Blog

Fraud: by a Fraudster

Former fraudster Alexander Hall was never one to follow trends. And he’s living proof that businesses aiming to fight fraud are up against some truly innovative opponents.

While most crooks in his circle of acquaintances were busy purchasing or selling stolen credit card data on the dark web and then bragging about their exploits either there or on social media, he forged his own, more discreet, path.

“The problem with obtaining information on the dark web is that there’s no guarantee that you’re the first one to have purchased it. It may have been used to commit other crimes, and there’s a better chance that the true owners of the information have either cancelled the card or gotten law enforcement involved” Hall said. “People are doing a lot of work and taking on a lot of risk to not get paid well.”

“Besides,” he said, “the market for stolen credit card data is fairly saturated.”

Adept at converting information into money – more on that later – Hall would occasionally offer his services to a high-level drug dealer who had obtained identity information from an underling, but had no knowledge of how to profit from it. “He’d ask me, ‘what can I do with this?’ and I’d take a 40% cut of whatever money I could make with it.”

Rather than continue to let somebody else take a large cut of the profits, Hall was soon in business for himself.

“I had a team of addicts working under me who would do almost anything for another hit. They’d break into businesses – doctors’ offices, lease management companies, mortgage companies, essentially any business that runs a credit check – and use widely available password-bypass tools to steal the information I needed, for the price of a dose of their drug of choice.”

With a wealth of identity information at his disposal, the venues for exploiting it were diverse.

Hall would create his own checks in the name of a fake or stolen identity, complete with fake MICR (magnetic ink character recognition) numbers, which he’d deposit into a large number of bank accounts that he’d opened using stolen identity information. Before the check cleared, he’d drain the account.

Another scheme was to create a check stub that appeared to originate from a valid employer and present it to a payday loan company as proof that he’d been paid in the past – a tactic that could pay-out as much as $3,000 at a time.

Insurance companies were another target. Hall would open an account under an assumed identity, then ask for a refund before the check cleared. “It’s amazing how the left hand doesn’t talk to the right hand at these organizations. There would be absolutely no attempt made to recover the loss.”’

When asked about using synthetic identities to create an account, Hall replied, “That’s not how fraudsters talk. They just talk about building and fleshing-out profiles.”

Hall has had quite a bit of experience with that. 

“Stolen credit card numbers have an established line of credit, but I could also start from scratch and build the profile’s credit myself.”

He’d start with a stolen Social Security number and name, but never that of a POW or MIA soldier: although theft from this demographic is common, Hall made it known among his circle that the practice disgusted him. He’d then search geographically for where the best credit ratings were likely to occur, so he’d end up with a fake identity that would be likely to start off with a high credit rating. 

Hall would then obtain a prepaid phone, using a fake ID and credit card, and reassign the phone to the name on the fake profile. 

“It’s easy to call in and say, I’d like to assign this account to my brother.” 

With identity information and a bill to pay, he’d employ the services of legitimate credit-boosting services such as Experian that use timely payment of bills as evidence of creditworthiness. He’d even go as far as to get LifeLock on his fake identities.

With a better credit rating and a history of using the account to pay bills, banks see the identity as trustable, and it’s possible to make-off with larger amounts of cash.

A man with an aptitude for mathematics, Hall moved from theft of information (association with drug addicts is a dicey proposition) to a scheme that didn’t involve the inclusion of others.

Using a checksum formula called Luhn’s algorithm – a validation tactic used by credit card issuers to ensure that a random number can’t be submitted to a merchant in place of a valid credit card number – Hall started creating credit cards from scratch and using them to make purchases.

Bank account takeovers were another specialty of Hall, who says that often, all it takes are a name, Social Security number, a billing address, and some smooth talking. 

When asked how he knows when a particular fraud scheme has gone far enough, he replied, “I have a directive: four abuses, and get out.” 

Now that he’s out of the game for good – the birth of his first child was the impetus to go legit – he figures that the door is closing on many of the types of crime he used to commit. New technology, like Pipl SEARCH, is making it more difficult for fraudsters to mix and match information to create full profiles – and more difficult to hide the true identity of the person who’s created them. 

When asked what fraud-prevention advice he has for merchants, Hall responded, “First, I’d advise merchants to pay special attention to the processes involved in transfers of value. Depending on the industry and the size of the company, they might have between one and fifteen processes that a fraudster might seek to exploit. Each transfer has policies and processes that need to be evaluated for weaknesses. 

“One idea that became especially relevant in 2020 was the adoption of card-not-present processing by businesses who were not prepared for the risks and vulnerabilities that come along with it. Curb-side pickup, telephone orders, online portals, etc. all have a great potential for customer service and convenience (and more), but without proper understanding of the associated risks, many businesses are now struggling with chargebacks (both malicious and "friendly fraud") stemming from a lack of relevant fraud prevention.”

“Data management is another important consideration,” Hall said. “I strongly advise that fraud prevention service providers and businesses become thoroughly intimate with the value of the data that they have available to them. Whether that comes in the form of identity information, device IDs, data-point networks, or just a customer history in a proprietary database, the information available is powerful and tells a story. With more data, more of the story is available, which then stands to lead to more accurate chargeback determinations. This will help to balance fraud prevention and customer service.”