General security

Confessions of an Identity Thief

Richard Sands
July 15, 2013 by
Richard Sands

Note: This is the first in a series of articles written by a convicted felon currently serving 57 months in a federal correctional institution for identity theft and mail fraud.

I am a former identity thief. That's not a fact of which I'm proud. I sit here at Fort Dix FCI, trying to redeem myself for some of the wrongs I have perpetrated. And I hope what I have to offer will be of value to banking and security leaders.

In this first installment, I discuss the front-door tactics that are used to commit bank fraud via identity theft. Take note that none of this is theoretical. I have put these methods into practice. They work, they are prevalent, and these tactics are being employed by identity thieves even now. In future installments, I will address different ways to deter these types of attacks upon your institution.

Front-Door Fraud

Most of the discussion regarding fraud prevention and identity theft is predicated on the

assumption that an identity thief is some hacker who uses back-door system access tricks to compromise a bank's database of customer account information. While often this is true, many identity thieves use what we call "front door" tactics to commit fraud.

I was able to pull off many fraud deals -- some in the realm of $150,000 -- by simply having the confidence to be brazen when speaking on the phone with a loan specialist or underwriter. Although I am an accomplished web developer by trade, these skills are not required for frontdoor identity theft, except for some minor proficiency in any basic graphics application. The entire operation can be executed using any IP masking software from the comfort of your favorite WiFi-enabled coffee shop. Consequently, there is virtually no face-time required.

Please note that these crimes generally begin with a dollar amount, not a "victim." With frontdoor identity theft, the true "victims" are typically banking institutions, loan providers, brokers and credit card issuers -- not an actual individual. Using front-door tactics, frankly, provides us with a larger playing field of potential targets.

As frightening as it may sound, I know first-hand that any institution can become a victim of this type of crime, regardless of how diligent they may be in securing their assets. Few institutions offer enough deterrence to make themselves unattractive to front-door identity thieves – without compromising any of the conveniences offered to legitimate customers.

Considering that the average identity thief obtains $6000, and there are 8 to 10 million victims each year, front-door identity theft should be considered a significant threat -- especially since it can take a year of more to discover the offense.

How I Did it

Let's start with a basic scenario: I'm looking for a relatively quick $100 K. Personally, I was a fan of automobile loans, but the following fraud can be pulled off with RVs, boats, business loans, mortgages, etc.

So, say I decide to seek a loan for a high-end Mercedes. I have no interest in the vehicle itself, but rather I want the cash value of the car. First, I need to identify a vehicle and obtain the VIN. Sites like eBay are great for these details.

A next step (I am purposely omitting key details, so as not to provide a roadmap for would-be fraudsters) is to find a loan provider that offers auto loans direct to the customer. The institution will believe that, if it grants the loan, it will have a lien on the vehicle, so approval is almost certain. Consequently, the relatively high dollar amount is not an issue, as long as I steal the identity of a person with a decent credit rating.

After I select a loan provider, I then need to make the first call anonymously to the institution as 'a prospective customer' to make sure there will not be any unwelcome surprises. Among potential deterrents (which I'll go into in detail in a future installment): The bank may deal only with a restricted list of pre-qualified dealers; it may require a vehicle inspection by its own inspector; or the institution may actually require an in-person loan closing. That last one is a show-stopper – the golden rule of front-door ID theft is "no face time" -- but it doesn't occur as frequently as you might think.

So, assuming I've encountered no obstacles, then pretty quickly I'll have the inside scoop on exactly how the particular loan process works.

Next, I need the stolen ID -- the part of this crime that will add a nifty two consecutive years minimum to any underlying conviction. I am certainly not going to discuss how to steal someone's ID, but suffice to say that are many ways, and they don't require diving through someone's trash. Now, when I refer to an ID, I mean the basic components: name and social security number. Date of birth and address can be found online, so they serve as an added bonus.

With this information in hand, I need to pull a credit report, so I can correctly answer the loan provider's challenge questions. This is the only real line of defense for front-door identity thieves, and its effectiveness is marginal at best. Fortunately (for the thieves), the Federal Trade Commission has been kind enough to offer free credit reports via the free credit reporting act, which resulted in the huge security hole called 'Annualcreditreport.com.' I will avoid any further details, but trust me: You do not have to be a hacker or computer whiz to figure out how to secure someone's credit report.

After the FTC hands over someone else's credit report, I fill out the online loan application. Since I have selected an individual with decent credit, I expect to get a prompt reply, and it is almost always a guaranteed approval. Remember, the institution assumes that it will have a lien on the vehicle. Of course, I have to manufacture some employment -- preferably something listed on the credit report -- along with a career match. For the most part, not one of these items is scrutinized by the banks, so the sky is the limit as long as the income is substantial, considering the loan-to-value ratio and a couple of other factors.

I then call the designated loan specialist and give the details of the vehicle, as provided by eBay or whatever resale site I have chosen to use. In most cases, the loan provider will then ask me to fax the vehicle's bill of sale, which can be forged quickly using any graphics application.

Shortly thereafter, I will receive loan documents via express mail to be fully executed in the presence of a notary. Normally, this would be a major show-stopper. Remember the golden rule: No face time. But take it from me, the notary requirement is not a significant obstacle, and it certainly does not require any unnecessary exposure or even a real notary, for that matter.

Less than one week later, the institution will mail me a check. To provide extra security, the check will typically be made out directly to the dealership or seller. This extra precaution is designed to prevent 'legitimate' buyers from simply cashing the check and using the funds for something other than the automobile. Believe it or not, though, there are some banks that provide you with a draft that is nothing more than a blank check pre-authorized for the value of the loan.

But let's say I have the check made out to the seller. The bank is absolutely, positively protected from any type of fraud now, right? As I was once was told by a rather naive loan specialist "We are not worried about the check ending up in the wrong hands because no one but the dealership can cash it."

Think again. Yes, indeed, the front door is truly wide open.

What should you learn next?

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.

In the next installment, I will discuss how to cash the dealership's check.

Richard Sands
Richard Sands

So how did I end up here? I am college educated, have good strong family roots, plenty of ambition and love a good challenge. My Bachelors degree in computer science along with about 20 years of coding experience allowed me to rise to the top of my field in the investment banking arena. It suffices to say, money was not an issue. Which leads me to one and only one conclusion. Greed. Pure unadulterated greed.

I have recently been released from federal custody and am in the process of getting my career back on track. I'm still in the technology arena, given the fact that its pretty much all I know how to do. I've had to make a slight adjustment in my choice of vertical markets due to the fact that working for the banking industry is no longer an option for me. Go figure. I continue to code on a daily basis and am knee deep in a couple of projects. I must admit that I'm loving every minute of it. The income is sparse, to put it mildly, which is to be expected given my background and recent change in career path. But that's the least of my worries at the moment. I am recently married and spend plenty of time with my children. I now know that quality of life is a lot more important than financial gain.

One of the most valuable and profound lessons I learned while incarcerated came from one of my counselors. He said, "Mr. Sands, don't fool yourself. Crime certainly does pay. There's no mistaking that. It just costs too damn much!!!" Truer words have never been spoken.