Merchant Fraud Journal is proud to launch our latest collaboration with the eCommerce fraud prevention community: ‘To Catch a Fraudster’, a podcast dedicated to telling the crazy, true stories of eCommerce fraud.
In our inaugural episode, we talk with Sasha from Nethone. He shares stories about fraudsters setting up physical sales booths inside of airports, walls of cell phones committing fraud attacks, and more.
The podcast is currently available on Spotify, Google Podcasts, and TuneIn, and should be available soon on iTunes.
B: Hey everyone. This is Bradley, editor-in-chief of Merchant Fraud Journal. Thanks for checking out our podcast. This week, we’re going to be speaking with Sasha from Nethone. And he’s going to be talking with us about a couple of really crazy scams that Nethone has dealt with in the past that include fraudsters setting up shop in airports and selling tickets, as well as walls of cell phones and cryptocurrency. So, it’s a really great episode, I think you guys will learn a lot. We really appreciate the support. If you want to check out Nethone on the net, you can visit their website at Nethone.com. They specialize in a variety of eCommerce and fraud prevention solutions including online retail, travel, digital lending, PSD2, and SCA compliance. So, definitely give them a shoutout. If you have any questions, any feedback about the podcast, you can reach me at email@example.com. We hope you enjoy.
B: We are here with Sasha from Nethone, who is here to talk to us on the inaugural episode here of To Catch a Fraudster. So, Sasha, thank you so much for joining us.
S: Hi. And thank you very much for having me.
B: So, the idea for this podcast – just to give a quick little thing here at the beginning – is just we want to talk about real stories of fraud because often in the industry, there’s a lot of talk about technologies and methodologies. But fraud is fundamentally a personal issue. And that’s why chargebacks certainly hit merchants so viscerally is that sense of having been stolen from. So, something we wanted to explore here was just to have some of the great vendors in the industry come on and tell some of their stories about crazy fraud attempts that they’ve seen, and things that they’ve heard, and just get a sense for some of the zaniest things that go on out there. And then try to learn a little bit along the way. So, Sasha, we spoke before, you told me two great stories. So, you can pick whichever one you want to start off with, and let me know one of the craziest fraud stories that you and Nethone have had to deal with.
S: So, basically, the way I view fighting with fraud is like a game of cat and mouse. It’s really having an alternate on the other side, gloves off. They’re just really trying to sneak through whatever means they can, and also minimizing their costs. And they are very brazen, meaning that they really don’t care. They will look square into the eye of the person that they’re trying to fool, and as if they are allowed to do that, they will just steal money from them. And one of the most peculiar stories that I have from the industry is the situation where — So, Nethone started as a tool for fighting fraud, and we decided to concentrate on travel. And one of the stories coming from the travel space is actually a bunch of fraudsters – it was a whole team – that has set up shop inside of an airport, selling tickets for every person who wanted to get a different flight last minute. So, they have set up a shop inside of the airport, where actually what they were selling is that they were having laptops within that shop that they have set up in the airport. And they were actually purchasing tickets from regular websites. And for the ones that are a bit more on the know when it comes to eCommerce, you divide the transactions as card present. So, a situation where you’re actually in shopping with your own card, and that’s the card-present operation. And then if it’s done through the web, through the internet, that’s a card-not-present. So, even though by the rules of regular commerce, this will be a card-present transaction. And actually, that’s one of the ways the person who is purchasing the ticket might see that something’s fishy is that it was a card-not-present transaction because, actually, the fraudsters were selling tickets going onto a regular website. And of course, they were using the card of the person who was trying to purchase, but those people were not using their own credit cards.
