Clarence Day once said, “The ant is knowing and wise, but he doesn't know enough to take a vacation.” In the modern age, the ant is perhaps wiser than the poor souls who actually decide to take a vacation — especially me.
In a shockingly out-of-character moment, my wife and I decided to take a vacation to Europe earlier this year. I got to experience the rolling green majesty of Ireland, the narrow cobblestone streets of Italy, and the sickening feeling of being involved with the other side of credit card fraud. That’s right: My wife’s credit card information was stolen.
Italy is one of the biggest hot spots for pickpocketing and robbery worldwide, to the point where Rome has been called “the pickpocket capital of the world.” Knowing this, my wife and I came prepared with high-security cut-proof bags, wallet chains, and an unspoken rule that if a pickpocket dared to try something on one of us, the other would immediately break the poor thief’s thumbs. We thought we were prepared for the worst.
Unfortunately, “the worst” did not take the form of a chase through the streets of Rome to get back a stolen bag. Instead, I suspect that my worst enemy was a cashier working at a Vatican City gift shop. In the few seconds that it took to ring up our small purchase, the credit card either passed through a skimmer or was recorded by a small camera. Either way, at the time there was no way to suspect that anything out of the ordinary had happened. The cashier rang up the items and swiped the card, and we were on our way. The store was crowded with shoppers, and it was impossible to watch all of the clerk’s movements when she had the card. It would have been out of view for only a few seconds.
Those few seconds were all it took to become a victim of fraud.
Of course, at the time I was blissfully unaware that any of this had happened. We continued on our vacation without a care in the world. On our last day, we discovered that the card was frozen. When we got back home we were greeted not only by an office full of smiling investigators, but also by the credit card statement.
To my knowledge, we had not purchased nearly $20,000 worth of car insurance along with our Vatican souvenirs. Fortunately, our credit card company’s fraud department was able to address the charges without an issue. However, being a professional investigator, I was fascinated by what I saw. I consulted with investigators in law enforcement and various antifraud departments and launched into a great deal of my own research, but I could not find any similar documented cases. I asked myself: “Why would a stolen credit card be used to buy insurance for a number of different vehicles in different states, likely registered to different owners? And what purpose would this serve if the insurance were canceled after the fraudulent charges were addressed?”
I came up with two theories. First, the culprit had released the credit card information as a “public dump.” This is a process where a carder will release a card he or she has already used to the larger fraud community for free. Like piranhas swarming around a piece of meat, the other fraudsters will frantically make transactions until the card has been shut down. This leaves a trail of potentially hundreds of transactions from different people across the world, and it makes finding the real culprit much more difficult.
Second, I suspected that the stolen credit card was being used by some kind of black-market insurance provider. Suppose an unethical person sold real proof-of-insurance cards to other criminals, at a cost far lower than actually buying insurance. This would be especially appealing in the case of expensive high-risk insurance such as SR-22, which may be required to reinstate driving privileges after a traffic offense such as drunken-driving conviction.
The unethical seller buys insurance with a stolen credit card, and while the insurance itself might soon be canceled, the proof-of-insurance cards are already printed, complete with any special markings or holograms that might be present with high-risk insurance.
These are both just theories. I am still constantly doing research in the underground carding community to find somebody engaged in such a scam. So far, I have come up empty-handed.
Compared with some victims of credit card fraud, my wife and I were quite fortunate to not have suffered any lasting repercussions from this incident. However, as a security professional and somebody who frequently sees high-tech fraud from the perspective of the investigator, being the victim gave me some insight into exactly how good these criminals are.
I ask myself what lessons can be learned from this.
I begrudgingly acknowledge that when people take vacations, they do so in order to relax their minds. Unfortunately, this also leads to a relaxed sense of awareness — enough to allow for the card to disappear from view for a few seconds. There was little we could have done.
If you’re a business owner, it is essential that you know your employees and watch for this kind of behavior. I sincerely doubt this was a scheme implemented by the pope. It was likely the work of a single unethical employee.
We are only human, but we must always stay vigilant and aware of our surroundings. Whether we're walking down a dark alleyway or visiting the Vatican, the moment we let our guard down is often the moment we most need it.
firstname.lastname@example.org. Written in collaboration with information security expert Dylan Evans, Reveal’s vice president of operations.