Who are these people who hack our credit cards? Two reformed card thieves reveal the tricks of their trade, and how to avoid them.
Credit card fraud is the unauthorized use of such payment tools as credit cards, debit cards and electronic fund transfers to obtain money or property fraudulently.
Cameron Harrison of Augusta, Georgia
“I did just about every aspect of credit card theft. I dabbled with it all, but the main thing was cashing out stolen data from ATM machines and in stores,” says Cameron Harrison, who was convicted on Racketeer Influenced and Corrupt Organizations Act (RICO) charges. “That was my specialty. There are a couple ways I did it but all were by hacking data. I phished by spamming and then created credit and debit cards out of the data.”
It all began when he was a kid making fake IDs. “I was always good at it,” says Harrison. “It was easy for me, and I started selling more and more of them. Eventually, I realized that I could do it for credit card theft too, so I tried that. I obtained peoples’ information, put it in the right format and found out that it works. I was good at programming so I taught myself.
“Later, my hacking got more advanced and I started to work with suppliers who would give me the data I wanted, then I would create cards and get the money from ATMs. I got deeper and deeper into it. What’s funny is that originally it wasn’t about money. It was just something I did because I could. Then it became work, and it paid well.”
Harrison was committing credit card fraud in various states and ended up the focus of a sting operation. He had been under investigation in Las Vegas, and after investigators cross-referenced the alias he was using, he was arrested at a hotel in Birmingham, Alabama. After being convicted, he spent nine years behind bars and was released in 2021.
“Being out is unreal sometimes,” says Harrison. “I wish I never got involved with it. I had started doing drugs, too, and that wasn’t helping. It started out as fun. I hated it by the time I got in trouble but didn’t know what else to do. And it’s interesting because I never stole anything from a person in my life. If someone dropped their wallet, I’d give it back! But on a computer, all you see is a bunch of numbers. You don’t think about it. No one was hurt, you say to yourself. But it happened to me recently, and yes, it does hurt.”
Brett Johnson of Birmingham, Alabama
Brett Johnson was part of the notorious ShadowCrew cybercriminal network and spent time on the FBI’s Most Wanted list before being caught, prosecuted and sentenced to 90 months in federal prison.
Crime was an early part of Johnson’s life. “I was 10 when I started shoplifting with my sister,” he says. “She started with a pack of pork chops. When she stopped, I kept on going, but this time with scams and frauds. I faked documents, faked accidents. I just grew up with it.”
As an adult, Johnson got into telemarketing fraud, and around 1999 started doing business with Ukrainian nationals, buying credit card details from the dark web. “It involved three necessities: gathering data, committing the crime, then cashing it out,” he says. “One guy can’t do all three. It relies on skill level and location.” Johnson would create counterfeit credit cards to use in stores by buying the necessary data and then making usable accounts.
“You can buy anything to make the cards, including holograms,” says Johnson. “Other times I used existing credit cards. I’d wrap it with a washcloth, iron the numbers out and use an embosser to stamp in the fake numbers. When you buy a card you assume it’s live, based on the seller. There’s a lot of trust in this business.”
Criminals can learn the available limit on a card from the dark web. Still, there are other clues, such as the bank identification number (BIN), which is the first four to six digits of the account number and identifies the issuer and type of card. “I loved 414720 BINs because they’re Chase accounts with high limits,” says Johnson. “The people who get this kind of card tend to travel a lot. They may be shopping globally, so high charges in different parts of the world won’t trigger a fraud alert.”
Still, Johnson was careful not to arouse suspicion. That meant, for example, not going into the Apple store and buying three MacBooks unless it’s the holiday season when security loosens up.
“Opening new accounts is easy,” says Johnson. “I could hack into credit reports, get all the data I needed and apply for an account that the person didn’t have. I’d buy things and have them sent to a drop address (locations where a thief picks up merchandise). Or I’d just steal it from the front porch. It’s not a sophisticated crime.”
Although Johnson used to justify his actions, he eventually came to terms with the pain he was causing.
“I stole money from a man online, and when he found out, he said, ‘I guess you needed it more than I did.’ That felt awful,” he says. “I stole money a woman needed for a roof by defrauding her on eBay. It’s not victimless. It’s not just numbers. Some people depend on their credit card to pay their bills, but they can’t because of what a thief did. You make people feel vulnerable. Fraud can be fixed, but not that. Somehow, when I was committing these crimes, I was able to dismiss all that. It took a lot to change – therapy, my sister disowned me. I caused a lot of damage.”
Today Johnson makes amends by helping companies protect against theft, and has developed the educational course, Cybercrime101.
Protection tips from the pros
Although both Harrison and Johnson say there’s no stopping a dedicated credit card criminal from trying to defraud people, there are ways people can protect themselves.
Be on the lookout for fake websites, says Harrison. “There’s a huge spike in them,” he says. “The EMV chips have helped stop a lot of credit card fraud. I don’t know why the U.S. was so late to adopt that technology. Spamming and phishing is harder, too, since they show up in alerts. What people are doing now is setting up websites to sell goods that don’t exist. You’ll see a really good deal on something like golf clubs, so you use your card to buy them, but it comes back as an invalid purchase. The transaction doesn’t go through on your card, so you think nothing of it. But the hacker has your card information and will use it later on when you’re not expecting it. They sit and wait.”
Many e-commerce websites can look perfect, so check out the domain on sites like domaintools.com to see how long it’s been in operation. If it’s only been registered for a few months, odds are it’s bogus. A site that only accepts Western Union or Bitcoin is another red flag.
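The domain-age and payment-method checks described above can be scripted. This is an added example, not from the article or from domaintools.com: it reads constructed registration records in the RDAP "events" layout, and the 180-day threshold, function names and sample domains are assumptions.

```python
from datetime import datetime, timezone

# Payment methods the article names as a red flag when they are the only option.
RED_FLAG_ONLY = {"western union", "bitcoin"}

# Constructed RDAP-style records (RFC 9083 "events" layout), not real lookups.
NEW_SHOP = {"ldhName": "golf-deals.example", "events": [
    {"eventAction": "registration", "eventDate": "2024-03-15T10:00:00Z"},
    {"eventAction": "expiration", "eventDate": "2025-03-15T10:00:00Z"}]}
OLD_SHOP = {"ldhName": "established-store.example", "events": [
    {"eventAction": "last changed", "eventDate": "2024-01-09T08:30:00Z"},
    {"eventAction": "registration", "eventDate": "2009-08-02T00:00:00"}]}


def registration_date(rdap):
    """Return the domain's registration time as an aware UTC datetime, or None."""
    for event in rdap.get("events", []):
        if event.get("eventAction") == "registration":
            stamp = datetime.fromisoformat(event["eventDate"].replace("Z", "+00:00"))
            # Some records omit the offset; treat those timestamps as UTC.
            return stamp if stamp.tzinfo else stamp.replace(tzinfo=timezone.utc)
    return None


def assess_shop(rdap, payment_methods, now, min_age_days=180):
    """List warning signs for a shop: young domain, WU/Bitcoin-only checkout."""
    flags = []
    registered = registration_date(rdap)
    if registered is None:
        # Not from the article: a missing date means the age check cannot run.
        flags.append("registration date not published")
    else:
        age_days = (now - registered).days
        if age_days < min_age_days:  # 180 is an assumed reading of "a few months"
            flags.append(f"domain registered {age_days} days ago")
    accepted = {m.strip().lower() for m in payment_methods}
    if accepted and accepted <= RED_FLAG_ONLY:
        flags.append("only Western Union/Bitcoin accepted")
    return flags


if __name__ == "__main__":
    today = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed date, stable output
    print(assess_shop(NEW_SHOP, ["Bitcoin", "Western Union"], today))
    print(assess_shop(OLD_SHOP, ["Visa", "Bitcoin"], today))
```

A shop that takes cards alongside Bitcoin is not flagged on payment grounds, since the red flag is accepting nothing else.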
Harrison also suggests using a prepaid card loaded with the amount of the purchase you want to make, but if that’s too much of a hassle, consider using a virtual card number. Most credit card issuers offer temporary card numbers. For example, Capital One uses Eno to create virtual card numbers from any checkout page, which will pop up on the browser when you’re ready to check out.
Johnson believes everyone should freeze their credit, which restricts access to credit reports, thus making it much harder for a thief to open new accounts. It’s free and should be done for each member of the household. Other tips from Johnson:
- Monitor your accounts for unfamiliar activity, and contact the issuer immediately if you spot it.
- Place alerts on all your accounts, so you will know when possible fraud happens without having to check first.
- Make different passwords for each online account.
- Pay attention to your surroundings to avoid being pickpocketed.
- Don’t share personal information on social media, especially when you’ll be out of town.
- Enroll in credit security systems but don’t just rely on them. Take an active role instead.
Finally, take the time to file a police report if you fall victim to credit card fraud.
“Always choose to prosecute the criminal,” says Johnson. “Prison does a body good. It gives a sense of justice to you and them. It also sends a strong message to others that they can be sent to prison.”