ACCOUNT TAKEOVERS

I am quite new to blogging and this must be the reason why I am still excited to prepare long articles for you to read. “Ganado pa kumbaga”.

Last year, a prominent socialite came to the Office to refer a friend who was supposedly victimized by a credit card syndicate. Accordingly, the victim’s credit card issued in the United States had been used to make hundreds of thousands of pesos worth of unauthorized purchases in various merchant stores in Luzon in a buying binge which took place all in 48 hours. The victim likewise claimed that she only knew of the unauthorized purchases after she received her billing statement which prompted her to verify from the issuing bank. During verification, she learned that someone had actually requested for a change in billing address with further instruction to send the renewal card in the new address.

In my sixteen years of work in this Office, I have practically seen all types of modus operandi using credit cards. The traditional method of card fraud which involved that of stealing someone’s credit card and then forging that of the owner’s signature on the transaction slips has already mutated into the “complicated” and sometimes sophisticated way involving modern technology. Fraudsters have never failed to “dazl” me with new forms of techniques which require an update of skills and knowledge just so that we can cope with the talented counterparts.

The past two years, the more prevalent forms of card fraud are those involving that discussed in the above scenario, skimming, unauthorized applications and those involving the internet.

Let us discuss the first.

The above type of card fraud is ordinarily perpetrated by organized crime syndicates using the Postal Office as a source of valuable information about their prospects. Oftentimes, companies abroad which are obviously unaware of the condition of the postal system in the country mistakenly send billing statements (bank statements) via regular mail. Once these reach the hands of unscrupulous postal employees who have uncanny abilities to know if an envelope contains valuable items, material information about a cardholder becomes accessible to the suspects.

You may ask then how is it possible for these people to open mail matters without having to damage the envelope. In reality, there are solvents, such as cleaning fluids made either of carbon tetrachloride or trichloroethylene which when sprayed to the envelope makes it temporarily translucent allowing suspects to peek into the contents. Likewise, without the need of any chemical, suspects would simply steam or “refrigerate an envelope allowing it to open and close afterwards leaving minimal trace of tampering.

As soon as the envelopes have been opened, the suspects would be able to know the account holder, account number, local address and other related information followed by a series of verification with their contacts with the census office. The contacts would then provide other information about the card holder including but not limited to birthdate, birthplace, civil status, name of spouse, parents, children’s names, and other relevant information. Since the card was issued by a foreign based company, the suspects would think that the cardholder must have been issued a passport and the next logical verification would be their contacts in the foreign affairs department.

The passport application of the cardholder is a “treasure” of sorts to a card syndicate. In the said document very material information are revealed such as the current address, civil status, children’s name if any, spouse name if any, employment, and most importantly the signature of the cardholder. As soon as these information are acquired, the syndicate performs “social engineering” to determine other details which are not available from the documents secured.

Social engineering, is a method which is utilized to acquire information without the use of any tangible tool but merely the ability to speak of the person needing the information. The ability to speak of a person allows him to penetrate the defenses of an intended victim and ultimately gain his trust and confidence into acquiring valuable information about the victim or others.

I know of someone, who does not necessarily perform fraud but has mastered the art of social engineering. In fact she is so good at it that I cannot help but grin when I think of the times when she has “socially engineered me into giving information- confidential and otherwise. She is a sort of “human lie detector machine” so to speak. Really dazzling!

This method (of social engineering) applying to credit card fraudsters allow suspects to call a cardholder’s office and residence and acquire information that are not available from the documents secured. Information are easily secured when the persons with whom suspects talk to haphazardly release information such as “cellular phone number”, nicknames, hobbies and others without having to notice that they are being had.

With all these information available, suspects may now prepare a letter to the card company to request for a change of address and cellular phone information of the cardholder. As the signature of the cardholder is already available, the same becomes a template in the letter or becomes a reference for forgers to copy. As soon as the letter is received by the card company, they call the cardholder, now the suspect, and ask security questions to determine if the cardholder was indeed the one who sent the letter.

I really don’t know why card companies, which are supposed to be well-financed institutions, have not improved in the manner by which they ask security questions from cardholders. To this date, card companies still limit their security questions to “personal circumstances” of the cardholder which are readily accessible to a talented fraudster who has mastered the art of verification and networking. Why can’t card companies ask questions which are really very personal to the cardholder and not those which are “publicly accessible” anyway? Those questions which only the cardholder knows, not even by the persons very close to him? This question may be: “who was your first kiss” or “who is your greatest love” or “what is the significance of MARIAN PEDAL in your life”. I may sound funny but am willing to bet my balls this will work.

Likewise, I don’t know how many of foreign card companies bother to contact the cellular phone number originally listed in their records before contacting the new number as suggested by the syndicate. In one case a card company said that they thought that since the letter sender was able to indicate the old mobile number in the letter, they somehow believed that the request was genuinely sent by the cardholder.

Once the renewal card is sent to the new address, the syndicate will just have to sign at the back of the card and have it activated by phone where again, security questions will be asked. The syndicate would breeze through the security questions then proceed with their shopping spree.

You will be amazed that syndicates do not actually target high value items all of the time for their purchases. While they do buy high-value items for their personal caprices, most of the time purchases would be over the counter medicines, groceries, phone cards and mobile phones which may be easily disposed.

Next time I will discuss skimming and the other forms of fraud and how to avoid them.