Loyalty rewards programs are designed with convenience in mind — in one case, all too convenient for a car thief.
By using fake credit cards and stolen drivers’ licenses, a woman in Orange County, Calif., engineered the theft of 42 rental vehicles in 2012 from a major rental car company. After joining the company’s loyalty rewards program, she successfully carried out the first transaction at the counter with fraudulent documents.
The suspect then made additional rental reservations online through her rewards program account. This allowed her to bypass the rental office and walk straight to the reserved rental cars — with the keys in them — and drive off.
According to CHP Detective Kraig Palmer of the Orange County Auto Theft Task Force (OCATT), that lack of face-to-face customer interaction is one factor that could have prevented so many rental cars from being stolen.
“We found that a single person can’t obtain this many rental vehicles without being a loyalty or VIP member,” said Palmer. “The crooks really like not having to actually talk to somebody or show their face.”
If the perpetrator had to go into the office for each rental and used different aliases and faked credentials every time, she would have been eventually recognized, Palmer says. In this case, she was able to rent as many vehicles as she could before the credit cards were discovered to be fraudulent.
When leaving the lot, the suspect relied on the fact that the security guard would only check to make sure that the name on the rental contract matched the driver’s license. Ironically, “We got a big break in the case because the [lot] security guard remembered the suspect and noticed a pattern,” says Palmer.
The perpetrator targeted higher end rental models such as Chevy Tahoe, Yukon Denali, Nissan Maxima and Mercedes-Benz E-350, while avoiding higher profile exotics. Once she rented the cars, she sold them or rented them out to gang members for criminal activities.
To better conceal the cars, the woman and her accomplices tinted the windows and removed the license plates as well as any bar codes and “no smoking” stickers that associated the vehicles with the rental company. According to Palmer, some of the cars even contained fraudulent DMV paperwork that listed the rental company as selling the car to the driver.
After a seven-month investigation, OCATT caught the perpetrator and arrested 27 accomplices. All 42 vehicles were recovered. She pleaded guilty and is headed to prison.
The rental company requested anonymity and declined to be interviewed for this story.
While the theft of 42 vehicles raises eyebrows, Palmer says the greater issue is identity theft using increasingly sophisticated methods.
Palmer first started seeing an upswing in using stolen identities to steal rental vehicles when he worked auto thefts in Los Angeles.
Now, “We have contacts all over the place — Northern California, Nevada, Colorado, Texas — and all these states are experiencing a major shift in this type of rental car fraud,” Palmer says. “It’s so new that it’s going to take some time for everyone to be aware of what’s happening.”
FRAUD IN VARYING FORMS
Identity and credit card manipulation take varying forms. In one car rental scenario, the customer produces a driver’s license and credit card with matching names, but when the card is swiped, the information pulled from the magnetic stripe does not match.
This signifies that the thieves took a blank credit card, embossed it with a name that matches the driver’s license, and loaded an identity fraud victim’s credit card information onto the magnetic stripe.
This happened in the Orange County case: The suspect initially used her true identity along with a credit card with her real name on it, though the credit card account was stolen. The real cardholder’s name would have been flagged in the rental company’s computer system; however, “The rental company hadn’t cross-checked the given name and the credit card name associated with that account,” Palmer says.
In subsequent rental thefts, the suspect used an alias from a stolen identity. “She had five or six other aliases, but we stopped her before she could use them,” Palmer says.
In another scenario, thieves not only emboss a name on the front of the card, but they are able to use that name in place of a legitimate cardholder’s name on the magnetic stripe. When the card is swiped, assuming the account is open, the name on the license embossed on the card and on the magnetic stripe is the same.
This may have been the method used by a thief in the case of a stolen vehicle from Airport Van Rental near Los Angeles.
THE CASE OF THE PERFECT IDS
A woman walked into the agency without a reservation and asked to rent a minivan for two days, says Yaz Irani, president of Airport Van Rental. She presented a driver’s license that matched the name on her credit card.
The counter agent swiped the credit card to place a hold on the account. The card went through, and the information on the card matched the woman’s name. “She took all the coverages, which got our counter agent pretty excited,” says Irani.
When the woman failed to return the minivan and after phone calls returned a “disconnected” message, the company charged the card subsequent times to cover the rental. Each time, the charges went through.
The credit card company finally called and said that the credit card number belonged to an elderly man — yet the information that showed up on the rental company’s computer after swiping the card did in fact match the woman’s license at the counter.
