In this episode of the “To Catch a Fraudster” podcast, Jimmy Fong, Chief Commercial Officer at SEON, talks about how eCommerce fraudsters have created the “Crime as a Service” business model.
Bradley Chalupski: Hey everyone. This is Bradley, editor-in-chief and co-founder of Merchant Fraud Journal. We’re going to have Jimmy from SEON on the podcast for this episode. We had a great discussion talking about fraudsters stealing digital identities and breaking into actual physical telephone boxes. So, you definitely don’t want to miss this one. It was a wild one. I had a great time talking with Jimmy. Really appreciated him coming on to the program. Really appreciate everyone listening out there – response has been great. And remember, you can get all the latest insights and e-commerce fraud tips and news on MerchantFraudJournal.com. Thanks, everyone. Cheers.
Bradley Chalupski: Hey, Jimmy. How are you doing, man?
Jimmy Fong: Really good, Bradley. Thanks for having me on.
Bradley Chalupski: Thanks for being here. So, why don’t we start off, tell our listeners a little bit about yourself, your solution. What’d you get all that good stuff up front? And then we’ll jump in.
Jimmy Fong: So, I have the very great privilege of serving as CCO (Chief Commercial Officer) for quite an early stage risk tech startup called SEON. We’re pre-Series A, seed funded. Been around just come up to three years just now, Bradley. And we’re focusing on providing real-time data enrichment, particularly known for social footprinting, and then also an end-to-end risk platform for making real-time decisions. And we kind of focus in on what we call the high risk sector. So first, we designate high risk as, essentially, whenever something happens, there’s almost no recourse. So, that covers quite a wide domain, obviously. So, for us, classically it’s a folk in the iGaming industry. So, once an interaction happens, there’s no recourse. And then, through to crypto exchanges, to more challenger banks which have very low legacy tech stacks and using our technology, and then of course, e-com and travel merchants as well. So, quite a wide space there.
Bradley Chalupski: Well, we’re very happy to have your fierce, I think, Scottish accent on the program, which is always amazing to my American ears to hear that fierce Scottish accent. So, thanks for joining us. I want to jump in right off the bat here and hear your craziest story. And just so our listenership knows, I don’t actually hear these stories beforehand, so you’re getting my organic reaction. The craziest story that you have for preventing eCommerce fraud.
Jimmy Fong: So, I think, in the nature of our customer base because they’re in these right-on-the-edge wild use cases, and whether it’s eSports betting, these new frontier domains. We hear these on a very regular basis. So, there’s a couple that springs to mind. The first one is around one of our customers, and we serve a lot of customers within the online lending space. So, one of them, recently, was telling a story about how, for them, the kind of things they’re facing are. As part of onboarding, they take IDs. As part of KYC/AML compliance reasons all in the world, they have to take literally the IDs from these kind of prospective new customers. And they were seeing, actually, the growth of face swapping as part of these IDs. So, you kind of hear this in media news. As you see now, Elon Musk and Donald Trump, there’s lots of these memes of people literally coming in and using consumer-grade Face Swap AI tools to make crazy memes of all these famous characters. Unfortunately, that kind of consumer-grade stuff which was used for common comedic reasons is being used – we’ve seen – in the actual fraud domain as well. So, if you think about an ID, or Bradley, someone halfway across the world, just as easily could be swapping in and using your IDs off that, which is kind of crazy, right?
Bradley Chalupski: Yes. So, how are they doing that? I can understand where you’re getting enough info or enough data for someone like Elon Musk or some kind of famous politician. But for just me, little me, hanging out somewhere in my mom’s basement, whatever, trying to play some online gaming, where are people getting this stuff? That’s crazy.
