Law-Enforcement Vets Improve CNP Antifraud Efforts at Growing Number of Retailers
StubHub case shows investigation and prosecution can work with technology to reduce fraud
By Chuck Brown
Eric Boles had the inside track as he worked with authorities to crack open an international cybercrime ring that accessed more than 1,000 StubHub accounts to commit fraud. The results of that investigation to date were made public last week with the arrest of 7 suspects.
With a background as a U.S. Secret Service agent before joining StubHub as senior manager of its Global eCrime Investigations Unit, Boles and his team had aggressively pursued other fraud cases with the intent of having the perpetrators prosecuted. And his Secret Service background definitely worked in his favor as he collaborated with police and prosecutors in this latest probe.
Prosecuting cybercrooks and making them pay for their crimes is yet another weapon in the CNP arsenal; yet it appears that not many companies are taking advantage of this very powerful tool.
“We realized early on that focusing solely on mitigation of fraud would never stem the tide of malicious activity. It’s a zero-sum-game. It’s whack-a-mole,” explains Boles, who joined StubHub, an eBay-owned company based in San Francisco, two years ago. “Eventually, the cost of doing business would be too great, as cybercriminals continued to proliferate within the commerce ecosystem.
“The only true way to combat threats from cybercriminals is to raise the cost of the attack for the attacker. One great way to raise the stakes is to hold those committing cybercrime accountable for their actions. The best tool available to us in this fight is the legal system. If fraudsters didn’t believe they were above and beyond the law, there wouldn’t be nearly as many cybercriminals to contend with. We set about changing the way we looked at the prosecution of cybercrime.”
Boles said he and his team of investigators – some of whom are former law enforcement – are responsible for linking fraud transactions on the StubHub site to organized criminal activity, and then working with law enforcement and prosecutors to pursue criminal investigations and secure prosecutions.
“We also actively work with Threat Intelligence to maintain a safe e-commerce site for our buyers and sellers as well as respond to complaints of phishing/spam against the StubHub brand,” he said, noting that StubHub has the largest dedicated investigations team of any event-ticketing company.
Following a similar prosecutorial approach is Micro Center/Micro Electronics Inc., a brick-and-mortar computer-and-electronics retailer headquartered in Hilliard, Ohio, with locations throughout the United States. Micro Center also operates an e-commerce division.
“We have zero tolerance for criminals that commit fraud at Micro Center,” said Skip Myers, director of loss prevention for the company. “We have always had a policy of prosecuting criminals that commit fraud against the company.”
Myers, who has worked for the firm for more than 20 years, formerly was a detective in the Criminal Investigations /Crimes Against Property Unit in Atlanta, Ga. He was hired by Micro Center to start up their loss-prevention program, and has since built his team in much the same way Boles has, with a mix of people from private industry and law enforcement.
“I believe that a company needs to send a strong message to the criminal element that they will prosecute,” he said. “This commitment sends a message to the bad guys that Micro Center is not an easy target and that we will pursue those who commit crimes against the company. It’s this resolve and attitude that is part of the culture at Micro Center. Our program involves an intensive analysis of fraud trends, suspicious transaction variables, and method-of-operation commonalities.”
Both Myers and Boles said they have seen a reduction in fraudsters on their sites and are convinced this is the result of their efforts to prosecute cybercriminals.
“We believe that the ‘chilling effect’ has had a similar effect on shoplifters at our retail locations,” Myers added.
Both men pointed out that any company looking to establish a prosecution program needs to lay the groundwork with authorities in order to achieve results.
“One way to help law enforcement, and to help your own efforts, is to develop law enforcement relationships before you need them,” he said. “At StubHub, we never approach a new agency with a case. We invest a great deal of time and energy meeting with new agencies as we travel about the world in the furtherance of our business.
“The most common question posed to new law-enforcement patterns is: How can we help you in your current investigations? We offer our law-enforcement partners training, briefings, and intel, reinforcing our commitment as partners in the fight against cyber threats. This level of investment means we tend to be top of mind, and we are able to get resources on critical issues much faster than if we approached an agency cold.”
Boles and Myers said their law enforcement backgrounds are beneficial in dealing with authorities and understanding what they need.
“My background in investigations and understanding of criminal procedure helps me understand what information and evidence is required for a prosecutable case,” Myers said. “I understand what the investigator and prosecution are looking for in a criminal case. We like to work each case as far as we can prior to calling the police and asking for their assistance. When we deliver a case that has been thoroughly investigated to the police, it shows respect for their time and gives the police confidence that they can trust what we say. When I was an investigator, I always appreciated when a company or victim of a crime went the ‘extra mile’ to help with my investigation. It made me want to work harder for them.”
Despite the success they’ve seen in aggressively pursuing prosecutions, both men said this approach isn’t as widespread as it should be.
“I have spoken to numerous colleagues from other companies who say that they have an ‘acceptable level of fraud’ and do not prosecute criminals,” Myers noted. “There is no acceptable level of fraud at Micro Center. We decide to be proactive as opposed to being reactive to criminals that commit fraud against the company. We do not want to be an easy target to the criminals. Rather, we would like to ruin a bad guy’s day through the use of basic crime prevention techniques that include deterring, delaying, and detecting the fraud.
“More has to be done for companies to feel comfortable with investigating and prosecuting cyber criminals. We need to communicate better and foster relationships with the law enforcement community to effectively fight fraud.”