global workshop americas fraud and revenue assurance workshop brasil cfca 3030 n. central ave.,...

Global Workshop Americas Fraud and

Revenue Assurance Workshop

Brasil

CFCA3030 N. Central Ave., Suite 707

Phoenix, Arizona 85012 USA+1 602 265 CFCA (2322)

+1 602 265 1015 [email protected]

Global Workshop

Identity Theft and Subscription Fraud

Cliff Jordan

3

Global WorkshopIdentity Fraud and Subscription Fraud Agenda

Definitions, Purpose and Intent Documents Used for Phone Subscription Counterfeiting in Brazil Counterfeit Examples Counterfeit Detection Experts in Counterfeit Detection Interview with Brazilian Hacker Authentication of the Client Detection of ID Theft / Subscription Fraud Prevention of ID Theft / Subscription Fraud Possible Solutions #1 through #5 Responsibility!?!

4

Global Workshop Definitions, Purpose and Intent

Subscription Fraud – This is the application for a service without the intent of paying. The fraud is in the intent to pay. When a person subscribes for a service, they sign a form indicating their willingness to pay for the service. If their intent is otherwise, then this is subscription fraud. However, many Subscription Frauds are done using “Identity Fraud” as a way to disguise the true identity of the fraudster.

5


Identity Fraud – A fraud perpetuated through the use of False Identity Information.

6


Types of False Identities:

1. Fictitious Identity – An identity that does NOT represent a real person. Also called “False ID” or “Fake ID”.

2. Modified Personal Identity – An identity that is true but has been modified in order to falsify some information such as the age, address, etc.

7


Types of False Identities:

3. Identity Theft – This is the using of an identity belonging to another person for any unauthorized purpose. Such purposes could be:

to earn or steal money to obtain or steal service to hide the true identity to frame someone for vengeance.

8


Summary:

Subscription Fraud can be committed using:

True Identity False Identity (Identity Fraud)

Fictitious Identity Modified Personal Identity Stolen Identity (Identity Theft)

9

Global Workshop Docs used for Phone Subscription

Photo Identification RG (Registro Geral) – Common Brazilian

Identity DocumentOR

CNH (Carteira Nacional de Habilitação) – Brazilian Driver’s License

Number Identification CPF – Cadastro de Pessoas Fisicas – Brazilian

Tax ID number and Social Security NumberOR

CNPJ – Cadastro Nacional de Pessoa Juridica – Brazilian Corporation Number

Proof of Billing Address

10

Global Workshop

Counterfeiting in Brazil

FALSIFICAÇÕESFriday, January 7, 2005, 12:35Group Negotiates 200 False Drivers LicensesSource: Diario de Cuiaba

The Civil Police arrested yesterday two people accused of counterfeiting public documents. Adilson Sampaio Pontes and Clodoaldo Pedroso Barbosa were put under house arrest in the suburb of CPA, after a two month investigation. With them, the agents found 20 falsified drivers licenses (CNHs) and 9 CDs whose contents were blank documents It is believed that they have sold over 200 counterfeit drivers licenses.

According to Police Representative Alana de Souza Cardoso, the group deals with other delinquents, who try to negotiate counterfeit drivers licenses for as much as R$1000. Adilison was responsible for the counterfeiting of the documents and Clodoaldo was responsible for the sales. They received on average about R$200 per document. This scheme has been going on for more than a year.

Being that this is a crime with no opportunity for release on bail, the two were taken to jail yesterday afternoon after questioning. They will be accused of the crime of possession of equipment with the objective of counterfeiting, such as a scanners and printers, and counterfeiting of a public seal.

The investigations will begin when João Batista Lima da Silva was imprisoned while caught using a fake drivers license. Since then three people have been imprisoned using counterfeit documents created by the same group. Following this, approximately 200 buyers were identified by photos, signatures, and other documents found with the counterfeiters.

“It is important to note that the drives licenses were sold to people that do not have the ability to pass the drivers license tests of Detran (DMV). They are illiterate, people with mental disorders or people with a serious problem with sight. Also, those that buy a counterfeit document will also be sought after for the use of a counterfeit document and can gain two to six years of prison”, explained the police representative.

