Language

Card-Not-Present Fraud

Know Your Fraudster: Understanding Threats on the Criminal Spectrum

January 5, 2018

For this guest blog, former hacker and card-not-present fraud pioneer Brett Johnson outlines specific fraud threats your business may face as a consequence of doing business online. 

I give a lot of presentations to a lot of different groups. Usually, I start the presentation talking about being on the run, making the US Most Wanted List, and escaping from prison. I’ll segue over into the current state of cybercrime, then dive into the current popular cyber crimes that are targeting the audience to which I am speaking.

It’s a three-act structure, closing with advice on how to protect oneself from the kind of person I used to be.

One important piece of advice I stress is for the person or business to know where they stand in the criminal spectrum.

In other words, what can a fraudster gain by deciding to target you or your business?

Understand the answer to that question and you’ll better understand what you need to do to protect yourself or your organization.

Let’s apply this question to the area of card-not-present (CNP) fraud. CNP fraud is the most popular type of credit card fraud on the planet. By 2020, current projections have CNP fraud losses at $7.2 billion.

Personally, I think that estimate is low. CNP fraud is the bread and butter of the online criminal. Nowhere is it more popular than in the USA, where 77% of merchants in the US are online.

What does that mean to a fraudster?

It means, “Oh, happy day!”

It also means a fraudster can pick and choose targets. He can pick from a variety of merchants and products suited for his skill level as a criminal and, more often than not, find success.

The takeaway here is that credit card fraudsters of different skill levels tend to target different types of CNP merchants.

Let’s break it down, starting with a beginner credit card fraudster and working all the way up to an expert.

Digital goods

Digital goods include gift cards, services, tickets, software keys, etc. Fledgling carders begin here because they don’t need to manage anything other than an email address outside of their carding setup… if that. A fraudster can card virtual items one of two ways:

  1. He will card digital goods to an email address he directly controls.
  2. He will card the items directly to a buyer.

He doesn’t have to physically touch anything. He doesn’t have to worry about setting up drop addresses or fencing a bunch of physical items. Everything is done online. Easy. That isn’t to say only newbies card virtual items. Carding virtual items spans the skill set of carders.

Countless expert fraudsters steal large amounts of money defrauding various travel service providers.

Physical items

As a carder becomes more skilled, he almost always moves over into carding physical items. Carding physical items can be broken into three segments:

  1. Physical items to drops controlled by the carder.
  2. Physical items carded to buyer drops.
  3. Physical items carded to a reshipper.

In order for a carder to set up a drop address—a throw away address, usually an empty home, where he can receive stolen merchandise—the item he is carding has to be valuable. The payoff has to be enough to get out of bed, travel to the drop address, pick up the stolen merchandise, all with a chance of being arrested.

That’s not to mention the process of fencing carded goods on eBay, Craigslist, Facebook, or elsewhere. Typically, that means phones, laptops, expensive jewelry, and other top dollar items.

The problem is there are many online goods which aren’t valuable enough for a fraudster to set up drops and go to all the trouble outlined above. I’ll cover how fraudsters capitalize on these merchants make money in my next post.


Follow Emailage on LinkedIn and Twitter (@emailage)

Click here to discover how to get secure, intelligent risk assessment using just an email address. 

close-link
close-link
close-link