By Alexander Hall, Card Not Present Contributor
[Editor’s Note: Alexander Hall is a former fraudster who now works to help businesses protect themselves from the tactics he used to use. Alexander will begin contributing to Card Not Present as an expert in fraud, sharing his perspective and advice from time to time. Before he does, however, we wanted to introduce him to our audience and describe his journey. We hope it will not only help merchants understand the way a fraudster thinks and what their motivation is to break the law in this way, but also why they would give up the life and make a career of helping the very people they were stealing from. In the first of two parts, Alexander delves into his personal history as a bad actor before he made the decision to switch sides.]
Entering the World of Fraud
My name is Alexander Hall. For nearly a decade, I lived as a career criminal, operating as a high-level fraudster. I was first introduced to the world of fraud by unknowingly cashing a fake check. I was doing computer repair in Las Vegas and was paid by check. Nothing seemed off about it. I went straight to a local casino and walked out with the cash.
A few years after cashing the check, I was pulled over and informed that I had a warrant out for my arrest for forgery and theft. After paying a $500 restitution and spending a short time behind bars, I was released.
During the years between cashing the bad check and getting pulled over, I struggled to find enough work to pay for the basic necessities, so I made the bad decision to get into selling drugs. I steadily increased the quantity I was selling, which expanded my network of people who could enable criminal behavior.
In Las Vegas, the line between drugs and fraud is difficult to identify. As my network grew, so too did my knowledge of various "licks" and "hustles.” The evolution began as I was introduced to lower-level fraud methods like buying stolen credit card information online, counterfeit cash and check forgery.
I became a student of the game to understand what was truly working. It became apparent some groups in the area were employing similar methods but no single group was employing all of the methods I had identified to increase the rate of success. I leveraged my network and knowledge to help manifest an approach that increased success rates dramatically.
At the time, I was still engaged mostly in less sophisticated crimes like counterfeiting cards, checks and cash. So, even though the rate of success increased, the same types of risks persisted. Apart from being busted directly during a transaction or being sniffed out through superficial shipping addresses, there were two main reasons that led me to leave this part of the game and pursue authoring my own methods:
- Too many hands were in the pot. The information that was gathered belonged to those who orchestrated theft and burglary operations. This meant that I would only get a portion of the cash out that was achieved, if any at all. There were plenty of examples during which the work paid off, but I was kept in the dark. It was not worth the risk.
- Too many people were aware of what was going on. In a network consisting of hundreds of people, the likelihood that one of them might turn on the rest was too likely.
Now, with an acceptable knowledge of the anatomy of payment methods, how to manipulate them and how to counterfeit them, I set out to author my own methods.
Where I Fit
Life changed dramatically, I stopped marketing myself as a connection for drugs, which reduced my direct connection to drug addicts and otherwise dependent people. As my network shrunk significantly, I started to qualify the connections that I maintained. Each connection had a business-related use that contributed to my overall operations. Lower-level methods like the ones found on the "Dark Web" became a thing of the past. They were worthless and risky.
After the decision to change the structure of my network, I spoke with very few people. The ones that I would communicate with were well aware of what requests would be considered, and also, what kind of prerequisites were needed before discussing information. The requests that I chose to entertain were paid for with cash up front.
I had promoted myself from being a deeply involved, therefore vulnerable, fraudster into being a service provider. I had effectively monetized my methods, without giving the game away. Daily life was much less demanding, as I wasn't being pulled in a thousand directions at once. Also, I controlled who I interacted with, and they were qualified, which resulted in a much lower amount of risk.
Daily Life for an Effective Fraudster
A day in the life of an effective fraudster was spent behind a computer and consisted of several types of work.
- Profile Building. This is where identity theft and synthetic ID fraud comes to life and can result in a return. The basic information is presented after being attained organically through various street-level methods. This information serves as the foundation for the profile and can further be employed by several methods like Account Reassignment, Credit Hijacking and Credit Injection.
- Generating credit card numbers to be used at a future time by employing "math as a payment method.”
- Research regarding the various “transfers of value” that different companies participate in. I often talk about this in terms of a hot dog street vendor versus a corporation or enterprise.
The hot dog vendor only participates in one transfer of value—a hot dog in exchange for cash. An enterprise accepts cash, checks (for purchases), check cashing, applications for in-store credit, e-commerce, returns, refunds, exchanges, gift cards, dropshipping, and more.
An effective fraudster, who is looking to author his/her own methods, will try to exploit every transfer of value. This leads to a lot more time spent investigating the policy sets and the processes employed for each transfer.
After numerous attempts and a couple repeatable successes, the fraudster now knows what it takes to exploit the system. I call this process "Checklist Building.” When a request or a need arises, the fraudster who has built a checklist knows exactly what to do in order to get what they are after.
As I uncovered more checklists, authored more methods, and achieved a relatively high rate of success, I realized that the entire concept of fraud had become demystified.
At this point in my life, I was a career criminal. By using math and simple, lesser-known exploits, I was able to provide myself what I needed to live. I made a commitment to not being flashy with money and focusing on low-risk, repeatable applications. The majority of the practices that I developed are robust, effective, time consuming, and held a great deal of value. Most of them have not been identified by the fraud prevention community, though I am working to remedy that shortcoming.
Methods that Worked
Fraud had become a professional practice. Reflecting on my experience, I can identify the changes that occurred in my mindset, my applications, my knowledge and my intentions over time. Each step led to the next.
First, I relied on instructions from other, more effective fraudsters.
I learned as much as I could about those instructions and the possible variants regarding in-store/online purchases. I developed methods to make effective counterfeit checks, fake cash, counterfeit cards, track manipulation, counterfeit ID's, etc. I leveraged my extensive network to gain access to fundamental information, needed for elaborate profile building.
I started to follow others in identifying e-commerce weaknesses, authoring my own instructions and becoming adept at social engineering.
I manipulated systems, built laser-focused profiles, established high credit lines, and cashed out in various ways.
I employed "Full-Cycle Fraud" wherein "Account Reassignment," "Credit Hijacking," and "Credit Injection" were commonplace. In addition to establishing elaborate profiles, cashing out was done through multi-system exploits. No industry was spared. No policy weakness was left unexplored.
I abandoned all concepts generally accepted and defined as "fraud.” I relied exclusively on math. No information, no stolen credit cards, no purchased bins, no dark web dumps, no Identification information, no fake cards, Nothing. Absolutely nothing outside of the Luhn Algorithm and the knowledge of where to use it.