Chapter 14. The Cool-Cash Syndicate

AUSTINE S.M. ADACHE

Yare Twiyzyila was a tall, lanky twenty-something who liked to sport an Afro hairdo and glasses because he thought it gave him an "old-school" look. He was the eldest of five children and the only boy, so he considered himself the head of the family. As a young man, he was eager to establish a name for himself and prove to his sisters that he deserved the authority he asserted over them — he just didn't want to work hard to earn it. He dropped out of high school because, by his own estimation, he was not cut out for words and numbers. He thought he was better suited for trading spare car parts in Nigeria's commercial capital, Lagos, so he moved downtown and made connections with traders. Through his new friends, Yare heard about informal computer classes offered at the local college and enrolled in one to try it out. With constant practice, he advanced appreciably and became familiar with the technology. A few months later he took a job as an attendant in an Internet cafe. His easy access to computers and the Internet at work further expanded his cyberspace horizons.

While Yare was acquiring his computer skills he was also developing a group of criminal friends who convinced him to channel his new prowess into fraudulent activities. He had one particular friend named Qiddsa Dodagi — nicknamed "Mr. Cool Cash" by colleagues and friends — who did nothing tangible for a living except to be on the Internet every day, yet he had more money and lived more comfortably than any of his hardworking peers. He drove a sleek, black BMW and owned a three-bedroom house in an expensive area of the city. Mr. Cool Cash's easy lifestyle and wealth lured Yare Twiyzyila into the world of Internet fraud.

Yare and Mr. Cool Cash became such good friends that Mr. Cool Cash revealed the source of his money — hacking into people's bank accounts. He taught Yare this art and science and Yare — with his knowledge of computers and the Internet — learned quickly. Together they amassed so many victims they were becoming a racket. To create their enterprise, Mr. Cool Cash and Yare used three methods to break into people's bank accounts: phishing, card cloning and extrapolation.

Phishing

Phishing — a common Internet scheme directed at the fraudulent acquisition of privileged, sensitive, confidential or private information from an individual — was committed by Yare via text messages, e-mail or instant messaging (IM). His scheme involved posing as a genuine or trustworthy authority or company to persuade victims to provide their banking information. They sent mass e-mails to unsuspecting victims that were supposedly from their bank and requested they confirm their account details. By replying to the e-mails, people were essentially handing the fraudsters their money.

Card Cloning

Yare learned how to clone cards by printing, embossing or encoding a fraudulent credit or debit card with information from a genuine card. Typically, the data on a real card's magnetic stripe was copied onto another card without the cardholder's knowledge, or the card details were stolen from discarded receipts or directly from the card at a point of sale (POS) terminal or ATM. Yare was able to read, overwrite and encode an existing card with new details or information using a cloning machine.

Extrapolation

Because they knew that the 19-digit number — called the personal account number (PAN) — on a debit card was a combination of the issuing bank's code and the account holder's personal account information, Yare and Mr. Cool Cash made informed guesses until they hit on the right combination. They gathered some of the information from receipts littered around the ATMs and they used a hacking tool called a net monitor to generate numbers and test their validity. Once they confirmed on the Internet that the card was active, they began to extrapolate the personal identification number (PIN). Unfortunately some debit card users create PINs that are easily guessed, such as 0000, 1234, 1111, 1980 and 1970; fraudsters had two tries a day before they were locked out of the online login process. But given a long-enough period of time, they were able to guess the correct PINs.
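The guessing described above stays under a per-day lockout, so a counter that resets each day never trips. The following is an added example, not part of the original chapter or of any bank's system. It is a detection sketch that counts failed PIN checks per card across a rolling window of several days. The log format, the card tokens, the thresholds and the reading of the daily limit (more than two failures in a day triggers lockout) are all assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data): timestamp, card token, PIN-check result.
SAMPLE_LOG = """\
2009-03-01T10:02:00 card=A1 result=FAIL
2009-03-01T10:03:00 card=A1 result=FAIL
2009-03-01T14:30:00 card=B2 result=FAIL
2009-03-01T14:31:00 card=B2 result=OK
2009-03-02T08:00:00 card=A1 result=OK
2009-03-02T11:15:00 card=A1 result=FAIL
2009-03-02T11:16:00 card=A1 result=FAIL
2009-03-03T09:40:00 card=A1 result=FAIL
2009-03-03T09:41:00 card=A1 result=FAIL
2009-03-04T12:00:00 card=A1 result=OK
"""

def parse(log):
    """Return time-ordered (timestamp, card, result) tuples."""
    events = []
    for line in log.strip().splitlines():
        ts, card, result = line.split()
        events.append((datetime.fromisoformat(ts), card.split("=")[1], result.split("=")[1]))
    return sorted(events)

def daily_lockouts(log, daily_limit=2):
    """Cards a per-day counter alone would catch (failures in one day > limit)."""
    per_day = defaultdict(int)
    for ts, card, result in parse(log):
        if result == "FAIL":
            per_day[(card, ts.date())] += 1
    return {card for (card, _), n in per_day.items() if n > daily_limit}

def slow_guessing_alerts(log, window_days=7, min_days=3, min_fails=5):
    """Flag cards whose failures accumulate across days inside a rolling window.
    A success does not clear the count: the cardholder's own logins would mask guessing."""
    fails, alerts = defaultdict(list), {}
    window = timedelta(days=window_days)
    for ts, card, result in parse(log):
        if result == "FAIL":
            fails[card] = [t for t in fails[card] if ts - t <= window] + [ts]
            days = {t.date() for t in fails[card]}
            if len(fails[card]) >= min_fails and len(days) >= min_days:
                alerts.setdefault(card, {"first_alert": ts, "success_after": False})
        elif card in alerts:
            alerts[card]["success_after"] = True  # correct PIN entered after the alert
    return alerts

if __name__ == "__main__":
    print(daily_lockouts(SAMPLE_LOG), slow_guessing_alerts(SAMPLE_LOG))
```

On the constructed log the per-day rule flags nothing, while the rolling-window rule flags card A1 on the third day and records that a correct PIN was entered afterward, which is the point at which the account should be reviewed.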

Saving for a Home

Micah Jumo was a public servant with a demanding job in Lagos. He denied himself and his family luxuries in the hopes of one day building a home. Micah had maintained a checking account with a leading Nigerian bank for nearly 10 years. He also used the checking account as his major savings depository and had a debit card associated with it. Because Micah was saving to buy a home, he guarded his debit card diligently against possible compromise and checked his account balance regularly. Toward the goal of owning a home, Micah had already purchased a plot of land in the suburbs. In a show of determination, Micah had commissioned the architectural design for the house — four bedrooms with a guesthouse — from a childhood friend who was an architect. He had even begun requesting building permits from the various city and planning councils that oversaw the process. He was hoping to start construction within a year.

One afternoon Micah went to the bank to make a withdrawal from his account, but the balance did not tally with what he expected. He was shocked to see it was short by an equivalent of about $12,000, and he knew perfectly well that he did not withdraw such an amount. He lost his temper with the bank teller and demanded an explanation. He was referred to the customer care unit, where he registered his complaint and requested to see the manager. After an exhaustive deliberation, the manager asked Micah to write a formal complaint. The manager ended their conversation by asking Micah to exercise patience while he looked into the problem.

The bank records showed that the money was withdrawn from Micah's account over the course of three days in amounts equal to $4,300, $4,300 and $3,400. The transactions were made through the Internet. Because Micah denied knowledge of the transfers, the bank manager referred the case for further investigation to the government agency in charge of economic and financial crimes. I worked there as an investigator and was given the case.

Can I Get Your Number?

From past investigations of similar crimes, I had learned that debit cards can be compromised directly or indirectly, intentionally or unintentionally, by a bank employee, a debit card owner or an external fraudster. I also knew that insider abuse was rare. Therefore, my initial hypothesis was that the culprit or culprits were outsiders. As the leader of the investigation team, I attended a briefing with Micah and heard his account firsthand. This meeting was also attended by key staff members from the bank.

After hearing the basics, I requested Micah's bank statements and transaction records; both showed that the three disputed transfers were debited from Micah's account for Internet purchases. This led us to an Internet-based payment facility — InterSwitch — and in turn to a Web site that sold pay-as-you-go cell-phone service. We requested that the phone company, Comsoft Limited, send us the Internet protocol (IP) addresses used to make the three purchases. We also asked for the buyers' names and e-mail addresses, although it was likely that the information provided would be fake. However, we knew the IP addresses could be traced to physical addresses with the help of the Internet service providers (ISPs). After following the trail backward, we identified two public Internet cafes as the site of the fraudulent transactions. Unfortunately, Internet cafe owners in Lagos were notorious for not maintaining records of their customers; we began surveillance on the cafes in the hope of establishing suspects, but to no avail.

While we were monitoring the Internet cafes, Comsoft returned the phone numbers that were used for the three fraudulent purchases. We traced one number to an apartment in downtown Lagos rented by a woman named Tifari Twiyzyila and paid her a visit. When my partner and I arrived and explained where we worked, we were invited inside by her. Upon my request, she gave me her cell phone and I scrolled through her contacts. Two numbers caught my attention — I recognized them from the list of numbers provided by Comsoft. The names associated with the two numbers in Tifari's cell phone were "big brother" and "Janz." When I asked her who the two people were, she said one was her brother, Yare Twiyzyila, and the other was her brother's friend, Janzozo Danbola.

Falling Like Dominoes

After much prodding, Tifari reluctantly led us to Yare's apartment, and the scene that greeted us indicated that he was tipped off — furniture was askew and a radio was left playing as if the occupants had left in a hurry. However, we planted a surveillance device in the apartment and made it known in the area that we were leaving. About a week later, Yare resurfaced — an event that our surveillance device picked up — and we were able to speed over to his apartment in time to find him frantically packing his belongings, apparently trying to flee. We arrested him and discovered two of the Comsoft cell phones in his possession. While searching Yare's apartment, we found Janzozo Danbola's address and my partner and I immediately headed in that direction, leaving a forensics team to finish the search at Yare's home.

Janzozo Danbola made quite an impression on us when we parked outside his house. He was just stepping out the front door when we pulled up and was dressed in remarkably elegant clothing. Much to his chagrin, we added a pair of handcuffs to his fashionable ensemble. We found one of the Comsoft phones on Janzozo as well, and discovered that only minutes earlier he had sent a text message to a contact named Doncali. The message said, "Here are the card details 5678788889075657432. Expiry date 2010." When we asked him the meaning of the message, Janz said he had lost his debit card and was asking his friend Doncali to help him look for it. Doubting this explanation, I sent another text message to Doncali from Janz's phone asking, "How soon, please?" Doncali immediately responded with, "Meet me at the Mobil filling station in one hour."

Putting my suspicions together, I came to the conclusion that Doncali was in possession of a debit card duplicator. Janzozo had somehow acquired the details of a debit card and sent them to Doncali to generate a fraudulent card. After presenting my theory to Janzozo, he admitted his role and told me what transpired. He said he stole information from the cards of unsuspecting victims and sent it to Doncali — except the PINs, which Janz kept to himself — to make fake cards. When a card was ready, Janzozo and Doncali met at an ATM to see if there was money in the account. Janz kept the PIN for this reason, so Doncali couldn't make a card and withdraw the money himself. If there was money in an account, Janz withdrew it and paid Doncali a percentage. Janz also informed me that Doncali met his clients at public places and made sure nobody knew where he lived or stored his duplicating machine.

We set up strategic positions around the rendezvous gas station and instructed Janzozo to meet Doncali, collect the cloned debit card, make the withdrawal and pay him. After that, he was to give Doncali the details of another debit card — which I gave to him — and we told him to stress the importance of getting the card quickly. We watched the meeting take place and then followed Doncali as he drove away. As he was driving, Doncali unnecessarily changed directions several times and stopped momentarily to see if he was being followed. However, we did not lose track of him. He parked in front of a two-story house with a panoramic view of the city. A few minutes after he went in the house, we entered the building and executed a search warrant. We arrested Doncali Ijabula and recovered the card duplicator.

When we were able to interview Yare Twiyzyila, he initially denied knowledge of the fraud. But when we confronted him with the volume of evidence that led to his arrest, he opened up and confessed to the crime. He said he used the extrapolation method on Micah Jumo's account to figure out the PIN — the year Jumo's first daughter was born. Yare also said that when he eventually hacked into Micah's bank account, he went to an Internet cafe on the other side of town to transfer the money, hoping that the transactions could not be traced back to him. Generally, debit card fraudsters prefer to make purchases on the Internet rather than withdraw money from an ATM to avoid the withdrawal limit. Also, items purchased online can be sold easily for cash.

The arrests and confessions of Yare Twiyzyila, Janzozo Danbola and Doncali Ijabula indicated they were members of a larger fraud ring, and this led to two other major arrests, including that of ringleader Qiddsa Dodagi (Mr. Cool Cash). The evidence we found on Mr. Cool Cash's laptop was what finally nailed him. We identified and traced some of the proceeds from stolen card information to Dodagi's individual bank account and to properties he bought. The perpetrators' accounts were frozen and their properties ordered for seizure by the court. When we sent the case to our legal unit, they drafted the appropriate charges and filed the case in court.

The Syndicate Dissolves

Qiddsa Dodagi, Yare Twiyzyila and the other members of the Cool-Cash Syndicate were charged with conspiracy, forgery and stealing. They hired a brilliant lawyer who employed every stalling technique in his arsenal, but justice prevailed in the end. Each member of the fraud ring was found guilty and sentenced to jail for terms ranging from three to seven years. The court ordered the forfeiture of the proceeds of the crime and restitution for the victims.

Note

Lessons Learned

This investigation was an interesting exercise. It required time, energy, initiative and money and taught me how to best harness and employ our resources. I also learned new methods by which frauds were committed from my suspects when I interviewed them. The findings of this investigation made me take more precautionary steps in safeguarding my own debit card information, and I accordingly make the following recommendations to other users.

About the Author

Austine S.M. Adache, CFE, is a deputy detective superintendent and lead investigator in the Advance Fee Fraud/Cyber Crime Section of the Economic and Financial Crimes Commission (EFCC), Nigeria. He has been involved in fraud investigation since 2005. He is currently in the Kano Zonal Office of the Commission.
