For this guest blog, former hacker and card-not-present fraud pioneer Brett Johnson rips a page from the fraudster playbook & shares what you need to know.
Online fraud isn’t rocket science. Today, there are enough off the shelf products almost anyone can successfully steal almost anything online. There are top tier hackers out there, but the majority of cybercriminals aren’t hackers. They’re fraudsters. And most are fraudsters who rely on buying goods and services from established cybercrime marketplaces and learn how to commit crime within those groups.
That doesn’t mean these fraudsters are any less dangerous to your business.
I would argue they are more dangerous because of their numbers. How many? When AlphaBay–the largest online criminal community–was shut down on July 5th, 2017 they had over 240,000 registered members. 240,000. For one marketplace. Most of0 the members were there to buy drugs. But a conservative number of fraudsters would probably hit 30-40% of the membership. So, tens of thousands of fraudsters on one site. All dedicated to ripping off you or your business.
One of the more profitable crimes talked about online is also one of the easier ones to commit: Stealing someone’s identity and setting up new accounts or ordering replacement cards for their existing accounts.
A fraudster can buy a stolen identity with excellent credit in his local area for about $70
Or the fraudster can easily find his own targets within his local area. The fraudster goes to an upper middle-class neighborhood in his city. He then “cases” the neighborhood, looking for houses where the mailbox is easily accessible, the homeowners are gone during the day, the mail is delivered before the homeowner gets home, and where the neighbors don’t pay attention to their own neighborhood. Pretty much your average middle-class neighborhood.
He will then either steal the mail from the mailbox to find who lives there or he will return home and look up who the resident is using one of the common data lookup sites.
Next, he uses a site like Roboceck.cc to pull the victim’s social security number and date of birth. Cost: $2.90
He can sign up for trial programs of paid data lookup sites and pull a background check on the victim. Some sites feature unlimited background checks for less than $20 a month.
Once the background checks are done, then the criminal pulls a credit report. Often background checks from the other sites are thorough enough to answer any question asked to pull the credit report. If not, then the fraudster can research the victim on social media.
The result is that the fraudster now possesses a complete identity profile, known as “fullz.”
What now? A few different ways this crime can go:
- The fraudster can get a prepaid debit card under the victim’s name, go to USPS.com and submit a change of address for the victim and have the victim’s mail delivered to a drop address controlled by the fraudster.
- The fraudster can add an address onto the credit report of the victim. This can be done by taking over a low-level account listed on the credit report—utility, store card, etc.—and updating billing address. Or the fraudster might use the dispute area of a credit bureau to add an alternate address.
- The fraudster uses a previous address listed on the credit report that is local to the fraudster. Items sent there are then retrieved from the new resident at the address. (Mail mistakenly delivered excuse.)
- The fraudster doesn’t change the victim’s address at all, but steals the mail directly from the victim’s mail box.
Once the fraudster decides on how to compromise the victim’s mail, then it’s time to make money.
The fraudster typically applies for new accounts not on the credit report. It can be something like retail credit cards or new phone contracts, furniture stores, or any business which offers credit. The fraudster can also apply for replacement cards for accounts that are listed on the credit report.
The application process is extremely easy:
- The fraudster needs two additional items: An email address and a throw away, ‘Burner”, phone. The email address is needed to track orders, receive messages from creditors, and to keep overall watch on his fraudulent accounts.
- The phone is there to activate cards, call customer service, order new cards, unlock accounts, etc. As with much cybercrime, these items are a necessity.
- The fraudster sets up email in the name of the victim. Email reads as Victims_name@domain.com
- The fraudster sets up prepaid phone, in victim’s name.
Our fraudster will either call in and apply for new cards/ order replacement cards or do it online. It boils down to how good the fraudster is with defeating browser fingerprints. The most successful fraudsters call in. Then what?
- The fraudster spoofs the victim’s phone number. The address is either the existing victim’s address or it is an address that has been added to the credit report. As such, fraud variables aren’t engaged. Everything looks legitimate. Knowledge based questions are rare and if they do pop up are easily answered since the fraudster has a “Fullz” on the victim.
- During the application process, the fraudster uses the email address he has created. Usually, the fraudster waits until approved and then signs on to the account and updates phone information.
- The card arrives and the fraudster calls in to activate the card.
- Fraudster goes shopping
Pretty easy crime to commit.
Did I mention how profitable this crime is?
Two gentlemen in the Carolinas cashed out for over $600,000 in 90 days with the exact crime. A group of 4 outside Atlanta netted $1.2 Million over the course of a summer. Extremely easy, extremely profitable.
It is very difficult for the creditors and businesses being hit by this type to crime to recognize it. The usual fraud indicators being used tend to be worthless because the fraudster is bypassing internet security by using the phone. No flags are raised on the address because the address is on file. The result is a crime where many anti-fraud systems aren’t triggered. The criminal is able to successfully acquire the credit and then cash out before any flags are raised.
So, where are the weak points?
The email address and the burner phone. The thief MUST have both in order to successfully pull off the crime. Both items tend to not be set up and used until shortly before the actual crime takes place.
Fortunately, this isn’t the mid-2000s. Fraud prevention companies are hip to the game.
Cutting edge companies like Emailage realize that identifying a fraudulent email address or phone number is often all it takes to stop a fraudster in his tracks. It is an approach that feels borne from the minds of hackers. Instead of trying to be a company that handles all aspects of fraud, Emailage and others concentrate on specific areas of fraud and by attacking them, create chokepoints. It is an effective, cost saving strategy which more and more companies are adopting.
Want to know more? See how Find out how to use the email address to confirm identity and reduce fraud.
Get in touch with our team today to see how the email address can help you fight back against online fraud threats, without annoying your customers.