First Heartland Arrests, With New Twist To Bogus Gift Card Scheme

Written by Evan Schuman
February 14th, 2009

U.S. Secret Service and local law enforcement have confirmed the arrests of three Florida men on hundreds of counts of credit card fraud. The suspects were caught using cards that police said were made using data stolen from credit card processor Heartland Payment Systems. But the arrests revealed a new kind of gift card fraud technique, one where the fraudsters need never use identification and don’t have to pay for the equipment to manufacture bogus cards.

The Tallahassee arrests of Timothy Julsaint Johns, 21, Jeremy A. Frazier, 20, and Tony Acreus, 20, are very far from closing this case. Federal officials are still focusing on an overseas group—apparently in Eastern Europe—that accessed the data from Heartland. It’s not unusual for such groups to then sell the numbers in bulk to various smaller criminal groups, which turn the data into bogus credit cards and false gift cards and then use those cards to purchase goods that are sold for cash.

Just this week, the Secret Service and the FBI issued an alert describing the methodology behind what they termed “a considerable spike in cyber attacks” against E-tailers. An alert that detailed typically means authorities already are tracking the suspects, who most likely are fully aware they are being tracked. Hence, there’s little investigative risk to issuing an alert to try to minimize additional data theft attempts using the same procedures.

Meanwhile, the full impact of the Heartland breach has not been confirmed. But the number of financial institutions that say they have been impacted by the Heartland breach continues to rise, now hitting 440.

Back in Florida, officials said they have been working this breach case for three months in a joint probe by the Secret Service, the Leon County Sheriff’s Office and the Tallahassee Police Department. Authorities said the three men were arrested after being caught on Wal-Mart surveillance video using homemade Visa gift cards. A Florida law enforcement statement didn’t list the dollar value of the thefts associated with the three suspects, other than to say, “the total actual and declined fraudulent transaction in Leon County is currently in excess of $100,000. This amount is expected to be much higher as this investigation continues.”

Sgt. Tony Drzewiecki, of the Leon County Sheriff’s Office, said the three defendants are not suspected of having any involvement in the data breach and that they “were at the end of the line, with these numbers. We’re trying to determine how they came into possession of the numbers.”

A New Twist

What makes this case interesting is that the suspects are accused of having tried a new twist to credit card fraud. Typically, fraudsters take stolen credit card numbers and create bogus documents by stamping out the cards from plastic. In this case, the suspects didn’t have to create bogus credit cards at all. It also meant they weren’t required to show any identification when using the gift cards.

All the suspects did in this case was steal Visa gift cards from retailers and then simply use an electronic coding device to overwrite the data on the magnetic strip, Drzewiecki said, which would have saved them a lot of time and money because it meant that the suspects “didn’t have to have the facilities to make” bogus credit cards or fake gift cards.

The trio was fond of hitting Wal-Marts and purchasing large electronic devices. “Flat-screen TVs, that was a favorite. That can be sold very easily on the outside and converted into cash,” Drzewiecki said.

One of the reasons gift cards are so popular with thieves is that they provide a very easy way to allow fraudulent purchases to happen for a much longer period of time. If a thief grabs a credit card, it’s only a matter of hours—and sometimes minutes—before the theft is discovered and the bank invalidates that card worldwide. But if the thief uses that card to immediately purchase gift cards, it significantly extends their safety timeframe. Even after the credit card is deactivated, the gift cards are still valid. That continues until law enforcement tracks down the purchases and then identifies the specific gift card numbers. Different retailers have different levels of sophistication regarding gift card tracking.

In this Florida case, though, the suspects took such a long time to use all of the stolen credit card numbers that some had already been deactivated and the Wal-Mart gift card system flagged them as unacceptable. That, according to Drzewiecki, was one way the suspects were caught.

“They kept going back to the well. Fortunately, we were getting some red flags from these businesses,” Drzewiecki said.

The probe is not over in Florida, as that statement said: “This investigation is on-going and will likely produce additional charges and additional arrests.”

Technical Legal Note

Even though the accused in this case did not use traditional identification (driver’s license, photo ID, etc.), authorities charged them with fraudulent use of personal identification because they had overwritten the gift card’s identification with the name and numbers associated with one of the consumers whose data was lifted in the Heartland breach, Drzewiecki said. In so doing, they, in effect, were using the gift cards to convince the retailer they were someone else, he said.

Johns was charged with 151 counts of fraudulent use of a credit card, 45 counts of fraudulent use of personal identification, one count of grand theft and one count of fraud to obtain property valued at “$50,000 or more.”

Acreus was charged with 60 counts of fraudulent use of a credit card, 15 counts of fraudulent use of personal identification, one count of grand theft and one count of fraud to obtain property worth $50,000 or more.

Frazier (who was apparently slacking off in the credit card department, at least compared with Johns) was accused of seven counts of fraudulent use of a credit card, seven counts of fraudulent use of personal identification, one count of grand theft and one count of fraud to obtain property worth $50,000 or more.

Johns and Acreus were still being held in the Leon County Jail on Sunday (Feb. 15) evening. Frazier had been released.


3 Comments

  1. Deborah Says:

    Nothing new about this trick. I first saw it about 8 years ago, in a well-known, and very well-managed, major national retailer. The perps used stolen cards to purchase gift cards at multiple locations in a single day. The next day, they used the gift cards to buy clothes, again at multiple locations. Later the same day, they returned most but not all of the purchases, and asked for their credits on – nice touch here – new gift cards. The perps used the retailer to launder the stolen money.

    It was over two weeks before the retailer got the chargebacks for the initial sales transactions. Reason code was fraud. The retailer had an alert chargeback associate who noticed that all of the chargeback amounts were round numbers, mostly $500. Further research revealed first the proximity of the stores, and then the timing, and then the complete trail unwound. Of course, this all came far too late for the retailer to recoup any amount of their >$5,000 loss. The second round of gift cards had all been completely used.

    Skipping over the blame game, let’s ask what are the lessons to be learned here? We helped the retailer identify the one point at which they could have broken the chain: When the stolen card did not scan, the associates keyed the account number. The retailer implemented a policy that non-scannable cards could not be used as tender for gift cards – and then rapidly implemented that control in their POS. This is, of course, only a partial solution, because a first-class stolen card will scan properly.

    The speed with which the perps worked was essential to their success. Chargeback processing – where these problems emerge – is the very weak link in the system. The system is slow. There are too many parties, too many processes, and way too much time.

    My proposition is that we have a critical information bottleneck at the acquirers / merchant processors. I understand that the legal structure of the credit acceptance system clearly requires that the debt reversal go to the acquirer / merchant processor. And I also understand and appreciate the excellent chargeback defense work that the better acquirers / merchant processors perform for their merchants. Their good work slowed to a trickle the unscrupulous issuer practice of dumping bad debt back to the merchants.

    But we need a re-think to slow this stolen-credit-card-to-gift-card scam to a trickle. It won’t be easy, because retailers need to sell gift cards, and none of us want to make life any harder for retailers than it already is. This requires a joint effort by the three interested parties: the issuers / bankcard associations, the acquirers / merchant processors, and the merchants. Everybody ready to play nice?

  2. jetranger Says:

    Good, let them rot in prison, give them all 25 year sentences and 10 year probations, and make them pay back all the retailers they cheated and make their names very public always !!!

  3. biz student Says:

    I feel sorry for the credit card companies. They are always looking out for our best interest. They never try to scam the public. They offer a convenient service for a small fee. America is doing great and everything is fine. The young fraudsters should work at WalMart and pay for their own healthcare.
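
The point-of-sale rule and the chargeback signals described in the first comment (keyed cards refused as tender for gift cards; round amounts, several stores, one day), as an added example that is not part of the article or of any comment. The record layout, field names and thresholds are assumptions, and the sample transactions are constructed.

```python
from collections import defaultdict
from datetime import date

D = date(2009, 2, 1)  # constructed date

# Constructed POS records (not real data); field names are assumptions.
# entry: how the tender card was read; cents: sale amount in cents.
SAMPLE_TXNS = [
    {"card": "tok_A", "store": "S01", "day": D, "entry": "swiped", "item": "gift_card", "cents": 50000},
    {"card": "tok_A", "store": "S02", "day": D, "entry": "swiped", "item": "gift_card", "cents": 50000},
    {"card": "tok_A", "store": "S03", "day": D, "entry": "swiped", "item": "gift_card", "cents": 50000},
    {"card": "tok_B", "store": "S01", "day": D, "entry": "swiped", "item": "gift_card", "cents": 3742},
    {"card": "tok_C", "store": "S02", "day": D, "entry": "keyed", "item": "gift_card", "cents": 50000},
    {"card": "tok_D", "store": "S01", "day": D, "entry": "keyed", "item": "apparel", "cents": 50000},
    {"card": "tok_D", "store": "S03", "day": D, "entry": "swiped", "item": "apparel", "cents": 50000},
]


def tender_allowed(txn):
    """Point-of-sale rule: a card that would not scan and was keyed by the
    associate may not be used as tender for gift cards."""
    return not (txn["item"] == "gift_card" and txn["entry"] == "keyed")


def flag_gift_card_runs(txns, min_stores=2, round_cents=10000):
    """Return (card, day, stores) for cards that bought round-amount gift
    cards at min_stores or more locations on the same day."""
    stores_by_card_day = defaultdict(set)
    for t in txns:
        if t["item"] == "gift_card" and t["cents"] % round_cents == 0:
            stores_by_card_day[(t["card"], t["day"])].add(t["store"])
    return sorted(
        (card, day, sorted(stores))
        for (card, day), stores in stores_by_card_day.items()
        if len(stores) >= min_stores
    )


if __name__ == "__main__":
    for t in SAMPLE_TXNS:
        if not tender_allowed(t):
            print("refuse tender:", t["card"], t["store"])
    for card, day, stores in flag_gift_card_runs(SAMPLE_TXNS):
        print("review:", card, day, stores)
```

Run at purchase time rather than at chargeback time, the second check surfaces the pattern the same day; the thresholds need tuning against a retailer's legitimate gift card volume.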

