Cybercrime in Rural Texas.
Though we often consider cybercrime to be a phenomenon affecting internet-reliant organisations through ransomware or phishing scams, the mass availability of new technology means that anybody can be at risk – even if they are not using a computer.
Criminal lawyer Edward G Estrada goes further in depth in this article, using the example of card skimming organisations in east Texas. How did card skimming become so widespread in the state, and how did courts finally curtail the issue?
Speaking broadly, how has the landscape of internet-based crime developed in the US over the past decade?
Not only with the emergence of the internet, the rapid growth and development of technology and how technology is now ubiquitous in our daily lives has opened avenues for criminals in areas never thought of before. With the rise in technology, we have seen a drastic drop in the average cost of computers, tablets, cellular devices, blue tooth capable devices. Criminals are learning how to utilise everyday technology to cloak themselves behind laptops cell phones and blue tooth devices to virtually pickpocket our wallets and enter our bank accounts.
What forms do these crimes typically take?
The location where these crimes are occurring is in every neighbourhood. Just about every street corner, every city and town in Texas is vulnerable.
We heavily relay on gas for all our everyday travel and commute to and from work, for all our daily activities. Gas stations are the target for these criminals. An ordinary gas station pump with a few inexpensive tools all available to order on the web can be converted to the source of income for an organised criminal network. Without any detection, that gas station pump can be modified to record and store all credit card information – including pin numbers – used by each person buying gas at that particular pump. Just think to yourself, on any given day, how many people are stopping and getting gas at a pump? How many cards are being run through the gas station pump? A skeleton key purchased online is all it takes for these card skimming rings to access the technology inside gas station pumps.
Now couple the skeleton key with downloadable software. A connection cable that interacts with the pump’s credit card reader and a Bluetooth device are all it takes to read every card used at a certain gas station pump. For less than $150 online, a criminal can compromise a pump. The actor then lets the device sit for a day before coming back and downloading credit card information and the pin numbers associated with those cards.
The majority of us now pay at the pump when we get gas. When was the last time you recall going inside a gas station to pay for gas?
Can you tell us a little about the typical enterprises that engage in card skimming?
These are not the organised groups you see on CSI, Law & Order or other TV crime shows. These are not sophisticated hackers sitting behind a computer monitor cracking a binary algorithm and accessing sensitive information from banks. These are small networks of individuals working in groups of generally three to five members that plot to drive to rural areas of Texas and target certain gas stations and certain pumps – mainly those farthest from the attendant. These actors set their devices throughout the city or town and come back, usually at night, to retrieve all the credit card data. Once the data is transferred to a laptop or tablet, they take back the device placed in the card reader of the pump and leave without a trace. This concludes phase one.
Phase two then begins: these organised rings use the stolen credit card information to create a forged credit card that is connected to an unknown victim’s bank account. When they use the forged credit card, it will look and appear to belong to the holder of the card, but the transactions will be linked to a victim whose card was used recently at a gas pump. All credit cards are comprised of is plastic and magnetic strips that read electronic data; these skimmers are creating their own card systems from the comfort of their living rooms or motel rooms and training others as if this was a how-to-get-rich-quick scheme.
With the stolen card information and dubbed cards begins phase three of the operation for converting the cards into cash. Phase three is the money laundering portion of the enterprise, usually conducted on the second day of the criminal operation. On day two the organised groups target several local grocers and retailers to purchase gift cards in bulk. We are talking about purchasing dozens upon dozens of $25-100 gift cards. These gift cards are now untraceable and can be used just as simply as cash.
The game does not end there. It would be suspicious if someone were to pay for items strictly with a bunch of gift cards – hence enters phase four, the final phase of the card skimming scheme. The skimmers utilise social media group chats used for selling and trading items to sell these cards at a discounted rate in exchange for cash; think of an ad selling a $50 amazon gift card for $25. Thus the money laundering process is completed.
How organised have these groups become, and how sophisticated are their methods for choosing targets?
The ease of access to the tools for committing this crime, paired with the anonymity and lucrative nature of the offence, ushered in a crime wave of card skimmers throughout the state of Texas for a period of several years. Case law research in the prosecution of gas station credit card skimmers goes back to 2011, but the surge in the criminal enterprise appears to have begun around 2017, peaking in 2018 and lasting until around 2020. This crime wave blindsided every law enforcement agency, both state and federal. They were lost, confused about how to charge and prosecute these offenders, and about what statutes within the Texas Penal Code would apply.
At the beginning, district attorneys’ offices were charging individuals with low-level felony offences indicted as “fraudulent use of identifying instruments”. Bonds were being set at a rather low amount, as judges were not aware of the magnitude and gravity of the losses that financial institutions were experiencing at the hands of the card skimming craze.
Is there ever an international element to these crimes? What further complications can this cause?
