The Tallahassee arrests of Timothy Julsaint Johns, 21, Jeremy A. Frazier, 20, and Tony Acreus, 20, are very far from closing this case. Federal officials are still focusing on an overseas group—apparently in Eastern Europe—that accessed the data from Heartland. It's not unusual for such groups to then sell the numbers in bulk to various smaller criminal groups, which turn the data into bogus credit cards and false gift cards and then use those cards to purchase goods that are sold for cash.
Just this week, the Secret Service and the FBI issued an alert describing the methodology behind what they termed "a considerable spike in cyber attacks" against E-tailers. An alert that detailed typically means authorities are already tracking the suspects, who most likely are fully aware they are being tracked. Hence, there's little investigative risk in issuing an alert to try to minimize additional data theft attempts using the same procedures.
Meanwhile, the full impact of the Heartland breach has not been confirmed. But the number of financial institutions that say they have been impacted by the Heartland breach continues to rise, now hitting 440.
Back in Florida, officials said they have been working this breach case for three months in a joint probe by the Secret Service, the Leon County Sheriff's Office and the Tallahassee Police Department. Authorities said the three men were arrested after being caught on Wal-Mart surveillance video using homemade Visa gift cards. A Florida law enforcement statement didn't list the dollar value of the thefts associated with the three suspects, other than to say, "the total actual and declined fraudulent transaction in Leon County is currently in excess of $100,000. This amount is expected to be much higher as this investigation continues."
Sgt. Tony Drzewiecki, of the Leon County Sheriff's Office, said the three defendants are not suspected of having any involvement in the data breach and that they "were at the end of the line, with these numbers. We're trying to determine how they came into possession of the numbers."
A New Twist
What makes this case interesting is that the suspects are accused of having tried a new twist to credit card fraud. Typically, fraudsters take stolen credit card numbers and create bogus documents by stamping out the cards from plastic. In this case, the suspects didn't have to create bogus credit cards at all. It also meant they weren't required to show any identification when using the gift cards.
All the suspects did in this case was steal Visa gift cards from retailers and then simply use an electronic coding device to overwrite the data on the magnetic strip, Drzewiecki said, which would have saved them a lot of time and money because it meant that the suspects "didn't have to have the facilities to make" bogus credit cards or fake gift cards.
The trio was fond of hitting Wal-Marts and purchasing large electronic devices. "Flat-screen TVs, that was a favorite. That can be sold very easily on the outside and converted into cash," Drzewiecki said.
One of the reasons gift cards are so popular with thieves is that they provide a very easy way to keep making fraudulent purchases for a much longer period of time. If a thief grabs a credit card, it's only a matter of hours—and sometimes minutes—before the theft is discovered and the bank invalidates that card worldwide. But if the thief immediately uses that card to purchase gift cards, the thief's safe timeframe is significantly extended. Even after the credit card is deactivated, the gift cards are still valid. That continues until law enforcement tracks down the purchases and then identifies the specific gift card numbers. Different retailers have different levels of sophistication regarding gift card tracking.
In this Florida case, though, the suspects took such a long time to use all of the stolen credit card numbers that some had already been deactivated and the Wal-Mart gift card system flagged them as unacceptable. That, according to Drzewiecki, was one way the suspects were caught.
"They kept going back to the well. Fortunately, we were getting some red flags from these businesses," Drzewiecki said.
The probe is not over in Florida, as that statement said: "This investigation is on-going and will likely produce additional charges and additional arrests."
Technical Legal Note
Even though the accused in this case did not use traditional identification (driver's license, photo ID, etc.), authorities charged them with fraudulent use of personal identification because they had overwritten the gift card's identification with the name and numbers associated with one of the consumers whose data was lifted in the Heartland breach, Drzewiecki said. In so doing, they, in effect, were using the gift cards to convince the retailer they were someone else, he said.
Johns was charged with 151 counts of fraudulent use of a credit card, 45 counts of fraudulent use of personal identification, one count of grand theft and one count of fraud to obtain property valued at "$50,000 or more."
Acreus was charged with 60 counts of fraudulent use of a credit card, 15 counts of fraudulent use of personal identification, one count of grand theft and one count of fraud to obtain property worth $50,000 or more.
Frazier (who was apparently slacking off in the credit card department, at least compared with Johns) was accused of seven counts of fraudulent use of a credit card, seven counts of fraudulent use of personal identification, one count of grand theft and one count of fraud to obtain property worth $50,000 or more.
Johns and Acreus were still being held in the Leon County Jail on Sunday (Feb. 15) evening. Frazier had been released.