editorial comment And we all though meth addicts were all dump hillbillies...Can you pack more cliches in an article? See the section: how meth addicts collect data....must be very different as to the methods used by non- meth addicts.....

Hot on the trail of identity thieves, veteran Edmonton Police Service detectives Al Vonkeman and Bob Gauthier last winter hustled to a local motel, a cinder-block establishment where rooms rent by the hour.

Twice before police had descended on locations in Edmonton and Calgary, 200 miles away, chasing down a tip about someone accessing a dial-up Internet account linked to an e-mail folder full of stolen identity data. Each time, the user logged off and vacated the premises before police arrived.

This time the motel's manager told the detectives that the phone in Room 24 was in use. As Vonkeman and Gauthier prepared to bust down the door, out strolled a garrulous drug addict, 25, whom they'd arrested before, followed by a younger man — a 21-year-old computer whiz — both sky-high on methamphetamine.

Inside Room 24 the detectives found meth pipes, stolen credit cards, notebooks with handwritten notations about fraudulent transactions and printouts of stolen identity data. The distinctive smell of street meth pervaded the air. "They were just starting to set up," recalls Vonkeman, an economic crimes analyst.

On the motel room bed, connected to a wall phone jack, a laptop computer was downloading something. Before going to work on stolen ID data, the younger man was downloading the latest version of his favorite video game. "But it was a dial-up modem, so it was taking forever," says Gauthier, a veteran drug unit detective.

Vonkeman, 44, and Gauthier, 48, had flushed out the roving nerve center of a loose-knit ring of meth addicts running identity-theft scams. Evidence in the motel room would ultimately lead them to a much bigger revelation: The Edmonton ring had gone global.

It no longer relied solely on dumpster-diving, mailbox-pilfering street addicts to supply stolen credit cards, checks and account statements, the grist for local thefts. Instead, it had advanced to complex joint ventures, conducted over the Internet, in partnership with organized cybercrime rings outside the country.

Intersection of crimes

What's happening in Edmonton is happening to one degree or another in communities across the USA and Canada — anywhere meth addicts are engaging in identity theft and can get on the Internet, say police, federal law enforcement officials and Internet security experts.

Internet Relay Chat channels, private areas on the Internet where real-time text messaging takes place, are rife with communications between organized cybercrime groups and meth users and traffickers discussing how they can assist each other. "It's big time," says San Diego-based security consultant Lance James, who monitors IRC channels.

Such collaboration seems almost preordained. "This hits at the intersection of two of the more complex law enforcement investigations: computer crimes and drug crimes," says Howard Schmidt, CEO of R&H Security Consulting and former White House cyber-security adviser.

Identity theft has fast become the crime of preference among meth users for three reasons: It is non-violent, criminal penalties for first-time offenders are light — usually a few days or weeks in jail — and the use of computers and the Internet offers crooks anonymity and speed with which to work. Meth is a cheap, highly addictive street derivative of amphetamine pills; it turns users into automatons willing to take on risky, street-level crime.

Meanwhile, global cybercrime groups control e-mail phishing attacks, keystroke-stealing Trojan horse programs and insider database thefts that swell the pool of stolen personal and financial information. They also have ready access to hijacked online-banking accounts. But converting assets in compromised accounts into cash is never easy. That's where the meth users come in.

Sophisticated meth theft rings, like the one in Edmonton, control local bank accounts — and underlings who are willing to extract ill-gotten funds from such accounts. The two men at the seedy motel were helping outside crime groups link up with local accounts under their control when a tipster guided police to them in December 2004.

Edmonton police granted USA TODAY exclusive access to cases investigated by Vonkeman and Gauthier from early 2003 to the present. The newspaper examined police evidence files and interviewed two central ring members, ages 37 and 22. In this story, they are referred to as Mary and Frank.

Police set up the interviews but required that the suspects' real names, as well as the true identities of the two men arrested at the motel, be withheld for the safety of the individuals and to preserve the integrity of ongoing investigations. In this story, the two men arrested at the motel are called Martin and Socks — not their real names.