Jimmy Fong: Unfortunately, nowadays, I think every week goes by and you hear another big massive data breach of a name. And I think as people we are just kind of fairly nonplussed when we hear another brand has lost hundreds of millions of records. All of that clearly floats in on a secondary and tertiary market into somewhere. It used to be, I would say, a few years ago, Bradley, you’d have to go into the dark web to go grab this stuff. But spend five minutes now on the clear web and you find the exact same stuff. So, unfortunately, your details [05:26 inaudible] they have, no doubt. We can all go onto [05:28 inaudible] for example, and you’ll see the data breaches you’ve been in. So, what’s happening is, it used to be people have to go on the dark web to grab this, but this is on the clear web now. Yeah. So if we were to spend five minutes, maybe that’s an interesting experiment, maybe we should do that for five minutes.
Bradley Chalupski: There’s no gold at the end of that rainbow with me though. You’re just going to find a bunch of debt. And who the heck knows about else? Nothing that’s going to be of any use to a fraudster. So, I guess I fall into that category of “Yeah, yeah, yeah, go, whatever. You want my student loan debt? Go for it. You can go pay it off. That’s cool.”
Jimmy Fong: So, to the extension of that, though, unfortunately, one of those elements [06:13 inaudible]. That’s where we’re finding more and more of your own IDs and stuff, whether it’s a face of yours, is out there. That’s a reality. And so these ID documents that we think are super safe with all these different entities. And you’ve probably done it before you signed up for an online service. And at some point or other, you’ve probably had to upload your passport pic, or your driver’s license, or some bit of actual official ID. That’s all part of cached data, unfortunately, that fraudsters are trading back and forth quite freely nowadays. And that’s the scary thing, obviously.
Bradley Chalupski: So that’s what I’m getting at is just that one photo enough to recreate? I thought with these types of deep fake things that they needed to have multiple different versions of a face to kind of get it. Because can’t the software tell if you’ve just copy-pasted? I assume if I went into a Word document and copy-pasted my face onto something else that a serious vendor is going to catch that. So, there has to be something that’s more sophisticated going on here. So, where are they getting the ability from just a single ID upload that maybe I did to put money on to an online gaming site? How is that one image enough to fake in the future? That’s really fascinating to me.
Jimmy Fong: Unfortunately, the short answer to all of us is it is the scariest. And that’s what’s crap for the rest of us. Yes, it’s obviously even stronger and more robust, better if it’s multiple images. And chances are that there are multiple images of Bradley floating around there, unfortunately. We’ve seen stuff that is taking a single image and the algos are good enough, sophisticated enough to be able to kind of recreate almost a different version. And it’s not surprising. I mean, this is all part of a bigger trend. Crime as a Service – this is the thing that’s kind of scaling up as well. I think sometimes people that work in risk and fraud, they don’t realize how consumer-like this is becoming, how convenient it’s becoming. So, for the flip side of us. Just like in our tech world, no code is a thing. It’s also a thing for our criminal adversaries, no code is a thing there as well.
Bradley Chalupski: I love that phrase. You just blew my mind with that phrase “Crime as a Service.” You got to dive into that more for me. The ways that you’re seeing that ecosystem develop and what’s going on that would cause you to use that phrase. That’s great. I’m gonna steal that, I’m letting you know now. I love that phrase.
Jimmy Fong: It’s pretty interestingly documented. I would say that a big part of the misconception is hacking, fraud is perpetuated by people with deeply technical skills. And I think on any bit of cursory research, you’ll find that the big trend nowadays is it’s not so much people that are deep hackers. Deep hackers have coded up and created much more user-friendly interfaces for, I would say, recreational criminals to kind of get into that space. As long as your mindset is that you’re happy to exploit some sort of weakness and you’re happy to hear the consequence of criminal activity and the potential retribution that brings, then it’s as easy as pie to get into. And what we’ve found is there’s a slippery slope. So, some of this stuff on the clear web is kind of masked, looks like fairly legit side hustle kind of activities, for example – so, “Make money in your part-time.” And even within them certain spaces. Then what you find is that you get more into it that you get these potential options if your ethics and more morality is thin, it’s quite frankly, to go down a very slippery slope to stuff that is clearly illegal activity and it just gets worse and worse. And it’s done with the best marketing in the world. It’s very well positioned so that it catches people that aren’t aware necessarily that this is the activity that will happen to them. So, it’s, I think, a bit of a problem. And it’s particularly strong in the pandemic times. Our observation is, as, unfortunately, the economy is getting smashed by the epidemic and people’s roles are even more uncertain; there’s more and more people looking for work from home schemes, side hustles. And it’s drawing casual people into ways to make money easily. And so this whole Crime as a Service is an extension [11:03 inaudible] kind of services in a bit of demand. But it’s also because tech has got good enough that it can be big.
