Menu
Banking Exchange logo215mar2015
Menu

Beware address hijacking

When you call and the “customer” says “go ahead,” it may not be your customer

Beware address hijacking

“Why are 25 people from all over the country moving to a vacant lot in Brooklyn?”

Adam Elliott not only asks questions like that, his company, ID Insight, was founded on designing algorithms that can help companies like banks ask such questions, in an automated fashion.

Elliott explains that the sheer volume of data breaches in recent years has stocked the shelves of the “dark web” and other sources of illegally obtained consumer data with a massive supply of raw material.

“The good news is that there are not enough fraudsters to fully consume the data that’s out there,” says Elliott.

How crooks work

The methodology of choice of many fraudsters using such data is the account takeover. Typically financial accounts rely on several means of reaching the account holder, including a physical address, a phone number, and an email address. If, using access obtained via a breach, a criminal can get a bank’s records changed to divert communications from their bank to a false address or phone number, they have a chance to grab the legitimate customer’s assets.

“Address discrepancies are the biggest pain point of any ID verification solution,” Elliott explains, “as it drives so many mismatches and it is where the identity thieves are hiding.” Elliott’s firm relies in part on a system incorporating many sources of legitimate address changes, including those reported to its own customer companies. Scoring of risk of given addresses comes into it—not all reported address changes are necessarily true, obviously.

Even if certain details as Social Security number are used for verification, that may not mean anything, Elliott says. A fraudster who has breached files likely has such data. The data will match what’s on file with credit bureaus and other such sources, but that just means the fraudster has very reliable information at his fingertips.

With such information at hand, criminals can get account addresses changed to an address they control. Likewise an email or phone number.

So, the consumer may not even be receiving account information anymore, with the data going to the criminal’s destination, such as that vacant lot or a house being used as a letter drop.

Want more banking news and analysis?

Get banking news, insights and solutions delivered to your inbox each week.

Such destinations change fairly frequently.

“Fraudsters aren’t living in owned homes, waiting for the postal inspector to show up,” says Elliott. Similarly, they love prepaid phones, since they can be used and ditched before they become a liability for the criminal. Elliott says Google Voice phone numbers can be used anonymously, providing another source of contact for a hijacker.

“Yes, of course I’m me”

Elliott says his firm has seen a large spike in fraudulent phone number changes. He says a very large bank recently called a phone number that had been changed. The intent was verification for a large wire transfer that had been requested. The “customer”—actually, a criminal with enough information to convincingly pose as such—authorized the transaction. All the verification call did was confirm, after the loss, that the criminal had all the right credentials to pose as the customer.

The wealth of illicitly obtained data out there has wrought a change in the account takeover scam, according to Elliott. It has become much more organized, given the vast amount of potential waiting to be exploited.

Elliott’s firm provides nearly 600 financial companies with screening services that rely both on external databases that ID Insight has access to, as well as information shared among client customers through the company. Scoring of information under review helps highlight individual risks, while the view of the vendor’s community of banks helps spot trends where a criminal is trying to pass off the same address or other fake destination on multiple institutions.

“We’re always interested when we are seeing a lot of activity at a single address over a short period of time,” says Elliott.

The change of address, phone number, email address, and such are what Elliott calls “the setup event,” the step that puts the criminal in control.

After that, absent detection, the crook just starts the process to rake in the take, whether it be a funds transfer, obtaining a new credit card with a healthy credit line, or grabbing some other asset in a legitimate customer’s name waiting to be exploited.

Unfortunately, says Elliott, no matter what detection is applied such threats never go away.

“It’s like a balloon,” he says. “You squeeze on one side, it bulges on the other.”

Steve Cocheo

Steve Cocheo’s 38 years in financial journalism have taken him to all 50 states and nearly every corner of financial services in companies from fintech startups to community banks to regional and national giants. He is executive editor of Banking Exchange and digital content manager of www.bankingexchange.com. Previously he spent 36 years on the staff of ABA Banking Journal and 22 years concurrently as editor of ABA Bank Directors Briefing. He is the only journalist to have sat in on three federal banking exams, was a finalist for the Jesse H. Neal national business journalism awards, and a winner of multiple awards from the American Society of Business Publication Editors. A year ago he finally gave up his cherished Blackberry for an iPhone, recently tried Uber, and has made it by Citibike from Battery Park to the Washington Bridge… and back.

back to top

Sections

About Us

Connect With Us

Resources