For most people, Thanksgiving marks the beginning of the Holiday season; a time to relax, spend time with family, or prepare for Christmas. However, a small minority see Thanksgiving and Christmas as the best time of year to take advantage of others through scams, schemes, or outright robbery.
And that’s exactly what happened over Thanksgiving 2011 to hundreds of Walker County families who found themselves victimized by debit card fraud.
Initial reports of fraud came in Wednesday November 23rd on the LaFayette Underground Facebook: Shortly after lunchtime, a reader posted “If you have used any cards at walmart to purchase things. You need to check your accounts I heard they got hacked and got alot of people’s info. The police said they got people’s info from using cards at walmart.”
Other readers echoed that warning, saying at least ten Gateway Bank customers had been impacted and were in line to cancel cards there. Cohutta Bank reportedly told a customer “there have been cards compromised from almost every bank in LaFayette.” That confirmation prompted the Underground Facebook team to warn readers to check their own banks. Many did, and most found suspicious activity in their accounts. A torrential flood of fraud reports quickly followed.
News outlets were initially dismissive of the problem (Channel 9 did a cursory report on the evening of November 23rd concluding nothing had really happened), and at least one local bank said it was a minor issue being “magnified” by Facebook. (For what it’s worth, LaFayette Underground will proudly take credit for bringing this problem to people’s attention.) By the time most heard of the problem, banks had already closed for Thanksgiving break – but even without official confirmation it was pretty obvious by Thanksgiving day that someone (or something) was stealing money from bank accounts of people living in and around LaFayette.
Lucky victims (if any victim can be considered “lucky”) had their debit cards deactivated when banks noticed unusual charges made on the Tuesday and Wednesday before Thanksgiving. Other victims had hundreds, even thousands, of dollars taken from their accounts through fraudulent debit card activity. Both types of victims were at least inconvenienced, finding themselves without access to money at gas stations, restaurants, and retailers – and some were left without funds for days waiting on bank refunds while bills went unpaid.
Many feel thefts were precisely timed to fall during Thanksgiving week. With people traveling across the country to visit family, unusual charges for out-of-town hotels, restaurants, and gas stations were less likely to raise banks’ suspicions. Many of the banks were additionally blinded by their limited Thanksgiving schedules, closing early on Wednesday the 23rd and not opening at all on Thursday the 24th. On top of that, many of the victims were saving up to do Christmas shopping, leaving more money in their accounts than usual for thieves to take.
To date, as this is written, authorities and banks speculate well over $100,000 has been stolen from at least 600 victims, almost all in Walker County with a few from Catoosa and Chattooga. Thefts have impacted customers from 17 different banks, and most victims have made transactions at the same store in the last few months. The majority of fraud activity happened in a four day period around Thanksgiving, but new victims and new incidents of fraud are still showing up into 2012.
Investigation of the incident has been turned over to the GBI and FBI. But after two months no law enforcement agencies – GBI, FBI, LaFayette PD, or Walker Sheriff’s Office – have provided exact answers to how, where, or when the thefts occurred and whether or not they’ve completely stopped. That leaves some residents wondering if they can safely shop at all in local stores.
|BANKS KNOWN TO HAVE CUSTOMERS AFFECTED|
|Bank of LaFayette, Regions Bank, Cohutta Banking Co, Bank of Chickamauga, Wells Fargo, Bank of America, United Community Bank, Covenant Bank, Gateway Bank, Tennessee Valley FCU, Northwest Georgia Bank (incomplete list)|
Thoughts about the theft’s origin have varied widely. Police officers informally told victims that Walmart was the source of the information, but no official announcement blaming that retailer was ever made. An early Walker County Messenger report quoted Walker Sheriff Steve Wilson blaming a “company that manufacturers credit cards for several of the banks” for the leak, but that laughable article was taken down shortly after it first appeared.
