Catching a Credit Card Thief is Near to Impossible

How does this article fit into Angry Bear’s typical offering? It doesn’t really or it does if you believe it to be an issue of economics, personal economics, and education. An education to be careful how and where your credit cards are used.

My rule(s) of thumb. If it takes too long to process a credit, ask questions about there being a problem. If the person leaves the area from where you can watch them transact the purchase, there should be an explanation for doing so. Ask questions. Yes, paranoia about spending the next week few months safe guarding your credit and cards, etc. does strike deep. Typically, a normal transaction happens quickly. KEEP the RECEIPTs too.

I am not going to print the entire article. Too many active parts to it which I can not recreate. It is a long and worthwhile recital.

Hacker Stole My Phone, Credit Card, Identity. I Set Out to Find Them, business insider, Avery Hartmans.

My phone, my credit card, my hacker, and just me were holding the bag so to speak. Verizon, Chase, the police were all useless in fixing my stolen identity. Then Psycho Bunny came to the rescue.

t was a Friday in July when I first noticed something seemed off. I was spending some time with my family on a gorgeous summer day, swimming and drinking beer, and ignoring my phone as much as possible. When I finally checked my notifications, I had two alerts from Verizon. Both contained authorization codes, the kind of security measure they take when you make changes to your account. There was also a receipt from Verizon for $0 and a message thanking me for activating my new device.

AB: This is where my wife says I am paranoid. Yep, when I see strange messages, I start to look to see what causes them. I do not like people close to me either as the environment around us has changed. We appear to be vulnerable . . .

I immediately checked my Verizon account, but nothing seemed amiss. The receipt seemed like a glitch, as if Verizon had belatedly billed me for the phone, which I’d activated four months prior. In hindsight, I should have been more suspicious. I should have called Verizon right away. But why would I want to spend the day in customer-service hell when I could spend it on a boat?

The next morning, though, something else strange happened. When I went to send a text, I realized I didn’t have service. I tried flipping cell service on and off, restarting my phone — nothing. I couldn’t text and I couldn’t make calls. I asked my fiancé to check for a local Verizon outage, but nothing turned up. I wondered whether maybe I was just in a dead zone, but I’d never had this problem before. And then I started to feel that slowly dawning sense of dread.

Price had published a terrifying story about hackers who waged a campaign of harassment and intimidation to steal Instagram handles and other coveted usernames on social media. Tucked into the story was a phrase I hadn’t heard before, a type of hack I’d had to look up:

SIM swapping.

In a SIM swap, the hacker doesn’t need to physically steal your SIM card. The thing in your phone identifying it as your phone. They just pretend to be you and persuade an employee at your telecom provider to activate a new SIM card for them, using your phone number. Once that happens, your phone immediately loses service. The hacker can now use your number to wreak havoc on your life. They can send messages to others pretending to be you, intercept texts from your bank, and even reset your passwords to lock you out of your own accounts.

SIM swapping hasn’t been around long. It started in about 2018 as a way for gamers to steal other people’s cryptocurrency, which is pretty easy to do once you have full access to someone’s phone. But now, experts say, the crime has become more pervasive — and far more organized. In 2021, the FBI reports, SIM swaps robbed victims of more than $68 million. “You could think of these people as petty thieves,” says Allison Nixon, the chief research officer at Unit 221b, a cybersecurity firm. “But after 2018, these are petty thieves that became millionaires.”

I borrowed a phone and called Verizon, which confirmed I’d been SIM swapped. While I was vacationing in western New York, more than four hours away, the hacker had shown up at a Verizon store in Columbus, Ohio, pretending they were me, complete with a fake ID. They told a store employee their phone had been destroyed and asked to use my phone number to activate an older iPhone they’d brought with them.

That strange $0 receipt the day before came to mind. I checked the store address at the bottom. Sure enough, it was from a Verizon store in the Columbus area.

