Intro: Fraudulent Bodegas
Across the city of Las Vegas, agents wearing navy blue vests reading “STATE POLICE” and “USSS POLICE” enter gas stations, grocery stores, and bodegas. They’re carrying out a widespread, coordinated action called “Operation Sandblast.”
“[Haywood] I’ll never forget some of the images I saw when I was participating in sandblast, with the Secret Service.”
Haywood Talcove, CEO of LexisNexis.
“[Haywood] You go to these bodegas and really rough parts of town [. . .] You look around the stores, and all the food is expired.”
Like movie sets: shelves of food nobody was really meant to buy.
“[Haywood] I saw a box of Kellogg’s Raisin brand that had expired in 2015. That was there in case they got inspected, or someone was walking around from USDA, so the store looked appropriate.”
These stores were not concerned with selling everything on their shelves. The expired food was just a guise for SNAP fraud.
You may know of SNAP–the Supplemental Nutrition Assistance Program–by its more colloquial name: food stamps.
A bodega can engage in food stamps fraud in any number of ways. Some allow customers to trade their government benefits for cash, for example, by charging their Electronic Benefits Transfer (EBT) cards, say, $100, and giving the customer $75 from the register. Or if a bodega has rows of expired food on its shelves, it may be because they’re actually focused on selling more lucrative items that don’t qualify for SNAP, like alcohol, at a premium, and ringing it up as regular food. So you use your government money to purchase, say, a bottle of cheap vodka, but the cashier rings it up as Raisin Bran. Everyone wins.
And the purpose of Operation Sandblast actually had to do with a whole other kind of SNAP fraud funneled through stores like these–a threat far more consequential, sending millions of stolen taxpayer dollars every year to cybercriminals. More importantly, it’s causing millions of men, women, and children to go hungry.
The History of Food Stamps
In the years leading up to 1910, an industrial chemist–Fritz Haber–and a chemical engineer–Carl Bosch–came up with a unique chemical recipe. They took nitrogen right out of the air we breathe, and hydrogen from natural gas, and mixed and squeezed it together with the help of a catalyst, iron. The outcome: ammonia.
Industrializing the production of ammonia allowed for the large-scale production of fertilizer. With more fertilizer came more food. Figures vary, but experts have estimated that the “Haber process” helped triple or quadruple total wheat and rice yields worldwide, and that we would only be able to produce two-thirds of the food we can today without it.
A lot of people mistakenly attribute world hunger to the drastic rise in population in recent decades. In fact, we have more than enough capacity to feed 8 billion people. The real problem with food has always been distribution–getting it to everybody who needs it–and access–because some people can’t pay for it.
One of the most elegant solutions ever conceived to solve both of these issues at once was put forth by the U.S. government in 1939. The Great Depression had left tens of millions of Americans in poverty. With so many unable to afford food, farmers ran low on customers. They started destroying their excess, rotting stock, and some farms even went bankrupt.
In response, the U.S. Department of Agriculture began to issue orange stamps. People could buy these stamps, and then use them to purchase food in participating stores. The upshot: for every $1 orange stamp, you’d get a free, 50 cent blue stamp, which you could use on any foods deemed in surplus by the government. Surplus included perfectly tasty and healthy foods like eggs and fruit.
This is why they’re still called “food stamps” today even though, beginning in the late 80s, states transitioned from literal stamps to a more modern system. Now, food-insecure Americans use funds allotted to them through EBT cards.
And then the problems started.
1996 Welfare Reform Act
“[Vicky] When the system transitioned to EBT in the mid 90s, there was an intentional decision in this very large and very harmful, very racist and very punitive set of federal laws called the “Personal Responsibility and Welfare Reform Act”.
Vicky Negus (NEE-JIS) is a policy advocate at the Massachusetts Law Reform Institute. The Welfare Reform Act she’s referring to was signed into law by President Clinton in August, 1996.
“[Vicky] That package of laws did a ton of things that decimated the safety net and harmed low income families for decades to come. But separately from that, it also established a legal system where EBT card holders are not on the same legal footing as credit and debit card holders.
At the heart of the matter was The Electronic Funds Transfer Act of 1978, a law for protecting consumer rights with regards to electronic payment systems. One thing it did, for example, was limit the liability of debit and government benefits card holders affected by unauthorized electronic transfers. A kind of safety net, when fraud strikes. Sounds good, right?