Among the documents found on the first CD by the police, are blank checks, store credit cards, CPF (Social Security Cards), RG (Identity Cards), a marriage certificate, school documents, proof of driving school, and more than 200 photos and signatures.

11

Global Workshop

Counterfeit Examples

Example from: http://www.fraudes.org/id_false.asp

12

Global Workshop

Counterfeit Examples

Example from: http://www.fraudes.org/id_false.asp

13

Global Workshop

Counterfeit Detection

How to identify a false Identity Card:

Bend the photo to see if the photo was glued on top of another.

Verify the format and feel of the Identity Card Determine the chronology between the birthday and

the date of issue to see if the dates are plausible. With the Identity Card in hand, question the client

about his birth date and his parents. Whenever possible, leave from the field of view of the

client for a few seconds, inducing him to think that you could be calling the police or security. This procedure causes the Identity Thief to be nervous and he will generally leave cursing, leaving the Identity card in the hands of the attendant.

This and more hints at:http://www.fraudes.org/fraudes_cdc.asp

14

Global Workshop Experts in Counterfeit Detection

AFS Consultaria e Treinamentohttp://www.afsconsultoria.com.brFlorianópolis - SC

Eberson Bento da Silva (unconfirmed)

e-mail: [email protected].: +(0) 21 31837837 e +(0) 21

98448936

15

Global Workshop Interview with Brazilian Hacker

Chistiano Cony: Important data items such as credit card numbers, CPF (Cadastro de Pessoa Física), RG (Registro Geral), among others can be copied and used in perchance the hacker finds them. Naturally, these data items are re-used, sold, and bartered ? What are these data items used for?

Mad_Skater: This is not really my area, but basically it works like this.... After gaining access to the system, comes the part of stealing important data.... These are RG, CPF, which serve to fraud email accounts, pay for access to websites, etc... The hacker uses [identity] data from other people in case something goes wrong... Even I use a CPF which I obtained during a site invasion...[to gain access to] email accounts and internet access accounts. And the credit card numbers are used to buy things on the net....the “carder” gets a card number; makes a purchase normally on American sites or even Brazilian just the same and has the product shipped to a post office box created with [a fake ID and] fake documents.... Afterwards he pays 10 bucks for a friend of his to go and retrieve the product...this way he takes no risk....there also exists bartering for credit card numbers, trades, selling, etc....

Christiano Cony: Nowadays, in order to use data items as these, taking into account the payback and the anonymity, are any other equipment needed, other person, or can the hacker earn money on the web by himself?

Mad_Skater: Alone, a hacker can do and get everything... But normally carders are members of groups with the objective of getting the greatest number credit cards as possible.

Christiano Cony: Do there exist people specialized in hunting down credit cards? Mad_Skater: Yes, they are called “Carders”...

Christiano Cony: Nowadays with the police becoming specialized, is it possible to earn a living in front of a PC?

Mad_Skater: Apart from Carders there exists a mafia behind the hackers... This was something new to me as well, but I discovered some sinister things.

16

Global Workshop

Authentication of the Client

Definition of Terms*:

Validation:Insuring that each identifier that is used is, in isolation: 1. not fictitious 2. is in the proper format

IS THIS DATA VALID DATA?

Verification:Insuring that the combination of identifiers truly identifies a known client

or customer.DOES THIS DATA DESCRIBE A VALID CUSTOMER?

Authentication:Insuring that the combination of identifiers belongs to the client in

question.DOES THIS DATA TRULY BELONG TO MY CUSTOMER?

