• Share this Episode


09/19/2017 | Episode 6

Are We Encouraging Fraudsters? Interview with an FBI Most Wanted Hacker

Remember Brett Johnson? He's the former FBI Most Wanted Hacker who the Secret Service called "the original Internet godfather." Now, he's a sought-after security consultant who delivered a keynote address at the last CNP conference.

In this episode, Brett shares some invaluable insights into how fraudsters operate. As fraud fighters, we all know what comes to mind when someone says "card-not-present fraud" or "account takeover," but what does a fraudster see that we're not seeing? When do our fraud fighting methods actually stop fraudsters in their tracks...and when do we accidentally encourage them to innovate? Brett takes us beyond the buzzwords, shedding light on the types of fraud we’re overlooking, ignoring, or even promoting.


Roxanna “Evan” Ramzipoor is a content marketing manager at Sift. Her debut novel The Ventriloquists will be released in 2019.


Evan: Welcome to Trust and Safety in Numbers presented by Sift Science. I’m your host, Evan Ramzipoor, here today with Brett Johnson. Last time we heard Brett Johnson tell his personal story about his journey from a life of committing cybercrime to helping businesses protect themselves against just those types of crimes. In this episode, we’ll get his take on some of the fastest growing threats to look out for. But first, let’s warm up with a quick fraud fact. Did you know that mobile commerce companies experience an average of 880 fraud attempts each month since 2016? Of those attempts, 66% were successful. To learn more about mobile commerce and mobile commerce fraud, check out “Mobile Commerce Payments and Fraud by the Numbers” on the Sift Science blog. Now onto the episode. So you do have a security group now, AnglerPhish Security, and what sorts of things do businesses typically hire you to do?

Brett: What I’ve been doing right now is basically going in and showing them the different types of current techniques that cybercriminals use. For example, if you’re looking at using stolen credit cards or opening bank accounts or anything like that, I’ll walk the organization through exactly how the tools that they’re using, how they’re putting those tools together, how they’re going about trying to compromise whatever type of anti-fraud measures they’ve got. So like, for example, a carder, someone who’s using fraudulent credit cards. They may use a remote desktop, they may use a sockspy proxy in combination with a product called Antidetect and VMware. So I’ll show them exactly how that looks, how the Darknet operates, where they go and look for things, the type of communities. I’ll explain the mindset behind what the cybercriminal is doing, how he targets, every aspect of that. Same thing with setting up bank accounts or anything like that.

Recently, I was keynote at the CNP Expo in Orlando, which, outstanding group. And what we talked about was current techniques of ATO fraud, which is account takeover, current techniques of card-not-present fraud, so when you order something online, whether it be a virtual item or you’re having it shipped to yourself or someone else, how criminals operate, how they go ahead and target that, how they pick their targets, and I also taught the people how to best protect themselves from the type of person that I used to be.

Evan: So what kind of fraud that you’ve been seeing a lot of is synthetic identity fraud? Can you tell us a little bit about what that is? Why it’s so common? What businesses and people are doing wrong when they’re trying to prevent it, or maybe they’re not doing anything at all and that’s the problem?

Brett: Well, a lot of it is, a lot of businesses simply don’t understand what it is. For example, I was talking to a group from Wells Fargo two weeks ago about synthetic fraud. Here’s what synthetic fraud is. So basically, you’re taking and creating your own Social Security Number, or you’re using a child’s Social Security Number or an inmate’s Social Security Number. The idea is that you’re using a number that has never applied for credit before. And here’s the way this works. So as a person, you have three credit bureaus. You have Equifax, Experian, and TransUnion. They don’t know you exist until you apply for credit. All right? So what happens is now, criminals are taking advantage of that and thankfully for them, the United States government even helped that out.

