**Warning** Credit Card Fraud

This is the article everyone really should read.
http://www.cbsnews.com/stories/2007/11/21/60minutes/main3530302.shtml

and watch the 13 minute video here:
http://www.cbsnews.com/sections/i_video/main500251.shtml?id=3538299n

From what I have read here from those who have been victims I have to suspect that this is how your credit card info was obtained by the bad guys. They are doing it at Best Buy and Home Depot so I would suspect that Disney World is also an easy target.

There really isn't much you can do right now except keep a close eye on your credit card bill and, if possible, check your daily charges online.

Here is a small excerpt from that article, it is a real eye opener:

When you swipe your credit card, your data is often transmitted through a wireless router either to a bank for approval or to the store's main computer. But the signal carrying your information bleeds easily through the walls.

Stahl got her first lesson in something called "war driving" from Kris Harms, a computer forensic investigator for Mandiant, a computer security company, who showed her how hackers, outside in a van, can grab the stores' wireless data.

"So you and I are in this parking lot, and we park in front of one of these big stores. We can just pluck it, is what you're saying, right through the wall," Stahl remarked.

"Absolutely," Harms replied.

All you need, he says, is a regular computer; the software he got for free. Within moments, Stahl and Harms started getting results.
 
I read recently that another very popular method of getting card numbers is to use cell phone cameras. Most people get their cards out early in a transaction at the store and hold it until time to run it through. Unfortunately, the habit with most people is to hold it by the corner or the top. All someone has to do is snap a quick photo when the numbers are visible and they have the info they need.

I always make sure to cover up the numbers with my hand whenever my card is out.
 
OR...a front desk CM could just hide a skimmer in their pocket (they're smaller than a pack of cigarettes) and not have to worry about "hit or miss."

1) I don't think it came from the Front Desk.
2) They run the credit card right in front of you.
3) It is not out of your sight, thus, there is no time to run through a skimmer.
4) Once processed, the full card number does not appear anywhere.
5) Just the last four digits.
6) If you only used the card at check-in, you need to look elsewhere.
7) The number did not get stolen from the Front Desk or Concierge Desk.
 

I was a victim of cc fraud last year and it's very disturbing. Since I used to work in the fraud department for a national cc I knew what to do such as put fraud victim alerts on all three of my cc's. One thing I haven't heard anyone doing is filing a complaint with the FTC.
(https://rn.ftc.gov/pls/dod/wsolcq$.startup)
I think it's important to do so, especially if they can determine a pattern throughout the complaints. It gives the authorities a better chance at catching some of these guys. Something else that helps when dealing with the cc companies is to file a complaint with the police. (Sometimes the police will do something, other times they won't but take the name of the officer and date and time to document that you called.) If you have a case number from both the FTC and the police then it helps speed things up with your cc company. The more info you have to fill out on the Affidavit, the better for you and the cc company. Hope some of this info helps someone out there.
 
Hard to say, but don't assume there is no skimmer just because you can't see one. A skimmer can be attached to the communication lines between the terminal and the computer/register. No second swipe necessary. It just skims the data it needs as the transaction occurs. The skimmer is small and can be under the counter, inside the gas pump, etc, etc. So, it is possible that you can get skimmed while using a legit terminal, even without physically handing your card to anyone. :thumbsup2

In fact, one big problem in SE Asia right now is that the skimmers are being placed on the communication lines, completely outside of the business. They are tapping the phone and computer lines and skimming as the merchant terminals conduct business with the banks.


1) I don't think it came from the Front Desk.
2) They run the credit card right in front of you.
3) It is not out of your sight, thus, there is no time to run through a skimmer.
4) Once processed, the full card number does not appear anywhere.
5) Just the last four digits.
6) If you only used the card at check-in, you need to look elsewhere.
7) The number did not get stolen from the Front Desk or Concierge Desk.

It looks like CDNmouse might be correct in saying it is someone "listening in" on the wireless signal. In today's time it is cheaper to equip each terminal with a wireless connection than to run actual wiring. Sometimes cheaper is not better.
 
I have been the victim of cc fraud in a few ways.

First, on my trip to WDW in 2002, a charge to a store in another part of FL. Quickly resolved, but didn't know about it until I checked my statement.

Second, a person broke into my car and stole my purse (in my garage) last year. I was stupid for thinking my purse was safe in my own car in my garage. They went through 20 homes in my neighborhood at night and stole from various cars outside and in garages but never went into the living area of a home (I live in an upscale housing development and they cased the area during our annual community garage sale). Wal Mart woke me up at 630 in the morning to tell me someone was trying to be my husband. I killed all my cards within 20 mins. It ended up that over a 2 week period these gang members victimized over 50 people in 4 towns in my area. It would make you sick if I told the whole story.

Third, last month, a charge for printer cartridges in Orlando for over $2000:scared1: . Printer cartridges! The cc company called me right away and denied the charges beforehand. Not sure how this person got my info, wish I knew.
 