In a class action lawsuit filed in 2022, the Massachusetts Law Reform Institute explained what went wrong:
In 1994, the Federal Reserve Board went out of its way to specify that EFTA protections would apply to EBT cardholders, and made certain other modifications to the rules. To give time for federal and state governments to comply, it set the rules to take effect on March 1, 1997. In the interim…
“[Vicky] The 1996 Welfare Reform Act said, Actually, no EBT card holders are this other thing. They are not protected by EFTA. They are not included in the same legal infrastructure.”
So just after food stamps transitioned into benefits cards, those benefits cards lost their protections under the law. As a result, they’d become much more vulnerable than credit or debit counterparts.
Mag Stripes vs. EMV Chips
Gradually over the decades that followed, underground criminal operations developed widespread and sophisticated card skimming operations. They implanted hardware devices at gas stations, delis, and anywhere else you could find a point-of-sale terminal, subtly enough that paying customers wouldn’t notice.
“[Vicky] There’s like a narrative out to all of us, to all consumers, that we can protect ourselves from skimming by just like looking at the POS device and seeing if it looks sketchy. A, it’s a real unrealistic ask of people who are buying food to feed their families, you can’t inspect every device that they’re using. And B, it’s actually not possible. In a lot of the situations we’ve heard about, the skimming device is so high tech or miniscule that you can’t see it with the naked eye, it’s not visible as a consumer. So there’s no way to protect yourself in that regard.”
Skimming works thanks to the inherent security limitations in magnetic stripes–the one you swipe to pay for things. The stripes work by encoding a card’s information in magnetic particles, aligned in specific patterns. This means the data is static, and limited. Skimmers can read and interpret the data off the stripe just as any POS terminals can, then use it for online purchases, or apply the same particle pattern to their own blank cards to be used as counterfeits.
In response to the growing threat of skimming, financial institutions adopted EMV chips. (EMV isn’t a technology, it just stands for Europay, Mastercard, and Visa.) These chips are microprocessors with far more storage capacity than a stripe, and an ability to apply functions to the data they store, like encryption, and other tricks you may never have realized before.
Each time you insert your chip into a reader it powers up, runs through authentication and other checks, and performs a cryptographic dance with the reader. The card generates a unique Authorization Request Cryptogram, encrypted using private keys, incorporating details generated by the specific transaction taking place at that moment, which get verified by the issuing financial institution. It’s complicated and there are more steps involved, but the bottom line is that thanks to this process, every time a chip is used, the data the POS reads is going to be different. So if you used a skimmer on a chip, you could never use that data for a second transaction.
Thanks to their vast benefits over the mag stripe, chips became mandatory in Europe in the mid-2000s. They became mandatory in the US in the mid 2010s, except for EBT cards. EBTs without EFTA protections remained chipless.
Some of the reasons for this may have had to do with the technical challenges and costs involved in updating legacy technologies across the country. But as consumer advocates are quick to point out, these same updates were carried out successfully, years ago, for the kinds of payment cards used by people with political power.
“[Vicky] I think if this was an issue that was systemically impacting families who had significant means we wouldn’t have seen a solution a lot sooner.”
As Haywood Talcove explains, poor families receiving government benefits are at a particular disadvantage against special interests that might not align with their best interests.
“[Haywood] There’s an organization out there called the National Grocers Association.
[. . .]
They make a fortune off the EBT programming, $112 billion being spent. I mean, it’ll be a trillion dollar program according to CBO in 10 years, so they want to make it as easy and as friction free with as little oversight as possible, from government, and from those that monitor the program.
[. . .]
And in 2016, they lobbied not to have chip parts and to allow the different EBT stores – the bodegas and others that accept food stamps, to choose their own POS terminals. And that was a very intentional thing, because prior to that USDA mandated a certain type of POS, USDA mandated a certain type of card, but the national Grocers Association fought so hard to have those requirements removed, making the program much easier to steal from.”
Skimming Attacks
Because EBT cards never incorporated chips or more secure POS terminals, food stamp skimming became rampant. That’s what inspired Operation Sandblast, the Secret Service operation that swept Las Vegas earlier this year. Agents entered corner stores, gas stations, and other vendors, beelining for their payment terminals not to protect credit and debit card holders, but EBT cardholders specifically.
And pulling malicious little gadgets out of gas pumps might have solved the problem, too, if they were dealing with the kinds of petty criminals typically associated with card skimming. In reality, the agents knew they were only scratching the surface of a much deeper problem.