In 2011, United States government made the issuance of Social Security Numbers random. So now you can’t look at a Social Security Number and tell which year it was issued or which state it came from or anything like that. It’s all random now. So what you can do as a criminal is you can create or steal a child’s Social Security Number, use that number only, put whatever name and date of birth you want to to it as long as it’s an adult’s date of birth, then apply for credit. As soon as you apply for credit, the initial application for credit is denied, but it opens up a credit profile in that what’s now a ghost in the system. Okay, so it gets you in the credit systems. It then goes through all three credit bureaus, that’s what’s called tri-merging.

Once that’s done, then the criminal starts to try to build up his identity, or his credit profile. Now the way that’s done, he will, first of all, go to someplace like listyourself.net, he’ll list himself free in the database so that web crawlers will start to find his name and address and phone number mentioned. He’ll sign up for rewards cards. Any type of free type of card, he’ll sign up for. Anything that will show up on the net that he’s actually a person. Once that’s done, he’ll then apply for maybe a secured credit card. Usually, it’s Capital One. Thieves for some reason, not for some reason, but thieves love Capital One and the reason they do that is you can get a secured credit card for $69 that gives you a $200 limit. Known for spending a lot of money, they’re very miserly.

So they tend to hit Capital One. From that point they get what’s called an authorized user tradeline. And the way this works, legitimately and legally, if you have bad credit, you can get a family member or really anyone to put you on as an authorized user of their credit card. Now that doesn’t give you access to the credit card, it just says that you’re an authorized user. Now what that does is, after 30 days, the next reporting date, the specific history of that one credit card that you’re an authorized user on becomes the credit history on your profile. Now for a criminal, what that means is, is if you sign up for two authorized user tradelines, within 30 days you can go from a zero credit score to a 760 credit score.

Now once that happens, the criminal starts to bang out everything. He’ll apply for maybe loans, or in-store credit cards, or actual credit cards. Anything like that. I was talking to a guy that actually did that and he got a Citigroup credit card for $17,000 after 45 days. And that was just one card. Most people I was talking to Wells Fargo, most of these criminals are hitting a lot of furniture stores, a lot of in-store credit type things. I was also talking to a detective out of Fort Lauderdale and what they’re doing down there, they’re hitting motorsports places, so they’re buying a bunch of ATVs and jet skis and then selling them as fast as they can. The thing is, the reason it’s so popular, right now it takes up over 80% of all new identity theft.

Okay, so 80% of all new identity theft is synthetic fraud. And the reason that’s going on is because there are no victims, at least from a criminal point of view. Now certainly the bank is a victim, but they don’t think that way. If you’re stealing a child’s ID, the child’s not gonna complain until he or she turns 17 or 18 and starts applying for credit or student loans or something like that. So from a criminal point of view, there’s really no one to complain. If you’re talking about the banks, most banks are just writing it as charge-offs. So they’re not even cataloging it as fraud. But how big is it? Well, last year it was $50 billion. That was the number on synthetic fraud. So it’s a huge, huge number.

And the thing is that is does, it not only targets the banks but what the banks are doing is they’re turning it back on the merchants. So if the merchant is taking a credit card that’s a synthetic fraud, or that was acquired through synthetic fraud, the person never makes a payment on it, just goes ahead and buys four or five Apple MacBooks or anything like that. When the bank sees that, as a charge-off, the bank just charges the merchant on it. So the merchants are losing all kinds of money, if the merchant has some sort of instant credit, he or she is losing that as well. It’s really just an asinine type of crime that’s going on. And it’s so prevalent right now because very few people know about it.

Evan: That’s amazing. Yeah, I had never heard about it prior to talking to you.

Brett: Well, a point of view, here’s like the tidbit for the day. Any of your listeners, again, you can create the Social Security Number or you can steal a child’s ID. Now, the number one victim for identity theft right now, that’s children. So what you need to do is you need to put a credit freeze on all your kids’ credits. All right, so call the three bureaus, have them put a freeze on it. That way the child is never a victim of that type of identity theft.