S: Firstly, they were stealing the credit card number from the person who’s trying to buy the ticket from there at the airport. And additionally, what they did is they purchased a bunch of red cards from the dark web. And that’s also a natural thing that the fraudsters do. You go into the dark web and you can buy a hundred or a thousand card numbers. And then depending on whether you have a CVV going with that credit card number, do you have the address going with that credit card number, do you have the expiry date going with that credit card number; the price of each of them is different. But you can get credit card numbers from a few dollars, up to $30 if it’s full data behind that card. So, this first story is really about being really brazen. Those people were actually looking into the eyes of people who they were stealing from, having a shop at the airport, buying tickets in this card-not-present environment, even though they were claiming to the clients that this is a card-present, this is a regular transaction. And it all happened within the airport. And this also shows the creative creativity of the person because, of course, they’re using the strength of the airport. And of the fact that the situation is so bizarre if this wouldn’t be a legitimate business, this has built their credibility. So, however fishy they might seem to the person who is purchasing the ticket, still because it was in the airport; because there were cameras; because usually, you have regular businesses at the airport that grew their credibility. And this is also what fraudsters do. It’s either they built somehow their credibility, or on the other hand, they are using the situation around in the world. And here it might be that the person is trying to get on the plane in 10 minutes, so they will be going fast for the transaction, so not really looking at any specific indicators that this might be a fraudulent operation.
B: I want to break this down because this was an absolutely wild story when you told it to me, I kind of thought for a second “Wow, that’s a great idea.” I’m really always constantly impressed by the lengths to which people go to perpetrate these frauds. And honestly, I don’t know why they don’t just get actual jobs because I’m sure they would do much better in life than I have if they were to get some actual legitimate work. So, I want to break this story down from the beginning. Start with the idea of putting someone in an airport, setting up shop in an airport. And you touched on this a little bit, but I think one of the key things that people need to realize when they’re trying to catch fraudsters is that they will look for ways to present themselves in a nonconspicuous way, something that really looks completely normal, something that really looks trustworthy. And that definitely seems to be the case here. And to go to this kind of length was really incredible. And I’m wondering – when you caught on to this fraud – if you see these types of things going on in other places, other areas, where you’re seeing fraudsters try to blend into scenarios where they maybe don’t look out-of-place.
S: So, here, the important thing that’s from the perspective of Nethone would be that, of course, we would be the ones that are integrated into the actual website which the processors are using to purchase those tickets. So, one of the suspicious indicators that we will look at is the fact that suddenly from one network, from one location, from a location which is not a regular home, we see that there’s more and more transactions coming, that there are transactions coming for different names, for different emails, for various routes. And then what will be also interesting is that probably if you’re having the shop at that particular airport, usually most of those routes would also start off at that airport. So, we will suddenly also see a spike in the fact that there’s quite a lot of those flights with the same airport and different destinations. And also what’s very important when you’re fighting for today, the world has changed and shifted in the sense that at one point in time – let’s say, 10 years ago, five years ago, even maybe – it was enough to look at three particular attributes, and then create something that the fraud space calls rules, where you would say, “Okay, if I see too many transactions from that particular airport in short periods of time and with multiple cards, that’s something that I would block.” But because the fraud space has created those rules and the fraudster is good to know that there are those rules behind the systems who are trying to stop them, they knew that they have to vary their interaction more and more.
S: So, of course, those fraudsters, what they might do is apart from selling those tickets at the airport, they might have an alternative kind of business, in the sense that they would have a dark-web shop, which is totally an internet shop where actually people who are purchasing from them know they’re buying from fraudsters, but they’re purchasing tickets for 50% of value. And then they would intermingle the transactions that were happening at the airport with those from the dark-web shop to make the anti-fraud systems less suspicious or be less able to actually track those particular attributes that the rules would look at. And that’s also, of course, why today, in order to properly fight fraud, it’s all about using Machine Learning. It’s all about not only looking at three attributes, four attributes but actually the full scope. And of course, depending on the data provider, you might have a hundred attributes but you also might have more than 5,000 attributes, depending, of course, on the vendor that you choose. And this is particularly important.
S: Another way that the fraudsters do in order to hide behind the scene is that they will use any promotions. So, if you have a Cyber Week, Black Friday situation, what we very often see is that, actually, the fraud raises more than the genuine traffic, let’s say. So, the fraudsters know that the systems have lowered their limitations because it’s a period of high business. So, of course, that’s the moment when the fraudsters jump on that train and actually also perpetrate even more fraud. And not just more but more even in relation to the regular types.