1) I don't think it came from the Front Desk.
2) They run the credit card right in front of you.
3) It is not out of your sight, thus, there is no time to run through a skimmer.
4) Once processed, the full card number does not appear anywhere.
5) Just the last four digits.
6) If you only used the card at check-in, you need to look elsewhere.
7) The number did not get stolen from the Front Desk or Concierge Desk.
It would be nothing to swipe the card twice right in front of the customer without it being noticed. It happens every day in the real world. I have seen it done right in front of experienced bar managers, who knew about skimmers, knew a particular employee was using one, were watching the employee at the time...and they still missed it!

In fact, there is one technique with the skimmer which has the card-holder swipe their own card into the skimmer "for verification."

"...there is no time to run through a skimmer." It takes one second. How many times have you seen someone swipe a card once, and then swipe it again? Did it not read correctly? Or were they really doing something else? Are you sure?

The card number, by itself, is virtually worthless...and has been since the 1980's. But the skimmer captures ALL of the information on the magnetic stripe, including the security devices encoded there. That's what's valuable to a credit card counterfeiter -- the whole package. Nobody cares about the card number.

With regard to eavesdropping on wireless signals -- if in fact, DVC uses wireless for those transmissions (which I doubt) -- that would NOT yield the info needed to counterfeit credit cards, which is the whole purpose of the exercise. Eavesdropping is theoretically possible -- as is hacking the resort's computers -- but that's NOT where the money is in credit card fraud.
 
By the way, it's pretty widely known in law enforcement circles that Disney has a very serious problem of employee involvement in major, organized credit card fraud rings. I'm talking about rings that do millions of dollars of fraud a year.

With the turnover Disney has, and the sheer volume of credit card transactions, it's inevitable that they would have a major problem. Disney does as good a job as anyone could expect in trying to prevent the fraud, but it's a huge problem. Don't forget that a lot of the fraud is committed against Disney itself, and all those chargebacks come right off their bottom line, so they work hard to reduce it as much as they can.
 
It would be nothing to swipe the card twice right in front of the customer without it being noticed. It happens every day in the real world. I have seen it done right in front of experienced bar managers, who knew about skimmers, knew a particular employee was using one, were watching the employee at the time...and they still missed it!

In fact, there is one technique with the skimmer which has the card-holder swipe their own card into the skimmer "for verification."

"...there is no time to run through a skimmer." It takes one second. How many times have you seen someone swipe a card once, and then swipe it again? Did it not read correctly? Or were they really doing something else? Are you sure?

The card number, by itself, is virtually worthless...and has been since the 1980's. But the skimmer captures ALL of the information on the magnetic stripe, including the security devices encoded there. That's what's valuable to a credit card counterfeiter -- the whole package. Nobody cares about the card number.

With regard to eavesdropping on wireless signals -- if in fact, DVC uses wireless for those transmissions (which I doubt) -- that would NOT yield the info needed to counterfeit credit cards, which is the whole purpose of the exercise. Eavesdropping is theoretically possible -- as is hacking the resort's computers -- but that's NOT where the money is in credit card fraud.

Card swiping is very fast; however, from the investigator's side it is easier to discover the pattern and eventually who the suspect is. If it was the front desk person who was doing this the pattern would soon be discovered. I would be naive to think that this has not happened but this would not be the method currently used by major credit card rings.

I would hope that Disney has secured their wireless network and is not using WEP. If you had a chance to watch the 60 Minutes video that I linked to, you see that many large corps still have not secured their network by replacing WEP, and in fact some are still installing WEP networks today.

Looking back at the posts of those who have posted about their CC being compromised there is a pattern. They have used their CC at just a few locations: Disney check-in, Hess gas stations, and I believe a few local restaurants. I would have to suspect that one of these locations is still using a WEP network for credit card charges.
 
We never leave a credit card on file, because we never charge anything to the room.

Is it as simple as flat out saying "no" whenever we check into a prepaid hotel stay and inevitably the front desk person would ask for a CC for incidentals? I guess I have never thought to do this but it absolutely makes sense especially when we are always careful not to have any "incidental" expenses! :idea:
 
Card swiping is very fast; however, from the investigator's side it is easier to discover the pattern and eventually who the suspect is. If it was the front desk person who was doing this the pattern would soon be discovered.
Yes and no. You have to remember how these crimes are usually discovered.

100 guests have their cards compromised at WDW. They go back home, scattered all over the US, Canada, worldwide really. They get their credit card bills a few weeks later, and freak out when they see a lot of charges they didn't make. They call the credit card company.

The credit card company sends them a fraud affidavit which they fill out and return. The charges go away. If anything, the credit card company will tell them they can report the theft to their local police agency. If they do, the police correctly tell them the credit card company has taken their place as victim in the case, and the credit card company is the one who will have to file a police case. So there is zero investigation.

The victims are scattered all over the place, and no one will see the pattern. The credit card company won't even look for a pattern; they'll just charge the fraudulent charges back to the merchant and move on.

