Fraud Across the Pond

As in the U.S., financial institutions worldwide face expanding global fraud and payment schemes.

November 1, 2010

The lack of a cross-border vision by regulators, and no real urge to look at a much wider picture when it comes to global financial crime, gives criminals a huge advantage. It gives them the opportunity to stay out of reach of justice.

For many years, organized criminal groups have targeted neighboring countries, driving or flying from one place to the other seeking easy hits and vulnerabilities.

Fraudsters either use foreign payment cards skimmed elsewhere, phish for data on the Internet, or shop on one of the many live “dump sites” where a large variety of consumer data are sold as on an auction site.

Data of thousands of innocent customers circulates daily on dodgy websites and underground forums. When taken down, they reappear under other names with the same speed.

This happens time and time again because there are still no applicable laws in effect today to safeguard from such reoccurrences of fraudulent activity.

ATM fraud, for example, has increased significantly in the UK over the past five years, although it accounts for less than 10% of all card fraud there. Card skimming at ATMs is a growing trend, often perpetrated by organized Eastern European criminal gangs.

When perpetrators eventually are arrested, it’s often revealed that they’re foreign nationals who have data stolen from another country to buy goods in yet another country. Therefore, the local charges typically are minor and risks to the perpetrator are minimal.

Prosecutors or examining judges often don’t want to invest further efforts as the local impact often is low. In many cases, the crimes never end in conviction.

There are large differences in approach when taking into account most European Union countries, not only on the law enforcement side but also in terms of cooperation, the exchange of information, the possibility of convictions, and data privacy laws.

But the biggest questions remain unanswered: What about the money flow? Where are funds being transferred to?

There are a wide variety of “money transfer” facilities that have no interest in being compliant with anti-money laundering regulations. Such facilities provide safe havens for fraudulent transactions.

Throughout Europe, more of these small, family-owned money transfer/international phone shops are opening. It has become apparent that these types of organizations are mainly run by a weary group of people with an unclear business involvement.

Next: Terrorist funding

Terrorist funding

In terms of terrorist funding outfits, there have been many masking-of-payment-transaction scams occurring in the UK in the form of ATM scams and the installation of machines whose only purpose is to steal information.

For example, when major petroleum companies started franchising their petrol stations, some Sri Lankan nationals became very interested, taking over a vast majority of these stations and using them to mask terrorist funding activities.

Their reach is far and wide, covering many major cities and even gas stations in local villages. It was an unclear mix of legal and illegal immigrants, all of the same ethnic origin, who operated as a network of teams moving swiftly across the UK—working one day in Leeds, moving to Manchester the next day, and ending up at one of the many gas stations around Greater London.

These groups, who by the time they were discovered had become legal employees, deployed a huge payment terminal scam. In most cases, the station owner was involved in the scam or was forced to join in.

This criminal organization is comprised of different teams working together. The first group consists of technicians altering the point-of-sale terminals, a second group takes care of the installation within the gas stations, and a third group focuses on using the obtained data.

Some of the engineers are highly skilled and are brought to the UK for the sole purpose of hacking in order to capture account information by using Wi-Fi scanners and using cracking programs to download transaction data when the systems aren’t protected by high-level encryption software.

On a large scale, terminals are opened, bypassing security measures installed by vendors, and equipped with extra hardware. Once that’s done, they’re being re-installed on the premises with additional recording devices hidden in ceilings that capture both magnetic stripe as well as personal identification number (PIN) data.

Due to numerous transactions at rigged allocations, significant amounts of data become available. Analyzing unauthorized use of this stolen data shows a unique spending pattern.

Instead of going for a quick win and hitting different countries with massive ATM attacks, the use was spread out with more transactions at a lower value.

This way, criminals were able to stay out of banks’ monitoring radar and could continue making undetected illegal transactions for longer lengths of time.

Eventually, however, the authorities caught on to these spending approaches and began arresting these small groups all over Europe. To some extent, a more in-depth investigation was carried out to identify the money flow. Disturbingly, it became clear that the end users were Tamil freedom fighters in Sri Lanka.

This criminal confidence scheme emphasizes and identifies interesting vulnerabilities within the payment and retail chain, and shows how organized crime groups with less exposure can cause substantial damage.

This scam makes it crystal clear for the UK payment card, retail, and banking industries that procedures, compliance, and back-up plans need to be closely redefined and fine-tuned. And it certainly shows these industries must be prepared for the unexpected.

Enormous amounts of untraceable funds are passing overhead on a daily basis. Criminal entities don’t like to be closely examined, and in most cases have a dubious background or spider web setup, hopping different countries and involving “mules” as front persons.

That way it doesn’t appear strange to find individuals appearing in different cities, using ATMs for lengthy periods retrieving money and flying around the region emptying ATMs with anonymous, reloadable cards.

With the increasing mobile commerce possibilities related to telecom issues, there will be bigger challenges to safeguard payment transactions, especially because there will also be an increase in the high-tech solutions available that could be used to defraud systems.

It will take some time to fully understand the different modus operandi criminals use. But end-to-end encryption of data, as well as secure payment platforms, will be a must if we don’t want to see it escalate.

PAUL BUELENS is head of project management, fraud and compliance, for EastNets, a global provider of compliance and payment solutions.