Former credit card thief spills the beans on his former profession and how he plays it safe today: Internet Scambusters #435
Inside information from a reformed credit card thief shows how crooks get their information by harvesting email addresses and buying stolen numbers to use on forged cards.
He told the online credit card news and information site CreditCards.com how he did it and provides useful information on what he himself now does to safeguard his own cards.
Fortunately for him (and us!), he got caught, changed sides to help the Secret Service, repaid his victims and, as this week's report demonstrates, agreed to help others avoid falling victim to the crime.
And now for the main feature...
Credit Card Security Tips -- from a Credit Card Thief!
A former credit card thief has confessed online that the crime, which rakes in more than $500m a year in the US, is "ridiculously easy" to commit.
Using stolen numbers that cost $10 to $50 apiece, Dan DeFelippi manufactured genuine-looking credit cards from blanks, programming their magnetic stripes, and used them to buy hundreds of thousands of dollars worth of merchandise at stores, which he then sold online.
He was part of a loose network of crooks who, according to recent research by leading ID theft surveyors Javelin Strategy, account for around 4.5 million credit card fraud victims in the US alone every year.
Since being convicted in 2004, the ex-credit card thief has spilled the beans on the murky world of credit card fraud, even working with the US Secret Service to train agents and expose the workings of online hackers and fraudsters.
Now a website developer in New York, he recently told his story to the online credit card comparison and news site CreditCards.com.
Starting out as a teenage hacker, DeFelippi progressed to selling bogus IDs at college, realizing how easy it was to discover individuals' personal and confidential information.
He used software that harvested email addresses from specific age groups and locales, then bombarded them with messages pretending to be from the likes of AOL and PayPal, saying their credit card details had expired.
Inevitably, these phishing messages contained a link to a bogus page asking victims to re-enter their details.
"It's kind of scary how much information I could get," DeFelippi tells CreditCards.com.
But he admits it's more difficult these days for a credit card thief to get information this way because many card users have wised up to this spoof.
It was simpler and quicker to buy credit card numbers from crooks who hack computers, set up bogus online stores selling non-existent goods at bargain prices, "skim" the numbers from ATMs, or simply steal them at restaurants or from documents.
We covered the "art" of skimming in a recent Scambusters report, Gas Pumps Targeted in Latest Card Skimming Scam.
To give some idea of the scale of this crime, in March this year a British teenager was sentenced to five years behind bars after being convicted of setting up an online forum that bought and sold hundreds of thousands of credit card numbers.
The site even offered software and tutorials on how to steal and use the information.
Armed with such numbers, DeFelippi says, it was a cinch for him to produce cards. Anyone with $100 and a computer could do it, he claims.
So, what's his advice to the rest of us to help cut the risk of becoming victim of a credit card thief?
Well, here at Scambusters we're previously provided some useful tips that are worth checking out again.
DeFelippi thinks the most important credit card security action is to frequently check your online accounts.
Once a month just isn't enough because, if your number was stolen early in the billing cycle, the account could be maxed out before you even look at it.
If you have teens-and-twenties in your household, make particularly certain they do the same. According to the Javelin research mentioned earlier, this is the age group least likely to check their online accounts.
The former credit card thief says he now uses the free services of Mint.com, which is owned by the financial software company Intuit (producers of TurboTax, Quicken and QuickBooks), to monitor his accounts for credit card fraud every day.
The Mint site pulls together all your online financial information into a single location, making it easier to review and spot signs of credit card theft.
If you visit the site, you'll see that Mint, which claims to have 5 million users, stresses it can't be used for transactions, only monitoring, and that it uses bank-level data security to protect your information.
We have no information, one way or the other, on the reliability of this site.
DeFelippi also advises:
- Checking your credit report at least a couple of times a year to make sure you're not a victim of ID theft. You can do this for free, once a year, for each of the three credit reporting agencies. See this Scambusters issue, Can You Really Get a Free Credit Report -- Without Getting Scammed? for the scam-proof and free way of doing this.
- Do your online shopping with reputable established sites. Otherwise, thoroughly check out companies you don't know or haven't dealt with, looking for others' comments on their experiences.In particular, don't be tempted to buy merchandise from an email that came from a person or company you don't know, no matter how much of a bargain it seems.
- Double check that any page on which you're about to give your card details is secure -- that it has "https" at the start of the address (the "s" is the security indicator).Remember that when you're online, you're moving data backwards and forwards. If you're using an open wireless network, assume it's not secure and that you could be vulnerable to credit card fraud.
- Invent your own answers to the security questions many financial sites now use. Don't use the real information. That way, nobody will be able to guess or research it.(Of course, you'll have to make sure you can remember the answers you gave!)
- Use the same ATM for all your cash withdrawals. You'll get to know the machine and therefore more likely will spot if anyone has tampered with it.Bank locations are less likely to be vulnerable than convenience stores or clubs, he suggests.
Like us, you might be wondering how DeFelippi got caught. It happened at a Best Buy store he visited with a friend. The accomplice presented a phony driver's license, bearing his real photo, as proof of ID.
When the store manager swiped the bogus credit card, he got a "Call For Authorization" message back from the card company, which had become concerned about activity on the account.
Realizing something was wrong, the pair made a hasty retreat -- leaving the license with its incriminating photo behind.
It's probably the best thing that could have happened to DeFelippi. Realizing the error of his ways, he struck a plea deal to pay $200,000 restitution to his victims and to do community service, instead of going to jail.
You can read his full interview: Secrets of a former credit card thief.
He's also done us all a big favor by agreeing to tell his story. For once, we might say, it's good to encounter a credit card thief!
That's all we have for today, but we'll be back next week with another issue. See you then!