A Boston federal court on Monday sentenced a Romanian national to 65 months in federal prison for a multi-state ATM card-skimming scheme through which he and his gang drained $868,706 from 531 people’s bank accounts.
The Justice Department said that Bogdan Viorel Rusu, 38, was also sentenced to five years of supervised release and ordered to pay restitution and forfeiture of $440,130.
Rusu pleaded guilty in September 2018 to one count each of conspiracy to commit bank fraud, bank fraud, and aggravated identity theft. He had been arrested November 2016 and has been in custody since then.
ID’ed through his asylum application photos
According to court documents, video surveillance cameras picked up a man installing a pinhole camera and a skimmer device on a bank ATM machine located in Chicopee, Massachusetts in August 2014.
Thomas Roldan – a special agent with Homeland Security’s Immigration and Customs Enforcement (ICE) within the US Department of Homeland Security (DHS) – said in an affidavit that he identified Rusu based on photos that Rusu submitted in support of an asylum application to US Citizenship and Immigration, as well as Roldan’s own physical surveillance of the suspect.
The skimming devices were plugged in at around 16:26, and then the video cameras picked up footage of somebody else picking up the pinhole camera and skimmer a few hours later, at 20:01. Bank records showed that 85 customers used the ATM during that time, and 12 of them later reported losses totaling $8,399.43.
Next day, same thing, but this time, Rusu plugged in the skimming devices and picked them back up himself after a few hours. That time, customers lost $9,823.50.
It went on like that for almost two years: between August 2014 until his arrest in November 2016, Rusu and his skimming buddies skipped from bank to bank, from Massachusetts on down to New York and on to New Jersey, grabbing people’s account details through ATMs and then using those details to steal money from their bank accounts.
Their take: they lifted $364,419 from Massachusetts banks, $75,715 from New York banks, and another $428,581 from New Jersey banks.
The devices
According to the DOJ, Rusu and/or his co-conspirators installed electronic skimming devices on the ATMs to surreptitiously record customers’ bank account information on the banks’ card-readers at the vestibule door, the ATM machine, or both.
They also installed other devices – generally, either pinhole cameras or keypad overlays – to intercept the PINs people typed in to access their bank accounts.
Then, the skimming crooks came back, removed their devices, and went on to transfer the details onto counterfeit payment cards. From there, they’d visit other ATMs to use counterfeit cards – before the bank or the customers became aware of the ripoff – in order to withdraw money.
They used the risky type of skimmer
There are multiple types of card skimmers, and Rusu and his gang were apparently using the kind that sets crooks up to get caught, since they have to physically install the devices and then come back to the scene of the crime to retrieve them and their valuable stolen data.
Say hello to the nice people scrutinizing video camera footage, guys!
There are other types that enable crooks to get the stolen information via text message or from Bluetooth. From a thief’s point of view, Bluetooth has limitations, notably that the wireless technology has limited range, so any thief who uses a Bluetooth-enabled skimmer needs to hang around nearby.
It also means that anybody else using Bluetooth in the vicinity could see the payment card details and perhaps intercept them, thereby beating the crooks to the punch.
Speaking of which, no, you can’t really sniff out gas station card skimmers using Bluetooth, though there was a Facebook half-hoax (mostly a bunch of half-truths) that promised you could. That one made the rounds back in February.
Software skimmers
We’ve also seen incidents of credit card skimming code planted on websites: in April, skimming code showed up on the ecommerce site for the Atlanta Hawks basketball team.
The obfuscated code turned out to be keylogging software.
There are more varieties still of skimming tools. Security journalist Brian Krebs has cataloged all sorts of them installed at all manner of locations, from self-checkout lanes at some Walmart locations to gas stations to Safeway grocery stores to yes, bank ATM machines.
What to do?
You can wiggle the card point of entry on the reader device to see if it’s a fake that’s been installed over the authentic slot – is it a bit too big? Color or texture’s not quite a match? However, that won’t help with keylogging software like that found on the Atlanta Hawks’ site.
So make sure that you also grab and wiggle your bank account and credit card statements to see if any phishy transactions fall out. If they do, notify your card-issuing institution as soon as possible.