Identifying the Fraudsters
Not all fraudsters are the same; they differ in their motivations, skills, techniques and potential activities.
On this page I discuss the different types of fraudsters and their motivations. In understanding a fraudster’s motivation you can gain a better understanding of the tools and places where they get information on how to infiltrate your site and commit fraud. Common fraudster profiles include:
Crackers are individuals attempting to gain access to a website or system with the intent of using that activity to steal from the business or individual. They are not trying to prove anything. They don’t want publicity. They want money, goods or information you have.
The cracker is a fraudster, and is an individual that both you and your IT information security personnel should be focused on. These individuals are using the same sites and materials as the hackers, but have crossed the line from proving their ability to attempting to profit from it.
Phreaks are crackers with a major in telephone, cell phone and calling card fraud. Their intent is to steal telephone time, and to use it or sell it on the street. Phreaks focus on sites that sell telephone, cell phone and calling cards. They will target these products and will attempt to move as much of them as they can in as short a time frame as possible.
Phreaks are very focused on certain product types. Some phreaks will stand in public places and memorize people’s calling card numbers to resell on the street. Other phreaks set up fake identities to purchase mobile phones they use or sell on the street. Still other phreaks focus on stealing pre-paid mobile phones and extra minutes. You may have seen these individuals in big cities selling cell phones, all ready for use, with super low charges, or on one of the auction websites selling calling cards and prepaid mobile phones. You would be amazed at just how much telephone time is stolen annually by phreaks.
For hacktivists, think of a hacker with an agenda. These folks are the political activists of the fraudsters. They will attempt to hack or crack under the guise that they are serving a higher cause, and they feel this act is a justifiable means of protest. There are plenty of causes to go around, from stopping fur, animal-tested cosmetics, cigarette sales and the use of oil, to saving the environment or simply protesting the government.
The hacktivist will gain access to a site or system with the firm intent of malicious activity. Whether they personally profit from the act is not of general importance to them. These are the ones who may not steal from you, which is typically not their style, but who will put in a nice tasty virus to shut you down.
Script Kiddies are your casual fraudsters. They are not hardened fraudsters, and although the idea of potentially pulling off a fraud and profiting from it is nice, they are also motivated by the excitement of doing the theft.
The Script Kiddie may be a teenager, college student or highly technical individual who finds out about a tool or method to commit fraud and actually attempts to use it. The Script Kiddie is not a sophisticated criminal. They will be using tools and methods that are widely published, like card generators. They are typically easy to see and stop in your fraud-prevention strategies. Threats of prosecution, use of third-party branding that shows additional fraud checking, and fake information gathering (such as gathering the card security number, but not checking it) are typically enough to scare them off.
White-collar criminals are those individuals that attempt to defraud a business from the inside. These individuals are motivated by greed and money, and they exploit inside information and/or access for personal profit. The white-collar criminal could be working with external fraudsters, gangs, or individuals. There are many different definitions for white-collar crime, but for the purposes of card-not-present fraud, I label white-collar criminals as either active or passive.
The active white-collar criminal is one that directly attempts to steal consumer data to process fraudulent orders against that business or other businesses. They may directly place orders into the system, or monitor and accept orders that they know are fraudulent.
The passive white-collar criminals are the ones that pass on information about the policies and procedures to external personnel so they can commit the fraud. They are paid by the other criminals, and they feed them the information those criminals need to stay under the radar of the merchant’s fraud-prevention activities.
With all of the news on break-ins, stolen information, fraud and abuse, how do you make sense of all of the different characterizations of fraudsters? Hackers, crackers, phreaks and hacktivists — it sounds like a bad horror movie. But there are some good reasons to understand what these terms mean.
First, you get a feeling for the motivation of your fraudster: why they are committing fraud. You also get a feel for how likely they are to repeat their crime, or whether it will mean others will repeat the crime. Finally, you get an understanding of the tools and places where they get information on how to infiltrate your site and commit fraud.
The following short business case describes each of the fraudster characterizations. The intent is to give you a high-level view of the motive and potential activity of a particular fraudster characterization. Actual fraudsters could do more or less than the example I give. The examples are not intended to be all-inclusive, but should provide a good reference point.
Business Case - ABC Electronics, Fraudster Characteristics
ABC Electronics is a well-known electronics retailer with over 1,200 direct retail stores in 9 different countries (the United States, Canada, the United Kingdom, Ireland, Germany, France, Sweden, Italy, and their newest stores in China). ABC Electronics also has very active channels in mail order, telephone order and e-commerce, with 20% of their overall revenue coming from these non-direct channels.
Providing businesses with computer and office automation equipment has always accounted for the majority of the mail and telephone order sales they receive, and approximately 18% of their non-direct business comes from MOTO. Their web business, however, has been growing at a phenomenal rate of over 500% per year, and currently they receive another 1,000 orders per day from it.
ABC Electronics was a little rushed when they implemented their web site and they didn’t have the time to implement real-time payment processing. They decided to store the order information from their customers and process it in a batch during non-peak hours. ABC Electronics relies on a staff of four fraud reviewers residing in their call center to review all e-commerce and MOTO orders for fraud. Since their web-based business was not really a significant amount of the overall revenue, the web-based orders were typically the last ones to be reviewed, if they were reviewed at all.
Motivation: Prove technical prowess
The Hacker may attempt to see if they can access credit card data. If they can, they may add an order or pull a list of orders from your system, which may include personal data and credit card information of consumers.
Motivation: Make money, steal anything possible
The Cracker will directly attempt to put in orders, or to pull out the credit card data to use for fraudulent activity.
Motivation: Make money, steal phone-related products
The Phreak would be the fraudster attempting to steal the company's prepaid mobile phones and their calling cards.
Motivation: Make a statement
The Hacktivist is the individual that will gain access to your systems to plant a virus, protesting your newest stores in China over human rights conditions.
Motivation: Excitement, make money
The Script Kiddies are the ones attempting to use freeware card generators to make purchases on the website.
Motivation: Make money, their business
The criminal gang would be working orders against the unprotected website.
Motivation: Greed, make money
The White-Collar Criminal would be providing individuals or gangs with the information about the website being unprotected.
Hackers are individuals that attempt to gain access to computer systems and websites of businesses or individuals to be able to say they can do it and prove it to their peers. The activity of a hacker is not designed to steal or defraud an organization, but instead to prove the hacker’s technical skills.
Hackers will typically leave a calling card in the systems they hack to prove to others they have been there, by leaving a piece of code, or taking a key piece of information meant to prove the hack was successful. Hackers want publicity — that is why they are doing it. They are not necessarily looking for tons of publicity, news and such, but there is a hierarchy of hackers, and they need to publicize their hacks to move up in that hierarchy.
On the websites dedicated to hacking you can see this hierarchy, and how hackers have to contribute to gain entry into the society. They have to show proof of ability. There are a number of these sites out there such as 2600, PHRACK (Phreaking & Hacking) and WAREZ. And there are a number of magazines dedicated to hacking. Hackers use tools called “warez” which are tools and devices they have developed to infiltrate websites. The fact is the tools for hacking a site are easily available on the Internet, and if your site is hacked you had better fix the holes they have shown you, or else others will try the hack as well.
The hacker is not someone you should focus on in preventing fraud. The folks in your IT Department, responsible for information security, should be focused on stopping hackers. The hacker is not the one who will commit fraud on your site, but the information they gain may be used by others to defraud you.
The hacker is someone who may attempt to see if they can access credit card information, a hot thing in the news these days. If they can, they may add an order or pull a list of orders from your system, which may include personal data and credit card information of consumers. They would post parts of this information to prove they had gotten in. With this information posted on a hacker website, a potential fraudster could find holes into a merchant’s or bank’s systems to pull all of the personal information, including credit card data, to use for fraudulent activity. They could also find hacks in systems to get in and learn your fraud-prevention processes.
One last note about hackers and the hacking community. If you get the “itch” to check out their sites, make sure you take strong virus and security precautions, as these sites are notorious for downloading items onto your computer just by visiting them. These little “gifts” they leave behind can collect data residing on your computer, learn your passwords or even take over a camera that may be attached to your computer, through which the fraudster can sit and watch everything you are doing.
The criminal gang is an organized group who intend to steal money, goods or services from one or more merchants. The criminal gang has multiple people involved in their scheme and will put as much effort into hiding their activity as they do into actually committing the fraud.
The criminal gang thinks big. They aren’t really likely to be the ones trying to steal consumer data from your systems; they are the ones using stolen consumer data from skimming to move product from your site. They will set up drop points and fake addresses for coordinated thefts at multiple merchants all going to a single address, which will disappear the next day. They may also use freight forwarders to move product out of the country.
Audacity is a word I would use to describe the criminal gang. One of the scams pulled off by an organized criminal ring was the collection of consumer debit and ATM card numbers and PINs. The gang created realistic-looking ATM machines. They went out to stores with ATM machines and replaced them with the fake ones, which would collect the ATM card information and PINs. The ATM machine would tell the consumer the network is down and the consumer would wander off. The next day they came back and replaced the old machine. Then they harvested the numbers and started to withdraw money from the ATM cards.
Another excellent scam pulled off by criminal gangs is the setup of fake websites that have the exact same look and feel as a real website, through which they can collect logons and passwords. The gang sets up a fake website with the same web address as the real website except for a one-letter difference. It pulls up a site that looks exactly the same and collects the logon and password information, which the gang then uses to break into the accounts to send themselves money or steal credit card data. There was a very well publicized case of this with PayPal in which the gangs set up websites like www.paypalnet.com, www.paypa1.com, and www.paypalsecure.com.
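A defender-side check for the lookalike addresses described above, as an added example that is not part of the original article: it classifies a hostname against a protected brand name using digit-for-letter folding, brand-substring matching and edit distance. The function names, the homoglyph table and the `legit` allow-list are assumptions made for illustration.

```python
# Added example: flag hostnames that imitate a protected brand name.
# HOMOGLYPHS is a small illustrative table, not an exhaustive confusables list.
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "|": "l"})


def edit_distance(a, b):
    """Levenshtein distance using two rows of the dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify(host, brand="paypal", legit=("paypal.com",)):
    """Return a label describing how `host` relates to `brand`.

    `legit` lists the domains the brand really owns (assumed here).
    Every label except the TLD is inspected, so the brand hidden in a
    subdomain of an unrelated domain is caught as well.
    """
    host = host.lower().rstrip(".")
    if any(host == d or host.endswith("." + d) for d in legit):
        return "legitimate"
    for label in host.split(".")[:-1]:
        folded = label.translate(HOMOGLYPHS)   # paypa1 -> paypal
        if label == brand:
            return "brand-on-foreign-domain"   # e.g. paypal.<other tld>
        if folded == brand:
            return "homoglyph"                 # digit standing in for a letter
        if brand in folded:
            return "brand-plus-words"          # brand with extra text attached
        if edit_distance(folded, brand) <= 1:
            return "one-letter-off"            # single typo-style change
    return "unrelated"


if __name__ == "__main__":
    # The three addresses quoted in the article, plus the real site.
    for h in ("www.paypal.com", "www.paypalnet.com",
              "www.paypa1.com", "www.paypalsecure.com"):
        print(f"{h:24} {classify(h)}")
```

Run over newly registered domains or over the referrer and link hosts seen in customer reports, anything other than `legitimate` or `unrelated` is a candidate for review and takedown.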