
An Identity Thief Explains the Art of Emptying Your Bank Account - ressmox
http://www.bloomberg.com/news/articles/2015-07-15/an-identity-thief-explains-the-art-of-emptying-your-bank-account
======
ScottBurson
Wait, I don't get this. The Amex agent called the old phone number on the
account. The person who answered gave _some_ indication of being the account
owner, but didn't answer quite as many questions correctly as the thief.

So what scenario is the agent hypothesizing? The person at the old number was
actually the identity thief, and used the account for maybe several years
without any challenge, before the actual owner changed the number back? That
makes _not the slightest bit of sense_ to me.

I think if the phone number has recently been changed, and you call the old
number, and the person who answers can answer any question at all about
themselves, you have to figure that's the account owner. Who else could it
be???

~~~
timv
While I agree that AMEX should have just locked the account for fraud, one
possible explanation that would create this scenario is a relationship
breakup.

Man breaks up with his partner, and moves out of their shared home. He changes
his phone number to be his new home.

Amex calls the old number, gets the old partner who is particularly vindictive
and decides to answer the questions as well as he can.

When I worked in banking we had all sorts of issues about how we handled
change of address with respect to relationship breakdown.

If a husband and wife share and account and share an address do you send them
separate statements, or combine them? If the husband tells you he has changed
address, do you assume the wife has changed too or assume that she's still at
the old address? If he's on the phone, you can ask him but do you assume he's
telling the truth?

If one member of a relationship chooses to change their mailing address, for
security reasons, you might want to send a notice to their old address in case
the change was fraudulent - but if they've changed their address because
they're fleeing an abusive relationship then you can't send anything to the
old address that indicates what the new address is. And just because someone
at the old address raises an objection to the change that doesn't mean it was
wrong, just that you need to do more investigation.

Those sorts of incidents were rare, but our procedures needed to plan for
them. And in this case, the correct action would be to lock the account and
escalate to a superior.

~~~
stephengillie
> If a husband and wife share and account and share an address do you send
> them separate statements, or combine them?

Don't allow people to share accounts? That seems to solve a lot of problems.
What problems does it create?

~~~
mcherm
The problem it creates is that you lose customers.

People want the ability to have joint accounts. A joint account generally has
a credit limit set by the income of the higher-paid (or wealthier) of the two
but allows both people to have a card and make payments. Imagine a simple
scenario: one spouse works, the other does not; the one who doesn't work often
does the shopping.

~~~
stephengillie
How is this different from a business account with 2 cofounders?

------
clamprecht
The best part of the story is how he hacked the US immigration system to be
able to stay in the US after serving his time:

> Factoring in time served and a reduction for good behavior, Naskovets got
> out in September 2012. He faced a deportation order that would have sent him
> back to Belarus. Representing himself in immigration court, he argued that
> he risked torture if sent home, based on his run-ins with the KGB. As a
> signatory to the U.N. Convention Against Torture, the U.S. cannot send
> someone back to a country knowing he’s likely to be tortured. An immigration
> judge sided with Naskovets. The government appealed. Here’s where
> Naskovets’s optimism proved justified. While he was buffing floors in a
> county prison in Pennsylvania, his case had caught the attention of Stephen
> Yale-Loehr, a law professor who runs an immigration clinic at Cornell. With
> the help of Yale-Loehr and his students, Naskovets fought Immigration and
> Customs Enforcement in court for two years—and in October 2014 the agency
> decided to let him stay.

~~~
abcd_f
Yale-Loehr must be so proud.

Deferring to the _torture_ risk in Belarus is such as an obvious bullshit. The
only way they can torture there is by forcing you to eat their organic
condensed sweetened milk.

~~~
halviti
[https://en.wikipedia.org/wiki/Human_rights_in_Belarus#Opposi...](https://en.wikipedia.org/wiki/Human_rights_in_Belarus#Opposition_and_certain_Western_countries_positions_on_Human_Rights_in_Belarus)

Belarus is subject to US sanctions for “undermining democratic process and
constituting an unusual and extraordinary threat to the national security and
foreign policy of the United States”.[25] It is also subject to sanctions
imposed by the European Union for human-rights violations.[26] Belarus has
been determined to be a habitual violator of international human-rights laws
and accepted norms of international behavior by the UN, the US, the
Organization of Security and Cooperation in Europe (OSCE), the OSCE
Parliamentary Assembly, the Council of Europe, the Parliamentary Assembly of
the Council of Europe, the European Council, the European Parliament, the
European Commission, and the NATO Parliamentary Assembly. As stated by the UN
Special Rapporteur on Belarus, “it is impossible to believe that all these
people are wrong or biased.”

~~~
gdy
How on Earth is Belarus "constituting an unusual and extraordinary threat to
the national security and foreign policy of the United States"?

~~~
kuschku
It’s a communist nation, the US just declared all soviet nations to be a
threat during the cold war.

------
kriro
Commit crimes, get relatively short term sentence and pay 200$ fine, stay in
the U.S. Crime does pay. Sucks pretty hard, identity theft is really nasty if
it happens to you.

That being said while slightly exaggerated the claim of torture in Belarus
isn't far fetched. Dude in charge is pretty much a crazy dictator. I remember
during the (last?) elections his main opponent was mysteriously beaten up and
he said in an interview that he shouldn't whine about it like a little girl.

p.s.: How do these arrests happen, is interpol involved or can the FBI
negotiate with the Czech government and just roll in there?

~~~
_yosefk
The idea that you arrest someone to serve time in your prison because he broke
your laws, and then you cannot send them back because of another law is just
mind-blowing.

