Hey, there! Log in / Register

So a guy walks into a bar, his credit card disappears and gets used to charge $1,200 worth of stuff and then it reappears

UPDATE: Board found no violation.

Both Boston Police and the owner of Stats Bar and Grille, 77 Dorchester St., are mystified about an incident last month in which a credit card being held for a man running a tab disappeared, was used to charge $1,200 worth of stuff at the South Bay Target, then reappeared at the bar a couple hours later.

Credit-card thieves don't normally bother to return the cards, C-6 Sgt. Det. Kenneth O'Brien told the Boston Licensing Board this morning. "It's all very perplexing," agreed Karen Simao, attorney for Stats owner Jim Statires - who said he's never seen anything like this in his ten years in business.

O'Brien said Target got a really good surveillance photo of the guy after he charged the merchandise - but that nobody at BPD recognizes the guy. "We're at a dead end right now," he said.

He added that Target doesn't know whether the guy presented the actual card or just lifted its numbers and used those, which might explain how the card showed back up at Stats - it might not have ever been physically removed from the bar, just lost there on a busy night when waitresses were holding dozens of cards for individual tabs during a charity fundraiser.

Statires said both he and Boston detectives reviewed video from the bar in general - and the particular waitress station where the card was stored - and didn't find anybody who looked like the guy in the Target video in the bar at all, and didn't see anybody who wasn't an employee rifling through the waitress station.

The owner of the card also testified at the board hearing on the incident and said it was only luck that he was even able to figure out what had happened: He decided to leave early and when the waitress couldn't find his card, a manager brought him downstairs to check his credit-card account online to see if his card had been used - which it had.

Had he stayed later, he said, the card might have reappeared and he wouldn't have realized his card had been used illicitly for several days, and by then might not have associated the theft with the bar.

The licensing board decides Thursday if the bar is at all responsible for the incident and, if so, whether to levy any sort of penalty.

Neighborhoods: 
Topics: 


Ad:


Like the job UHub is doing? Consider a contribution. Thanks!

Comments

anyone _at the bar_ recognized the guy?

Yes, very perplexing.

up
Voting closed 0

If indeed the thief did take the card, that may have been his goal by bringing it back- letting it go undetected for a while. I had just one credit card stolen out of my wallet once while I was at rugby practice. If the dummy hadn't stolen someone else's entire bag, prompting everyone to look through all their stuff, I wouldn't have noticed for at least a day or two.

up
Voting closed 0

Was the card present at sale? The techies at Tar-Jay would know. Along with the red shirts and walkie talkies they have computers. If no card was present and lets say a picture was taken on a phone as the card sat on the bar or a picture was texted by a bar employee to some slug, well then you go to the weak link. The person ringing up the $1,200 worth of underwear and socks at Tar-jay. I just hope this male felon didn't use the ladies room while there.

up
Voting closed 0

Cloning a card takes seconds and since you swipe the card yourself at Target, the cashier doesn't ever have to see it. The card would show up as being present because something was swiped.

up
Voting closed 0

WiFi

up
Voting closed 0

Im curious to see how WIFI might have been used in this scenario and why it is unsafe.

up
Voting closed 0

I assume the Bulging one was thinking of RFID.

up
Voting closed 0

to a network via a wifi then a hacker has Christmas morning. You give too much credit to those in the restaurant business thinking they use sophisticated technology to run a ticket.

up
Voting closed 0

They are all very secure. All the credit card systems are governed by regulation and they do not wirelessly transfer plain text data as you are suggesting.

The most likely compromise for a POS system is via USB. Where a staff member plugs in a cell phone or other device to a POS via a port designed for a printer.

The outcome of this situation will be plain old theft of the credit card with help from an insider.

up
Voting closed 0

You can't use a cloned card in a chip reader. (That's the whole point of chips.) Does Target have them yet?

up
Voting closed 0

I was gonna go with the simpler theory that the card data was compromised prior to visiting Stats and the physical card was just coincidentally misplaced at Stats rather than stolen. However the Target South Bay is *really* close to Stats, like 1.2 miles according to google maps. That seems like too much to be mere coincidence.

