It is always a treat to hear from actual identity thieves: understandably they are not often forthcoming on their criminal activities. Dan DeFelippi operated unrestrained for nearly half a decade, starting from college-years dabbling in fake IDs, before getting caught by a perceptive Best Buy store manager. Facing eight years in prison, he made a deal with the government to pay back $200,000 and join the Secret Service to help spot credit card fraud perpetrated by thieves like him. In an interview with CreditCards.com, DeFelippi recounted his adventures in fraud, and the important lessons we should take away form his experience.
Anatomy of identity theft
DeFelippi preferred buying the stolen identities online to stealing them on his own. He would get the information from “people who hack into computers where that data is being stored” and “people like waitresses and waiters with handheld skimmers.” It is frightening to imagine that restaurant workers knowingly run your credit card through skimmers to steal the information, but DeFelippi says that is exactly what happens.
ATM skimmers are another common source of identity theft, he says in the interview. These are readers placed on top of the machine's actual reader, and usually come along with numberpad overlays or tiny pinhole cameras that also record the PIN number of the user. As we described in the previous post, the rise in their sophistication has been frightening – from low-tech pamphlet holders concealing hidden cameras, to entire false front panels, to whole ATM machines outfitted with skimmers and placed in high-traffic areas. Several years ago, one of them even fooled a hacker convention! DeFelippi agrees, noting that “Some of the equipment now is very good and it's hard to tell the difference between that and a real machine."
For his part, he would pay, he says, from $10 and $50 for a single stolen account and use an encoder to transfer it to fake credit card. His preference was always American Express cards for their generous lack of preset spending limits, meaning he could easily make thousand-dollar purchases. The downside to American Express cards was increased security: where the card was used over the phone or online, merchants would often ask for the four-digit security number. Other places would require verifying the ZIP code of the cardholder.
Phishing and Sniffing
Aside from skimming, there are several other methods fraudsters like DeFelippi would steal credit card information. One was phishing, where they would send out official-looking email “alerts” from banks directing readers to a fake website where they would need to re-enter their account information “for security purposes.” DeFelippi says he would target AOL users because they were perceived the most unsophisticated (indeed, the origins of the term “phishing” came from hacker groups who would “fish” AOL users for financial account information). Other times, fraudsters would set up entire fake shops online, advertising popular items at extremely low prices (think, for example, an IPad for $40) to dupe buyers into entering their information.
He also mentioned sniffing, another common identity theft tactic involving breaking into the communication between computers and websites. That way, users submitting their card information even to legitimate websites would unknowingly also submit them to the thieves. Although many stores have counteracted this vulnerability with “secure http” protocols (always look for “https” in the web address when submitting sensitive info, says DeFelippi), sniffing is still popular due to the prevalence of WiFi connections everywhere. “If you're using an open Wi-Fi connection,” he says, “you should pretty much have the expectation that there is no security.”
What can we learn?
DeFelippi advises consumers to carefully examine their credit card statements for any unauthorized purchases. This is wise advice indeed, but given the recent losses to retail fraud - $11 billion annually for financial institutions and over $100 billion for merchants – it is safe to say the advice is not always followed. Many credit card users still get their identities stolen, and merchants still face an uphill battle in detecting counterfeit credit cards and fake IDs. Despite DeFelippi's best efforts, identity theft and its constant companion retail fraud are poised for an increase this year, as they for every year before.