04/24/2018 | Episode 21
Karisse Hendrick is a consultant and editor-at-large at CardNotPresent.com.
A former FBI Most Wanted hacker, Brett Johnson is now an educator and consultant with AnglerPhish Security.
Evan: Welcome to Trust & Safety In Numbers, presented by Sift Science. I’m your host, Evan Ramzipoor. We’re all talking about account takeover. Last year, ATO increased by a whopping 45%. 2016 saw a similar spike. In an era of shocking data breaches and wily social engineering, it’s hard to imagine the same thing won’t happen again this year. That’s why we’ll be devoting the next few episodes to ATO. To better understand this pervasive threat, we’re approaching the issue from two sides, from the perspective of a fraud fighter.
Karisse: So, I’ve been in CNP fraud fighting for, I don’t know, 13, 14 years now, at this point.
Evan: And from the perspective of a fraudster.
Brett: Oh. For the first…you might as well say for the first decade, I was committed to committing fraud and stealing money from whoever I could steal money from.
Evan: You may recognize these voices from previous podcasts. That’s Karisse Hendrick, principal consultant at chargelytics.com and former FBI most wanted hacker, Brett Johnson, who’s now head of the security consulting group, AnglerPhish. I was surprised to learn that they’re actually really good friends. That’s an interesting story we’ll get into in a bit.
They were inspired by this podcast to create their own, so look out for the Online Fraudcast. You can check their website for updates, that’s onlinefraudcast.com. Before we get to my interview with Brett and Karisse, let’s warm up with a quick fraud fact.
Did you know that in 2016, imposter scam complaints like catfishing scams surpassed identity theft as the most common type of consumer complaint? The Federal Trade Commission received 400,000 complaints that year, and those are just reported instances of imposter scams. To learn more, check out “The Many Faces of Content Abuse” on the Sift Science blog. Now, onto the interview.
Brett and Karisse probably never should’ve been friends. Karisse Hendrick started her career fighting friendly fraud chargebacks for Expedia and has since moved into a supporting role for hundreds of merchants worldwide. She’s also the editor-at-large at cardnotpresent.com. As for Brett Johnson, well, he puts it best.
Brett: I was just as passionate as Karisse, albeit on the other side.
Evan: Brett Johnson was a founding member of ShadowCrew, a cybercrime message board that was so much more than a cybercrime message board. ShadowCrew and Brett in particular pioneered much of the fraud that we see today. He was arrested, escaped from prison, and evaded capture for a while before he was arrested again. This time it stuck and as Brett puts it, he learned his lesson.
Now, he’s doing quite well for himself. He has a TED Talk coming up and is even going to be presenting on the same stage as Julian Assange, though as he points out, not at the same time. With all that in mind, how on earth did you two become friends?
Karisse: I joke that Brett probably gave me a lot of job security the first half of my career. You know, so actually, it started on LinkedIn. Brett sent me a connection request about a year and a half ago, and I was familiar with ShadowCrew and he has that on his work experience. We started talking, but I was very skeptical. And Brett can tell you that I wasn’t very nice at the beginning. I mean, I think for likely, you know, for a good reason, right?
Brett: It’s true, but you…
Karisse: Especially when you look at his history and he fooled the Secret Service. I, you know, wanted to be cautious. But after, you know, three months of conversation and vetting, and I talked to the FBI and talked to his other references, I realized he’s very genuine and he’s very remorseful, and he really does wanna help this side of the fence.
In a way, Brett defected from the fraud side. And so, we need to take full advantage of that. It’s so funny to me sometimes how he’ll talk about a specific company and how they’re being mentioned a lot on the darknet. And I’ll be like, “Oh, I know they’re a fraud team and I know they’re going through some challenges.” And so, we can kind of put together the full picture.
Evan: Let’s dive into account takeover, first from a fraudster’s perspective. Brett, can you walk me through the typical ATO attack?
Brett: Entrepreneur magazine last year said that 70% of every single person used the same password across multiple platforms. So, what tends to happen is you’ll get a phishing attack or something like that. The criminal will get a couple million different logins, and then he’ll go about testing these logins across multiple platforms. So, he may launch a phishing attack on Netflix, asking for your Netflix information. Once he gets that, he’ll try that same login with your bank account or your credit cards, or any number of things like that. It’s all about the type of account as to what the criminal will do.
With bank accounts or anything like that, he may just want to change his phone number, and that tends to be the number one item that is changed, is just the phone number. Because when you change the phone number, it basically gives you entire control of that account. So, at that point, if you placed an order with a credit card, they call the number on file, number on file comes to the criminal’s number instead of the actual cardholder’s number. If the criminal has the password and the login, he basically, because of the way things work these days, he basically has the ability to take over that entire person’s account online, and not just that account, but other accounts as well.
Karisse: Well, I would add to that, like the benefit to criminals accessing account takeover is one of two things. Either they’re gonna be using the card on…and this is specific to CNP merchants. Account takeover for banking is very different. But either to take over the stored payment method or to basically use that account for validity. Several years ago, before account takeover was really big, one of the biggest things that fraud systems would flag as well as merchants would look at would be new accounts placing orders. That could be significantly risky. If you take over an existing account, it’s not as risky.