Bradley Chalupski: So, are we talking about full-on criminal startups here? Is this similar to if you were going to start a legitimate startup and say, “I have this platform that’s gonna help enable sales or help enable marketing or help enable whatever you’re gonna help enable.”? Are people literally creating platforms and then marketing them on the dark web and saying, “You can use my platform to do X, Y, and Z,” and essentially outsourcing their knowledge of how to commit these types of crimes? Is that what you’re talking about essentially?
Jimmy Fong: 100%. So, the innovation that we show as legit business on legit startups within the tech scene is completely mirrored in these more criminal-minded enterprises. So, we as part of what we do, I guess, controversially, we interview sometimes active fraudsters. And as part of kind of getting to be introduced with recommendations to that type of person. And it’s the same ecosystem as us. So, for them, it’s about being subject matter experts in individual criminal activities. But then banding together and coming together as a complete service, just like we are as a business. When we bring on people that are specialists in X, Y, and Z, and we bring it together. So, exact same thing happens on that end. It’s becoming even more overt, that’s the interesting thing. It’s easy to find, you don’t have to shuffle down to Tor and wait ages to get access to these onion sites anymore.
Jimmy Fong: That’s absolutely unbelievable. I had no idea that that was going on, that it’s been institutionalized. I mean, Crime as a Service, Fraud as a Service – I love it. I mean, I don’t like it. But you know what I mean. That’s an incredibly powerful term. I never really thought of it that way. So, what are the returns that these people are seeing? If I’m skilled enough that I’m going to create a whole platform to do this, why am I not just going after really big fish on my own? I would assume somebody with that kind of skill level could really do high-level criminality, where they’re stealing millions and millions of dollars. Are they doing this because it’s less risk for them? Are they doing it because it’s maybe more intellectually interesting to them to own a business? Are they doing it because it’s just easier; instead of spending your day trying to hack into NASA, you’re just kind of putting this thing out there and collecting a passive income? What is the motivation behind this?
Jimmy Fong: I think there’s a lot in the service economy as just a wider observation. So, you’re seeing just specialisms of skillsets. So, for the same reason that in the legit market, you have people that are experts at building two-sided marketplaces, the same thing is happening within the fraud community and the criminal community. So, different skill sets are coming together and they’re forming a very sophisticated system. And it’s not that hard in imagination, it’s literally a mirror of what goes on in the legit world. And that’s all it is. So, my observations are, there’s probably less risk from servicing other criminals [14:22 inaudible] where you’re not necessarily attacking a bank or a government institution, and you’re literally providing a service. So, many of these are in the gray area. So, one good example is lookup proxy services, legitimate use of proxy services, and very strong political technology reasons to have these proxy services. But guess what? Some of these proxy services will 100% be used by fraudulent criminal reasons to evade where they’re coming from. So, there’s often a [14:58 inaudible] sword to many of these things. For sure, some of it is used for legit purposes. But definitely on the other side, it’s used for, obviously, criminal proceeds.
Bradley Chalupski: So, on your end, where you’re protecting legitimate businesses, how are you using these fraudsters’ business models? Because obviously, when you’re outsourcing something like this, it has to follow some kind of repetitive pattern. You’re selling people a platform that does something in a certain way. And I’m sure they make attempts to randomize it in this, that, and the other. But at the end of the day, there has to be some kind of systematic knowledge behind it that’s creating some kind of systematic way that you can make it a turnkey solution, where you say, “Here, take this and you go do what you’re going to do with it.” So, from your end, on the fraud-fighting perspective, what are some of the red flags that you’re seeing that can indicate that a customer is getting attacked by these kinds of things? What are you looking for? What are the signals on your end?