Due to the federal financial institutions being involved as victims of the events, the United States Secret Service was involved in investigating these crimes. Any time a bank is involved in a financial or cybercrime, the United States Secret Service will be party to the investigation to assist law enforcement at the state level for the criminal exploitation of our federal banking system. The software developed for card skimming was thought to be coming from overseas, but with limited state-wide resources and lack of jurisdiction in foreign nations, law enforcement shifted their focus to tracking the criminals who were utilising the technology for illegal financial gain.
Why are rural counties particularly at risk of these attacks?
Every county in Texas has an annual budget. Larger counties have more financial resources then smaller counties. It is expensive to prosecute and try a case. Smaller counties with a population of about 50,000 on average have a $100,000 prosecution budget minus salaries for the district attorney and assistant district attorneys and staff. Compare that to Dallas County, which has a fiscal budget of over $61 million for the Dallas County District Attorney’s Office in 2022. Smaller counties are at a disadvantage and are vulnerable due to the lack of financial resources to prosecute complex cases involving technology that would require the testimony of experts in the field of software development and technology. Rural law enforcement just did not know how to deal with these offences when they began to spread. It was literally not in the books.
How does that vulnerability extend to ordinary citizens?
Everyone is a potential victim. We all use a vehicle and stop and buy gas on a weekly basis. If you live in a rural area of Texas, you either have been a victim or know someone who was a victim of card skimmers. A lot of times you may have been a victim and not even been aware of it. These criminals were not liquidating your bank account; they were taking small amounts to evade detection – $50, $75, a small amount that would likely not draw attention from a bank or its account holder for unusual or suspicious activity. These are amounts that would evade detection from a bank flagging a purchase as fraudulent.
In east Texas between 2017 and 2020, so many card skimming cases were being prosecuted we were having to ask the courts to change venue because everyone had knowledge of, had been victimised by or had a friend or relative that was a victim to card skimming. It would be near impossible to have a fair or impartial jury in a rural county victimised by card skimmers. We are supposed to be tried by a jury of our peers, but who decides who are peers when an accused card skimmer drives in to a rural town from 400 miles away and that town and community has recently been ravaged by previous card skimmers? The problem then becomes seeking justice while balancing the due process rights and constitutional protections of an accused individual.
How far can readily available cybersecurity solutions be relied upon to defend public systems against cyberattacks?
In an effort to combat this growing problem, lawmakers and district attorneys from all around the state convened in Austin and our 87th Texas Legislature passed House Bill 2106, thereby creating what is now known as the Financial Crimes Intelligence Center in Smith County, Texas. Known as the FCIC, it was created to coordinate with multiple levels of law enforcement to share resources and information on card skimmers throughout the state and elsewhere. The centre created a place where law enforcement throughout Texas could be trained to investigate and prosecute card skimming.
Through the creation and assistance of the FCIC, smaller counties once at a disadvantage can now share in state-wide resources for enforcing and prosecuting card skimming. State-wide law enforcement agencies now receive annual training in investigating and prosecuting cyber and financial crimes, leaving them prepared in the event that card skimming occurs in their community.
Do you foresee any major shifts in the landscape of cybercrime in the near future? What new threats are individuals and financial services likely to face?
Since the founding of the FCIC, County District Attorneys’ Offices began aggressively prosecuting those caught committing the offence of card skimming. Gas station attendants became vigilant. If they suspected a pump had been tampered with, law enforcement would turn on their own Bluetooth devices and, if the device read and wanted to pair with another device, they knew the pump had been tampered with. Law enforcement would then stake out the pump because they knew someone was going to come back to connect to the device and download card reader data. Sure as day, they would come back and law enforcement was ready to make arrests.
These crimes were then prosecuted under a state law known as “organised criminal activity”. This is the state version of what people commonly know as the federal RICO act. Under the Organised Criminal Activity Statute §71.02 Texas Penal Code, what would have been a low-level felony offence is enhanced to a first-degree felony charge. Think murder, which is also a first-degree felony, and which carries a punishment of up to 99 years’ incarceration. With the prosecution of these card skimmers, the district attorney’s office was asking juries to return verdicts of 99 years. Many times, the juries did so. This created a large deterrence within the community and sent a clear message: If you card-skim in our county, you will be prosecuted and a jury of your peers is not afraid to assess a punishment of 99 years.
What can citizens do to prevent themselves from becoming victims of credit card skimmers?
Stay vigilant. Try to use the gas pump nearest to the gas station attendant. Almost all gas stations now place a plastic seal or sticker on the base box of the pump. If that seal has been broken, that is a strong indicator that the pump has been altered. Another method to assist in detection of a card skimming device at the pump is to turn your phone’s Bluetooth device on before you pump. If your phone is detecting and trying to connect to an unknown Bluetooth device in the area, that is a sign that a card skimming device may be in range.