Police participated in USA TODAY'S phone interviews with Mary and Frank, then arranged for a reporter to interview Mary in person, with no police present. She took the reporter on a daylong tour of locations in Edmonton where the ring had committed ID thefts and fraud.

What emerges is the tale of how one cadre of meth addicts, from ordinary backgrounds, found extraordinary ways to steal and manipulate sensitive personal and financial data — data they discovered to be rather haphazardly protected. Here is their story:

Dumpster diving Summer-fall 2003

Mary had to think quickly. The security guard had appeared out of nowhere. She was sitting in her black sedan, waiting for Frank to yank garbage bags out of a dumpster behind Neiman Marcus' Edmonton call center, where the upscale U.S. retailer routes calls from customers.

A soft-spoken, attractive blonde with a friendly demeanor, Mary passed herself off as an absent-minded employee hunting for a lost day-planner. She sweet-talked the guard into helping Frank load bags into the sedan. "He says, 'Oh I'll help you, maybe it's in one of these,' " she recalled during an interview conducted while showing a reporter dumpsters she helped scope.

Mary, 37, met Frank in the summer of 2003 through her boyfriend, a meth dealer who was Frank's supplier. Up until her divorce in 2001, Mary says, she was a "model citizen": She was college-educated and had two children and a management career. But then her marriage hit the skids. Her boyfriend, the meth dealer, "was domineering, and I was vulnerable from the divorce," she says.

Frank, 22, passionate, creative but easily manipulated, says he became a meth addict at age 14. He quickly demonstrated a high aptitude for committing fraud. A fellow addict who was an employee of Canadian cellphone company Rogers Communications showed him how to open new cellphone accounts over the phone and on the Internet, using data from customer records plucked from Rogers' dumpsters.

As a high school student, Frank had possession of stolen cellphones to use and sell. He soon advanced to using stolen credit card numbers to shop online. He found that he loved manipulating data on his computer almost as much as conning customer-service reps over the phone. "I needed to feed my drug habit and make a living," Frank said in a phone interview from an Edmonton police station in October. "That's when I began to look into using my PC."

During the summer and fall of 2003, the Neiman Marcus call center was a favorite stop on a route of dumpsters Mary and Frank mined behind banks, trust companies, telecom companies, hotels, car rental agencies, restaurants, video rental stores — anywhere a business might throw out paperwork.

Neiman Marcus spokeswoman Ginger Reeder says no records of sensitive customer information are printed out at the call center. If any such information made it into the trash, "It would be a breach of company policy and an isolated incident," says Reeder.

Frank and Mary say their dumpster route yielded copies of credit card transactions, loan applications, customer-service reports, employee manuals and internal phone directories — all with potentially useful information. "Nothing was shredded," says Frank. "All the information you wanted was (in the dumpsters)."

One dumpster behind a call center in suburban Mill Woods proved to be a jackpot. In a nondescript strip mall just two blocks from the spacious three-bedroom apartment where Frank lived with his divorced dad, it brimmed with valuable data. The company using the dumpster, Convergys, often tossed out paperwork related to customer-service calls from Sprint cellphone subscribers in the USA, Mary says.

"We'd get credit check information from Equifax, credit card numbers to make payments, Social Security numbers, date of birth, addresses," Mary says. "They would make a printout, then just throw it out."

Convergys spokeswoman Lauri Roderick disputes Mary's account. The Cincinnati-based company has a "strict clean-desk policy" that requires shredding of any sensitive paperwork, she says. And Sprint customer-service calls, she says, were never handled by the 1,200 workers at the Mill Woods facility, one of 14 in Canada. "We're confident there has been no breach in security of our customers' data," Roderick says.

Probing systems Winter 2003-2004

Mary's management skills and Frank's computer savvy were a profitable match. By late 2003, they had delegated dumpster diving to others and concentrated on fine-tuning schemes to make the most of pilfered data. They became adept at developing what they referred to as "full profiles."

