A Criminal’s Take on Credit Bureau Fraud

Hello everyone. My name is penissmith, and I am a new writer for deepdotweb. I am currently a member on the darknet marketplace Alphabay, and have been on marketplaces for the last 4 years. I have helped Alphabay introduce anti-fraud algorithms to prevent scamming, and created methods for moderation to be quicker. I started out like anyone else, having no idea what any of this was and mostly doing petty theft. Being a mainstay in the darknet fraud community enables you to learn a tremendous amount, and have the opportunity to turn fraud into a full time living.

In addition to committing outright identity theft, I am obsessed with anything controversial, and making illegal practices more legitimate, efficient, and practical for everyday people to execute. You don’t need to be a Russian hacker, or savvy with computers to make money from illegal hobbies. My ultimate desire would be a world where fraud is looked at like any other career path, where evading law enforcement is simply deemed a “logistical duty” rather than an inevitable death. Today I would like to enlighten you about a misconception regarding identity theft in America.

The idea of identity theft in the average consumer’s mind is always the risk that someone obtains a credit card or loan using their name and social security number. Most people don’t realize that type of identity theft is rarely executed by criminals anymore, as it requires defeating a host of anti-fraud imposed by banks that issue credit cards. If one wants to get a loan from say Wells Fargo, great; step inside the branch to sign the loan papers. This is a common theme with any bank that lets you apply for loans online or over the phone. A criminal wishing to remain anonymous is not going to step inside a bank anytime soon.

Anytime you apply for a credit card, you write your address on the application. The bank uses your social security number to find your credit report with the bureau of their choosing, which includes your address. The address you use on the application, is where they mail the card. There are no separate fields for your “mailing address” on a credit card application. If you apply with an address that isn’t on your credit report, no reputable bank is going to approve that application. You will receive a letter in the mail a week later either explaining how they were unable to verify your identity, or if you are lucky they will ask for a host of documents. The procedures for every bank is different, and the anti-fraud varies wildly, but the odds are next to nothing someone can obtain a credit card with a stolen identity, on a reliable basis, and certainly not quickly.

Regardless of the odds, this fear has caused many legitimate businesses to carve out a market for a relatively useless product, being credit monitoring. There are a plethora of free services such as Credit Karma, or simply checking your reports at annualcreditreport to identify and repair credit-based fraud. It’s not a waste to check your report a few times a year, but it’s an absolute waste to pay a service like Lifelock. If anything, the odds of Lifelock being hacked or otherwise leaking your information, is higher than you ever taking advantage of their credit repair services.

While less and less fraudsters pursue credit-based fraud in the 21st century, more criminals are into merchant fraud, which is a vague way of saying defrauding any system that handles monetary transactions. Paypal is by far the most exploited website, since it can be impossible to differentiate between a legitimate and illegitimate user. Credit card processing is also common, where a fraudster creates an account on say Stripe or Square, then proceeds to run stolen credit card numbers through his account, and withdraws the funds.

With any monetary based system, they all require your social security number and everything else to signup. A criminal doesn’t need to know your entire life history to open a business paypal account, only your name, address, and last 4 of social. Everything else, such as the email, phone number, and IP address they use to login can be completely fabricated a thousand times over. With every redention of stealing from paypal, the account will always be left with a negative balance since the fraudster turns the paypal funds into fiat or even e-currency, while paypal later reverses the transfers made to the account. I have had a personal experience of leaving an account with a negative $54,000 balance.

Let’s be clear here though, paypal is not a bank, but if your account (or an account in your name) obtains a negative balance, that debt can be sold to debt collectors, who will attempt to put negative remarks on your credit report, and contact you in a variety of ways. You can get rid of them, using the advice I found on google all you have to do is ask them to prove you owe the debt which they cannot do. It certainly differs from a bank that you owe money to, but the process to remove a fraudulent credit card in your name, and a paypal debt, really isn’t that much different. They are both a hassle, and will both require some time on the phone.

When non-credit based fraud starts to become a tad scary, is when someone opens a bank account for you, which unlike paypal, has some real legal authority. It’s degrading to live in a country where one can open accounts at financial institutions using information that isn’t remotely secure. When you think of a “drop bank account” you may think of a mule, or a desperate drug addict who doesn’t care about the repercussions. Earlier in the darknet, there wasn’t much information about opening bank accounts using stolen identities, and it wasn’t really a discussed topic. Instead, people used prepaid cards, or those infamous polish prepaid cards. Around the time Evolution Marketplace started, people started opening Ally Bank accounts, and selling them for $30-50. Next it was Bank of America for $100, with debit card shipped to your desired address.

It shouldn’t surprise anyone that Ally Bank despite having “bank” in it’s name, is hardly a real bank and does not function like one either, but Bank of America? You would expect significant identity verification, or what the average consumer would say “they can tell if it’s not you obviously”. None of that exists, and instead they have an absolutely retarded approach to fraud prevention. They don’t ask for your driver license information on the application. They would rather just close the account in a few months stating “security reasons”. If was a legitimate consumer looking to open a bank account, I would never use Bank of America out of fear they randomly close my account. It’s quite a reoccurring theme with them.

