Chapter 9. Hot Wire

RYAN W. MUELLER

Adrian Vargas was a young man with big dreams. Originally hailing from Texas, Adrian was a proud Marine who served two tours of duty in Iraq. Despite being overseas for several years, Adrian remained close to his relatives, and many people would have described him as a family man. Originally, Adrian joined the Marine Corps in search of excitement and adventure. In spite of the miles between his Marine base and his home in El Paso, and the even longer distance between his locations on tours of duty and family, Adrian maintained close ties and frequently sent back letters and gifts. This pattern held true after his discharge when Adrian began sending home illicitly obtained funds and unknowingly assisted investigators in tracing the proceeds of his crimes.

After four years of service with the Marines, Adrian received an honorable discharge, and the world could have been his oyster. However, life after service proved to be stressful, as reported by Adrian himself in his sentencing hearing. He had money troubles and difficulty readjusting as a civilian. He missed the adventure and liveliness that the Marines had provided him, and eventually found a new outlet for his restless energy that also helped solve his money issues — identity theft.

Onward and Upward

Founded in a basement in Alberta by two friends eager to break into the online funds-transfer industry, www.OnlineMoney.com quickly became a runaway success. Other service providers were abandoning high-risk merchants and their attendant customers with increasing rapidity. OnlineMoney was quick to step in and fill this ever-widening gap, and it soon outgrew the basement and opted for more spacious accommodations above a car wash. The sky would prove to be the limit, and quickly OnlineMoney found itself in a multilevel office building with a number of dedicated departments and business units. Eventually, it would move to even more spacious and luxurious locations, both locally and internationally. Before this final move, I would discover Adrian's treachery in our customer database and assist in bringing him to justice.

Night Watch

I was initially employed with OnlineMoney as a customer service representative, aiding customers with the setup and navigation of their accounts and finishing my university homework between calls. Within a few years, I had demonstrated a knack for dealing with difficult customers, pursuing debtors and locating fraudulent or otherwise suspicious accounts. I was promoted to the investigations unit and promptly placed on the night shift, riding the rookie desk as the newest addition to the team.

Despite its somewhat negative effect on my social life, working nights offered the first crack at all the best cases, as this was when the majority of identity theft or other victims notified us of their unfortunate discoveries. It was also the prime time for fraudsters with day jobs to try their luck against our identity and bank verification systems with varying degrees of success.

I was working yet another 3:00–11:00 PM shift, collating data on an active investigation in Broward County, Florida, when my desk phone rang. I lifted the receiver, pressed the queue button, and said, "Thank you for contacting OnlineMoney Investigations. How can I help you?"

"Ummm. Hi, Ryan," came the reply from our receptionist. "I have an investigator employed with a Marine credit union on hold claiming several bank accounts have been compromised. Can you take the call?"

"Put him through, please."

Information Deployment

I began by asking the bank investigator for a brief summary of the issues and how he had come to feel the charges against the accounts were unauthorized. I asked this because we received several calls a day that were simply cases of buyer's remorse. Frequently, these remorseful buyers would involve their banks, and even law enforcement, in an attempt to negate their purchases. Other times, an overzealous bank employee would call us to check up on the products their client was purchasing to ensure they were not controlled or prohibited by the bank. At this point, I thought I had heard it all.

The gentleman proceeded to outline the five Ws (who, what, when, where and why) of the case so far. The evidence supporting his claim that the transactions were not authorized seemed solid; all of the identities used to establish accounts belonged to Marines on active duty in Iraq at the time. This was perhaps the most compelling evidence I had heard up to that point in my career, so I quickly dispensed with my usual cynical phone persona and got down to business.

I closed all accounts with a few keystrokes and employed a variety of techniques to isolate a clear trail to the identity of the perpetrator and assess the possibility of criminal proceedings. The majority of OnlineMoney's account products were designed to be as user friendly as possible to increase conversions and decrease abandoned signups. This left the intrepid investigator with a very lean sample of "tombstone" data to work with that typically consisted of:

  • Name

  • Date of birth

  • Social Security number or other identification number

  • Phone number

  • Address

  • E-mail address

  • IP address

  • Security questions and password

  • Bank account or credit card information

It helped that the perpetrator had registered multiple linked accounts, leaving a wider trail of unique attributes to investigate. I set about my task, following every lead as far as it would go, and then following the next one.

Investigators in the online space are like investigators anywhere; the case load dwarfs the available resources, the budget isn't written to give you more than last year, and the coffee in the pot is always two hours old. Given that I was not employed by law enforcement, the toolkit that I had access to was limited, to say the least.

Our chief methodology when dealing with a concentrated third-party fraud was affectionately named Search and Destroy. Essentially, it consisted of following links among accounts and running checks on the customer data attributes present on those accounts until a perpetrator was identified. Once that was accomplished, all I had to do was prove that the individual — or someone known to him — was involved in the scheme and lawfully lean on him until he either admitted the wrongdoing or squealed on his friends. Not the most sophisticated approach, but when life gives you lemons, you need to supply your own sugar and water.

The hottest data attributes were typically:

  • Phone number

  • Social Security number

  • Address

  • IP address

  • Password

By hottest I simply mean these gave the most useful results when investigated. As a first step, I ran a search of our system for all transactions submitted in the last 30 days, using the credit union routing number in question, and further pared down that list by eliminating accounts that were registered prior to the alleged fraud being reported. In past investigations, I had netted a good line on the perpetrator simply by identifying which account had been signed up and operated first. I can't count the number of times a fraud ring started with one debtor who got to know the system by operating an initial shady account.
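The link-following step of Search and Destroy can be sketched as a clustering problem. The following is an added example, not OnlineMoney's code: it groups accounts that share a phone number, address or IP address (three of the attributes listed above) and orders each group by signup date so the first account stands out. The record layout, the function names and every sample value are constructed assumptions.

```python
from collections import defaultdict
from datetime import date

# Constructed sample records; every value is made up for illustration.
ACCOUNTS = [
    {"id": "A1", "opened": date(2005, 1, 3), "phone": "555-0101",
     "address": "1 Elm St", "ip": "192.0.2.10", "txns": 0},
    {"id": "A2", "opened": date(2005, 2, 9), "phone": "555-0101",
     "address": "9 Oak Ave", "ip": "198.51.100.7", "txns": 4},
    {"id": "A3", "opened": date(2005, 2, 20), "phone": "555-0177",
     "address": "22 Pine Rd", "ip": "198.51.100.7", "txns": 6},
    {"id": "A4", "opened": date(2004, 11, 5), "phone": "555-0133",
     "address": "5 Lake Dr", "ip": "203.0.113.4", "txns": 2},
]
LINK_ATTRS = ("phone", "address", "ip")  # hypothetical field names

def cluster_accounts(accounts, attrs=LINK_ATTRS):
    """Group accounts that share any attribute value, directly or transitively."""
    parent = {a["id"]: a["id"] for a in accounts}

    def find(x):  # union-find root lookup with path halving
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    first_seen = {}  # (attribute, value) -> first account id seen with it
    for acct in accounts:
        for attr in attrs:
            key = (attr, acct.get(attr))
            if key[1] is None:
                continue
            if key in first_seen:
                parent[find(acct["id"])] = find(first_seen[key])
            else:
                first_seen[key] = acct["id"]

    groups = defaultdict(list)
    for acct in accounts:
        groups[find(acct["id"])].append(acct)
    # Oldest account first inside each cluster
    return [sorted(g, key=lambda a: a["opened"]) for g in groups.values()]

def linked_to(accounts, seed_id):
    """Return the cluster containing seed_id, earliest-opened account first."""
    for group in cluster_accounts(accounts):
        if any(a["id"] == seed_id for a in group):
            return group
    raise KeyError(seed_id)
```

Starting from the suspect account `A3`, the cluster reaches `A1` through `A2` even though `A1` and `A3` share no attribute directly, and `A1` sorts first with zero transactions.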

Trip Wire

This approach bore fruit yet again when I found an account signed up in Adrian's name that did not have any transactions but was linked to several suspect accounts by a telephone number. All accounts registered with OnlineMoney required that a recorded call be placed to the account holder and certain information be verified. I looked up the phone numbers to which verification calls had been placed for every account in the questionable group; several of them were in Adrian's name or surname. Many of the addresses used also turned out to be connected to Adrian. I began to think that either I was incredibly lucky, or my perpetrator was a bit of an amateur.

Doing a computerized search on Adrian's full Social Security number, I was able to confirm his employment with the USMC; tracing several of the IP addresses yielded hits to Marine bases or public libraries near Adrian's home. The net was beginning to tighten, but I still needed more proof. Externally, the investigation was proceeding nicely. The initial complainant at the credit union had forwarded the case to the Naval Criminal Investigative Service (NCIS) for completion, but not before Ted and I compared notes.

"So, Ted, I think I've got good news. I've identified a perpetrator," I said.

"Me too! Who's yours?" he replied.

"Adrian Vargas. Same as you?"

"Yeah, same as me. One of the sloppiest I've seen," he chuckled.

"Yes, me too," I laughed.

I informed Ted of what I would need for an official request to release my findings and wished him well, hoping we would meet under happier circumstances one day. But I still needed more proof to make my implication of Adrian irrefutable and ironclad. Turning to our phone records, I extracted the verification call conducted on every account under investigation. That same old lucky feeling was returning; the voice that confirmed Adrian's initial account sounded the same as every subsequent account. I felt like I was unwrapping presents when every call I extracted yielded the familiar voice I had come to know as that of Adrian Vargas. All that remained was to submit my evidence to NCIS and await the results.

Typically, any progressive service that provides online funds transfers only requires that a formal request for information be submitted by the enforcement agency investigating the case, on official letterhead, before releasing its records. Some circumstances will require a subpoena; however, solid legal precedent does exist for the release of records to the authorities, and most reputable service providers write this directly into their terms of use and privacy policies. (Law enforcement staff dealing with online investigators like me will probably find this information very useful.)

I called my new contact at NCIS to discuss the case and outline my requirements to release information. I learned that in addition to the rogue transactions and purchases made by Adrian within the OnlineMoney system, there were countless wire transfers from the compromised checking accounts to himself and to members of his family. Again, Adrian was earning a reputation as the sloppiest perpetrator I had seen.

The NCIS agent was very interested in the case I had built because there was very little evidence of the fraudulent wire transfers. My key evidence was the recorded phone calls, the account in Adrian's own name, and the IP records captured each time he logged into the fake accounts. These IP records, combined with surveillance video from the public locations from which he logged on, effectively placed Adrian at the scene of the crime. Coupled with his vocal confirmation of each account, including the stolen identity information, the prosecutable crimes were beginning to pile up.

Later that day, I received the official request for information from NCIS, which I stapled to the front of my case folder. After dropping it on the desk of my supervisor, I cut out for an early lunch, thoroughly satisfied with a pending successful collar and confident the approval process would take about as long as a leisurely cheeseburger down the street. Sure enough, on my return to the office, the proverbial rubber stamp had authorized the release of my evidence. I sent an e-mail to the NCIS with my full case attached. Then, I got back to work on other open files. Sadly, they were not all as amateur as Adrian Vargas.

Mission Accomplished

At the time that this case crossed my desk, I had about one hundred open investigations. Some were isolated instances of family members hijacking each other's accounts, some were high-dollar compromises in accounts, some were complex money laundering schemes, and the rest were concentrated fraud efforts, similar to that of Adrian, but with more sophistication. Unfortunately, not all of them were concluded as favorably.

Once all the data was collated from OnlineMoney's database and fully investigated, the identity of the perpetrator in this case was painfully obvious. Some criminals are exceptionally good at covering their tracks; Adrian Vargas was not one such criminal. Nearly every online vendor provided details that confirmed Adrian made the purchases in his own name. Additionally, the NCIS investigator had discovered that Adrian had made several wire transfers from the bank accounts in question using forged identity documents to himself and his family in Texas.

With the addition of the information from the vendors involved, the case against Adrian was as solid as anyone could hope. Having been in custody awaiting trial for a considerable amount of time, Adrian would now get his day in court. I felt a great sense of personal satisfaction about the investigation.

The defendant was indicted and eventually pleaded guilty to one count of conspiracy to commit wire fraud, one count of wire fraud and two counts of identity theft. Obviously, plea-bargaining was involved, as this represents a fraction of the charges originally laid against him. He faced up to 45 years of incarceration and $750,000 in fines. But Adrian was ultimately sentenced to 18 months in prison, five years of probation and ordered to pay restitution equal to the total loss. In this case, the risks and punishment did not justify the reward. The total loss incurred, and thus the total gain that Adrian could have hoped for, was $39,094 — a far cry from the value of a clean record and the possible fines he could have faced.

Lessons Learned

Several key lessons can be learned from this case by aspiring gumshoes and pros alike. The first is to act quickly, especially when efforts among several investigative agencies are involved. This limited the total loss faced by OnlineMoney and, in turn, the victims. Quick action on the part of the credit union investigator shut down one of the chief avenues employed by Adrian to obtain the illicit funds. And promptness by the NCIS resulted in the apprehension of the perpetrator before he was able to go on the lam to avoid capture.

Second, it always pays to keep complete records on customers and maintain a reliable audit trail. This is doubly true for investigators and business owners operating online where the bulk of your interaction with a customer is done remotely. Had OnlineMoney's system not tracked the data attributes it did, this case would have been significantly more difficult to resolve.

A key feature of our system was that if customers were unable to successfully log in to their accounts because they had entered their password incorrectly, our computers captured that information. Fraud rings are often operated by a sole individual or a small group, who will frequently enter the password of another account when logging in. One example of a different case in which retaining incorrect passwords proved useful was that of one customer gaining access to another customer's account. The IP address records were not conclusive enough to identify the culprit, but when I realized the perpetrator's unique password was used in an unsuccessful login to the victim's account, I was able to move forward.
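The same cross-account signal can be captured without keeping incorrect passwords in readable form. The following is an added example, not OnlineMoney's system (the chapter does not say how the attempts were stored): it records a keyed HMAC-SHA256 fingerprint of each failed attempt and matches it against fingerprints taken when passwords are set. `LoginAudit`, `fingerprint` and `PEPPER` are hypothetical names, and all sample values are constructed.

```python
import hashlib
import hmac
from collections import defaultdict

# Assumption: a server-side secret held outside the database (constructed value).
PEPPER = b"constructed-demo-key"

def fingerprint(password: str) -> str:
    """Keyed digest so passwords can be compared without storing plaintext."""
    return hmac.new(PEPPER, password.encode("utf-8"), hashlib.sha256).hexdigest()

class LoginAudit:
    def __init__(self):
        self.owners = defaultdict(set)  # fingerprint -> accounts using that password
        self.failures = []              # (target account, fingerprint, source IP)

    def set_password(self, account: str, password: str) -> None:
        self.owners[fingerprint(password)].add(account)

    def record_failure(self, account: str, attempted: str, ip: str) -> None:
        self.failures.append((account, fingerprint(attempted), ip))

    def cross_account_hits(self):
        """Failed logins whose attempted password is another account's password."""
        hits = []
        for target, fp, ip in self.failures:
            for owner in sorted(self.owners.get(fp, ())):
                if owner != target:
                    hits.append({"target": target, "password_owner": owner, "ip": ip})
        return hits

def demo():
    """Constructed scenario: two accounts, two failed logins against one of them."""
    audit = LoginAudit()
    audit.set_password("victim", "correct-horse-41")
    audit.set_password("suspect", "Tr0ut&Gravel!")
    audit.record_failure("victim", "correct-horse-14", "192.0.2.55")   # plain typo
    audit.record_failure("victim", "Tr0ut&Gravel!", "198.51.100.23")   # suspect's password
    return audit.cross_account_hits()
```

The fingerprints are only as safe as the key: anyone holding both can test guesses offline, so the key belongs in a separate secret store with its own access controls.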

A final, high-level lesson to be taken from this case is not to sacrifice too many verification steps to drive customer acquisitions. I'm sure many professional investigators have crossed swords with sales and marketing staff in their organizations regarding conversion and abandon rates. At every stage of an online account signup or online purchase, potential customers will abandon the process if it proves too difficult or time consuming. Fortunes can be made or lost on abandon rates, so it is important that processes remain easy and user-friendly; but this should not involve sacrificing effective "Know Your Customer" procedures, especially in light of ever-changing anti-money laundering and counterterrorist financing legislation. Without effectively identifying the customer, there is no way to serve them well or investigate if things seem amiss.

In the case of Adrian Vargas, the absence of the recorded telephone verification could have made the case much more difficult or impossible to prosecute, and thus diminished the consequences he faced. This single procedure meant the difference between a manageable fraud loss and an unmanageable one.

About the Author

Ryan W. Mueller has been a fraud investigator for more than seven years, working exclusively in e-commerce and online payment processing. Ryan graduated from the University of Calgary in 2006 and is currently the director of Golden Apple Consultants, a consulting firm focused on online fraud prevention and investigation. E-mail him at .