The minivan was finally recovered three months later at a Toyota dealership in Miami.
“We went back and looked at the situation to see if there was any negligence on the part of our agent, and there was nothing,” says Irani. “The card swiped and worked, the name matched the license, the photo was of the woman at the counter and the card had thousands of dollars of authorization left on it.”
While virtually impossible to protect against, this type of fraud requires a much higher level of sophistication to carry out and is much rarer, says Nikki Junker, media manager at the Identity Theft Resource Center.
THE CASE OF THE NON-SWIPING CARDS
In another case, stolen drivers’ licenses and manufactured credit cards were used with non-functioning magnetic stripes.
“The bastards got six of mine that way earlier this year,” says the owner of a regional car rental operation in the Midwest, who asked to remain anonymous.
He says that in each of the six rentals the reservations had been made less than eight hours prior or were walk-ins. The drivers’ licenses produced at the counter had been stolen from unrelated individuals.
The drivers’ licenses were not altered, but the photos were of the same gender and race and similar in appearance and age to the person presenting the license.
In each case, the names on the credit cards matched the drivers’ licenses, though the cardholders’ account information had been stolen. In all six cases, the card did not swipe through the card reader and the counter agent had to enter the number manually.
Two units were recovered from the port in New Jersey; the authorities suspected they were being staged for shipment out of the country. The other four units are still missing. One of the suspects was caught driving a stolen rental car from another company.
Non-functioning magnetic stripes are a tip-off to fraud, says Charlie McGougan, director of IT for rental car software provider Bluebird Auto Rental Systems.
While a credit card with a readable magnetic stripe contains the cardholder’s full account information, keying the cardholder’s account number will only return as an authorization or decline — the credit card company does not match the name on the account.
“Credit card issuers could eliminate 90% of the fraud out there if they required the name to be verified during the authorization process,” McGougan says.
PROTECTIONS AT THE COUNTER
There are several steps a rental company should take to recognize and prevent identity fraud, from refining rental procedures to implementing technological solutions.
“We no longer accept cards that do not swipe,” says the owner of the regional RAC. “If that is the only card they have, we do a background check as a requirement to rent.”
Proper counter agent training is paramount.
“We now do a double take on driver’s license pictures,” the owner says, including making a customer remove a hat or scarf. “We ask them to verify the address and date of birth on the license, and then we compare signatures between the contract, driver’s license and credit card.”
“We often see licenses which are labeled as ‘international’ and look real,” says Gil Cygler, president and CEO of AllCar, serving New York City. “We are always educating our staff that the world is made up of countries, and only countries issue licenses. There are no ‘international’ licenses.”
“We try to engage the customer and break down barriers,” says the owner of a Midwest independent rental company, who asked to remain anonymous. “We chat with them about how they intend to use the vehicle, and hopefully the sixth sense of our rental agents will show when something doesn’t feel right. We coach our people all the time with this saying: ‘If you won’t rent them your own car, don’t rent ours.’”
Angela Margolit, president of Bluebird, recommends clients look up a repeat renter using the driver’s license number instead of just the person’s name or phone number. Renters may give a fake name or phone number to avoid coming up on the internal “bad renter” list, Margolit says, but the driver’s license number does not change.
The Bluebird program also has a feature in which after a credit card is swiped, the system prompts the rental agent to key in the last four digits of the card. This ensures that the information from the swipe matches the number embossed on the front. As well, the system displays a warning if the renter’s name doesn’t match the cardholder’s name upon swiping the card.
McGougan recommends operators check with their payment processor to see if it supports address or zip code verification requests. The requests are done through the issuing banks of credit cards at the point of authorization, and would return a match or a fail regardless if the card was swiped or keyed, McGougan says.
Other car rental software systems have similar built-in protections, including credit score inquiry options.
FRAUD DETECTION PRODUCTS
There are a variety of products and services used to detect fraud during a rental transaction. In general, they are divided into machines used at the counter to scan or examine an identification card — either stand-alone or attached to a database search — or web-based services in which information is keyed in manually to access a database.
To help authenticate personal information, Jenn Romanowski, CFO of Ride Share Systems, a New Jersey Dollar licensee, uses InstantID, a component of the Accurint service from LexisNexis.
For a monthly fee, a counter agent can input a driver’s license number into the system, which will return a score relative to the likelihood that the information is valid. Though Romanowski says the check adds about two minutes to the rental process, “We swear by that,” she says.
