card purchases totaling $252,000, the filing said.

A few inquiries quickly established that at least 44 of the credit cards associated with the reward card had been reported stolen and federal authorities expected that number to rise sharply as more people are contacted, the filing said.

The two defendants, Gabriel K. Lang and Billy Morris Britt, were charged with the crowbar type of credit card thefts. Specifically, they are accused of physically breaking into gym lockers and stealing credit cards and then using that data to create bogus credit cards and identification documents with their headshots.

The credit cards and ID were then used to purchased "high-end electronic equipment, including notebook computers, digital cameras, televisions and iPods," which would then be sold through EBay.

Thus far, it’s fairly traditional, even down to using EBay as a convenient laundry. (New tagline: "Ebay: Fence to the most elite street gangs in America.") But it’s when they applied for a Best Buy rewards card that things get interesting.

Best Buy and a federal investigator traced the Yahoo E-mail address used to open the Best Buy rewards account and then subpoenaed the IP address history of any attempts to access that account. The most frequent IP address used was owned by Comcast Cable and another subpoena delivered the address.

Stakeouts and other techniques—using video surveillance of the person using that gift card—resulted in the arrests. But Best Buy’s Castillo was running his own probe as well.

Castillo started searching on EBay "looking for sellers who were using the site to sell items with the same model numbers of the high-dollar items that were being purchased using" the suspect rewards card and were in the Seattle area, the probable cause document said. He then found that items purchased with that loyalty card quickly went up on the site under the name of an Ebay seller called Nexusi. An investigation of Nexusi lead to the same suspects, the document said.

One big tip-off came when one of the suspects tried to sell some Apple hardware. "The Apple computers sold through this account were listed for sale at $100 below the normal retail prices for these computers and iPods sold through the account were listed for $50 less than the normal retail prices for the iPods," the filing said. But given that Apple never discounts—other than a one sale a year for students—Castillo suspected something improper. Apple then confirmed that the suspect’s company was not an authorized Apple reseller.


Comments are closed.


StorefrontBacktalk delivers the latest retail technology news & analysis. Join more than 60,000 retail IT leaders who subscribe to our free weekly email. Sign up today!

Most Recent Comments

Why Did Gonzales Hackers Like European Cards So Much Better?

I am still unclear about the core point here-- why higher value of European cards. Supply and demand, yes, makes sense. But the fact that the cards were chip and pin (EMV) should make them less valuable because that demonstrably reduces the ability to use them fraudulently. Did the author mean that the chip and pin cards could be used in a country where EMV is not implemented--the US--and this mis-match make it easier to us them since the issuing banks may not have as robust anti-fraud controls as non-EMV banks because they assumed EMV would do the fraud prevention for them Read more...
Two possible reasons that I can think of and have seen in the past - 1) Cards issued by European banks when used online cross border don't usually support AVS checks. So, when a European card is used with a billing address that's in the US, an ecom merchant wouldn't necessarily know that the shipping zip code doesn't match the billing code. 2) Also, in offline chip countries the card determines whether or not a transaction is approved, not the issuer. In my experience, European issuers haven't developed the same checks on authorization requests as US issuers. So, these cards might be more valuable because they are more likely to get approved. Read more...
A smart card slot in terminals doesn't mean there is a reader or that the reader is activated. Then, activated reader or not, the U.S. processors don't have apps certified or ready to load into those terminals to accept and process smart card transactions just yet. Don't get your card(t) before the terminal (horse). Read more...
The marketplace does speak. More fraud capacity translates to higher value for the stolen data. Because nearly 100% of all US transactions are authorized online in real time, we have less fraud regardless of whether the card is Magstripe only or chip and PIn. Hence, $10 prices for US cards vs $25 for the European counterparts. Read more...
@David True. The European cards have both an EMV chip AND a mag stripe. Europeans may generally use the chip for their transactions, but the insecure stripe remains vulnerable to skimming, whether it be from a false front on an ATM or a dishonest waiter with a handheld skimmer. If their stripe is skimmed, the track data can still be cloned and used fraudulently in the United States. If European banks only detect fraud from 9-5 GMT, that might explain why American criminals prefer them over American bank issued cards, who have fraud detection in place 24x7. Read more...

Our apologies. Due to legal and security copyright issues, we can't facilitate the printing of Premium Content. If you absolutely need a hard copy, please contact customer service.