Americas Fraud and Revenue Assurance Workshop Brasil CFCA 3030 N. Central Ave., Suite 707 Phoenix, Arizona 85012 USA +1 602 265 CFCA (2322) +1 602 265 1015 Fax Fraud@CFCA.org www.CFCA.org
Identity Theft and Subscription Fraud Cliff Jordan
Identity Fraud and Subscription Fraud Agenda • Definitions, Purpose and Intent • Documents Used for Phone Subscription • Counterfeiting in Brazil • Counterfeit Examples • Counterfeit Detection • Experts in Counterfeit Detection • Interview with Brazilian Hacker • Authentication of the Client • Detection of ID Theft / Subscription Fraud • Prevention of ID Theft / Subscription Fraud • Possible Solutions #1 through #5 • Responsibility!?!
Definitions, Purpose and Intent • Subscription Fraud – The application for a service without the intent of paying. The fraud lies in the intent: when a person subscribes to a service, they sign a form indicating their willingness to pay for it; if their real intent is otherwise, that is subscription fraud. Many subscription frauds are committed using “Identity Fraud” to disguise the true identity of the fraudster.
Definitions, Purpose and Intent • Identity Fraud – A fraud perpetrated through the use of false identity information.
Definitions, Purpose and Intent • Types of False Identities: • Fictitious Identity – An identity that does NOT represent a real person. Also called “False ID” or “Fake ID”. • Modified Personal Identity – An identity that is true but has been modified in order to falsify some information such as the age, address, etc.
Definitions, Purpose and Intent • Types of False Identities: • Identity Theft – The use of an identity belonging to another person for any unauthorized purpose. Such purposes could be: • to earn or steal money • to obtain or steal service • to hide the true identity • to frame someone • for vengeance.
Definitions, Purpose and Intent • Summary: • Subscription Fraud can be committed using: • True Identity • False Identity (Identity Fraud) • Fictitious Identity • Modified Personal Identity • Stolen Identity (Identity Theft)
Docs used for Phone Subscription • Photo Identification • RG (Registro Geral) – Common Brazilian Identity Document OR • CNH (Carteira Nacional de Habilitação) – Brazilian Driver’s License • Number Identification • CPF – Cadastro de Pessoas Físicas – Brazilian Tax ID number and Social Security Number OR • CNPJ – Cadastro Nacional de Pessoa Jurídica – Brazilian Corporation Number • Proof of Billing Address
Counterfeiting in Brazil FORGERIES Friday, January 7, 2005, 12:35 Group Negotiates 200 False Drivers Licenses Source: Diario de Cuiaba The Civil Police arrested yesterday two people accused of counterfeiting public documents. Adilson Sampaio Pontes and Clodoaldo Pedroso Barbosa were put under house arrest in the suburb of CPA, after a two month investigation. With them, the agents found 20 falsified drivers licenses (CNHs) and 9 CDs whose contents were blank documents. It is believed that they have sold over 200 counterfeit drivers licenses. According to Police Representative Alana de Souza Cardoso, the group deals with other delinquents, who try to negotiate counterfeit drivers licenses for as much as R$1000. Adilson was responsible for the counterfeiting of the documents and Clodoaldo was responsible for the sales. They received on average about R$200 per document. This scheme has been going on for more than a year. Because this is a crime with no opportunity for release on bail, the two were taken to jail yesterday afternoon after questioning. They will be accused of the crime of possession of equipment with the objective of counterfeiting, such as scanners and printers, and counterfeiting of a public seal. The investigations began when João Batista Lima da Silva was imprisoned after being caught using a fake drivers license. Since then three people have been imprisoned for using counterfeit documents created by the same group. Following this, approximately 200 buyers were identified by photos, signatures, and other documents found with the counterfeiters. “It is important to note that the drivers licenses were sold to people that do not have the ability to pass the drivers license tests of Detran (DMV). They are illiterate, people with mental disorders or people with a serious problem with sight.
Also, those that buy a counterfeit document will also be sought after for the use of a counterfeit document and can receive two to six years in prison”, explained the police representative. Among the documents found on the first CD by the police, are blank checks, store credit cards, CPF (Social Security Cards), RG (Identity Cards), a marriage certificate, school documents, proof of driving school, and more than 200 photos and signatures.
Counterfeit Examples Example from: http://www.fraudes.org/id_false.asp
Counterfeit Detection • How to identify a false Identity Card: • Bend the photo to see if it was glued on top of another. • Verify the format and feel of the Identity Card. • Check the chronology between the birth date and the date of issue to see if the dates are plausible. • With the Identity Card in hand, question the client about his birth date and his parents. • Whenever possible, step out of the client’s field of view for a few seconds, leading him to think that you could be calling the police or security. This makes an identity thief nervous; he will generally leave cursing, leaving the identity card in the hands of the attendant. • This and more hints at: http://www.fraudes.org/fraudes_cdc.asp
Experts in Counterfeit Detection • AFS Consultoria e Treinamento http://www.afsconsultoria.com.br Florianópolis - SC • Eberson Bento da Silva (unconfirmed) e-mail: ebsconsultor@hotmail.com Tels.: +(0) 21 31837837 e +(0) 21 98448936
Interview with Brazilian Hacker • Christiano Cony: Important data items such as credit card numbers, CPF (Cadastro de Pessoa Física), RG (Registro Geral), among others, can be copied and used in case the hacker finds them. Naturally, these data items are re-used, sold, and bartered? What are these data items used for? • Mad_Skater: This is not really my area, but basically it works like this.... After gaining access to the system, comes the part of stealing important data.... These are RG, CPF, which serve to fraud email accounts, pay for access to websites, etc... The hacker uses [identity] data from other people in case something goes wrong... Even I use a CPF which I obtained during a site invasion...[to gain access to] email accounts and internet access accounts. And the credit card numbers are used to buy things on the net....the “carder” gets a card number; makes a purchase normally on American sites or even Brazilian just the same and has the product shipped to a post office box created with [a fake ID and] fake documents.... Afterwards he pays 10 bucks for a friend of his to go and retrieve the product...this way he takes no risk....there also exists bartering for credit card numbers, trades, selling, etc.... • Christiano Cony: Nowadays, in order to use data items such as these, taking into account the payback and the anonymity, is any other equipment needed, another person, or can the hacker earn money on the web by himself? • Mad_Skater: Alone, a hacker can do and get everything... But normally carders are members of groups with the objective of getting the greatest number of credit cards possible. • Christiano Cony: Do there exist people specialized in hunting down credit cards? • Mad_Skater: Yes, they are called “Carders”... • Christiano Cony: Nowadays with the police becoming specialized, is it possible to earn a living in front of a PC? • Mad_Skater: Apart from Carders there exists a mafia behind the hackers...
This was something new to me as well, but I discovered some sinister things.
Authentication of the Client • Definition of Terms*: • Validation: Ensuring that each identifier that is used is, in isolation: 1. not fictitious 2. in the proper format IS THIS DATA VALID DATA? • Verification: Ensuring that the combination of identifiers truly identifies a known client or customer. DOES THIS DATA DESCRIBE A VALID CUSTOMER? • Authentication: Ensuring that the combination of identifiers belongs to the client in question. DOES THIS DATA TRULY BELONG TO MY CUSTOMER? • * source: Presentation given at the National Institute of Standards and Technology from the Economic Crime Institute at Utica College. Feb 10, 2004
Detection of ID Theft / Subscription Fraud • As part of the subscription process the carrier needs to know and verify the following data: • Name • An identity document number such as: • CPF (Cadastro de Pessoas Físicas) • CNPJ (Cadastro Nacional de Pessoas Jurídicas) • RG (Registro Geral) • CNH (Carteira Nacional de Habilitação) • A Billing Address • Optional • Bank Account Number (for automated debit) • Credit Card Number (for automated charges)
Detection of ID Theft / Subscription Fraud • If at all possible, view and copy or scan documents that prove these data points: • CPF Card, CNPJ Document • RG Card • CNH Card • Proof of Address such as a utility bill or bank statement • Bank or Credit Card Statement • For Cellular Carriers, this can be done at the points of sale (stores). • For Fixed Line Carriers, this is much harder to do but could be done at time of installation by technician.
Detection of ID Theft / Subscription Fraud • Validate all numbers: • CPF/CNPJ Number: • Software is abundant; Google search: “Validar CPF” • http://www.universalturismocuiaba.com.br/cpf/formvalidar.asp • RG, CNH Number: • Difficult because the format is state dependent. • Credit Card Number: • http://www.beachnet.com/~hstiles/cardtype.html • (Visual Basic Source Code) http://www.vb-helper.com/howto_validate_credit_card.html
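The CPF, CNPJ and card-number checks on this slide are mechanical enough to automate at data entry. The following is an added Python example, not code from the original presentation or from any of the sites linked above. It implements the CPF and CNPJ check-digit algorithms (mod 11 over fixed weight tables), the Luhn mod-10 check for card numbers, and a prefix-based brand lookup; the brand prefix ranges and length limits in card_brand are assumptions and not exhaustive, and the sample forms are constructed test numbers, not real customers.

```python
import re


def only_digits(value: str) -> str:
    """Strip dots, dashes, slashes and spaces; keep only the digits."""
    return re.sub(r"\D", "", value)


def validate_cpf(cpf: str) -> bool:
    """CPF: 11 digits; check digit 1 uses weights 10..2, check digit 2 uses 11..2 (mod 11)."""
    d = only_digits(cpf)
    if len(d) != 11 or d == d[0] * 11:          # wrong length, or 111.111.111-11 style sequences
        return False
    nums = [int(c) for c in d]
    for pos in (9, 10):                          # position of the check digit being verified
        total = sum(nums[i] * (pos + 1 - i) for i in range(pos))
        dv = (total * 10) % 11
        if dv == 10:
            dv = 0
        if dv != nums[pos]:
            return False
    return True


def validate_cnpj(cnpj: str) -> bool:
    """CNPJ: 14 digits; weights 5..2,9..2 for the first check digit, 6..2,9..2 for the second."""
    d = only_digits(cnpj)
    if len(d) != 14 or d == d[0] * 14:
        return False
    nums = [int(c) for c in d]
    weights = [6, 5, 4, 3, 2, 9, 8, 7, 6, 5, 4, 3, 2]
    for pos in (12, 13):                         # first digit uses weights[1:], second uses all 13
        total = sum(n * w for n, w in zip(nums[:pos], weights[13 - pos:]))
        remainder = total % 11
        dv = 0 if remainder < 2 else 11 - remainder
        if dv != nums[pos]:
            return False
    return True


def luhn_ok(number: str) -> bool:
    """Luhn mod-10 check used by payment card numbers (catches typos, not stolen cards)."""
    d = only_digits(number)
    if not 12 <= len(d) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(d)):
        n = int(ch)
        if i % 2 == 1:                           # double every second digit from the right
            n *= 2
            if n > 9:
                n -= 9
        total += n
    return total % 10 == 0


def card_brand(number: str) -> str:
    """Brand by prefix and length. Assumed ranges, not a complete BIN table."""
    d = only_digits(number)
    if d.startswith("4") and len(d) in (13, 16, 19):
        return "Visa"
    if len(d) == 15 and d[:2] in ("34", "37"):
        return "American Express"
    if len(d) == 16 and (51 <= int(d[:2]) <= 55 or 2221 <= int(d[:4]) <= 2720):
        return "Mastercard"
    return "unknown"


def validate_application(form: dict) -> list:
    """Run every applicable validation on a subscription form; returns the list of failures."""
    problems = []
    if "cpf" in form and not validate_cpf(form["cpf"]):
        problems.append("CPF: bad length or check digits")
    if "cnpj" in form and not validate_cnpj(form["cnpj"]):
        problems.append("CNPJ: bad length or check digits")
    if "card" in form:
        if not luhn_ok(form["card"]):
            problems.append("card: fails Luhn check")
        elif card_brand(form["card"]) == "unknown":
            problems.append("card: prefix/length does not match a known brand")
    return problems


# Constructed sample forms (published test numbers, not real customers)
GOOD_FORM = {"cpf": "529.982.247-25", "card": "4111 1111 1111 1111"}
BAD_FORM = {"cpf": "529.982.247-26", "cnpj": "11.222.333/0001-80", "card": "4111 1111 1111 1112"}

if __name__ == "__main__":
    print(validate_application(GOOD_FORM))   # []
    print(validate_application(BAD_FORM))    # three failures, one per field
```

A passing check only says the number is well formed; it still has to be verified against Receita Federal, the credit bureaus or the card issuer (next slides) before it says anything about the person presenting it.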
Detection of ID Theft / Subscription Fraud • Validate all numbers: • Address Validation: • Example: CODE-1 Plus International (Group 1 Software) • Fixed Line Carriers can validate upon installation. • Send “Welcome Mail” to validate billing address. • Send “Notification Letter” to other addresses. • Automate All Validations!!!
Detection of ID Theft / Subscription Fraud • Verify these data items all describe the same person: • Sources for Verification: • Serasa: http://www.serasa.com.br/ingles/i_produtos/i_confirmei.htm • Equifax: http://www.equifax.com.br/pro_pse_inf_pes.asp • SPC Brasil: http://www.spcnegocios.org.br/nav/produtos.asp • Receita Federal: http://www.receita.fazenda.gov.br/Aplicacoes/ATCTA/cpf/CPFautentic.asp • Banks for Bank Accounts • Credit Card Companies for Credit Card Numbers • Automate All Verifications!!!
Detection of ID Theft / Subscription Fraud • Example:
Detection of ID Theft / Subscription Fraud • Review Copied/Scanned Documents: • If there are sufficient resources and need, review ALL scanned documents for all new subscriptions, OTHERWISE: • Review only those in hot locations (by CEP, or Store Locations, or by Vendor), OTHERWISE: • Review only those that alarm in the fraud system according to key indicators of fraud, OTHERWISE: • Do nothing!
Detection of ID Theft / Subscription Fraud • Check all data items against Fraud Database(s) looking for known fraudsters: • Internal Database • Shared Information Database from other Brazilian Telecoms • What should be checked: • CPF or other Document Number • Contact Phone Number • Billing or Physical Address • Name
Detection of ID Theft / Subscription Fraud • Check all data items against Bad Debt Database(s) looking for fraudsters masquerading as bad debtors: • Internal Database • Serasa, Equifax, SPC Brasil. • What should be checked: • CPF or other Document Number • Contact Phone Number • Billing or Physical Address • Name
Detection of ID Theft / Subscription Fraud • Look for Abnormal or Strange data items: • Examples: • Large number of lines for the client • Large number of lines per client per CEP (Postal Code) • Addresses nearby known fraudster addresses
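Added example, not from the original presentation: Python screening of a new application against an internal fraud database, a bad-debt database and the existing subscriber base, covering the three slides above (fraud-database check, bad-debt check, abnormal data items). All records are constructed. The matching rules are assumptions: names and addresses are compared after folding accents and case, “nearby” is taken to mean the same street or the same CEP as a fraudster address, and the thresholds of 3 lines per CPF and 20 per CEP are arbitrary; a carrier would replace them with its own data, shared-database lookups and geocoded distances.

```python
import re
import unicodedata
from collections import Counter


def normalize(text: str) -> str:
    """Fold accents and case and collapse whitespace so 'JOAO DA SILVA' matches 'João da Silva'."""
    folded = unicodedata.normalize("NFKD", text)
    folded = "".join(ch for ch in folded if not unicodedata.combining(ch))
    return re.sub(r"\s+", " ", folded).strip().lower()


def only_digits(value: str) -> str:
    return re.sub(r"\D", "", value)


def street_of(address: str) -> str:
    """Assumes the 'Street, number' layout of the sample data; keeps only the street."""
    return normalize(address.split(",")[0])


def matching_identifiers(app: dict, record: dict) -> list:
    """Names of the identifiers that coincide between an application and a database record."""
    hits = []
    if only_digits(app["cpf"]) == only_digits(record["cpf"]):
        hits.append("cpf")
    if only_digits(app["phone"]) == only_digits(record["phone"]):
        hits.append("phone")
    if normalize(app["address"]) == normalize(record["address"]):
        hits.append("address")
    if normalize(app["name"]) == normalize(record["name"]):
        hits.append("name")
    return hits


def screen_application(app, fraud_db, bad_debt_db, subscriptions,
                       max_lines_per_cpf=3, max_lines_per_cep=20):
    """Return the list of fraud indicators raised by a new subscription request."""
    flags = []
    # Known fraudsters: any single identifier in common is enough to raise a flag
    for record in fraud_db:
        for field in matching_identifiers(app, record):
            flags.append(f"fraud-db: {field} matches a known fraudster")
    # Bad debtors: fraudsters often reuse identities already blacklisted for non-payment
    for record in bad_debt_db:
        for field in matching_identifiers(app, record):
            flags.append(f"bad-debt: {field} matches a bad debtor")
    # Abnormal data items: too many lines for one client, or in one postal code
    lines_per_cpf = Counter(only_digits(s["cpf"]) for s in subscriptions)
    held = lines_per_cpf[only_digits(app["cpf"])]
    if held >= max_lines_per_cpf:
        flags.append(f"abnormal: client already holds {held} lines (limit {max_lines_per_cpf})")
    lines_per_cep = Counter(only_digits(s["cep"]) for s in subscriptions)
    in_cep = lines_per_cep[only_digits(app["cep"])]
    if in_cep >= max_lines_per_cep:
        flags.append(f"abnormal: {in_cep} lines already registered in CEP {app['cep']} "
                     f"(limit {max_lines_per_cep})")
    # Address near a known fraudster address (assumed: same street or same CEP)
    for record in fraud_db:
        if (only_digits(record["cep"]) == only_digits(app["cep"])
                or street_of(record["address"]) == street_of(app["address"])):
            flags.append("abnormal: address is on the same street or CEP as a known fraudster")
            break
    return flags


# Constructed sample data (not real people)
FRAUD_DB = [{"name": "João da Silva", "cpf": "529.982.247-25", "phone": "(11) 99999-0000",
             "address": "Rua das Flores, 10", "cep": "01001-000"}]
BAD_DEBT_DB = [{"name": "Maria Souza", "cpf": "123.456.789-09", "phone": "(21) 98888-1111",
                "address": "Av. Brasil, 500", "cep": "20040-020"}]
EXISTING_SUBSCRIPTIONS = (
    [{"cpf": "987.654.321-00", "cep": "30130-010"}] * 3                          # one CPF, three lines
    + [{"cpf": f"000.000.000-{i:02d}", "cep": "30130-010"} for i in range(22)]   # a hot CEP
)
SUSPICIOUS = {"name": "JOAO DA SILVA", "cpf": "987.654.321-00", "phone": "(31) 97777-2222",
              "address": "Rua das Flores, 12", "cep": "30130-010"}
CLEAN = {"name": "Ana Pereira", "cpf": "111.444.777-35", "phone": "(41) 96666-3333",
         "address": "Rua Quinze, 77", "cep": "80020-010"}

if __name__ == "__main__":
    for flag in screen_application(SUSPICIOUS, FRAUD_DB, BAD_DEBT_DB, EXISTING_SUBSCRIPTIONS):
        print(flag)
    print(screen_application(CLEAN, FRAUD_DB, BAD_DEBT_DB, EXISTING_SUBSCRIPTIONS))   # []
```

The flags are meant to feed the tiered review on the previous slides (review scans of applications that alarm) and the point-of-sale decision on a later slide (refuse, prepaid only, or domestic traffic only), not to reject applicants automatically.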
Detection of ID Theft / Subscription Fraud • Monitor Behavior for Subscription Fraud: • Perform Fingerprint compare against known fraudsters • Perform Fingerprint compare against other lines belonging to same client to validate that indeed both lines belong to same person. • Look for INACTIVITY! For cellular phones this could indicate that the phone was shipped overseas to commit roaming fraud. • Monitor the volume of traffic. Is it normal for this type of customer? Is it normal for this CEP (Postal Code) • Watch for changes in profile of established customers which could indicate “account takeovers” or “cloning”.
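Added example, not from the original presentation, illustrating the behaviour-monitoring slide above in Python. It assumes that “fingerprint” on this slide means the calling-pattern fingerprint (the set of numbers a line calls), compares it to stored fingerprints of earlier fraud cases with Jaccard similarity, checks for inactivity since the last call or since activation, compares a line’s traffic volume against a median baseline (a real system would baseline per CEP or customer type), and compares two lines of the same client. The CDRs, activation dates, fraud-case fingerprint and thresholds are all constructed.

```python
import statistics
from collections import defaultdict
from datetime import date

# Constructed sample CDRs: (line, call date, called number, minutes)
CDRS = [
    # line ...0001: calls into a known fraud case's number set, very high volume
    ("5511990000001", date(2005, 8, 3), "551133330001", 100),
    ("5511990000001", date(2005, 8, 4), "551133330002", 100),
    ("5511990000001", date(2005, 8, 5), "551133330003", 100),
    # line ...0002: no traffic at all since activation
    # lines ...0003 and ...0004: ordinary traffic from one client's two lines
    ("5511990000003", date(2005, 8, 7), "5511955550001", 12),
    ("5511990000003", date(2005, 8, 8), "5511955550002", 8),
    ("5511990000004", date(2005, 8, 8), "5511955550002", 15),
    ("5511990000004", date(2005, 8, 9), "5511955550003", 10),
]
# Constructed activation dates
ACTIVATIONS = {"5511990000001": date(2005, 7, 28), "5511990000002": date(2005, 7, 20),
               "5511990000003": date(2005, 6, 1), "5511990000004": date(2005, 6, 1)}
# Constructed fingerprint of an earlier fraud case: the numbers its lines called
KNOWN_FRAUD_FINGERPRINTS = {
    "case-0042": {"551133330001", "551133330002", "551133330003", "5521944440009"},
}


def fingerprint(cdrs, line):
    """Calling-pattern fingerprint: the set of distinct numbers the line has called."""
    return {called for l, _, called, _ in cdrs if l == line}


def jaccard(a, b):
    """Set similarity in [0, 1]; 1.0 means identical calling patterns."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def days_inactive(cdrs, line, activation, today):
    """Days since the last call, or since activation if the line has never been used."""
    dates = [d for l, d, _, _ in cdrs if l == line]
    return (today - (max(dates) if dates else activation)).days


def traffic_minutes(cdrs, line):
    return sum(m for l, _, _, m in cdrs if l == line)


def same_client_similarity(cdrs, line_a, line_b):
    """How much two lines that supposedly belong to one client overlap in whom they call."""
    return jaccard(fingerprint(cdrs, line_a), fingerprint(cdrs, line_b))


def monitor(cdrs, activations, known_fps, today,
            sim_threshold=0.6, max_idle_days=10, volume_factor=3.0):
    """Return {line: [alerts]} for lines whose behaviour points at subscription fraud."""
    alerts = defaultdict(list)
    minutes = {line: traffic_minutes(cdrs, line) for line in activations}
    for line, activated in activations.items():
        fp = fingerprint(cdrs, line)
        for case, known in known_fps.items():
            sim = jaccard(fp, known)
            if sim >= sim_threshold:
                alerts[line].append(f"fingerprint matches {case} (jaccard {sim:.2f})")
        idle = days_inactive(cdrs, line, activated, today)
        if idle >= max_idle_days:          # silent handset: possibly shipped abroad for roaming fraud
            alerts[line].append(f"no traffic for {idle} days")
        others = [m for l, m in minutes.items() if l != line]
        baseline = statistics.median(others) if others else 0
        if baseline and minutes[line] > volume_factor * baseline:
            alerts[line].append(f"traffic {minutes[line]} min vs peer median {baseline:.0f} min")
    return dict(alerts)


if __name__ == "__main__":
    for line, found in monitor(CDRS, ACTIVATIONS, KNOWN_FRAUD_FINGERPRINTS, date(2005, 8, 10)).items():
        print(line, found)
    print(same_client_similarity(CDRS, "5511990000003", "5511990000004"))
```

Lines that alert here are the ones worth the customer-contact authentication on the next slides; a silent line cannot be authenticated by calling it, which is why the SMS and other-line options matter.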
Detection of ID Theft / Subscription Fraud • Contact the Customer for Authentication: Contact Options: • Call Customer on his subscribed line: • Pros: Speak directly to customer • Cons: Often timing is inopportune for the customer. • Redirect next call for Authentication: • Pros: Speak directly to customer when he is able to speak • Cons: Often viewed as intrusive • Send message via SMS requesting customer to call for Authentication • Pros: Not seen as intrusive and customer can call when it is opportune. • Cons: Customer may not call.
Detection of ID Theft / Subscription Fraud • Contact the Customer for Authentication: Authentication Options: • Request that customer authenticate his subscription information. • Provide a “flexible” authentication in case customer does not know some information. • Call Customer on his other lines in order to determine if suspect line is fraudulent. • Be Aware that a PERFECT authentication session itself can be suspect! Generally, there are minor variations in the data such as name and address (nicknames, and street names) • If the customer passed the authentication, DO NOT BOTHER THE CUSTOMER AGAIN FOR AT LEAST 6 MONTHS!!!
Detection of ID Theft / Subscription Fraud • At Point of Sale (Storefronts): • Require ID and Documentation such as: • RG or CNH • CPF • Proof of Address • Utilities bill • Bank statement • Copy or Scan all Documents: • Serve as evidence of fraud • Helps in teaching vendors how to recognize false documents • Helps keep vendors honest • Can be used to cross authenticate against other phone lines.
Detection of ID Theft / Subscription Fraud • At Point of Sale (Storefronts): • Validate all numbers in REAL-TIME as customer data is entered into system. • Verify the data describes an actual person in REAL-TIME as customer data is entered into system. (verify with Serasa, Equifax, etc.) • Check data against fraud and bad debt databases in REAL-TIME as customer data is entered into system. • This is all even more critical when selling a Post-paid account. • Determine options for the client based on results of these checks: Examples: Do NOT sell client a phone line OR Only sell a Prepaid account OR only allow domestic/local traffic, etc.
Detection of ID Theft / Subscription Fraud • Subscriptions over the Phone (e.g. Fixed Line Carriers): • Validate all data items in REAL-TIME as customer requests the new line. • If customer has other lines at different addresses, ask the customer to validate those other addresses. • Perform all validations, verifications, and authentications BEFORE installing or activating the new line.
Possible Solution #1 Electronic Card substitutes practically all the identity documents in Rio Grande do Sul. July 15, 2005 The “Gaúchos” will have, as of next week, a system which will be able to, in a single electronic card, have registered practically all their identifying data such as RG number, CPF (SSN), PIS (other social benefit card), Working History, Voter Registration Number, Blood Type, Medical Insurance Number, and bank account. It will be an integrated way for the Three Powers of the State, with the support of the ITI (Institute of Information Technology) – tied to the Presidency of the Republic --, to give greater speed in the bureaucratic processes, with an economy of resources. The objective is that this model be the example for the rest of the country. Electronic documents will be generated digitally which will guarantee the authenticity, privacy, and integrity of transactions, as well as the streamlining of the bureaucratic processes, improve process agility and waste less paper. The Director-President of PROCERGS (data processing arm of the State), Carlos Alberto de Campos, said that one of the principal advantages is the adoption of a system by the Three Powers. “It will be an architecture of electronic government focused on the citizen. The citizen has only a digital certificate for his interactions with the State”, he affirms. There is not yet an estimate for the R$ savings or for the date that the card will be officially used. One example is the use of the State Tribunal Justice system for the printing of sentences. Just with the economy of paper, the savings were R$700 thousand per year. We know that, when a system is up and running, the total economy will be in the tens of thousands of reais, said Campos. “An example is of the citizen that needs a copy of his motorcycle license. With a digital certificate, it can be done via the internet.
His physical presence is no longer necessary.” It is not yet determined if there will be a public campaign to adopt the system. First the target clients will be those of Banrisul (State bank of Rio Grande do Sul) – a total of 1.2 Million people. The same bank card, in this case, will be utilized for the system. The clients will have a password and the card. In the future, the objective will be to make available a computer peripheral device so that people could swipe their card at home, even vote at home, with the card and a password – the document number being inside the card. The launching of the project is scheduled for 3pm this Monday, in the Piratini Palace (headquarters of the gaucho government), with the presence of Governor Germano Rigotto (PMDB).
Possible Solution #2 • E-CPF – New Digital Encrypted CPF More information available online at: http://www.certisign.com.br/produtos/ecpf/e-cpf.jsp http://www.certisign.com.br/produtos/ecpf/pop_faq.jsp http://www.safeweb.com.br/docs/ecpfecnpj.asp http://www.certificadosdigitais.com.br/compras/ Token Smartcard
Possible Solution #3 • Voice Recognition The technology already exists to recognize a person’s voice while on the telephone. This technology can be used to validate a customer while he is requesting the operator to complete a call, or update his account. Accuracies have been seen with a False Reject Rate of 1% with a False Accept Rate of 0.07%. Some of the companies with Voice Recognition products on the market are: Authentify, Persay Vocal Password, Nuance, Phonetic Systems.
Possible Solution #4 • Fingerprint Scans One option is for the customer’s fingerprint to be scanned at Points of Sale along with his ID. Then with the appropriate software a realtime compare can be performed. OR the fingerprint scan and the ID scan can be archived and used later for validating a customer at a Point of Sale. Also fingerprints could be compared against those of known fraudsters. Future cellphones with fingerprint scanners built-in???
Possible Solution #5 • Facial Recognition One option is for the customer’s photo to be taken at the time of the sale along with scan of ID. Could be used for validation at point of sale later on. With MMS, could be used to validate the customer in near realtime. Other idea: Use facial recognition software to compare all new applicants with other known photos of fraudsters in the database. Manufacturers of such software are: Verilook, Aurora Clockface, LogicaCMG. Recognition successful with .68 similarity!
Responsibility!?! • Price of Negligence Bank sued by Company that received checks from a false account. By Elba Kriss, Magazine Consultor Jurídico, Feb 18, 2004 Unibanco was ordered to pay around R$20,000 to company César Augusto Lapuza Suprimentos Ltda for damages. The company received checks from a false checking account. The decision was from judge César Santos Peixoto, from the 21st Civil Precinct of São Paulo. The court order is definitive. The company received checks in payment of a purchase and it was proven afterwards that they were from a fraudulent bank account. According to the company, the bank was “negligent” in the “opening of an account of a third party who used a false identification document”. With the account open, “the checks were circulated without any restriction”. The company represented by attorney Rogerio Licastro Torres de Mello of the firm Cardillo, Prado Rossi, Licastro Attorneys Associated, filed suit for material damages. According to the attorney, “the bank didn’t even check the identifying data of the people that opened the account”. Unibanco, claims that it is “not responsible for the crimes committed by the third parties”. The judge ruled that the bank is responsible for the damage and commented that the process of opening a new account should have been more rigorous. Peixoto ordered Unibanco to pay R$20,118.24 adjusted by inflation since Sep 9, 2001, in addition to interest of 6% per year since the citation. The bank also was ordered to pay for the attorney costs.
Responsibility!?! • Failure to Authenticate Bank held responsible for account opened with false documents. Magazine: Consultor Jurídico March 6, 2005 The bank is responsible for the opening of accounts and financial movements with falsified documents. With this belief, judge Marcelo Lopes Theodosio, of Santo André, Grande São Paulo, ordered Banco do Brasil to pay 100 minimum salaries to Lillian Rudolf. While trying to purchase a cellular telephone on credit, Lillian was denied the credit because her name was on the credit agency blacklist. She had a debt of R$1032,49 incurred because of financing that was obtained by someone with her documents, stolen in June of 2001. At the time of the robbery, a police report was registered. Represented by attorney Pablo Dotto, of the firm Monteiro, Dotto e Monteiro Attorneys Associated, she opened a suit for moral damages against Banco do Brasil. The judge agreed partially with the action. For him, “it is up to the bank to be equipped to adequately detect false identity documents, accepting the risks that it is subject to in the performance of its job.” More info at: http://conjur.estadao.com.br/static/text/33346,1.
Responsibility!?! • According to Legal Precedent: • The responsibility belongs to the provider that interfaces directly with the customer to ensure that his documentation is valid before opening an “account” with that customer. • If the account was fraudulently opened and later used to abuse another company, the responsibility could legally fall back on the provider of the “account”. • An “account” could be a “Bank Account”, “Telephone Account”, “Internet Account”, etc.