14 posts from January 2010

Canadian Man Arrested For Operating Sophisticated ATM Theft Scam in Massachusetts

On Thursday, a Canadian man living in the Boston area was arrested for operating a sophisticated ATM theft ring that stole bank account information and money from an unknown number of consumers. WBZ Television in Boston reported:

"Police said at least $100,000 was swiped from unsuspected bank customers. The scam could impact many consumers in and around Boston. Izaylo Hristov, 28, faces larceny charges after a Citizens Bank in Quincy noticed weird activity and called police, which led to an investigation and an arrest."

Reportedly, Hristov told police that two other men participated in his ATM theft scam. The criminals attached card-skimming devices over the debit card slots to steal bank customers' account numbers and installed tiny cameras within the ATM booths to record bank customers' personal identification numbers (PINs). The thieves sat in a car near each ATM booth with a wireless router to download the stolen bank account information. Then, the thieves created duplicate ATM cards to withdraw money from victims' bank accounts at other ATM locations.

From WBZ Radio:

"Norfolk County District Attorney William Keating on Thursday alleged 28-year-old Izaylo Hristov of Ontario, Canada, was part of a gang that loaded the stolen information on new cards to withdraw thousands of dollars from various bank accounts."

Hristov's accomplices have not been arrested yet. A Quincy District Court judge has ordered Hristov held on $1 million cash bail, or $10 million surety.

Consumers should read this blog post with tips about how to recognize and avoid using ATM machines that have been tampered with.


Man Receives Prison Sentence For International Check Scam

A popular topic on this blog has been check scams and tips for consumers about how to recognize them. It is always good to read about the prosecution of fraudsters and scam artists by law enforcement.

KABC Television in Los Angeles reported that a Nigerian national was sentenced Monday to 97 months in federal prison for operating an international check scam:

"Prosecutors say that 39-year-old Alvin Chiemezie Asieru bilked hundreds of victims out of more than $1.5 million. Asieru was also ordered to pay full restitution to his victims. He pleaded guilty last year to one count of mail fraud, admitting that he participated in an international telemarketing scheme that defrauded almost 500 American victims. Prosecutors say Asieru's scheme involved sending fraudulent checks to victims, telling them that they had either won a contest, had been chosen to participate in a promotion, or were being offered employment as "secret shoppers.""


How To Spot Upcoming Trouble In Companies' Annual Filings

Canadian Business Online reported the results of an interesting study:

"The study, by University of Notre Dame business professors Tim Loughran and Bill McDonald, reveals that certain innocuous-sounding phrases such as “related party transaction” and “unbilled receivables” that appear in corporate filings could signal fraud or, at the very least, problems with the business."

The researchers analyzed more than 50,000 10-K filings, documents publicly-traded companies file every year with the U.S. Securities and Exchange Commission. Phrases the researchers found worrisome:

"The phrase that popped up the most was “related party transactions,” which appeared in 16,524 reports. The term, which means a deal between two parties who have a prior relationship, is worrisome... as it “could be an indication that a board of directors is not independent.” The study found that the more the phrase appears, the greater the company’s volatility in the following year..."

And:

"... the more companies used the words “materially and adversely affected,” which usually refers to a negative event affecting earnings, the more the stock value dropped after the report was submitted to the SEC. Another term to watch for is “unbilled receivables.” The study reveals that the more times that term is used, “the more likely it is that someone will subsequently file a class action lawsuit against the company.”"

The results of this study sound like advice consumers could use for both investing decisions and for employment search decisions.


Class Action Lawsuits Claim Companies' Purchases Of Drivers' Data Violated Law (Part 2)

I promised in yesterday's post to provide updates as I discovered more lawsuits where companies allegedly violated the DPPA. A Google.com search discovered a similar lawsuit in Arkansas. The Southeast Texas Record reported:

"... each driver in Arkansas may receive $2,500 from companies that may have obtained their personal information illegally through the Arkansas Department of Licensing. The class action alleges that several companies violated the Driver Privacy Protection Act by obtaining personal information contained in motor vehicle records maintained by the state. On behalf of themselves and all others similarly situated, seven plaintiffs filed a class action against Arkansas Automobile Dealers' Association, TRW Target Marketing and The Recall Center..."

