March 17, 2006 at 10:00 AM ET
How does someone in Moscow step up to a cash machine and withdraw money from an account holder half a world away? Even when the debit card is still in the victim's wallet?
Last week’s story about criminals withdrawing money from ATMs all around the world had many MSNBC.com readers asking how such a thing was possible. It's easy, actually, say fraud experts. The recipe for creating counterfeit cards is right there on the Internet.
It's often called "white card" fraud. Criminals somehow get their hands on the electronic information stored on a legitimate card's magnetic stripe. Generally, it’s stolen from a retailer or payment processor’s database, as happened when thieves last year broke into computers at CardSystems Solutions Inc. Luckily for the criminals, CardSystems didn't store just account numbers -- it even stored customer's secret codes that were never meant to be copied on magnetic stripes. Stolen "mag stripe" data is the holy grail for card thieves.
Then they take the stolen data and write it onto a new, blank card -- a card that's often plain white -- and they're off to the bank.
To show me how easy it was, two executives from MagTek Inc., one of the largest makers of credit card stripe readers, visited MSNBC.com and gave a demonstration.
Within minutes, I was withdrawing money from my account using a plain white piece of plastic at an ATM. In this case, I knew the PIN code. But, as last week's story explained, resourceful criminals are finding ways to derive PINs. This was only a demonstration, mind you, so everything was on the up-and-up.
But a visit from experts is hardly necessary to get started in white card fraud. Dan Clements, who runs CardCops.com, shared with me a magnetic card theft tutorial that's commonly found on Web sites operated by Internet criminals. The document is surprising both in its detail and its smugness.
"You must have certain mindset," the author, identified as jedimasterC, writes. "It takes charisma. It takes charm. If you're a pimply 16 year old wearing cut offs and a sleeveless shirt, do you honestly think that someone will believe you can afford a $3,000 computer system? It's possible, if you know how to act and what to say."
More from the tutorial in a moment.
The key: getting an encoder
Andy and Paul Deignan are brothers who both work for MagTek. Both came by to show me how easily thieves can manufacture scores of counterfeit cards. MagTek sells both card readers, which are seen in stores across America, and card encoders, which very few people should ever see. Encoders actually write information onto that mysterious piece of magnetic tape on the back of the card. Banks use them to create credit cards. Readers cost about $100. Encoders cost between $1,500 and $2,000.
Except on eBay, where stolen or salvaged encoders can sell for as little as $500. Armed with one, someone can create credit and debit cards that work exactly like the cards produced by financial institutions.
Magnetic strips may seem mysterious, but they're not. In fact, they are just like the magnetic tape you'll find on cassette tapes. Card readers and encoders are very similar to the "heads" you'll find on cassette recorders, Andy Deignan tells me.
For demonstration purposes, the Deignan brothers took my debit card, dropped it in an encoder, copied the data from the back, and handed the card back to me. Then they took a piece of white plastic, a second card, inserted that into the encoder, and essentially pasted my ATM information onto the second card. The process took less than 15 seconds.
The walk to the nearest cash machine took longer. Within a minute, I had taken a white piece of plastic and withdrawn $100 from my own checking account. Obviously, with slightly different data and a PIN number, I could have taken the money from someone else's account. With a database of stolen information, I could have withdrawn money from hundreds of accounts.
'Keep the fake stuff and your real stuff separate'
In fact, as jedimasterC makes clear in his document, anyone with magnetic stripe data, blank cards and an encoder can churn out counterfeit credit cards. Anyone with a PIN can make counterfeit debit cards and start withdrawing money from anywhere in the world. That’s what happened last week to thousands of consumers around the country.
We're going to omit much of the detail in jedimasterC's tutorial, but to give you a taste of how detailed it is, the author even recommends specific encoder models that would-be thieves should get. To have a portable manufacturing operation, he tells pupils to buy a briefcase to carry the equipment in, even a cigarette lighter power inverter so they can create counterfeit cards while in the car. And he recommends an extra wallet, so criminals can "(k)eep the fake stuff and your real stuff separate."
