Electronic Fraud – Techniques, Methodologies, and Countermeasures

Electronic Fraud – Techniques, Methodologies, and Countermeasures Michael Schirling April 2008

Context Extortion Credit card generators Fraud Schemes Trojan Horse scenarios Stock Trading Scams Murder Child Exploitation Fraud Identity Theft

Context Armed bank robberies net an average of 7,500 each for an annual total of approximately 60 million. One-sixth of the money is recovered and 80% of offenders are incarcerated. The FBI estimates that cyber criminals net 10 billion annually, averaging 250,000.00 per heist with less than one percent of offenders going to jail (old figure circa 2000).

Cyberspace offenders: A non-exhaustive list Preferential sex offenders Terrorists Spies Hackers – trespasses for achievement Pranksters – defies authority Phreakers/Crackers Common criminals – for profit Disgruntled insiders *****

In August of 2001, a few men were hanging out in a parking lot near the Arlington, Virginia, Department of Motor Vehicles (DMV) office. This was nothing new. Their fee was no more than 100 and most of their customers were illegal immigrants. “According to an FBI affidavit, on August 2, the men in the parking lot were approached by “three Arab males” in a van. The three men were asking about acquiring official identity cards. They accompanied the men in the van to a nearby attorney’s office and swore to their Virginia state residency. The three men in the van returned to the DMV offices with the proper documentation and were issued Virginia identification cards .”

“On September 11, they were among the 19 terrorists who hijacked the jetliners that crashed into the World Trade Center and the Pentagon. Apparently, more than half of the 19 hijackers boarded the aircraft with phony ID’s. Moreover, the terrorist who was convicted last year in the plot to blow up Los Angels International Airport used 13 identities that were pilfered from the membership roster of a Boston, Massachusetts, health club.” “Clearly, identity theft is no longer confined to computer hackers and scam artist who are out to make a fast buck .” Sanford Wexler, Law Enforcement Technology, April 2002, P28

STEALING THE OLD FASHIONED WAY Small gain, great risk Victim can ID you Victim can fight back Police can chase you Gun enhancements Long prison terms

STEALING VIA ELECTRONIC MEANS High profit- low risk No victim contact No weapon use Police undermanned and overwhelmed If caught- probation or misdemeanor The loot is delivered!

Top Personal Fraud Schemes Based on Yahoo Internet Life Assessment

Top Schemes Identity Theft Work at Home Fraud Credit Card Fraud Medical Treatments / Weight Loss Chain Letters Multilevel Marketing Free Goods Bioterrorism Products Auction Fraud

Top Schemes Advance Fee Loans Credit Repair Vacation Prize Promotion Advance-Fee Fraud International Sweepstakes Web Cramming

Common fraud mechanisms Acquiring key pieces of someone’s identifying information in order to impersonate them Name Address Date of Birth SSN Mother’s maiden name Account Numbers PIN’s/Passwords

Frauds Take over financial accounts Open new bank accounts Applying for loans Applying for credit cards Applying for social security benefits Purchase/Sell cars & merchandise Renting apartments

Renting apartments to further other criminal enterprise Establishing services with utility and phone companies Forge/Counterfeit Checks Fraudulent use of stolen credit (checks/credit cards/etc) Commit crimes in another name

How They Do It Use low and high tech methods Shoulder surfing at ATMs Steal your mail Stealing your pocketbook/wallet Dumpster diving Corrupting employees with access to data Check washing Check creation software

Hacking Unlawful entry, trespass, damage to computer systems Leaving/taking/changing information on the computers that are infiltrated

Computer Viruses Computer programs that can damage computer systems Virus’s spread from one computer to another via media, network, internet Virus Software protects your computer (Norton, McAfee, PCcillin and Others) Updates – ensure your software is updated at least weekly

Web Page Fraud / Phishing

“Nigerian” Letter Scam

Protecting Yourself Businesses

Business Exposure Hardware theft Software theft Data theft Data corruption Loss of competitive/proprietary information Loss of employee productivity

Business Fraud Damages Your reputation Productivity Profitability

Cost of Workplace Fraud 400 billion annually according to the Association of Certified Fraud Examiners Insurance Fraud alone 120 billion Approximately 6% of a companies annual revenue is lost to fraud

Preventing Internal Fraud – Your #1 Exposure Hiring practices Know your people Treat people fairly (FBI Espionage Examples) Implement and maintain controls Require countersignatures & stamp incoming checks “deposit only” Have a code of ethics Conduct random audits Use passwords protection and encryption Define the consequences

Avenues of Deception Live – insiders and associates Social engineering attack On-line

Policies Have a policies Post the policies Enforce the policies Make it known that you enforce the policies Revisit the policies regularly

Response Procedures Have an incident response protocol Practice it Keep good logs, even it it costs you a bit more to store them Train your response personnel Develop a relationship with law enforcement and security vendors BEFORE an incident occurs

Check Fraud Risk Checks stored with other material accessible to unauthorized employees (or individuals). Maintenance & service personnel have access to that area. Both blank checks & outgoing written checks are left unattended. Creates employee temptation. PR aspect of fraudulent checks with your company name on them being returned to victims.

