Skimming and Bust-outs By David H. Press
hen I sat down to discuss device fraud with James Kollar, Assistant to the Special Agent in Charge of the United States Secret Service Los Angeles Field Office, I knew I was in for an education. Many of the schemes that have been prevalent over the last several years continue to grow at a record pace.
Kollar's squad, which consists of 20 full-time agents, is handling nearly 100 cases with an average dollar loss of between $100,000 and $1 million.
Many of the cases involve "skimming," which is the lifting of the magnetic stripe data from a legitimate credit card and placing the encoded information onto "white plastic." This white plastic credit card is then used at a collusive merchant location.
Many of these are businesses set up with the sole purpose of committing credit card fraud. The proceeds from this type of credit card fraud have been tracked overseas to foreign nationals who fund well-known terrorist groups.
There are many places the credit card information can be skimmed, with restaurants being the most prevalent.
A collusive server takes the credit card used to pay the check and runs the card through a second magnetic stripe reader, the "skim" card reader. These readers are small and can fit in the server's pocket.
Once the shift is over, the server can take the reader, attach it to a computer and recover all of the credit card information from the reader. The card information is then magnetically encoded onto fake credit cards that can be used at collusive merchants.
Skimmed credit card information also can be placed on the magnetic stripe of a lost or stolen credit card. These cards can be used at almost any type of merchant location.
Kollar indicated that thieves are getting more and more sophisticated and technologically savvy. There was one scheme where a skimming device was placed on a gas pump; when the customers swiped their credit cards and entered their PIN to complete the sale, the information was obtained for later use.
Another recent device was recovered from an ATM in the heart of the city. Many customers reported to the bank that the ATM was not working properly but had no idea that their credit card information was being compromised.
Thieves have begun to use high-speed weatherproof cameras, mounted nearby and focused on the skimming devices. These cameras are hooked up to a transmitter that relays the credit card information to the thieves' location.
Kollar reports that his squad is also working more "bust-out" merchant locations than ever. A bust-out merchant is one that is set up primarily to commit credit card fraud.
The merchant buys a small amount of inventory and generally sets up shop in a strip mall, submits an application to an eager sales rep and begins perpetrating credit card fraud.
These merchants are around for only 30 to 45 days - just long enough to generate enough money, then pack up and move to another location, set up another shop, apply to another processor and start the scheme all over again.
One of our ISO clients became suspicious of a merchant and contacted us to perform a detailed site inspection. We discovered that the location listed on the merchant application was closed during normal business hours. We contacted our client and found out that credit card transactions were being run while we were standing at the front door.
We waited and observed the owners leave the building. After obtaining some additional information, the case was turned over to law enforcement. The storeowners were arrested and are awaiting trial on federal credit card fraud charges. They were involved with a group that not only skimmed the credit card numbers but also used white plastic. They were operating a true bust-out.
Good underwriting can prevent losses from both of these schemes, and with a little training and the proper risk-management parameters in place, losses can be minimized. New merchant applications need to be scrutinized, and the application information should be verified.
Many of these thieves use Internet sites to sign up for merchant service. Today, with many Merchant Level Salespeople not even doing site inspections on new merchants, it makes it easy for the thieves to conduct business.
Monitoring new merchants is critical. Since most of these transactions are swiped, your risk-monitoring department should review transactions for all new merchant locations. Once you get a feel for what these new merchants are doing, then you can reduce the monitoring.
Not properly underwriting and monitoring new merchants can cause big problems down the road when chargebacks start coming in and get rejected from the merchant's DDA account. A visit to the merchant location will reveal that the merchant is gone and there is no chance of recovery.
David H. Press is Principal and President of Integrity Bankcard Consultants, Inc. Phone him at 630-637-4010, e-mail dhp@integritybankcard.net or visit www.integritybankcard.net.
|