Given just a name and home address, Mary would dispatch a street addict to the residence with instructions to scour the occupant's garbage for bank statements (a big score) or even a debit card receipt (still valuable). Depending on whether the victim was a woman or man, she or Frank would phone the victim's bank and pose as the customer.

Where they are now



Among the addicts in this story, Socks, 21, last July began serving his two-year sentence on drug and fraud charges.

Here's what has happened to his compatriots:

Frank, 22. Upon completing an 11-month jail sentence in May, Frank moved into a halfway house, got a job as a laborer and began attending Narcotics Anonymous meetings. "I'm just trying to get through each day," he said in a telephone interview in early October. At the time, he had been clean for 17 months. "It was very hard to stop using. I think about using all the time."

Like Socks, Frank possessed skills that made him a magnet for the meth crowd. On Oct. 31, he failed a random urine test. That night, he skipped out of the halfway house. He was arrested Nov. 13 in a car in the company of a known meth trafficker. In his possession Frank had a laptop computer, a cellphone and a credit card swipe device, used to decrypt information stored on credit cards. He is back in jail.

Mary, 37. When Mary was arrested for a third time in April, her mother declined to quickly put up bail, as she had done before. After three days in a lockup, Mary stopped using meth cold turkey.

"Three days to me was a lifetime. It was horrible, just horrible," she says. Now out on bail and working at a job in the hospitality industry, she is awaiting a January trial for possession of stolen credit cards and possession of meth.

She says her focus is now squarely on raising her two children, of whom she has shared custody, and disassociating herself from the meth crowd. "I've cut all ties to the old lifestyle," she says. "I pretend I'm in a different city, a different country, a different universe. I'm in my own little bubble."

Martin, 25. Police describe Martin as an astute money manager. He is free on probation for possession of meth but remains under investigation for serious criminal fraud charges. Martin is presumed to be recruiting replacements for Mary, Frank and Socks, Gauthier says.

If the bank rep asked for a recent transaction as proof of identity, information from a receipt plucked from the garbage, along with a bit of improvised play acting, often sufficed to win the rep's help. They could then change a billing address, request a replacement debit card and PIN number, apply for credit cards and credit line increases, and add other account users.

Frank used stolen credit card numbers to order the tools of their trade online: computers, graphics software to manufacture fake IDs, and online services, such as Vonage phone accounts. Vonage, like other Internet-based phone services, allows subscribers to pick any area code they want. That's useful for ID thieves who want to take control of financial accounts surreptitiously. Mary could order up area codes matching those of the location of breached accounts outside of Edmonton. The numbers appeared to be local, but actually routed back to her.

Stolen credit card numbers, Social Security numbers, and Canadian Social Insurance Numbers emerged as valuable commodities. Frank progressed to buying and selling them online. He maneuvered his way onto Internet Relay Chat channels where such trading takes place, and began transacting with crime rings in Romania, Austria and Egypt. "Whatever you wanted to buy or sell, it was there," he says.

Meanwhile, Mary and Martin, a longtime fixture in the Edmonton meth crowd, focused on assembling a street-level distribution network. Martin, 25, from a well-to-do family, had a knack for recruiting underlings. "If he was in the business world, he'd be a headhunter," Detective Vonkeman says.

Soon the Edmonton ring controlled a matrix of local bank accounts, some stolen, some opened by addicts using their real names, others opened by addicts using assumed identities and fake IDs supplied by Frank.

Mary, Frank and Martin began to test financial websites. They exploited e-mail cash transfers — a service offered by Canadian banks, by which account holders can conveniently e-mail up to $1,000 to an individual.

They sent runners to withdraw cash from ATMs just before and after a unit was serviced late at night, thus getting two days' of maximum withdrawals in the same hour. They set up shell companies to exploit bill-paying services that allow online payments of up to $10,000 to business accounts.

And they tapped online payment services, like PayPal and NETeller, to bypass the 48-hour hold on international bank-to-bank cash transfers.