Evan: Karisse, is ATO something that’s generally easy for a fraud fighting team to detect? Why are so many fraudsters able to fly under the radar when committing ATO?
Karisse: Well, that’s actually one of the biggest issues of account takeover, is that it has been really difficult to detect, because fraud providers and merchants in general, whether it’s in-house or just their rulesets, used to flag new accounts but not so much existing accounts. I’ve been able to see a natural progression of account takeover over the years. The first time it really came to my attention was when I was organizing a national conference for fraud fighters and a group of online gaming companies said, “I really wanna talk about this new fraud that we’re seeing.” This is probably five or six years ago, I think it was 2012, 2013.
And so, I moderated a panel of some of the biggest online gaming companies talking about this new kind of fraud. And it was a full room, but not really because anyone else was experiencing it, but because they were really big brands and they wanted to learn from them. And now, I see it with small, specialty retailers, in the outdoor space. I see it with…I mean, almost every type of company you can think of, you need to diagnose what type of account takeover you’re seeing.
So, are you seeing it through credential stuffing where they access lists, like Brett talks about millions of usernames and passwords? And are they putting them in through a bot or a script and just testing every single one automatically? Are they doing one-offs? Are they doing phishing scams to the consumer where they ask them to provide…or reset their password or provide their login, claiming that they’re this retailer? You know, are they one-offs? So, looking at how are they accessing your site and committing account takeover, and then what are they doing once they take over that account? Are they changing the phone number? Are they changing the credit card number?
Knowing what your account takeover looks like today is important to be able to identify account takeover. Working with a fraud provider that provides insight into this maybe account takeover behavior is really important. Whether that’s your main fraud provider or an additional layer that you put on, it is a struggle. But getting the right partners in place and learning the specifics of what’s happening once they get into that account is really important.
Brett: I agree. And just to add to that, it’s important that the companies and everyone involved in the antifraud industry starts to understand just how sophisticated cybercriminals are. Now, the crimes themselves don’t tend to be very sophisticated, but the network that these criminals operate on, that’s pretty damn sophisticated.
So, you take an account takeover, say someone has logins or what have you from three million people, and the initial person that stole everything lives in New Jersey. So, just because he lives in New Jersey doesn’t mean that all the orders are gonna come from New Jersey or even look like a company from New Jersey. So, the networks are so sophisticated that he’s going to sell those logins or he’s gonna sell the ability for people who take over those accounts to local people. So, cyber criminals now, they look for targets that are local.
There’s a number of tools that criminals can use to make it appear that he’s within five miles of wherever that actual accountholder is. He can use a SOCKS 5 proxy. He can use a remote desktop, any number of things that will allow him the ability to look like he’s actually local to the accountholder.
Karisse: Yeah. So, adding onto that, as somebody who, you know, has never committed credit card fraud before, Brett gave me his login once I was about to do a presentation to include some of the tools that these guys are using. And he gave me his login to a company that provides these SOCKS proxies. It was insanely simple.
Now, granted, I mean, he had to pay a significant amount to get a membership to this private website and all that, and I basically committed account takeover. The irony was not lost on me at all when I did that. I’m like, “Oh my gosh, I’m literally committing account takeover to be able to show people how easy it is to commit account…”
But they have customer service, they have a return policy, they have a guarantee. They actually run these proxy IPs through various tools to see if they’re on negative lists. I think that there definitely are some fraud providers out there who are able to recognize a proxy IP or a remote desktop.
That’s definitely some technology I’ve seen, and I think that that’s an important question for merchants to ask prospective fraud providers, if they have that capability, and if they flag that or provide a high score, so that you can have that insight and look at that order, either in an automated fashion or manually to determine if it’s legitimate or not.
And that’s something that Brett asked me, you know, when we first started talking, how come merchants don’t work together as much as bad guys? And I had to explain, we have privacy policies, we have a lot of rules within our company. But that’s something that I personally dedicated a big chunk of my career to, is providing opportunities for merchants to get in a room together, and magic happens when they do that.
You just can’t get comfortable as a fraud fighter, and I think that’s why a lot of us love it. Right? We love the challenge. We love the continual change. But I think if that’s one thing that we can get across, it’s don’t get comfortable, because as soon as you set rules and thresholds, they’re gonna figure it out and they’re gonna tell all their friends.
Brett: No, I agree with you on that. That’s the thing, an experienced fraudster or a group of fraudsters will force you to evolve. That is a fact. If you don’t, you will lose completely. To give you an example, you mentioned device IDs. So, absolutely, device IDs can be used to flag fraud. Now, fraudsters realize that.
So, what are we seeing now? We’re seeing credit card numbers and accounts that are being sold with device fingerprints attached to them, so the fraudster can then emulate that device ID and look more legitimate on the other side, and that’s the type of thing that always happens. The fraudsters are committing the crime, someone adapts to that type of crime, finds one specific item to identify the fraud, fraudsters realize that, and then find a tool to defeat it really quickly and keep moving on.
