At least a couple times every year I write about my own or someone else’s trials with computer criminals who steal, replicate, or otherwise appropriate credit cards. It’s happened at least four times to me since around the early 2000s. The most recent occurrence is fairly typical of the scheme.
Some of this I’ve shared before. It was a nondescript Sunday night, late enough that a movie was my only light. I had my phone on vibrate. Even though the ringer was off the first call lit up the screen and distracted me anyway. I ignored it. The second time I ignored it again, but less so because I was curious about whether it was a familiar number. It wasn’t. It was an 800 number. They hung up. No voicemail. Within two minutes it came again. Usually, telemarketers and robo-callers have the minimum courtesy to cease business for the Seventh Day. So, against my better judgment and since I’d already upended my suspended reality I went ahead and answered it.
It was a recording, “This is a fraud alert from your banking institution….” That sure didn’t sound or seem legit. They closed with a case number to use. What bank? What happened? Was it a scam? The only bank I dealt with is a Kentucky bank, and obviously it was closed. I called the 800 number back and got a live person. They asked for the case number, and then asked for my banking, debit, and credit card numbers. Whaaa?!? Not a chance.
Despite the red flags it turned out to be a bona fide call, and one made by a company that my bank contracted with to detect and prevent card abuse. While this series of events had happened to me a few times, this one put a new spin on the crime. This time, the hackers somehow got my debit card information from the internet. Perhaps one of the merchants that I’d done business with was careless, or maybe the carelessness was of my own doing. Law enforcement wasn’t exactly going to be working in shifts to solve the quandary so I would never find out the particulars. Anyhoo, once the bad guys had the card data they created a new card, a physical card that is. These are called “spoofed” payment cards. You can do it, too. You can get online and squirm your way into the underbelly of the internet to find machines that produce MasterCards and Visas complete with programmable magnetic strips and chips. You can buy the blanks. You can find software that lets you program those blanks into hypothetically working cards. Those things you can do legally so long as you don’t take all of the actions together and end up with a spoofed card; though, without offering you legal advice, it may be the case that you can even do that legally so long as you don’t use the spoofed card in actual commerce.
The crooks did take those collective actions and presumably cranked out an “Ed Zuger” Visa debit card complete with the same numbers and programming that the one in my wallet had. Then, they visited a Home Depot in Knoxville. If they were new criminals I’d bet they were nervous. If they were seasoned scammers … just another day in the office. They brought around $250 worth of merchandise to the checkout lane, and moments later were headed to their car with the ill-found loot. Then, because criminals tend to be on the greedy side, they buzzed down Kingston Pike to Lowe’s. Same gimmick. Gather a few hundred dollars of goodies and head to the checkout. At that point even if they weren’t hardened in the criminal arts I bet they were confident. Thankfully, the Lowe’s staff were more diligent or less gullible or both. They took it to be fraudulent for some unknowable reason. From there, my bank’s fraud prevention contractor firm went into action and ended up ruining my film, whatever it may have been.
Besides a trip to my bank, which required an in-person consult and “wet” signature to refute the Home Depot charges and replace the compromised card, this series of events didn’t cost me anything directly. Now, trust me, you and I pay for these crimes indirectly in various ways. Upcharges at retailers to make up for fraudulent transactions. Banks’ fees. Some hundredths of a percent of our credit card interest rate goes to thwart and recoup from crimes. But, all told, I consider it successful customer service that when these events happen they don’t really cost the victim anything, aside from the retail and bank victims. There is a moral argument to be made that, “Tough. You got scammed, so you pay for it.”
I’m sharing this all too common happening, part of which I again admit to repeating, because it’s that middle piece of the puzzle that’s appearing again lately. The crime started in the store and ended with my bank trip. In the middle was that company that the bank works with to manage these messes. Last year the FBI reported that over $50 million was schemed by not-so-helpful callers with the same tale. A phony baloney call comes in that your card has been compromised, and please “help stop the scam and help us by giving us your banking numbers.” Twenty-five thousand people “helped” in that way and got got.
Don’t be the statistic. If you get that red-flag-addled call, maybe it’s legit, maybe not. Take note of the details. Don’t divulge any personal or financial information. Then, as soon as you can, call your bank to verify whether the call was truly helpful or just another crafty criminal enterprise taking advantage of us good guys, our niceness sometimes costing us.
Ed is a professor of cybersecurity, an attorney, and a trained ethicist. Reach him at email@example.com.