They stayed awake for days at a time in hotel rooms or dingy residences — called sketch pads — where meth addicts congregated. The three of them plotted intricate variations of scams or concocted wild, blockbuster capers. Sleep-deprived, they were paranoid about two things: the police and their larcenous fellow addicts.

Frank migrated from sketch pad to sketch pad, rarely going home to his father's apartment. "I stayed until the cops knocked on the door — or someone ripped me off," Frank says.

Mary often fantasized about a big score that would give her the impetus to return to a normal life.

"But nothing ever got really big," she says. "Somebody rips you off, or you never collect what you're owed. You feel like you can do anything (when high on meth). But you can't stay focused. You lose your train of thought. You have to move fast when you're doing fraud, and speeders don't move fast."

Dark side of the Internet Early 2004

By the time 2003 drew to a close, Frank had been arrested twice and released on bail. A judge ordered him to avoid contact with the meth crowd and banned him from using a computer.

Frank was trying to stay low when Mary introduced him to Socks, an acquaintance. Then 20, Socks was idle and had time on his hands. He had never used meth or committed ID theft. But he had just been laid off from his job as a computer technician.

A somewhat introverted video game fanatic, Socks began smoking crystal meth and associating with Mary, Frank and Martin. When the extroverted Frank bragged about his prowess at scams, Socks paid close attention. Then he began delving deeper than Frank ever did.

Socks began wheeling and dealing with cybercrime rings in Quebec, Romania and Egypt via Internet Relay Chat channels. "What we saw with Socks was interactions that were more with the dark side of the Internet," Vonkeman says.

The global contacts Socks developed put the Edmonton ring in a position to make a profound transition. Instead of going through the labor-intensive process of building profiles of local marks, it began to buy ready-made full profiles of identity theft victims in the USA.

Milking a victim from Tallahassee, Fla., had become as easy as bilking someone from nearby Banff. Mary could easily attach a Vonage IP phone number, say, with a Tallahassee area code, onto a hijacked account and use PayPal or Western Union to transfer funds across international borders.

Besides, going after U.S. victims seemed less risky; and the going rate for a full profile of a U.S. consumer seemed a bargain: $200 American for data that typically included the mark's bank account password, credit card number with security code, even his or her Social Security number.

It was such a good deal, Martin insisted on using clean money sent via Western Union to make the purchase. "We didn't want to screw it up and use fraud money that might get them caught," Mary says.

The Edmonton ring also began helping outside crime groups launder hijacked funds through local bank accounts. A street addict would take the last — and riskiest — step: making a cash withdrawal. Martin would use Western Union to wire some of the cash back to the crime group and divide the rest locally.

Extra precautions Since late 2004

Yet, the maxim "there is no honor among thieves" has never been truer than with meth addicts. "They're very networked and quite social, but when you arrest and debrief these people, they'll give you a ton of information," Vonkeman says.

Someone ratted out Frank in the summer of 2004, leading to his third arrest — and an 11-month jail sentence. Mary and Martin got arrested multiple times at sketch pad raids. Released on bail, they'd lie low for a few weeks before starting up again. Meanwhile, copycat cells cropped up to try to imitate their success.

"It's like plugging your finger in the dike," Gauthier says. "For all the people we catch and take out of action, there could be 10 more networking and already starting to form another cell."

Socks was arrested three times in an eight-month span. He is now serving a two-year sentence for various drug and theft crimes.

Until his initial arrest at the motel in December 2004, Socks had been a mystery figure to Vonkeman and Gauthier. The detectives heard rumors about a new techie on the scene with access to thousands of credit card numbers. But Socks had no rap sheet, nothing, really, to tie him to the meth crowd.

He was also clever. Socks knew investigators could monitor Internet traffic going into and out of his laptop computer, so he had made it a point to move around.

For two months in early 2004, Socks, Mary and a friend of Frank's worked from inside a plush GMC camper van parked in an alley alongside a rundown, three-story apartment building a half-mile from downtown Edmonton.