* source: Presentation given at the National Institute of Standards and Technology from the Economic Crime Institute at Utica College. Feb 10, 2004

17

Global Workshop

Detection of ID Theft / Subscription Fraud

1. As part of the subscription process the carrier needs to know and verify the following data:

Name An identity document number such as:

CPF (Cadastro de Pessoas Físicas) CNPJ (Cadastro Nacional de Pessoas Juridicas) RG (Registro Geral) CNH (Carteira Nacional de Habilitação)

A Billing Address Optional

Bank Account Number (for automated debit) Credit Card Number (for automated charges)

18

Global Workshop


2. If at all possible, view and copy or scan documents that prove these data points:

CPF Card, CNPJ Document RG Card CNH Card Proof of Address such as a utility bill or bank

statement Bank or Credit Card Statement

For Cellular Carriers, this can be done at the points of sale (stores).

For Fixed Line Carriers, this is much harder to do but could be done at time of installation by technician.

19

Global Workshop


3. Validate all numbers:

CPF/CNPJ Number: Software Abundant - Google search: “Validar CPF” http://www.universalturismocuiaba.com.br/cpf/

formvalidar.asp

RG, CNH Number: Difficult because format is state dependent. Credit Card Number: http://www.beachnet.com/~hstiles/cardtype.html (Visual Basic Source Code)

http://www.vb-helper.com/howto_validate_credit_card.html

20

Global Workshop


3. Validate all numbers:

Address Validation: Example: CODE-1 Plus International (Group 1

Software) Fixed Line Carriers can validate upon installation. Send “Welcome Mail” to validate billing address. Send “Notification Letter” to other addresses.

Automate All Validations!!!

21

Global Workshop


4. Verify these data items all describe the same person:

Sources for Verification: Serasa:

http://www.serasa.com.br/ingles/i_produtos/i_confirmei.htm Equifax: http://www.equifax.com.br/pro_pse_inf_pes.asp SPC Brasil: http://www.spcnegocios.org.br/nav/produtos.asp Receita Federal:

http://www.receita.fazenda.gov.br/Aplicacoes/ATCTA/cpf/CPFautentic.asp

Banks for Bank Accounts Credit Card Companies for Credit Card Numbers

Automate All Verifications!!!

22

Global Workshop


4. Example:

23

Global Workshop


5. Review Copied/Scanned Documents:

If there is sufficient resources and need, review ALL scanned documents for all new subscriptions, OTHERWISE:

Review only those in hot locations (by CEP, or Store Locations, or by Vendor), OTHERWISE:

Review only those that alarm in fraud system according to key indicators of fraud, OTHERWISE:

Do nothing!

24

Global Workshop


6. Check all data items against Fraud Database(s) looking for known fraudsters:

Internal Database

Shared Information Database from other Brazilian Telecoms

What should be checked: CPF or other Document Number Contact Phone Number Billing or Physical Address Name

25

Global Workshop


7. Check all data items against Bad Debt Database(s) looking for fraudsters masquerading as bad debtors:

Internal Database

Serasa, Equifax, SPC Brasil.

What should be checked: CPF or other Document Number Contact Phone Number Billing or Physical Address Name

26

Global Workshop


8. Look for Abnormal or Strange data items:

Examples: Large number of lines for the client

Large number of lines per client per CEP (Postal Code)

Addresses nearby known fraudster addresses

27

Global Workshop


9. Monitor Behavior for Subscription Fraud:

Perform Fingerprint compare against known fraudsters

Perform Fingerprint compare against other lines belonging to same client to validate that indeed both lines belong to same person.

Look for INACTIVITY! For cellular phones this could indicate that the phone was shipped overseas to commit roaming fraud.

Monitor the volume of traffic. Is it normal for this type of customer? Is it normal for this CEP (Postal Code)

Watch for changes in profile of established customers which could indicate “account takeovers” or “cloning”.

28

Global Workshop


10. Contact the Customer for Authentication:

Contact Options: Call Customer on his subscribed line:

Pros: Speak directly to customer Cons: Often timing is inopportune for the customer.

Redirect next call for Authentication: Pros: Speak directly to customer when he is able to

speak Cons: Often viewed as intrusive

Send message via SMS requesting customer to call for Authentication

Pros: Not seen as intrusive and customer can call when it is opportune.

Cons: Customer may not call.

29

Global Workshop


10. Contact the Customer for Authentication:

Authentication Options: Request that customer authenticate his subscription

information.