Over the next ten days, law enforcement officials said the thefts were “not connected to any particular store,” then blamed card processor Elavon, “a single retailer,” a “clearinghouse,” Little Caesars, Hardees, online retailers, local restaurants, and “cyber terrorism” in various conflicting reports.
Nobody in law enforcement or banking would officially discuss suspicions that the crime originated at the LaFayette Walmart. However, several banks denied the “card issuing source” theory and told reporters “scammers stole the information directly from a retailer.” Off the record, banks quietly cited Walmart as the likely source and even a few Walmart employees carefully warned customers about using cards there despite management refusal to comment about the thefts.
Since the authorities can’t or won’t do anything to reduce confusion, here’s a look at some things we do (and don’t) know about the wave of debit card fraud:
It’s Not the Banks
None of the victims’ banks are the cause or source of thefts. Involved banks range from small locals with one or two branches all the way up to multinational giants like Wells Fargo. The wide variety of institutions involved, each with different software systems, security policies, employees, and vendors, makes it impossible for this to have originated with all of them at the same time. About the only thing they all have in common is customers who have shopped in LaFayette area stores and restaurants.
If the banks have any responsibility, it’s for the ways each one responded to fraud reports and individual incidents. Some were johnny-on-the-spot, noticing unusual account activity early on and suspending cards as necessary to keep customers from losing money. Others slipped into denial and hid from the problem until it grew too big to ignore. Every bank bears the cost of refunding customer money, but few did an adequate job of contacting affected customers to notify them of card suspensions or tell them what to do in response to the thefts.
Bank of LaFayette President Henry Gi—–t said on December 4th his company had over 200 compromised accounts and “everyone has been reimbursed.” But several BoL customers complained weeks later that the bank had yet to refund any of their stolen funds while “sorting out” all the fraudulent charges, and some didn’t get replacement debit cards until January. If those claims are true, it’s a poor response compared to quick actions of competing chain banks.
It’s Not a Processor, Either
We’re equally certain (despite conflicting claims of law enforcement) that a central credit card processor or card manufacturer isn’t the source of leaked numbers, either. Most card processors handle transactions from all over the country, and there’s no company that only processes cards used in Walker County or Northwest Georgia. A processor hack or leak would have customers from all over the country involved, a few here and a few there – not hundreds all at once primarily from LaFayette. The same thing applies to companies manufacturing debit cards or card equipment. Any suggestion of a processor or manufacturer being at fault is just a distraction from the core issue.
Thieves Didn’t Use Numbers Directly
Transactions using stolen card numbers occurred in hotels, gas stations, restaurants, and various retail stores in Lawrenceville, Lithonia, Atlanta, Florida, Ohio, Idaho, Vermont, Arizona, New Jersey, California, Canada, Mexico, Brazil, Egypt, Pakistan, and dozens of other places around the world. That doesn’t mean thieves are international criminals, terrorists, or traveling the globe at record speed – it just means the people using stolen card numbers weren’t the same ones who stole those numbers in the first place.
The most likely scenario is whoever stole the numbers collected a good number of them, bundled them into packages of 25 or 50, and then sold the packages for a set price to others over the Internet. Criminal sites hosted in foreign countries work somewhat like a black-market eBay, where “trusted” vendors sell stolen card numbers for $30-$50 each, regardless of each individual card’s limit or bank balance. Buyers can resell information to others or record the numbers onto blank cards with embedded magnetic strips, similar to programmable hotel key cards. To bypass PIN numbers, criminals run the fake cards as credit – initially buying something small to check its validity, then buying big-ticket items until cards stop working.
The Monday before Thanksgiving, police in Woodstock, GA arrested 30-year-old Ben Achampong at a BJ’s Wholesale store trying to use stolen credit card numbers. Investigators there, who said Achampong had already gone on a spending spree, found 16 other stolen cards in his possession and located equipment for making additional cards in his home. The numbers belonged to people in four states, including Georgia.