~~~
mikeash
How so? That's sort of the whole point of law and the government. You may not
follow the law, and you may be punished if you don't, but _they_ are always
supposed to. You don't forfeit all your rights just because you break the law.

~~~
_yosefk
Well, yeah, but this guy gained whatever rights he has in the US just by
breaking US law and being kept in prison there. Not only didn't he forfeit
rights just by breaking the law - he gained his rights that way! Sounds a tad
buggy and something a lawmaker might want to fix to avoid this kind of thing
next time.

------
emir_
Anyone have any idea whether this could have been prevented if banks in the US
required PIN to process a transaction? Would fraudulent transactions go down
significantly if stolen cards couldn't be used without PINs?

~~~
mikeash
It might help (depending on just how hard they make it to reset your PIN over
the phone) but it probably wouldn't happen. Credit card companies make money
when you use your card. As such, they want you to use your card as much as
possible. Anything which increases the friction of a card transaction reduces
how much people use their cards, and thus directly impacts their bottom line.

Not requiring a PIN is an example of this. If your customers have to memorize
and enter a PIN, this added friction will cause at least some of them to pay
cash (or whatever other payment method) instead. That's lost revenue.

Similarly, it shocks many people to learn that credit card merchant agreements
_forbid_ requiring customers to show ID as part of the transaction. Seems like
a sensible way to fight fraud, right? But it also adds friction, which reduces
credit card use rates, which hurts card company profits, so they don't let you
do that.

This stuff is all a careful tradeoff. They know how much they lose to fraud,
and how much they gain in legitimate transactions from making things easier.
The goal is not zero fraud, but rather whatever level of fraud is optimal for
their profits, which is almost certainly not zero.

------
manishsharan
Quick question : would you pay extra fees for a credit card that only allows
transaction from whitelisted stores and if used online, the shipping address
could be only to a whitelisted address ?

~~~
pavel_lishin
Who adds to the whitelist? Could I call them, with my Russian accent, and get
them to whitelist an Apple store when I'm buying myself a new macbook?

------
mettamage
Why don't credit cards have a secret password like a pin code? I find it
strange that all the security information is available on the card itself.

~~~
t0mbstone
Because credit card companies are run by imbeciles who don't understand
security. Instead of actually solving their security issues, they just crunch
the numbers and mitigate their risks with accountants. They are still raking
in buttloads of money (like 3% of every transaction), so even with all the
theft, they are insanely profitable.

~~~
mikeash
I don't know that they are stupid. Security is a tradeoff, and if their
optimal profit level is one where fraud happens at a decent level, is that
really wrong?

This reminds me of the Potato Paradox article posted on the front page.
Imagine if the card company comes up with some way to cut fraud by 50%, while
the added hassle has a minor impact on legitimate transactions, reducing them
by 1%. That's likely to be a significant net loss for them, because of the
relative proportion of legitimate to fraudulent transactions in the first
place.

~~~
t0mbstone
Percentages are percentages. If you gain 1% in profits from lower fraud, but
lose 1% of transactions due to the security measures on the credit cards being
harder to use, you are still basically breaking even.

They would also be saving tons of money from being able to reduce their fraud
analysis and recovery staff, and they would build goodwill with not only their
merchants but also their customers. I know plenty of people who still dislike
using credit cards because of the potential for fraud and having their number
stolen.

When you think about it, it's pretty insane how many people you probably hand
your credit card to every week. Any one of those people could have a smart
phone or something with the camera on, capturing the numbers on the front and
back of the card. Credit card numbers are so insecure right now, it's
ridiculous. If you are going to use a credit card as a consumer, you pretty
much need to keep a non-stop eye on your statements. And when you actually DO
get your number stolen, you have to deal with the hassle of disputing the
charge and going back and forth.

Who knows? Maybe they would actually have a big upswing in credit card usage
(and the resulting transaction percentage profits) if they released a "new,
more secure card"?

~~~
mikeash
Recasting fraud reduction as "1% in profits" is extremely misleading, because
fraud is a tiny proportion of overall activity. Reducing fraud by 1% of
profits would require a _huge_ improvement in your ability to fight fraud,
whereas reducing legitimate transactions by 1% of profits is much easier.

And it's not like card companies do absolutely nothing. The US is finally
moving to chips, which will cut down a lot. Notably it's just chips, _not_
chip-and-PIN, because they want to keep that friction low. But when they are
able to fight fraud while still keeping friction low, they do it.

I think the market is competitive enough that if people wanted more security,
someone would offer it and it would gain in popularity. We _do_ see this to an
extent, with security features like sending transactions to your phone as they
happen. In fact, a very few banks will issue you a chip-and-PIN card right now
if you want it. Or you can get a debit-only card, with no credit features, so
that a PIN is always required. Mostly people don't seem to care, though.

------
theumask
I didn't know that is the new way to get residence in the US... Hey, FBI guys,
next time maybe you send thieves like this one to spend some time behind bars
in their home country, so they will truly get what they deserve.

~~~
Paul_S
I can't really argue with you but I have lots of sympathy for the kid despite
him being a criminal. It's probably because I was born in a country occupied
by Russia until the 90s and his is still and I can't bring myself to wish this
unto anyone. It's probably not a good idea to trust a con-man but I think he's
likely to become a net positive asset to society.

~~~
gdy
You are misinformed, Belarus is not occupied by Russia.

~~~
Paul_S
Ah, yes. Back in the communist era my country was also an independent
democracy (with electoral turnout of almost 100%, more democratic than the
rotten west!) who just happened to be gloriously "cooperating" with our soviet
brothers... and then there was reality.

~~~
gdy
You should read more about Russia-Belarus relations, like tensions regarding
Eurasian Economic Union or Belarus's refusal to recognize independence of
South Ossetia and Abkhazia or Crimea reunification.

And, by the way, it's been more than 25 years since the dissolution of Soviet
Union in case they haven't told you that after unfreezing you.

