1/24/2011 12:30 PM ET|
Secrets of a former identity thief
Dan DeFelippi was the sort of criminal you worry about -- a, smart, savvy, nearly invisible fraudster. Here's his advice on how to protect yourself from people like him.
We've all heard the standard tips about preventing identity theft and credit card fraud. But what would a real identity thief tell you if he had the chance? Dan DeFelippi, who was convicted of credit-card fraud and ID theft in 2004, says simply this: You can't be too careful.
DeFelippi, 29, mostly made fake credit cards with real credit card information he bought online. "I would make fake IDs to go with them, and then I'd buy laptops or other expensive items in the store and sell them on eBay," he says. DeFelippi was also involved in several other scams, including phishing schemes that exploited AOL and PayPal customers. Committing credit card fraud is still "ridiculously easy to do," he says. "Anyone with a computer and $100 could start making money tomorrow."
After his conviction, DeFelippi faced eight years in prison, but under a plea deal he agreed to perform community service and pay back more than $200,000 in restitution. He also worked for the U.S. Secret Service, helping infiltrate the online underground and training agents in the latest fraud techniques. His help led to the arrests of as many as 15 people over two years. Today, he's a Web developer at a graphic design company in Rochester, N.Y. He agreed to take an hour with CreditCards.com to share his story and his top tips on how to protect yourself.
Q: How did you get started?
A: When I was in middle school and high school, I was into what I would call innocent hacking. I wasn't trying to be malicious or make money. I was just interested to see what I could do. In college, I started selling fake IDs to make a little extra money. I was pretty active in online chat rooms where people would talk about this stuff, and I began to realize there was a whole world of credit card fraud where I could make a lot of money with very little effort. From there, it was just a huge downward spiral.
Q: You said you bought credit card data online. Tell me about that.
A: Every credit card has magnetic stripe on the back with data on it. There are people out there who hack into computers where that data is being stored. There are also people like waitresses and waiters with handheld skimmers who steal the data that way. Then they sell the data online. I'd pay $10 to $50 for the information from one card. Then I'd use an encoder to put that data on a fake card, go into a store and purchase stuff.
Q: Do identity thieves like some credit cards better than others?
A: Well, a lot of American Express cards have no set limit, so you'd be able to buy a lot more. However, the downside is that a lot of merchants require more security for American Express than for other cards. They may ask you to enter the four-digit code on the front of the card or your ZIP code. That information usually isn't in the magnetic stripe information. So if a card is skimmed, if someone has its magnetic stripe information, they would still need the number on the front or your ZIP code to commit fraud.
Q: What about debit cards?
A: I always recommend against them. With debit cards, it's your real money in your bank account you're playing with. So if someone gets your debit card information and uses it, your cash is gone until you fill out a lot of paperwork and persuade the bank to give it back to you. Credit cards are much better at protecting you against fraud. And if you're worried about debt, you can always pay them off every month.
Q: What's your No. 1 tip on how consumers can protect themselves?
A: You've probably heard this before, but the most important thing really is to watch your accounts. And I don't mean just checking your statement once a month. If you're only checking your statement once a month, someone can start using your card at the beginning of the billing cycle, and they can do a lot of damage before you catch it. You're talking thousands of dollars, and it will be a lot harder to catch them and dispute it. I use Mint.com, which is a free aggregation service that allows you to put all your accounts on there and monitor everything at once. I check that every day. It's also a good idea to check your credit report at least twice a year to make sure no one has stolen your identity.
Q: Is online shopping safe?
A: You've got to be careful. It is really easy to create a fake online store or to create a store that sells stuff, but its real purpose is to collect credit card information. I'd try to stick to reputable sites or at least to sites that have reviews. A lot of times they'll create these stores that sell things that are widely searched for at prices that are incredibly low. If a deal is way too good to be true, it's probably a scam and they just want your information. The more information a website asks for, the more you need to be certain that this is information they really need and it's a legitimate site. Also, don't buy anything from somebody e-mailing you, no matter how good the offer sounds. If a company is sending you an ad through e-mail and you've never heard of the company, don't buy anything from them.
Q: How did your phishing scams work?