Weeks earlier–on April 4th, 2024–the Secret Service conducted a different set of raids in Oakland and San Diego. They called it “Operation April Fools,” arresting seven individuals involved in EBT skimming.
These weren’t your typical, petty criminals from the neighborhood. Six of the men arrested were from Romania, and the seventh was from Italy.
Oh and, by that point, the group had already stolen 181 million dollars.
How did a handful of Romanians skim nearly 200 million dollars worth of food stamps before anybody stopped them? How many trips to how many stores must that have taken?
Let’s rewind a moment.
Security Flaws in EBT
To be approved for benefits, SNAP applicants need to prove their identities. But different states have different rules about how far you need to go, and in general, the process can be completed entirely online.
To prove their identities, online applicants need to upload ID documents, or in some cases just answer knowledge-based questions about themselves that get checked against public records. In other words: the kinds of information and resources that cyberattackers can steal from you in a phishing attack, or buy for cheap on the dark web.
“[Haywood] So with the proliferation of all the stolen PII that’s available on the web for pennies, people go and buy that. And then they apply for benefits. And then they get their EBT card.”
Of course, cybercriminals also phish recipients for their existing card details, and face far fewer security barriers than they do when they try the same thing with credit cards.
“[Haywood] They didn’t turn on the geofence tool. So you know, for example, if you live in California, and you’re going to your local bodega to purchase some food, that card 10 minutes later can get used in say, Massachusetts.”
Foreign Criminal Operations
This explains how someone from Massachusetts can steal SNAP benefits from someone in California. But how can someone from Romania do it?
The simplest way to use stolen food stamps from abroad is to simply shop online. Many websites make online purchases simple, in order to convenience SNAP recipients. If you search for food on Amazon, for example, there’s a toggle for SNAP-eligible items.
The method likely employed by those arrested in Operation April Fools involves mules. Like the money mules used to cash out stolen credit cards.
“[Haywood] The criminal group overseas is the one that’s purchasing the PII to get the cards in someone else’s names. Then they have the mules that are located here in this country that then go to the bodega to do the transaction. Some of the bodegas are controlled by the criminal groups.”
At this point you might be asking: what use does a criminal group based in Romania have for fraudulently purchased food in America?
“[Haywood] Other times, they’re going to see some of the warehouse stores to steal some of the things that they can resell at scale in other countries. […] I’ve got some great photos of people exiting some of the warehouse stores with literally pallets of energy drinks, and it’s going to other countries, it’s going back to the bodegas, etc.”
By catching the mules carrying out fraudulent transactions en masse, law enforcement can interrupt international SNAP fraud operations. But this is unlikely to work for long.
FNS Fraud
“[Haywood] The problem is there’s an emerging threat, which to me is terrifying, is that the POS terminals that are used for the EBT program – are now for sale on telegram and other parts of the dark web.”
It’s not that the literal POS devices are being ripped from stores, and shipped on the dark web. Rather, the USDA–which runs SNAP–assigns seven-digit Food and Nutrition Service numbers–FNS numbers–to any store that participates in the SNAP program. Those numbers identify a machine as belonging to a store.
“[Haywood] Well, unfortunately, getting the FNS number is really simple. You can Google it, you can see it at say, a Walmart. And what these criminals have done is they’ve embedded the Walmart, the Sam’s Club, the target FNS number onto the POS terminal. And so as a result, they’re stealing cards. And then in Romania, they’re running them through the fake POS terminals, and then they’re getting their reimbursement check from USDA, so you have a fake bodega, using a real FNS number.”
So, from all the way in Romania, Nigeria, or China, a cybercriminal can masquerade as both a SNAP recipient and a participating retailer, buying and selling totally nonexistent food products.
“[Haywood] they are pretending to ring up sales all day from a foreign country. And it just looks like it’s part of the Walmart target flow. “
And how would Walmart detect this? It’d be as difficult as trying to spot a malicious bit of traffic in any billion-dollar corporation’s IT systems.
Personal Anecdotes
It’s easy to forget in all this that even when a hacker across the globe uses a stolen EBT card to buy nonexistent food using a fake Walmart terminal, they’re still stealing from a very real, low income person.
“[Vicky] We have worked with and or talked to hundreds of families who’ve had their SNAP benefits stolen, every single person we’ve ever talked to about it has communicated how extraordinarily distressing and disruptful and for many traumatizing having your food dollars stolen has been. Because there’s no recourse for you in an immediate way, you’re in the checkout line, you realize that your dollars have been stolen, you have to figure out what to do. And for the majority of people, they have no dollar, like literal dollars to make up the difference between the stolen SNAP and what they have in the checkout line.”