Similar to the lawsuit in Oregon, the Arkansas class-action alleges:

"... the state of Arkansas does not obtain express consent from any driver to release personal information but will only sell the personal information from a motor vehicle record to people or organizations that claim that they have a "lawful purpose for the information (other than direct or mass marketing)." Once an entity certifies that it has a lawful purpose for some personal information and/or has obtained any necessary consent, the motor vehicle department provides that entity with a copy of the state's entire database of names, addresses and other personal information... The lawsuit claims that class members did not expressly consent to the release of their private information and that the defendants obtained their personal information unlawfully, violating a legally protected right."

The plaintiffs are represented by several Texarkana-based attorneys and a name I recognize: Joseph H. Malley of the Law Offices of Joseph H. Malley -- a Privacy Crusader. Thanks to all of the attorneys for protecting consumers' interests.


Class Action Lawsuits Claim Companies' Purchases Of Drivers' Data Violated Law

In May 2009, I wrote a blog post about Acxiom, an Arkansas-based corporation, and the huge database it maintains about consumers. Some of that data includes consumers' auto information, which suggested that Acxiom (and companies like it) purchase data from states' motor vehicle registration agencies.

That blog post mentioned a lawsuit against Acxiom and the Drivers Protection Privacy Act, which was intended to protect the sensitive personal information stored about consumers by states' drivers and vehicle registration agencies. I began to wonder what the status of that class-action lawsuit is.

The Taylor et al v Acxiom class-action lawsuit is still in litigation. Acxiom stated in November 2009 in its quarterly filing (bold emphasis and links added):

"Richard Fresco, et al. v. R.L. Polk and Company and Acxiom Corporation, (U.S. Dist. Court, S.D. Florida, 07-60695) formerly, Linda Brooks and Richard Fresco v. Auto Data Direct, Inc., et al., (U.S. Dist. Court, S.D. Florida, 03-61063) is a putative class action lawsuit, removed to federal court in May 2003, filed against Acxiom and several other information providers. The plaintiffs allege that the defendants obtained and used drivers’ license data in violation of the federal Drivers Privacy Protection Act. To date, a class has not been certified. Among other things, the plaintiffs seek injunctive relief, statutory damages, and attorneys’ fees. Acxiom has agreed to settle the case and is seeking preliminary approval by the court. The process of obtaining final approval of the settlement is expected to take several months. Acxiom has accrued $5.0 million for the settlement and ancillary costs to obtain final approval and has paid $2.5 million of this amount into an escrow fund established for the settlement, leaving a remaining accrual of $2.5 million. Two companion cases, Sharon Taylor, et al., v. Acxiom, et al., (U.S. District Court, E.D. Texas, 207CV001) and Sharon Taylor, et al. v. Biometric Access Company, et al., (U.S. District Court, E.D. Texas, 2:07-CV-00018), were filed in January 2007. Both Taylor cases were dismissed by the District Court and are now on appeal."

To summarize: there have been at least two court cases against Acxiom about alleged DPPA violations. One case (Taylor et al.) is still in litigation on appeal, and Acxiom seeks to settle the second case (Fresco et al.) out of court with a planned $5 million payout.

So, that's the status on Acxiom. I began to wonder if there were any other lawsuits about alleged DPPA violations. A quick blog search found a Pogo Was Right blog post about a class-action suit in the State of Oregon. I downloaded and read the complaint available at Courthouse News Service.

