First Heartland Arrests, With New Twist To Bogus Gift Card Scheme
Written by Evan SchumanU.S. Secret Service and local law enforcement have confirmed the arrests of three Florida men on hundreds of counts of credit card fraud. The suspects were caught using cards that police said were made using data stolen from credit card processor Heartland Payment Systems. But the arrests revealed a new kind of gift card fraud technique, one where the fraudsters need never use identification and don’t have to pay for the equipment to manufacture bogus cards.
The Tallahassee arrests of Timothy Julsaint Johns, 21, Jeremy A. Frazier, 20, and Tony Acreus, 20, are very far from closing this case. Federal officials are still focusing on an overseas group—apparently in Eastern Europe—that accessed the data from Heartland. It’s not unusual for such groups to then sell the numbers in bulk to various smaller criminal groups, which turn the data into bogus credit cards and false gift cards and then use those cards to purchase goods that are sold for cash.
Just this week, the Secret Service and the FBI issued an alert describing the methodology behind what it termed “a considerable spike in cyber attacks” against E-tailers. That detailed an alert typically means authorities already are tracking the suspects, who most likely are fully aware they are being tracked. Hence, there’s little investigative risk to issuing an alert to try and minimize additional data theft attempts using the same procedures.
Meanwhile, the full impact of the Heartland breach has not been confirmed. But the number of financial institutions that say they have been impacted by the Heartland breach continues to rise, now hitting 440.
Back in Florida, officials said they have been working this breach case for three months in a joint probe by the Secret Service, the Leon County Sheriff’s Office and the Tallahassee Police Department. Authorities said the three men were arrested after being caught on Wal-Mart surveillance video using homemade Visa gift cards. A Florida law enforcement statement didn’t list the dollar value of the thefts associated with the three suspects, other than to say, “the total actual and declined fraudulent transaction in Leon County is currently in excess of $100,000. This amount is expected to be much higher as this investigation continues.”
Sgt. Tony Drzewiecki, of the Leon County Sheriff’s Office, said the three defendants are not suspected of having any involvement in the data breach and that they “were at the end of the line, with these numbers. We’re trying to determine how they came into possession of the numbers.”
A New Twist
What makes this case interesting is that the suspects are accused of having tried a new twist to credit card fraud. Typically, fraudsters take stolen credit card numbers and create bogus documents by stamping out the cards from plastic. In this case, the suspects didn’t have to create bogus credit cards at all. It also meant they weren’t required to show any identification when using the gift cards.
All the suspects did in this case was steal Visa gift cards from retailers and then simply use an electronic coding device to overwrite the data on the magnetic strip, Drzewiecki said, which would have saved them a lot of time and money because it meant that the suspects “didn’t have to have the facilities to make” bogus credit cards or fake gift cards.
The trio was fond of hitting Wal-Marts and purchasing large electronic devices. “Flat-screen TVs, that was a favorite. That can be sold very easily on the outside and converted into cash,” Drzewiecki said.
One of the reasons gift cards are so popular with thieves is that they provide a very easy way to allow fraudulent purchases to happen for a much longer period of time. If a thief grabs a credit card, it’s only a matter of hours—and sometimes minutes—before the theft is discovered and the bank invalidates that card worldwide. But if the thief uses that card to immediately purchase gift cards, it significantly extends their safety timeframe. Even after the credit card is deactivated, the gift cards are still valid. That continues until law enforcement tracks down the purchases and then identifies the specific gift card numbers. Different retailers have different levels of sophistication regarding gift card tracking.
In this Florida case, though, the suspects took such a long time to use all of the stolen credit card numbers that some had already been deactivated and the Wal-Mart gift card system flagged them as unacceptable. That, according to Drzewiecki, was one way the suspects were caught.
“They kept going back to the well. Fortunately, we were getting some red flags from these businesses,” Drzewiecki said.
The probe is not over in Florida, as that statement said: “This investigation is on-going and will likely produce additional charges and additional arrests.”
Technical Legal Note
Even though the accused in this case did not use traditional identification (driver’s license, photo ID, etc.), authorities charged them with fraudulent use of personal identification because they had overwritten the gift card’s identification with the name and numbers associated with one of the consumers whose data was lifted in the Heartland breach, Drzewiecki said. In so doing, they, in effect, were using the gift cards to convince the retailer they were someone else, he said.
Johns was charged with 151 counts of fraudulent use of a credit card, 45 counts of fraudulent use of personal identification, one count of grand theft and one count of fraud to obtain property valued at “$50,000 or more.”
Acreus was charged with 60 counts of fraudulent use of a credit card, 15 counts of fraudulent use of personal identification, one count of grand theft and one count of fraud to obtain property worth $50,000 or more.
Frazier (who was apparently slacking off in the credit card department, at least compared with Johns) was accused of seven counts of fraudulent use of a credit card, seven counts of fraudulent use of personal identification, one count of grand theft and one count of fraud to obtain property worth $50,000 or more.
Johns and Acreus were still being held in the Leon County Jail on Sunday (Feb. 15) evening. Frazier had been released.
-Marc
February 19th, 2009 at 12:15 pm
Nothing new about this trick. I first saw it about 8 years ago, in a well-known, and very well-managed, major national retailer. The perps used stolen cards to purchase gift cards at multiple locations in a single day. The next day, they used the gift cards to buy clothes, again at multiple locations. Later the same day, they returned the most but not all of the purchases, and asked for their credits on – nice touch here – new gift cards. The perps used the retailer to launder the stolen money.
It was over two weeks before the retailer got the chargebacks for the initial sales transactions. Reason code was fraud. The retailer had an alert chargeback associate who noticed that all of the chargeback amounts were round numbers, mostly $500. Further research revealed first the proximity of the stores, and then the timing, and then the complete trail unwound. Of course, this all came far too late for the retailer to recoup any amount of their >$5,000 loss. The second round of gift cards had all been completely used.
Skipping over the blame game, let’s ask what are the lessons to be learned here? We helped the retailer identify the one point at which they could have broken the chain: When the stolen card did not scan, the associates key’ed the account number. The retailer implemented a policy that non-scannable cards could not be used as tender for gift cards – and then rapidly implemented that control in their POS. This is, of course, only a partial solution, because a first-class stolen card will scan properly.
The speed with which the perps worked was essential to their success. Chargeback processing – where these problems emerge – is the very weak link in the system. The system is slow. There are too many parties, too many processes, and way too much time.
My proposition is that we have a critical information bottleneck at the acquirers / merchant processors. I understand that the legal structure of the credit acceptance system clearly requires that the debt reversal go to the acquirer / merchant processor. And I also understand and appreciate the excellent chargeback defense work that the better acquirers / merchant processors perform for their merchants. Their good work slowed to a trickle the unscrupulous issuer practice of dumping bad debt back to the merchants.
But we need a re-think to slow this stolen-credit-card-to-gift-card scam to a trickle. It won’t be easy, because retailers need to sell gift cards, and none of us want to make life any harder for retailers than it already is. This requires a joint effort by the three interested parties: the issuers / bankcard associations, the acquirers / merchant processors, and the merchants. Everybody ready to play nice?
February 27th, 2009 at 4:19 am
Good, let them rot in Prision, give them all 25 year sentences and 10 year probations, and make them pay back all the retailers they cheated and make their names very public always !!!
December 20th, 2009 at 8:06 am
I feel sorry for the credit card companies. They are always looking out for our best interest. They never try to scam the public. They offer a convenient service for a small fee. America is doing great and everything is fine. The young fraudsters should work at WalMart and pay for their own healthcare.