Now, there are typically a few boundaries preventing just anyone from opening a bank account in your name. Your social security number for example, well no… Social security numbers were somehow “hacked” a few years ago and now 80% or so of people over the age of 40 can be found on the website ssndob.so. Anyone, Obama and celebrities included are on there. You would think such a website would make major headlines, but that isn’t possible here when the person writing the headline puts his own identity at risk by publishing such an article. It has been in everyone’s best interest that such a national threat gets no media attention, and we deny it ever existed too! Or maybe it isn’t quite as sexy as the Target credit card hack. Ssndob has been an absolute staple in the fraud world for several years now, and it is responsible for billions in identity theft.

Some banks also ask for your driver license information on the application, but unfortunately that information isn’t secure either. Banks aren’t the DMV, and have no relation to each state’s DMV, so they cannot verify rather or not the information is valid or not. They can simply check the formatting to see if it is valid, and you can simply use google to find the format of each state’s driver license number and how long it is valid for. A few states you can even generate a real driver license number, using this.

This means you can effectively take someone’s name and city, find their address and SSN/DOB on ssndob, and apply for a bank account. You can make a free email account, use a $20 prepaid phone from the store, and either use an android phone’s internet browser to apply, or a hacked server (also known as an RDP). Traditionally criminals have used sock proxies, but they don’t last very long. You will however notice when submitting an application for a bank account, banks tend to ask 3 or 4 security questions which are related to your credit profile or previous addresses/phone numbers. Unfortunately, none of this is secure information either.

A criminal can view your credit report just as easily as you can. To view a credit report they simply go on the same websites you do to obtain it, and take a good guess at the verification questions asked (which are the same type of questions the bank asks). I have answered these questions hundreds of times, and can usually pass around 75% of the time. They will ask about a previous address, but ssndob has previous addresses, so does nearly every paid background report on the internet (likely paid for with a stolen credit card). All too frequently they ask about a recent mortgage or auto lease, but I’m pretty fucking sure an 80 year is not applying for a mortgage or getting a loan for a car. They also ask what state my SSN was issued in, ok here you go.

There are only a few questions that occasionally come up which can be considered slightly secure information, such as people I’ve lived with, and the date a credit card was opened can be one of the more difficult questions to answer, but I’ll guess AMEX in the 90s every time if it’s an option. You don’t actually need to answer every question correctly to get access to the credit report, so the odds are substantially in your favor to pass verification. Even if you fail on the first report at annualcreditreport.com, you still get to try again for the next 2 reports. If you fail all 3, try credit karma and credit sesame. Fail every time? Ok, well you spent next to nothing, just get a new identity and try it again.

With a copy of your credit report in hand, passing the bank’s verification questions will be easy most of the time. After you pass those questions, it really comes down to the individual bank’s practices if opening an account with the stolen identity can come to fruition or not. Some banks open the account instantly, giving you online access and the account number immediately, while others make you wait 3-5 days to hear a decision. Some don’t allow a separate mailing address, meaning the account information and debit card will be sent to the victim’s real address, but the majority of banks do allow a separate mailing address. With a fraudsters “drop address” as the mailing address, they can receive the debit card and all account information needed to use the account for as long as they desire. There are a few favorite banks that criminals usually target, and I have extreme favorites of mine, but those don’t need to be discussed here.

A bank account being opened in your name means you are responsible for whatever happens with it, including criminal activities. A good portion of crimes that internet criminals are committing these days requires some type of drop bank account in order to function. When someone makes an account for you then ties it to a Stripe payment processor account, runs off $30,000 in fraudulent charges, who do you think law enforcement will be coming for? Whoever the bank account belongs to will absolutely be their initial suspect.

I have no idea how that discussion will go with a warrant being issued for your arrest and you tell the police you have no idea where this bank account came from, but I suspect your day will be ruined more than someone opening a measly credit card for you and not paying it back. However I’m sure the number of people that have been arrested and spent days in custody are very few as a result of a bank account being opened in their name, which is a good thing.

It’s important to realize your identity is more a fluid concept than anything concrete. Your social security number is just “associated” with your name, and you happen to have an ID card that says you are that name. Identity is your personality and traits, not what a big government database says about you. Criminals can use your identity, and there is nothing you can do to reliably prevent it, but you have numbers on your side. With a population of 320 million, the US is a big country and there is no way to commit identity theft 320 million times. The old saying of “follow the money” doesn’t have much premise if criminals can use stolen identities when transacting money. One can only imagine the number of criminals who would have never been caught had they simply used a bank account not in their own name. It’s so fundamental, there is no excuse to ever use an account that is registered to you when committing fraud.

Share and Enjoy

  • FacebookFacebook
  • TwitterTwitter
  • DeliciousDelicious
  • LinkedInLinkedIn
  • StumbleUponStumbleUpon
  • Add to favoritesAdd to favorites
  • EmailEmail
  • RSSRSS

TheBitcoinNews.com – leading Bitcoin News source since 2012