This is part one of a two-part series on account takeovers by former hacker and card-not-present fraud pioneer Brett Johnson.
For this installment, Brett will take you on a journey inside an account takeover from the perspective of a fraudster.
Let’s talk about taking over an account. Back when I ran things, we called it COB, change of billing. Somewhere along the line, and while I was incarcerated in federal prison, the good guys decided the more accurate name should be account takeover, or ATO.
Me? I’m not a hater.
A lot of our crime was simply changing the billing address and phone number on a victim’s card, waiting a few business days, then ordering high priced items.
But we also phished accounts, took over all forms of existing accounts (Bank, Email, eBay, PayPal, eTrade, etc.), and pretty much anything we could that would yield a profit for a criminal.
So, the term account takeover is much better suited than change of billing. As it turns out, not much has changed since those initial days when we started committing ATO Fraud.
Account takeovers: what’s old is new again
The process has largely remained unchanged. Oh, there are some nifty tools and services fraudsters use to help them commit the crime. But the crime itself is basically the same now as it was in 2004.
Let me make it a bit more personal.
Let’s talk about why Brett would take over an account when I was busy breaking any law I could find. Profit. That is really what it boils down to. Could I see a bigger profit, or could I increase my chances of success by taking over an existing account?
The answer to that question is always yes.
I knew if I could successfully take over an account of a credit card that I could easily cash it out for 80% of the available credit. If I didn’t take over the account? I could use the credit card once, usually for a much smaller purchase.
Back then it was always in my best interest to take over an account—if I could. The problem is that taking over an account takes a lot more time and effort than simply going out and using a stolen credit card.
I’m going to talk about more than credit card ATO. But let’s continue with that to illustrate some of the things necessary to successfully commit ATO Fraud.
To ATO a credit card or a bank account, I need several items.
Here they are, in no particular order:
- First & last name
- Phone number
- Email address
- Date of birth
- Social security number
- Driver’s license number
- Mother’s maiden name (if I can get it)
I also like to have a background and credit report. I need all this data because changing information on an account is always met with security questions by the customer service representative.
If I have all that data, the chances are excellent I can get whatever information I need changed on the account I am taking over.
Walkthrough: how fraudsters take over a credit card or bank account
For the sake of drama, let’s say I have all the data except for the mother’s maiden name. I call into customer service. Prior to calling the bank, I go and buy a burner phone from Walmart for $12.88 and sign up for a phone spoofing service like Spooftel or BluffmyCall.
That way I can quickly and easily spoof the real account owner’s phone number, showing the victim’s phone number on the bank caller ID instead of Brett The Criminal.
I also register an email address in the victim’s name. That is important because for me to avoid being caught and stay safely out of prison, I need to be able to track orders or account changes via email. A thief without an email address to track these things is a poor thief indeed.
(Customer service rep answers)
Me: Hi, I’m calling to check my account balance and update some information.
Rep: Yes Sir, Happy to help. Can I get your full name as it appears on the account?
Me: Brian William Napier
Rep: And the last four of your social security number?
Rep: And your mother’s maiden name?
Me: (I don’t have that information, but I have everything else. Time for some social engineering. I just make up a last name.) Baker
Rep: (Pauses) I’m sorry, Mr. Napier. That is not what we have here.
Me: (Surprised) Well, what have you got?
Rep: I’m sorry. We cannot tell you that.
Me: (Slightly outraged) OK. Well, I don’t know what you have there, but I know what my mom’s name is.
Rep: (Reps are trained in this. It turns out that sometimes this type of thing is legitimate. Sometimes, the account owner gives an answer other than their Mom’s real maiden name.) That’s OK, Mr. Napier. I will just ask a couple of other questions to verify you, OK?
Me: (Somewhat appeased. I have all the other data I need. I should be able to answer any question the rep asks.) Sounds good to me.
Rep: Can I get your Driver License number?
Me: (Yep. I’ve got that info.) Sure, hold on and let me pull it out. (I wait a few seconds.) OK. N8702202323
Rep: And can I get your full date of birth?
Rep: Great. And would you like me to reset your mother’s maiden name to Baker?
Me: Yes, Please. That way we don’t have this same problem again.
Rep: OK. And I have reset your mother’s maiden name to Baker. Now, how can I assist you, Mr. Napier?
Me: Well, I was wanting to check my balance and then update my phone number.
Rep: OK. Let me check your account. You have $8,500 available credit.
Me: Thank you. And can I update the phone number on the account? The phone I’m using now I am giving to my wife. Got a new number for business and want this account updated to it.
Rep: Absolutely. Do you want the old phone number removed?
Me: No. Just leave it there, but make my new one the primary. (I know that completely removing the phone number may result in a potential fraud flag. Best to leave the number associated to the account.)
Rep: Alright, Mr. Napier. Can I get the new number?
That is a working process of taking over an existing bank or credit card account over the phone.
I get the phone number changed and nothing else. Why? Because the bank or the store will call the number on file to confirm the order. I have the number changed to a burner phone I have a phone number set up for in the same area as the victim.
Changing the phone number allows me to accomplish a number of things. I can order replacement cards. I can order new debit cards. I can authorize purchases. I can ship to alternate addresses.
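A defender's view of the call above, as an added example that is not part of the original article: the sequence worth flagging is a failed security answer that gets reset in the same session, a new primary phone number, and a high-risk request soon after. The event names, the 7-day hold window and the sample log are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Assumed event names and hold window; map them to your own audit-log schema.
HIGH_RISK = {"replacement_card", "new_debit_card", "alt_ship_address", "purchase_auth"}
HOLD = timedelta(days=7)

def score_account(events):
    """Return (rule, timestamp) alerts for one account's audit events."""
    alerts = []
    failed_kba, tainted = set(), set()   # sessions with a wrong answer / a reset after one
    phone_changed_at = None
    for e in sorted(events, key=lambda ev: ev["ts"]):
        kind, sess = e["type"], e["session"]
        if kind == "kba_fail":
            failed_kba.add(sess)
        elif kind == "kba_reset" and sess in failed_kba:
            # The caller could not answer, yet the answer was overwritten with their guess.
            tainted.add(sess)
            alerts.append(("kba_reset_after_fail", e["ts"]))
        elif kind == "primary_phone_change":
            phone_changed_at = e["ts"]
            if sess in tainted:
                alerts.append(("phone_change_in_tainted_session", e["ts"]))
        elif kind in HIGH_RISK and phone_changed_at is not None:
            # Confirmation calls now reach the new number, so hold and verify out of band.
            if e["ts"] - phone_changed_at <= HOLD:
                alerts.append(("high_risk_after_phone_change", e["ts"]))
    return alerts

# Constructed sample log for one account (not real data).
SAMPLE = [
    {"ts": datetime(2024, 3, 4, 10, 0), "session": "call-1", "type": "kba_fail"},
    {"ts": datetime(2024, 3, 4, 10, 3), "session": "call-1", "type": "kba_reset"},
    {"ts": datetime(2024, 3, 4, 10, 6), "session": "call-1", "type": "primary_phone_change"},
    {"ts": datetime(2024, 3, 7, 9, 0), "session": "web-9", "type": "replacement_card"},
    {"ts": datetime(2024, 3, 20, 9, 0), "session": "web-12", "type": "purchase_auth"},
]

if __name__ == "__main__":
    for rule, ts in score_account(SAMPLE):
        print(ts.isoformat(), rule)
```

The purchase on day 16 falls outside the assumed hold window and raises no alert; tune `HOLD` to how long your confirmation calls should keep going to the previous number.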
And before you think the data outlined above is difficult for a criminal to purchase? Nope. “Fullz,” a complete identity profile of a specific victim, is sold on cybercrime forums and Darknet marketplaces every day for as low as $10.