A: People are much savvier now. Back when I started, it wasn't that common. I was getting thousands and thousands of responses from single mailings. The first one I did, I targeted AOL users, because I thought they would be less computer literate and more likely to fall for my scams. We said, "Your credit card information has expired. Come to this site and update your information or your account will be closed." I did something similar with PayPal. I sent an e-mail that said, "Someone has accessed your account. We've locked your account. Please click here to access your account." We'd link them to a fake website and they'd give us their PayPal log-in information. Then we'd say, "For security purposes we've removed your account information. Please re-enter it."
Q: Where did you get the e-mail addresses for your phishing schemes?
A: There's software that allows you to harvest them from anyone who has posted their e-mail addresses online, so don't ever put your e-mail address on a website. If I was targeting a specific group, I'd try to find e-mails for that group. For the PayPal scam, I was trying to find people around my age or younger, so I targeted colleges and universities. I looked for ones in Massachusetts because I could make fake IDs from Massachusetts. As part of the scam, I'd get their date of birth, address, Social Security number and driver's license number. Then I could make a fake ID that had all accurate information on it. The only thing that wouldn't be real would be my picture. It's kind of scary how much information I could get.
Q: What other mistakes do consumers make on the Web?
A: When you're using your computer online, it's sending data back and forth between your computer and website. If someone gains access to that connection -- it's called sniffing -- they can capture the data between you and the website you're communicating with. That's the reason it's so important to access secure websites if you're putting in any sensitive data, so look for "https" in the Web address. A more recent issue is the free wireless offered all over the place. If you're using an open Wi-Fi connection, you should pretty much have the expectation that there is no security.
Q: What steps do you take to protect your own data online?
A: All financial services companies have two-factor authentication. So you typically have to put in a password plus something else. A lot of banks use questions, but that can actually give you a false sense of security because you can find out a lot of information about people online. So maybe this is extreme, but for those questions, I make up stuff. I don't put in my real information. For example, a common question is: "What city were you married in?" Well, I'm not married, but I'll answer that question so there's no way anyone could possibly know the answer. I try to make sure at least one of the questions has a made-up answer.
Q: What's your advice on using ATMs?
A: ATM skimming is the big thing right now because it's cash, and cash is king. Basically, that's where someone puts a card reader on the ATM machine, captures your PIN, then goes and drains your bank account. The skimmer device goes over the card slot, and it's designed to look like part of the ATM. Some of the equipment now is very good and it's hard to tell the difference between that and a real machine. So what you need to do is try to use the same ATM every time, and watch out for anything on the machine that looks out of the ordinary, especially something stuck on the front where you put your card in. Generally, I like to use ATM machines at banks rather than convenience stores or a bar or club. There have been incidents where thieves installed their own ATM machines in places with skimmers inside them. That's much less likely to happen at a bank.
Q: Is there more the banking industry could do to protect us?
A: The biggest thing they could do is get away from using magnetic stripes. They aren't that secure and anyone can get a magnetic stripe reader (a skimmer) for $5 to $10. The smart chips that are widely used in Europe and internationally are much more secure and harder to hack. They offer near 100% protection against fraud, at least from a skimming point of view, and they also require a PIN. But the credit card companies have done the math. They think people will use their credit cards less often if they had to put in a PIN. It might eliminate a lot of the fraud, but there would be less card use and they would end up losing money. So they're actually doing just the opposite, moving to a system where you can just have your credit card in your pocket -- you don't even have to swipe it to use it. The problem is, that's very unsecure. Anyone with equipment can sit out in their car and pick that up.
Q: How did you end up getting caught?
A: I went to Best Buy with a guy I was working with locally to buy a laptop, and the manager there was pretty well trained. When he swiped the card, he asked for my friend's ID. Most stores don't ask for ID. My friend gave him his fake driver's license, but then when the manager swiped the credit card, it came up "Call for authorization." A call for authorization, if you're trying to commit credit card fraud, is really bad; it means the credit card company has seen suspicious activity. The manager said he needed to go to the front desk to finish processing the order. As soon as he left, we walked as quickly as possible to the exit and left the store. The problem was, my friend had given the manager his fake ID with his picture. They ran it on the news and caught him. He told them the whole story, so they ended up catching me, too. I really was better off getting caught when I did. I was lucky I didn't go to prison. Under the guidelines now, I'd probably have to serve at least two years. So anything I can do to help people now, to help compensate for what I've done, I'm trying to do.
This article was reported by Michelle Crouch for CreditCards.com.
