The fraud industry: Expect to be KYC’d by criminals when buying stolen credit cards on the dark web
Feedzai’s Richard Harris explains how machine learning is used to play cat and mouse with sophisticated fraudsters.
Professionals in today’s fraud industry may come equipped with some kind of know your customer (KYC) regime to validate buyers of stolen credit card numbers, a bizarre inversion of the sort of financial services protocols designed to stop white collar crime.
Anyone can go on the dark web and start searching for opportunities to buy stolen credit card numbers, but the people brokering this data may require some evidence that you are not a time waster or an undercover cop.
Richard Harris, head of international operations at Feedzai, which uses machine learning to do real-time fraud detection for banking and ecommerce, explains: “If you just want to go and buy, people are going to want to start validating – it comes down to an identity issue for them.
“They will want to do some kind of KYC on you as a buyer to make sure you are not an undercover cop. There are various ways for them to start to validate that you are who you say you are.”
Harris said some websites begin with a perfunctory request that the buyer produce some stolen card numbers of their own to show they are in the game. “There are various websites like that where undercover cops have been caught out and exposed. Like anybody else, they are in business and they take the security of their business seriously,” he said.
Things have moved on from the public conception of a hacker in a hoodie who might hack the Pentagon’s website one day and steal some credit card details the next. That was 10 or 15 years ago. Today this is a business, pure and simple. It is about money, and lots of it: in a recent hit in Japan, a criminal gang made off with ¥1.4bn (£8.9m, $13m) from over 1,400 ATMs in under three hours. They simultaneously targeted teller machines located in Tokyo, Kanagawa, Aichi, Osaka, Fukuoka, Nagasaki, Hyogo, Chiba and Niigata. The Japanese police suspect more than 100 criminals were involved in the heist.
“That was a professional hit,” said Harris. “You have spent your time. You have profiled the individuals; you have got your data. You have got into the bank system and got the cards issued. You’ve got the cash moved into those accounts and then you take it down in a matter of hours and in a military operation. These guys are good. They know what they are doing.”
There are people who make their living out of acquiring and collating data about you from places like Facebook and then selling it on. Harris walked through some of the finer points of industrial level data brokering. “There are bulletin boards out on the dark web of people who will just buy and sell that information. They will sell that to credit card fraudsters, or maybe they are credit card fraudsters and they are just looking for information to round out the profiles that they have got.
“If I’ve got your name, your address and your credit card number that’s great, but I can also fish for data like those classic security questions that you are going to get asked: your mother’s maiden name or the names of your kids, your first pet, and all of those other things which I’ve got off one of those website pages where it’s click ‘like’ if you like this.”
Data thieves want your 3D-secure password, and all of those other bits of data; you already have this profile because you have already answered those security questions. For instance, all over cities like London people set up “sniffers” (fake wi-fi hubs offering free connectivity) to sift through traffic and steal thousands of pieces of data.
It is a numbers game, assisted by the speed with which information can be processed and the cheap cost of storage, said Harris. “If I buy a thousand credit card numbers off the dark web, I only need a few of them to track out. So the quality of the data doesn’t even have to be that good.”
Like legitimate ecommerce businesses, those operating in this space have reputations to protect. A real professional looking to buy some stolen credit card numbers on the dark web might require 100 test ones to prove the quality of the merchandise. They would run a script – easily downloaded from the internet – that might fire out small transactions to online merchants or small charitable donations to get an idea what percentage of cards are live and useful. This way they can ascertain how much to pay: $3 per card, $5 per card or $10 a card depending on the authenticity.
“These guys have feedback pages and comments sections and Amazon-style reviews on how good they are. They can even give you a money-back guarantee if they are not good. They have got reputations to defend. This is a real business. They get really upset if you give them a bad review.”
A professional might also target certain BIN (bank identification number) ranges of cards, aiming at a particular bank, from which they may already have a load of personal information. “Now I can marry these together. If I have got a really good personal profile of these people and I have the credit card data, I look pretty good. Now I have got more scripts which I can pull out that just buy stuff.”
“Or if I have got more people in my team maybe I just put a roomful of people making purchases for me with lists of credit card numbers.”
Harris said some recent arrests happened at a house in the south east of England, where about 25 people sat at computer screens with lists of credit card numbers buying things constantly all day. Apparently they were caught because they called an internet provider to give them more leased lines and bandwidth, and the cable installer noticed what they were doing and called the police.
Those arrested were connected to an international criminal gang. In this case they were from Asia, but it could be anywhere; Harris said he has seen gangs from Brazil, Russia, Africa, and the UK. These gangs are not doing credit card fraud in isolation, but generally in conjunction with money laundering, which is usually also connected to older, more established black market activities including guns, drugs, prostitution, people trafficking and so on.
“If I’m a people trafficker and I’m trying to move a group of people from Eastern Europe to somewhere to the UK, well, I’m already a criminal; I’m already doing something illegal. Why would I pay the airline for those flights?
“I have got the stolen credit card numbers from another guy who is part of my organisation and whose job it is to be part of the financial support for my network. I am going to take the credit card numbers from him and going to use them to book the flights for my people to London.”
Harris said this is a big issue and he has worked with hundreds of airlines in situations like this. Things like event tickets are also popular, but really any goods or services that can be fenced or sold can be turned back into money which is untraceable: put into electronic wallets around the world or shifted via money transfers, for example.
Harris said smart criminals will not attack targets in the country they inhabit, which makes it hard to ever bring them to justice. He said there was about a 1% chance of this kind of stuff being prosecuted in the US, and if it is prosecuted, there is probably a less than 10% chance of you actually getting convicted because it is so hard to bring all the evidence together.
“How are you going to track them down? It becomes an Interpol issue.”
While the chances of professional gangs being caught are low, big data and machine learning counter-measures, such as Feedzai’s, make the criminals’ success rates also very low.
Harris has battled fraudsters for over 15 years at the likes of Visa, PayPal, Dell and American Express. He likes the dynamism of pitting advanced data science and machine learning techniques against such versatile adversaries.
He said: “If you are always six months behind the bad guys with a really good model, it doesn’t matter. They have been making money for six months while you have been figuring out what they have been doing and getting it into production. And they know that.
“It’s a game of cat and mouse. Key is being able to spot the MO, fix the problem with something put into production right now. Not having to go through that waiting and deployment process in fraud is really important.”