Street-Level Credit Card Fraud
Until recently, Las Vegas police officers couldn't figure out why some of the prostitutes and drug addicts they arrested were found carrying multiple hotel room keys and slot machine player's club cards. When confronted, the suspects said they kept them as souvenirs or found them on the sidewalk. The cops initially assumed that the cards were stolen, or -- in the case of the prostitutes -- perhaps belonged to some of their more frequent clients.
"It was getting fairly regular that in post-arrest inventory, we would find eight to 10 room key cards ... all from different hotels," said Dennis Cobb, deputy chief of the Las Vegas Metropolitan Police Department's Technical Services Division.
The mystery began to unravel when a LVMPD officer slid one of the keys through a machine that reads the data stored on the card's magnetic stripe. Each swipe revealed a 16-digit credit number, a date, a person's name and the name of a bank. That's right, the keys functioned exactly like credit cards, allowing the carrier to pay for merchandise at any store or market where customers do their own swiping.
"The people who had these cards on them were using them in transactions with local businesses," Cobb said.
The revelation is hardly a surprising one for a city that had the nation's second highest rate of identity-theft complaints to the Federal Trade Commission last year. Cobb said the stolen card data comes from a variety of sources, but he said it is not unusual for service-industry workers who owe money to a drug dealer or a bookie to be handed a handheld magnetic stripe "skimmer" and ordered to periodically collect up to 100 accounts as a means of erasing their debt.
The discovery led Cobb's division to team up with researchers from the Identity Theft and Financial Fraud Research and Operations Center (IFFROC) at the University of Nevada, Las Vegas to devise technologies that police could deploy in the field to detect various types of fraud.
Hal Berghel, the center's director, said the people who are usually caught with key cards use them primarily at convenience stores, gas stations and other places where purchases are less than $20, which is below the scrutiny threshold for most fraud-detection technologies.
"By the time the bottom feeders get the cards, the data on them has already been shared with the organized criminals, who will bang on a credit card though mail-order and Internet purchases," Berghel said. At that point the cards are "throwaways that can only be used a couple of times before they're canceled."
Last year, Berghel filed a patent application on behalf of IFFROC for a technology called "Cardsleuth," software he demoed for me when we met up last week in Washington. He hopes that one day a pen-sized device will be used to read magnetic stripes and alert the user when unexpected data is found. Berghel and his team are working on a prototype, which he said could be updated periodically via a USB-based docking station.
Berghel said the technology could be especially useful in the case of a 9/11-type emergency by helping authorities distinguish first responders from those individuals -- be they terrorists or merely looters -- who might take advantage of a chaotic environment.
"There is still a need for on-the-spot validation of credentials where you have a convergence of emergency workers, many of whom have never seen each other before," he said.
Update, 11:45 a.m. ET: Apparently, I didn't make it clear enough what is really going on here. This post is not suggesting that hotel room keys are being encoded with credit card information by the hotels, which has always been something of an urban legend/e-mail hoax (see Snopes and previous discussions on Slashdot.) The folks I interviewed for this piece said the encoding was being done by the criminals (or more specifically, fraud rings who sold them to street hustlers who would wring every last dollar out of the cards before they were cancelled). From the crooks' perspective, the idea behind this is to be able to anonymously use someone else's credit card at a physical location; someone who got arrested holding someone else's actual credit card would have a lot of explaining to do, but hotel room keys are likely to be overlooked or set aside for what they appear to be.
Posted by: Chris | March 6, 2006 8:30 AM | Report abuse
Posted by: Bartolo | March 6, 2006 8:47 AM | Report abuse
Posted by: Jon | March 6, 2006 9:50 AM | Report abuse
Posted by: Bk | March 6, 2006 10:31 AM | Report abuse
Posted by: h3 | March 6, 2006 11:36 AM | Report abuse
Posted by: Bk | March 6, 2006 11:57 AM | Report abuse
Posted by: Bubba | March 6, 2006 2:36 PM | Report abuse
Posted by: Jeremy | March 6, 2006 10:38 PM | Report abuse
Posted by: Brian Krebs | March 6, 2006 11:17 PM | Report abuse
Posted by: Brett | March 6, 2006 11:38 PM | Report abuse
Posted by: Cory M | March 7, 2006 1:53 AM | Report abuse
Posted by: programming since before you were born | March 7, 2006 8:17 AM | Report abuse
Posted by: earwig | March 7, 2006 10:05 AM | Report abuse
Posted by: h3 | March 7, 2006 12:02 PM | Report abuse
Posted by: Fedor | March 7, 2006 5:33 PM | Report abuse
Posted by: Nyabereka | March 8, 2006 10:36 AM | Report abuse
Posted by: elaine | March 20, 2006 9:42 AM | Report abuse
Posted by: Anonymous | March 27, 2006 1:02 PM | Report abuse
Posted by: Anonymous | March 28, 2006 2:15 PM | Report abuse
Posted by: Anonymous | April 8, 2006 11:20 PM | Report abuse
Posted by: tony | April 25, 2006 4:52 PM | Report abuse
Posted by: Laila | May 3, 2006 12:42 AM | Report abuse
Posted by: Anonymous | May 3, 2006 8:35 PM | Report abuse
Posted by: Hemant Jain | July 11, 2006 7:17 AM | Report abuse
The comments to this entry are closed.