Alex Hall is a former fraudster who spent ten years successfully operating in the Las Vegas fraud scene. Today, he is the Principal at Dispute Defense Consulting, a Full-Spectrum Fraud Mitigation Consulting agency, with an aim to assist merchants to build a comprehensive defense against fraud throughout many aspects of their system.
Alex came on the podcast and shared a wealth of information that you won’t hear anywhere else.
In part two of our two part interview, he lays out how he helps the merchants he works with to prevent card not present fraud.
Bradley Chalupski: Hey everyone. This is Bradley Chalupski, editor-in-chief and co-founder at MerchantFraudJournal.com. And on this episode, we’re going to be continuing our conversation with Ex-fraudster Alex Hall. He’s going to talk about specific actionable items; how he goes into organizations and increases their fraud prevention defenses. It was a great conversation – absolutely invaluable insight you won’t hear anywhere else. Thanks again, Alex, for being willing to share your expertise with us. And remember, you can get all the latest merchant fraud tips and tricks on MerchantFraudJournal.com. Enjoy.
Bradley Chalupski: So, let’s start to bridge the gap here. So, you make the decision because of your family that you want to move on, you make that top-level decision. What does that look like? Where do you go? How do you say, “I’m done with this today. And I’m going to go on to the other side.”? How do you start to work your way across the barrier?
Alex Hall: So at the time, I knew that I had some traffic warrants out for me. So, I went and I turned myself in on those. And while I was locked up for those, I also found out that I had this mid-level trafficking charge associated with my name. So, I said, “What the hell?” I found out that this dude from high school that I used to serve different things to. He had snitched on me. He rolled on me, sold me out. And I got busted for that. So, I ended up selling a half ounce of coke to a cop. So, I found out about that while I was locked up on traffic warrants. So, for mid-level trafficking, you’re looking from three to seven years in prison. So, it scared the shit out of me. I went to court, I spent six months in jail, going through the court process, and was able to get out on probation. But it was also because it was mid-level trafficking and I had a high – whatever they call it – missing court. I never went to court, I didn’t care [02:14 inaudible]. So, because of that, I was put on intense supervision – house arrest. Because I had a drug charge, I couldn’t go live with my family because my mother-in-law was on probation at one point in her life. I couldn’t go live with my family. And so they actually house arrested me to the Catholic Charities Homeless shelter. So, I’m house arrested for – what’s supposed to be – 19 months to a homeless shelter. A lot of loops and hoops to jump through. But I ended up finding a job. I decided that I would be most effective either in an operations management position or in a fraud prevention capacity.
Alex Hall: So, I got a job working at a [02:57 inaudible] distribution company. And like I said earlier, within my first six months, I had got the transaction analysis down, I brought their chargeback rate from a six-month rolling average of $28,000 a month for chargebacks, down to $8,000. Every quarter, we were doing $158,000 worth of transaction analyses. And then identified a bunch of return fraud that was going on there. So, at the end of my first six months there, we calculated about $1.2 million in mitigated and prevented losses that were due to fraud. So, I’m happy with that. But that was the first success that I had on this side of the fence. And then I was promoted several times. I ended up managing the dropship division over there, helped all the accounts that I was managing, helped all of them get their fraud situations under control, how to do transaction analysis and chargeback representments. And then COVID hit, and now I own Dispute Defense Consulting and I’m talking to you. Here we go.
Bradley Chalupski: Living the dream. So, I want to go all the way back there to the beginning. You gave us the broad overview there. So, you start working, you said, for a specific company. So you weren’t getting into a prevention company that works with multiple clients who are working for a single business. So take me through that process, now is where I want you to share all that great expertise that you have. I want to know the whole thing that you’re willing to share. You get in there. What are you looking for? What’s day one? What are you thinking? “I got to figure out where this is, that is.” Take me through that whole process.
Alex Hall: It was actually really awesome because they didn’t have anybody dedicated to fraud prevention prior to me working there. What they did have was customer service representatives, who would look at orders that were flagged by Shopify. So, when I first stepped foot in there, I had to learn, of course, what their system was. Well, they didn’t really have one. If Shopify flagged it over here, their fulfillment software would unissue the order, and then it would go up for analysis. But nobody knew how to analyze it, no one knew what these different data points represented, like the AVS, the CVV, card response code, whether or not the billing and the shipping address should match, what the IP address this. They didn’t know how to look at any of that. So, what I did was, again, I learned their system, and then I started. I’m like, “Well, I’ve done this on that side plenty of times. What would I be trying to do? How do fraudsters do this?” So, I just created a spreadsheet really quick. This is my first experience with seeing it on the back end, seeing it from the merchant’s perspective.