Provide a “flexible” authentication in case customer does not know some information.

Call Customer on his other lines in order to determine if suspect line is fraudulent.

Be Aware that a PERFECT authentication session itself can be suspect! Generally, there are minor variations in the data such as name and address (nicknames, and street names)

If the customer passed the authentication, DO NOT BOTHER THE CUSTOMER AGAIN FOR AT LEAST 6 MONTHS!!!

30

Global Workshop Detection of ID Theft / Subscription Fraud

1. At Point of Sale (Storefronts):

1. Require ID and Documentation such as: RG or CNH CPF Proof of Address

Utilities bill Bank statement

2. Copy or Scan all Documents: Serve as evidence of fraud Helps in teaching vendors how to recognize false

documents Helps keeps vendors honest Can be used to cross authenticate against other phone

lines.

31


1. At Point of Sale (Storefronts):

3. Validate all numbers in REAL-TIME as customer data is entered into system.

4. Verify the data describes an actual person in REAL-TIME as customer data is entered into system. (verify with Serasa, Equifax, etc.)

5. Check data against fraud and bad debt databases in REAL-TIME as customer data is entered into system.

6. This is all even more critical when selling a Post-paid account.

7. Determine options for the client based on results of these checks:

Examples: Do NOT sell client a phone line OR Only sell a Prepaid account OR only allow domestic/local traffic, etc.

32


2. Subscriptions over the Phone (e.g. Fixed Line Carriers):

Validate all data items in REAL-TIME as customer requests the new line.

If customer has other lines at different addresses, ask the customer to validate those other addresses.

Perform all validations, verifications, and authentications BEFORE installing or activating the new line.

33

Global Workshop

Possible Solution #1

Electronic Card substitutes practically all the identity documents in Rio Grande do Sul. July 15, 2005

The “Gaúchos” will have, as of next week, a system which will be able to, in a single electronic card, have registered practically all their identifying data such as RG number, CPF (SSN), PIS (other social benefit card), Working History, Voter Registration Number, Blood Type, Medical Insurance Number, and bank account.

It will be an integrated way for the Three Powers of the State, with the support of the ITI (Institute of Information Technology) – tied to the Presidency of the Republic --, to give greater speed in the bureaucratic processes, with an economy of resources.The objective is that this model be the example for the rest of the country. Electronic documents will be generated digitally which will guarantee the authenticity, privacy, and integrity of transactions, as well as the streamlining of the bureaucratic processes, improve process agility and wasting less paper.

The Director-President of PROCERGS (data processing arm of the State), Carlos Alberto de Campos, said that one of the principle advantages is the adoption of a system by the Three Powers. “It will be an architecture of electronic government focused on the citizen. The citizen has only a digital certificate for his interactions with the State”, he affirms.

There is not yet an estimate for the R$ savings or for the date that the card will be officially used. One example is the use of the State Tribunal Justice system for the printing of sentences. Just with the economy of paper, the savings were R$700 thousand per year.

We know that, when a system is up and running, the total economy with be in the tens of thousands of reais, said Campos. “An example is of the citizen that needs a copy of his motorcycle license. With a digital certificate, it can be done via the internet. His physical presence is no longer necessary.”

It is not yet determined if there will be a public campaign to adopt the system. First the target clients will be those of Banrisul (State bank of Rio Grande do Sul) – a total of 1.2 Million people.

The same bank card, in this case, will be utilized for the system. The clients will have a password and the card. In the future, the objective will be to make available a computer peripheral device so that people would swipe their card at home, even vote at home, with the card and a password – the document number being inside the card.

The launching of the project is scheduled for 3pm this Monday, in the Piratini Palace (headquarters of the gaucho government), with the presence of Governor Germano Rigotto (PMBD).