The plaintiffs are consumers: owners of Oregon drivers licenses and most also own a vehicle registered with the State of Oregon. The defendants include a mix of Oregon-based and foreign-based companies who allegedly used the plaintiffs' sensitive personal data in violation of the DPPA law. The suit alleges that the defendants did not gain the consumers' permission to use their personal information:

"Each Defendant in this litigation purchased this entire database of names from the State of Oregon. Defendants each have a signed contract with the State of Oregon whereby they claim that they have a proper purpose for obtaining each piece of personal information... Defendants, however, cannot and do not have a permissible purpose to obtain all the personal information contained in the State of Oregon's database."

The complaint explained the original DPPA in 1993:

"... made it unlawful for any person or organization to disclose or obtain personal information derived from any motor vehicle record, unless the subject of the information had authorized such disclosure or the request/disclosure qualified under a recognized exception, including use by any federal or state agency, use in connection with motor vehicle and driver safety, use in court proceedings, use in certain research activities, use relating to certain insurance matters, and use for verification of personal information submitted by the subject of such information. Use of personal information for marketing activities was permitted, so long as the States had provided individuals identified in motor vehicle records with the opportunity to prohibit such disclosures. This "opt out" provision effectively gave individuals the right to prohibit the States from disclosing personal information for marketing purposes."

The complaint also explained a 1999 change in the DPPA by Congress:

"... eliminating the "opt out" provision for marketing activities. Use or obtaining of personal information contained in motor vehicle records for "surveys, marketing or solicitations" is permitted only "if the State has obtained the express consent of the person to whom such personal information pertains." Similarly, a requester of personal information may obtain such information for any purpose, "if the requester demonstrates it has obtained the express consent of the person to whom such personal information pertains.""

A contributing factor to the problem seems to be that:

"Oregon law does not provide for an "opt-in" procedure as described in the 1999 amendments to the DPPA. In fact, Oregon does not obtain express consent from any driver. Instead, the State of Oregon only sells "personal information" from a motor vehicle record to "persons" who claim that they have a lawful purpose for the information (other than for direct or mass marketing)."

Does it make sense for a state DMV agency to sell all of its DMV records when a company needs only a few records? Do you want your State DMV selling your sensitive personal information to persons, or companies, who CLAIM to have a legitimate purpose but don't? Wouldn't you want that company to get your express written permission, first? I know I would. I want to maintain control over my sensitive personal information.

I want companies like Acxiom and the defendants in the Oregon lawsuit to disclose exactly where they purchase consumer data from. To me, it isn't enough for these companies to hide behind an excuse that it's a proprietary process, or make a vague claim in their Web site terms and conditions policy that they exchange data with unnamed companies for marketing purposes.

This is playing fast and loose with valuable consumer data. The fast-and-loose approach with selling consumers' sensitive data has led to some spectacular data breaches and fraud. In 2006, ChoicePoint paid $15 million in fines to the FTC after selling data to identity thieves posing as potential lenders, which led to identity theft and fraud.

As I read the Oregon complaint, I noticed a familiar name in the list of attorneys for the plaintiffs... the Law Office of Joseph Malley, a Privacy Crusader in the NebuAd class-action suit. It's good to see attorneys acting again to protect consumers' interests.

This story about Acxiom and the Oregon lawsuits is only the beginning. I will continue to search for more lawsuits about possible DPPA violations, and will report my findings in this blog.


Cyber Criminals Trick Consumers To Wire Money To Overseas Accounts As "Money Mules"

In his Krebs on Security blog, Brian Krebs outlined a rather creative scam by cyber criminals. This story highlights how criminals tricked consumers into helping them commit fraud by preying on consumers' job-search insecurities.

First the criminals hacked into the Delray Beach Public Library's computer systems to steal the library's financial account credentials. Then, the criminals created a bogus company to recruit fake employees to help them commit wire transfer fraud. The scam began to surface when the staff at a Florida library couldn't determine:

"... how or why nearly $160,000 had disappeared from their bank ledgers virtually overnight. The money was sent in sub-$10,000 chunks to some 16 new employees that had been added to the usual outgoing direct deposit payroll."