Karisse: Well, it’s easy as a fraud fighter, especially on the frontlines to start losing faith in humanity when all you see is fraud, but I think that that’s why you have to have a sense of humor about it. And the other thing I can say is having worked with literally hundreds of merchants, I have a lot of hope about it too though because there are so many different tools in the ecosystem, there are so many merchants who are doing great, innovative things with what they have and addressing it. And I think that the reason why these bad guys are having to be more sophisticated is because we’ve been sophisticated. It’s because we’ve been upping our game.
We as a collective fraud-fighting industry, we can’t ever 100% eradicate fraud. We can, it just means no sales. You know, I joked about that with my CEO and so he didn’t think it was very funny. I was like, “Well, there is a way to not have any fraud ever again,” and he said, “Oh really?” “Well, yeah, shut down the shopping cart.” You know, that’s not our goal.
Our goal is to make their life harder. Our goal is to build a better mousetrap. Our goal is to play whack-a-mole and get as many away, and make it harder, and maybe make them go somewhere else. I don’t think we’re ever gonna get them to go get a $10-an-hour job at McDonald’s, especially when you hear how much they make a week. Brett, how much were you making a week before you got arrested?
Brett: I wasn’t making anything. I was stealing $160,000 a week.
Karisse: Yeah, I mean, $160,000 a week.
Evan: Where do you store all that, in a mattress? Like, where does it go?
Karisse: His stripper girlfriend.
Brett: A lot of it went to the stripper girlfriend. But before that, if you’ve seen the JanSport backpacks that kids carry to school and everything, that will hold $150,000 cash in all 20s.
Karisse: Oh my God, the fact that you know that. I wonder if that’ll ever be a deputy question. You would totally [crosstalk 00:15:04].
Brett: Then, they could ask me how much it weighed and I would say, “It would come out to 7.5 kgs.”
Evan: So, Brett, let me get your perspective with your colorful background as a fraudster. What do you think we’re doing wrong or even doing right in our fight against scammers and fraudsters? Are we making their lives harder the way we think we are?
Brett: Certainly, the antifraud industry has made it much rougher for cyber criminals to get away with things. The methods that I used to use to break the law, they simply don’t work anymore. So, you know, you have these tools that have come out. But, you know, tech is so rapidly increasing that fraudsters can now pull tools, you know, legal tools off the shelf to commit these crimes. And as long as we see stuff like that going on, I mean… I mean, you’re right, at the end of the day, these guys are not gonna give up their job, go down to McDonald’s and start flipping hamburgers. It’s simply not gonna happen.
Karisse: Unless they get caught, right? Well, actually, I mean, even if they get caught, like you couldn’t get a job at McDonald’s because you’d have to handle credit cards.
Brett: Right, absolutely.
Karisse: I mean, I hope you know me enough to know that’s not me being mean, it’s just like a statement of facts. A lot of times, people, when they first start fighting fraud, they kind of think that they’re fighting a dragon, where they go and have predictable tools, and once they fight this dragon and kill them off, they can go back to their village and celebrate and there won’t be another dragon. You know, it’s one event that you are attacking, and once you do that, then you have your fraud contained and you can go back to your normal life and everyone is gonna celebrate you.
Instead, fighting fraud is more like fighting zombies. They’re regenerating all the time. As soon as you use a club, then they’ll regenerate next time to not be able to be caught with a club or hurt by a club, so you have to upgrade to a flamethrower or whatever else and you need to keep upping your game. And there’s no time to come back to your village and be celebrated because you’re continually fighting these guys.
And so, I think it’s the mindset of a fraud fighter that’s really important, to know that, “I’m in this for the long haul. This tool might work right now for what they’re doing, but we need to continually learn what might be coming up. What are other people seeing? What are we going to see? What new business models are we adding that’s gonna create all new vulnerabilities?”
Evan: That was part one of our Account Takeover series. Next time, I’ll chat with Brett and Karisse on why ATO is uniquely devastating and pervasive and get their perspectives on what fraud fighters are doing wrong in the fight against account takeover. Thanks for joining me on Trust & Safety in Numbers. Until next time, stay vigilant, fraud fighters.
This is our secret after-credit scene. Like, Marvel movies can have an after-credit scene, we can have one, right? More fraud, less trauma.
Karisse: You know, a funny little story about Brett and I, don’t know if you’re gonna want to put this in or not. But when we were at the expo, it was right after he had done his presentation and spoken about his life and then also what he thought merchants should be aware of. But somebody had said something to him about…something about how, you know, he’s making money legitimately now, but he’s gonna have to pay taxes.
He knows where I’m going with this, so that’s why he’s laughing. And the other guy said, “Yeah, well…” Brett said, “Well, I’m thankful to be making money legitimately.” And I said, “Well, wait until you have to file your taxes.” And the other guy said, “Well, have you ever had to file your 1099 before something?” And Brett, like very seriously, said, “Oh yeah, I file hundreds of 1099s, just never for myself.”
Evan: Oh my God.
Karisse: That’s what they love about Brett, is he’s very honest about it.