Elliot Castro is a born-again fraudster who now acts as an independent fraud consultant. It's fascinating to watch and listen to him speak on this recent Finextra video clip, because although he's precisely the kind of guy that my company works round the clock to stop, his keen understanding of the social vulnerabilities that trump the best security systems is scarily riveting and underscores the complexity of ecommerce fraud, and the difficulty that banks, merchants and consumers have in protecting themselves. The simplicity of the schemes used to perpetrate these crimes, the fraudsters' brazenness and the organization of the underground criminal networks kept me on the edge of my seat.
Castro notes that once the fraudster has real personal information, merchants are nearly defenseless, virtually unable to distinguish between a real and a fraudulent transaction. This information is easier to obtain than it may seem. For example, a fraudster might call a hotel front desk and ask to speak to a guest with a common name such as “Mr. Smith.” Put through to Mr. Smith, the fraudster explains that the guest's credit card was turned down at check-in and that he needs to provide a new number, confirming the name as spelled on that card and the CVV2 code. It's that simple.
As simple as Castro found it to swipe personal data, it's even harder for businesses to protect against that data being used in a fraudulent manner. Without a crystal ball, the task is nearly impossible. And, like any criminal, fraudsters only need to be successful
occasionally, whereas those defending against fraud need to be successful all the time.
How tough is that? Castro asserts that fraudsters outnumber those fighting fraud by 10 to 1, raising the question: would you pick a solo fight with a Roman legion? Nonetheless, merchants walk into that fray every day, outnumbered, outgunned, and
Far from working alone, the criminals have become highly organized and collaborative. They share schemes, botnets, and scripts. They have social networking sites and communities where they buy and sell data and openly discuss merchant vulnerabilities and how to defeat the technologies used against fraud. One such community, DarkMarket, was recently shut down by the FBI. But we know that within hours, multiple new sites had sprung up like mushrooms to replace it.
The lesson in this? The good guys need to take a page from the fraudsters. It's high time we stopped acting like lone wolves. Against big-business-like efficiency, sophisticated organization, single-minded determination and a community effort by the criminals, banks, issuers, police and online merchants stand no chance. But by collaborating, sharing what they know about crime to create a 360-degree view of online behaviors, they can more than level the playing field and turn the tables on fraudsters.
It's that simple -- and it's that hard.