Site icon Merchant Fraud Journal

New Podcast Episode: An Ex-Fraudster Tells You How He Committed Card Not Present Fraud

Alex Hall is a former fraudster who spent ten years successfully operating in the Las Vegas fraud scene. Today, he is the Principal at Dispute Defense Consulting, a Full-Spectrum Fraud Mitigation Consulting agency, with an aim to assist merchants to build a comprehensive defense against fraud throughout many aspects of their system.

Alex came on the podcast and shared a wealth of information that you won’t hear anywhere else.

How do today’s fraudsters communicate, collaborate, attack, and avoid detection? If you ever wondered what really goes on in the mind of fraudsters and what really happens in the world they inhabit, you won’t want to miss this interview.

Bradley Chalupski: Hey everyone. This is Bradley Chalupski, co-founder and editor-in-chief at MerchantFraudJournal.com. And this week, we have an absolutely incredible conversation that I had with an ex fraudster, Alex Hall. Alex worked his way up through the Las Vegas fraud ranks. Actually rising pretty high in that world before coming over and becoming what he is today – an independent fraud prevention analyst and consultant. He shared absolutely invaluable information for the community to hear about how that world operates, the information that people in that world care about, how they go about getting it, how they go about sharing it, how they go about exploiting it. Any merchant will gain a ton of actionable advice from listening to this conversation. I’m going to be breaking it up into two parts. In the first part, Alex is going to go through his decision to join the fraud world, what that looked like, how he got involved, and his time in that world. And then in the second part of the conversation, which I’m going to be releasing in a subsequent episode, he talks about his work currently as a fraud prevention specialist and consultant independently for companies. And he shares the ways that he goes into these organizations and helps them to improve their fraud prevention methodologies, and how anyone can take what they currently have today and improve it for the future. Absolutely wonderful conversation. Alex, thank you so much for coming on the program, giving us more than an hour of your time sharing it. And I really hope and think that everybody out there listening is going to gain a ton from your insight. So, as always, you can get all the latest merchant fraud tips and prevention tricks on MerchantFraudJournal.com. Enjoy, everyone.

 

Bradley Chalupski: Alex, thanks for being on the show, man.

 

Alex Hall: It’s awesome. Thank you so much for inviting me.

 

Bradley Chalupski: It’s our pleasure. So, we have a really, really special guest this week, Alex Hall. Alex is a former fraudster. So I won’t give too much of his life story away. But this is going to be a really awesome episode. He is an absolute wealth of information. So, let’s start off, Alex, by just introducing yourself and give in your story of how you went from the dark side to the light side.

 

Alex Hall: So, for about a decade, I did, I operated as a fraudster. I quickly moved to the ranks of managing different aspects of the fraud community that’s localized here in where I used to operate – Las Vegas. My network grew and grew and grew, and then it shrunk and shrunk and shrunk because of liabilities. I didn’t want the extensive risks that are going on out there. So, I progressed. I started to author my new methods. And then about eight years in is whenever we found out that my wife and I were pregnant. So, she told me that in order to be a father, it’s time to turn my life around, which I did. Turned myself in, about six months away from expiring my probation. So, in 2018, I came over to the fraud prevention industry. And my first year, I mitigated and further prevented about 1.2 million in losses that were due to fraud. And since then, COVID hit, I started Dispute Defense. And here we are.

 

Bradley Chalupski: I have so many questions. I’m going to see how long you’re willing to sit here and talk with me. We spoke a little bit before this, which I usually don’t do, but just absolutely fascinating stuff. So, I guess, let’s start at the beginning. I’m really curious to hear how you get into fraud, specifically e-commerce fraud, because it takes a certain level of sophistication and knowledge to get into this. It’s not petty theft. It’s not other things that other people might be doing. And so I’m curious what led you down that path, even right from the beginning that this is what I want to go after with my time.

