Note: This is the first in a series of articles written by a convicted felon currently serving 57 months in a federal correctional institution for identity theft and mail fraud.

I am a former identity thief. That’s not a fact of which I’m proud. I sit here at Fort Dix FCI, trying to redeem myself for some of the wrongs I have perpetrated. And I hope what I have to offer will be of value to banking and security leaders.

In this first installment, I discuss the front-door tactics that are used to commit bank fraud via identity theft. Take note that none of this is theoretical. I have put these methods into practice. They work, they are prevalent, and these tactics are being employed by identity thieves even now. In future installments, I will address different ways to deter these types of attacks upon your institution.

Front-Door Fraud

Most of the discussion regarding fraud prevention and identity theft is predicated on the assumption that an identity thief is some hacker who uses back-door system access tricks to compromise a bank’s database of customer account information. While often this is true, many identity thieves use what we call “front door” tactics to commit fraud.

I was able to pull off many fraud deals — some in the realm of $150,000 — by simply having the confidence to be brazen when speaking on the phone with a loan specialist or underwriter. Although I am an accomplished web developer by trade, these skills are not required for front-door identity theft, except for some minor proficiency in any basic graphics application. The entire operation can be executed using any IP masking software from the comfort of your favorite WiFi-enabled coffee shop. Consequently, there is virtually no face-time required.

Please note that these crimes generally begin with a dollar amount, not a “victim.” With front-door identity theft, the true “victims” are typically banking institutions, loan providers, brokers and credit card issuers — not an actual individual. Using front-door tactics, frankly, provides us with a larger playing field of potential targets.

As frightening as it may sound, I know first-hand that any institution can become a victim of this type of crime, regardless of how diligent they may be in securing their assets. Few institutions offer enough deterrence to make themselves unattractive to front-door identity thieves – without compromising any of the conveniences offered to legitimate customers.

Considering that the average identity thief obtains $6000, and there are 8 to 10 million victims each year, front-door identity theft should be considered a significant threat — especially since it can take a year or more to discover the offense.

How I Did It

Let’s start with a basic scenario: I’m looking for a relatively quick $100 K. Personally, I was a fan of automobile loans, but the following fraud can be pulled off with RVs, boats, business loans, mortgages, etc.

So, say I decide to seek a loan for a high-end Mercedes. I have no interest in the vehicle itself, but rather I want the cash value of the car. First, I need to identify a vehicle and obtain the VIN. Sites like eBay are great for these details.

A next step (I am purposely omitting key details, so as not to provide a roadmap for would-be fraudsters) is to find a loan provider that offers auto loans direct to the customer. The institution will believe that, if it grants the loan, it will have a lien on the vehicle, so approval is almost certain. Consequently, the relatively high dollar amount is not an issue, as long as I steal the identity of a person with a decent credit rating.

After I select a loan provider, I then need to make the first call anonymously to the institution as ‘a prospective customer’ to make sure there will not be any unwelcome surprises. Among potential deterrents (which I’ll go into in detail in a future installment): The bank may deal only with a restricted list of pre-qualified dealers; it may require a vehicle inspection by its own inspector; or the institution may actually require an in-person loan closing. That last one is a show-stopper – the golden rule of front-door ID theft is “no face time” — but it doesn’t occur as frequently as you might think.

So, assuming I’ve encountered no obstacles, then pretty quickly I’ll have the inside scoop on exactly how the particular loan process works.

Next, I need the stolen ID — the part of this crime that will add a nifty two consecutive years minimum to any underlying conviction. I am certainly not going to discuss how to steal someone’s ID, but suffice it to say that there are many ways, and they don’t require diving through someone’s trash. Now, when I refer to an ID, I mean the basic components: name and social security number. Date of birth and address can be found online, so they serve as an added bonus.

With this information in hand, I need to pull a credit report, so I can correctly answer the loan provider’s challenge questions. This is the only real line of defense for front-door identity thieves, and its effectiveness is marginal at best. Fortunately (for the thieves), the Federal Trade Commission has been kind enough to offer free credit reports via the free credit reporting act, which resulted in the huge security hole called ‘Annualcreditreport.com.’ I will avoid any further details, but trust me: You do not have to be a hacker or computer whiz to figure out how to secure someone’s credit report.

After the FTC hands over someone else’s credit report, I fill out the online loan application. Since I have selected an individual with decent credit, I expect to get a prompt reply, and it is almost always a guaranteed approval. Remember, the institution assumes that it will have a lien on the vehicle. Of course, I have to manufacture some employment — preferably something listed on the credit report — along with a career match. For the most part, not one of these items is scrutinized by the banks, so the sky is the limit as long as the income is substantial, considering the loan-to-value ratio and a couple of other factors.

I then call the designated loan specialist and give the details of the vehicle, as provided by eBay or whatever resale site I have chosen to use. In most cases, the loan provider will then ask me to fax the vehicle’s bill of sale, which can be forged quickly using any graphics application.

Shortly thereafter, I will receive loan documents via express mail to be fully executed in the presence of a notary. Normally, this would be a major show-stopper. Remember the golden rule: No face time. But take it from me, the notary requirement is not a significant obstacle, and it certainly does not require any unnecessary exposure or even a real notary, for that matter.

Less than one week later, the institution will mail me a check. To provide extra security, the check will typically be made out directly to the dealership or seller. This extra precaution is designed to prevent ‘legitimate’ buyers from simply cashing the check and using the funds for something other than the automobile. Believe it or not, though, there are some banks that provide you with a draft that is nothing more than a blank check pre-authorized for the value of the loan.

But let’s say I have the check made out to the seller. The bank is absolutely, positively protected from any type of fraud now, right? As I was once told by a rather naive loan specialist, “We are not worried about the check ending up in the wrong hands because no one but the dealership can cash it.”

Think again. Yes, indeed, the front door is truly wide open.

In the next installment, I will discuss how to cash the dealership’s check.
