$200 Million Card Fraud Scheme Alleged

18 Arrests in Global Case that Reveals Cross-Channel Gaps
By Tracy Kitten, February 12, 2013.

Arrests in connection with an alleged $200 million global credit card fraud ring offer an important reminder about gaps in cross-channel and cross-account fraud detection, says one anti-money-laundering expert.

Banking institutions must practice more due diligence when it comes to account activity monitoring – and greater reliance on big data would help, the expert advises.

On Feb. 5, federal authorities arrested 13 individuals allegedly connected to one of the biggest payment card schemes ever uncovered by the Department of Justice. The defendants’ alleged criminal enterprise – built on synthetic, or fake, identities and fraudulent credit histories – crossed numerous state and international borders, investigators say.

The scheme involved the creation of false identities used to create fraudulent credit profiles, falsified information to establish creditworthiness with the credit bureaus and large loans that were never repaid by the fraudsters, according to court records that were recently unsealed.

The defendants have been accused of moving millions of dollars through accounts under their control, as well as wiring millions of dollars overseas. An investigative analysis of 169 bank accounts allegedly used by the defendants, their “sham” companies and/or complicit businesses identified $60 million in proceeds that had flowed through the numerous accounts, with most of those funds being withdrawn in cash, investigators say.

Additionally, those charged allegedly wired millions of dollars to Pakistan, India, the United Arab Emirates, Canada, Romania, China and Japan, authorities say. Due to the massive scope of the case, which involved more than 25,000 fraudulent credit cards, loss calculations are ongoing. Final figures may grow beyond the confirmed losses of more than $200 million.

Cybercrime experts from the Federal Bureau of Investigation have been investigating the case for 18 months. Several other individuals allegedly connected to the scheme were arrested earlier. So far, 18 individuals have been charged with bank fraud and face up to 30 years in prison and a $1 million fine.

Difficult to Trace

Micah Willbrand, director of AML market planning for LexisNexis’ financial services division, says the two-year alleged scheme, which involved opening numerous business bank accounts, establishing high-scoring credit reports and moving funds to accounts in high-risk international markets, should have raised flags sooner. Unfortunately, international schemes are often the most difficult to trace, he says.

Bank Secrecy Act and AML regulations do not require banks to identify or scrutinize the recipient of funds associated with high-risk transactions, Willbrand says. “Laws and regulations today only require that the bank have KYC [know the customer] in place for the sender, not the receiver of money,” he says.

And financial institutions have been reluctant, until recently, to push the envelope. Jurisdictional challenges related to international transactions would require banks to do a lot more leg work to verify the authenticity, risk and identity of a recipient to parallel the due diligence and KYC controls they have in place for senders, Willbrand says.

But card fraud schemes demonstrate why it’s imperative to have KYC controls in place for both senders and recipients, he adds.

“With FACTA [Fair and Accurate Credit Transactions Act], all countries are realizing we need to know more about who’s receiving the money. We need to be more transparent about how money is moving around the world, and that is something everyone is coming around to.”

Moving Money

Authorities charge that the defendants and their conspirators in this case allegedly created more than 7,000 false identities and fraudulently obtained tens of thousands of credit cards they used to purchase lavish goods and stockpile large sums of cash.

The enterprise allegedly maintained more than 1,800 so-called “drop addresses,” including houses, apartments and post office boxes, used as the mailing addresses for the synthetic identities. These IDs were used to create dozens of sham companies that did little or no legitimate business, investigators allege. Through those sham companies, the defendants and their co-conspirators purchased credit card terminals used to run up charges on fraudulent credit cards, authorities charge.

The sham companies established merchant accounts with merchant processors, investigators say. Those processors deposited funds they received from the credit card companies for charges made by the sham companies into business bank accounts opened by the alleged criminal enterprise. If a merchant processor shut down an account for some reason, the conspirators established a new business name and applied for new terminals, investigators allege.

The fake companies also served as “furnishers,” providing false information to the credit bureaus about the credit histories of the synthetic identities they had affiliated with the companies. They then used lines of credit to increase their borrowing ability from card issuers and added authorized users to their credit card accounts to improve credit histories.

Authorities charge that the alleged criminal enterprise also relied on complicit businesses, including several jewelry stores in Jersey City, N.J., to conduct sham transactions on fraudulent cards to receive the proceeds from the credit card companies. Those proceeds would then be split with the alleged conspirators, investigators say.

“This elaborate network utilized thousands of false identities, fraudulent bank accounts, fake companies, and collusive merchants to defraud financial institutions of hundreds of millions of dollars in order to facilitate extravagant lifestyles they could otherwise not afford,” FBI Special Agent David Velazquez says in the arrest announcement.

The Big Data Challenges

Willbrand says banking institutions have not done enough to monitor accounts or risk profiles after the initial review at account opening.

“Transaction monitoring and core banking systems, when they do risk ratings, tend to work in a vacuum,” he says. “They set rules and say if something goes outside those boundaries, something is wrong. But the systems don’t take into account any customer information or due diligence after the account is created.”

Once the bank accepts who the owner of an account is, then that account owner is not typically reviewed again, Willbrand explains. “If they had gone back to review some of these identities in this case, then some of that would have come out sooner,” he adds.

Credit reporting bureaus, however, are building in more monitoring around synthetic identities, Willbrand adds, but their information is limited. “They are only looking at their files, rather than comparing their information with all of the other data out there, like where these ‘identities’ live and have lived, what their profiles are internationally, and what their credit is with the other bureaus.”

Those challenges are amplified when transactions and accounts start crossing international borders. Data about identities is not combined internationally, Willbrand says. The only way to get an accurate profile is by cross-checking public records with utility bills and bank accounts around the world, he says.

Banking institutions are just starting to address some of these big data concerns, Willbrand adds. “[Recently] we have seen a high level … of attention being paid to enhancing this due diligence area.”

Willbrand says the manual review and overlaying of information can be too demanding for some banking institutions, especially smaller ones. But a number of companies are now offering automated or partially automated services to help banks and credit unions develop more inclusive profiles of customers and members, he says.

“To a certain extent, it is a big data approach,” Willbrand says. “It allows you to bring out red flags that you would not have been able to raise four or five years ago.”
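The cross-account review described above can be sketched as a linkage check that groups accounts sharing an identity or a mailing address before any per-account rule is applied. This is an added example, not code from the article or the investigation; the record layout, thresholds and sample rows are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample records (not data from the case): one row per account.
ACCOUNTS = [
    # (account_id, identity, mailing_address, deposits, cash_withdrawn)
    ("A1", "id-001", "12 Elm St, Apt 4", 90_000, 85_000),
    ("A2", "id-002", "12 ELM ST APT 4", 120_000, 110_000),
    ("A3", "id-003", "PO Box 77", 60_000, 58_000),
    ("A4", "id-002", "PO Box 77", 40_000, 39_000),
    ("A5", "id-004", "9 Oak Ave", 50_000, 2_000),
    ("A6", "id-005", "31 Pine Rd", 30_000, 29_000),
]

def norm(addr):
    """Crude address normalisation: case-fold and drop punctuation."""
    return " ".join("".join(c if c.isalnum() else " " for c in addr.lower()).split())

def find(parent, x):
    while parent[x] != x:
        parent[x] = parent[parent[x]]  # path halving
        x = parent[x]
    return x

def linked_clusters(accounts, min_identities=3, min_cash_ratio=0.8):
    """Group accounts that share an identity or a mailing address, then flag
    groups with many identities whose deposits mostly leave as cash."""
    parent = {}
    for acct, ident, addr, _, _ in accounts:
        nodes = [("acct", acct), ("id", ident), ("addr", norm(addr))]
        for n in nodes:
            parent.setdefault(n, n)
        for n in nodes[1:]:
            parent[find(parent, n)] = find(parent, nodes[0])
    groups = defaultdict(list)
    for row in accounts:
        groups[find(parent, ("acct", row[0]))].append(row)
    flagged = []
    for rows in groups.values():
        ids = {r[1] for r in rows}
        deposits = sum(r[3] for r in rows)
        ratio = sum(r[4] for r in rows) / deposits if deposits else 0.0
        if len(ids) >= min_identities and ratio >= min_cash_ratio:
            flagged.append({"accounts": sorted(r[0] for r in rows),
                            "identities": sorted(ids), "cash_ratio": round(ratio, 2)})
    return flagged

if __name__ == "__main__":
    print(linked_clusters(ACCOUNTS))
```

Account A6 has a high cash-out ratio but stands alone, so it is left to ordinary per-account rules; only the group of three identities tied together by two shared addresses is flagged.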

Source: BankInfoSecurity


One thought on “News

  1. SFA Reporter says:
    The Hague, the Netherlands
    13 February 2013

    Spanish Police, working closely with the European Cybercrime Centre (EC3) at Europol, have dismantled the largest and most complex cybercrime network dedicated to spreading police ransomware. It is estimated that the criminals affected tens of thousands of computers worldwide, bringing in profits in excess of one million euros per year.

    Operation Ransom resulted in 11 arrests – the first was a 27-year-old Russian, responsible for the creation, development and international distribution of the various versions of the malware. He was arrested in the United Arab Emirates and is currently awaiting extradition to Spain. Furthermore, one of the criminal network’s largest financial cells in the Costa del Sol was dismantled. Spanish Police also arrested another 10 individuals linked to the financial cell: six Russians, two Ukrainians and two Georgians.

    Six premises were searched in the province of Málaga, where IT equipment used for the criminal activities was confiscated. In addition, investigators seized credit cards used to cash out the money that victims paid via Ukash, Paysafecard and MoneyPak vouchers, as well as around 200 credit cards which were used to withdraw €26 000 in cash prior to the arrests.

    The financial cell of the network specialised in laundering the proceeds of their crimes, obtained in the form of electronic money. For this, the gang employed both virtual systems for money laundering and other traditional systems using various online gaming portals, electronic payment gateways or virtual coins. They also used compromised credit cards to extract cash from the accounts of ransomware victims via ATMs in Spain. As a final step, daily international money transfers through currency exchanges and call centres ensured the funds arrived at their final destination in Russia.

    Police ransomware is a type of malware that blocks the computer, accusing the victims of having visited illegal websites containing child abuse material or file sharing, and requests the payment of a fine to unblock it. By dressing the ransomware up to look as if it comes from a law enforcement agency, cybercriminals convince the victim to pay the ‘fine’ of €100 through two types of payment gateways – virtual and anonymous – as a penalty for the alleged offence. The criminals then go on to steal data and information from the victim’s computer. Since the virus was detected in May 2011, there have been more than 1200 reported cases just in Spain, and the number of victims could be much higher.

    Operation Ransom was led by the Spanish Police (Technological Investigation Squad of the Central UDEF, part of the General Commissariat of the Judicial Police, with the cooperation of the Provincial Police Station and the GOES from Costa del Sol -SPANISH NATIONAL POLICE-.) and coordinated by Europol and Interpol. Other crucial partners included Eurojust, the attachés of the Ministry of Interior of the Spanish Embassy in Moscow and the Spanish Embassy in the UAE.

    For advice on how to prevent becoming a victim of police ransomware, please read our Tips & advice to prevent police ransomware infecting your computer brochure.