 

Alex Hall: So, when I first got introduced to the idea of fraud, it was through the gateway of drugs. We were partying out here, maybe we didn’t have enough money to get our next bag, so a lot of people would introduce the concept of just running fraud. So, at that point, you get introduced to the very basic level things like going on the dark web, buying stolen information, reading the instructions there on how to employ it or where do you want to employ it online, things like that. And that was really where it began for me. You mentioned the sophisticated setup. They’ve made it really simple for you to have access to the dark web; it only takes about 20 seconds to install the dark web browser and get access to all those dark web communities. So, that, and then in conjunction with the equipment that you might need to purchase in order to utilize track data, you’re pretty much set up. And track data is only used for in-store purchases anyway. But it’s become a lot easier to get set up to do that level of fraud.

 

Bradley Chalupski: So, it sounds like right off the bat, you were able to really get up and running without any kind of prior knowledge of what you were doing. All that information is just available to you online.

 

Alex Hall: Yeah, and that actually fed my want to move up and author my own methods, because it was so simple for me to get involved in it and dive deep into it, that I saw it as being some low level worthless, whatever. And that since everyone was doing it, there was a high risk. So, I quickly sought to get out of that and move up to authoring my new methods, my own methods. And working out my own methods really is what it was.

 

Bradley Chalupski: So, I want you to take me through that progression, where you start off. I assume you have to, at least, begin at that initial low-level stage where you’re taking what other people are giving you and you’re deploying it on your own volition, so to speak. Take me through that process for you once you got all the information, and how did you put it into play, and how did your thinking evolve over time as you were doing that to say, “I’m actually gonna go and do my own thing.”? Because also that, to me, signals that you already at that point had a certain level of expertise that you felt confident that you could innovate. So, let’s start at the beginning where you’re doing what other people are doing and what that looks like.

 

Alex Hall: So, when you go onto the dark web, or if you have someone locally who’s figured out some, what we call, hustles or licks, someone who’s figured out a couple of methods; they typically tell you what works, what’s required, and where to use it. Well, with that information, you can see where the variables are. So, you start to learn the security methods or the security features that are on cards, the security features that are on checks, the security features that go into an online checkout, and stuff like that. You start to see how they can vary. For example, if you go on the dark web and you’re told that you have to use a VPN Socks configuration, and you have to use a card that’s registered within five miles of the zip code that you intend to ship it to, and then you have to have the CVV matching. All those instructions that go with the dark web instructions, you start to see how those can vary. So, when you start looking at all these different instructions, you’re like, “Okay, well, this one only requires that I’m five miles away or 500 miles radius of the shipping address. This one requires that I’m in the same zip code absolutely with my IP address.” So, when you start to see that there’s this big wide variance, you start to realize that not every security system is built the same. So, then that’s what led me to start getting really in-depth knowledge regarding how to manipulate security features, checkout systems, and how to find the weak ones so that I can make repeatable methods and then, of course, sell those or do that for other people or whatever it may be. So, that’s how I graduated from just entry-level do-as-I’m-told on the dark web to “I can find my own and start doing my own thing.” So, that’s how that happened.

 

Bradley Chalupski: And how long was that ramp-up period from when you said, “I’m going to do this,” to when you said, “I’m going to start branching out.”?

 

Alex Hall: Probably six months. I would say that I’ve only put in probably 100 or so – that’s probably stretching – transactions by utilizing the dark web.

 

Bradley Chalupski: Wow! So, take me through, if you will, that first time that you do this. Are you scared? Are you excited? Are you indifferent? Are you thinking it’s not gonna work? Are you worried someone’s gonna break your door down the next day? What’s going through your mind at that first transaction that you’re doing fraudulently?

 

Alex Hall: So, the first transaction is scary because you don’t know what you don’t know, which means you don’t know how things can go wrong, and you don’t know who is looking for you whenever you mess up. For example, I thought that when you put in a transaction that’s determined is fraud, essentially, they reported that to the cops. I thought that’s where it went.

 

Bradley Chalupski: That’s what I would have thought, too, if I didn’t work in the industry for sure. That’s why I asked if you were afraid someone’s gonna show up at your door the next day.

