Undercover Internet Investigations by NetBootCamp.org

Online: The risks of undercover payments

There are personal risks to going undercover.

Any law enforcement officer will tell you that a lot of planning precedes an undercover operation. Agents discuss the target, the environment, and the risks. There are many possible outcomes and a sound plan covers the potential forks in the road: the risks, the evidentiary goals and how each will be acquired.

There are also risks to online investigations, yet how many investigators browse the web with an operational plan? The risks online are personal and they can arise through undercover payments.

Proxy Payments
Investigators make online purchases for a good reason: to follow the money. They’re looking for a merchant account and its links to other e-commerce websites, or to an account and identity where the illicit proceeds may be held. Caution is warranted when conducting these purchases through IP addresses on a public proxy server. Here’s why:

Fraud detection software is ever-present in payment processing, and it associates proxies with fraud. A single card network transaction can pass through several fraud detection services, each operated by a different party engaged in the transaction. These parties include the payment processor, the merchant bank and the network itself. The fraud services your information passes through are determined by the subscriptions each party has selected. You will not know these parties until you process the payment, and you may never know the detection services they used.

For detection services like MaxMind’s minFraud, this information includes your IP address. This particular service assigns a risk score to each buyer, with negative scores assigned to attempts made from “a high risk IP address, high risk email, high risk device, or anonymizing proxy.” These scores and the buyer information are shared among the other merchants subscribing to the same service.

What does this mean to investigators? It is unlikely that you will know in advance which fraud detection services will process your payment. And, if your transaction is declined, you probably won’t know why. This is why it is important to compartmentalize the card information, email addresses, and the IP addresses used in undercover purchases from everything else, i.e. the IP addresses and information used in personal or business transactions. It’s also a good idea to dedicate an IP address just for researching the target website where your purchase is placed. If a service flags an IP address as a proxy, then other IP addresses used by this buyer with other merchants will also be flagged. Imagine what might happen if that IP address was assigned to your office or home: the buyer information for anyone else at those locations would be added to the block.
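As an added illustration of why compartmentalizing matters (this is not code from the original article or from any real fraud service), here is a toy Python model of a shared reputation service: identifiers are linked whenever they appear in the same transaction, a proxy flag on one IP propagates along those links across merchants, and the weights, scoring and sample transactions are all constructed assumptions.

```python
from collections import defaultdict

# Constructed transactions seen by merchants subscribing to one reputation
# service: (merchant, ip, email, card). Buyer A dedicates an IP, email and
# card to the undercover buy; buyer B researched the target from the office
# IP, which colleague C also uses for a personal purchase.
TRANSACTIONS = [
    ("shop-1", "203.0.113.9", "uc-a@example.net", "card-A-uc"),      # A, undercover
    ("shop-2", "198.51.100.4", "alice@example.org", "card-A-home"),  # A, personal
    ("shop-1", "203.0.113.55", "uc-b@example.net", "card-B-uc"),     # B, undercover
    ("shop-3", "192.0.2.77", "uc-b@example.net", "card-B-uc"),       # B, office IP
    ("shop-2", "192.0.2.77", "carol@example.org", "card-C"),         # C, personal
]
KNOWN_PROXIES = {"203.0.113.9", "203.0.113.55"}  # constructed proxy list


class ReputationService:
    def __init__(self, transactions, known_proxies):
        # Link every identifier that ever appeared together in a transaction.
        self.adj = defaultdict(set)
        for _, ip, email, card in transactions:
            ids = {("ip", ip), ("email", email), ("card", card)}
            for node in ids:
                self.adj[node] |= ids - {node}
        self.known_proxies = set(known_proxies)
        self.flagged = set()

    def flag_proxy(self, ip):
        """Flag one IP as an anonymizing proxy and taint every identifier
        reachable from it through shared transactions, across merchants."""
        stack = [("ip", ip)]
        while stack:
            node = stack.pop()
            if node not in self.flagged:
                self.flagged.add(node)
                stack.extend(self.adj[node])

    def risk_score(self, ip, email, card):
        """Negative score for a proxy IP or any previously tainted identifier."""
        score = -50 if ip in self.known_proxies else 0
        for node in (("ip", ip), ("email", email), ("card", card)):
            if node in self.flagged:
                score -= 25
        return score


def build_service():
    # Load the sample and flag both proxy IPs, as a subscriber might.
    svc = ReputationService(TRANSACTIONS, KNOWN_PROXIES)
    for proxy in sorted(KNOWN_PROXIES):
        svc.flag_proxy(proxy)
    return svc
```

Buyer A's personal identifiers stay clean because nothing links them to the undercover purchase, while colleague C's email and card are tainted through the shared office IP.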

Suspects also use payment processors and fraud detection services to their advantage. Card networks need to ensure their merchants comply with the laws in the countries where they operate. They make this possible by blocking the full IP range of those countries. Buyers can access and place orders through forms, but services in the background will decline the transaction. Again, you won’t know the reason why the order was declined, and you may not know in advance that the merchant is blocking the country. Merchants are known to use these features to block transactions in the U.S., making it difficult for law enforcement to establish a U.S. nexus.

The takeaway is this: IP addresses are an essential piece of an operational plan. Online payments are especially susceptible to interference when processed via a publicly identified anonymous proxy address, such as those posted by VPN subscription services like Hidemyass.com.

Prepaid Cards
Investigators have used prepaid debit cards to conduct online purchases for years. In most cases, the cards are set up with the email addresses and names of their undercover identity. This, too, is a practice that exposes investigators to personal risks.

The largest prepaid card network in the U.S. is, by far, Greendot. Greendot reportedly owns between 30% and 40% of the market, largely due to its partnerships with major retailers that include Walmart and CVS Pharmacy.

All card networks operate with terms of service. For Greendot, these terms vary by retail partner, and these variations are important to note in the area of transaction limits. There are thresholds that users are required not to exceed when loading funds onto a prepaid card, withdrawing funds from an ATM, or spending funds through purchases. At Greendot, these thresholds vary by retailer. They are dollar amounts set for different time periods: per day, per month and per year. Transactions that exceed these thresholds trigger audits by Greendot, not by the retailer.

Audits review the card holder’s overall purchase and deposit activity. This activity forms a pattern, and the purchase pattern of an investigator is very different from the buying habits of a standard consumer. It may concentrate on overseas purchases, unusual subscriptions and other transactions that are out of the norm for the network’s average demographic. This demographic uses the cards to purchase a different mix of goods such as groceries, gasoline and a wider variety of online goods. A busy investigator may also load a prepaid card more often, or in a more erratic pattern, than the target demographic who, preferably, connect their cards for payroll direct deposit.

When an audit is triggered, Greendot is prepared to terminate any card that violates these terms:

“You agree not to use the Card for business purposes. We may, in our sole discretion, close your Card if we determine that it is being used for business purposes.”

These prepaid cards are, of course, tied to the user by his or her social security number. It’s actually a federal law that requires this.

The Patriot Act protects the U.S. and the financial system from terrorism and money laundering by requiring all financial institutions that issue payment cards to obtain, verify, and record the information of each card holder. Individuals provide this information when they apply for a prepaid card, but they can usually add a secondary identity to draw from their card balance. This secondary identity is usually added with a name, email address and date of birth. So, while the secondary cards do not require a government-issued ID, they are still connected to the primary card holder via his or her social security number.

Fictitious identities represent a risk to a card network and, as such, are difficult to dispute.

The consequences of account termination are deeper than one might think. Card holders are flagged and barred from obtaining another card within the network. A card holder banned by Walmart MoneyCard will also be banned by every retailer under the Greendot brand. These retailers can also choose to share account information within their internal networks. That, in turn, could impact the individual’s participation in other programs managed by the retailer. For the Walmart MoneyCard, this participation is described in the terms of service:

“We share information about you with Walmart Stores, Inc… your opt out will not prohibit us from sharing your information within the Walmart Companies.”

Sometimes, our successes as investigators also work against us. I networked with a payment processor many years ago to develop a referral relationship. The goal was to protect a product and the consumers who would be harmed by the counterfeit sales. We trained the payment processor to profile and identify the merchants and the transactions, and we showed them how it also protected the payment processor from violating the card network’s terms of service. The training was very successful and we went our separate ways. A few weeks later I received a call on my undercover phone. It was an investigator working for the payment processor we had just trained. He inquired about a transaction I had just placed online with a suspect selling the product. I had planned the undercover purchase and the evidence process well. What the plan didn’t include was a scenario in which the focus on the payment would be reversed onto the buyer.

Conclusion
Online fraud is rampant. Fraud detection will continue to evolve and continue to be a priority for retailers and payment processors. Payment processing is the most complex landscape on the Internet. Investigators should proceed informed and prepared with a plan to face the risks of undercover payments online.