Summary:

Scammers walked away with more than $1,700 from my bank account, without the bank finding anything suspicious. Here’s how they did it.

I don’t know about you, but I find bank-account hacking the ultimate bogeyman. As a 20-something living in the uber-expensive New York City, the thought of a late-night ATM run for taco-truck money turning into an avenue for crooks to take my hard-earned cash always keeps me on alert. To say I’m diligent about checking my account, especially around paydays, is an understatement.

And that vigilance has paid off, because this past weekend hackers walked away with roughly $1,800 from my account — and my bank did nothing to alert me or stop it.

That sounds crazy, right? That somehow $1,800 would slip out of my account, under the radar of a financial institution that’s known to ring me when I buy subway passes from a station vending machine. But scammers are taking advantage of modern conveniences to rapidly drain and launder money, utilizing some of the places we commonly shop — online and offline.

But let’s rewind to Sunday, Aug. 4, when an email from Mint.com entitled “Unusual Spending on Coffee Shops” hit my inbox. Mint, which I use as a budget and spending tracker, normally sends me annoying emails telling me I’m spending too much money on Chipotle. But they typically arrive at the end of the month, when my budget hits its limit — not four days into it.

So I clicked on the email and was shocked to see that someone had spent $470 on coffee in my name. To see how that was possible, I went directly to my bank account. This (below) is what I found.

[Image: StarbucksCitibank]

There, in $30 and $60 increments (and denoted with the phrase “STARBUCKS CARD RELOAD 800-782-7”), was the answer. Although the charges had been made days earlier, they had not posted to my account immediately, and no fraud alert had been triggered. I only saw the charges when they finally began rolling in and posting to my online account.

That $470 in damages that Mint caught was just the tip of the iceberg. In fact, the person or people responsible had put a total of $1,700 in charges on Starbucks cards. All of this prompted my bank’s fraud agent to let out a protracted “Wow” when I spoke with her 10 minutes later. 

I also called the Starbucks hotline, and the rep there gave me enough details to figure out exactly how it all went down.

After the perpetrators skimmed my debit-card number (perhaps at a subway-station vending machine or a local merchant), they made a purchase that might have attracted notice with some banks: a $15 charge to an e-waste store in Columbus, Ohio.

When that didn’t trigger the card to shut down, the fraudsters went to work. Starbucks uses a system called “Auto Reload,” which allows anyone with a registered card to automatically assign a flat reload rate once the card has a balance under $10. Cardholders don’t have to bother speaking to customer service or verifying the ID, so credit-card or PayPal numbers can be changed out quickly with no suspicion.

It’s easy enough to do online, and the charges show up as if they were directly added via the toll-free number — which actually does use a customer-service rep to verify fund transactions.

Loading up separate cards and paying for them in $30 or $60 increments makes it appear as if multiple cards are being issued — almost like I had decided to buy 33 Starbucks cards for my extended family. The transaction log — which shows rapid transactions in three-minute intervals — indicates that filling in the Auto-Reload fields could be accomplished with a simple macro. Log in, click to the card, input new credit card, reload, repeat.

In total, they siphoned $1,671 from my bank, spread out over two half-hour sessions using the Starbucks cards. (They also took $90 from my account to pay for premium server hosting on another website – just for fun, I guess.)

The Starbucks rep said that the company watches out for major purchases all done at once — like $300 to a single card — but that smaller increments assigned over many usernames can be hard to track for fraud. 
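The gap the rep describes can be shown with a small detection sketch. This is an added example, not code from the article, Starbucks or the bank: it compares a single-reload threshold with a sliding-window velocity rule keyed on the funding card. The log rows, the 30-minute window and the $150 and three-account thresholds are constructed assumptions; only the $300 figure and the $30/$60, three-minute pattern come from the article.

```python
from datetime import datetime, timedelta

def sample_log():
    """Constructed reload log: (time, funding card, gift-card account, USD)."""
    start = datetime(2013, 8, 1, 2, 0)  # constructed date and time
    amounts = [30, 60, 30, 60, 60, 30, 60, 30]
    rows = [(start + timedelta(minutes=3 * i), "debit-A", f"user{i:02d}", amt)
            for i, amt in enumerate(amounts)]
    # One ordinary customer reloading a single account once.
    rows.append((start + timedelta(minutes=5), "debit-B", "alice", 25))
    return sorted(rows)

def per_transaction_rule(rows, limit=300):
    """Flag only a single large reload, the check the rep described."""
    return {funding for _, funding, _, amt in rows if amt >= limit}

def velocity_rule(rows, window=timedelta(minutes=30),
                  max_total=150, max_accounts=3):
    """Flag a funding card on cumulative reloads inside a sliding window.

    Thresholds are assumptions for illustration, not any issuer's real limits.
    Returns {funding card: (time first flagged, window total, accounts seen)}.
    """
    flagged, recent = {}, {}
    for ts, funding, account, amt in rows:
        # Keep only this card's events that are still inside the window.
        events = [e for e in recent.get(funding, []) if ts - e[0] <= window]
        events.append((ts, account, amt))
        recent[funding] = events
        total = sum(e[2] for e in events)
        accounts = {e[1] for e in events}
        if funding not in flagged and (total > max_total
                                       or len(accounts) > max_accounts):
            flagged[funding] = (ts, total, len(accounts))
    return flagged

if __name__ == "__main__":
    log = sample_log()
    print("per-transaction rule:", per_transaction_rule(log))
    for card, (ts, total, n) in velocity_rule(log).items():
        print(f"velocity rule: {card} at {ts:%H:%M}, ${total} over {n} accounts")
```

On the constructed log the per-transaction rule flags nothing, while the velocity rule flags the funding card at the fourth reload, nine minutes into the session.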

The rep indicated that this is a common problem, and that the company tries to shut down suspicious reload activity when representatives see it. Money gets laundered through these cards, which are then often sold on eBay at some discount to the face value. The scammer profits, of course, and the buyer doesn’t realize what has happened until he or she is unable to register the card for Starbucks’ rewards service.

After reporting the situation to my bank, the bank ultimately credited the funds back to my account. The best way to avoid having your debit-card number grabbed, the bank said, is to be vigilant about card skimming — including fake card readers and “suspicious activity” from store merchants (whatever that means).

  1. Whoa, that is quite the interesting story. I am glad I have avoided this kind of thing for the most part.. other than a few video game accounts being hacked.. but nothing that hit me in the wallet. It is scary to think about how easy it can be, and how it doesn’t happen more than it does.

  2. Or to use cash more and leave the “convenience” at home. Also a good idea to avoid credit cards linked to bank accounts.

  3. Don’t use your direct deposit checking account as your primary checking, move the funds from the DD account into your spend account as needed, only use the DD account numbers for setting up DD and then shred all that documentation. With an account that you do not use for real world transactions to hold your DD while you split it into checking for bills and savings etc., you will drastically reduce your financial target footprint.

  4. This is why debit cards are a bad idea! Really, anything your bank promotes should be viewed with deep suspicion.

    1. totally agree. I refuse to have a debit card.

    2. Yes. Never use a debit card.

      1. As a community banker I realize the hesitation some customers have when using debit cards. It should be noted, however, that the vast majority (it isn’t even close) of bank fraud is attributed to paper trails and a lack of knowledge and precautionary measures when using your account info online for purchases and payments. Scanners and complicated systems like the one in this article are a fraction of the overall fraud. Also, most banks can easily implement more strict parameters for debit card purchases but the customers fight against this since it can cause consciences issues.

        1. *it can cause convenience issues.

  5. You should read some of krebsonsecurity dot com stories… he’s pretty good about digging even further on these dregs…

  6. “The best way to avoid having your debit-card number grabbed…” is to use a credit card for purchases at restaurants, subway stations, etc. Then pay it in full at the end of the month to avoid any interest, besides credit card spending usually earns better rewards: miles or cash back. And if a credit card number should get stolen, your bank account is safe.

  7. That must have been an awful experience. I’m glad you were able to get it back. A lot of banks would have blamed you for carelessness and not refunded. If only others were as vigilant as you! But the hassle must have messed up your day. I spend a lot of time tracking myself because I’ve been scammed as well. I can’t stop using convenient methods of shopping and loading, but I found that I can do most of it away from shady ATMs and vending machines. I do it online, protected by a VPN. I started following http://vpnexpress.net for the reports they have on different scams and tips for staying safe from them. So far I haven’t had any incidents and I think it’s a good option once you find reliable vendors online and get used to the change.

    1. Federal and State chartered banks are required by law to cover any fraudulent activity that results in a loss over $50. Customers are not on the hook. Also, 99.9% of banks would not blame you for “carelessness” in this case because it is obviously, without a doubt, fraudulent activity. I would recommend that you educate yourself on the way banks handle fraud, as it would most likely ease your harsh opinion that all banks are evil and out to get you. Many banks are small and medium sized businesses that have great intentions.

  8. Debit cards come directly out of your account.

    In the old days, the robbers stole from the bank because “that’s where the money is”. Nowadays, they steal from the customers directly.

    My understanding is that debit card issuers promise to give your money back, but with a credit card it is federal law that you’re only liable for $50 assuming you act responsibly and review your bills. Plus, you don’t send the money until you have had a chance of reviewing the bill.

    You should read Brian Krebs’ blog. He has story after story about card skimming devices and automatic fund transfer scams amounting to hundreds of thousands of dollars. Basically these are businesses and they have to sue their banks to get their money back and they don’t always get their money back.

    So you are just putting yourself at risk of having an argument with your bank while a third party actually has possession of your money.

  9. this almost happened to me today but American Express blocked it and called me immediately

    1. Kevin Dethlefs Friday, August 9, 2013

      AmEx I think is known for their paranoia. I also know some businesses refuse to accept AmEx so it’s not as convenient. Could be worse, though. Could be Discover.
