RIDGWAY – It had been an excellent Saturday for my husband, who stopped in for a snack at the Avalanche Coffeehouse in Silverton after a bracing morning of scouting backcountry ski lines. Now his credit card was declined. For a coffee and a pastry? He checked his phone; a message from the fraud department at our bank asked him to call immediately. On the phone, the rep quizzed him: did he live in Ridgway? Did he buy groceries in Ridgway? Did he eat out in Ouray? Did he… recently spend $580 at the TJ Maxx in Hialeah, Florida? When my husband replied no, the rep explained what had happened: an out-of-the-region charge led the bank to suspect our card had been stolen, so the card had been cancelled. And thus, we officially became victims of the credit fraud rocking Ouray County.
That was two weeks ago. Today, the fraud has claimed hundreds of victims, and doubtless many people have been far more inconvenienced than we have. On Monday, Sept. 26, the Ridgway office of Alpine Bank had logged 200 disputes regarding suspected fraudulent charges, and “we’re still getting (another) pile of them this morning,” said branch manager Dennis Alexander. The scam is being investigated by local law enforcement in concert with local banks. Jen Coates, Ridgway Town Manager, said the Ridgway Marshal’s Office is coordinating the investigative effort for Ouray County.
“I believe the banks are encouraged,” said Coates, who is a victim of the fraud. “As soon as we have information that is prudent to share, we will.”
Even so, as of late last week, there were reportedly no suspects. What is becoming known, according to Alexander, is that the card information was likely stolen during a three-month period earlier this summer, and that the source of the crime is local. “Our internal fraud detectors are pretty sensitive,” he said. “We’re not positive, but they are pointing toward a data breach of a single merchant in Ouray County between the months of June and August.”
The stolen numbers have been used to fund a string of expenditures across “the southern states,” Alexander said: Texas, Arkansas, Louisiana and Florida, and typically involve charges between $50 and $450.
Credit-card thieves steal data in several ways, but two of the most common are hacking – in which thieves gain access to an online database – and skimming, which involves stealing information from a “point of sale” (such as a shop, restaurant or gas station) when a magnetic strip along the reverse side of a credit or debit card is swiped through a machine to pay for something. If the theft of these card numbers had been limited to cards issued by one bank, “it could be a case of hacking,” said Hazel Heckers, a Victim Advocate in the Identity Theft/Fraud Investigation Unit of the Colorado Bureau of Investigation. But in this case, many cards from different banks were compromised from the same region, so what happened was likely skimming. A skimmer can be a handheld device, as small as a Bic lighter and easily concealed in the pocket of someone who, say, takes your card out of sight to run it through a machine at a restaurant. Or it can be attached to the face of an ATM, or embedded in a credit card terminal inside a store, or hidden inside a pump at a filling station.
Wherever it happens, the crime itself is quick and simple, said Ralph Gagliardi, Agent in Charge of Identity Theft and Mortgage Fraud at the CBI. Magnetic strips are highly insecure. Each strip is encoded with information about the cardholder, such as his or her full name, card number, card expiration date and the country code. When the card passes through a skimmer, the data is captured instantly. Skimmers at ATMs and gas stations used to be clumsy and obvious-looking, but the latest have gotten incredibly sophisticated and difficult to detect. Indeed, the latest skimmers at gas stations are completely invisible. Last year, 180 pay-at-the-pump terminals along the I-25 corridor between Salt Lake City and Provo were found to contain skimming devices; the stolen data can be transmitted wirelessly, often via Bluetooth, to thieves waiting nearby
“The whole thing is over in seconds,” Gagliardi said. Once the data is captured, the thieves sell the card information, often online, to individuals who encode the data onto new plastic, essentially cloning stolen cards. These cards are sold, often in bulk, for as little as $2 a card; the person who walked into T.J. Maxx in Florida clutching a clone of our card was probably way down on the criminal chain. Card-purchasers don’t usually know how much of a balance a stolen card will have on it, or even if it has any at all, which is why hot cards sell for so little. According to an undercover investigation reported by cnet.com, though, one could get a confirmation of a small balance on a card for $80, and a card with a guaranteed balance of $82,000 sold for $700. Card cloning machines went for $200-$1,000. The thief at T.J. Maxx probably got to keep his or her merchandise (“the merchant verified that the money was in the account,” said Alexander); our bank’s fraud-detection system picked up the suspicious activity after the fact, and cancelled the card. We were compensated for our losses by our bank several days later, but were out $600 cash in the meantime. The bank absorbed most of the loss.
The problems all boil down to the magnetic strip, Agent Gagliardi says, which is incredibly insecure: the U.S. is the last developed country in the world to use the antiquated technology. Most of the rest of the world has switched to smart cards embedded with microchips, which are far more secure, but most banks in the U.S. don’t issue these cards, and most merchants don’t accept them. Last month, VISA proposed a plan to “incentivize” merchants to switch to smart-card machines, in the hopes that many more banks will begin issuing smart cards to use in them. But VISA’s plan won’t take effect until 2015, meaning magnetic strips are here to stay at least for the time being. Meanwhile, here’s what you can do to keep your card safe:
• Limit debit card purchases. If you pay by credit card and your card is stolen, even if it accrues thousands of dollars in charges, you can only be held liable for $50. Use a debit card, and you can be on the hook for far more. You have 60 days after a bank statement is issued with unauthorized charges on it to dispute any suspect charges if you use a debit card. If you don’t speak up before then, the charges will be considered legit. Once they are alerted, most banks “are very reactive” when it comes to stolen credit and debit cards, Alexander says, and will quickly refund your money. Our bank compensated us for the T.J. Maxx charge within two days. “But we’ve seen some banks take many days or even weeks,” says Beth Givens, the head of Privacy Rights Clearinghouse, a consumer advocacy association. Use only a credit card if you can’t afford to lose any cash for several days.
• Keep track of your cards. If a clerk tries to take it away, try to watch what he or she is doing.
• Pay at the pump, but be aware of the risks. It’s convenient, but it may not be secure. The safest way to protect your data is to pay inside. “I buy gas outside, but I check my accounts every night,” says Agent Gagliardi.
• Not all banks automatically scrutinize accounts for irregular activity; if yours doesn’t, ask to have a fraud alert put on your account. It’s free, and could save you thousands. The downside is, you’ll have to notify your bank before you travel about where you’ll likely be going, so its anti-fraud software doesn’t flag any out-of-town charges as “suspicious activity” and shut down your spending.
• Consider having your credit and debit cards reissued. Even if you haven’t been hit by this fraud, considering how widespread it has become in Ouray County, “it may be worth asking your bank to cancel your cards and reissue them” said CBI’s Heckers. As Alpine Bank’s Alexander pointed out, cases are still pouring in, and the fraud is still unraveling.
“This thing could be going on for years,” he said. If you haven’t been hit yet, in other words, you still could be.”