 

Alex Hall: Exactly. So, that was always a fear. So, there’s that fear that someone is going to come kick down your door because of some bad attempts where you use someone’s information, the merchant stopped it, and they sent the information off to the cops, now they’re going to kick in your door. So there’s that fear. Then there’s the fear that it just will never work, which is a small fear, but it’s like, “Okay, this is just never gonna work.” Or there’s the fear that it does work, and after the fact, people are going to be investigating you to come get you. So, there’s a lot of grounds for fear, but realize really quickly that those grounds are really unjustified. And that’s one thing that I learned coming over to this side of the fence is the corporation that I worked for was putting through $158,000 worth of attempted fraudulent transaction – not putting them through but was catching them when I started doing the transaction analyses. We were catching $158,000 every couple of months and stopping them and just stopping them – that was it. No one ever knew. And you’d come to find that their shipping address was being used over and over, the names were being used over and over, phone numbers being used over and over, email addresses used over and over. It would have been simple enough to just submit this whole portfolio or profile over to the cops and have them investigate. But the reality is that doesn’t happen. So, a lot of the fears that we had as fraudsters weren’t justified. There was really no fear of getting caught unless you get caught in the middle of your action or your setup – like you get caught with the information.

 

Bradley Chalupski: So, I want to contrast that with something you said a couple of minutes ago, which was that you were growing this network of people and eventually decided to cut it back a little bit. So, I want to go down that line of thinking a little bit. What is it like being in that community – which I assume is the word that you would use – the people that are doing this? And what is the type of collaboration that goes on? We’ll get to the third party selling your own unique kind of way of doing it, but I’m talking about the actual community of people who’re sharing things with each other, speaking? What is that like? What are those people like? What are you talking about every day? Are you getting up like a day trader sitting down on a computer, “Okay, here’s what we’re doing today, guys!” Kind of thing. What does that look like?

 

Alex Hall: So, at least in Las Vegas, with what I have labeled my operations, there is a heavy collaboration between drugs and fraud. It’s like the line between the two, you can’t even identify. So, the way that you would see this dynamic play out is you would have people who are regularly out on the streets doing bad things, stealing stuff, stealing purses, stealing wallets, breaking into houses, getting safe boxes coming to us. All this stuff that doesn’t really require much know-how but just kind of requires the spine in the backbone to go do something like that. So, they’ll go do that, they’ll bring it back to their connection for drugs, like their drug dealer, essentially. And then the drug dealer who doesn’t have intimate knowledge of the systems will come to me. Now, that’s the way up, that’s the way it would go up the chain of command to me, in which case I would separate stuff, I’d say, “Here’s where this is valuable. Here’s how you can use this. In the future, when you get something like this, go do this.”

 

Bradley Chalupski: So, are you talking about credit cards? Like things people are stealing out of people’s purses.

 

Alex Hall: Yes. But everything: checks, cash, cards, you want credit applications, mortgage applications. I mean, anything that has information on it really; receipts, whatever you want it. So, that’s the way it comes up. Then the way down is you can also, essentially, order out information. It’s like, “Hey, we’re looking for this and this and this. This is a place where you can find it. That’s the place where you can find it.” For example, breaking into Ashley Furniture, like a furniture store that has in-house applications and stuff like this. Get in there, directly to the computer, go directly to the file cabinets, get a couple of them, and take off, you’re done. Just get in, focus, get out. And then with that information, that’s enough information to operate for a year based on what’s in that file cabinet. You do that three or four times throughout the year, you’re good. And I tell you it works better, in my experience, than getting stuff from the cyber breaks, getting stuff from the online community on the dark web that’s selling this profile information because it’s not watered down. It’s not being sold in five or six different areas. You have the only copy of that application and it’s in your hands. So, from a fraudster’s perspective, it works out a lot better to utilize the street-level guys to get tinformation that you work with than it is to rely on the dark web.

