By Leslie Walker
Thursday, June 8, 2006
Ladies, beware of men buying drinks in bars -- they may be retired drug dealers trying to recruit you into their life of cybercrime, specifically identity-theft rings.
The stories told by Richard W. Goldberg, a cybercrime prosecutor in the U.S. attorney's office for Eastern Pennsylvania, at a Cleveland Park security conference this week sounded like they were right out of a Hollywood movie.
An identity-theft ringleader, also known as the "concierge," recruits an "insider" to steal personal information from work, data that can be used to make bogus credit cards with real names and account numbers.
Often the "insider" is a lonely woman who falls in love with the concierge after he sidles up to her in a bar, orders her a drink, and discovers that she works for a bank or insurance company -- at which point he escalates his wooing. After a while, he persuades her to leak him some customer data because he's "short on cash."
"The truth is that the average identity theft scam reads a lot more like an edition of 'Ms. Lonelyhearts' than 'The French Connection,' " Goldberg said.
The concierge then turns that information into cash using various schemes. One involves giving the customer names and numbers to someone who uses machinery in his basement to churn out phony credit cards and IDs -- documents that might not fool a cop but do get past many store clerks. Or the ringleader may use the information to open new credit accounts in the names of unsuspecting victims.
Next, he rents a van in someone else's name, rounds up a bunch of drug addicts, and gives each a bogus credit card and a shopping list, Goldberg said. Dumped at a suburban mall, they make their purchases and return with hot merchandise.
Then they are driven to another mall in a nearby county, where they are sent shopping again. Purchases are kept under $200 and repeated in different counties to keep the dollar value of individual merchant losses below the radar of police agencies, Goldberg explained.
It may sound unbelievable but, over the past year, personal data thefts have become everyday news, particularly since the federal government and many states have passed laws requiring disclosure of personal data breaches. Not all cases are as sensational as the recent theft of a laptop containing personal information on 26.5 million veterans. But many clearly have the potential to create misery.
Last week, Hotels.com notified 243,000 customers that their personal information was on a laptop stolen from its auditor. Supermarket giant Ahold USA disclosed that a laptop missing from an airplane contained pension data on its former employees, and another laptop ripped off in New England held data on YMCA members.
And those were just in the past week.
Thanks to a steady stream of scary news stories, most of us are aware that identity thieves often use pilfered data to pose as us and steal stuff in our good names. But these aren't kids playing with stolen credit card numbers hacked off the Internet. These are criminals, no different than the ringleaders in a drug-trafficking network.
"What I am finding is these people are in fact retired drug dealers who are sick of getting shot at and arrested," Goldberg said at the summit, which drew thousands of security professionals to Washington for four days.
These days, identity theft is almost as lucrative as drug dealing -- but safer.
A stolen credit card number can sell for $100 to $1,000 on the black market, Goldberg said, depending on whether it includes the expiration date and other security codes, plus background on its owner.
Goldberg didn't hold out much hope of stopping ID theft anytime soon, particularly, he said, because banks and other financial institutions have such strong financial interest in making it easy for people to get credit.
One real-world case he cited involved Harold McCoy, whom he described as a former "stick-up man." McCoy allegedly wooed a female Red Cross employee he met in a bar and persuaded her to give him information on blood donors, which he used to commit ID thefts.
"Harold is doing 10 years now," Goldberg said.
Goldberg described similar cases involving insiders at banks, schools and hotels, including a Philadelphia hotel employee who stole credit card numbers from work and used them to purchase Amtrak tickets. He sold the tickets at a discount to strangers out of his home, which got so much traffic that it looked like a train station.
One less-sophisticated data thief was a truck driver for a shredding firm that companies hired to destroy their financial documents. The driver was on a run one day with a load of boxes holding 100,000 bank-account records, and he impulsively pulled into an alley and hid a few boxes. After a nosy woman watching from her window called authorities, the FBI came and staked out the alley.
"Sure enough, back he came," said Goldberg. "He really had no idea what to do with the data. . . . His plan was to go to the corner bar . . . and find a concierge."
My favorite tale involved the guy who tricked hotel clerks in the Caribbean into faxing him credit card transactions by phoning and telling them that he worked for Visa and their transactions were not coming through. Nine out of ten clerks hung up, but the rest unwittingly faxed their data to a Kinko's near the man's house, thinking it was a Visa office.
And what did the thief do with the credit card numbers?
"He had a shoe addiction," Goldberg said. "He only bought shoes with this stolen information -- hundreds of pairs. We caught him at a UPS center where he was picking up his shoes."
So ladies, be doubly wary of men bearing drinks and wearing expensive shoes. They just may be new-age data thieves trying to recruit new cyber-mules.
Leslie Walker welcomes e-mail at leslie@lesliewalker.com.