Some time before 10:50 on the morning of July 20, 2009, a man identifying himself as William Kramer boarded American Airlines flight 720 departing from Dallas/Fort Worth for New York. He traveled first class. His one-way ticket cost $1,145.60. I know this because he used data stolen from my Visa credit card to pay for it.
I had no idea that anything was wrong with my credit card, which I physical possessed, until the following morning when I checked my recent transactions online. The American Airlines purchase had not yet posted, but three other transactions had. On July 20 there was a $64 charge from Angelo’s Pizza in New York and another for $75 the following day. Then there was a charge of $663.44 from Ritz Camera, also dated the 20th.
I immediately called Visa and they canceled the card. I put in a claim against these fraudulent transactions and wondered what to do next. The next day I decided to call Angelo’s Pizza and Ritz Camera, which seems to be an enterprise specializing in Internet business. My calls to Angelo’s did not turn up anything interesting apart from confirming that these transaction had taken place, but the call to Ritz Camera was something else.
Ritz Camera informed me that this purchase had indeed taken place on July 20. My credit card had been used, including the security code on the back. A telephone number and an e-mail address had been supplied. Furthermore, the order, a camera, had been shipped to my apartment house in New York by Federal Express and I had apparently signed for it at 10:25 on the 22nd. Considering the fact that I was then in Colorado, this would have required an act of teleportation whose consequences would have been much more interesting than mere identity theft.
I at once called my building and was able to reconstruct the following sequence of events. Around 10 a.m. on the 22nd, a man appeared at the concierge desk of the building and wanted admission. He was turned away for lack of identification, and then went around to the delivery entrance. He was in luck. The man on duty in the package room was a summer temp who did not know me. The man showed him some sort of letter that seemed to have my name on it and on this basis he signed out, using my name, the Fed Ex package. By coincidence it seems the Fed Ex driver then showed up. He had two more packages for me, which the man signed for. With this he left with three packages. What he did not know was that he was filmed on a security camera. (A photograph from the security tape heads this article.)
The next day another man showed up at my building with two of the three Fed Ex packages, which he said he had found in the garbage. When these were opened they were essentially empty, but on each package there was some handwriting with the name William Kramer and also a telephone number which turned out to have been disconnected.
The Federal Trade Commission reported that in 2007 – the latest year I could find – that 8.3 million American adults, somewhat less than 4 percent, had in 2005 been victims of identity theft, a number that increased by 21 percent in 2008. In 2006 the average fraud per person was reported to be $1,882. My fraud of $1,948.04 fits right in.
There are many types of identity theft that depend on what has been stolen. If your social security number has been stolen, then the possibilities are limitless. In my case, my credit card number was known, along with the three-digit security number that Visa cards have on the back. My home address was also known. When this information was used at Ritz Camera, they needed an e-mail address and a telephone number. The ones supplied were not mine. This could either mean that they were not known to the thief or, more likely, that he did not want Ritz Camera to send e-mails or to phone me, which would have been an instant alert.
Identity frauds have been given various names, ranging from a Capgras Delusion to the Jackal Fraud. The Capgras delusion is named after Joseph Capgras, a French psychiatrist who first described the disorder in a paper in 1923. If the delusion is genuine, then it is probably not a fraud. The individual is certain that someone close has been replaced by a double. This differs from someone actually trying to replace you. (For some time there was someone in London posing as filmmaker Stanley Kubrick. He got away with it because very few people knew what Kubrick actually looked like. The double even gave interviews to people like Frank Rich of The New York Times.)
The Jackal Fraud comes from Frederick Forsyth’s novel, The Day of the Jackal. In the novel, the would-be assassin of General de Gaulle takes the identity of a dead child and uses it to apply for a passport. The Jackal Fraud is taking the identity of the dead.
There are a variety of ways that thieves can steal your identity. They can rummage in garbage cans and they can watch while you get money from an ATM. They can also break into your computer. In my case, I had been notified by the bicycle equipment company Nashbar that their security system had been breached and credit card information had been stolen. I had recently made a purchase from them and maybe that is what happened.
On Aug. 17, the Justice Department indicted three men, including one Albert Gonzales, a 28-year-old Miami resident who was already awaiting trial for a similar incident, who were accused of stealing some 130 million credit card numbers that they usually would try to re-sell in batches of 10,000 or less. These people apparently hacked into the computers of unwary owners and used those computers as platforms to launch attacks on their targets. It is said that they tested the common spyware programs to make sure that these could be breached. Once they made use of these computers, they simply erased any trace to themselves.
One of the commercial firms that had been broken into this way was Heartland Payment Systems, which was founded in 1997 and has its corporate headquarters in Princeton, N.J. They handle financial transactions for companies like Visa. In a company note they say they handle some 11 million transactions a day. But Heartland’s security was breached in 2008 and, in March 2009, Visa announced that it was dropping Heartland from its payment facilitators. But in May, Robert O. Carr, CEO of Heartland, issued a statement implying the company had made its peace with Visa. As part of its “Assurance to Heartland Merchants,” it notes that, “At Heartland Payment Systems, we believe our system is secure, the intrusion has been contained and you are safe using us to process your transactions.” It seems that Carr’s assurances were somewhat premature.
