A Boston federal court on Monday sentenced a Romanian national to 65 months in federal prison for a multi-state ATM card-skimming scheme through which he and his gang drained $868,706 from 531 people’s bank accounts.
The Justice Department said that Bogdan Viorel Rusu, 38, was also sentenced to five years of supervised release and ordered to pay restitution and forfeiture of $440,130.
Rusu pleaded guilty in September 2018 to one count each of conspiracy to commit bank fraud, bank fraud, and aggravated identity theft. He was arrested in November 2016 and has been in custody since then.
ID’ed through his asylum application photos
According to court documents, video surveillance cameras picked up a man installing a pinhole camera and a skimmer device on a bank ATM machine located in Chicopee, Massachusetts in August 2014.
Thomas Roldan – a special agent with Immigration and Customs Enforcement (ICE), part of the US Department of Homeland Security (DHS) – said in an affidavit that he identified Rusu based on photos that Rusu submitted in support of an asylum application to US Citizenship and Immigration, as well as Roldan’s own physical surveillance of the suspect.
The skimming devices were plugged in at around 16:26, and then the video cameras picked up footage of somebody else picking up the pinhole camera and skimmer a few hours later, at 20:01. Bank records showed that 85 customers used the ATM during that time, and 12 of them later reported losses totaling $8,399.43.
Next day, same thing, but this time, Rusu plugged in the skimming devices and picked them back up himself after a few hours. That time, customers lost $9,823.50.
It went on like that for almost two years: from August 2014 until his arrest in November 2016, Rusu and his skimming buddies skipped from bank to bank, from Massachusetts on down to New York and on to New Jersey, grabbing people’s account details through ATMs and then using those details to steal money from their bank accounts.
Their take: they lifted $364,419 from Massachusetts banks, $75,715 from New York banks, and another $428,581 from New Jersey banks.
The devices
According to the DOJ, Rusu and/or his co-conspirators installed electronic skimming devices on the banks’ card readers at the vestibule door, the ATM machine, or both, to surreptitiously record customers’ bank account information.
They also installed other devices – generally, either pinhole cameras or keypad overlays – to intercept the PINs people typed in to access their bank accounts.
Then the skimming crooks came back, removed their devices, and transferred the stolen details onto counterfeit payment cards. From there, they’d visit other ATMs and use the counterfeit cards to withdraw money before the bank or the customers became aware of the ripoff.
They used the risky type of skimmer
There are multiple types of card skimmers, and Rusu and his gang were apparently using the kind that sets crooks up to get caught, since they have to physically install the devices and then come back to the scene of the crime to retrieve them and their valuable stolen data.
Say hello to the nice people scrutinizing video camera footage, guys!
There are other types that enable crooks to get the stolen information via text message or over Bluetooth. From a thief’s point of view, Bluetooth has limitations, notably that the wireless technology has limited range, so any thief who uses a Bluetooth-enabled skimmer needs to hang around nearby.
It also means that anybody else using Bluetooth in the vicinity could see the payment card details and perhaps intercept them, thereby beating the crooks to the punch.
Speaking of which, no, you can’t really sniff out gas station card skimmers using Bluetooth, though there was a Facebook half-hoax (mostly a bunch of half-truths) that promised you could. That one made the rounds back in February.
Software skimmers
We’ve also seen incidents of credit card skimming code planted on websites: in April, skimming code showed up on the ecommerce site for the Atlanta Hawks basketball team.
The obfuscated code turned out to be keylogging software.
There are more varieties still of skimming tools. Security journalist Brian Krebs has cataloged all sorts of them installed at all manner of locations, from self-checkout lanes at some Walmart locations to gas stations to Safeway grocery stores to yes, bank ATM machines.
What to do?
You can wiggle the card point of entry on the reader device to see if it’s a fake that’s been installed over the authentic slot – is it a bit too big? Color or texture’s not quite a match? However, that won’t help with keylogging software like that found on the Atlanta Hawks’ site.
So make sure that you also grab and wiggle your bank account and credit card statements to see if any phishy transactions fall out. If they do, notify your card-issuing institution as soon as possible.
AnnieG
Virtually every financial institution allows you to set up email and/or texts for every transaction that occurs. That’s the quickest way to catch fraudulent activity.
anon
True but in 4 hours while I was asleep the crooks ran up over $400 in fraud charges once. That was just three transactions. Some folks can’t be awake 24/7 to catch strange behavior until it is too late. I for one am not cemented to my phone like recent generations are. I have better things to do. Vendors, banks and retailers need to take responsibility for their security to begin with. Just because an insurance company can cover fraudulent activity when it occurs doesn’t mean it should be the norm.
Mahhn
The part you might not know of that is great is that you can set it so that, when you get these alerts, the transaction FAILs if you don’t approve the alert. So nothing will get charged while you sleep. Call it 2 factor purchasing.
Anon
These crooks don’t even need to put your info onto a fake card. They can add your name, credit card number and identifier number to apps like Venmo, Lyft, Squareup and a number of other phone-based apps, and they can transfer money to themselves without any kind of verification on the owner of the card’s part. These skimmers were on the Newegg and Aerogarden websites as well and I ended up having fraud charges. Try and make sure to use a credit card for online purchases if possible and never agree to arbitration through these sites. It is unacceptable the banks did not catch these guys within a few weeks. Years are absolutely unacceptable when their behavior was pretty predictable. Mobile payment methods also need to put more sophisticated verification systems in place for adding cards as well. Criminals can stay truly anonymous without ever being recorded stealing others’ funds using mobile apps. They can additionally use the “gift card” method as we see in phishing emails requesting gift cards. There should be an authentication mechanism for gift cards as well. Retailers selling digital services (Google Play, Amazon, etc.) are common gift card acquisitions for these criminals and the retailers do nothing to track / reverse charges and that kind of thing for stolen gift cards. We are very much in the dark ages for tracking payment methods. Digital currency (cryptocurrency) is a whole other ballgame. Created with criminals in mind….