Evan: Well, that’s great advice. Thank you so much. Yeah, I’m sure that’s something that most people would never even think to do. So in addition to synthetic fraud, what other types of fraud trends have you been seeing lately? Having you been seeing more of something else, or less of something? Tell me, tell me what you see.

Brett: Well, you have to understand that the United States, they decided they were gonna put in the EMV chip. Now, of course, they did it kind of half-assed, but it’s still having an effect on physical carding. Okay? So what’s happening now is the same thing that happened in the UK. So the UK put in the EMV chip, it basically got rid of all physical cards, most of them anyways. That’s happening in the United States. So in the UK what they did was, they went more toward the card-not-present type thing. That’s what we’re seeing now in the United States. Now you’re seeing that a lot of fraudsters are switching over into trying to card gift cards or virtual items, or payment processors like Stripe or Square. For example, right now Stripe is like the go-to payment processor for fraudsters. A lot of people are making $20,000 a week just running credit cards through Stripe. Okay, so that’s one of the big things.

Another big thing right now is a lot of fraudsters are applying for new credit cards and having them sent to the card holder’s actual address, and they’ll either forward the mail out or they’ll actually go to the mailbox and steal it directly out of the mail. Or some of them are even going ahead and they’re having a new address placed on the credit report and then having the new cards sent to the new address that they’ve just put on the credit report. So you’ve got a lot of… because of the EMV and a lot of these new fraud companies that are out, you’ve got a lot of innovation that’s going on in the cybercrime type communities and world. But if you look at the UK, it’s basically, with a few exceptions, like synthetic fraud and ordering cards to the cardholder address, you see a lot of that, the same type of thing that was going on in the UK that’s now going on over here since the EMV has been put in. That’s for carding.

For other types of fraud, the IRS has gotten very good at shutting down the type of IRS fraud that I started. They’re very good at that now, it took them over a decade but, you know, now they’re very good. As a result, what you’re seeing is you’re seeing a lot of fraudsters that are moving over into student loan type fraud, or into Social Security account takeovers. So what’ll happen is they target some elderly person that’s receiving Social Security benefits and they actually take over that account and redirect the payments to a prepaid card or a bank account that they control. It’s always something like that. The thing is is that there’s this gap between the good guys and the bad guys. And unfortunately, the bad guys seem to be in front most of the time. And it takes a while for the good guys to catch up, and that gap between the two tends to be the area that most cybercriminals operate in.

Evan: Interesting. Yeah, there’s certainly been a lot of ink spilled on whether EMV chips were a good idea. I think that still remains to be seen and we’re gonna be seeing a lot of that in the future, a lot more discussion on whether that was wise.

Brett: Oh, absolutely. I’ll tell you one thing I saw recently was MasterCard is doing the fingerprint on the card as well. I think that’s probably a good idea. The other thing, you’ve got a few companies that are out there that gauging like email age and stuff like that, the age of the email address. I like the idea behind that a great deal because fraudsters tend to create the email address as soon as they know who the victim is. And then they try to use it as quickly as possible.

Evan: Oh, that makes sense.

Brett: Age seems to be pretty effective right now.

Evan: Okay, that makes sense. Interesting, yeah. Yeah, I’d heard a lot about biometrics as a potential solution for the EMV problem, but the email age is really interesting too.

Brett: Yeah, and by far, I mean, the biometrics, that’s a great idea. I have not had a chance to play around with it or anything but certainly the way someone types a password in or moves a mouse on the screen or holds their phone at a certain angle when they’re accessing a website, I mean, all of that is specific to a certain person. So I mean that, once they refine that enough, and it may already be done that way, I doubt it. But once it’s refined enough, I think that will be extremely effective in countering a lot of fraud.

Evan: Thanks for joining us on Trust and Safety in Numbers. Until next time, stay vigilant fraud fighters.

Your information will be used to contact you about our service and subscribe you to our direct marketing communications. You can, of course, unsubscribe at any time. Please see our Website Privacy Notice.