TJX, Polo Data Surfaces In Another Credit Card Bust

Written by Evan Schuman
July 10th, 2007

After more than $75 million in bogus credit card charges, several Cuban nationals in Florida have been arrested with more than 200,000 credit card account numbers, many of which came from the TJX and Polo Ralph Lauren data breaches, according to U.S. Secret Service officials, commenting on Monday’s announced arrests.

The numbers were sent to the Florida defendants (who specialized in manufacturing bogus credit cards complete with embossing, logos, holograms and properly encoded magnetic strips) from a group of Eastern European residents who specialized in collecting the stolen credit card numbers, the Secret Service said.

That Eastern European group of fiduciary Fagins obtained those numbers from many different sources, but many of the numbers were traced back to two specific major retail data breaches: last year’s TJX breach and a 2005 Polo Ralph Lauren breach, said a Secret Service case agent who was involved in the investigation and asked that his name not be used.

Credit card numbers from the TJX theft have reportedly found themselves in multiple bogus credit card and giftcard probes, including a major giftfraud probe (which was also in Florida) as well as investigations in Alabama, North Carolina and Virginia.

Beyond the card numbers taken from Polo and TJX, the Florida group also used skimmers at restaurants to steal numbers along with “multiple hacks from the last five years,” said Brian Camerieri, who is the supervisor of the Secret Service group leading the probe as well as the assistant to the special agent in charge of the Secret Service’s Miami field office.

The numbers were quite global, with victims in the U.S., Europe, Asia and Canada, among other places, and impacted “more than 300 banks,” Camerieri said.

Authorities watched as the Florida defendants sent “large amounts of money” to the Eastern Europe team using an Internet payment system called E-Gold, which Camerieri said was considered a company that “didn’t verify anything” in terms of identification and was a good choice “if you wanted to disguise who you are and launder money.”

The defendants “were able to provide fictitious information to set up the account,” said the case agent, who added that the lack of verification meant that, to the defendants, people could “just give (E-Gold) whatever (name and address) you want to give.”

The Secret Service issued a statement that said “more than 200,000 credit card account numbers were recovered in connection with the ring’s activity, which was responsible for fraud losses of more than $75 million. Additionally, agents seized two pick-up trucks, $10,000 cash and one handgun in connection with the case.”

But Camerieri said that the dollar amount wasn’t a specific figure. It was a rough estimate based on a conservative guess that each card could bring $500 of fraud, and the actual number of card numbers the group was charged with having was 172,000. That actually comes to $86 million, but the announced figure was made even more conservative, possibly because not all cards had been used at the time of the arrests. Making the released estimate even more conservative is the fact that, typically, Camerieri said, the fraud on a bogus credit card with a stolen credit card number is much higher than $500.

Credit card thieves have to play with various time limitations. If a credit or debit card is physically stolen through deception, such as a pickpocket, the thieves assume they have barely an hour or two before the card owner discovers the theft and alerts their bank to suspend the card. If the card is taken through force, such as during a mugging, thieves assume they have mere minutes.

In both of those physical situations, the objective is to use the card as quickly as possible. Popular approaches are to use it quickly to make an expensive purchase and then discard the card. Buying a high-dollar amount of giftcards right away is also popular because it can buy the thief several additional days to spend the money before authorities can connect the stolen credit card to the stolen giftcards.

But when thieves steal large numbers of credit cards (the TJX breach, for example, involved the thieves accessing the credit card data of some 46 million consumers), the cards are sometimes changed, but they are often not touched until some fraud is discovered. That gives the fraudsters plenty of time to create fake cards and to sell them to other thieves. Once fraudulent activity starts, it keeps going until the credit card company detects a fraudulent pattern and calls the consumer or until consumers receive their next credit card statement and notify their bank.

In the Florida case, the defendants ran a diversified fraud business, Camerieri said, with numbers being sold in addition to various types of credit cards. The credit card plants the defendants ran created full cards (complete with embossing, bank and credit card logos, holograms and properly encoded magnetic stripes on the back) as well as so-called white plastic, which is just a plain card with the properly encoded magstripe.

The white plastic cards are popular because they are cheaper than the full cards (which often sell for between $50 and $100 each). Although they can’t be used when dealing with retail employees, they work well with self-checkout systems such as gas stations and supermarket checkout. “We’ve seen a lot of HomeDepot,” Camerieri said, referring to the home improvement chain’s extensive use of self-checkout lanes. “You can pay at the gas station all day long with that stuff.”

Other retailers seen repeatedly in this case were Wal-Mart and Lowe’s and “all of the electronics chains,” said the case agent.

Those arrested were Miguel Alegria, 46, of Hialeah, FL; Raynier Pupo, 22, of Miami, FL; Ariel Montero, 32, of Aventura, Florida; Javier Padron-Bravo, 35, of Aventura, FL; Julio Lopez, 30, of Hialeah, FL; and Anett Villar, 26, of Hialeah, FL. Charges against some of the defendants included aggravated identity theft, counterfeit credit card trafficking and conspiracy.

Cuban nationals Alegria, Pupo, Montero and Padron-Bravo all pleaded guilty in late June to the conspiracy counts, in exchange for a plea agreement with the government for the other charges to be dropped, Camerieri said.

Alegria, Pupo, Montero and Padron-Bravo are scheduled for sentencing in September, which is when the judge will decide whether to accept the plea agreement.

The probe started with the Secret Service’s Nashville field office and their investigation of Lopez and then Villar, whom the Secret Service described as Lopez’s girlfriend. An agent went online while undercover and tried to do business with Lopez, whose screen name was Blinky. Agents borrowed the suspect’s online name for the probe’s codename and Operation Blinky soon had a cooperating (and still unidentified) defendant.