Jimmy Fong: We’re the first to [16:02 inaudible], I think, partly because we are trying in an R&D level to understand the very latest trends and getting a feel [16:10 inaudible]. We literally speak to active fraudsters on our podcast, and that is a thing because we want to get into the mindset and we want to get into the psychology, and even to get into some tools if we can. But the thing about it is – we’re the first to say this – we’re in a technical business. And being in a technical business, I would say, means that everything can be worked around, that’s just the reality of it. And I think anyone that says, especially from the tech vendors side, that it’s bulletproof; I think that is the biggest question mark. So, ironically, we’re the first to say, “Yes, of course, individual methodologies – whether fingerprinting, whether it’s some sort of IP tracking – can all be gone around. There’s a workaround as we live in a technical world.” Having said that, though, I think our philosophy about it is really good platforms will have a net methodology to it. So, they’ll look at combining a ton of different signals and throwing a net over something. So, the kind of adversary I got to get past 2, 3, 4, 5 things. But our philosophy is trying to break the economics, quite frankly, for people that use our technology.
Jimmy Fong: So, a fraudster, if they were determined enough, I have no doubts, they can get past almost anything and almost any net. But typically, they don’t want to persevere long enough, quite frankly. There’s a gazillion other websites and businesses out there that haven’t got a sophisticated kind of protection. So they will go after that. And fraudsters, just like a startup and just like a profitable business, are looking for things that have ROI from a time-investment point of view as well. So, I wouldn’t say, the good platforms, applying that mentality to it. And the signals they pick up, that’s kind of the point of their platform. I think what we found just to cap off, the thing that’s helped us break into the market as a technology is around social and real-time social footprinting. So, our philosophy and our thesis is extremely simple: We make the observation that the world is only moving more social, not less, as time goes on. And that’s a good or a bad thing. That’s just the way the world that we see it. So, our technology is kind of well known because it’s around. And people using SEON can tell quickly if Bradley exists on Instagram, Facebook, Twitter, LinkedIn. And so what we care more about is, that’s a good sign that someone’s genuine, first of all, he’s more likely to be a real user; versus someone that [18:52 inaudible] email address and it was created, and there’s no social footprint on there. Oftentimes, we remind everyone that, of course, a fraudster can set up Bradley’s complete Instagram, Facebook, Twitter, LinkedIn. They can if they want to persevere. But again, that’s not very economical for them. It’s not a scalable activity. So, that’s kind of what we’re best known for is that social footprinting and being able to tell quickly that someone exists or not.
Bradley Chalupski: So, can you give me an example of when you caught one of these bots or one of these rings, some kind of outrageous attack? Do you have any juicy stories about that?
Jimmy Fong: Yeah, actually, this was very cool. We were just talking about this before we started recording. So, in the online poker world, there was a really interesting 2+2 forum. For listeners that aren’t as nerdy about online poker, it’s like the place of online record – 2+2 community. It was actually a dump. I think it was a 20-gig zip dump on the 2+2 community, and it was talking about poker bots exposed. It was literally the transaction history of all the major online poker sites and some of the correlations that were made. It was a massive, massive dump of information. And in there, it was trying to draw correlations between betting activities amongst these different sites and how they were essentially using bots to cheat on the sites. So, what we did was we did this as a bit of an actual research exercise. And since then, it’s going to be used within some poker sites. What we wanted to show was the email addresses that were exposed on there using technologies like SEON, we can actually draw correlations in those bots because they still had commonality between them, particularly the ones that had no social footprint. It’s kind of almost like a very, no brainer-y observation that the poker bots created. Of course, they’re not going to use Bradley’s actual real Gmail account because it’ll take too long to do. So, instead, they go ahead and set these temporary email addresses. And once you look at a massive data set like that and you run technologies like ours, you can start doing some really quick correlations of “Well, duh! They should not have accepted those on their website to deposit in the first place or withdrawal.”