Bradley Chalupski: What was that like? It’s like looking through the looking glass. You must have been freaking out a little bit.
Alex Hall: Yes, it was awesome. It was so awesome to see like, “This is what they see. And this is what options you have. And this is what the reports look like. This is how you configure your fraud flags. This is how you configure this. Oh, my goodness, this is so awesome. I get to have so much fun.” And it was just fun because I got to step in and play with all these different rules and all the different data points and then jump between systems. Man, it was just a bunch of fun.
Bradley Chalupski: Did you find it intuitive to connect the two? Were you like, “Oh, I can see how I can use this to get what I used to do.” Or did that take you a little while to really put them together?
Alex Hall: So, once you learn the interface, yes. After getting to know where things are in the interface, knowing how they work together, and knowing how – on that side of the fence – we used to bridge that gap by using social engineering or whatever. We’d call in and say, “Hey, my wife ordered that. Can you just put it through?” “Oh, sure.” We used to bridge the gap that way. Well, I can bridge the gap just by clicking this button. But I know what people are calling in for, so I can help people in customer service. Oh, man, it was such a great time. And yes, you’re right, it was super intuitive.
Bradley Chalupski: That’s great. I’m excited just hearing you talk about it. I’m sure, on the other side, you’re always kind of aware that people are trying to stop you. And you’re probably also trying to figure out the couple of times you do get stopped – because I’m sure you get stopped, I’m sure everybody gets stopped – how they knew that, what they were looking at. And so you probably were thinking of your former self and going, “This is it. This was that thing when I was so frustrated that these people stopped me. This is what they were looking at.” It’s a rare moment where you really get that closure on the other end to paint that whole picture.
Alex Hall: 100%. Yeah.
Bradley Chalupski: So, I know you don’t want to give away the whole kitchen sink here so to speak. But what are some of the things once you get set up, you understand, you’re not figuring out the system anymore. Where are you looking that fraudsters are slipping through? What’s the low-hanging fruit that you didn’t even really need to dig into the numbers so much, you just saw it and said, “I know what that is. I can stop that,” right off the bat.
Alex Hall: Well, of course, your card code. If your card code is not on point, why even process the transaction if it’s e-commerce? If your CVV is not on, why even do that? Secondarily, be aware of what your AVS response codes represent. And then third, make sure that you understand the importance of what the story is being told to you with every transaction. So if you use these five or six data points – the billing, the shipping, card code, address, name – it tells a story. Everyone tells a story. Just be aware of what these data points represent.
Bradley Chalupski: So, give me an example of a good story and a bad story.
Alex Hall: Well, the good story is the billing and the shipping match. It was an AVS response code of Y, and the IP address is no more than 10 kilometers – depending on how it’s measured – away from the zip code, or within 10 kilometers of the zip code – that’s the best one. AVS Y, billing and shipping match, card code represents M if it’s Shopify, and within 10 kilometers. Perfect story.
Bradley Chalupski: So, weren’t you able as a fraudster, though, to manipulate those?
Alex Hall: Yes.
Bradley Chalupski: So, it’s still iffy. You never know a hundred percent.
Alex Hall: There’s an A and a B after you flag the transaction. So, there’s a transaction flag, and then you can go Course A or Course B. Course A is going to be that you request additional documentation, so then you’re forcing these people. So, say, you catch this bad transaction [10:16 inaudible] tells you about story. So, you’re like, “Okay, I want to verify this further.” So you request verification documents from them. Now, PCI compliance and all this different stuff about what information can go where; you just get the card minus the CVV and the first 12, get the last four, and you get their ID minus their ID number, and a selfie. You get those three pictures submitted for this one transaction. And that’s how you can do a secondary verification. We call them just Request Verification Docs. When you do this, now you got to be aware of what the security features are on each of these things. I’ve been able to identify that the seal was wrong on a fake ID that someone submitted. I was able to identify that the card that was embossed, looked good, great, but they put a MasterCard on a Visa. You can identify all these things. And at the end of the day, it’s the importance between customer satisfaction and merchant security that has to be taken into consideration. And then you consider that every chargeback is worth any amount of money. If you lose arbitration and you pay another $275 on top of that $80 transaction, you tell me if it was worth giving the customer the benefit of the doubt.