Guess #2 is that the POS/register system at Stats has been compromised via malware and the card data was stolen the moment the card was run through to start the tab. This is hugely common all over the place but again most of that data gets aggregated and sold online in bulk to cash-out teams so it's strange for (a) the physical card to go missing and (b) the stolen card to be used so close by! Plus other Stats visitors would have complained by now even if it was harder for others to trace the compromise back to this specific location.

Guess #3 is that the card was compromised at Stats but via an electronic method. A server or someone in the spot ran the card through a standalone swiper to grab the info electronically and then the card was simply cloned and reused down the street by an accomplice. This still requires that the card misplacement be a mere accident though but it does explain why there is no obvious video showing people messing with the stored cards.

I'm honestly very interested in the real story, bet we'll never know

up
Voting closed 0

"his is hugely common all over the place"

no, it isn't thankfully :)

up
Voting closed 0

I can buy single high quality card + CCV data for a few bucks or I can buy hundreds/thousands of credit card dumps for a few bucks more at various .onion (aka "dark web") websites right now. The more elite criminal marketplaces are now selling "first dibs" access to fresh data from thousands and thousands of compromised individuals for a higher price to cash-out gangs with known-good histories. It's insane how much is out for sale right now.

The biggest source of the credit card data breaches? Hotel chains and restaurant/bar POS terminals that get nailed with malware.

Brian Krebs blogs in good detail about this and he has a post up today describing how credit card thieves get the various info they need to clone cards. The site is http://krebsonsecurity.com/ but I think he's being DDOSd again by kiddie hackers so the articles may not load for a while. His writing style is non-technical and approachable and he does a good job of covering the "data breach" (particularly credit cards) news scene.

up
Voting closed 0

Considering the billions of credit card transactions daily, the number of thefts is pale in comparison.

Also, with EMV and chip technology, the mag strip will no longer be a thing to worry about. Chips are harder to crack and those "white" cards you speak of use the strip info. Mag Strip info is much easier to attain.

Europe is way ahead of the US on this. Sure, chips aren't fool proof but it will eliminate the current practice of the use of skimmers in card readers.

If Bars and restaurant POS's are getting hit with malware, well those merchants are obviously not following PCI guidelines and are not operating appropriately. Their acquiring networks will kick them off the network if they haven't already.

up
Voting closed 0

judging from your response, you would likely be stunned at just how common it really is.

up
Voting closed 0

at Tar-Jay. Especially if using someone else's money.

up
Voting closed 0

It's not going to happen.

up
Voting closed 0

they don't sell skinny jeans but they do have Starbucks Chad.

up
Voting closed 0

Again it is common to you, but compared the number of cc transactions in a day?

If it were that common, why would you ever use anything besides cash?

up
Voting closed 0

But the swiping/cloning happened to be taking place at the moment he came looking for his card. Seems like it would have to be an employee as the "inside man" since they didn't see anyone else going through the sever's station on the tapes.

up
Voting closed 0

Yes, Target would know if it was a swiped transaction versus the card number being keyed in. Those two transactions are handled differently and their acquiring network would know.

up
Voting closed 0

If the card was cloned, it would show up as a regular swiped transaction because the clone would have been swiped by the "customer"/ne'er-do-well.

up
Voting closed 0

TO CHECK THE CAMERAS IN THE PARKING LOT
TO SEE IF THE MYSTERY MAN HAD A LICENCE PLATE.
WHEN THEY FIND HIM HE WILL BE LINKED TO AN EMPLOYEE.

up
Voting closed 0

That wouldn't surprise me.

up
Voting closed 0

When did the card show back at the bar? After the manager took the man downstairs to check statement?

up
Voting closed 0

Yes.

up
Voting closed 0

They even help out law enforcement with their lab sometimes.

I'd bet Target's security people can figure out the perpetrator, if that's a priority for them.

up
Voting closed 0

Wonder if he took a Taxi to the bar. My card was skimmed a few months ago and I have a strong suspicion that a cabby had a compromised reader in their car and a camera to watch the pin being entered.

