Mike Braatz of Memento Security talks about credit card bust-out schemes in the wake of a series of arrests in New Jersey. The complex schemes can run for years and may be the biggest source of banking fraud – but you didn’t hear that from the banks.
When FBI agents descended on Sang-Hyun (a.k.a “Jimmy”) Park and crew in September, it was the culmination of months of investigation of a sprawling criminal enterprise that brokered and sold false identities to New Jersey residents, while simultaneously using those stolen identities to extract millions from banks and credit card issuers.
The criminal conspiracy, outlined in a 10-count, 138-page criminal complaint in the U.S. District Court in New Jersey, was just the latest and most prominent instance of what experts say is the hottest trend in bank fraud: credit card bust-out schemes. In an age of sophisticated banking Trojans and phishing attacks, bust outs are decidedly low tech in their approach: they rely on large networks of willing conspirators, including brokers who cull stolen or fenced identity documents, credit build-up specialists and collusive merchants who help build up fat credit lines for those identities, then the bust-out specialists who are charged with extracting as much cash as possible from those credit lines and transferring it to safe accounts offshore.
Still a relative obscurity in the public eye, bust outs are a big problem for banks and credit card companies, which are on the hook for almost all the losses incurred by these schemes, according to Mike Braatz of anti-fraud firm Memento Security. Despite that, Braatz says that in the tightly regulated and monitored banking industry, you won’t hear banks talking up bust-out fraud, which may constitute the single biggest source of fraud-related losses, but generally isn’t treated as bank fraud — and that’s not good. What’s needed, Braatz argues, is more transparency about the dimensions of the bust-out problem facing banks, and better technology for piecing together emerging bust-out attacks.
Threatpost: Most people have never heard of credit card bust out schemes. How common are they?
Mike Braatz: They’re very common and growing. It’s increasingly easy for fraudsters to get access to identity information, whether it’s stolen or manufactured to start the scheme. So that’s one factor. The other is that fraudsters are collaborating more. They’re specializing. You’ve got folks who just do identity theft, then sell that information on the black market. Other criminals pick that up and use the information. So there’s formal and informal cooperation. You’ve got access to modern technologies that make creating fake IDs and other stuff easier. You can also look at how competitive banking and financial services is and how they’re making credit and funds more available to customers. You can deposit an envelope in an ATM and get access to those funds immediately, regardless of whether the money is in that envelope or not.
Threatpost: It seems as if identity theft is step one in bust out fraud. Is that correct?
Mike Braatz: Yes. In many cases, these scams use manufactured IDs. In (the Park) case, they used valid Social Security Numbers, combined with valid IDs, which they used to open up credit card accounts. The other reason is that it’s really easy to open credit card and bank accounts online. Most credit card bust out fraud or bank bust out fraud is perpetrated by first parties who set up the account for the purpose of committing fraud against the bank. They set up the accounts, transact normally for some period of time to get their credit limit raised. And once that happens, they use their knowledge of how banks process transactions — they’ll go to jewelry stores and liquor stores and buy fenceable goods. They’ll max out their credit line, then pay off that charge, then max it out again. It’s legitimately a multi-billion dollar problem, but it’s hard to quantify. Banks and card issuers don’t have their arms around this problem.
Threatpost: These are huge and complex scams, but they rely on lots of foot soldiers and collusive merchants. That must make it very difficult for banks to spot these scams.
Mike Braatz: Yes. One thing our analytics look for is real merchants who are used for the purpose of committing the scheme. If you know what to look for, you start to see connections between a small number of merchants and the network of accounts that use those merchants in ways that are atypical of normal account behavior. There’s a matrix of accounts and merchants that allow you to zero in on the network before they bust out. Sometimes it’s accounts opened with a smaller number of Social Security Numbers or addresses. If you’re monitoring weblogs, you might notice that they’re performing maintenance for a number of accounts from a handful of different computers, so the small number of IP addresses is a risk factor, as well.
Threatpost: One of the big problems in spotting these scams is that they span different financial institutions, so it can be difficult to correlate data across different banks. Is there any effort to start sharing that kind of data?
Mike Braatz: There are organizations that are making strides to facilitate cross bank analysis. It’s not as far along as regulators would like to see, but there are organizations that are trying to make that happen, so that you have one clearing house of bank transactions. But it’s not a reality today.
Threatpost: Banks already spend considerable amounts on fraud monitoring, but clearly there are blind spots in the existing analytics. What are they?
Mike Braatz: Few institutions use tools that can uncover bust-out schemes. Even those that do don’t always spot them. There are a couple different ways to come at the problem. The common way is to start at the fraud incident and spider out from that to see the connections between the account holder and perpetrator – social and transactional data, where the funds are flowing into or out of and just spider out to see if that incident was connected to one of these things. The problem is that that approach is reactive and only works after at least one bad event has happened. You can do your spidering before the network is complete, but then you can tip (the fraudsters) off. So you can start at the bottom and work up, which is the common approach that fraud teams use, and there are basic tools to do the spidering, but they’re ineffective. The other way, which we take, is to recognize in any set of data – whether it’s transactions or reference data – the networks and connections between these entities. So multiple accounts that share a phone number. That in itself isn’t much – you can have husbands and wives that share phone numbers, so that is low risk in and of itself. The trick is to have analytics that can find millions of connections from hundreds of millions of pieces of data and zero in on the risky ones. If you present the risky networks to the fraud analysts – the few dozen accounts that use a merchant that is suspicious, then the fraudulent networks bubble to the top. That’s the approach that works and that we use.
Threatpost: How do you crack down on these schemes without interrupting legitimate commercial activity because, before the bust out, the charges look like good activity?
Mike Braatz: Banks try all different methods. If they think the activity is suspicious, they might put a hold on the account, call the customer and inquire or shut down the account altogether. There are a few different things they can do, but you have to be careful.
Threatpost: Is there more that can be done to raise awareness?
Mike Braatz: Merchants need to be careful. Jewelry and electronics are particularly popular items for these bust out schemes. But most of the time the victim in these cases is the bank, not the unwitting consumer.
Threatpost: What trends are you seeing with bust out attacks?
Mike Braatz: We’re seeing smaller banks and credit unions start to take fraud more seriously, which is different from five years ago. If you take the top 50 banks, down to billion dollar institutions, they’ve traditionally been targeted and they’ve also seen pressure from regulators, so they fared better. When it comes to check and Automated Clearing House and wire fraud, banks are good about accounting, tracking, etc. with credit card bust outs, but they need to focus on it as a problem, as opposed to accounting for it as a credit loss.