Advertisement

Feds Bust $200 Million Credit-Card Fraud Ring

By D.J. Murphy, Editor-in-Chief

DJ MurphyEighteen people based in New York and New Jersey were charged in federal court Monday alleging they stole at least $200 million in what could be the largest credit-card fraud ring in U.S. history. The complaint brought by U.S. Attorney Paul J. Fishman, alleges an extensive, complicated scheme in which tens of thousands of credit cards were obtained using more than 7,000 false identities.

The perpetrators are alleged then to have enhanced the credit scores of the bogus identities by providing fabricated information to credit bureaus, enabling the identities to qualify for large loans and lines of credit they turned into cash and never repaid.

Complicating the scheme, said Fishman, the accused fraudsters created “dozens” of sham companies that applied for, and received, credit-card acceptance services including merchant accounts and credit-card terminals. They then ran the fraudulent cards through the terminals pouring money from the fake purchases into the merchant accounts, which they raided. When processors caught on to the fraudulent activity and shut the accounts down, the defendants simply created new companies and moved on to new merchant services providers.

The alleged criminals also leveraged several existing businesses that were complicit in the scheme, according to the U.S. Attorney’s Office in Newark, N.J. Several jewelry stores in Jersey City, N.J. allowed the defendants to use the fake credit cards to run fake transactions on their equipment. Law enforcement officials said these businesses operated multiple merchant accounts simultaneously, enabling more fraudulent transactions to be processed before all the accounts were shut down.

Scope ‘Astonishing’

Establishing identities of this nature and “nurturing” them to the point where they could be leveraged to secure loans and lines of credit, is an uncommon form of identity fraud to begin with, according to Dr. Stephen Coggeshall, CTO of risk management solutions provider ID Analytics and a director of the Council for Identity Protection. Doing so on a scale the defendants allegedly did is “astonishing,” he said.

Identity theft (appropriating the real identity of an existing person) and identity manipulation (changing your own identity to perpetrate fraud) are fairly common, Coggeshall said. But creating what he calls “synthetic identities” (fictitious identities that don’t exist but are plausible due to a real social security number and address) is a much more sophisticated crime. It requires applying for credit cards, and probably getting rejected, a few times.

“If they persist, they may get one through on an institution that doesn’t do the extensive checks that some of the larger banks might do, and be able to establish an identity” Coggeshall explained. “But, I’ve never seen an organized fraud on that scale, creating and establishing that many thousands of these synthetic identities and nurturing them carefully. They had to keep track of who’s who, what credentials they were using, what they had applied for and what credit they had gotten in order to establish and nurture these identities to get them up to good credit ratings so they could steal a reasonable amount of money using those identities. The level of care and effort and precision these thieves achieved is astonishing.”

Coggeshall also said catching fraudsters that successfully establish synthetic identities is much more difficult than nabbing those using stolen or manipulated identities. But, he said the fact that the defendants in this case created more than 7,000 identities but used only 1,800 addresses is likely one of the factors that led law enforcement to the perpetrators as commonalities like the same address on multiple cards is a red flag that most antifraud systems catch.

Underwriting Failure?

Creating the identity for a business that doesn’t exist is, if not easy, Coggeshall said, straightforward. Getting a merchant account, however, shouldn’t be. How the “dozens” of fictitious businesses involved in this scam were able to slip through the risk management cracks of processors, acquirers, ISOs and other merchant services providers speaks to overworked underwriters and the natural tension that exists in these companies between diligent risk management and the pressure to onboard merchants, according to Matthew Parker, executive advisor at ContractPal, a New York City software provider that automates part of the underwriting process for merchant services companies.

“Merchant processors have to strike the balance between being too strict and blocking potentially good customers and not being strict enough and letting fraud happen,” Parker said.

Good due diligence takes time and effort in a manual underwriting environment, Parker noted. Some of the things an underwriter might need to do when evaluating a potential merchant client include matching addresses to actual locations, seeing if a company has readily apparent privacy or delivery policies and terms of service, a Better Business Bureau record, complaints on file, a working Website, etc.

“All this takes a lot of time,” he said. “And, frankly, most underwriting departments are swamped. They’re underfunded. The marketing departments have these big pushes and all of a sudden you have tons of applicants signing up and the bottleneck is the underwriting department at a merchant processor.”

The merchant processor thinks, ‘we spent the money on the marketing, we have to book the business.’ And the pressure to cut corners in the underwriting process mounts, he said, resulting in a situation where entirely fabricated businesses receive merchant accounts and the ability to accept credit-card payments.

Losses May Grow

Law enforcement agents from the FBI’s Cyber Division and the U.S. Secret Service, postal inspectors, representatives of the U.S. Social Security Administration and various financial institutions and merchant services providers were involved in the 18-month investigation. According to U.S. Attorney Fishman, the massive scope of the conspiracy, which began in 2007, may result in the final loss figures eclipsing the $200 million confirmed losses.

