The Perfect Crime

August 25, 2005

Like most people today, I’m careful about protecting myself from theft. I shred all of those unsolicited pre-approval credit applications that I get in the mail (which should be outlawed), and I refuse to write my social security number on any form where I’m not applying for credit or a loan. (It amazes me that the dentist still asks for this information on the forms they require, despite this information being totally unnecessary for insurance purposes.) I carry very few credit cards – just a corporate AMEX, my debit card, and my VISA.

I avoid writing checks, and I shred anything that has any of my financial account numbers on it. I check my credit report at least once a year and I scrutinize every charge on every credit statement I get. To be smart, I recently got a separate American Express card to use expressly for online purchases. For all other purchases, I use my VISA.

I’m doing everything right. Right? At least, that’s what Officer Stefan of the Houston Police told me on the phone this morning. But it still doesn’t matter – I am still at risk. Credit card theft is at an all-time high, thanks in part to the Internet.

On July 7th as I was on my way out the door for vacation, I received an unexpected package from Target.com. I mentioned to the concierge, “Hmm. I didn’t order anything from Target.” I opened the large box, and inside was a smaller brown box. The invoice told me it was a portable DVD player. My first thought was, “Great. Now I have to go through the trouble of shipping it back.” I didn’t have time to deal with it that afternoon so I got in my rental car and split.

I called Target.com the same day I returned from vacation on the 15th to ask for a return shipping label. I logged on to AmericanExpress.com and saw an unexpected bill for $509.80 dated July 4th. I assumed this was for the DVD player. The Target rep noticed a second order made the same day for $194. That’s when I knew something was wrong.

As it turned out, the second charge was for the DVD player sent to my address. The larger charge was for a camcorder sent to a Houston address. She wouldn’t give me the address. I’m thinking, “Something is charged in my name using my AMEX, and you won’t tell me the address it went to?” That’s the funny thing – once a charge becomes “fraud” everyone clams up and the victim is left hanging.

From this point on, I had a new job to do (in addition to my regular job that pays the rent). This entailed several phone calls to American Express over the next four weeks, as well as two visits to NYPD, a dozen calls to Houston PD begging them to call me just once – which took a solid month - lots of credit card theft research, and calls to credit reporting agencies and the FTC to alert them to the fraudulent charges. I was going to do everything in my power to catch the person who did this, so I launched my own personal investigation.

The interesting (and sad) thing is the speed with which American Express reversed the charges for me. They didn’t even question my fraud report – they took the charges off faster than I could say thank-you. As I’ve learned, credit card companies are making so much money that they can afford to eat the cost of fraud. Officer Stefan told me that for every 100 credit card dollars spent, 10 to 12 cents of that is fraud. Think about it – that’s nothing. So, credit card fraud has become routine for these large banking institutions. They expect, and therefore tolerate, a certain amount of risk. So investigative efforts are minimal, at best.

Another call to Target.com revealed that the thief had opened a Target account using my initials. But Target wasn’t talking either. A call to Yahoo revealed that a subpoena would be required to get info about the person who created that Yahoo account. Of course, the chance of that information being accurate is slim, but you never know how stupid the perp is.

I started writing all of this down – dates and times and names of people I talked to. I wanted the Houston address. Since Target wouldn’t give me that information, I tried calling them again. When they asked for my email address, I gave them the Yahoo alias. For identity verification, they asked me my name and address. I gave them my address and name, not knowing if I’d pass the security verification. Sure enough, I passed the test. I was now scb@yahoo.com and they’d tell my anything I wanted to know. They gave me the address my package was shipped to, the date it was delivered, the name of the person who signed for it, and the UPS tracking number.

If someone can get away with a crime impersonating me, I’m sure as heck not going to feel bad about asking for information while impersonating myself.

Armed with all of that info, a phone, and Internet access, I was able to find out a lot about the alleged thief. Using reverse lookup on whitepages.com I was able to get the names of all the residents of the apartment complex where the stolen property was delivered. Calling the management office of that complex revealed yet more information.

So, within a month I had the woman’s name, address, place of employment, and job title. I was on a first-name basis with the apartment manager and also knew that the alleged perpetrator would be moving out in September. I wrote all this down and mailed it to the Houston PD.

Here’s the sad part – even with all the information I was able to gather, it is nearly impossible to prove Internet credit card theft. Earlier this week the NYPD detective assigned to my case called me, and we had a very interesting conversation. Despite my only waiting a few short days for him to call about my case, he apologized for not getting back to me sooner, saying he’d caught seven of these cases last week alone. He gets over 350 fraud cases a year. That’s one a day, for one single detective, in one single NYC precinct.

The detective explained with some dejection why it’s difficult to prosecute a credit card fraud case. Even with all the information we have on this case, we can’t prove who created the Yahoo ID. Even though we have the address where the stolen item was delivered, we can’t prove that the person living there used the computer to place the order – at least not without an IP address. The detective sounded more than a tad dismayed when he concluded, “It’s the perfect crime.”

So I learned a lot. I always knew it is generally easy to get information out of people. But now I know how easy it is to have your credit card information stolen, no matter how careful you are. Thieves go to chat rooms online and buy credit card numbers. My brother Dave said, “You have no idea how many companies store your credit card numbers in unencrypted databases.” Entire lists of credit card numbers are stolen (usually an inside job) and re-sold. Typically the person using your card isn’t even the one who stole it. Essentially, if you use a credit card anywhere, there is no guarantee that it will be protected.

Remember the old days when we insisted on tearing up the carbons? How stupid is that when anyone with access to the credit card slip could just copy down your number?

The good news is the Houston police are still on the case and will subpoena Yahoo.com for account information. They actually took the time to track the package and make a visit to the delivery address but no one was home.

I really don’t expect the case to be solved, but at least they are trying, and I appreciated that. And both officers I talked to were very pleasant - unlike the first PAA in my local NYPD precinct who was in a bad mood and refused to file a report without a letter from American Express - even when I produced that letter on the spot. I think she was annoyed with my preparedness. She obviously would have preferred to be anywhere else that day, so she fabricated a reason to not accept the letter as proof I'd been ripped off. Despite being disgusted with her rolling-eye behavior toward me, I remained polite in the hopes that she would in fact do her job and fill out the report.

God I hate disgruntled civilians. This required another walk over to the precinct a couple weeks later to try again. I got a different PAA and she had no problem filing a report with the very same information I’d come in with the first time.

The NYPD detective on my case told me about a great idea that would help rid us of credit card theft – and I don’t know why banks don’t do this. Each individual credit card purchase should require a PIN - and not just one time when opening an online account (like when you’re required to input the 3- or 4-digit CVV number on the back of the card). Debit cards require it – why don’t the credit card companies do the same? Is it too costly a solution? I guess so if it costs more than the money they lose on fraud each year.

So we’ll see what happens. Right now I’m at 36,000 feet flying Song Airline to Seattle. According to the neat personal media center I have in front of my seat, it’s one degree Fahrenheit outside, we’ve traveled 915 miles, and we’re moving at 470 mph. I like Song. This is my first time traveling with them. My non-stop coast-to-coast flight cost me only $296 – I got it for a song. :) The flight attendants are genuinely nice, the pilot has a sense of humor, and the flight is on time. The media center and complimentary headset is a sweet bonus.

If you ever fly Song, I highly recommend seat 1C. Although it’s adjacent to the noisy galley area, it’s the only seat on the plane that gives you unlimited leg-stretching space. It’s first class without the first class service or price.

Now if the guy behind me would just stop using the touch-screen monitor on the back of my seat as a punch-screen, everything would be perfect……