Check Fraud Prevention Measures: Store blank check stock in a controlled area. Consider dual access controls Consider a computer program to print blank checks from blank stock Be sure to enforce the computer access controls Review/delete bank authorization immediately after Employees leave the department.

Accounts Payable Controls Risk: Risk: Improper wire, ACH or check payments Internal fraud payments Register states one payee;check another Counterfeit bills Prevention Measures: Use an established institution for conducting ANH & wire transaction Establish a secure electronic transaction system with dual signoff required Pre-establish daily you’re a/P issue report & newly established vendors.

Other Suggestions: Encourage employees to use direct deposit If an employee check is lost or stolen, be sure that they notify payroll immediately. Place a stop payment on the check. Purchase quality checks with security features: Void feature if someone tires to copy your check. Chemical-sensitive paper with background patterns to reduce the risk of alterations. Eliminate duplication of already used check numbers to ensure stop payment can be detected properly.

Other Suggestions: Conduct employee screening check Social security check Reference checks (verify phone numbers) Credit check Criminal check Document, train & enforce personnel policies & procedures

On the Business Side People will try to defraud you of your products and money Insist on full address and phone information on all orders – and verify it Do not accept orders with free e-mail accounts as the return address Use automated IP checking Beware of new payment methods like virtual checks until they have been fully accepted and tested

How to respond to a payment Fraud Check Fraud Check Fraud Contact Account Officer immediately If a check or draft item, obtain a copy of the front & back of the item Identify all “hands” that handled the check (Internally & externally for the investigation). File a police report;provide a copy to your Account Officer Obtain & complete an Affidavit of Forgery for each item (Provided by Account Officer) Notify your insurance carrier (if applicable) Anticipate 60-90 days to process claims

How to respond to a payment Fraud Employee fraud with loss: Consider filing a 1099 for the amount of the loss (You have 3 years to file) Consider offering the employee the option to pay over time within three years at a defined pace to avoid tax filing & related tax consequences

ACH Debit Fraud Contact your Banking Account Officer immediately Account Officer can initiate an “unauthorized transaction” return Account Officer can provide transaction detail, including the identification of the originator to enable you to approach the originator directly for repayment (be sure to ask for proof of authorization).

ACH Debit Fraud File a police report; provide your Account Officer with a copy. Notify your insurance carrier, if applicable Expect 60-90 days to process claims If an employee fraud with a loss: Consider filing a 1099 for the amount of the loss

Wire Transfer Fraud: Notify your Account Officer immediately It may be possible for the Bank to request the funds to be returned to your account, if the receiving account has not used the funds. Be prepared to provide enough detail to your Account Officer to identify the wire transaction Your Bank account number Date transaction posted to your account Dollar amount Currency exchange sued Transaction reference number Receiving beneficiary's Bank name & beneficiary's name

Wire Transfer Fraud: Bank will likely start the process of requesting the funds from the bank that initiated the wire If a series of banks were involved, the transaction must be processed in reverse order thru each bank Shut down the vulnerability that allowed the fraud to occur! De-activate the breached PIN De-activate the User ID/Password Block the account for wire activity If your account number was compromised, transfer to a new bank account number

Wire Transfer Fraud: If the Bank is unable to collect, you may have a loss. If the fraud was accomplished by your employee: Consider filing a 1099

Safeguarding Your Assets Make security of information & accounts a primary concern Timely identification is critical Contact your financial institution as soon as you suspect anything Financial institutions can assist with services to help you effectively manage these risks

Card Present Key Entered Transaction Higher risk of accepting a counterfeit card. Check terminal Match the account number – front to back Check expiration Date Make imprint Obtain signature Verify Signature

Card Present – Unsigned Card Request a signature – Ask cardholder to sign card & provide current government ID Check signature on card to ID