LexisNexis also offers a physical scanner called TrueID, which performs a forensic examination of the actual driver’s license and compares it with a stored repository of information for the 50 states and more than 300 international documents.
If the InstantID program returns an unacceptable or borderline score, Romanowski will ask for two additional forms of identification, including a Social Security number. If they have the intent to defraud, “Most people walk out at that point,” she says.
Another company, AuthenticID, offers a cloud-based database lookup as well as a physical scanner that support virtually all government-issued identifications worldwide, according to the company. The scanner instantly checks the identification against a variety of state and federal lists and produces a photo of the true owner of the piece of identification.
The owner of the Midwestern independent uses an ultraviolet (UV) reader from UVeritech to analyze drivers’ licenses, credit cards and even paper currency for watermarks and holograms. The machine costs less than $100 and is not tied to a database. It’s very manual but it’s better than not having anything at all,” says the owner.
UVeritech offers an accompanying guidebook that contains photos of state drivers’ licenses under ultraviolet light.
Similar to Romanowski’s procedures, if the identification doesn’t check out under the UV reader, counter agents will run the information through the Accurint system. If the information comes back below a minimum score, the next step is to ask the customer for his or her Social Security number.
“If they are willing to provide the Social Security number, chances are we have a legitimate person,” the owner says. “If they are not, we decline them.”
THE RECOVERY PROCESS
Though the fraudster may have circumvented your counter protections and is overdue with the rental, there are a number of steps to take to determine if the renter driving your car is bent on fraud.
After the usual series of escalating phone calls, rental companies will also attempt to place another deposit on the credit card. “If it declines, that’s never a good sign,” says Lisa Cisler, a U-Save franchisee in Tampa, Fla.
Cisler says she will call other area rental companies to see if they have ever rented to the customer and had any problems. She will also perform an online arrest inquiry using a publicly available database in her county and surrounding counties.
“Failure to redeliver hired vehicle” is a possible tag. Once a car is two days overdue, she’ll start the proceedings to report it stolen.
As part of his recovery toolkit, Cygler uses a company that maintains databases of license plate locations accumulated from license plate readers that scan vehicles on the street. The fee is $30 per vehicle to search the database. “We have found cars using the system,” he says.
Another blanket protection involves telematics. Both Airport Van Rental and AllCar Rent-A-Car have installed GPS tracking devices in a growing percentage of their fleets. “There are too many variables we must contend with that the cost of a unit should be considered part of the acquisition cost,” says Cygler.
WORKING WITH THE POLICE
Once you’ve determined that your renter has intent to steal the car, the next step is to involve the police. Of course, car rental thieves are able to exploit the fact that there is a legal process to follow when reporting stolen rentals.
“The problem is if there is a signed contract, it is not considered stolen. It is a contract violation or ‘unauthorized use,’” says Sharon Faulkner, executive director of ACRA and a former Dollar Thrifty licensee.
“Even if all the evidence proves that they falsified the contract, you have to send a certified letter of demand to the address on the contract, even when it is a false address,” she says, explaining the system in New York State. “Then you have to wait for the letter to be returned as undeliverable by the post office.
Then you have to send another certified letter of demand, wait again, and then take it to the police and hope they’ll honor your request to list it as stolen.”
Other states have similar rules, and in most states there is a waiting period of two to 14 days before vehicles can be reported stolen.
Detective Palmer of OCATT has one remedy to speed up the process of reporting a stolen vehicle. He suggests when going through all overdue rentals, verify with the credit card company’s bank that the card is still valid. If the card is closed due to fraudulent activity, those cars can usually be reported as stolen immediately, Palmer says.
Palmer also recommends getting to know the right cops. He says every police station has a general auto theft detective, and that detective will know if rental theft is handled at the station level or a county’s auto theft task force. He suggests simply doing an Internet search for the name of the county and auto theft.
A GROWING TREND
In its annual report of complaints, the Federal Trade Commission cites identity theft as its top complaint in 2012 for the second straight year.
According to the 2013 Identity Fraud Report by Javelin Strategy & Research, identity fraud affects 5.26% of U.S. adults. Incidences of identity fraud increased by one million more consumers over the past year. As well, the amount stolen increased in 2012 to $21 billion — a three-year high — though still lower than the all-time high of $47 billion in 2004.
While these statistics are alarming, implementing a combination of employee training, a policies and procedures review and fraud prevention products will mitigate your company’s chances of becoming a victim.