Gangs (23 page)

‘Nowadays it’s all electronic. If someone reports their card stolen it can be blocked from the system in a matter of hours, sometimes minutes. If the card’s hot then as soon as you use it you’re setting off a chain of events that brings you closer and closer to getting caught.

‘Virtually every high-street store has CCTV cameras fitted and it’s just impossible not to get caught on them. But even the biggest stores only keep their tapes for a week or two at most so the way to get round it is to make sure no one realises that you’re using a stolen card.’

The first solution Mary’s gang came up with was to move into cloning. Rather than stealing an existing card, they would copy its details and imprint them on to a perfect replica. Mary would then be ‘employed’ to pose as the original card-holder and go out on major shopping sprees. ‘With a stolen card you’re always worrying about the window of opportunity,’ says Mary. ‘With a cloned card you can pretty much relax. It hasn’t been stolen so no one is looking out for it. The first time most people realise their cards have been cloned is when they get their monthly statement through. The only thing you have to worry about is the credit limit.’

By the dawn of the new millennium, card cloning had become a massive industry worth more than £150 million each year. Hundreds of waiters, petrol-station attendants and hotel staff have been caught using hand-held scanners to ‘skim’ details from the cards they are given. Sold at the end of each working day for around fifty pounds each, the numbers are then used to produce cloned cards. Many of those involved had links to the Russian and Eastern European Mafias, who are heavily involved in this sort of activity.

ATM cards are equally at risk, particularly if the criminals are able to get hold of the PIN number. There are numerous incidents of scanning devices being attached to cash machines to record the details of the magnetic stripe while a member of the gang hovers nearby to catch sight of the PIN.

In October 2003 a gang of four men and two women from Romania was jailed for running a high-tech scam that introduced a new level of sophistication to credit- and debit-card fraud. Micro-scanners were fitted to the doors of indoor cash-machine lobbies so that when customers attempted to gain entry, their card details were recorded. The gang also fitted tiny cameras to the top surface of the ATM machines and beamed pictures of the customers typing in their PIN numbers to other gang members waiting nearby.

Although the gang refused to talk, detectives believe they were part of a far wider operation. All six were illegal immigrants and one theory is that they were being forced to carry out the fraud to pay off their passage to the UK.

But, lucrative as it is, card cloning is in decline. One reason is that most of the credit companies have automated computer systems in place that detect unusual patterns of spending. These can sometimes trigger alarm bells almost as soon as the cloned cards are used. Furthermore the old-style magnetic-stripe cards – perfect for cloning – are set to be replaced by more secure ‘chip and pin’ cards, a move that cut fraud by 80 per cent when it was introduced in France five years ago. Impossible to copy, the chips fitted to the front of all cards carry all the information that is currently on the magnetic strip but in a far more secure form. Rather than being swiped, the cards are read in special terminals, and rather than signing a receipt, customers will simply input their PIN numbers to authorise their transactions.

The move will raise the stakes for the fraudsters, but they have already made a start on taking things to the next level. Instead of merely stealing the details of someone’s credit card, the best high-tech gangs go a step further and attempt to steal their entire identity.

‘People just don’t realise how important their identity is, and how vulnerable it is,’ says Mary. ‘I know house burglars who say that people will buy safes and ensure all their cash and jewellery is well out of sight but think nothing of leaving old credit-card bills or passports lying around. It’s become so valuable that, for some of the guys I know, it’s all they go after. The beauty is that they can break into your house, take a few bits and pieces and half the owners will never even know. When the police arrive they will say the gang must have been disturbed because they didn’t take anything.’

Many people fail to take even the most basic security precautions. One survey of 2000 people found that one in three did not destroy bank and card statements, which contain account details.

But burglary isn’t the only way to get hold of such information. The computer whiz-kids working for Mary’s gang say any computer logged on to the Internet is a rich source of information from credit-card and bank-account numbers to passwords and billing addresses. Using this as a starting point for getting hold of personal details, the gang has made more than £300,000 in the past year.

And Bevan should know. In 1996 he and a friend were accused of almost starting the third World War from his bedroom after hacking into secure computer systems belonging to the US Air Force and defence manufacturer Lockheed. Bevan, who used the name Kuji, hacked into a research centre at Griffiss Air Force base in New York state and allegedly planted a sniffer programme to obtain further passwords. He was arrested and charged, but the case was dropped. According to former hacker Matthew Bevan, if the information is not there right away, you can install a programme called a ‘sniffer’ to find it. ‘A sniffer will sit there in the background and monitor the computer, recording everything that someone types into it, including all their password and address information.’ He now uses his skill to expose the shortcomings of computer companies around the world. ‘Websites that request bank details carry a padlock sign denoting a secure socket layer [SSL], but although they claim it is safe, that’s just not true. All it means is that the link between you and the company is encrypted. With a lot of companies, we hack over their SSL – the expectation that this is secure is a really stupid assumption. No one I know has an online bank account.

‘Although significant steps have been taken to try to combat online fraud, it is increasing at around thirty per cent per year. As we eliminate opportunistic fraud, we are left with a highly skilled “professional” class of fraudster, often linked to organised crime.

‘In the old days, there would be groups of kids using specialist programmes which generated random credit-card numbers,’ he adds. ‘Since the introduction of tighter security, the methods of obtaining numbers have also evolved. Today the criminals will set up a bogus but professional-looking website offering desirable goods at well below normal high-street prices. The would-be buyers will input all their details – including their billing address and security numbers – but when they try to purchase something, the site will tell them their card cannot be processed. People running the site will have collected the information they need. They sit on it for six to eight weeks, then use it fraudulently.’