We don’t know if that specific incident is related to the LaFayette theft, but even if it wasn’t, it is typical of what happens when numbers are stolen. Even though Mr. Achampong was arrested, the person who originally stole the numbers he used isn’t likely to be caught because the two probably never met face to face and payment for the stolen numbers would have been handled through an untraceable Web site.
Methods for Stealing Numbers
There are a limited number of ways to steal a stranger’s debit card information. Sometimes cashiers or waiters copy down numbers, but something a bit faster and more automated would be needed to get more than 600 numbers from the same area. Over-the-air theft also isn’t a possibility; RFID chips that “broadcast” information are only found in high-end credit cards, not debit cards.
That really just leaves two possibilities: card skimmers or a network security lapse.
Card skimmers are small devices installed inside or on top of the card-reader slots on ATM’s, cash registers, and vending machines. Skimmers read the magnetic strip on every card swiped and forward that data over WiFi or Bluetooth to waiting thieves. Some more advanced skimmers include tiny cameras or keypad overlays to capture PIN numbers for each card swiped.
Card skimmers have been in the news a lot lately, as technology has gotten smaller/cheaper and knowledge of how to implement them has become widespread. Last fall a slick skimmer was found on a Regions Bank ATM machine in Dalton, but that one (obviously) only impacted customers of one bank.
Several years ago three RedBox kiosks in Arizona and New Mexico were violated with bulky card skimmers. Only a few RedBox customers were impacted before those were detected, and the company contacted every customer to warn them about the risk. RedBox machines were then modified to make skimmer installation more difficult. LaFayette has two RedBox locations (Walmart and Kangaroo on Chattanooga Street) but both have skimmer-blocking features and neither is used by enough local theft victims to be a single source of the card breach.
On December 12th a 25-year-old UGA student was sentenced to spend six years in a Tennessee prison after confessing to stealing $150,000 last summer with skimmers in restaurants all over the southeast. Another ex-UGA student stole more than that with a single skimmer in an Athens liquor store where he worked. He fled to his native India in 2010, but police are still rounding up his accomplices. Neither instance fits the timing of LaFayette’s thefts, but what happened here could be comparable to (or even a copy of) either crime.
The most blatant example of card skimming happened in May 2011 at 80 different Michael’s Arts and Crafts stores around the country. In that case, people claiming to be repairmen actually swapped out cash register hardware with skimmers that stole information from thousands of customers during a three-month period. The company ended up replacing registers in 7,000+ stores just to make sure the problem had been taken care of. There’s no Michael’s store in LaFayette, but a similar scenario in one local store is highly possible.
Skimmers could have been installed at several local stores or in one single large store with multiple compromised cash registers. The store, or stores, involved would have to be fairly busy in order to capture 600+ working card numbers in a short period of time. Generally card skimmer scams end when the skimmers are located, but to our knowledge none have been found in any LaFayette stores – meaning thefts could still be ongoing (highly unlikely), the store(s) where it happened discovered a problem and didn’t report it, or thieves used some other method. None of those possibilities can be completely ruled out.
Computer Security Breach/Hack
The only other possible method is a computer security breach. That means someone might have hacked a single cash register, hacked into a store’s point-of-sale (POS) server, or somehow intercepted network traffic between the two points. A hack of that type would only be implemented at a single store, and the only store in Walker County with enough business to lose 600+ debit card numbers in a short period of time is the LaFayette Walmart – so if it was a hack, Walmart has to be the point of origin.
Network security lapses are nothing new for Walmart. In 2005 and 2006 developers coding software for the company’s global processing systems were hacked, giving Eastern European thieves access to information that could have made future network breaches easier. At the time years of customer data was stored insecurely, but afterwards Walmart began taking security more seriously – or claimed to, anyway.