 

Bradley Chalupski: That’s really crazy. So, it’s actually more valuable to steal the data than to steal the product that’s in the store. You’re just going right for that data and saying, “Let me get that and move on.” I’d never really thought about it. I have two questions to follow-up with there. One, do they still keep these applications you’re talking about – physical paper. They must keep these still in the stores. Or are you talking about people that can break in and then hack – like Peter Parker style or something – into the Cyber Command Tony Stark style and steal the stuff out of the computer, or both?

 

Alex Hall: Both. They’ll bring back the computers, bring it back to home base. We’ll break into it. Everyone has access to Linux. And typically, that’s all it takes to get past the login. So, get in there, get the documents, see what’s what. And I would say the success rate isn’t 100%, so I’m not going to say this is an absolute bulletproof method. But in my experience, furniture stores, electronic, rental places, and rental offices, those are the places that if you do one of each, you’re gonna get two sets of information back, two of them will be successful. So, it’s called a 66% success rate. But that’s more than enough to keep you hungry or to keep you busy and fed.

 

Bradley Chalupski: That’s really incredible. So, when you’re talking about this community, are you collaborating with people in terms of the actual online methodologies? Or are you just collaborating with people that can get you the raw materials that you need?

 

Alex Hall: So, that’s why my network would expand and then contract is because I thought early on that it would be worth it for me to make a name for myself as a fraudster, as a dark web engineer, as this big bad guy without a face. But I realized that that only really applies if you have 10,000 pieces of work being done and you, for example, have a skimmer somewhere or you have someone on the inside who’s giving you all the credit card information, then you go sell each one of those for five bucks. That wasn’t really that interesting to me. So, as my network expanded, I gave different people a listen to what I was looking for. But to answer your question about the collaboration, none of my methods were fully collaborated with anybody. Nobody knew every step of what I was doing. There were different people who would do different parts of it, but that’s all they knew. Someone would bring the information, someone would format the information, someone would open accounts over here, someone would check some information over there. Maybe go to SSN, DOB to grab some more information. And then I would compile it all and know where to apply it in applications for lines of credit and stuff like that. But anyway, the reason why it contracted was because in the world of drugs, you have a lot of people who are snitching on people, you have a lot of people that are rolling on people, a lot of people who get busted and sell out the people above them. So, because I would be up above, I didn’t want to be there anymore. So, I separated myself from them. I only spoke to several higher-level people. But no one knew what my operations were 100%, no one knew how to do what I was doing 100%. And it was at that point, then my methods changed. At that point, I’d say, a year and a half to two years into my operations, I never touched the dark web again, ever after that.

 

Bradley Chalupski: So, I want to get to that but I want to hit on something here that I’ve asked other people but never a fraudster directly, which is, why would you go through all of this? This is so much work. It’s so much stress. You’re obviously a hyper-intelligent person that can run this type of an organization. You could be doing legitimate entrepreneurship yourself or you could be working for somebody else if you got the right price to do it for them. Is it just pure inertia? Is it the thrill? Is it the amount of money? Is it because you feel like a baller in Vegas? Are you getting hooked up at the clubs? What is keeping you in this world?

 

Alex Hall: I think you just nailed it. Inertia – that’s the best way I’ve heard it put. You’re moving forward. Every time I take a step back, more people would be looking for me to try and work with me. People would try to bring me more information to try and help them. Inertia is what it was. That’s a great way to put it. That’s the first time I’ve heard that, I really like it. That’s got to be what it is; you just keep going. Now, at the time, drugs did play a factor. If you maintain these relationships, you have as much of the drugs that you wanted at the time that you could ever need. So, that was good. But it was just the fact that we’ve established this lifestyle. No one had been busted under my umbrella for my entire operation, ever. None of my methods have ever been busted and resulted in jail time. Well, none of them busted at all, I don’t want to get caught up on semantics. I guess it was just that until the final slap in the face of being a father and a husband with to my wife, that’s what it took to change. I grew up without a father, so my daughter was not going to grow up without a father.