The criminals had hacked into the library's computer systems to insert the bogus employees into the library's payroll, and to steal the library's money using the library's financial account credentials. Krebs described the plight of one fake employee:

"... 19-year-old Brittany Carmine... Carmine had just lost her job at a local marketing firm when she received a work-at-home job offer from a company calling itself the Prestige Group. She said after researching the company online, she decided it was legitimate, and filled out the paperwork to begin her employment. Just days later, she received a bank deposit of $9,649, with instructions to wire all but roughly $770 of that to individuals in Ukraine."

Not knowing she was working for criminals, Carmine followed the instructions she received and wired the money to separate accounts in the Ukraine and kept each wire transfer amount below $3,000 -- a limit that would trigger alarms at Western Union and Moneygram. Of course, the bank deposit Carmine received into her bank account was money stolen from the library, and:

"The next day, Carmine found she had a negative $9,649 balance at her bank, which froze her account and sent an investigator to hound her for the money. Brittany says she doesn’t have the money to pay back... The library would later learn that the attackers had swiped its online banking credentials with the help of a password-stealing computer virus, and then initiated a batch of sub-$10,000 transfers to Carmine and 15 other so-called money mules. Because staffers at the library noticed the fraud immediately, their bank was able to reverse most of the other bogus transfers and was willing to refund the library the remaining amount..."

Carmine was stuck because her bank had reversed the deposit to her bank account, and she had already wired money overseas to the cyber criminals. What should a consumer do to avoid getting scammed like this? The Privacy Rights Clearinghouse advises consumers:

  1. "Do not give personal bank account, PayPal account, or credit card numbers to an employer.
  2. Do not agree to have funds or paychecks direct deposited to any of your accounts by a new employer.
  3. Do not forward, transfer, or "wire" money to an employer.
  4. Do not transfer money and retain a portion for payment."

"Legitimate employers do not usually need your bank account numbers. While direct deposit of a paycheck is a convenience, if that is the only option an employer offers, then you should not accept the job. A legitimate employer will give you the option of direct deposit, but not demand that it is used. You should wait until you have met the employer in person before agreeing to a direct deposit option."

Follow this advice so you don't become a "money mule" in your next job. If you are already a scam victim, then you should:

  1. "Close all bank accounts at the bank where the scam took place.
  2. Order a credit report from all three credit bureaus every 2 to 3 months. Watch the reports for unusual activity. If you have given your SSN to the fraudster, we advise that you place fraud alerts on your three credit reports - Experian, Equifax, and TransUnion.
  3. Victims of payment-forwarding scams should contact their local Secret Service field agent. The Secret Service handles complaints of international fraud. Fraud victims should also file a police report with local law enforcement officials as well.
  4. Victims should report the company name, the job posting, and all contact names to the job sites where the scam was posted.
  5. Victims should permanently close all email addresses that were associated with the job fraud."

The U.S. Supreme Court Suggests Some Constitutional Changes

If you read this blog regularly, then you know that I regularly write about and advocate for consumers' rights against corporate greed and abuses involving identity theft, corporate responsibility, and corporate data breaches. Today's topic definitely includes corporate responsibility and consumers' (voters') rights.

Last week's SCOTUS decision on campaign finance suggests some changes to the U.S. Constitution are necessary:

"We the Corporations of the United States, in Order to form a more perfect Union, establish Justice, insure domestic Tranquility, provide for the common defence, promote the corporate Welfare, and secure the Blessings of Liberty to ourselves and our Posterity, do ordain and establish this Constitution for the United States of America."

Article 1, Section 2 of the Constitution also requires an update:

"The House of Representatives shall be composed of Members chosen every second Year by the Corporations of the several States, and the Electors in each State shall have the Qualifications requisite for Electors of the most numerous Branch of the State Legislature. No Corporation shall be a Representative who shall not have attained to the Age of twenty five Years in business, and has maintained a headquarters for at least the seven latest consecutive Years in the United States, and who shall not, when elected, be an Inhabitant of that State in which he shall be chosen."