VIDEO ON MSN MONEY
I supposed it's good that this guy is sharing his "secrets" and if that prevents some of this stuff from happening, great. All the same, I'd still like to hit this smart guy in the head with a baseball bat. These guys that abuse the system and the rest of us who are out trying to make an honest living, I don't know, I think we cut them too much slack. It ends up costing us weeks, months and sometimes years to get our credit straightened out, lots of hard money in higher interest fees and a lot of money in product pricing to cover theft and fraud. I say hang em high and let them sell their apologies to their maker.
hey dude22, out here in the flyover states we rarely have a murder, the biggest news stories are fires, so yes, the tv stations DO put pix of criminals and would be criminals on air and ask for the public's help in identifying them. From fake door to door contractors and fake charity solicitors working the area to people pushing shopping carts of shoplifted items out of Wal-Mart to would be thieves at convenience stores, they all see their pix posted on air, and they usually do get identified and caught.
to 8srwild- what happened to the old adage "let the punishment fit the crime"? If it takes 2 years and x amount $ to clear up a stolen id, then the punishment should be that amount of time times the number of victims. If the crime pays many times more than the punishment costs, let alone the odds of not being caught, then there is substantial incentive to do the crime. I think the main reason for giving white collar criminals a slap on the wrist is that the prisons are overflowing with violent criminals, and some states are even releasing murderers early to relieve the crowding. Our prisons seem to function more as a training ground for criminals to improve their criminal skills than to rehabilitate them so our "punishment" needs to be rethought. While violent criminals need to be removed from society as protection for the rest of the society, most white collar criminals could be treated in more creative ways that would keep them out of prison but which would be most unpleasant to them, and which would include their [supervised] working fulltime at nasty jobs others don't want until they've paid back what they stole. Only after BOTH their time in the program AND full payback would they then be eligible for parole. Of course their assets would be seized as well and would count towards payback, an incentive for the biggest thieves to cough up their hidden assets. The biggest thieves would still have to be incarcerated [doing the worst jobs available in prisons] as their hidden assets could buy an escape. Since many gross jobs don't pay well, the more they stole, the longer it would take for their wages to equal the amount they stole. I think the possibility of spending years of doing things like cleaning sewage grinders might be a deterrent to the type of people who commit white collar crime.
NO WONDER THE ECONOMY IS SCREWED UP DUE TO A BUNCH OF LAZY **** BASTARDS, PLAYING THE SYSTEM, RIPPING OFF HONEST SHOP KEEPERS & CLIENTS OF THEIR MONEY
A THIEF IS A THIEF, NO MATTER WHAT
THIS NONSENSE MUST STOP
Q: You said you bought credit card data online. Tell me about that
Yes you can get to buy credit cards online from alot of spammers and not hackers.. now ask me the difference between a Hacker and a Spammer. Hackers are the good guys. they build all the computer programs you can ever think of but a Spammer are only out there to exploit you and steal your information. so back to the question. you can buy any credit card information for as cheap as $2.5 and full details with SSN, MMN and DOB for as cheap as$10.
Do identity thieves like some credit cards better than others?
Not really .. It all depends on what you need the cards for, if they need to make purchases they prefer a credit card but if you are in need of real time cash they go for a debit card coz it as good as cash at hand.(Western Union, Money Gram, Xoom and other personal merchant sites).
How do i get to protect myself?
The truth is you cant protect yourself until your government. The US government put some kinda security measures in place to curb it coz it cant be stopped. an average US store is vulnerable to any spammers attack. The only way you can get to protect your self is avoid any online transaction and pay in cash or be very careful with whom you share your information with.
I hope this helps.
Speaking as an actual victim of identity theft yes it sucked , it was a time consuming process with the banks and Paypal with their foreign customer service (whose reps can speak english but can not comprehend it) but the problem with today is not that carders get light sentences and plea deals.
The problem with our criminal courts are that it is perfectly legal to steal our money if you are fdic insured. And talk about light sentences and plea deals that issue should be raised about the child molesters who prey on our children time and time again because they are released time and time again!!!
Copyright © 2013 Microsoft. All rights reserved.
Fundamental company data and historical chart data provided by Morningstar Inc. Real-time index quotes and delayed quotes supplied by Morningstar Inc. Quotes delayed by up to 15 minutes, except where indicated otherwise. Fund summary, fund performance and dividend data provided by Morningstar Inc. Analyst recommendations provided by Zacks Investment Research. StockScouter data provided by Verus Analytics. IPO data provided by Hoover's Inc. Index membership data provided by Morningstar Inc.