B: So, I want to ask a question, also, you’re touching on a little bit. When these people are in the airport. So, obviously, they’re in there and they’re trying to look inconspicuous. They’re also trying to blend in with the surroundings around them. But another thing that I’m really interested in is this idea that the airport is inherently a transient place. It’s a place where people are trying to get in and get out. And I think that’s kind of what you’re speaking to with the idea of attacks during Black Friday sales periods, Fourth of July sales periods, where people are really able to take advantage of the situation. And the fact that in this specific scenario, you have travelers who are not really aware, they’re not really in a space where they’re thinking critically about what’s happening. So, I’m kind of curious, in this scenario, did you get any stories from the people that were defrauded where they were talking about how these fraudsters were actually speaking to them, what they were saying, the human tactics they were using in order to get them to buy into the fraud and not realize what was actually going on?
S: Not in this particular case, but here I have a different story that I might share. And this is also very interesting and also shows the creativity of fraudsters. And this is far more connected to nowadays, and it’s around cryptocurrency and cryptocurrency exchange. Of course, with the rise of Bitcoin and the rise of value of Bitcoin, more and more people wanted to jump on the train of making some money —
B: The free money train.
S: Yes. And of course, because the popularity of Bitcoin has risen, you have more and more people trying to get on the train, but not really being specialists in how this works. And what fraudsters came up with, or the problem they had is that the world came up with this new way of verifying identity. And this new way was a wire of one euro, one USD to some of their to actually verify that you are the owner of the account. And usually, in this communication, you also get the name of the owner of the account. So, of course, this became a way of verifying the identity of a person. So, first, you think “Okay, how can we sidestep this? Because if we sidestep this then suddenly the whole world — when this verification happens, we can actually sidestep it and perpetrate [15:22 inaudible] more money.” So, they saw that, actually, there’s this space of cryptocurrency, it’s already a bit shady. People that are trying to buy cryptocurrency and cryptocurrency was also made to actually anonymize people, which really even made it easier for the fraudster.
B: That’s the interesting part to me is if you can explain really clearly how that worked. Because it seems to me that if it’s supposed to be completely anonymous, the fraud wouldn’t be an issue. That was the entire point – well, not the entire point but one of the main points of the thing was that based on the blockchain technology, and you can always track the different decentralized ledger, that you wouldn’t be able to perpetrate fraud. So, I’m really curious to hear how this was going on, what this looked like.
S: So, of course, the idea behind blockchain and Bitcoin was that you actually have an ability to be perfectly anonymous, because what [16:31 inaudible] value is just the hash of your wallet. And that’s it. As long as you have that hash, as long as you have that ID, let’s say, of your money, then this is the only thing you need. So, this ID is meaningless because it’s just a bunch of letters and numbers, and that’s it. But in a certain context, it means value, it means a particular record on that blockchain. So, this was the idea, but of course, because of this full anonymization, there might be problems in terms of tracking the money in funding arms, etc. So, the cryptocurrency exchanges actually were made to verify the identity of the person. So, if they were made to verify the identity of the person, one of the ways of doing that and tracking from the exchange from regular money to cryptocurrency and back could have been done. But if you have a connected account to that exchange, of course, you can verify it by asking the person to wire a little sum of money to your account, and then you know the name and you know if it’s a real person. Of course, there’s also the picture of the ID, etc, involved.
