MUSKOGEE — A federal case involving two men accused of skimming credit and debit card account numbers from gas station pumps offers a glimpse into the world of high-tech fraud and identity theft on an international level.
The two men, Kevin Konstantinov, 51, and Elvin Alisuretove, 36, pleaded guilty in U.S. District Court here Thursday to one count each of conspiracy to commit wire fraud. They live in Seattle, but they also have ties to Russia.
In July, a federal indictment accused Konstantinov and Alisuretove of defrauding five Oklahoma banks, four in Durant and one in Oklahoma City, out of about $400,000 in a scheme that involved stealing credit and debit card account numbers.
To do so, between April 2012 and January 2013, they placed card readers, or “skimmers,” inside the gas pumps at Murphy USA stations in Little Rock and Conway, Ark., and Durant, the indictment stated. Murphy USA stations are pay-at-the-pump and located in Walmart parking lots nationwide.
These skimmers would collect account numbers, card numbers and PINs as customers placed credit cards in the slots to pay for gas. The devices operated in place for one to two months before the men retrieved them and the account numbers to use on counterfeit cards.
A skimmer like the men used “captures all the card information, and the cardholder would have no way of knowing,” Assistant U.S. Attorney Ryan Roberts said. They gained access through a universal key that opens the type of pumps common to all Murphy USA stations, he said.
Investigators estimated there were between 50 and 500 victims whose account numbers were stolen using this method, Roberts said. The losses in all the states involved could be as much as $1 million, Roberts said, but the indictment only tracks the $400,000.
Fraudulent transactions occurred in Oklahoma, Eastern Europe and Russia, the indictment stated.
Alisuretove was arrested in Seattle, and Konstantinov was arrested in Virginia with others from Russia, including a fugitive who was wanted in the same kind of crimes in California. With them were skimmers, iPads, smartphones, computers, gas pump keys and related items, Roberts said. “Our first hit came into Durant. A huge amount of cardholders' cards were compromised all at the same time,” Roberts said.
An investigation by the U.S. Secret Service and Muskogee and Durant police departments connected all the compromised accounts to cards used at gas pumps. The conspirators then used the cards weeks later to make withdrawals at 7-Eleven stores in Oklahoma City, he said. A tip led investigators to a rental car and identification of those involved, and the Secret Service tracked them for about four months.
“We mapped out a pattern of how they moved. They would go from one town to the next,” Roberts said.
Konstantinov remains in the Muskogee County jail; Alisuretove is out on “pretrial release conditions” and is being monitored in Seattle, Roberts said. Both appeared in court Thursday for the guilty plea before U.S. Magistrate Judge Steven P. Shreder. The two now await sentencing as their cases go through a presentence investigation, Roberts noted.
A growing trend
This kind of fraud has been a popular trend for a while now in the criminal world, said Chester Wisniewski, a senior security adviser for the enterprise computer security company Sophos Inc. who writes for the company's Naked Security blog.
“I'm getting asked about it more frequently,” he said.
Many of the thieves committing credit card/debit card fraud — known as “carders” — are highly organized and connected to international rings, he said. The types of devices they use to commit the fraud may differ depending on the machine and the sophistication of the carders, but the intent to steal people's account numbers is the same.
“In essence, your card is going through two readers instead of one,” he said, adding the legitimate transaction still occurs.
One problem is that the U.S. is one of the few countries in the world still using a magnetic strip on credit cards to read transactions, Wisniewski said. Most other countries use “chip-and-PIN” cards, which have an added layer of security that requires a person to enter a PIN while inserting the card in a device.
“The instance of fraud in the United States is much higher than the rest of the world,” Wisniewski said.
So even if you steal a card number elsewhere, you'll likely come to the United States to commit the fraud, he added.
It happens most often at ATMs, but he has heard of credit card readers being swapped with fake ones at retail stores, as well, while distracting or tricking an employee.
“I'd be a nervous wreck. I'd never be able to pull it off,” he said.
You can 3D-print the skimmers, but you can buy everything you need over the Internet — blank cards to create your own credit cards, gas pump and ATM skimmers, etc.
The sites that have these items are kind of like a “criminal eBay,” Wisniewski said.
The investigation into the Oklahoma fraud started when the banks noticed strange activity on the accounts when the men started cashing in on the accounts and alerted law enforcement.
“We had some very early detection and really jumped on it,” said Scott Flowers, executive vice president and chief banking officer of First United Bank of Durant, which was one of the defrauded banks. The others, according to the indictment, were Arvest Bank of Oklahoma; and First Texoma National Bank, Landmark Bank, and Shamrock Bank, all of Durant.
Flowers said banks have a lot of systems in place to prevent fraud on their ATMs, including sophisticated anti-skimming devices, but people swipe their cards in other places like gas pumps and grocery stores, and the criminals have adapted with them.
“Technology breeds technology, and it's just the way it is,” Flowers said. “Money is the thing, and how do I get it?”