Bradley Chalupski: It makes sense that you would see. Also, I think, it speaks to the idea of the criminality goes across all kinds of barriers. You’d be thinking, what do eCommerce stores and online gambling sites really have in common? Well, fraudsters can steal money from both using the same techniques. That’s where that Venn diagram cross is where you would think that these worlds are completely separate. Because if you’re an eCommerce store, you’d be thinking “Well, what do even legitimate gaming sites and poker sites and gambling sites have to do with me?” But fraudsters don’t see it that way. They just see ways where they can take information off the internet and use it to create accounts that they can profit from. So, it’s a really interesting kind of example that you’re giving – I really like it – about how fraud doesn’t know any boundaries. And a lot of times the separations that industries think that they have are really ephemeral when you get into the online realm because the fraudsters can go from industry to industry with just the click of a mouse, it doesn’t take anything. So, these kinds of barriers just disappear. And it’s a really interesting kind of way to think about it. And that’s part of our mission as a publication is to try and get that word out to people because we definitely believe that the collaboration across the different industries and across the different solutions are so important because, at the end of the day, everybody’s just trying to protect legitimate merchants who have their livelihoods in their businesses – even if it’s a large company, the people that work for that company. Everybody gets hurt when people are getting stolen from. So, it’s really interesting. I hadn’t really thought of it that way, but I really liked that thought that even across the different industries, everybody’s in the same boat with these people trying to steal.
Jimmy Fong: I’m a big supporter of what you guys are doing because we’re just kind of sitting across for sure. But think about it from a fraudster’s end, these guys are communicating on private Telegram groups, or in their own individual [23:55 inaudible] forums. They don’t organize their forum or Telegram group per kind of, “Hey, there’s some travel merchants we can exploit, or there are some shops we can exploit.” They are very much across “We’re just smashing anybody that has ways to exploit.” The only kind of thing is “Can we get past the technology existing in those domains?” So, it’s a bugbear because, I think on the fraud-fighting side, we’ve developed more, I would say, vertical-specific communities, whereas the adversaries are very agnostic. And it’s one of the most effective things we’ve observed from them is that they’re very quick to move as well. Like a flock of birds, they will pick up signals that a particular sector has opened a particular merchant [24:47 inaudible], and they just go after it. Also, the retail side – the funny thing from our observation is I would say retail is probably one of the easier ones to help with from a fraud tech point of view. And the lessons learned dealing with these kind of higher risk areas vary, and very nicely translated into more mainstream eCommerce risk, I would say. The crypto exchanges, these poker sites, these iGaming sites – they sit at the forefront. They’re having by necessity to be even more ninja-like when they think of fraud and risk, quite frankly.
Bradley Chalupski: It’s a great lesson, I think, for fraud managers listening that you got to get out of your own lane. It’s not just about what’s going on in your specific area, but it’s about what this community, so to speak, or fraud people is doing because they’re moving across. You think of yourself as a merchant in this space or that space, they don’t think of you that way. So, if you can get info from another area, anywhere where people are fighting fraudsters to say, “This is what we’re seeing,” it’s valid for you too. You got to take that information and translate it over to yourself and not just think, “Oh, well, that’s online gaming. That’s not me.” And that’s just not the case.
Jimmy Fong: 100%. I’ll promise my second story. I didn’t mention it was kind of two stories. So, the first one was around the face swap stuff. But also, Bradley, the second one I can think of there is, actually, swap the domain over again. These guys are video games, and they deliver an instant product. So, again, it’s kind of instant. So, once it’s done, it’s done, and they can’t reverse payment back. But they were telling me about a really interesting case, where they saw, actually, a lone Pay By Phone in their market. So, you can literally add-on the product onto your phone bill. And they actually had an instance where they couldn’t work out what the heck was going on. But what happened was, their fraud was perpetuated from somebody coming in and literally hacking a local telephone network on public streets, coming in, using that phone number, hacking into it, and then charging a bunch of products against it. And when they did their research afterwards on the chargebacks, that’s what they all linked it back to. So, there’s this weird physical fraud domain where they were literally coming —
Bradley Chalupski: You mean like a physical payphone on the street?