S: So, fraudsters, knowing that this is what the cryptocurrency exchanges actually ask from regular people, what they did is they created a fake cryptocurrency exchange. So, they made a website which claimed “Hey, if you register with us, then you’re able to purchase cryptocurrency.” And of course, as part of registration to that website was the fact of doing this wire and maybe even uploading your ID. But what the first thing we’re actually after was this wire. Because in this particular scam, what they were doing is they were actually taking credit using your data. So, they were using the fact of the wire of the one euro wire in order to actually get the money out of the person. Of course, what was also interesting is it had to happen in parallel, meaning that the moment when the person was registering to this fake cryptocurrency exchange, in the background, what the fraudster was doing in an automated way, of course, they were putting that data that the person was thinking that he’s putting into the cryptocurrency exchange platform, they were putting into the regular business of lending, where the fraudsters were, in the end, getting the money from the credit. The person was thinking that he’s setting up an account for his cryptocurrency exchange, but in the end, the fraudster was ending up with this money from the credit but the liability and the need for the person to repay the loan stayed with the original owner of this fake cryptocurrency account.
B: So, the stage here, I guess, the scam would have been, it wasn’t just the one euro but they were telling them that they had to fund the account with a certain amount of money.
S: So, of course, later on, it’s all about getting the money from the digital lender to the fraudsters. And then, of course, this person being liable for the credit.
B: So, we’re not talking about them saying, “You need to send one euro.” We’re talking about them saying, “If you want to fund your account, then send X number of dollars to our exchange.” And the exchange is really non-existent.
B: So, what do people do when you hear about these things? Can you give us any examples of things that you’ve done when you hear about these things? How do these things come up in Nethone’s day-to-day? What are you doing with your clients that you see this where someone says, “I got scammed for this amount of money.”? And is there really anything that can be done about it or is it just you have to prevent it, I would think, at the point of attack?
S: So, this is an interesting topic in general. So, firstly, when it comes to credit cards, the interesting thing is that when somebody steals money from your credit card or debit card, it’s not really you who are liable because the card scheme – Visa, MasterCard, AmEx – has set up rules behind the use of credit cards in a way that the person who has been issued the card, always can claim a chargeback. And in terms of claiming a chargeback, that means that when I claim a chargeback and that somebody has stolen data from my card and used that data to steal money from me, I will get my money back. And of course, the actual entity who will pay that money is the merchant who has originally taken money out of that card. So, the users usually are very much protected. Who is not protected too much is the business owner. And of course, that’s why the business owners employ solutions like that because they need to actually save themselves from chargebacks. Of course, chargebacks also are a tool to make sure that the business owners are not the ones who are scamming the users. Because you can claim a chargeback not only because somebody has stolen the money out of your credit card but also because the goods are not as described as in the offer because there was some mistake on the merchant side. So, of course, this is a two-sided weapon but always meant to protect the user themselves in these terms.
B: So, how is that changing with cryptocurrency? I guess it’s because it’s a direct transfer to the exchange – the money is just gone.
S: That’s interesting. That actually depends on the way the regulation in a particular country works. But this is a clear use of somebody’s identity in order to commit fraud. So, the person, in a legal way, has to claim that somebody has stolen their identity, and then they have to get that money back in that way. Or actually, fight the fact that somebody is trying to get those installments from them. And that’s far harder. So, in terms of the use of credit cards, and in terms of wires, basically, wires based on the account numbers, that’s very, very different. So, basically, the wiring of money between accounts is a very different type of transaction done when it’s credit cards because credit cards are governed by the rules of the card schemes more. And you have such rules like chargebacks that allow it easier for the user to actually get the money back from the merchant.
B: So, I want to make sure I’m totally understanding here. Because basically, what I’m understanding from this crypto scam is that there’s a fraudster, they’re setting up a fake exchange, they’re telling people “Come buy Bitcoin, come buy Ether, come buy whatever you’re going to buy.” People come on, they log in, they think that they’re creating an account at this exchange, they send their bank details, the fraudster now has the bank details, and they can use it with the amount of money that’s been authorized to purchase crypto. And that seems to be the scam.
S: So, here the scam is more around the fact that when the person is thinking that they’re buying cryptocurrency or creating an account for cryptocurrency, what they’re really doing is they’re taking a loan. And of course, if you’re taking a loan, somebody will wire money to an account. And then, of course, depending on how the fraudster will set up the whole scam and how the digital lender operates, they will either be able to say, “But wire the money from the digital lender to a different account,” or they will still need to convince the user to wire the money out of the credit loan to them. But the scam here around the cryptocurrency concentrates mainly on the fact that the fraudster is able to steal the digital identity of the person, and then use that digital identity for various outcomes.