Article 1, Section 3 of the Constitution also requires an update:

"The Senate of the United States shall be composed of two Senators from each State, chosen by the Legislature thereof for six Years; and each Senator shall have one Vote... No Corporation shall be a Senator who shall not have attained to the Age of thirty Years, and has maintained a headquarters for at least the nine latest consecutive Years in the United States, and who shall not, when elected, be an Inhabitant of that State for which he shall be chosen."

And, Article 2, Section 1 of the Constitution also requires an update:

"No Corporation except a U.S.-based Corporation, or a corporation that has transferred its headquarter location into the U.S. for at least seven years, at the time of the Adoption of this Constitution, shall be eligible to the Office of President; neither shall any Corporation be eligible to that Office who shall not have attained to the Age of thirty five Years, and has maintained a headquarters fourteen consecutive Years within the United States."

A couple of friends on Facebook summed up this SCOTUS decision very well:

"Corporations are not people, and money is not speech. And hey, where did all those people complaining about activist judges go?"

If this SCOTUS decision annoys you (and I sincerely hope that it does), take action:


Secure Computing: Top 10 Technologies For Tyranny

There's an old saying, "Guns don't kill people. People kill people." Much the same can be said for today's Internet technologies. In the hands of the wrong people, these technologies can keep you uninformed and definitely invade your privacy. And we've all learned that a democracy is only as good as an informed citizenry.

Iain Thomson at Secure Computing Magazine compiled a list of the "Top 10 Technologies For Tyranny." Number 8 on the list:

"The use of GPS to track criminals was pioneered in the US... looking ahead GPS could be a key technology in keeping populations quiescent. We're already seeing moves afoot to have GPS installed in all cars so that road pricing schemes can be put into operation. Everything from phones to pet's collars is now having GPS fitted and the ability to read the signals means we could all be tracked much more efficiently."

Number 7 on the list:

"ID cards have been around for a while... but these days, with the advent of RFID, ID cards can also be used to keep tabs on where a person is and what they are doing. If managed correctly, an authoritarian regime can know who is in the country, who is out of the country and where they have been in the meantime. In 2008, the Chinese government outlined a plan to put RFID tags in as many as a billion ID cards..."

Number 6 on the list:

"It is said that no snowflake in an avalanche ever feels responsible. The same is true for some companies it seems. I'm sure when the Chinese authorities went to Cisco for the equipment to build the Great Firewall of China the local head of sales thought about what it could be used for, but that those thoughts were elbowed aside by the thought of his or her annual bonus package if the sale went through. Similarly Microsoft and Yahoo routinely hand over user details to the Chinese authorities when asked, despite that action often leads to jail sentences for people who publicly express an opinion. Other companies do exactly the same thing, and have done so throughout history. IBM provided the Nazi regime with a customised Hollerith punch card system to help automate Hitler's Final Solution and Thomas Watson was awarded a medal by Germany for it, although he eventually gave it back. Both General Motors and Ford also helped the Nazi war effort initially and members of both companies also received medals from the regime."

Two of my favorite technologies to watch, behavioral advertising and Facebook, fall under number 2 on the list. In and of themselves, these new technologies are great but how they are used -- and abused -- is the concern.


State of Connecticut Sues Health Net Over Breach

Health Net's post-breach woes continue. Last week, the Hartford Courant reported:

"Health Net is being sued by Attorney General Richard Blumenthal for allegedly failing to secure patients' medical records and not promptly notifying consumers of a massive security breach. The health insurer... had a portable, external hard drive go missing in May, though it's not clear if it was lost or stolen. The company reported the lost records in November after a six-month internal investigation... Blumenthal's office said the lost records are a violation of HIPAA, the Health Insurance Portability and Accountability Act of 1996 [HIPAA], and is seeking a court order to require the company to encrypt all information placed on a portable device. The attorney general's office says this is believed to be the first instance in which a state attorney general has enforced HIPAA since state attorneys general were given that right through the Health Information Technology for Economic and Clinical Health Act of 2009 [HITECH]."

