



To catch a thief: Cyber sleuth edition

Nov 24, 2015 | 8 mins
Cybercrime, Data and Information Security, Security

Several bizarre coincidences led to the pursuit of a suspected fraudster in a shopping mall. It did not end well.

My wife and I recently returned from one of the best vacations of my life, bareboating around the British Virgin Islands with another couple, when I found we were victims of credit card fraud taking place on the other side of the country.

It was a lousy way to end a vacation. Worse, I had promised my wife and friends that I wouldn’t bring along my laptop or check my cellphone. Because I couldn’t look in on my bank account, the fraudsters were able to get away with the crime for almost a week.

My bank account was full of two dozen small, fraudulent transactions, mostly at the same three or four businesses in California, located about 40 miles from where we’d visited a few months ago. The transactions were on my wife’s debit card. She was still in control of the card, so we determined the card numbers and information had either been physically skimmed or stolen as part of a compromised batch from a physical or online vendor. Criminals routinely print counterfeit cards using stolen card info.  

Fraudulent transactions on a compromised card don’t cost you money, but I wasted hours documenting each transaction to get them reversed. I had to call the bank’s fraud hotline multiple times to report each transaction individually.

Along with many other questions, my bank asked if I would be willing to be involved in the arrest of whoever had been using my wife’s card number. I’m a security guy. I said yes. But I had no idea where it would ultimately lead.

The adventure begins

I set about with simple sleuthing. Each of the fraudulent transactions had occurred in the same town, and the fraudsters had bought items at the same place every day at the same hours.

They went to the same Starbucks every morning, the same convenience store for lunch, and the same drug store twice a day, followed by dinner at one of three spots. Every store transaction listed the store number — and that store number could be used to look up the street addresses.

I saw a bunch of mystery transactions beginning with “SQ *” — which I quickly realized meant Square transactions. I knew that the biggest users of Square are taxi and Uber drivers. My fraudster was taking Uber to these stores every day. After a little more searching, I found the Twitter and Facebook accounts of some of the Uber drivers along with their pictures. I even thought about contacting the drivers to see if they might help in the prosecution.

Now here’s the really crazy part: It turns out that, by complete coincidence, my next consulting gig was going to be in the same town where all these fraudulent transactions were taking place.

Hit the road

I flew out to California a few days later. My work with the client went along amazingly fast. I installed and configured what was needed in record time, finishing up early each day.

To get a little exercise, I like to walk to and from the customer work location when possible. One morning, as I was leaving my hotel — lo and behold! — one of the Uber drivers I had researched pulled up to my hotel.

I couldn’t believe it. What luck! After the passenger got out, I asked the Uber driver if he could take me to work. When we got to my work location, I started telling my unlikely story. But my driver barely spoke any English and seemed not to understand anything I said.

I let him go and sat there wondering if I could find my fraudsters. I had a few free days ahead of me, and I knew the exact locations where my criminals went like clockwork for breakfast, lunch, and dinner — and I knew they took Uber there.

As part of my job, I sometimes get involved with identifying specific hacking groups and, sometimes, specific individuals. Never had I met any of them face to face. In this unique situation, I had the opportunity to do just that.

Plus, I had a genuine curiosity to find out how they got my wife’s card. I wanted to know if someone they knew skimmed it or if it was just bought as part of a batch of cards for almost no money. It was an opportunity to be an investigative journalist — on my own behalf — and I decided to take it.

The stakeout

I sat outside the Starbucks all morning. I saw hundreds of people come through — a few of whom I thought could be using Uber. I looked for people getting out of the backseat instead of the front seat and looked for the little U displayed in the front window of Uber vehicles. In a few hours I figured I had two potential suspects.

Later in the day, I went to the convenience store where lunch had been charged every day. Neither of my morning suspects appeared. Discouraged, I went to the dinner locations where charges had been made, one each on a different evening. At first I didn’t see either suspect, but on the third night one of them, a woman, arrived at a dinner location along with two female friends.

I followed behind and was seated near them in the restaurant. I couldn’t understand everything they said, but I heard enough to realize they were talking about shopping. I watched as the main suspect selected among multiple credit cards to pay for dinner. I wondered if she would try to use my wife’s card.

I trailed them as they walked into the mall connected to the restaurant and went on a low-end spending spree — cheap items, but lots of them. I guess this was to avoid spending limits where the clerks may ask for ID. I could see them open up a big wallet with many credit cards. This normally would describe any person’s wallet, but in this case I knew they were using fake cards.

I watched as the person with all the credit cards bought a large soda, and they proceeded out of the mall. I looked around for a cop or mall security, but none were around. The first two women got into the car, and the third woman — the one with the credit cards — put her soda on top of the car as she loaded the last of her bags in the back.

The confrontation

I hadn’t really thought out what I was going to do at this point. I figured I would identify myself, tell my fraudster what I knew, and try to learn more about the credit card fraud. I felt like one of my heroes, Brian Krebs. Learning about how the entire process worked was more interesting to me than getting her arrested.

As the last person was getting into the car, I yelled out my wife’s name. The main suspect stopped doing what she was doing to listen. I explained why I was there and told her that I wanted to talk and learn how she got my wife’s credit card. The meanest look I’ve ever seen passed over her face, then she took her giant soda and threw it at me. The soda missed and crashed to the ground, spilling everywhere. She got into the car and took off.

In my deluded state, I was stunned that a professional criminal might not want to talk to me, a professional cyber crime writer. A little shaken, I sat there and realized I had classically, like in a bad movie, not taken down the license plate number. Even more surreal, a mall security guard cruised by on his Segway, unaware of what had happened.

The guard came back a few seconds later. I thought about sharing the whole story, but I quickly realized I didn’t have an iota of evidence that my main “suspect” was the right person. I simply happened to see her with a wallet full of many credit cards at two of the places on my list.

I also started to wonder what the security guard — or the police — might think of me “following” a woman all the way across the country and stalking her at multiple locations over several days without real proof. It would take days of further investigation to get evidence that would stand up in court — and I had already blown my cover.

So much for my brief stint as private investigator.

Lessons learned

Looking back, I’m most amazed that literally 20 minutes of Internet searching had given me enough information to rebuild a criminal’s last few days, pictures of the Uber drivers, and locations to stake out. It didn’t take warrants or real hacking, only a few searches.

I also found myself wishing that we had some sort of law enforcement that could do what I did for every credit card fraud case. With a little effort, many of the criminals could be caught and prosecuted by people who know how to collect and use legal evidence in the right way.

The main lesson learned is that it’s easy to find anyone, anywhere. We live in a world that describes all of us using location, transaction records, and openly available profile information. You don’t have to be a super sleuth, the NSA, or law enforcement to quickly find out a lot about people — and the legal or illegal things they do.


Roger A. Grimes is a contributing editor. Roger holds more than 40 computer certifications and has authored ten books on computer security. He has been fighting malware and malicious hackers since 1987, beginning with disassembling early DOS viruses. He specializes in protecting host computers from hackers and malware, and consults to companies from the Fortune 100 to small businesses. A frequent industry speaker and educator, Roger currently works for KnowBe4 as the Data-Driven Defense Evangelist and is the author of Cryptography Apocalypse.