 

Bradley Chalupski: Oh, that’s amazing. And hats off to you for that, man, for sure. That’s incredible. So, I want to ask you, continuing on this trajectory, now you’ve got this whole operation, you’re ensconced in this community, have a name for yourself as much or as little as you want, you have as much or as little work and connects with people that you want; what made you say, “Okay, I’m going to get off that bottom rung now and I’m going to start outsourcing.” Where did you go from there? What was your next step? What caused you to take that next step? Take me through that whole process.

 

Alex Hall: So, it’s important to note that at the time, I didn’t know where the top, middle, or bottom was. So, at the time when I decided to go figure out what worked for me by myself, I didn’t know that the dark web was going to be as low-hanging as it is, as I now know it is. So, at the time, I was like, “Okay, this is new, this is exciting, this is this. But a lot of people are doing this, let me do more of the same by myself. Let me do what they do here but by myself.” So, by that point, I started experimenting with different payment methods, different bank accounts, taking advantage of different social engineering. Never got into the phishing or the actual cyber-criminal activity like hacking into accounts, other than playing around with SQL Injection at one point, but that wasn’t too fruitful. But other than that, I really just stayed to organic, localized practices. And the way you do that is you experiment with different systems. So, for example, using what I’ve termed as math as a payment method generated numbers, you can sustain an entire lifestyle just using math; generating credit card numbers with Luhn’s algorithm. So, I started to experiment with that: Where would that work? Where does it work regularly? Where does it always work? What kind of industries?

 

Bradley Chalupski: I want you to go into that more for people who don’t know exactly what you’re saying with that methodology? We spoke about this when we first started talking. It absolutely blew my mind. One of those things that when someone tells you it seems so obvious, but you don’t think about it beforehand.

 

Alex Hall: So, Luhn’s algorithm – typically, people believe that a credit card number that ends in 0001, they believe that the next credit card that would be issued in that series would be 0002. Well, that’s not the case. Every card that’s issued whether it’s AmEx, Visa, MasterCard, Discover, every card fits what’s called Luhn’s algorithm. It’s a five or six-step algorithm that has the checksum digit at the end. It’s also known as the mod 10 or the modulus 10. And what it does is it’s a superficial verification or validation of the number that’s associated with the account. So, the credit card number has to fit this algorithm in order for it to be a valid one. Well, this means that out of every 9,999 numbers, I think you get about 2400 valid numbers. So, there’s a lot less than you would imagine valid between 0000 and 9999. That being said, if you have the first 12 of any card in the world, you can generate 2400 more of them off the first 12 digits. So, now you just have access to all these things. And now you just need to find a place that processes credit card information, only using the card number and the expiration date, which – that’s what I was just getting to – there’s plenty of it. Plenty of industries, you can completely pay for all of your basic necessities, basic resources, food, cigarettes, gas, water, car, everything can be paid for with generated numbers. And that was the next step in my evolution as a fraudster.

 

Bradley Chalupski: What’s so terrifying about that, for me, is your average person is just indefensible. You’re not doing anything. You could have a card that you never use online that you just keep in your wallet and it can still be subjected to this just kind of a random math hack.

 

Alex Hall: And that’s one thing that several times I’ve seen advertisements for credit card saying, “Hey, come get our credit card.” And it shows the full card number on the advertisement. It’s like, “What are you doing?” So, I reached out to these people, I’m like, “Hey, are you aware that your entire credit card is your numbers on the advertisement? You should fix that.” And they’re like, “Oh, no, it’s a dummy card.” Yeah, no shit. It’s a dummy card, right. But the rest of them aren’t. So, I’m telling you, you should probably not do that anymore. You can show the VIN number in your advertisements, I understand. But other than that, don’t do all that.

 

Bradley Chalupski: So you branch out into this. Did you go in the realm of trying to set yourself up as you’re your own fraud startup? I talked about this with Jimmy from SEON in one of the episodes. He was talking about this whole, basically, startup model that goes on. Did you get involved in that kind of thing?

