Sun-tanned and relaxed, he sat in a Miami hotel room, watching the sunlight spill across the rich red carpets. The soft, steady hush of waves drifted in through the open floor-to-ceiling windows. But Albert Gonzalez wasn’t on vacation. Instead, he was orchestrating the biggest credit card heist in American history.
The thin, chain-smoking 28-year-old wasn’t just another wannabe, hoodie-wearing hacker. He was an accomplished black hat, a master of deception, and also a paid informant for the Secret Service. At the height of his career, Gonzalez made $75,000 a year helping the U.S. government take down cybercrime operations.
But in the spring of 2010, he was sentenced to two 20-year consecutive prison terms for his lead role in stealing 130 million credit card numbers, which cost retailers, banks, and insurers nearly $200 million. The question begs to be asked: What drove Gonzalez to this risky path in life?
The tricks behind the plastic: What exactly is credit card fraud?
Before we follow Gonzalez into the shadows, let’s be clear about what credit card fraud is.
Quite simply, it’s the unauthorized use of a credit card to acquire goods, services, or funds. The card is obtained through various means: social engineering, phishing campaigns, identity theft, or outright physical theft.
Although Gonzalez’s infamous scheme shook the world, the fact is, credit card fraud didn’t start with high-tech schemes. Its lineage runs much deeper, stretching back to a time long before online banking and magnetic strips on wallet-sized cards.
When did credit card fraud start?
The story goes like this.
The year was 1899. A livestock dealer received a credit card from a local carriage company. Instead of jumping at the chance for luxury rides, he tossed the card into the trash. A few hours later, someone fished the card out and racked up a bill of $27. Although a small sum, it amounts to about $700 in today’s money.
Imagine this: The real owner was stuck using public transportation, while the thief traveled in a luxury horse-drawn carriage, the ultimate Uber ride of the 19th century.
When the victim got the bill, he was floored but was forced to pay up anyway. Unfortunately, fraud alerts hadn’t yet been invented, and consumer protections were very limited or non-existent.
The real growth in credit cards didn’t occur until the 1960s and 70s, when Bank of America launched the BankAmericard (which later became Visa) and the First National City Bank introduced the Everything Card.
Revolving credit democratized access to what was previously considered luxury goods, fueling the rise of the “buy now, pay later” consumer culture.
Fraudsters capitalized on this by ramping up physical theft. In one notable case, a middle-class family was stuck with thousands of dollars in charges after their card was stolen, despite a card limit of just $400. Again, with no consumer protections, the family was left holding the bag.
Next, the 80s and 90s saw the rise of counterfeit cards, prompting Mastercard and VISA to add holograms and complex backgrounds to make their cards more difficult to reproduce.
By the late 90s, the internet had become a force multiplier for fraud. One of the earliest and most high-profile cases was that of a Russian teenager who stole 350,000 credit card numbers from CD Universe.
After failing to extort the retailer for $100,000, “Maxus” posted the stolen numbers online. As a result, customers began seeing fraudulent charges on their cards, which led to a public outcry.
The high-profile theft raised awareness in Congress about the need for consumer fraud protections and stronger security requirements for merchants handling cardholder data.
In response, the major card brands formed the PCI Security Standards Council and released the first version of PCI DSS, a unified standard for securing credit card data, in 2004.
By 2015, American retailers began adopting EMV chip-and-PIN technology, driven by a liability shift that made merchants not using EMV liable for fraud losses.
Undaunted, the fraudsters simply pivoted to CNP (Card Not Present) fraud. Global card-not-present (CNP) fraud losses are estimated to reach $28.1 billion by 2026, up 40% from 2023.
This brings us to an important question.
Is credit card fraud a felony?
The short and unequivocal answer is yes.
And the story of Albert Gonzalez proves how high the stakes are.
By the age of 14, he had already gained notoriety among black hat circles for hacking into NASA’s systems, prompting a visit by FBI agents to his South Miami high school.
Unfazed, Gonzalez gave a triumphant interview to ZDNet (using a pseudonym) and began hijacking internet service systems to get free broadband.
With impeccable instincts and a silver tongue, he even managed to talk one New Jersey provider into hiring him to its security team (after hacking into its system). By the time the Secret Service approached him, Gonzalez had already been arrested once for fraud.
In 2003, he signed up with the Secret Service and FBI to participate in Operation Firewall, run out of an Army repair garage in Jersey City. His mission? To take down the infamous Shadowcrew cybercriminal network.
While working his way up the Shadowcrew ranks, Gonzalez managed to convince its leaders to use a VPN for secure communications. The fraudsters had no idea, however, that Gonzalez’s VPN was designed by the Secret Service and came with a key feature: a court-ordered wiretap.
So it was that, on a cool October evening in 2004, agents knocked down doors and arrested 28 people across eight (8) states and six (6) countries.
But the story doesn’t end there. Gonzalez was playing both sides. While working with the government, he was quietly masterminding a multi-million dollar fraud operation, which he dubbed “Get Rich or Die Tryin,” named after a 50 Cent album. It was clear Gonzalez was motivated by a deep-seated need for challenge and status.
He often stayed at luxury hotels, gifted expensive jewelry to friends and family, and threw lavish parties, shelling out $75,000 on one occasion to celebrate his birthday.
Gonzalez and his accomplices used a combination of wardriving (cruising around with a laptop looking for unsecured retailer wireless networks) and SQL injection to steal millions of credit cards.
By the time he was done, Gonzalez had 130 million+ credit card numbers at his fingertips, all from Heartland, a major card payment processor serving a quarter of a million businesses.
Ingenious? Maybe. But his actions were definitely illegal. And when someone crosses the line, what price must be paid to set things right?
Below, we take a look at the real-world consequences of credit card fraud.
Is there jail time or prison time for credit card fraud?
The short answer is yes.
Federal prosecutors hit Gonzalez with a slew of charges, including conspiracy to commit wire fraud, computer fraud, access device fraud, and aggravated identity theft.
He was sentenced to 20 years and one day in prison for the Heartland case. This sentence was set to run concurrently with 20-year terms for related breaches at Hannaford Brothers (a grocery chain), TJX, Dave & Buster’s, Office Max, Sports Authority, JC Penney, and 7-Eleven.
Gonzalez’s case is a stark reminder that credit card fraud is a felony with serious consequences.
As for Gonzalez, he’s still in prison. While Gonzalez’s schemes ended behind prison bars, the tactics he used are still alive and evolving.
So, how can you spot fraud before it empties your bank accounts, and what steps can you take to protect yourself?
Below, we break down the battlefield and show you how to safeguard everything you hold dear.
What type of credit card fraud is the most common?
Credit card fraud comes in many forms, each with a different way of targeting you.
Below is a clear breakdown of the most common types, how they affect you, and what the financial toll looks like.
| Types of credit card fraud | How it affects you | What it means for you |
|---|---|---|
| Card-Not-Present fraud (CNP) | Scammers use your stolen card for online or phone purchases, without the physical card present | |
| Lost or stolen card fraud | Your physical card is lost or stolen and used for purchases | |
| Credit card application fraud | Fraudsters use your stolen personal info to open new credit card accounts in your name | |
| Account takeover (ATO) fraud | Attackers take over your credit card account, change your passwords, and make unauthorized transactions | |
| Credit card skimming and cloning | Devices capture your card data, which is then used by scammers to clone your card | |
| Phishing and malware-based credit card fraud | Fraudsters use social engineering to trick you into visiting phishing sites and entering your card data | |
| Synthetic identity fraud | Fake identities are created with a blend of real info (like your SSN), details from other people, and fake data (like made-up names and phone numbers) | |
Sources:
1) Synovus
2) Discover
Building your defenses: How to prevent credit card fraud
So, how can you protect yourself? Ultimately, prevention comes down to staying alert, using the right tools, and practicing safe habits. This includes:
- Using the latest CISA and NIST guidelines to customize strong passwords for every account. This means passwords should be at least 15 characters in length and composed of a mix of upper- and lower-case letters, symbols, and numbers.
- Being vigilant against phishing and social engineering. Watch out for baiting scams and pretexting cons. Make sure you fully trust the source before sharing your credit card details.
- Enabling FIDO2 MFA for your financial accounts, whenever possible. Even if a scammer steals your password, they can’t get past this second, phishing-resistant layer.
- Inspecting ATMs, gas pumps, and POS terminals before using them. Look for anything loose, crooked, or out of place on card readers. If it wiggles or looks tampered with, walk away. If possible, always use ATMs in well-lit, indoor locations, as they are less attractive targets for scammers.
- Purchasing from merchants who use 3D Secure (3DS) 2.0. Retailers that embrace 3DS 2.0 put you in the driver’s seat when it comes to online shopping. 3DS 2.0 supports biometric and risk-based authentication, which stops Card-Not-Present (CNP) fraud by verifying you’re the actual card owner. And the best part? Card issuers like VISA and Mastercard automatically activate 3D Secure 2.0 for you at participating online stores, so there’s no action needed on your part to stay safe.
- Signing up for Dark Web Monitoring to check for compromised credentials and transaction alerts to monitor account activity. Dark Web alerts warn you before fraud happens, while transaction alerts help you catch fraud in the act (whether it’s an unauthorized purchase or withdrawal that exceeds your set limit).
- Monitoring your credit reports for suspicious activity. Don’t wait for fraud to strike before taking action. Besides tracking your credit reports from the major credit bureaus (Equifax, TransUnion, and Experian), take the following proactive measures. Place a fraud alert so lenders must verify your identity before extending credit. And put a credit freeze in place to block access to your credit report entirely, preventing lenders from viewing it or approving new credit.
- Using tap-to-pay payments and privacy cards to protect your wallet from skimmers and shimmers. Tap-to-pay options like Apple Pay, Google Pay, or Samsung Pay generate unique, one-time codes for every transaction. This means your actual card number is never stored by retailers. Virtual cards take this defense even further. Brands like Privacy keep your real card hidden during online transactions. And that’s not all. Privacy virtual cards can be locked to spending limits and specific merchants, which prevents the card from being used elsewhere if the merchant is breached.
Now that you have options to shield yourself from credit card fraud, what if you’re an entrepreneur or business owner? Here’s what you already know: Business protections aren’t a simple extension of personal safeguards. You also know fraud risks evolve quickly.
What you need are strategies that work today, not yesterday.
Below, we highlight the tools and safeguards that deliver results now, so you can avoid costly surprises.
How to prevent credit card fraud as a merchant
Whether you’re a retailer, small business, startup, or enterprise, using the right tools can slash your losses, protect your hard-earned reputation, and preserve your peace of mind.
Here’s how you can turn the tables on scammers:
- Start with 3D-Secure (3DS). The latest 3DS version (2.0) moves fraud liability away from you and validates the cardholder in real time.
- Ensure your CVV2 and Address Verification Service (AVS) checks are properly configured and kept compliant. As you know, AVS verifies billing addresses, while CVV proves card ownership. With CVV secured at rest and in transit and AVS checks properly configured, you stay compliant while protecting your business.
- Layer on fraud scoring and machine learning. With machine learning, you can score every transaction based on dozens of risk signals, such as billing, location, purchasing, or geographic deviations. Fraud scoring spots seemingly invisible patterns and identifies risky transactions fast.
- Leverage chargeback alert tools like Verifi CDRN to get real-time warnings of impending chargebacks. Chargeback alerts let you resolve disputes before they become chargebacks and stop shipments for disputed goods, saving you production, shipping, and chargeback costs.
While no single tool is a silver bullet, a layered, integrated approach creates a powerful barrier against fraud.
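The layered approach from the list above, as an added example (not LastPass code or any vendor's API): a rule-based scorer that combines AVS and CVV2 result codes, a geographic mismatch, per-card attempt velocity, and a 3DS outcome into one decision. The weights, thresholds, field names and sample transactions are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Illustrative weights (assumptions). Codes follow common AVS/CVV2 result letters;
# confirm the exact set with your processor. Only result codes are used, never the CVV itself.
AVS_POINTS = {"Y": 0, "Z": 10, "A": 10, "U": 15, "N": 30}
CVV_POINTS = {"M": 0, "P": 15, "U": 15, "N": 40}
UNKNOWN_CODE = 15

def score_transactions(txns, window=timedelta(minutes=10), max_attempts=3,
                       review_at=40, decline_at=70):
    """Score transactions in time order; return {id: (score, decision, reasons)}."""
    attempts = defaultdict(deque)  # card token -> attempt times inside the window
    results = {}
    for t in sorted(txns, key=lambda x: x["ts"]):
        signals = [
            (AVS_POINTS.get(t["avs"], UNKNOWN_CODE), "avs:" + t["avs"]),
            (CVV_POINTS.get(t["cvv_result"], UNKNOWN_CODE), "cvv:" + t["cvv_result"]),
            (20 if t["ip_country"] != t["billing_country"] else 0, "geo_mismatch"),
        ]
        # Velocity: attempts on the same card token inside the sliding window.
        seen = attempts[t["card_token"]]
        seen.append(t["ts"])
        while seen[0] < t["ts"] - window:
            seen.popleft()
        signals.append((30 if len(seen) > max_attempts else 0, "velocity"))
        # A completed 3DS authentication is credited against the other signals.
        signals.append((-25 if t["three_ds"] == "authenticated" else 0, "3ds_ok"))

        score = max(0, sum(p for p, _ in signals))
        reasons = [r for p, r in signals if p]
        decision = ("decline" if score >= decline_at
                    else "review" if score >= review_at else "approve")
        results[t["id"]] = (score, decision, reasons)
    return results

def make_txn(tid, minute, card, avs, cvv, ip, three_ds="not_attempted"):
    # Constructed sample record; all field names are hypothetical.
    return {"id": tid, "ts": datetime(2025, 1, 1, 12, 0) + timedelta(minutes=minute),
            "card_token": card, "avs": avs, "cvv_result": cvv,
            "ip_country": ip, "billing_country": "US", "three_ds": three_ds}

SAMPLE = [
    make_txn("t1", 0, "tok_A", "Y", "M", "US", "authenticated"),
    make_txn("t2", 1, "tok_B", "N", "N", "FR"),
    make_txn("t3", 2, "tok_C", "Z", "P", "CA"),
    make_txn("t4", 3, "tok_D", "Y", "N", "US"),
    make_txn("t5", 4, "tok_D", "Y", "N", "US"),
    make_txn("t6", 5, "tok_D", "Y", "N", "US"),
    make_txn("t7", 6, "tok_D", "Y", "N", "US"),
    make_txn("t8", 30, "tok_D", "Y", "M", "US"),
]

if __name__ == "__main__":
    for tid, (score, decision, reasons) in score_transactions(SAMPLE).items():
        print(tid, score, decision, ",".join(reasons))
```

No single signal declines `t7`: a CVV2 mismatch alone only sends `t4` to `t6` to review, and it is the fourth attempt inside the window that tips the same card over the decline threshold.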
Along with the right tools, the right allies at your side can protect your bottom line and build trust that lasts a lifetime.
The LastPass advantage: Keeping your digital accounts safe
Attackers don’t care if you’re shopping online or running payroll; they’ll exploit any vulnerable login they can find.
This is where a Secure Access provider like LastPass comes in.
With LastPass, you get:
A robust, hardened infrastructure
For consumers: With LastPass, every login credential, credit card number, or sensitive info is stored in a secure digital fortress that’s constantly defended. Our infrastructure is designed to resist attacks on multiple fronts.
And that’s not all: You can see proof of this by accessing our latest certifications and security documentation at our new Compliance Center.
For merchants: Your employee credentials, customer data, and operational logins are protected within a highly secure environment, complete with powerful monitoring and threat response controls.
This strong foundation reduces the risk of breaches that can lead to fraudulent transactions or customer data exposure – keeping your reputation and revenues intact.
Military-grade encryption, Zero Knowledge model, and FIDO2 MFA
For consumers: This means your passwords, credit card info, and other private data are encrypted at rest and in transit so that not even LastPass can see them. If hackers intercept your data, it’s unreadable without your master password and FIDO2 MFA. Passkeys and hardware security keys like YubiKey lock out scammers, using advanced cryptography and biometrics.
All my passwords are kept safe, encrypted, and 2-factor authenticated so I don't have to worry. I have hundreds of logins, and I have a different strong password for each, and I cannot imagine what it would be like to manage that on paper. I use it many times every day, both in my personal affairs and in my professional work as a teacher (Aaron C, German teacher and verified G2 user).
For merchants: AES-256 keeps not just your employee passwords safe but also customer details and private communications. This reduces the chance of a data leak and associated fraud, ensuring regulatory compliance.
I love that my non-profit organization can share access via a business account. We have security and peace of mind to safely and easily keep our accounts secure even though our team is scattered throughout multiple regions and time zones. The ability to share (and quickly update) a stored credit card number for business use is something that I love. I use it at least once a week, and it was super easy for our staff to update the CC number when a new card was received without having to reach out to a number of volunteers (again, across the country) that all need to have access to the card number on demand (Brandon E, assistant director of technology at a non-profit).
Dark Web Monitoring
For consumers: If your email accounts appear on Dark Web forums, you’ll be alerted immediately. This early warning lets you act fast so you can change your passwords or freeze your cards, before the damage grows.
For merchants: Dark Web Monitoring allows you to monitor employee email credentials. Acting quickly on those alerts can prevent unauthorized access and costly fraud incidents.
Smart autofill
For consumers: LastPass autofill protects you from phishing sites that mimic real brands. This means your credentials will never be entered on fake or spoofed sites, keeping your credit card details safe.
It works across platforms and is a big help on mobile devices. The fact that items like credit cards, wireless access point passwords, and other sensitive data can be stored and easily and readily form-filled is a tremendous positive. I love using LastPass enterprise so much that I have referred several companies to it in the last couple years. I have personally been using it since approximately 2013 from when I was introduced to it from a former employer (verified G2 user in pharmaceuticals)
For merchants: With autofill, your employees can navigate sensitive platforms confidently, knowing that customer data is protected.
Mary Kay, a beauty brand selling products in over 40 countries, relies on LastPass to share corporate credentials with trusted partners, without putting its business, and its many sales representatives around the world, at risk.
We are very serious about cyber security and through our security ambassadors’ program we continuously educate our people about cyber risk. LastPass is a core tenet in mitigating that risk. (Jerry Patterson, Security Engineer, Information Security Team, Mary Kay)
Fresh Financials, an award-winning financial services provider, keeps all customer login credentials safe, from bank passwords to HMRC & Companies House login details, with LastPass.
We are far more organized with LastPass. We just log in once to LastPass, and LastPass logs us into everything else. Staff members don’t need to ask around for passwords or open files to find client passwords and logins—LastPass just does it all automatically for us. (Emma Northcote-Green, Founder, Fresh Financials)
If you’re ready to enjoy greater peace of mind and effortless security, unlock your free trial of LastPass today.
| Type of account | Who it’s for | Free trial? |
|---|---|---|
| Premium | For personal use across devices | Yes, access it here |
| Families | For parents, kids, roommates, friends, and whoever else you call family (6 Premium accounts) | Yes, access it here |
| Teams | For your small business or startup | Yes, access it here |
| Business | For small or medium-sized businesses | Yes, access it here |
| Business Max | Advanced protection and secure access for any business | Yes, access it here |