As we were first to report that a Secret Service electronic crimes task force has made a major break in its investigation of a wave of credit card fraud emanating from Capitol Hill, reports of fraudulent charges continue to pile up. More than 40 additional reports were added in the Capitol Hill area on Monday bringing the tally since the wave first started to build to nearly 100. The latest map marking the approximate home or work location of the latest round of victims is below.
On Monday, the agent heading the Secret Service’s Electronic Crimes Task Force Seattle office told CHS that the immediate threat to credit and bank accounts on Capitol Hill had been contained. “There was a point of interest that we were working on Friday. That threat was reduced,” agent David A. Iacovetti said.
Iacovetti told CHS it was too early to release details of how the information was accessed and where the ‘point of interest’ was located because of the ongoing investigation into the chain of people likely involved in this kind of crime. Iacovetti later told KOMO that multiple Capitol Hill stores may be involved:
In the newest Seattle case, police and Secret Service investigators say they’ve identified multiple points of compromise, and the businesses involved have upgraded their anti-virus software so the fraud cannot continue. The Electronic Crimes Task Force is pursuing leads on suspects, but the businesses involved are not being identified at this time.
Though Seattle police are not the lead agency on investigating this wave, they continue to be on the front line of collecting reports from the public. If you have found that your account was compromised, contact your financial institution and then report the fraud to SPD at (206) 625-5011 (non emergency line). The department issued a statement on the wave on Monday. “At this early point in the investigation it does not appear that a fraudulent credit card access or ”skimming” device was used,” one portion of the statement read.
For thieves, there are plenty of ways to access this kind of information more sophisticated than skimming technology which requires sneaking malevolent hardware into a point of sale transaction. This wave from spring 2010 in which the Dave and Buster’s restaurant chain was targeted by a “packet sniffer” is one example:
A packet sniffer logs information being sent over a network. In this case, the criminals used it to log credit- and payment-card data as it was sent from the branch locations to corporate headquarters.
The hacking took place from April to September 2007 and was lucrative, according to court filings. At Dave & Buster’s Islandia, New York, location, for example, the hackers accessed details of about 5,000 payment cards.
The information was sold to other criminals who then used the card numbers to scam online merchants. The criminals were able to post at least $600,000 in fraudulent transactions from 675 cards taken from this one store.
Even with Friday night’s break in the case, it’s likely new Capitol Hill area victims will continue to emerge as the compromised account information is already distributed on the criminal network. The Secret Service’s Iacovetti said his team was working to “reverse engineer” the Capitol Hill wave so that all victims can be identified and further use of the account information, stopped. Still, it’s likely this wave will ripple on even if all the bad guys involved are rounded up and put away. Capitol Hill residents and people around the city are watching their accounts closely, on the lookout for peculiar transactions. How long will that vigilance last?
My friend mentioned that this was on the blog and KOMO news. I checked my cccards this weekend and saw an unfamiliar charge pending for a dollar to A LUGARES Y DESTINOS and called Amex. They said it was to a company in Spain and I explained that I was in Seattle. In the past few months, I used my Amex at the QFC Store at Broadway in Capitol Hill. I was lucky since it is easier to clear up a pending charge!
my information was taken as well. i found a purchase from a fast food place in the dominican republic on halloween. they spent $25. i’m glad i caught it the same day otherwise i’m sure it would have been worse. i am waiting for a call back from SPD to take my report. they said they have quite a few people in front of me.
i’m glad CHS has been so vigilant in reporting on this situation otherwise i might not have reported mine to the police.
Thanks for all the updates on this situation. I reported in the comments last week that almost $1,100 was taken from my BECU checking account due to DEBIT card fraud. The money went to GROUPE MARCHE LATINQPS GRANBY QCCA, plus $10 in ATM foreign transaction fees. I never lost posession of my BECU debit mastercard so somehow they got the information. BECU is investigating but my funds have not been restored yet. I hope we find out more about how this was perpetrated so we can better protect our finances in the future.
I had a fraudulent charge from a pharmacy in the Dominican Republic too. I guess someone down there is grabbing some meds and a meal on our dime!
After reading about this on both the Central District News and Capitol Hill Seattle yesterday afternoon I checked the debit and credit accounts for both myself and my partner and found that my partner’s debit account had been hit by the “STD Solutions” charge and then a charge for Target in San Jose, CA. Reported to both Chase and the SPD non-emergency line (we live in Central District).
Crappiest part for us is my partner is currently in South America on medical mission work and needs to use debit card to access cash regularly (since many places don’t take credit cards). But Secret Service and Chase had already shut down the debit card. So now the fun of trying to figure out how to get access to cash for someone in a remote part of the world without a functioning card.
if the bank was a decent institution it should conditionally restore your funds the next business day. WAMU did that to me many years ago. US bank on the other hand took a couple months to jerk me around before doign anything and THEN, refused to admit they screwed up. Financial institutions definitely aren’t our friends.
One of threads of comments here on CHS condemned naming names of businesses. I disagreed then and I disagree even more now.
Now that we know it was software upgrades that allowed things to go on this scale, I think it’s absolutely appropriate. These businesses need to be held accountable for keeping our information as safe as possible. By not doing a software upgrade, they’ve exposed people to financial harm.
Ours was an unusual charge in New Jersey. We got a call from the credit card company who first noticed the out-of-state charge, and they checked in with us before cancelling our VISA and issuing new cards. What a hassle! How can these merchants be operating with unsecured connections in 2010?