Bradley Chalupski: So, my question is we talk a lot in the industry about these high tech algorithms, about thousands of data points across all these kinds of different areas. But you, the guy that’s been on the other side, you’re not talking about that. You’re talking about kind of old-school detective shit. Like I’m looking at the englossed MasterCard seal on the card or on the ID, and picking out fake IDs. What are your thoughts on the state? And it’s maybe a little bit of a digression but I just want to ask while it’s relevant, what are your thoughts on the state of the industry, the broader high-tech fraud prevention industry as somebody who’s been on the other side and is now on this side? Do you think it’s good, bad? Are you indifferent? Do you think that it’s all a bunch of hype? What is your thought on that?
Alex Hall: It is awesome. I gotta say, it is awesome, but there are some missing points, there are some missing things. So, the fraud prevention industry as a whole, you’re gonna have different types of fraud prevention. So you have a data point transaction analysts or software, you have your chargeback represenments, you have your ID validators, you have your device validators, you have your service orchestrators, then you have your graph data – all of them do different things, but all of them have the same sales message, even though they might have one, two, or three service offerings to their software, they’ll say, “Hey, we’re the best at what we do. You need us.” Okay, well, no one can argue with that, I got you. But here’s the thing, no one single service is the end-all, be-all. No one is the ultimate fraud prevention solution. And that conclusion that I have is based on the fact that as a fraudster, I exploited every transfer of value that you can imagine.
Alex Hall: And I always give the comparison between the hotdog stand on the corner and the corporate juggernaut on Walmart. So, you have the hotdog stand, what his needs are for a fraud prevention service is the ability to identify fake cash. That’s it. Simple. That’s his entire strategy. That’s all he needs. Well, now go to Walmart. Walmart has cash, checks, card, then they have cashing checks, then they have lines of in-store credit, then they have e-commerce, they have drop shipping, they have the AmEx, Bluebird, Money Center, Money Orders, return policies, marketing promos – they have all of these different transfers of value that’s standing to be exploited, each one of them needs to be aware of how they stand to be exploited. Now, what one system can Walmart hire to handle all of its fraud prevention? There isn’t one. Not in my opinion. There are ones that can have different effects at different places, don’t get me wrong. That’s why I say they’re awesome. I’m not putting billions of dollars in the R&D of the software, but they have. And they’re diving down the rabbit hole of data point transaction analysis and they’re doing a damn good job. So they’re awesome. But there’s a lot of gaps in between the different service providers. And that’s actually what Dispute Defense Aims to do is I aim to work with all these different service providers in order to help supplement where their clients might need a little bit more care or a little bit more direction outside of just transaction analysis. They might need a little bit of help with their policies, a little bit of help with the returns, a little bit of help with identifying friendly fraud and chargebacks. But that way, the service providers can keep their market share and be a little bit more effective, rather than losing it to someone else. So, anyway, that’s my assessment of the entire fraud prevention industry as it is, and I aim to help.
Bradley Chalupski: It’s great. I’ve never heard anyone put it that way. And it’s a really interesting thought. Because obviously, I come from the other side, I started working with these high-tech solutions. And so it’s really interesting for me to hear you talking about how you’re doing it as somebody who’s actually been down in the muck is not a data scientist but somebody who’s really done the thing. And then when you go over to the other side, you’re using old-school MacGyver methods to try and find people, and it’s a huge disconnect for someone. Because from my end, I was never working in the prevention area, I worked in the marketing part of the business. But when we would talk about the product, we’re always talking about the same technology that you use in self-driving cars and all these kinds of things. And so to have you in front of me saying that you’re checking for IDs to make sure the decals are there, it’s really interesting to hear that there are gaps and that you can’t just automate the problem away at the end of the day. I know, in our publication, we’ve come out in favor of the idea that there’s always going to be a human fraud analyst role because people are always going to find those gaps in the blanket solution, and they’re going to have to find someone that knows where those gaps are and can fill them. I guess I hadn’t really thought of what that meant when you’re talking about such low tech, low-fi methods that are effective in catching things that, like you said, companies that have tens of millions, hundreds of millions of dollars of R&D going into these algorithms can’t ultimately get. So, I guess it gives me some hope that maybe one day we’ll figure out the matrix and we’ll get out.
