The saga continues. Now things get really interesting. In our last episode our identity thief had successfully procured a check made out to the dealership for a high-end (approx. $100K) vehicle he has absolutely no intention of purchasing. As I stated before, he is only interested in the money. You will notice that I have switched over to a third person perspective for this writing. I have been out of federal custody for 6 months now and no longer share an affinity for this sort of thing. I find it difficult to write from a personal perspective because I am no longer that person. Just a little tidbit to help you follow along. Anyway, “he”, let’s call him Fingers R. Sticky for now, has a check in hand. But this isn’t even half of the challenge. This was in fact the easy part. The next step involves getting the check to clear successfully.

As you recall from the first installment, the check has been made out to the dealership. Oh no!!!! That is most certainly the end of the road for sure. Well, not so fast. Fingers actually has a couple of options at this point. He’s already planned for such an event because, as seen in the first installment, he called the bank and asked specific questions and made a list of potential show stoppers. This was indeed on his list of challenges. Consequently, Fingers prepared for such an event by opening up a bank account in another state under the same business name using the same identity he used as the buyer. This single identity is going a long way. The incorporation process is quite simple and cheap. Not to mention the fact that all of this can be done online. A few incorporation documents (which happen to be totally legit), an 800 number for good measure, a reformatted utility bill and voilà, a new business account with all the perks.

Fingers is now free to portray buyer or seller at will. At this point in the game he is in full control of every aspect of the deal and nearly impossible to stop. There were times when I had multiple cell phones at my disposal and would field calls as buyer and seller depending on which cell phone was called. The insight was priceless.

With the new bank account in hand and a check made out to the business name on that account, the deposit, via mail, scan or ATM deposit, is a cinch. And guess what: since this is a business account, many of the red flags that apply to personal accounts regarding initial deposit simply don’t exist. In my former life I’ve only come across one institution that would regularly require an in-person verification for a rather large initial deposit and that was Chase. Kudos to you for your diligence. Your efforts have saved loan providers countless sums of money and tons of red tape. Alas, many of the other institutions are only too happy to have a new business account open with an initial deposit in excess of $100K so Fingers proceeds with his scheme.

The check will take approx. 7 to 10 business days to clear. But Fingers is in no rush. As long as the true owner of the identity he is using does not check his/her credit report, time is not an issue. Additionally, Fingers has full access to the actual credit report and can retrieve an updated version online at any time. Why would he want to do this, you may ask? What good will this do at this point in the game? Well, it’s a matter of insight and safety. If, by any chance, the jig is indeed up, the first thing that will happen is the placement of a fraud alert by the true owner of the identity onto the credit report. This serves as an “Emergency broadcast message”. Once this fraud alert appears the game is over. Burn the joint and move on. Compliance officers: read between the lines, think outside the box and use this to your advantage.

To maximize efficiency while waiting for the check to clear, Fingers begins to set up the “win”, which is the actual securing of the funds once available. Hmmm, now this here is indeed a challenge (carefully place tongue near cheek). In 7 to 10 days he will be looking at a business account, online of course, with $100K of cleared funds that are going nowhere anytime soon. The numbers are attractive and nice to look at but totally useless unless he can get the money out. He realizes that this is where the institution’s safeguards and red flags come into play. Banks don’t scrutinize deposits anywhere near as diligently as they do withdrawals. Quite frankly, that’s probably their biggest downfall. Obviously, this is a matter of responsibility. The institution that is the source of the funds is, for the most part, responsible for securing their funds. But at any point in time any institution can be the victim. It just depends on the scenario. Simple communication between institutions would go a long way toward fighting fraud but this is easier said than done. Anyway, I digress. Fingers realizes that he can’t go to the ATM every day and withdraw the maximum amount. This would definitely trip a flag and tip off the bank and is an amateur solution at best. The account would lock up in the first week for sure. He has to come up with a more sophisticated way to make large, seemingly ‘legitimate’, withdrawals. So he goes with the wire scenario. The limits on wires are pretty generous even by today’s standards. $25K per day is pretty normal. Or, better yet, he can write a check to another institution offshore or launder the money to some ‘investment’ vehicle that is easy to liquidate.

Hmmm, investment vehicle, tangible asset, untraceable, easy to transport and most importantly, easy to liquidate worldwide. I’ll take ‘Precious metals’ for $100K, Jim. The ideal vehicle for laundering large amounts of currency. It’s accepted all over the world and even at the teller window in many countries. They bear no serial number, are completely untraceable, require no ID and symbolize a “win” at the very point of acquisition.

Most jewelry store owners are only too willing to cash in your precious metals for about 10 percent less than current market value. No questions asked. Liquidation is surely not an issue. He can sit on his stack of precious metals for years and only have to worry about basic market fluctuations. At that point the money is his.

Meanwhile the charges are adding up. Based on the dollar amount alone he is looking at about 6 – 12 months. Then there is the aggravated identity theft charge which carries a mandatory 2 years. Add to that a dash of mail fraud and a half cup of money laundering and he quickly finds himself looking at a 5 to 7 year bid. Is it worth the risk? You do the math.

Again, I am not going to expose the logistics behind this process as any further information would indeed be TMI. In fact, I may have already crossed that threshold in some aspects but if this writing helps to inspire one well placed deterrence it will be worth a calculated risk based on a potential loss. This same type of scenario or incarnation thereof can be applied to just about any type of loan process. A $100K car loan is a pittance compared to, let’s say, a mortgage on a home for instance.

Suffice it to say, this type of fraud exists, is prevalent and cannot be stopped by securing your firewall or via anti-phishing images or dual phase secure logins based on the existence of browser cookies. Once the thief actually owns the account he is provided with legitimate credentials. Consequently all security measures become invalid. It’s too late. He is inside, trusted and he entered right through the ‘Front Door’ no less. Ironically, for all intents and purposes he is now seen as a legitimate customer by the institution. Their safeguards are in place not to thwart but to ‘protect’ him from, you guessed it, criminals.

This institution has just been ‘socially hacked’. This type of attack is a different ball game altogether, and without the proper training of personnel and planning it will continue.

In the next installment I will discuss a few ways to deter criminals from selecting your institution as an ideal candidate for social hacking.