B: So, we’re talking mostly about account takeovers here as the main attack.
B: So, what’s the most amount of money that you’ve ever seen somebody get taken for? And then what are some of the things that people are doing to try and protect themselves?
S: What I can say is that, because what we mostly see, of course, being on the side of the merchant themselves, it’s not that we have one person that somebody has taken money from them, we see whole rings of fraudsters. They’re using all those identities. And here I’m using the word “identity” in the broad sense, meaning somebody’s digital identity can be the card number because, of course, that’s what identifies your account and from where you can take your money. Of course, it can be this login to your bank account, and that can be used also to actually perpetrate a multitude of scams. So, what we see is that we were able to track rings of 200 transactions that occur in a span of half a year that later on we’re able to say, “This was actually done by one fraud ring.” And this is also an interesting thing that happened over the time is that the fraud is professionalizing. Of course, we’re on the other side, so as the people who are trying to try to secure the space, what we’re doing is we’re actually raising the bar for fraudsters.
S: So, a homegrown fraudster is becoming harder and harder for them to perpetrate fraud. So, what they’re doing is they’re actually also professionalizing. You get places where you have walls of cell phones put in order to perpetrate multiple frauds, because if you have a solution that tracks a device identity, device fingerprint, then you need hundreds of devices if you want to commit that fraud. So, what we see is that, actually, fraudsters try to find a loophole. When they find a loophole, they will perpetrate the fraud until they get caught on that. And then you can really see that they actually are operating through a multitude of those identities, committing these hundreds of fraudulent activities. And this is actually just one kind of like company. You were talking about the fact that they might get a job, our perspective is that this is actually a job for them. [29:03 inaudible] Serious fraudster, there’s serious fraud, and there is serious preparation. And even more interesting, today, you can actually go on certain websites with ads, with YouTube channels, with YouTube videos, that will even promote their services. And of course, they won’t promote as we’re helping you commit fraud, but they say point-blank, “We are helping you to anonymize yourself in the internet. But not only that, we’re also enabling you to use multiple digital identities.” That’s already suspicious. But what’s even more interesting is that those tools allow you to feed the tool with a stolen digital identity.
B: Have you ever seen one of these things up close? One of these gigantic walls of cell phones?
S: I saw pictures. I didn’t go into a physical place. But yes, I saw pictures of those. And I have to say that we do see those walls but in a digital sense.
B: So, when they use those types of tactics here, they’re not using the same account on each one to see if it gets through. They’re using 100 or 200 iPhones that are each running through however millions of identities that they’ve stolen, right?
S: Yes. Not only that but what they also might do is that they might set up virtual machines on those cell phones. So, each cell phone might be actually generating 20 more digital identities. Because what the fraudster is trying to do is, firstly, anonymize themselves slowly. And secondly, vary any attribute that they are transmitting to the merchant, in order to become as unique as possible, because that makes it harder for solutions as ours to track them. So that’s why the solutions on the other side have to be as comprehensive as possible in order to get them at some space that they were not able to either change because, of course, they are limited. Even if it’s a wall of 100 phones, it’s still not a lot. With those 100 phones, you have to have 100 emails, you have to have 100 IDs. So, all this is limited. And what we often see is that the fraudsters make mistakes, in the sense that they will reuse one of those in some other scam. And that’s when we were able to connect those two interactions and see that [31:54 inaudible] we’re able to connect two digital identities which should not be connected.
B: For all its sophistication and virtual machines inside of a wall of iPhones, it’s really coming down to a semi-brute-force attack, where they’ll just have 20,000 credentials, and they’ll decide they want to attack this specific merchant, and they’ll try 20,000 different purchases to try and get one of them to stick with that merchant where they’ll successfully purchase something fraudulently.