Criminals demand instructions
To create fake stuff, criminals do have to fork over at least a few hundred dollars for an encoder -- a small barrier, given that many are purchased with stolen credit cards. But there is one obstacle, the Deignan brothers say. The machines are normally castoffs from banks and retailers, so they rarely come with the appropriate cables, software and instruction manuals.
That's when MagTek hears from the crooks. Many are brazen enough to write to MagTek to ask for help.
In January, a writer using the name Dan asked MagTek for that kind of help.
"I have a MagTek ...and I need the documentation for it. When I try to access this information (on MagTek's Web site) it says that I need a login/password. Can you provide me with this or at least the documentation?" wrote Dan in early February. He even provided the model's serial number. When MagTek looked up the unit, it found the items was originally purchased by a financial institution. MagTek customer support then told the writer it would not provide a manual.
Dan then went on the attack.
"Are you saying that MagTek does not provide any support for resale hardware? Isn't this illegal?... I hope that the provided statement was a mistake and you can provide me with access to the documentation I need. Otherwise I will start legal action against MagTek," he wrote in one e-mail.
Then later on:
"I have no doubt that the corrupt government that exists will not do anything about your blatant violation of the laws in this country, I will still submit a complaint to the attorney general. I see no disclaimer on the unit that I bought. Therefore MagTek is in violation of the law. Of course, being a large corporation MagTek is exempt from the law," he said. "Your greed is surely destructive to any innovation."
Greed, it turns out, is a powerful motivator. While MagTek does what it can to make things hard on potential criminals like Dan, people manage to get the software and hardware they need anyway, Clements said -- normally by buying it from each other.
It's all about attitude
In fact, according to the tutorial shared by CardCops, creating the fake card is the easy part of magnetic stripe counterfeiting. JedimasterC spends most of his time in the tutorial explaining the attitude that's necessary to pass off a counterfeit card as real.
White cards can only be used in situations where a person is not involved in the transaction, such as an ATM or a gas station. Store transactions are a bit tougher, requiring plastic that actually looks authentic. Criminals can use their own plastic and rewrite the information on the magnetic stripe (a bad idea, JedimasterC warns), or they can buy prepaid credit cards and use them as "card stock."
Either way, committing crimes in person requires a certain mindset, the author says.
"You ARE the person on your ID. This is YOUR credit card. You are buying something you saved for. It is YOUR money you are spending," he writes. And in case something goes wrong and the card is denied -- most often, the account used to create the fake card has been called in as fraudulent -- jedimasterC has a plan.
"You will have cards declined frequently. I like to make the nice person at the register think it may be declined before I even use it. I'll say something like "Ohhh, I didn't think it was that much. I hope I have enough left to buy it! They will expect it to be declined and think nothing of it if it is."
Retailers taking extra steps
Retailers and processors have caught on to the widespread phenomenon of card counterfeiting and have made some small adjustments to their systems to combat it. Riders of the New York City subway are now required to enter their ZIP codes when swiping bank plastic to buy Metro cards. Many stores now force their clerks to type into payment terminals the last four digits found on the front of the plastic card, to make sure it matches the data on the magnetic stripe. Obviously, if they don't match, the card is fraudulent. Such checking does make a counterfeit thief’s life a bit harder.
But the cat-and-mouse game continues, and the criminals have a counter-measure. JedimasterC's file includes a list of stores that do this kind of fraud checking.
Clements says the tutorial written by jedimasterC really is old news -- he's had the information for 18 months, and the file is probably quite a bit older. Retailers and credit card companies have had time to implement upgraded fraud detection, which has reduced the amount of counterfeit credit card fraud, he said.
That's why the recent spate of stories of debit card fraud have him concerned. Since no human interaction is required, and cold, hard cash is the end result, he is one of many experts who believe debit card counterfeiting will only get worse in upcoming months.
"You can easily get these machines. The software you need to encode cards can be gotten easily. With the advent of compromised PINs, these guys are off to the ATMs,” he said. “Consumers and banks need to realize the bad guys have the data and plastic and can make ATM cards in minutes.”
Consumers should regularly check their bank account information and report evidence of fraud to their banks immediately. Consumers who don’t report debit card fraud within 60
days may not be able to recover the stolen money. MSNBC.com has more information on consumer rights and electronic transfers available here.