Socks extended a phone cable from the van, down a stairwell to the building's telephone-access panel. When a tenant left for work or appeared to be sleeping, he'd patch into the person's phone line to get on the Internet. "We needed a safe place to use the computer, and it was so nice in there," Mary says.

As an extra precaution, Socks stored nothing of importance on his laptop's hard drive. He uploaded all incriminating stolen identity data to an e-mail folder that came with the dial-up Internet account he'd been given by a fellow addict who worked for an Internet service provider.

But when that accomplice got arrested on another criminal matter, the accomplice promptly disclosed the existence of the account. Vonkeman asked the Internet service provider to leave the account open and alert him anytime anyone logged on.

Ironically, it was that e-mail folder, Socks' protective buffer, that drew Vonkeman and Gauthier to the motel to see who had logged on.

Released on bail soon after the motel arrest, Socks skipped a court appearance and was on the run until Gauthier arrested him again last March. He had become more involved than ever with overseas cybercrooks.

On his person Socks had a slip of paper with log-ons and passwords for 15 hijacked Canadian bank accounts, which he said came from Romanian cybercrooks, including one account with access to six figures' worth of funds. Police believe the accounts served partly as a show of good faith to cement a partnership with the Edmonton ring.

Sentenced to house arrest after pleading guilty on several drug- and fraud-related counts after the March incident, Socks took off again, Gauthier says.

Then last July, an informant guided Gauthier to a north Edmonton apartment where the detective caught Socks in the act of using a laptop computer to manufacture fake IDs.

Socks reacted calmly, Gauthier says. "He says, 'Hi, Bob. I've been wondering when you were coming to get me.' "

How meth addicts contribute to Cybercrime

Methamphetamine users and traffickers often form localized identity-theft rings, in which addicts take on defined roles based on boldness and skills. Local identity-theft scams often revolve around use of computers and the Internet — and increasingly involve foreign cybercrime groups.

How meth addicts collect data:

Dumpster diving
Businesses that don't shred discarded paperwork are prime targets, especially financial firms, customer service call centers, car-rental agencies, large retail chain stores and hotels.

Mailbox theft
Residents who leave outgoing letters for their mail carrier to pick up are vulnerable. Thieves go after credit and checking account information. Incoming mail also is sought after, especially credit card balance transfer promotions.

Car break-ins
Driver's licenses, credit cards, cameras and laptop computers left in parked cars are prime targets. Credit cards are often used quickly at casinos or convenience stores. Laptops holding client or employee databases are highly prized.

How meth addicts use stolen data:

Creating bogus checks Using software such as Versa-Check, addicts can create checks imprinted with a stolen checking account number and a random name, backed up by fake ID.

Manipulating bank accounts
Addicts can change a billing address, order new debit and credit cards, raise credit limits and make cash transfers to other accounts under their control.

Selling bank account access to cybercrooks
Meth rings pitch bank account access to foreign crime groups looking to launder funds. Cash is extracted at the local level, then routed to the foreign group.

Overseas connections:
Global cybercrime groups use e-mail phishing scams, viruses, spyware and database theft to steal credit card numbers and Social Security numbers and to hijack online accounts. Local theft rings help them cash in.

Communications
Local theft rings buy, sell and trade identity data and negotiate other ventures with global groups via private instantmessaging lines, called Internet Relay Chat channels.

The marketplace
Daily transactions: Local and global rings sell to, and buy from, the market for identity profiles containing account access details and other personal data. Example: A local ring can buy a full profile of a U.S. citizen — supplied by a global group — for $200.

Partnerships: Local rings can help global groups launder hijacked funds through local bank accounts. Example: $2,000 in stolen money is transferred to an online account controlled by a local ring. A street addict withdraws the cash. $500 is routed back to the global group; $1,500 is payment to the local ring.

Payments
Many deals culminate with cash changing hands. Most often, cash gets wired via Western Union or online payment services, such as PayPal or Neteller, which bypass restrictions on bank-tobank transfers.

Contributing: Acohido reported from Edmonton, Swartz from San Francisco.

back | to top | full article >>