Alex Hall: So, I want to make sure that even though I said what I said, oh, man, I really appreciate what these guys are doing, what these different teams are doing. I won’t name anybody specifically, but you know who you are. They’re doing badass work. They’re doing amazing work. But it’s just so laser-focused. They’re going deeper and deeper down the rabbit hole for that form of fraud prevention. And they’re doing an amazing job. So, I don’t want to discredit anybody in the game. They’re all doing awesome. It’s just there is space in between them. And AI/ML institutions are doing really well. But to your point, I feel the best fraud prevention strategy is going to include as much automation as is possible with someone overseeing it at the top in order to have that human element. We can get rid of a whole fraud prevention team, in my opinion; automate all their processes and have someone overlook it and manage the software. Now, the more hands, the better because you have a thought process going on. But it’s really looking to be a robot whatever.
Bradley Chalupski: So, I’m curious now, when you go off and you’re working on your own, I want to get into what’s the difference between working in one company versus working with a bunch of different organizations as a freelancer so to speak? Because obviously, they’re conceptually different. But I’m interested to know you don’t have as much time to work with each person when you’re not there nine to five every day, you’re focused on that one thing, you’re doing it over and over again. And there you can really build your house the way you want to build. You can set the foundation, build it up, you’re there for months, years. You can put everything just so with a budget, probably hire some people, etc. Very different than going into a situation where you’re just someone that they’re bringing in for immediate ROI. You have to get some quick wins, probably cut some corners – even though I’m sure you won’t want to say that – just to get to where you need to be fast enough. And you’re not so much worried about building the best possible ship or best possible house as you are delivering value on why they’re hiring you right away. So, I’m interested kind of when you’re transitioning across that divide, if your mindset shifts or if you’re just taking certain things that you know are top-level absolute has-to-have, and then leaving some maybe more nuanced details out because you just don’t have the time to do it with the amount of time you’re spending with that merchant. What does that look like on your end when you’re striking that balance between speed and effectiveness?
Alex Hall: So, I’ve put together a four-step process. And that’s what sets Dispute Defense apart from a lot of other service providers is the fact that I first identify what I term as transfers of value, just like I was saying before. I want my solution to be as effective as possible for the merchant. I’m not coming in saying, “My solution is the best as it is. Buy my solution.” That’s not what I’m saying. I’m saying, “Let’s get together. Let me find out where you stand to be exploited. I can help you identify where you stand to be exploited. And then let’s put together a strategy that’s going to play out over six months.” Six months, as you know, is the average lifespan of a transaction. Chargebacks can be filed up to six months later, sometimes two years. But if you don’t see it by six months, you’re not going to see it. You can almost guarantee that right if you don’t see the chargeback within six months. My contracts last about six months. And it starts off finding out what the needs of the merchant are. And then I work with them on a weekly basis or bi-weekly basis if they have the software that they need. And along the way, we just put these policies in place that are going to strengthen their operations in addition to that [22:08 inaudible], so they can track the effect of fraud. And as it happened over the course of months, quarters, years, we established what fraud might look like in every one of their departments. It’s an involved process at the very beginning, but then you just see it play out and make adjustments as you go. And then they take my assessment at the first at the onset, and they take my assessment at the end, we see what the differences are. Hopefully, after six months, they don’t need me anymore. Hopefully, after six months, I’ve done my job, they understand everything that they need to understand, and they can move forward. Now, if it’s a high-volume place, I might refer them over to one of my partners for the data point transaction analysis. But it’s understood that that’s all that software is gonna do is data point transaction analysis and guarantee the transaction amount. That’s it. So, if that’s all they want and they can make use of one of my partners, they go right ahead. So, that’s how that works.
Bradley Chalupski: So, do you find, in the course of your work, that the biggest determining factor is just the merchant-specific business versus what vertical they’re in? Or how they’re choosing to sell online? Is there a lot of variation that you need to do as a prevention specialist based on what industry or vertical that you’re working in? Or are you finding that fraudsters are fraudsters wherever they are?
Alex Hall: My biggest claim to fame on the streets was the ability to exploit a vertical outside of retail and wholesale. That was my biggest claim to fame. You could make a $300,000 income off of 20 minutes of work. It had nothing to do with credit cards. It was pretty lightweight as far as the workload goes. But so in doing that, every transfer of value has its ways of being exploited. My whole operation was heavily weighted on the idea of transfers of value. If I can send you a box of rocks, call it a return, and you give me money; we participated in a transfer of value. If I can send you a social security number, a name, and a billing address, and you send me a card for in-store credit; that’s our transfer value. And I didn’t pay with a credit card. I didn’t pay with cash or cheque. It’s outside of all of that. So, to answer your question, the industry doesn’t matter as much as what is being transferred. If you’re basing it on stuff that can be socially engineered, like a return, or if you’re basing it on something that’s just profile information, like an in-store credit. At the end of the day, it is possible to list out every possible combination because it’s all going to be an ID and a credit card, or it’s all going to be an ID and a social security number, billing address. The different variables are going to be there. So, then it just depends on, again, whatever transfers they participate in.