Dozens of chatrooms and specialist sites exist where thieves and hackers swap the personal details of card-holders. The numbers are exchanged for cash or given in return for passwords allowing free access to websites that normally require payment. ‘Virgin’ numbers – those that have not yet been used fraudulently – are highly prized.

While some fraudsters try to get the maximum amount of money from the card in the shortest time, others adopt a more sophisticated approach. Knowing a large transaction will quickly be reported as suspicious, they use a number of cards and make small debits from each. Most bills are issued weeks after a debit is made and the criminals hope that, during that time, the victim will not recall all they have bought and assume the transaction is legitimate.

Another online option is to go ‘phishing’, the practice of getting individuals willingly to submit their genuine ID to bogus sites. One of the first companies to be attacked in this way was the Internet auction company eBay. Hundreds of thousands of emails were sent out at random, telling customers that they needed to re-enter their credit-card information or risk their accounts being shut down. Both the email and the website that was linked to it looked like the real thing and thousands complied, losing thousands of pounds in the process.

Another, more sophisticated means is to masquerade as a legitimate online bank with irresistible interest rates and reel in customers. Dozens of lookalike sites including barclays-private.com and eurocitibank.com – neither of them anything to do with existing banks – were shut down, having been used to garner ID details for fraud.

‘But there is only so far that you can get with basic credit-card information,’ says Bevan. ‘What we’re seeing more and more of now is people moving into creating whole new identities loosely based on an existing person or completely from scratch.

‘Often it’s a case of searching around on the Internet and picking up bits of ID on the way. If you have someone’s name and account number, guessing the password to their online bank account is often relatively easy. People most often use their date of birth as their numerical password, and their mother’s maiden name – the most common security question – is printed on everyone’s birth certificate and you can get a copy of that for just a few pounds.

‘With this kind of information it then becomes easy to pretend to be someone else. You can call the automated bank service and transfer money from their account. You can set up a whole new account in the same name and, provided it is kept in credit for a few months, apply for loans and credit cards. When the bailiffs come knocking it is on the door of some ordinary Joe who never even knew his identity had been stolen.

‘The Internet has changed everything but not in the way many people think. The information available through online sources was always available. There is nothing available now that wasn’t available years ago. It’s just that gathering the information is now much faster. You can do in a day what used to take weeks.’

The net also offers a host of opportunities to obtain bogus documents. High-quality fake passports, driving licences and birth certificates are all relatively easy to come by online. For anyone willing to spend a short amount of time looking there is a range of websites where you can buy duplicate documents on literally anything. The sites are shut down regularly by the authorities but reappear elsewhere in another guise.

Identity theft is believed to be the fastest-growing crime in the world – worth an estimated £1.3 billion in the UK alone – and Mary is a master of it. Armed with nothing more than a few bits of paper she boasts that she can walk in anywhere and convince people that she is who she says she is.

‘The store cards are the best, especially in the run-up to Christmas when they’re really busy. Normally these sort of places are strict about the sort of ID you need to sign up, but they know for a fact that most of the people who go shopping had no intention of getting a card when they left home. That means they are a lot more flexible. If you’ve got a couple of utility bills and a credit card with your name on it, you’re away with up to two thousand pounds of instant credit. You just go from one shop to another, sign up in every one and max out your limit. I’ve spent more than twenty thousand pounds in the space of a few hours like that. You go for digital cameras, portable DVD players and laptop computers – stuff you can sell on. It’s easy.’

Stealing a whole new ID is a slow and intricate process. The starting point is to get hold of some form of identifying document such as a bank statement or utility bill, which will also provide a name and address. Such things are by no means difficult to come by. A survey by the Experian credit-reference agency found that two-thirds of local authorities around the country had a problem with ‘bin raiding’ and that it was getting worse. In a further analysis of four hundred domestic bins, the agency found that almost three out of four contained a full name and address, four out of ten contained a credit-card number and expiry date linked to an individual, while one in five held a bank-account number and sort code alongside a name.

As well as earning money for themselves, identity thieves can cause havoc for the individuals whose details they steal. Credit can be rejected, bank accounts shut down and enormous debts run up all without the individual ever knowing. It can take years and cost literally thousands of pounds to put everything back in order.

In a bid to stamp out the problem, the Home Office has announced plans to introduce ID cards to the UK. But many fear that the cards themselves could become targets for ID theft. It would also mean that a thief would have to obtain only one item rather than a range of items to acquire absolute proof of identity. In the US, where ID is linked to one single point, a social-security number, there are now instances where identities are so thoroughly compromised that their true owners have to go so far as to declare themselves legally dead – a practice known as ‘pseudocide’.

Although identity theft mainly affects individuals, they are not the only targets for computer criminals. Finance companies and online banks are also being hit hard, often by hackers who threaten to cause havoc unless they receive substantial sums of money. Although such activity is believed to be commonplace, it rarely attracts publicity.

Soon after its launch in 2001 the police National High Tech Crime Unit commissioned NOP Research to survey leading organisations in the UK on hi-tech crime. The report confirmed what the police had known for some time – that businesses were reluctant to report online attacks to their systems because of concerns about their reputation with customers and shareholders.

Although almost all of the companies in the survey had experienced at least one incident of serious computer-related crime in the previous twelve months, only half had involved the police, typically where there was a need for an insurance claim or if a successful prosecution was likely. The police were usually a second choice to having outside security consultants fix the problems, and one in ten said they would not involve anyone outside the company at all. When Russian hacker Vladimir Levin tricked Citibank’s computers into paying out more than $10 million the bank was initially reluctant to allow the matter to become public, calculating that the media coverage would cost them even more in shares and customers.