Card Not Present Obtain an authorization Verify the card’s legitimacy Use fraud prevention tools 3 digit security code AVS Still questioning the transaction Call your bank Check telephone number Hold item

e-Commerce Payment Card Industry Data Security Standard Build & maintain a secure network Protect cardholder data Maintain a vulnerability management program Implement strong access control measures Monitor and test Networks Maintain an information security policy Verified by Visa & MasterCard SecureCode

Employee Accountability Fraud prevention training Posting fraud prevention reminders Prevent employee fraud scams Offering rewards/incentives

Potential Signs of Fraud First time shoppers Larger then normal orders Orders include several of the same items Rush or overnight shipping Shipping to international address Transactions with similar account numbers Multiple cards from a single IP address

Potential Signs of Fraud (cont.) Orders using free email services Orders using relay call service Purchasing a lot without regard to size, style, color or quality Makes purchases, leaves the store, and returns to make more purchases Makes large purchases right at the opening of the store or the closing Customer requests additional charge to card & then wire funds to another company ex: shipping expense.

Countermeasures

Computer Security Up-to-date operating system patches Virus Protection Firewall Hardware Software

Preventive Actions Promptly remove mail from your mail box or public areas Deposit outgoing mail in post office collection mail boxes or at your local post office Do not leave in unsecured mail receptacles Never give personal information over the telephone unless you initiated the call Shred pre-approved credit card applications, credit card receipts, bills and other financial information you don’t want Empty your wallet/purse of extra credit cards and IDs

Preventive Actions Order your credit report from the three credit bureaus once a year to check for discrepancies Never leave receipts at bank machines, bank windows, trash receptacles, or unattended gasoline pumps Memorize your SSAN and all your passwords Sign all new credit cards upon receipt

Preventive Actions Save all credit card receipts and match them against your monthly bills Be conscious of normal receipt of financial statements Contact sender if they are not received on time

Preventive Actions Notify credit card companies and financial institutions in advance of any change of address or phone number Never loan your credit cards to anyone else Never put account numbers on post cards or on the outside of an envelope If you applied for a new credit card and it hasn’t arrived in a timely manner, call the bank or credit card company involved

Preventive Actions Report all lost or stolen credit cards immediately Know your expiration dates Contact issuer if replacements are not received promptly

Personal Preventive Actions Beware of mail or telephone solicitations disguised as promotions offering instant prizes or awards designed solely to obtain your personal information or credit card numbers Get a locking mailbox .

Internet and On-Line Services Use caution when disclosing checking account numbers, credit card numbers or other personal financial data at any web site or on-line service location unless you receive a secured authentication key from your provider When you subscribe to an on-line service, you may be asked to give credit card information When you enter an interactive service site, beware of con artists who may ask you to “confirm” your enrollment service by disclosing passwords or the credit card account number you used to subscribe

Credit Reports Who to contact: Equifax Experian Information Solutions P.O. Box 105873 (Formerly TRW) Atlanta, GA 30348-5873 P.O. Box 949 Telephone: 1-800-997-2493 Allen, TX 75013-0949 Telephone: 1-800-397-3742 TransUnion P.O. Box 390 Springfield, PA 19064-0390 Telephone: 1-800-916-8800

Action Steps For Victims Contact all creditors, by phone and in writing, to inform them of the problem Call your nearest Postal Inspection Service office and your local police Contact the Federal Trade Commission to report the problem – www.ftc.gov/idtheft Call each of the three credit bureau’s fraud units to report identity theft Ask to have a “Fraud Alert/Victim Impact” statement placed in your credit file asking that creditors call you before opening any new accounts Alert your bank to flag your accounts and to contact you to confirm unusual activity

Action Steps For Victims Request a change of PIN and new password Keep a log of all contacts and make copies of all documents You may also wish to contact a privacy or consumer advocacy group regarding illegal activity Contact the Social Security Administration’s Fraud Hotline Contact the state office of the Department of Motor Vehicles to see if another license was issued in your name If so, request a new license number and fill out the DMV’s complaint form to begin the fraud investigation process

Complaints Per Year 1992 35,000 1998 550,000 2005 2 Million Est.

Federal Trade Commission

Federal Trade Commission

Helpful Links Federal Trade Commission http://www.ftc.gov/bcp/conline/pubs/credit/i dtheft.htm Internet Crime Complaint Center http://www1.ifccfbi.gov/index.asp State Laws pertaining to Identity Theft http://www.identityrestoration.com/state la ws.htm

Deputy Chief Michael Schirling Burlington, VT Police VT Internet Crimes Task Force 1 North Avenue Burlington, VT 05401 (802) 658-2704 x131 [email protected]