In 2004, five users of data such as Visa combined their security programs to create a “Payment Card Industry Security Standard.” A council was formed in 2005 that sets security standards for the industry. It has no legal compliance mechanism but can call attention to businesses that are in compliance with its standards. It is like a Good Housekeeping seal of approval. However, its standards are not rigorous enough to prevent hacking. For example Heartland was PCISS-compliant when it was hacked in 2008. It seems clear that this is too serious a matter to be left to voluntary industrial associations. It is time for the government to step in and set the standards.
The most likely method of hacking used by these thieves is what is known as “SQL insertion.” SQL is an acronym that stands for “Structured Query Language.” It and its variants were first developed in the 1970s to allow the manipulation of very large databases. In particular it aids the insertion of masses of data such as millions of credit card transactions into an existing database. These insertion points are vulnerable, and hackers explore them until they find one that will accept unauthorized data. They can then insert their own malware and use it to extract data by writing the necessary SQL programs.
Carey Sublette, a systems engineer, gave me a brief tutorial on these matters. When the Web was invented, companies were in a big hurry to get on board. Security was secondary. Hence, what was known as a “two-tier” system was common. The way this worked was once a visitor was recognized by the system, then he or she could write the SQL code necessary for whatever tasks were at hand. This was and is a very risky setup from a security standpoint. It can be replaced by what is called a “three-tier” system. The middle tier does the identification. But, crucially, it writes the SQL code. Thus, if an intruder asks it to write code to, say, extract credit card numbers wholesale, it can refuse to write the code and the intrusion ends there.
In view of what has happened, it is essential, in my view, that information-handling companies without three-tier systems should go out of business.
I have now spoken to several people who have had their identity stolen, including Carey Sublette. He and his wife have had their credit cards compromised four times. In most instances it was simple credit card fraud, although in some cases a social security number was also stolen and used to open fraudulent credit accounts. It can take months or even years to sort these out.
The people whose credit cards were compromised seemed to me to have a remarkably blase attitude about it. Once they had established that the charges were fraudulent so that they were not responsible, they simply got a new credit card account and went on as before. I found this reflected in my dealings with Visa and my bank. As I learned new things about what happened, I reported them to the fraud departments in these institutions. Each time I got what seemed to be a new agent to whom I repeated my story with the latest additions. After doing this several times, it dawned on me that it was irrelevant. These companies have no law enforcement capabilities and are really only interested in what it might mean to them in terms of losses. So I stopped calling them. I might have stopped altogether if it had not been for the fact that this impersonator had gotten into my building and had successfully passed himself off as me. This I was not willing to ignore, and neither was the building – which filed a criminal trespass claim with the New York City Police Department.
I soon received an e-mail from Detective John Vrlic of the 6th Precinct New York City detective squad. The police had already taken the two relevant photographs from the security camera tape in my building. Below is the second one. One wishes they were clearer.
Being a reasonably law-abiding citizen, I had never had any previous close encounters with New York detectives. I told Detective Vrlic that having watched “Law and Order” innumerable times I expected the New York Police Department to solve this in no more than an hour with time taken out for commercials. Then, over the next few days, I told him what I had learned and what, as a private citizen, I could not learn. Ritz Camera is a good example. They were exceedingly cooperative to a point. They were willing to tell me by comparing notes that the e-mail address and the phone number used were not mine, but they would not tell me the address or number actually used. The explanation I was given was that this might be enough for me to find out where the perpetrator lives and to go over to his house and beat him up, for which they could be held liable. I tried to assure them that, because of my age and the fact that I was in Colorado and whoever used my card seemed to be in New York, such an assault was highly improbable, although probably merited. This did not change their mind.
Detective Vrlic visited Angelo’s Pizza and learned where the pizzas had been delivered – to a nearby office building. Here the trail stopped. The perpetrators of this identity theft have vanished without a trace. Despite the fact that we have a photograph and even a name, we will never find them and more people will have their identities stolen.
Support Local Journalism
Support Local Journalism
Readers around Aspen and Snowmass Village make the Aspen Times’ work possible. Your financial contribution supports our efforts to deliver quality, locally relevant journalism.
Now more than ever, your support is critical to help us keep our community informed about the evolving coronavirus pandemic and the impact it is having locally. Every contribution, however large or small, will make a difference.
Each donation will be used exclusively for the development and creation of increased news coverage.
Start a dialogue, stay on topic and be civil.
If you don't follow the rules, your comment may be deleted.
User Legend: Moderator Trusted User
At the onset of a special legislative session designed to address the extraordinary and ever-worsening devastation wrought by COVID-19 in Colorado, many elected Republicans chose to go maskless Monday inside the Capitol.