In this second installment of a two-part series, former hacker and card-not-present fraud pioneer Brett Johnson outlines specific fraud threats your business may face as a consequence of doing business online.
So, how does a crook capitalize on merchants and make money?
Here’s a fairly recent example that illustrates how fraudsters make money on low-dollar physical goods. In October of 2016, the Darknet was buzzing with news that the website of a well-known coffee machine maker was wide open for fraud. The website could be easily carded by the most novice fraudster using only the Tor Browser as a carding setup.
The problem was that the most expensive of these machines retailed for only slightly more than $300. For a fraudster, resale meant getting only around $240. Hardly enough money for a carder to set up his own drops and run around picking up stolen goods.
The worst thing in the world would be to sit in jail and have to tell the other inmates you got arrested picking up a coffee maker.
It’s nearly impossible to live down that level of embarrassment.
So how to make money on these items?
In this case, the fraudster cards the items directly to the addresses of legitimate buyers. Leading up to Christmas Day, one could head over to eBay, search for that brand of machine and see several sellers listing hundreds of the machines for 80% of the retail price. They sold like hotcakes to countless buyers. And fraudsters walked off with massive amounts of money at $240 a pop.
Of course, sometimes fraudsters want to receive expensive items, but live in areas where it is impossible to receive such goods. The answer is to use a reshipper. The fraudster will card the item directly to a mail forwarding service, to an unsuspecting person who thinks they are working as a freight forwarder, or to someone complicit in the crime who takes a percentage of the stolen loot.
Carding physical goods falls mostly to intermediate carders. Again, expert carders also steal large sums of money in this area, but most fraudsters here are only moderately skilled.
Payment processor fraud
$20,000 a week. That’s a typical amount an expert carder can expect to rake in while engaging in payment processor fraud. New payment processors pop up every day offering to accept and process credit card payments for businesses and individuals.
Defrauding them involves setting up bank accounts, drops, various IP addresses, RDPs, aging accounts, laundering money and more.
It takes a fraudster with an expert level of skill to successfully run an operation like this without attracting the attention of law enforcement.
Another area of CNP Fraud practiced by more skilled fraudsters is phone spoofing. A fraudster bypasses all online security, spoofs a card owner’s number, and calls into customer service to place an order, take over an account, order replacement cards, and so on.
By calling in, the fraudster only needs to convince the person on the other end of the line that they’re the real customer. Usually, that person is the lowest paid and the least educated in the company.
Beginner fraudsters avoid the phone like the plague. They lack the confidence it takes to speak to someone on the other end of the line. As they become more skilled, they learn the value of using the phone and often incorporate it.
Almost a fringe type of crime, but no less popular because of it. A fraudster orders an item online and either walks into the store to pick it up personally or hires someone to pick it up for them. Skill level varies.
Often newbies will card and do the pickup themselves, while experienced fraudsters will hire some dummy to walk in and show their faces to all the store cameras and staff instead of walking in themselves.
So, where are you in the fraud spectrum?
Figuring out where your organization fits in the CNP areas outlined above provides many benefits. You better understand the skill level of the person trying to steal from you. Is the attacker a novice? If so, the anti-fraud measures needed against that level of attacker are far different from the measures needed against an expert carder.
Furthermore, knowing how a fraudster will make money on your goods or services better prepares you for the attack that will be coming. Knowing how a fraudster operates teaches you where to apply your defenses.