Bradley Chalupski: So, what would you say are the most common methodologies that fraudsters are using right now if you had to pick two to three that people could look out for or come to you for help? Better yet, what would be those types of common things that you’re seeing people do?
Alex Hall: I don’t think that credit card is gonna be the top of the line all the time. I think that the thing that’s gonna live on by [25:55 inaudible] credit card transactions, no matter what, you can’t avoid that. People are trying to use stolen credit cards online from the dark web.
Bradley Chalupski: So, you think the sheer volume of people that can do that, I guess, and do it very easily makes it easy. And what would be the other one?
Alex Hall: I would suggest that if you have not put real thought into your development of a fraud prevention strategy, get in touch with me. If you haven’t done it yet, you need to. That doesn’t matter if you’re doing $50,000 a year, $500 million a year. If you haven’t put real thought towards your prevention strategy, contact me, let’s talk. Because when you get hit for $30,000 and you’re not prepared for it – $30,000 worth of transactions – you gotta consider the way that fraudsters operate. When they find a place that works, they just keep attacking. It’s like a shark that smells blood. So, then they find out that this works this way, they put it on the dark web, they advertise the method that they found. I stress, they do. I never did it. That’s ridiculous.
Bradley Chalupski: Why ridiculous?
Alex Hall: Because then it just plays it out. It waters it down, and then eventually it gets fixed. [27:17 inaudible] Why would I go telling everyone how to do it? Why don’t I just keep doing it once or twice a month?
Bradley Chalupski: Is that like a fame thing? People just can’t keep their mouth shut because they feel like a baller doing that.
Alex Hall: They think they’re cool. I’d rather be the best that I can be, silent in my own room. No one needs to know about me except for whoever’s in my network. And that’s it. Everyone else wants to be too cool for school. They got the green little skull and the pink skull, like on the Pirate Bay, next to their names on the dark web, and they got these really cool status symbols. Oh, my goodness. That’s not me. I’m the one chillin’ over here doing math. I think as far as I go if you haven’t developed a strategy, get in touch with me. I’ll tell you where your soft spots are. And I’ll tell you what you need to do to get them fixed, and how to identify what attempts look like. That’s the most important thing is to know how to identify what attempts look like.
Bradley Chalupski: So, this is going to be my last question, not because I don’t have more of it, but because I’ve already taken up an hour of your time. And maybe we should do this again sometime because I have so many questions. But I guess, to close it out, I would ask kind of a fun question, which would be, what do you do to protect your personal information and your credit card information from fraudsters? And if you just say, there’s nothing I can do, and I just leave it up to chance. That’s a fair answer. But I’m curious what you do as someone that’s been on that other side to try and protect yourself.
Alex Hall: I stay away from low-end credit cards. I stay away from things that are readily accessible to anybody. But there’s a Catch-22 to that because if you go to high-end, high-requirement credit cards and debit cards, things that have a lot of prerequisites, those are the ones that are specifically being targeted by smart fraudsters based on their BID numbers. So, to tell you the truth, I got rid of all my prepaid stuff. When I first established my company, because of my history, there was no chance of getting a real credit card or real debit card, so I stuck with prepaid for a long time. But I got rid of all that. Now, I’m established and I’m a big boy. At the end of the day, unfortunately, just like so many merchants, we rely on the ability to just watch out for fraud that goes into our system, not necessarily our cards getting stolen because we have the guarantee of chargebacks. So, bank with someone good, bank was someone who has your back. That’s really it. When it comes to consumer fraud, I’m sorry to say, there’s really nothing you can do because a lot of it can be generated. Just file your chargebacks and hope your issuer has your back. Sorry.
Bradley Chalupski: I can’t thank you enough for your time, Alex. This has been just amazing and so much fun for me. And I really appreciate you coming on and being willing to share your story and tell us more. And congratulations on getting your life in this direction, and your family, and taking care of them. That’s just an incredible story. Really happy to hear it. You’re a great guy. And we’re happy to have you on this side of the fence.