Threats Without Borders - Issue 164
Cybercrime Investigation Newsletter, Week ending January 7, 2024
A recurring fee caused me to close an account with a traditional bank and open one with an online bank. An entirely online bank. Yes, I work for a conventional bank and have my main financial account there, but I still dabble in cryptocurrency and don’t want some of my riskier adventures linked to my primary finances.
During account creation, the bank asked me for my name, address, phone number, email address, date of birth, and social security number.
The account was created and ready to use within minutes.
But how did they know that Matt Dotts created the account? There was no requirement to submit any form of positive identification or even a phone call to confirm a human created the account. They validated the phone number and email address through push and response prompts, but all that confirms is that the person requesting the account can access those communication methods. They didn’t confirm that it is Matt Dotts who controls the phone number or the email address.
In fact, they only confirmed through the entire process that whoever was creating the account knew enough information about Matt Dotts to pass the automated identity verification checks conducted on the back end of the process.
I had a fully operational and funded account within an hour.
Is the debit card the verification check? “The address provided at account creation is verified as the address of Matt Dotts. We mailed the debit card to the address. We have yet to receive a summons from Matt Dotts asking why he received an unsolicited credit card; therefore, he must have created the account.” I guess that logic works. Kind of.
Are they using IP address-geolocation verification and browser fingerprinting?
I’m curious to hear from Know-Your-Customer experts.
As a consumer, the process is frictionless and very pleasing. As a professional in the cyber-fraud prevention space, it is concerning.
Some News…
Regions Bank lost 135 MILLION dollars in six months last year due to check fraud. The CEO admitted that they made changes to how long a check was held before fund availability to be more “Customer Friendly.” He explained, “We opened the door too wide, bad people came rushing in, and we didn't close the door timely enough” when questioned about the mistake. Wow. If you don’t have a subscription to American Banker, you’ll need a ladder to climb the paywall to read the article. https://www.americanbanker.com/news/how-regions-bank-unwittingly-invited-a-surge-in-check-fraud
Security vendor Emsisoft is demanding a complete ban on ransomware payments. Easier said than done. I have spoken and written at length about the devastation of ransomware and the pay or don’t pay debate. Why don’t we want to pay the ransom? Because it rewards antisocial behavior and incentivizes additional criminality. Ok, so it’s an easy decision, right? Yeah, until you stand in the office of a small business owner whose network is completely sacked, who has no data backups, no incident response team, and no other options. It becomes a decision to pay the ransom and hope for the best or shut down the business. https://www.theregister.com/2024/01/03/ban_ransomware_payments/
So what happens when the helpers need help? San Francisco-based law firm Orrick, Herrington & Sutcliffe, which specializes in assisting companies affected by security incidents, has suffered a cyberattack that exposed the sensitive health information of hundreds of thousands of data breach victims. The hackers stole personal information and sensitive health data from a file share on Orrick's network during an intrusion in March 2023. The stolen data includes consumer names, dates of birth, postal addresses, email addresses, government-issued identification numbers, medical treatment and diagnosis information, insurance claims information, and healthcare insurance numbers. The breach also included online account credentials and credit or debit card numbers. Uh-Oh. https://techcrunch.com/2024/01/04/orrick-law-firm-data-breach/
Are you applying to Ghost Jobs? https://www.marketplace.org/2024/01/03/those-jobs-youre-applying-to-they-might-not-be-real/
ScamSniffers reports that “Wallet Drainers” have stolen nearly $295 million from about 324,000 victims through 2023. The attacks are launched through phishing websites. https://drops.scamsniffer.io/post/scam-sniffer-2023-crypto-phishing-scams-drain-300-million-from-320000-users/
Socure claims to have removed 204,536 synthetic identities from the U.S. economy in 2023. Really? I’d like to know how they got to that number. They also claim to have prevented over 3 billion dollars in fraud. https://www.prnewswire.com/news-releases/socure-eliminates-more-than-200k-synthetic-identities-in-2023-302020604.html
Cool Tools
A ladder to help you over those walls. https://12ft.io/
All the tools. https://it-tools.tech/
Cool Jobs
Senior Director of Corporate Security - PP&L. https://careers.pplweb.com/jobs/10138?lang=en-us
Head of Compliance and Fraud - Dapper Labs. https://www.dapperlabs.com/join/position?id=ef303c33-3df5-48c9-9598-eba07cd4f404
Irrelevant
Your humble editor likes pens. Yes, ink pens. Here is a great review of the best. https://www.jetpens.com/blog/The-44-Best-Pens-for-2024-Gel-Ballpoint-Rollerball-and-Fountain-Pens/pt/974
Super Long Geeky Read - That You Should Read
Researchers find a way to remain persistent within compromised Google accounts. They maintain access to the account even after the password is changed! https://www.cloudsek.com/blog/compromising-google-accounts-malwares-exploiting-undocumented-oauth2-functionality-for-session-hijacking
We had low open rates last week, but we did pick up a few new subscribers. There’s a ton of demand for your attention, and I appreciate that you give me a few minutes each week.
I look forward to seeing you next week.
Matt
“A gunshot wound may be cured, but the wound made by a tongue never heals.”
Published every Tuesday, Threats Without Borders offers original commentary and educational pieces related to cybercrime investigations and information security topics. We also summarize and comment on news articles concerning active threat intelligence for the financial industry. The newsletter interests everyone tasked with cybersecurity or preventing or investigating technology-enabled fraud, theft, or money laundering.
Legal: I am not compensated by any entity for writing this newsletter. Anything written in this space is my nonsensical opinion and doesn’t represent the official viewpoint of my employer or any associated organization. Blame me, not them.
Good article, brother. Keep doing what you’re doing!