Of course that wasn’t the last Walmart breach. In May 2010 residents of Greenville County North Carolina began experiencing unauthorized debit card transactions, with two area Walmart stores identified by police as the likely source. Authorities there also suggested a “credit processing center” could be to blame. Walmart was eventually cleared in that case but no source for the theft was ever identified, and six months later at least one more incident was connected to one of the same stores. The theft mirrors what happened in LaFayette: a surge of mysterious fraud with a small number of stores in common, law enforcement initially blaming Walmart and then an outside company, investigation turned over to the feds, and no culprits ever found.
A small number of LaFayette fraud victims specifically said they never shopped at the LaFayette Walmart. Those exceptions to the assumption could be unrelated thefts, or cases where a husband or wife used each others’ cards without communicating with their spouse. And since we don’t know exactly when the thefts originally occurred, it’s possible that a forgotten transaction from months earlier could have caused the breach.
Again, we don’t know for sure. Maybe a skimmer in any number of local stores, maybe a network breach at Walmart, maybe something else not considered. But those are the most likely possible scenarios – and at this point we’ve all given up on getting better answers from the authorities.
So Now What?
Some people proactively canceled debit cards to avoid having their numbers abused. In most cases it was unnecessary (or too late) but may have kept a few from being scammed. At this point canceling cards isn’t going to do anything; any debit card users who haven’t been affected probably aren’t going to be. If numbers were stolen and sold before Thanksgiving, most of the fraud that’s going to happen has already occurred. If by some slim chance numbers are still being collected, a new card is just as vulnerable to being ripped off as an old one.
The last round of thefts in LaFayette seems to be done, but debit card fraud is happening more and more often. It’s only a matter of time before this hits us again. The best way not to be a victim of the NEXT instance is to learn lessons from the last one.
The best advice for anyone concerned about debit card fraud is to reduce their usage of debit cards as much as possible. Cutting back card swipes lowers the changes of having a card compromised. Cash and checks are a hassle but safer than debit plastic – however carrying more cash might present opportunity to more old-fashioned thieves. (Consumer protection expert Clark Howard recommends eschewing debit cards entirely, in favor of credit cards that have more protection built in and aren’t tied to a checking account.) Those who do continue using debit cards are advised to be careful where they’re used, and avoid unprotected outdoor ATM’s and vending machines.
Everyone, regardless of debit card use, should carefully check bank statements or online banking on a regular basis and keep an eye out for suspicious or unauthorized/unrecognized activity. Banks caught a lot of fraudulent activity in November, but quite a bit would have gone unnoticed if not for media attention and Facebook discussion that led people to check for it.
Once fraud is found, impacted customers should notify their bank immediately. Banks will gather information to return the stolen money (with delays depending on each bank’s internal policies) but won’t automatically notify police. In order to help authorities track down the source of fraud, customers should also file a report with local law enforcement: LPD in the city or Walker Sheriff’s Office in the county. Some banks incorrectly told victims they would need to contact police where fraudulent transactions occurred (call the police in Pakistan?) but that’s not necessary for prosecuting whoever stole the numbers initially.
After the Thanksgiving thefts started getting attention, a separate scam broke out taking advantage of fear. Thieves called random people on the phone, claiming to represent various banks in need of account numbers, card numbers, and Social Security information. Banks did call people to notify them of account breaches, but no real bank would ever ask for personal information over the phone – especially when it’s information they already have. When in doubt, go visit the bank in person. Never give out personal information over the phone during a call you didn’t initiate.
At this point it’s pretty obvious we’ll never get help or clear answers about the Thanksgiving fraud from any authorities. The best protection and response is to use common sense: reduce debit card usage as much as possible, keep an eye on bank statements for fraudulent transactions, report anything suspicious to banks and law enforcement, and don’t let fear make you a victim of secondary crimes.
Fear isn’t necessary, and panic leads to making mistakes. But caution isn’t the same as blind fear; careful thought and planning can help reduce the chances of becoming the next victim and provide peace of mind during stressful situations like the one we experienced back in November.
…and that’s probably the last you’ll ever hear of it.