To Catch a Credit Card Thief

(Bloomberg Businessweek) -- When Chad Evans took a job in 2016 as manager of online investigations for retailer PetSmart Inc., he thought he’d be ferreting out small-time credit card fraudsters. But sometimes he catches glimpses of what may be larger, darker crimes.

Evans and his team spend their days in a squat Phoenix office building combing through online transactions to find suspicious patterns. He’s basically an internet mall cop, tasked with nabbing virtual shoplifters. Not every company has an Evans. Many websites accept fraud as a cost of doing business. But online fraud has soared in recent years—a side effect of the introduction of chip cards, which have made it harder for crooks to create fake cards to use in stores. This has forced many merchants to rethink their approach. Along with rejecting suspicious purchases, they’re tracing them to their sources and building cases against the perpetrators with police.

That’s why the 33-year-old found himself in a police car one day last year, parked down the street from a customer’s home on an all-day stakeout in Tucson. Weeks earlier, Evans and his team had spotted something weird. Several people had complained that their cards had been stolen and used to buy $400 Garmin Trashbreaker electronic dog collars. His security software determined the orders were linked, but they were being shipped to houses all over the country, including in Tucson. When the next order came in, Evans decided to follow it.

Evans called police departments around the country and told them what he knew. Locally, he worked with the Pima County Sheriff’s Office to set up a controlled delivery of the dog collar. When the recipient arrived home to pick up the package, police swarmed. Evans later spoke to him and learned that he was hired through a posting on Craigslist. Evans says the man was paid $20 to receive a package and ship it to a freight-forwarding center, which would combine his items with other shipments and send them overseas. Evans persuaded the man to share a list of everything he’d shipped for the service. “It was water filtration systems, duct tape, containment fences, tents, clothing, blankets, shoes,” Evans says. After seeing the list, he says, “we started thinking human trafficking and human smuggling.” Evans and his team began to compile documents and other data and presented the case at the FBI field office in Phoenix.

Scammers have been coming up with ways to cash in on stolen numbers since Diners Club introduced the first credit card more than 60 years ago. In the early days, thieves stole numbers one at a time, looking through trash and mail for receipts or bank statements that would contain the information.

But dozens of high-profile data breaches—like those at Equifax Inc. and Target Corp.—mean more consumers have to worry that their financial information is out there. Hackers place it for sale on the dark web, where identity thieves buy files containing dozens of names, addresses, and card numbers. The good news for consumers is that they’re rarely liable for fraudulent transactions, but they still have to worry about monitoring their cards for suspicious activity and deal with the inconvenience of getting a new card whenever one is compromised.

For years, fraudsters would take those numbers and print them onto blank plastic cards to use at brick-and-mortar stores. But in 2015, Visa Inc. and Mastercard Inc. mandated that banks and merchants introduce chip card technology, which generates new codes for each transaction that can’t be copied and stored by hackers for later use. The move helped cut the amount of counterfeit fraud in half, according to a report by Capco, a consulting firm.

Not all merchants benefited from the added security of chip cards. Those that take orders over the phone or online have seen fraud costs balloon. So-called card-not-present fraud is expected to cost retailers around the world $71 billion over the next five years, according to Juniper Research Ltd. “Fraud never really goes away,” says Justin Griggs, a senior vice president for product commercialization at payments processor Total System Services Inc. “These guys aren’t packing up shop. They’re just moving on to the next point where they find the most significant vulnerabilities.”

There are many ways online fraudsters can profit from their exploits. An increasingly popular one: The scammer will use a stolen credit card to purchase an item online and opt for in-store pickup. Then they’ll return that item for cash at a nearby location. Merchants are in a bind. When they beef up fraud-prevention tools, it can slow down the checkout process and hinder sales. The alternative: raise the risks for scammers by tracking them down and handing the evidence over to police. “There’s a righteous indignation amongst a small group of these merchants now,” says Brad Wiskirchen, chief executive officer of Kount Inc., which provides fraud-detection services to retailers, including PetSmart. “There’s more and more merchants now that are saying, ‘Hey, I’m going to stop him from ripping me off, and then I’m going to stop him from ripping anyone else off, too.’ ”

The bad guys do share criminal know-how, according to Steve Mott, a consultant to the payments industry. Using forums on the dark web, they’ll trade secrets about their luck with exploiting vulnerabilities at certain merchants. “They know the retailers that are lackadaisical,” says John Bode, a New York State Police investigator who’s focused on organized retail crime. “They’re watching the trends as much as we are.”

Evans says it took time to learn how to hand off his findings to police. “I’ve taken my lumps of being laughed off the phones, but I’ve learned how to present these cases,” he says. Updates on the case with the dog collars have been few and far between, but Evans says the FBI told him that Interpol is now investigating. “The message I try to send to my fellow merchants is that not all these guys are trying to feed a drug habit or want to buy these items for themselves,” Evans says. “They can be involved in something more sophisticated.”

To contact the editor responsible for this story: Pat Regnier at pregnier3@bloomberg.net

©2018 Bloomberg L.P.