The only time you'll have any investigation in this kind of case is if Disney security is notified. They will investigate, and when they do, the patterns will be easy to spot. They'll confront the CMs involved, flip them to identify people higher up the food chain, and then go to the Orange County Sheriff's Department or the U.S. Secret Service who will take it from there. But that's a very rare occurrence. Very rare.

I would be naive to think that this has not happened but this would not be the method currently used by major credit card rings.
We always want to look for the techie answer. I mean, after all, we saw it on CSI just last night! :rotfl2:

But the vast majority of credit card fraud is committed in one of two ways -- skimming, or in-house compromise within the credit card companies themselves.

I don't know what your investigative experience is. Maybe your experience in actually investigating these kinds of crimes is different from mine.
 
Is it as simple as flat out saying "no" whenever we check into a prepaid hotel stay and inevitably the front desk person would ask for a CC for incidentals? I guess I have never thought to do this but it absolutely makes sense especially when we are always careful not to have any "incidental" expenses! :idea:
Yes. Room billing is an option. If you are not going to use it, there is no need to leave a credit card at the front desk.
 
JimMIA,

So are you suggesting that if we are vics of CC fraud and that we are pretty sure it happened at Disney that we should not only call our CC company to get the charges worked out but that we should also call Disney so that they can investigate? That sounds like good advice to me. I'm sure Disney would like to stop this from happening as much as possible. Should we still call even though we cannot "prove" it occurred at Disney and let them know that we are just assuming it did? How do you think Disney would respond to a report like that?

Thanks for sharing your knowledge with us.
 
JimMIA,

So are you suggesting that if we are vics of CC fraud and that we are pretty sure it happened at Disney that we should not only call our CC company to get the charges worked out but that we should also call Disney so that they can investigate? That sounds like good advice to me. I'm sure Disney would like to stop this from happening as much as possible. Should we still call even though we cannot "prove" it occurred at Disney and let them know that we are just assuming it did? How do you think Disney would respond to a report like that?

Thanks for sharing your knowledge with us.

I have had mixed response from Disney security regarding CC fraud. One agent seemed very interested and referred me to the correct group. The agent from that group said that there wasn't anything they could do. :confused3
 
Yes and no. You have to remember how these crimes are usually discovered.

Hi Jim,

Oh yes, I do know how they are discovered.

We always want to look for the techie answer. I mean, after all, we saw it on CSI just last night! :rotfl2:

LOL, now I know there is a reason I don't watch shows like CSI. Besides this would be way over the head of most forensic guys. ;)

But the vast majority of credit card fraud is committed in one of two ways -- skimming, or in-house compromise within the credit card companies themselves.

I don't know what your investigative experience is. Maybe your experience in actually investigating these kinds of crimes is different from mine.

Sounds like we may be in the same line of work, just on different sides of the border. While we may not agree on what is the biggest CC security threat right now I believe we both are aware that credit card fraud continues to be committed.

WEP security is a major problem. Corps are aware of the issues but choose in many cases address this problem.

Be safe,
Gary
 
JimMIA,

So are you suggesting that if we are vics of CC fraud and that we are pretty sure it happened at Disney that we should not only call our CC company to get the charges worked out but that we should also call Disney so that they can investigate? That sounds like good advice to me. I'm sure Disney would like to stop this from happening as much as possible. Should we still call even though we cannot "prove" it occurred at Disney and let them know that we are just assuming it did? How do you think Disney would respond to a report like that?

Thanks for sharing your knowledge with us.


You would need to call your credit card company and dispute the charge with them right away.

If you believe your credit card has been compromised tell the credit card issuer so that they can take necessary steps.

If you believe that your card was skimmed by a CM working the front desk let Disney know as well. While I believe it would be rare that a CM has or is doing this it can happen in any business.

As others have mentioned the charge will be for some online service, or used to purchase items at malls and electronic stores that can be resold.

When a dispute is filed the store that sold the goods and services will receive a charge back charge from the credit card company. They do have an opportunity to dispute the charge back but many don't.

As Jim has mentioned, often nothing more will be done. This is because the store that received the charge back sucks it up as part of doing business and the fraud is not big enough for the issuer to investigate.

If the credit card issuer notices a pattern they may enter into an investigation.

Gary
 
Very interesting thread that covered CC security from Skimming to Network encryption (WEP)

Skimming is definitely the easiest and fastest turnaround theft being used for Credit Cards -- your exposure is highest there -- following most people's recommendations to check your statements monthly is the best action.

Network hacking is riskier because the hacker has to be close enough to the signal to hack it - and in Disney's case with all the cameras around -- you will eventually be seen, even if you can crack WEP in less than 4 minutes (see DEFCON)

Your fancy phones with their Bluetooth capabilities are continuously transmitting for potential connections to wary "listeners" - hope you don't have any personal or banking info on your phone -- Bluetooth hackers can hack your phone, send messages and call numbers while your phone is in your pocket...(Airports and coffeehouses pose the greatest exposure)

I turn my BT off, check my statements monthly, and use WPA or WPA2 for my wireless.

Mule
 


