S: So, I would say that there are two ways of doing that. One is exactly brute force. And there’s the intermediary of the fact that you’re purchasing from other fraudsters, the stolen data. And what’s interesting is that, of course, if you were a fraudster who’s selling a database of credit cards and you are a fraudster, you won’t send it once, you will sell it multiple times.
B: No honor amongst thieves.
S: No honor. So, it devalues in time. So, they have to buy 100,000 credit card numbers, and they know that they have to chip in on that very quickly. Because if they want, that means that the value of the purchase database will go lower and lower.
B: And that’s because the accounts have already been used and flagged as fraud ones.
S: By some other fraudsters, exactly. So, that’s one way. And then doing that is also interesting because then you can use those in multiple purchases, not only in one purchase. You can use it with one merchant and then the other, etc. So, brute force is more universal; you’re able to attack the whole eCommerce. But there is another strategy that you can take and you can choose a particular merchant or choose a particular bank that you want to attack, and then you are far more specific in what you’re doing.
S: Another interesting scam that we have seen is the Coronavirus scam and the vaccine for Coronavirus. When the Coronavirus hit, multiple people have got messages. And this happened in Poland is that they got a text message saying, “By the regulation of the Polish entity that governs health, if you want to get a shot against Coronavirus, please pay the 70 PLM. Here’s the link.” And people got those messages. And when you click the link, actually what you were shown is a true website, or something that looked like a true website, of PSP (Payment Service Payment). And of course, the only difference from a true website was the URL because they are copying fully the visuals of the website, what they’re not able to do is change the URL. So, they are not able to use the real URL of the website. But what they will often do is they will try to change one letter. Or a new way of doing it is they will use a letter from a different language that looks the same. So, even the URL looks almost exactly the same as the real URL but it’s not the real URL. And then, of course, people – what they were doing, they were choosing their bank website, they were clicking their bank website. They thought they were going to their bank’s website, they were validating the whole process. But actually what they were doing is they were wiring money to the fraudster themselves.
B: So, they’re basically impersonating the site and doing it pretty much invisibly to the naked eye. Even if somebody was looking for it, they make it as [35:54 inaudible] as possible.
S: Yes, and sidestepping the second factor. Today, what’s very popular is the second factor; you get the message to your phone, and then you rewrite the code from there. But of course, if the fraudster is impersonating the site of the payment service provider plus the bank that you have your account with, then you will get the message. But then you will just rewrite that code to the website, and of course, what the fraudster is doing in the background there at the real website of the bank, and they’re just putting those numbers there themselves.
B: Well, Sasha, I really appreciate it. I think that’s some really excellent, excellent advice and some really amazing stories. So, I really appreciate you taking the time to share them with us at Merchant Fraud. Crazy times we live in; walls of cell phones, impersonating government websites. It’s a strange new world. A brave new world, as they say.
S: I have to say, we’re all moving more and more to the internet with the rise of chip and pin cards. Fraudsters also pushed away from copying magnetic stripes to committing fraud in the internet, which kind of makes it easier for them. And of course, we need to secure ourselves even more and be very, very conscious of what we’re doing on the web. You have to be conscious when somebody is calling, what they’re asking you. If you don’t know the person who’s calling you, if you don’t know the number who’s calling you and they ask you for any personal data, of course, you have to be very, very vigilant in providing that to any website, to any person because if not, then there’s a high chance that, at some point, the fraudster will get a hand on that data. And that’s why data security is so important, that’s why protection by the merchants is so important.
B: So, why don’t you tell everyone where they can find Nethone on the net, and then we’ll sign off.
S: So, www.nethone.com, that’s our website. And of course, there’s a contact form, you can hit the contact form and we will schedule a call with you. We are also providing some one-on-one consultations in July. So, if you would like to talk with me or anyone else from Nethone a bit more on Machine Learning around fraud, or setting up the best security for your website, not necessarily through Nethone, but basically, we provide one-on-one consultations in July. So, if you’d like that, then you’re also able to sign up for that.
B: Well, thank you again. And keep people safe from those walls of cell phones.
S: Thank you very much for having me. And we will.
B: All right. Bye.