Last month, the Arizona AG filed suit against Health Net. To learn more about HIPAA, read this summary about HIPAA by the State of Maryland. You can learn more about the HITECH Act of 2009 at the Information Security Resources blog.


Heartland and Visa Agree To $60 Million Settlement

After Heartland Payment Systems and American Express agreed to a $3.6 million settlement in December, earlier this month Heartland and Visa agreed to a $60 million settlement. Bank Info Security reported that Heartland:

"... will pay Visa-branded credit and debit card issuers up to $60 million to cover losses incurred from the Heartland data breach. It is the largest known settlement amount ever paid to Visa as a result of a breach, eclipsing the TJX settlement of $40.9 million in November 2007."

Issuers are the banks and credit unions that administer Visa-branded debit and credit cards to consumers. Those issuers incurred costs to replace their consumers' stolen cards with secure new cards, and to replace their customers' stolen money. Industry experts estimated that the cost to replace a card is about $20 per consumer. Heartland never disclosed exactly how many consumer accounts were affected by its breach, but experts estimated that the identity thieves stole about $50 million. Heartland processes about 100 million card transactions monthly and more than 330 banks reported that their cardholders were affected.

"The settlement also includes mutual releases between Heartland and its sponsoring bank acquirers on the one hand, and Visa on the other. Heartland will fund up to $59.22 million of the amounts to be made available to Visa and its issuers under the settlement program. Additionally, Visa will credit the full amount of intrusion-related fines it previously imposed and collected from Heartland's sponsoring bank acquirers toward the $60 million maximum funding of the program."


Data Breach At BlueCross BlueShield of Tennessee

Health Leaders Media reported that 57 hard drives were stolen from a BlueCross BlueShield of Tennessee facility. The theft was discovered October 5, 2009 and it affected at least 500,000 patients in 32 states:

"The hard drives containing 1.3 million audio files and 300,000 video files related to coordination of care and eligibility telephone calls from providers and members were reportedly stolen from a leased office in a Chattanooga strip mall that once housed a BCBS of TN call center. The video files were images from computer screens of customer service representatives and the audio files were recorded phone conversations from Jan. 1, 2007 to Oct. 2, 2009."

The data was encoded but not encrypted. The stolen data included patients' names and BlueCross identification numbers; plus some but not all records included diagnostic information, date of birth, and Social Security numbers. BCBS of Tennessee estimated that Social Security numbers were stolen for about 220,000 patients.

Unfortunately, all of this is usable information for identity thieves for resale or for medical fraud. The good news:

"Three levels of risk have been identified for those customers whose information may be at risk. Letters are being mailed to these current and former BlueCross customers explaining the level at which their personal information is at risk. They are being offered a variety of free services to mitigate the potential misuse of personal information."

BCBS of Tennessee notified consumers in a timely fashion. BCBS of Tennessee first announced the theft on October 7 in a press release at its Web site. And, BCBS of Tennessee also hired Kroll, which was a good move.

Patients or consumers who have questions can contact BCBS of Tennessee Privacy Office Hotlines at 1-888-422-2786 or 1-888-455-3824 or via e-mail. More information is available for consumers at the BCBS of Tennessee site.


New York Times: "Visa Reigns With Silent Tax"

I highly recommend that you watch this New York Times video. It is a "must see" video for consumers about how our financial and debit card system works today, especially if you don't know what interchange fees are and how they affect the price of products you buy everywhere.

