- Brett Johnson
Synthetic Refund Fraud: A Brief Dialogue
I’m hammering away at the keys, knocking out a blog for Arkose Labs. First week on the job as CCO, Chief Criminal Officer. A title like that means better not roll with some vanilla topic. A title like that means go big or go home. Groovy. I can do that. I just gotta get the right format for the blog. I’ve gone through several drafts and styles, not thrilled with any. I’m thinking alcohol might help. Or a round of Street Fighter. Then I get a knock at the door.
David stands at the door to my office, smiling. “What are you doing?” he asks.
“Blog. For Arkose,” I answer.
“Sweet! Big CCO in the house. Should be CUCO.”
“CUCO?” I ask, puzzled.
David starts laughing, “Chief Ugly Criminal Officer!”
“Haha, hehe, hoho. Laugh it up, Chucklehead. Now kick rocks, I’m busy.”
David stops laughing and nods toward the laptop, “Well, what you writing about?”
“Refund Fraud,” I say. “New technique being used.”
That brightens David’s day, “Ooh! I love it! What is it? Tell me!”
“Ok, ok. First tell me that statistic I preach to you.”
“Ah, Man. Come on.”
I lean back and cross my arms. “Gotta say it.”
“Alright,” he grumbles. “90%+ of every attack uses known exploits.”
I point at him, “Cha-Ching! And what about Zero Day Attacks, unknown vulnerabilities?”
David acts like a robot and says it, “Bah, Humbug. They are out there. But a criminal waiting on a Zero Day to profit? That Dude is going to starve.”
“Correct. Cybersecurity and Cybercrime? It isn’t the stuff we don’t know about. It’s the stuff we do know about that we haven’t done anything about that is the issue. Remember that and you will go far in this game.”
“I know, I know. You are proud of that statement.”
I smile. “Well, it’s a good statement. And it’s true. Probably the most truthful thing one can say about online crime and cybersecurity.”
“I know, I know,” he says doing the robot thing again. “A Zero Day is just a nice extra that pops up every now and then, like extra cherries on an ice cream sundae. It isn’t necessary to be successful, but it can be a nice thing to have.”
“Keep talking like that and I may start to like you.” I blow him a kiss.
“Promises, promises. You told me you’d tell me the new technique.”
“Yes, I did. The latest technique in play against merchants and retailers? Synthetic Profiles.”
David looks at me like IQs in the room suddenly dropped. “Whoa, Slick! That ain’t new. Synthetic Fraud has been around since 2011! That ain’t new!”
“Yes, I know. Believe me, I know. I was one of the first people to talk about it, remember? 2017 CNP Conference. Keynote. I talked about Synthetics and warned about Refund Fraud.”
“I remember,” he says. “I remember it fell on deaf ears.”
I bobble my head, “That it did. But anyway, merchants and retailers have somewhat known about synthetic fraud for a while. A fraudster sets up a synthetic credit profile, gets the credit cards, and then uses those cards to defraud a merchant.”
“Yes, Bretty. We know. Tell us something we don’t know,” he scowls.
“Ok. What happens when the synthetic profile is built not to defraud a financial institution, but a merchant instead?”
I lean forward and look at him. “You heard me. What happens when a synthetic profile isn’t about getting a creditor to issue a credit card so a fraudster can profit? What happens when it’s about using the synthetic to specifically defraud a merchant on Refund Fraud?”
“I don’t get it.”
I start to walk him through it, “I figured. OK. Been more than a few individuals defrauding Apple and Wayfair for over $130k in product. And they get away with it. Right?”
“Yeah, OK,” David nods.
“That doesn’t seem strange to you?”
“What do you mean?” he asks.
“I mean, you can steal a few hundred dollars and no one will come looking for you. You steal $130k? Someone is going to get interested.”
“You steal $130k. You do it under your own name? No, that’s stupid. Easy enough to find you. Or maybe you do classic ID Theft and steal someone’s information to commit the crime? Questionable. A company like Apple has great security. Classic ID Theft likely fails. But what if I am able to create a new person? And then use a legitimate payment instrument?”
