Confessions of an Identity Thief – Part 2

July 29, 2013 by Richard Sands

The saga continues. Now things get really interesting. In our last episode our identity thief had successfully procured a check made out to the dealership for a high-end (approx. $100K) vehicle he has absolutely no intention of purchasing. As I stated before, he is only interested in the money. You will notice that I have switched over to a third-person perspective for this writing. I have been out of federal custody for 6 months now and no longer share an affinity for this sort of thing. I find it difficult to write from a personal perspective because I am no longer that person. Just a little tidbit to help you follow along. Anyway, "he", let's call him Fingers R. Sticky for now, has a check in hand. But this isn't even half of the challenge. This was in fact the easy part. The next step involves getting the check to clear successfully.

As you recall from the first installment, the check has been made out to the dealership. Oh no!!!! That is most certainly the end of the road for sure. Well, not so fast. Fingers actually has a couple of options at this point. He's already planned for such an event because, as seen in the first installment, he called the bank and asked specific questions and made a list of potential show stoppers. This was indeed on his list of challenges. Consequently, Fingers prepared for such an event by opening up a bank account in another state under the same business name using the same identity he used as the buyer. This single identity is going a long way. The incorporation process is quite simple and cheap. Not to mention the fact that all of this can be done online. A few incorporation documents (which happen to be totally legit), an 800 number for good measure, a reformatted utility bill and voilà, new business account with all the perks.

Fingers is now free to portray buyer or seller at will. At this point in the game he is in full control of every aspect of the deal and nearly impossible to stop. There were times when I had multiple cell phones at my disposal and would field calls as buyer and seller depending on which cell phone was called. The insight was priceless.

With the new bank account in hand and a check made out to the business name on that account, the deposit, via mail, scan or ATM deposit, is a cinch. And guess what, since this is a business account many of the red flags that apply to personal accounts regarding initial deposit simply don't exist. In my former life I've only come across one institution that would regularly require an in-person verification for a rather large initial deposit and that was Chase. Kudos to you for your diligence. Your efforts have saved loan providers countless sums of money and tons of red tape. Alas, many of the other institutions are only too happy to have a new business account open with an initial deposit in excess of $100K so Fingers proceeds with his scheme.

The check will take approx. 7 to 10 business days to clear. But Fingers is in no rush. As long as the true owner of the identity he is using does not check his/her credit report, time is not an issue. Additionally, Fingers has full access to the actual credit report and can retrieve an updated version online at any time. Why would he want to do this, you may ask? What good will this do at this point in the game? Well, it's a matter of insight and safety. If, by any chance, the jig is indeed up, the first thing that will happen is the placement of a fraud alert by the true owner of the identity onto the credit report. This serves as an "Emergency broadcast message". Once this fraud alert appears the game is over. Burn the joint and move on. Compliance officers: read between the lines, think outside the box and use this to your advantage.

To maximize efficiency while waiting for the check to clear, Fingers begins to set up the "win", which is the actual securing of the funds once available. Hmmm, now this here is indeed a challenge (carefully place tongue near cheek). In 7 to 10 days he will be looking at a business account, online of course, with $100K of cleared funds that are going nowhere anytime soon. The numbers are attractive and nice to look at but totally useless unless he can get the money out. He realizes that this is where the institution's safeguards and red flags come into play. Banks don't scrutinize deposits anywhere near as diligently as they do withdrawals. Quite frankly, that's probably their biggest downfall. Obviously, this is a matter of responsibility. The institution that is the source of the funds is, for the most part, responsible for securing their funds. But at any point in time any institution can be the victim. It just depends on the scenario. Simple communication between institutions would go a long way toward fighting fraud but this is easier said than done. Anyway, I digress. Fingers realizes that he can't go to the ATM every day and withdraw the maximum amount. This would definitely trip a flag and tip off the bank and is an amateur solution at best. The account would lock up in the first week for sure. He has to come up with a more sophisticated way to make large, seemingly 'legitimate', withdrawals. So he goes with the wire scenario. The limits on wires are pretty generous even by today's standards. $25K per day is pretty normal. Or, better yet, he can write a check to another institution offshore or launder the money to some 'investment' vehicle that is easy to liquidate.

Hmmm, investment vehicle, tangible asset, untraceable, easy to transport and most importantly, easy to liquidate worldwide. I'll take 'Precious metals' for $100K Jim. The ideal vehicle for laundering large amounts of currency. It's accepted all over the world and even at the teller window in many countries. They bear no serial number, are completely untraceable, require no ID and symbolize a "win" at the very point of acquisition.

Most jewelry store owners are only too willing to cash in your precious metals for about 10 percent less than current market value. No questions asked. Liquidation is surely not an issue. He can sit on his stack of precious metals for years and only have to worry about basic market fluctuations. At that point the money is his.

Meanwhile the charges are adding up. Based on the dollar amount alone he is looking at about 6 - 12 months. Then there is the aggravated identity theft charge which carries a mandatory 2 years. Add to that a dash of mail fraud and a half cup of money laundering and he quickly finds himself looking at a 5 to 7 year bid. Is it worth the risk? You do the math.

Again, I am not going to expose the logistics behind this process as any further information would indeed be TMI. In fact, I may have already crossed that threshold in some aspects but if this writing helps to inspire one well placed deterrence it will be worth a calculated risk based on a potential loss. This same type of scenario or incarnation thereof can be applied to just about any type of loan process. A $100K car loan is a pittance compared to, let's say, a mortgage on a home, for instance.

Suffice to say, this type of fraud exists, is prevalent and cannot be stopped by securing your firewall or via anti-phishing images or dual phase secure logins based on the existence of browser cookies. Once the thief actually owns the account he is provided with legitimate credentials. Consequently all security measures become invalid. It's too late. He is inside, trusted and he entered right through the 'Front Door' no less. Ironically, for all intents and purposes he is now seen as a legitimate customer by the institution. Their safeguards are in place not to thwart but to 'protect' him from, you guessed it, criminals.

This institution has just been 'socially hacked'. This type of attack is a different ball game altogether and without the proper training of personnel and planning it will continue.

In the next installment I will discuss a few ways to deter criminals from selecting your institution as an ideal candidate for social hacking.

Richard Sands

So how did I end up here? I am college educated, have good strong family roots, plenty of ambition and love a good challenge. My Bachelor's degree in computer science along with about 20 years of coding experience allowed me to rise to the top of my field in the investment banking arena. It suffices to say, money was not an issue. Which leads me to one and only one conclusion. Greed. Pure unadulterated greed.

I have recently been released from federal custody and am in the process of getting my career back on track. I'm still in the technology arena, given the fact that it's pretty much all I know how to do. I've had to make a slight adjustment in my choice of vertical markets due to the fact that working for the banking industry is no longer an option for me. Go figure. I continue to code on a daily basis and am knee deep in a couple of projects. I must admit that I'm loving every minute of it. The income is sparse, to put it mildly, which is to be expected given my background and recent change in career path. But that's the least of my worries at the moment. I am recently married and spend plenty of time with my children. I now know that quality of life is a lot more important than financial gain.

One of the most valuable and profound lessons I learned while incarcerated came from one of my counselors. He said, "Mr. Sands, don't fool yourself. Crime certainly does pay. There's no mistaking that. It just costs too damn much!!!" Truer words have never been spoken.