34

Global Workshop


E-CPF – New Digital Encrypted CPF

More information available online at:http://www.certisign.com.br/produtos/ecpf/e-cpf.jsphttp://www.certisign.com.br/produtos/ecpf/pop_faq.jsphttp://www.safeweb.com.br/docs/ecpfecnpj.asphttp://www.certificadosdigitais.com.br/compras/

Smartcard Token

35

Global Workshop


Voice RecognitionThe technology already exists to recognize a person’s voice while

on the telephone. This technology can be used to validate a customer while he is requesting the operator to complete a call, or update his account. Accuracies have been seen with a False Reject Rate of 1% with a False Accept Rate of 0.07%. Some of the companies with Voice Recognition products on the market are: Authentify, Persay Vocal Password, Nuance, Phonetic Systems.

36

Global Workshop


Fingerprint ScansOne option is for the customer’s fingerprint to be scanned at

Points of Sale along with his ID. Then with the appropriate software a realtime compare can be performed. OR the fingerprint scan and the ID scan can be archived and used later for validating a customer at a Point of Sale. Also fingerprints could be compared against those of known fraudsters. Future cellphones with fingerprint scanners built-in???

37

Global Workshop


Facial RecognitionOne option is for the customer’s photo to be taken at the time

of the sale along with scan of ID. Could be used for validation at point of sale later on. With MMS, could be used to validate the customer in near realtime. Other idea: Use facial recognition software to compare all new applicants with other known photos of fraudsters in the database.

Manufacturers of such software are: Verilook, Aurora Clockface, LogicaCMG.

Recognition successfulwith .68 similarity!

38

Global Workshop

Responsibility!?!

Price of NegligenceBank sued by Company that received checks from a false account.By Elba Kriss, Magazine Consultor Jurídico, Feb 18, 2004

Unibanco was ordered to pay around R$20,000 to company César Augusto Lapuza Suprimentos Ltda for damages. The company received checks from a false checking account. The decision was from judge César Santos Peixoto, from the 21st Civil Precinct of São Paulo. The court order is definitive.

The company received checks in payment of a purchase and it was proven afterwards that they were from a fraudulent bank account. According to the company, the bank was “negligent” in the “opening of an account of a third party who used a false identification document”. With the account open, “the checks were circulated without any restriction”.

The company represented by attorney Rogerio Licastro Torres de Mello of the firm Cardillo, Prado Rossi, Licastro Attorneys Associated, filed suit for material damages. According to the attorney, “the bank didn’t even check the identifying data of the people that opened the account”. Unibanco, claims that it is “not responsible for the crimes committed by the third parties”.

The judge ruled that the bank is responsible for the damage and commented that the process of opening a new account should have been more rigorous. Peixoto ordered Unibanco to pay R$20,118.24 adjusted by inflation since Sep 9, 2001, in addition to interest of 6% per year since the citation. The bank also was ordered to pay for the attorney costs.

39

Global Workshop

Responsibility!?!

Failure to AuthenticateBank held responsible for account opened with false documents.Magazine: Consultor Jurídico March 6, 2005

The bank is responsible for the opening of accounts and financial movements with falsified documents. With this belief, judge Marcelo Lopes Theodosio, fo Santo André, Grande São Paulo, ordered Banco do Brasil to pay 100 minimum salaries to Lillian Rudolf.

While trying to purchase a cellular telephone on credit, Lillian was denied the credit because her name was on the credit agency blacklist. She had a debt of R$1032,49 incurred because of financing that was obtained by someone with her documents, stolen in June of 2001.

At the time of the robbery, a police report was registered. Represented by attorney Pablo Dotto, of firm Monteiro, Dotto e Monteiro Attorneys Associated, she opened a suit for moral damages against Banco do Brasil.

The judge agreed partially with the action. For him, “it is up to the bank to be equipped to adequately detect false identity documents, accepting the risks that it is subject to in the performance of its job.”

More info at: http://conjur.estadao.com.br/static/text/33346,1.

40

Global Workshop

Responsibility!?!

According to Legal Precedence:

The responsibility belongs to the provider that interfaces with directly with the customer to insure that his documentation is valid before opening an “account” with that customer.

If the account was fraudulently opened and later used to abuse another company, the responsibility could legally fall back on the provider of the “account”.

An “account” could be defined as a “Bank Account”, “Telephone Account”, “Internet Account”, etc.