It would be so easy.

up
Voting closed 0

They don't call it the New Jack Mall for nothing.

up
Voting closed 0

Will be the most likely outcome. Some of you have been watching too much CSI.

My money is on a member of staff passing a card to a friend.

up
Voting closed 0

I wouldn't bet against you.

up
Voting closed 0

I've had this happen to me twice at this bar. Once the bartender gave my card to someone else ended up in the North End with charges two years ago Had to cancel card same day as I was heading for vacation . Cards are mismanaged there

up
Voting closed 0

That you were the victim of credit card fraud at this establishment and then went back and did it all over again? Really?

Need a slightly used bridge or some prime Florida real estate?

up
Voting closed 0

We need to hurry up and switch to chip+pin, which is infinitely more difficult to do this sort of thing with.

up
Voting closed 0

The few places I've used the chip didn't ask for the PIN. Doesn't that sort of defeat the protection of a stolen card?

up
Voting closed 0

Do any US banks even issue chip and pin cards? I've only seen chip and signature from US issuers.

up
Voting closed 0

As far as I know, mostly only credit unions seem to offer true chip & PIN with PIN as the default--not sure why. I happen to qualify for a credit union at work, and have a card that defaults to PIN even at terminals in the US. I use it especially when traveling abroad, since it "just works" without any confusion over signatures (employees may not be familiar the concept).

Barclays was one of the first to add chip & PIN to their cards (like Arrival/ArrivalPlus), although they still default to chip & signature if the terminal defaults to it--they at least still work with PIN in places that require PIN, but default to signature if the terminal offers it as an option. I've never had a technical issue abroad with Barclays--only the occasional cultural confusion over the signature concept itself. In any case, this seems to be the new, accepted standard for "regular" US banks, other than credit unions. Also, contrary to popular believe, the US is not the only country that uses signature, but more are switching to PIN each year.

up
Voting closed 0

That's dependent on both the card and the terminal, even with a chip/EMV card--but the card is generally the determining factor. Chips have several auth methods with a prioritization order, and almost all chip cards in the US prioritize (default to) signature, not PIN. Although, signature is really just a legal acknowledgement, not an actual auth method. The only ones I know of in the US that both support and prioritize PIN are ones from credit unions for some reason--I have one, which prompts for a PIN, although it's my backup card, so I don't use it enough to have a good sample of places (I know it prompts for a PIN at CVS and Target). Also, cards usually skip all auth for smaller transactions--depends on the card, but usually those under something like $25 or $30.

up
Voting closed 0

The software is still being worked on. The deadline for inside sale terminals was October, 2015 - at least for my industry.

Speaking with vendors, they admit they don't have all the software in place yet. It is a big problem as the liability shift is to the merchant, not the bank because many merchants simply can't get the software (depending upon their hardware).

If you go to Home Depot, you'll notice their chip/authorization turnaround time takes forever. It's all still so new and being rushed out to merchants. I'm hoping there will be noticeable improvement soon.

up
Voting closed 0

The real why for why we need to switch to chip&pin is because the rest of the fucking world uses it exclusively these days. I have to get an entirely separate credit card to go to the UK because my chip&signature card is refused at everything from bars to grocery stores to chinese takeaways when I go over there. I get charged additional "unsafe card" surcharges from some locations that do accept it. It's absurd.

We have chip readers. The idea that we'd still use signatures as validation of anything is stupid.

up
Voting closed 0

"Here, I'm going to be around all night - take my credit card." And this somehow is a requirement of the establishment in order to be served, then I'd find a different bar.

For once, the Licensing Board has an opportunity to effect a meaningful change for customers by abolishing this practice.

up
Voting closed 0

I've never understood how this practice is even considered legal, and never return to places that do this. I have no problem if a bar simply wants to swipe my card to get a pre-auth tab, to protect against a dine-and-dash, and then immediately returns the card. But there is no reason to have to hold a person's card hostage for the entire stay.

up
Voting closed 0