What do you do if you’re in this position? If you have kids, and nothing in the fridge at home?
“[Vicky] A couple months ago, I have a client who called me. she had my cell phone number, she called me at 10:30pm, sobbing. She was in the checkout line. Because she had to go in to grab last minute food for her family and like snacks for the kids. She just like put them on the checkout line to pay for it with her SNAP, and was told that she didn’t have a balance. And she had checked her balance a couple of days earlier, and so had no reason to think that there would be a problem. She was mortified. She was embarrassed, she was wildly stressed about what to do because she couldn’t pay for the food that was on the checkout line. And she just was in tears. She called me, so distressed about what she was going to do.”
But there wasn’t anything she could do, besides maybe visit a food bank. When someone has their EBT card drained by a scammer, they and the people who rely on them can go hungry for days and weeks on end.
Remarkably, for nearly the entire history of EBT, there was no way to get your stolen money back, even if you could somehow miraculously prove it was stolen. There was simply no mechanism for repayment, even if you were conned for reasons totally out of your control, and probably thanks to EBT’s inherent lack of security protections.
Only in 2022 did the government even begin to address the issue, in a small provision as part of its giant 1.5 trillion dollar omnibus spending bill, the Consolidated Appropriations Act.
“[Vicky] That said, essentially, that state need to make a plan to use federal dollars to replace SNAP that is stolen up to a limit and for a specified timeframe. T he limit that it laid out was replacement with federal dollars can only be up to two times the monthly benefit amount that the household had been most recently issued. First, and second, that replacement was limited to two times in a federal fiscal year, federal fiscal year is October one through end of September. And then the second piece that the CAA, the 2023 CAA established was a time period for that, but that had to have occurred between October 1 2022 And September 30 2024.”
Following the CAA, individual states began to implement programs for compensating stolen EBT funds.
“[Vicky] Each state has an administrative agency. And then FNS provides sort of like the National oversight and guidance of the program through each of these agencies. Each state had to get a plan into the Feds for how they would do this, and have that plan approved before they could start issuing a replacement payments. What that meant in terms of like when did families and Massachusetts get their dollars families and Massachusetts who had been stolen from under the federal replacement rules essentially got their dollars in October of 2023. So a year later.”
The CAA’s compensation provision didn’t do anything to feed a victim realizing they can’t buy their groceries in the checkout line, but it did help in general. Yet even this small glimmer of hope is going to disappear in just a few weeks’ time.
“[Vicky] The structure that was set up for replacement is only in place nationally until September 30 of this year. So if Congress doesn’t do something families…I don’t know if you swear on your podcast: they’re gonna be shit out of luck.”
Some states–like California, Michigan, and Wisconsin–have taken specific actions to extend the rules for anyone affected by fraud after September 30th. But many states haven’t, and there’s no sign that the federal government is going to do anything about it.
“[Vicky] As of today, July 17, there is no plan. So the number one goal is for someone to make a plan, either the administration and or Congress need to figure out what to do after September 30. Our goal right now is that Congress would extend it either temporarily or in a permanent way.
[Nate] Any advice for SNAP recipients in the meantime, knowing that this problem might get worse soon?
[Vicky] The only thing that is helpful in terms of “protecting” yourself is to repin your EBT card regularly. But that’s not a systemic solution, and it’s also extremely difficult for many SNAP families to do that. I mean, I can’t remember my PIN for my debit card. But our SNAP families, many of whom are extremely disabled, many of whom are older adults. And I don’t just mean 60 and older, I mean, like 80 plus 90 plus, we have many older adults on staff across the country. A lot of folks are working families with kids and like, I don’t have kids, but if I did, there’s no way I’d be able to track information like a PIN change. So it’s just not a systemic solution. And it’s not fair or equitable to say to snap families, like – we put you on a second class legal footing, we chose to do this as a country and now you have to go figure out how to maybe protect yourself from extremely sophisticated criminal gangs that are trying to steal your dollars.”
Starting this month, California and Oklahoma are rolling out EBT cards with EMV chips. They are the only states to do so.
“[Vicky] It’s just so…it’s cruel and horrific. And it’s just like insane, because it could have been prevented and can still be prevented, and prospectively will be prevented to a large degree. But we sort of just left families out in the cold.”