 

Alex Hall: No. I’ve done a few things that would fall under the AML umbrella, but no. At that point, I’d seen enough people get busted for drugs, I’d heard of enough people getting busted for fraud that I set myself up with three rules: nothing flashy, basic necessities have to be handled, and just keep enough cash in your pocket to pay your bills and do what you need to do. At that point, operating with those rules, keeping myself in check, I was able to operate for another six years or so without consequence.

 

Bradley Chalupski: We were at the beginning when you talked about how it would be so easy to pass information off and nobody does it. So, when you say “get busted”, take me down that line of thinking as well. What do you mean by that? Who’s getting busted? For what? By whom? Why? Because before we were talking, it was almost impossible to get busted in the real sense.

 

Alex Hall: So, it’s almost impossible to get busted by your transactions. There’s a whole big world out there. I’m gonna say, based on my experience, it’s very unlikely that you’re going to get busted for trying transactions at a merchant. Period. Unless you’re in-store. In-store – that story is a little bit different. But online, you could put through 10, 20, 30 transactions in a single day that have different lists of variables associated with it, you’re not going to get busted for anything. When you get busted, it’s because of two reasons, at least again, in my personal experience. You get busted because someone snitched on you. Somebody out there got busted and they’re like, “Oh, well, I know this guy.” It never happened in my umbrella regarding fraud, I got snitched on for drugs. But someone else’s operation, all the way up the chain of command, people were going down left and right. And it’s because people were snitching on them or because they got pulled over and had a trunk full of information. So, that’s the two ways you coud get busted; either be enrolled on or snitched on, or being caught with the information, with the equipment, with the treated material like where the credit cards have been scratched off, the checks have been cleared off or you have duplicate checks, all the check material, FARGO machines, embossers, reader/writers, all the equipment. If you get busted with the equipment or if you get snatched up.

 

Alex Hall: So, I’ve put real thought to this because now that I’m on this side, I need to be effective on this side. At one point, I do, I want my history to be behind me and I want to be known for the results that I can produce. So, I’ve thought about how I would go about beating myself, how I would go about beating the operations that I knew were successful. And there are too many rabbit holes to go down and not all of them will be fruitful. For example, I can guarantee you that I once, in one way or another, directed the establishment of over 1,000 bank accounts. That doesn’t mean that I’ve had 1,000 bank account cards, that doesn’t mean that. That means I tried something. Some of them were successful, but I couldn’t get it to me, and so I just ditched it. That’s another thing about weighing your risk factors. So, there’s a lot of things that are done fraudulently. At least in my operations, I had a lot of loose ends. There’s a lot of trial and error, cat and mouse stuff that I tried, it worked, but I only viewed it from a distance. And then tried it over here with a more laser-focused goal and was able to but make it pay off over here. I didn’t mind failing three or four times in order to succeed repeatedly over here. So, anyway, from a fraud prevention/law enforcement perspective, you could be chasing down a lot of stuff to no end. You wouldn’t win. Especially with the fact that you establish your identity at the point of account creation, you can be anybody. So, how do you associate that with someone unless you find the bank card in their hand, for example, or the credit card in their hand? So, there’s a lot of dead ends that I would expect law enforcement to reach, which is why I think it makes sense for them to only really give resources and time to busting people who have all the information parked with them or being busted in the moment.

 

Bradley Chalupski: So, let’s start to bridge the gap here. So, you make the decision because of your family that you want to move on, you make that top-level decision; what does that look like? Where do you go? How do you say, “I’m done with this today and I’m going to go on to the other side.” How do you start to work your way across the barrier?

 

Bradley Chalupski: Hey, everyone, that’s the end of part one of our conversation with Alex. I hope you found it as compelling as I did. If you want to hear the second part of the conversation where Alex talks about how he takes everything that he learned in the Las Vegas fraud scene and applies it to his work as a fraud prevention specialist today with the companies that he consults with, make sure to check out the second part of the conversation in the next episode. Thanks for listening, everyone.

Exit mobile version