Look at Broadway Grill
The SPD person told me to call http://www.ic3.gov
If merchants installed anti-virus software to fix the problem this tells me:
1. This is not a hardware issue such as skimmers.
2. This is not a network issue such as packet sniffing.
Was anyone noticed that Seattle-area restaurants and bars often have the same POS system – DinerWare? (blue UI, touch screen … if you look at the photos on their website you’re sure to recognize them)
Vulnerabilities in this kind of enterprise/business software are very common. The companies often don’t have the expertise, funding, or motivation to fix security vulnerabilities in their software like the bigger corporations do (Google, Microsoft, etc). I wonder if someone discovered a vulnerability on a common POS system like DinerWare and somehow loaded software to log credit card numbers?
Does this break mean it’s reasonably safe* to use credit/debit cards on the Hill again?
Or should we be getting cash from another neighborhood and use only that for now?
*There’s always fraud and abuse, but not like this
They got my credit card, my credit card company called me. I only use this card very rarely, and only used it at about 4 places in the last two weeks, so i know it must be one of those 4.
i would file a police report, but can you do it online? if anyone has the link please post it.
note – i did find the online reporting site at seattle police department, but it doesnt look like ccard theft is an option, only property theft or identity theft
I went to the online reporting link yesteday in one of the earlier article postings or comments and found it would not let me file online either, at least when I selected the boxes that seemed to apply.
So called the SPD Non-Emergency line (206-625-5011, opt 2, then opt 8) and filed the report with the helpful operator there after they took a name and number and called back a short while later(there were 4 calls ahead in the queue). The operator even already knew the first fraudulent charges — the one from “STD Solutions” that many other people have reported in comments on earlier articles.
With Chase, their fraud department says that nothing can/will be done with the fraudulent charges until they actually POST to the account — currently they are still marked PENDING. But they had already detected the issue and disabled the debit card.
From the KOMO story:
“…investigators confirm this is kind of fraud is not limited to Seattle. Similar high-volume sniffer cases have been reported across the country this year.”
Seriously? This security breach has already resulted in high volume fraud, has already been identified by security experts, AND IT IS STILL HAPPENING?? Why should there be even a SINGLE POS system anywhere on the planet whose wireless link software hasn’t been upgraded to defeat the “sniffing”?
Ridiculous.
They hit my friend and I as well, only 3 days apart, and the “STD Solutions” charge came up as the first one. It was debited and then credited from my account for a small amount, and then after that there were several hundred dollars worth of charges, all placed in Brazil. This is crazy!!
Both my banks called me last Tuesday morning (10/26) to tell me that they had proactively shut off my debit and my credit cards because the “card numbers had been compromised.” My credit card company said that 3 fraudulent transactions had been attempted, but they were all declined because the fraudulent transactions had been made in Pennsylvania.
One thing that the map above does not show is the victims who live outside of the city. I live on the Eastside but I visit CapHill several times a week to eat. I frequent a few of the establishments in the Broadway corridor (but NOT QFC), so I’m pretty sure my compromise probably happened at a restaurant. This has the potential to be much broader than a single neighborhood issue, since when I tried to report the fraud to the number listed on this site, the police told me to report it to the Kirkland authorities… the Kirkland police non-emergency line is busy, so it has gone unreported and I probably won’t try again to report it, especially since I didn’t actually lose money. Shout out to Chase and USAA for jumping on this quickly.
Yeah I just had this happen to me today.
The SPD press release reposted by CapitolHillSeattle.com instructs victims to report online, but the SDP website declines to accept these report. According to the SPD website:
“Unauthorized use of your exisitng account constitutes Fraud, and is not eligible for online reporting.
Please call 206-625-5011 to enquire about other means of filing this report.”
Thus, I expect that far more than 100 residents’ accounts were compromised, but most victims won’t be bothered to call in a report to the SPD
For several nights in a row, I saw a guy sitting in a parking lotnear my building, 24/7, with his computer on – even late into the night. A very big laptop that was quite visible for a block away. Thought it was strange, but also thought he was homeless and maybe just sleeping in his car. Also thought it odd he had his computer on most of the time and highly visible from our apartment building. Wish now I had called SPD to check on him – bet he was the guy lifting information from area businesses.
Test charge was 2.46 at:
POS Withdrawal Frgn Fee Incl 0.01 COCACOLAVENDINGMACHINE TORONTO ONCA
Then .02 (probably related to the first) at:
ATM Foreign Transaction Fee Foreign Transaction Fee
Then a pending charge I can’t see online yet of 107.94 at “ESSO”.
Irritating, but BECU was very easy to work with.
same here – the Dominican – a fast food place and a pharmacy
i will be using cash for a while – to be on the safe side
I agree – after sitting on the phone with my bank… I’m not sure I’m up for that call.
It’s really neither here nor there, but I’ve read the posts on this issue and seen that some people are distinguishing this from Identity Theft. This is a form of Identity Theft.
RCW 9.35.020 (the ID Theft statute)begins by saying “No person may knowingly obtain, possess, use, or transfer a means of identification or financial information of another person, living or dead, with the intent to commit, or to aid or abet, any crime.” Credit card information is included in the definition of “financial information.”
As I said, it’s not a big deal, because the culprits suck either way. But this is a form of ID Theft.
This is what I thought as well. People have been quick to blame QFC because it has so much overlap between all the victims…well, duh, it’s the biggest/only grocery store in the area, of course it’s a common thread. Also, if you look at the map, the “hot zone” where most of the CapHill dots are, it’s shifted south.
I might disagree with you about the network being eliminated (I see a lot of places around here running the cards through routers)…but you probably spread about as wide a net as QFC if you filter by the software/hardware that all the small businesses around here use.
Me too, a men’s clothing store in the Dominican Republic for $900!