Jimmy Fong: Yeah, it was a network of residential phone lines that you can access from the street. You bust open the cabinet.
Bradley Chalupski: Oh, they broke open the box. Wow!
Jimmy Fong: It was kind of crazy. These are residential lines. And then they were charging products off that individual’s home phone line. And that’s kind of how they paid for the product. Obviously, it didn’t matter to them. It’s kind of crazy as well.
Bradley Chalupski: So, they were saying that they were coming from that phone line. So if that phone number was connected to an account that had automatic payments set up or a card already saved for payment, they were hacking in through that line and saying, “I want to charge my card.” That is unbelievable.
Jimmy Fong: So, it’s a very localized fraud. They must have been able to work out. First of all, they have to have someone on the ground to get into that local network. But then they would have known the area code, I guess. And I guess, if they really could be bothered, they would have had to do, and even work out, to that particular house [28:45 inaudible].
Bradley Chalupski: How did they break into the box? Aren’t those things secure?
Jimmy Fong: And that’s probably the easiest bit out of this.
Bradley Chalupski: So, you’re breaking in and then you’re using the physical connection, I guess, you’re routing it through something else to make it look like you’re calling from that number.
Jimmy Fong: I want to say that breaking the box would be the easiest bit of this whole thing. All that back-end stuff of how they tied in that particular residential address and said, “Hey, just charge my phone number instead.” I think that was a payment option. That was my understanding from this video game company is they had a Pay By Phone option. And I guess that’s what they took advantage of someone. Yeah, it kind of blew my mind as well.
Bradley Chalupski: Because I guess they figured no one’s going to be able to hack. You would actually have to have the physical phone to call from that phone number. One of the recurring themes of this podcast is me just being shocked that the people that pull this stuff off don’t just go into legitimate business. Because I can tell you, I never would have thought of that. These people would do very well for themselves in legitimate circles because that is some next-level stuff right there. You’re hacking into the phone box out on the street. If you have that much drive and dedication, open a business, you’ll do way better for yourself.
Jimmy Fong: Back to your comment you made earlier, you know, what kind of ROIs are these guys getting? I think clearly they’re doing that activity because the ROIs are astronomical. They do have the risk of incarceration, of course.
Bradley Chalupski: Yeah, well that’s where – forget the moral stuff – I don’t do things, as a general policy, anything that I think is going to get the state to use its powers against me, I try to stay away from. This is a general life policy. But I guess other people don’t care.
Bradley Chalupski: That’s crazy. I am always appalled and impressed – whenever we have episodes of this podcast – at the crazy things that people do. We can now add “busting into telephone boxes” to the list. I think I got to do a top-10 list for the site of crazy, crazy things that people do. It’s wild.
Jimmy Fong: For me, it’s always this kind of strange mix of stuff that you wouldn’t even consider in card-not-present fraud, being where there is a physical element to it. Increasingly, these things are mixing up. The more obvious thing in retail, especially in my market in the UK, you’ve got extremely high return fraud levels. So, pandemic has even boosted this. And some of that is very kind of gray again. It starts off as probably genuine things that you’re trying to do. But it kind of segues a little bit into being extremely gray after a while when you take advantage of return policies and you’re just abusing them, quite frankly. And that really hurts for the classic retailer, of course, that hurts. We already know how high return rates are for CNP already for retail. But imagine now in a situation where people are now abusing that. And that’s kind of a sad thing. Sometimes we’re a technology company that deals with it, sometimes we don’t have necessarily the answer. [32:54 inaudible].
Bradley Chalupski: Well, Jimmy, I feel like we could sit here and talk forever, but I don’t want to take up any more of your time. So, why don’t you sign off by letting us know where people can find you on the web, how they can get in touch with you? And then we’ll call it a podcast.
Jimmy Fong: So, we’re always happy to help and have these chats. We love to hear these crazy stories from merchants. We’re reachable on SEON.io. Very happy to help.
Bradley Chalupski: Well, it’s been great talking to you. And looking forward to getting this out into the world and letting people know that their phone boxes are not as safe as they thought they were. That’s the global takeaway from this podcast.