“Um. I’m not sure I get it,” he says.
I hang my head. “Growl,” I say. “OK. Synthetic Fraud. I fabricate an SSN or use a kid’s SSN. Put a name, address, phone number, adult DOB to it. Apply for credit. Application is denied, but it actually results in a credit report being generated for that synthetic person.”
David is nodding, “I know all that. Then you pump the credit score up—piggybacking, primary tradelines—get credit and cash out.”
“Exactly. Usually. But not here. Here you build the synthetic. But the goal isn’t to get credit cards. The goal is to get the bank account in the name of the synthetic. Open the bank account, fund it, commit refund fraud.”
“But why?” he asks, puzzled.
Now I’m the one thinking IQs dropped, “Ah geez, Seriously? This synthetic doesn’t hit creditors. It hits the merchant. Merchants aren’t used to seeing it. This fraud provides an unlimited number of names and bank accounts to be able to pay for product. And it’s quick to set up. Much faster than a traditional synthetic profile meant to defraud a creditor. And a merchant never realizes what’s going on.”
“I get it. New identity. Legit bank account to pay from. Age the merchant account. Do the refund. Do $130k in refunds. Get the money sent back to the bank account. Close the bank account and get your money out. Merchant later realizes it was fraud and they try to rebill. But the account is closed. It’s $130k so they want to know who did it. But they are screwed since it’s a synthetic. Fraudster walks away with money and product. No consequence.”
“You get it,” I say.
“That’s pretty smart.”
“I thought so.”
“I’ve not seen anyone talking about that on Telegram or Dread.”
“No, you’ve not,” I smile. “It’s on the more private channels. The only people who really know about it are the crooks on those channels.”
“And you.” David winks at me.
“Well…. I am that guy.”
“You are that guy. You not gonna rail on those other consultants and businesses out there that don’t know about it, are you?”
I shrug my shoulders and shake my head, “Me? I’m a humble man. A meek man.”
“And an asshole…sometimes,” David smiles.
“I’m a Teddy Bear. And no, I’m not going to rail on them. But I do think that many of those consultants are doing their clients a disservice by not supplying complete information.”
David rolls his eyes, “Yeah, yeah, yeah. Blah, blah, blah. But wait. Isn’t it worth it to build the synthetic all the way up and get the credit card? Then commit the fraud? No money up front.”
“Now you are thinking,” I tap my temple. “It depends on the ease of getting the card with the synthetic information. Easy to get a bank account with a flimsy synthetic. Cards are more difficult. But yes, it depends. Take the Apple Card? Getting eaten alive with Synthetic Fraud.”
“Really? Eaten alive?”
“Well, that’s the chatter on the private channels. But understand that isn’t the case with everything. Refunding is pretty much guaranteed profit. You can use a synthetic for new identities. Open bank accounts. Do refunding. Lots of profit.”
“Very neat,” I say. “Remind me later to talk to you about how some of these guys are even using credit freezes on their synthetic profiles.”
“I gotta hear about that. But on this refunding: how do merchants combat it?”
“That’s a problem, right? Merchants really haven’t had to worry about Synthetics. It’s been the banks and creditors. This changes things. Now the onus is on the merchant, a group that doesn’t really understand that type of fraud. They are going to be eaten alive with it until they put systems in place to look for synthetic profiles.”
David looks at me, “Are synthetics really being used that much right now in refunding?”
“They are being used. Not uncommon, not super popular. But it’s going to become much more widely used. Soon. Especially for those high dollar refunds.”
“Scary stuff,” he says.
“Yeah. But remember the beginning of the lesson?”
The robot returns, “90%+ of every attack uses known exploits.”
“Correct. Remember that and you will go far in this game. Cybercrime and Cybersecurity aren’t Rocket Science. Know what’s out there and anticipate how it might be used against you or your organization.”
“You sure do talk a lot,” David says.
“I like the sound of my own voice.”
“I’m glad someone does.”
“Kick rocks,” I say. “I’m busy.”