Stolen credit cards used only once to avoid detection

ARMED with perhaps just a simple tool similar to a pair of tongs, crooks made away with thousands of dollars by targeting letters containing credit cards in letter boxes.

But their illegal spending spree did not go on for long.

The police have busted members of a syndicate who had been stealing credit cards from the mail system.

Five men, all local, were arrested last year and four have since been dealt with in court.

The police are still investigating the role played by a fifth man.

The arrests were announced in the annual statistics released by police on Wednesday.

In all, the men are believed to have been involved in more than 100 cases of credit card fraud.

The statistics also showed that payment card fraud fell by 37 per cent to 241 cases last year.

Bank officials told The New Paper yesterday that despite the five arrests, others are still operating as members of a large syndicate targeting the mail system to intercept credit cards sent by banks to their customers.

An executive with a local bank said: "Most of these credit card thieves would make one transaction on a big ticket item, like iPhones, iMacs and even gold because they can be easily disposed of for cash."

The executive, who cannot be named due to the sensitive nature of the matter, provided details of how these thieves operated.

He said they usually hit HDB blocks and zoom in on letter boxes without an anti-junk mail flap, which prevents others from pushing fliers into letter boxes.

The thieves would use a modified tool, which looks like a pair of tongs, to reach in and retrieve the letters, taking those that look and feel like they have credit cards within.

The bank executive also said there had been cases in the past where thieves used duplicate master keys to gain access to the letter boxes.

These were copies of the keys that postal workers use to open the backs of letter boxes, offering access to dozens of boxes.

In the past, cards were sent live, which meant they could be used immediately.

Added security measure

Then, as an added security measure, the cards had to be activated with a personal identification number (PIN), which was sent in a separate letter.

This did not deter thieves, who would check the letter boxes daily to intercept the PIN.

As of July 1 last year, industry standard dictated that cards had to be sent out inactive.

Customers would activate their cards through a variety of methods.

It is understood that the thefts in this case occurred before the July 1 security measure was introduced.

The syndicate members would chalk up spending of about $1,000 before disposing of the cards.

This is because victims of the stolen cards would receive an SMS notice of their first transaction and they would notify the banks which would in turn freeze the cards.

These fraudsters always made sure the charges did not exceed $2,000 so cardholders did not have to be alerted before the transaction went through.

Charges that had been incurred would have to be absorbed by the banks because they were not made by the customers.

The bank executive estimated that between 2011 and last year, at least $1 million was lost to such scams industry-wide.

Card thieves had previously been caught when they used the cards to pay for their car modifications. When the transactions were revealed to be fraudulent, vehicle workshops provided the authorities with information on the suspects, including their car licence plate numbers.

The bank executive said that while such card fraud has been going on for nearly a decade, there was a spike in cases between 2010 and last year.

Banks told TNP that since the new measures were introduced last July, cases of credit card fraud through the mail have fallen by at least 90 per cent.

Other security measures have also been implemented to prevent other forms of card fraud, including card duplication and identity theft on the Internet.

This is not the first time the mail system has been hit. What is different in this case is that the syndicate members are not postal workers.

A SingPost spokesman told TNP that the five men arrested last year were not its employees.

She said: "SingPost has adequate security measures in place and we continue to work closely with the relevant authorities to ensure mail security and integrity."

SingPost is given three sets of letter box keys from the property developer of a housing estate, she said.

The postman and his supervisor would be given a set each while the third set is kept as a spare.

Combating credit card fraud

Many banks in Singapore have implemented sophisticated security measures to combat credit card fraud.

The head of Core Cards and Lifestyle Usage at OCBC Bank, Ms Renee Ker, gave The New Paper an overview of the measures the bank uses.

SMART CARD CHIPS

All OCBC debit and credit cards have chipcards embedded in them to prevent counterfeiting and card-skimming.

These are EMV (Europay, MasterCard and Visa standard) chip cards that are more secure than the magnetic stripe currently used.

Since these chip cards were introduced in 2011, credit card fraud losses have decreased significantly.

OCBC is looking to enhance ATM cards with these chip cards as well.

INACTIVE CARDS

Newly issued credit and debit cards are inactive to prevent fraudsters from intercepting and using them.

They can be used only after customers activate them. This can be done at OCBC Bank branches, its website, self-service Interactive Voice Response system, or by an SMS from a registered phone to the bank.

ONE-TIME PASSWORDS

Customers require a One-Time Password (OTP) to complete a transaction on e-commerce websites. Every OTP is unique.

Customers receive an OTP through a 2-Factor Authentication token, which can be a keychain-size device the customer carries with them or an SMS to the customer's mobile phone.

This prevents fraudsters who have only the customer's credit card information from making fraudulent transactions on websites.

TRANSACTION AND USAGE ALERTS

Alerts are sent to customers to notify them of the first time their cards are used, and of transactions above a certain amount made using their cards, or even for every transaction, if requested by the customer.

These alerts, available by SMS or letter, help expose fraudulent transactions.

2011

A POSTMAN was nabbed for filching credit cards from mail he was delivering and charging $24,400 to them.

The 23-year-old Malaysian was said to be responsible for at least 15 credit card thefts since February 2011 and for the unauthorised spending on the cards.

The victims found out about the transactions when they received alerts from their banks.

Each time, the transactions were made using either new or replacement credit cards that the victims were supposed to receive in the mail.

2010

A former SingPost employee was jailed 33 months for stealing envelopes with newly issued credit cards.

The 24-year-old man would hand the stolen cards to an accomplice, who used them to buy Rolex watches. He later sold the watches for up to $22,200.

Police were alerted after they received 10 reports from different people saying their new credit cards had been used in suspected fraud cases before they had received them.

2009

Between December 2008 and January 2009, a 32-year-old man stole four credit cards from victims in Tampines.

He would lurk at void decks, waiting to catch postmen off guard as they were sorting their bundles of mail.

When their attention was diverted, Tan would walk up quickly and grab a stack of letters.

He used the cards to buy seven laptops worth more than $14,000.

He was jailed for 30 months in April 2009.