Hacking Identity

False IDs are key to criminal activity that goes well beyond an underage teenager buying a six-pack of beer.  Take the case of John Colletti, who racked up over $120,000 at casinos in Michigan and Kansas using false identification.

Colletti’s ploy was to withdraw cash from casino ATMs using false IDs. From online sources, he procured fake driver’s licenses, and the phone numbers and social security numbers for his target victims.  A combination of all three identifiers were needed to withdraw cash from the Global Payment Kiosks (GPK), a kind of ATM at use at casinos where customers need to withdraw large sums.  These users would have linked their bank account with their GPK VIP Preferred Program profile. At the ATM, users insert their driver’s license and enter the last four digits of their social security number and their phone number.

Since the ATMs are under video surveillance, Colletti used dozens of different prosthetic masks, face wear, hats, wigs, glasses and surgical masks that he would change in and out of to disguise his appearance while at the casinos.

While those security measures may well be in place, the working assumption is that the IDs and such being used to operate the machines are legit.  In this case, they were not.  According to the GPK website: “Our ATM and kiosk devices feature enhanced security features such as consumer privacy screens, anti-skimming protection and employee theft prevention features.”  Colletti’s was one MO the company, and the casino, had perhaps not considered.

Michigan Casino security personnel identified at least 10 victims of identity theft who had lost money.  The Michigan State Police launched an investigation and identified a suspect (a heavily disguised Colletti) based on video surveillance.   But it was a full year later at a casino in Kansas when casino employees approached a man who had withdrawn $20K from an ATM, asking that given the amount, he go to the cashier with his Social Security number.  He ran.  Having dumped his stash and disguises in the restroom, he was soon caught escaping the casino with a prosthetic mask shoved down the front of his pants creating a suspicious bulge.  He was charged with wire fraud, aggravated identity theft, fraud and related activity in connection with access devices.

It’s worth noting that the ATM machines he was milking did not identify his MO.  Security personnel who intervened were responsible for his capture.  This was an example of how human skills and abilities trump that of a machine.  Being able to assess a situation and check a person, their appearance, stated identify, back story and behavior against their documentation and printed ID.  The human process also offers deterrence insofar as the criminal cannot predict the outcome of the assessment.  A machine is predictable.

Chameleon’s newest online course is all about ID Verification.  The training aims to add a hurdle for the adversary and is appropriate for all kinds of security and other personnel.  Topics covered include:

  • Who falsifies IDs and how they are used.
  • What to look for and why – as it relates to your specific security requirements.
  • Methods of Falsification.
  • Suspicion Indicators
  • Security Features
  • IDs versus Identity
  • Assessing Declared Identity
  • Technology vs Human Skills

Learn more and purchase here: https://chameleonassociates.com/id-verification-online-course/

Leave a Comment



one × three =