Skimming Stopped by Bank, MerchantsPay-at-the-Pump Scheme Launches 10-Month Spree
According to the criminal complaint, authorities believe the two men carried on their scheme for at least 10 months, compromising a minimum of 175 credit cards in central Florida.
Robin Miguel Corrales Castro, 35, and Silvio Leon, 38, co-owners of Simple Mobile, a small business that allegedly served as a front for their scheme, were arrested on charges of conspiring to produce, use or traffic in one or more counterfeit devices. Three more suspects, Ivan Malagon, Lazaro J. Corrales Castro and Federico Martinez, also were mentioned in the complaint, although their arrests have not been made.
The scheme was ultimately foiled by the criminals' brazenness. After multiple fraudulent purchases totaling at least $73,500 at area Target stores, the suspects were busted by banks' transactional fraud-detection systems and retailers' in-store surveillance.
In June, Chase Bank notified Seminole County, Fla., authorities after one of its accountholders was hit with charges at an Orlando Target totaling $73,577.27. In July, retailer Target confirmed fraudulent transactions had been conducted at several of its central Florida locations. In addition to Target, Best Buy, Home Depot and Wal-Mart also reported fraudulent activity.
When detectives with the Seminole County Sheriff's Office Financial Crimes Task Force and the Secret Service raided Castro's home, they found 1,000 Target gift cards that had been encoded with stolen card numbers. Police surveillance also caught Leon and Malagon, who is still at large, successfully completing purchases at Target worth $1,129.42; $2,644.33 worth of purchases, however, were declined.
Once merchants and card issuers started connecting the dots, it was easy to trace the scheme's steps.
In July, American Express confirmed $125,564.60 in fraudulent transactions linked to Target purchases. AmEx also identified the point of card compromise to be a Hess gas station located in the Orlando suburb of Winter Springs.
'They Got Greedy'
Robert Siciliano, a McAfee consultant and identity theft expert, says the criminals in this case dropped the proverbial ball. "This case shows that the masterminds in this weren't all that smart, scamming in their own backyards over and over," he says. "They got greedy."
See Also: Ransomware: The Look at Future Trends
But the fraudsters' greed does not veil the fact that skimming vulnerabilities linked to card fraud in the U.S. are growing. "Whether hacked, or in this case skimmed, account takeover with U.S.-based magnetic-stripe card data is just too easy a target for criminals not to go after," he says. "It's almost like they can't stop themselves from doing it."
Jeff Lenard, spokesman for the National Associations of Convenience Stores, says pay-at-the-pump skimming is an issue the convenience-store and petrol industries are taking seriously. In March, NACS launched its WeCare Decals, tamper-evident labels that aim to help retailers quickly identify potential security breaches. NACS also launched an awareness campaign that focuses on steps retailers can take to protect cardholder data at the pump. [See Skimming Concerns? Here's What You Need to Know.]
"Skimming should be a concern for anyone who accepts plastic," Lenard says
Lenard says retailers that sell fuel should focus on three key areas to prevent pay-at-the-pump skimming:
- Inspect pumps regularly to see if there has been any tampering;
- Secure the pumps so they are less susceptible to tampering - i.e. cannot be accessed with universal keys;
- Monitor any suspicious activity.
"NACS has developed a number of guides, as well as a video, to help retailers protect their businesses and minimize the risk of skimming at their stores," he says.