By Ben Rafferty, Global Solutions Director
Working in the payment security sector, I’ve always been interested in how CNP fraud happens in real life and is treated by the justice system. To witness this first hand, I recently went to see a court case taking place against an alleged fraudster. I’ve summarized the case and some of my thoughts about it.
A Common Crime
The defendant in this case was involved with a group that targeted small businesses. This group was following a common criminal practice of contacting small businesses and ordering goods with stolen credit cards. They were then giving delivery addresses over the phone that were not registered to the cards’ registered billing address. In the industry, this is called Mail Order Telephone Order (MOTO) CNP fraud.
Sadly, this relatively typical case means that businesses remain unaware of the crime until after the event. Many small businesses who suffer from this type of fraud are not covered by their bank or insurance; at least two independent firms were put into financial hardship after this particular crime.
On the stand was DS Connelly, arguing a case against the defendant, who failed to show up in court on the day of the trial.
Because the defendant had already pleaded guilty to “conspiracy to commit fraud” in previous years, a detective sergeant was able to provide evidence that the fraudster was committing crimes as part of a “criminal lifestyle”.
This, I discovered, is a very important distinction for considering sentencing in the UK.
A “criminal lifestyle” can be proved if the defendant has been convicted of an offense which is listed under Schedule 2 of the Proceeds of Crime Act 2002 – fraud is included in this list – and that the offense has occurred or re-occurred for 6 months or more.
According to the Proceeds of Crime Act 2003, once proven guilty of “lifestyle crimes”, the Crown could examine the fraudster’s financial history over a six-year period, potentially leading to a bigger fine.
One would think that any other criminal would have made more efforts to cover their tracks and hide any evidence of the crime, but prosecutors presented a mountain of damaging evidence against him, all of which the defendant had left rather sloppily.
One of the presented pieces of evidence was a piece of paper with 110 handwritten card strings carried by the individual, with many used cards crossed out.
The 110 handwritten cards strings gave a real insight into how fraudsters transfer and handle this data. The numbers included, as expected, the expiry date, the security card and the card number. However, they also had two additional numbers at both the beginning and end.
Why would these numbers have extra digits at the beginning and the end? The MET police never proved what they were used for, but I had a couple of thoughts on these possibly multi-functioning digits:
- Firstly, the digits could prevent simple scanning software from easily identifying the numbers.
- Secondly, they could be “mixer” numbers. These are used when criminals are stealing credit cards from multiple sources, to help ensure that they do not sell too many from one crime scene to any one individual. If a single buyer did try to use them en masse, this could trigger card scheme anti-fraud alerts, making them worthless.
- Lastly, if a swathe of compromised cards can be attributed to an exfiltration (the unauthorized transfer of data) attack by the card schemes and are cancelled and reissued, it’s an easy way of blackmarket “sellers” to advise criminal “buyers” to stop using cards starting and ending with certain numbers, for example, 12-…-12.
My feeling was that, on the balance of probability, these card numbers had been purchased in bulk.
In addition to these numbers, some of the other evidence, which a savvier criminal probably would not have left, included:
- Hanging wallpaper purchased on a stolen credit card in his house, and the salon where money was being laundered…. With spare rolls also in the garage!
- Fraudulently purchasing a rattan furniture set, and set outside the salon that his partner ran – and then including this ill-gotten furniture in the shops promotional literature, double-cheek!
- Illegally purchasing an electric beauty therapy chair in use in the salon.
- A fraudulently purchased flat screen TV in his children’s’ bedroom
- A fraudulently purchased washing machine at his mother’s house
- A single taxi journey made to his home address using one of the phone SIMs linked to making fraudulent purchases
- An unaccountable £5,059 of cash hidden in a bed and wardrobe in his home address – supposedly unbanked Salon taking
- A tax return for the previous year – The judge rejected this as HMRC only provides a receipt for claims!
Taken altogether, all these items appear to be the smoking gun, and certainly didn’t help the defendant’s case. If there were any questions to his guilt before the presentation of this evidence, they were surely dashed afterward.
Interestingly, the prosecuting barrister requested two things prior to the judge passing sentence:
- To ensure that the individual (who was not present) was aware that the case was being heard.
- The opportunity to defend the fraudster himself, as the defendant had arranged no representation.
Barrister Don Rogers took this second point very seriously and raised points against his own evidence, which to an outsider like me appeared completely counter-productive! When I spoke to him later, however, he explained that these requests were a “double lock” to prevent the defendant claiming either that he was unaware of the case being heard or that he had no defense of his own.
The Judge ultimately found the defendant guilty of criminal lifestyle crimes and deemed benefit payable of £135,118 in 90 days.
CNP now accounts for 70 per cent of all card fraud. While e-commerce transactions are not immune to this type of crime, there are simple Address Verification System (AVS) checks that can be implemented by way of prevention, such as collecting the billing address and submitting it along with the card details. MOTO does not lend itself to these checks easily, and hence fraudsters attack this channel – often, and very effectively. Businesses therefore need to be aware of the dangers surrounding over-the-phone payments – and take steps to protect themselves.
If any of the issues raised above interests you, or you are looking for solutions – please do drop me an email: Ben.Rafferty@semafone.com
The post Card Not Present (CNP) Fraud in Real Life: An Account of a Trial Court appeared first on Semafone.
*** This is a Security Bloggers Network syndicated blog from Semafone authored by Aaron Lumnah. Read the original post at: https://semafone.com/blog/card-not-present-cnp-fraud-in-real-life-an-account-of-a-court-trial/