I was floored by how easily someone could steal my phone; surely it must have been a major screwup on the part of the store employee. But when I spoke with higher-ups at Verizon, they explained that actually, their device-activation process had worked precisely the way it was supposed to. When two-factor authentication isn’t possible — like when a phone has been lost, stolen, or destroyed — an ID card will suffice. All the hacker needed was a knowledge of the glaring loophole in Verizon’s security, a phony piece of plastic, and a little chutzpah.

Verizon immediately deactivated the phone that belonged to the hacker and reinstated mine. But the employee I talked to warned me that this was probably just the beginning of the scam.

It turned out he was right.

Once the hacker had control of my phone number, they didn’t waste much time. They left the Verizon store and went to a nearby Apple store, where they used my Chase credit card to spend $6,370. Then they drove to a mall across town to shop at Gucci, where they made two separate transactions totaling $2,956. They finished at a clothing store called Psycho Bunny, where they spent about $452. All told, they racked up nearly $10,000 in purchases on my card in just a few hours.

The next morning, perhaps testing their luck, they tried to make another purchase at Best Buy. But this was after I’d spoken with Verizon and locked my card. So they just opened a Best Buy credit card in my name instead.

AB: The author has a rather neat program in this article which shows the location of each transaction in Columbus, Ohio. I can not duplicate it at AB. You will have to reference the article to see it.

Still, something about all the transactions kept bugging me. I noticed that the hacker never logged in to my Chase account or my social-media accounts. They just racked up charges on my card. I couldn’t figure out why they needed my phone number in the first place.

But when I scoured my text logs, I realized what they were up to. Chase, aware that I don’t typically spend $10,000 in a single afternoon, sent out fraud alerts via text each time the hacker tried to make a big purchase. I could see in my text logs that each time a fraud alert came in, the hacker used my phone to respond, allowing the charges to go through.

That mystery was fairly easily solved. But there was something else I couldn’t figure out: How did the hacker make so many purchases on my card in the first place? I could see in my account that the charges had occurred at physical stores, not online. The hacker never logged into my iCloud account to set up Apple Pay. My credit card was safely in my wallet the entire time.

I decided to call each of the stores where the hacker went shopping, to try to figure out what happened. I tried Gucci first. A representative at a central Gucci switchboard informed me Gucci does not have telephone numbers for its individual retail locations. The only way to learn more about how the purchase was made would be to visit the store. Given that I was back home in New York City, more than 14 hours away, I decided to try my luck at Apple.

Apple was equally unhelpful. A store employee politely informed me that unless I knew exactly which items had been purchased, there was no way he could look up information about the transaction, even though I knew the total amount spent, the card number, and the date and time of the purchases. The employee said there was another option. He’d be able to hand over the full receipt, no problem — as long as the police requested it from Apple’s legal department.

I decided to give it one last shot with Psycho Bunny, a menswear retailer whose logo is a rabbit skull and crossbones. A helpful store manager looked in the store’s system and confirmed that yes, someone who said their name was Avery H. had made a purchase of $452 using my card number. The shopper had even supplied a phone number that was one digit off from mine, the manager said. Unfortunately, that was the extent of the information she had.

Disheartened, I hung up. I was not any closer to finding out how the thief was in possession of my card.

Then, about 15 minutes later, my phone rang. It was the store manager, calling back. She and her team had decided to go through the security footage from the day the purchase was made, and they’d found footage of the thief standing at the store counter. She asked me to describe what I look like.

“Yeah,” the manager said. “The person I’m looking at here is basically the exact opposite of you.” The thief was a woman, but she was wearing a hat and a face mask when she made the purchase.

I asked the store manager whether she was able to see how the thief paid for the items.

They used a physical credit card,” she told me.

AB: The story is not over yet. Even though Psycho Bunny (store) realized the credit card thief did match the physical description of Avery (author), they still could not stop the thief. And the question arises, how did they get the credit card?

The main part of this story? You really have to be on guard when you see or sense strange things occurring. Ask questions. If they leave the area with your card, they should offer a reason first. If they do not offer a reason why it took so long. Ask why? I had left the table to use the Men’s room. A few minutes I was back and we were still waiting for the waitress to return from being out of sight. My wife had used our Debit Card. The next day there were charges. It took a couple of months to get things sorted out. A pain . . . .