Each defendant was charged with one count of bank fraud, which could result in a maximum penalty of 30 years in prison and a $1 million fine.



Advertisement


  • Kmart Latest Breach Victim - Oct. 14, 2014

    Kmart Latest Breach VictimAfter a brief respite as the main target of hackers, a major retailer is in the news after experiencing a breach of its network security. Sears Holdings on Friday acknowledged the POS systems at an unknown number of Kmart stores have been compromised.

  • Two Companies, One Video? - Oct. 14, 2014

    Two Companies, One Video?Two startups trying to change the way consumers use payment cards launched with eerily similar marketing videos. CardNotPresent.com got to the bottom of the mystery.

  • MasterCard Mining Facebook In The Outback - Oct. 9, 2014

    MasterCard Mining Facebook In The OutbackMasterCard and Facebook have signed a two-year agreement in Australia that will give MasterCard access to anonymized Facebook user data the payment network will then offer to its financial institution clients to use for marketing purposes, according to published reports.

  • JP Morgan Chase Breach Could Be Largest Ever - Oct. 6, 2014
    JP Morgan Chase Breach Could Be Largest EverJP Morgan Chase, one of the largest financial institutions in the world and the largest issuer of credit cards in the U.S., disclosed in a securities filing on Thursday that its systems were hacked last summer potentially compromising the accounts of 76 million individuals and seven million businesses.
  • eBay Spins Off PayPal - Oct. 2, 2014
    eBay Spins Off PayPalOn Tuesday, eBay formally announced a move that had been expected, and agitated for by activist shareholders, for some time: PayPal will be spun off as its own independent, publicly traded company during the second half of 2015.
  • Fifth Third Launches Payments Division - Sept. 29, 2014

    Fifth Third Launches Payments DivisionCincinnati-based regional bank Fifth Third Bank, several years after spinning off its processing arm into the company that would become acquirer Vantiv, has thrown its hat back into the payments ring with the formation of a new Payments and Commerce Solutions division.

  • PayPal Opens Door to Bitcoin for Digital Merchants - Sept. 25, 2014

    PayPal Opens Door to Bitcoin for Digital MerchantsPayPal signed agreements with digital-currency processors BitPay, Coinbase and GoCoin so that PayPal merchants that sell digital goods can accept Bitcoin and process the transactions through one of those providers by integrating to them through the PayPal Payments Hub.

  • Home Depot Confirms Extent of Breach - Sept. 22, 2014
    Home Depot Confirms Extent of BreachOn Thursday, Atlanta-based do-it-yourself hardware chain Home Depot confirmed that the data breach it acknowledged on Sept. 8, which was first reported by security blogger Brian Krebs on Sept. 2, exposed the information of 56 million unique payment cards, officially making it the largest retail card breach ever reported, according to multiple sources.
  • Zooz Customers Tap into China with Alipay - Sept. 18, 2014
    Zooz Customers Tap into China with AlipayZooz, an Israeli payment service provider serving large enterprises, yesterday said it reached an agreement with Chinese online payment method Alipay that will enable its merchant clients to accept payments from Alipay's 300 million account holders.
  • Feedzai Partners with Azul for Faster Decisioning - Sept. 11, 2014

    Feedzai Partners with Azul for Faster DecisioningFeedzai, a Big-Data analytics company that provides antifraud technology, yesterday said it has partnered with Azul Systems to juice up its real-time data analysis enabling the company's solution to take more data into account when deciding if online transactions are fraudulent.

  • MCX Launches Long-Awaited Mobile Payment Pilots - Sept. 4, 2014
    MCX Launches Long-Awaited Mobile Payment Pilots MCX, the merchant-backed mobile payment solution that was announced about two years ago and has been shrouded in secrecy since, yesterday announced its mobile wallet and app would be available in several pilots over the rest of 2014 and roll out nationally in 2015.
  • Jumio, IDology Partner for Simpler ID Verification - Sept. 2, 2014
    Jumio, IDology Partner for Simpler ID VerificationJumio, a Silicon Valley-based online and mobile credentials management company, and identity-verification technology provider IDology, late last week unveiled a partnership that will enable companies to use government-issued photo IDs for verification purposes in card-not-present environments.

Advertisement

 

 

Sign Up Today Free

Receive the twice weekly CNP Report and monthly feature articles providing in-depth examinations of global CNP issues.

Please take a moment and register.
* First Name:

* Last Name:

* Password:

* Confirm Pwd:

* Email:

* Category:

Company:

 
Captcha
Answer:

 

 

CNP Archive

Researching companies or people in the CNP industry? Search our past coverage for targeted news and information.

Search here