Experts predict that debit transactions will exceed cash transactions in 2012. You can also read the New York Times article in its "Card Game" series:

"When you sign a debit card receipt at a large retailer, the store pays your bank an average of 75 cents for every $100 spent, more than twice as much as when you punch in a four-digit code. The difference is so large that Costco will not allow you to sign for your debit purchase in its checkout lines... Competition, of course, usually forces prices lower. But for payment networks like Visa and MasterCard, competition in the card business is more about winning over banks that actually issue the cards than consumers who use them. Visa and MasterCard set the fees that merchants must pay the cardholder’s bank. And higher fees mean higher profits for banks, even if it means that merchants shift the cost to consumers. Seizing on this odd twist, Visa enticed banks to embrace signature debit — the higher-priced method of handling debit cards — and turned over the fees to banks as an incentive to issue more Visa cards."

I agree with retail merchants:

  • There should not be interchange fees on debit purchases, since consumers use their money with debit purchases and not the bank's money.
  • Retail merchants should be able to choose whether or not to accept certain cards with high interchange fees. That makes for a competitive marketplace.

While Visa and the banks have been successful at getting consumers to buy with debit cards, consumers still should know the advantages and disadvantages of buying with debit cards versus credit cards.

Want to learn more about credit cards and privacy issues? Browse the Credit Cards section of this blog.


Class Action Lawsuit Against Facebook Application Developer

Facebook.com seems to be a never-ending source of privacy issues for consumers. The latest issue to surface is a class action lawsuit against RockYou, one of the hundreds of companies that develop applications for Facebook.com members. From the Wired Threat Level blog:

"RockYou, the popular provider of third-party apps for Facebook, MySpace and other social-networking services, is being hit with a proposed class-action accusing the company of having such poor data security that at least one hacker got away with 32 million e-mails and their passwords."

The suit accuses RockYou of:

"... making its unencrypted customer data “available to even the least capable hacker. RockYou failed to use hashing, salting or any other common and reasonable method of data protection and therefore drastically exacerbated the consequences of a hacker bypassing its outer layer of web security..."

Those of you who are connected to me on Facebook know that I never accept the Facebook applications my friends send. Why? The standard one-page disclosure on Facebook.com is never enough. It doesn't adequately describe each Facebook.com application developer's data security habits:

  • Exactly which of my personal data items are used
  • How long those data items are archived by the application developer
  • The other companies the application developer shares your personal information with
  • The application developer's history of data breaches and/or privacy abuses

How To Avoid Becoming A Victim of Skimming And Credit/Debit Card Fraud

Apparently, identity thieves are active in North Carolina and are using skimming devices to steal consumers' debit card and credit card information. From WRAL:

"Skimming devices record data from the magnetic strips on the back of financial cards to create counterfeits, police said. Criminals place them on automated teller machines or gas pumps to collect data, and they use hidden cameras to record people's personal identification numbers. SECU officials on Tuesday released photos of six men believed to have used stolen debit card information at credit union ATMs along the Interstate 85 corridor. Account information has been stolen from customers in Raleigh to Winston-Salem to Charlotte..."

This type of identity theft and fraud can happen anywhere. Here is how you can avoid becoming a victim of skimming and debit/credit card fraud:

  • Closely examine card slots on ATMs and gas pumps to make sure nothing appears to be attached to the front of them.
  • Do not use an ATM or gas pump if the card reader appears to be added on, to fit poorly or to be loose.
  • Avoid device instructions that say things like "Swipe Here First" or “Use This Machine Only.”
  • If something does not look right, use another ATM or gas pump.
  • Always cover the keypad as you're entering your PIN in case a hidden camera is nearby.
  • Never accept "help" from anybody at an ATM.
  • Immediately call the customer service number on the ATM if a machine keeps your card, appears suspicious or does not function properly.

I follow all of these suggestions to avoid becoming a skimming and fraud victim. I also use ATM machines that I know well: my bank's ATM locations. I feel like this helps me more easily spot an ATM machine that has been tampered with. I choose to avoid ATM machines at convenience stores since those vary in design, making it more difficult for me to spot ATM machines that have been tampered with. And I use cash at gas stations and convenience stores.