Criminals used my account to launder credit card transactions into cash, at least where the company transacted with was willing to refund.
Last week I received a notification from Bank of America advising that my credit card may have been part of a compromise at an undisclosed merchant. The email does mention that there may not have been fraud on my card and that this is a precaution; they also advise that I will not be held financially responsible for any fraudulent transactions.
This reminded me that I need to share my own data breach experience with you. Before I get into the real story, the notification I received from Bank of America causes me some frustration. Firstly, I want to know which merchant has been subject to a data breach; they may have other data stored about me that I could take steps to protect. And secondly, I want to read the email about how the bank is hunting down the fraudsters and are going to bring them to justice, not just offering to refund any charges my account is hit with.
The glib way data breaches are notified, refunded and generally dealt with, in my opinion, causes complacency among the people affected and possibly within the companies affected. We very rarely hear the stories of the criminals being locked up or the woes of the individuals who are unfortunate enough to have been affected.
My personal data breach story
In December 2018 I received a monthly bank statement in the post for an account that is used infrequently, and yes some of us do still get paper statements. The statement is normally a single page with no or few transactions, but this time I stood shocked as the statement consisted of 7 pages. There were 50 items on the statement that were not mine – 35 debits and 15 credits – and the majority of them were insurance companies based in the UK.
Now, for context, the account in question is an offshore US dollar account and the reason it is rarely used is that it’s an emergency fund. The associated cards are kept with our passports and it’s a “just in case something happens” account, with enough instant and accessible funding to hopefully solve any issue we may encounter on our travels. In summary, the account is used infrequently, is seldom accessed online, and is only checked with an occasional glance at a paper statement.
An hour-long call to the bank’s 24-hour fraud line, whose staff were super helpful, resolved the initial problems as we stepped through every transaction on the statement to ascertain whether it was mine or fraud. They did seem a little surprised that I had not noticed the transactions earlier, but after explaining the circumstances of the account we quickly moved on. In total there was around US$7,500 in transactions and US$1,750 in refunds, leaving a fraudulent balance of approximately US$5,750 which the bank immediately credited to the account. They also blocked the account from further transactions and re-issued the cards associated with the account.
In the days that followed, additional transactions appeared and a few more credits, in fact the credits have kept coming for about four weeks. The bank continued to monitor and adjust the refunded amount accordingly. The bank also required a written statement verifying the transactions were not made by me, they produced the paperwork and I signed it. Other than the distress and the one-hour call, it was all dealt with and was relatively simple to recover from.
Insuring a better future
Now, what about the transactions? One of the first fraudulent transactions is highly amusing, given the nature of this story. They purchased a VPN product from Identity Cloaker. This allows the online fraudulent transactions to be made without disclosing the fraudsters’ own IP addresses, thus cloaking their identity and location from the merchant and potentially law enforcement.
There are three transactions that are not insurance-related: two Eurostar tickets and a hotel reservation at the Radission in Paris. I do hope they had a lovely time and would like to think their next stay will be in a penitentiary somewhere less salubrious!
Why did the fraudster, in fact let’s call them what they are, “the criminal”, buy all this insurance?
All of the insurance policies purchased are located in the UK and the transactions are all in pounds sterling, which logically should have triggered a fraud alert for the bank as the account is a US dollar account. The insurance companies in the UK are legally obligated to offer a 14-day cooling-off period during which time you can cancel a policy for any reason. The insurer is then required to refund the policy minus any insured days while the policy was in force and it can add a reasonable administration fee. If, as in this case, the insured pre-dates the start of the policy then the deduction of insured days becomes irrelevant.
When I scanned the transactions and attempted to identify the few credits with debits I saw a pattern, it became clear that some companies only allow cancellation and refund back to the original payment method, my debit card. Others may refund to alternative accounts or possibly even send a check.
The criminal is using my account to launder debit card transactions into cash, at least where the company transacted with are willing to refund to an alternative account or method.
How did this happen to me? I work in the security industry and surely this only happens to other people. The reason may be related to a previous transaction, in fact in this case perhaps it relates to the last transaction prior to the fraudulent charges appearing on the account. Between 20 and 24 July the debit card for the account was used to make three purchases for flights on British Airways. During the whole of 2018 there were only three merchants, other than the fraudulent ones, the card was used to transact with: a clothing company in London, a recreational vehicle (RV) rental company and British Airways.
In September 2018 British Airways announced that it had suffered a data breach between 21 August and 5 September and 380,000 transactions were affected. The investigation into the data breach highlighted that the airline had suffered a further data breach between 21 April and 28 July. Both of the disclosed data breaches are identified as putting payment cards at risk, potentially allowing purchase to be made. I will let you draw your own conclusions on what may have caused my card details to fall into the wrong hands, but only one of the three merchants suffered one or more data breaches.
The moral of this personal story is that anyone, even someone in the cybersecurity industry, can become the random victim of a data breach and the fraud that follows. What we rarely hear or witness is the story of someone who was the victim and how it affected them. The outcome in this incident was not that bad, it was just inconvenient, but there are many people who suffer financial loss, identity theft and other issues at the hands of cybercriminals. The good news is that Forbes recently published an article stating credit card fraud decreased in 2018 to US$6.4 billion, down from US$8.1 billion in 2017, but that still sounds like a huge amount of money or opportunity for criminals to take advantage of.
I finish with one final point: my recommendation, as you can read in this previous blog, has always been, and remains, to always use a credit card for online transactions and it should have a low credit limit. In this incident it was a debit card and used as a convenience while I was travelling – I will, of course, take my own advice going forward!
written by Tony Anscombe, ESET We Live Security