Learning from Antivirus Software

May 27, 2016
By Jon Coss - Blog Manager

Almost everyone is familiar with antivirus software. Not everyone is familiar with how it works though. Even fewer have examined how we can apply the way antivirus software works to combat fraud. I believe that there are important lessons here which can improve our approach to fraud detection and prevention.

At a high level, antivirus software performs two important functions prior to opening a file on your computer: 1) It compares the file to known viruses and other forms of malware, and 2) It checks the file for suspicious code which may indicate a new, previously unknown virus.

The first function depends on a network of users willing to share known viruses and a system that is able to collect the virus data, design a fix, and disseminate the fix to other users prior to them being infected. The second function depends on heuristic programmers that can design systems to learn and even anticipate potential problems. Working together, this is one of the most effective ways to address the constantly changing nature of Internet malware.

Government fraud prevention, when done properly, works in a very similar manner. By examining known bad actors, bad transactions, and bad behaviors, systems can quickly compare ongoing program data to identify suspect transactions. Modern fraud detection systems also include predictive algorithms that can detect anomalies, trends, patterns, and clusters that may indicate fraud.

Unfortunately, many governments are unable, or unwilling, to share data. This limits the “network” effect that antivirus software uses so effectively.
If more states and programs shared fraud schemes and findings, the library of known bad actors and methods could detect fraud and prevent it from moving from state to state and program to program.

The good news is a number of states are moving toward state-wide fraud prevention efforts and a number of government subsidy programs are moving toward cross-state fraud prevention efforts. I am confident that the future success of these efforts will promote additional sharing, leading to a larger network, and more efficient governments.

Related Posts

How Fraudsters Stole Money from Venmo Users

In yet another example of the creativity of fraudsters exploiting security flaws in commonly used services, the Federal Trade Commission recently announced a settlement with Venmo, the popular money exchange service. The charges, filed in 2016, include some surprisingly basic security flaws in Venmo, which boasts of “bank-grade security”. One major problem was found in Venmo’s cash reconciliation process. It would notify users that money had been deposited in their accounts when, in reality, many of the transactions were still under review. This allowed fraudsters to “purchase” and receive products before their payments were validated. Sellers, assuming that cash had been received, would ship the product and then find themselves without an actual payment. One scammer used this technique over several years to steal over $125,000 before being discovered.

In addition to this security flaw, federal regulators also noted that Venmo neglected to notify users of username and password changes or when new devices were added to their accounts. This allowed hackers to hijack accounts without any warnings to the actual account owners.

While the FTC’s settlement does not include any cash damages, it is likely that Venmo will face a slew of upcoming lawsuits. Beyond this, Venmo’s issues are particularly concerning to consumers.
We often assume a certain level of security and common-sense practices when we use well-known applications and services. Clearly, we should all be concerned about trusting our money and identities with any company—regardless of how safe it appears to be.

Zapping Taxes (Illegally of Course)

In their never-ending quest to circumvent the law, unscrupulous business owners are now adopting the use of so-called “zapper” software to avoid paying sales taxes. Zapper software automatically deletes a portion of cash sale transactions and then automatically reconciles the business’s back end finances to make it appear that the businesses paid the appropriate amount of taxes. This scheme reduces tax collections for governments and passes the burden to the vast majority of businesses who choose to act within the law.

Thanks to a crackdown by federal and local officials, recent arrests include $1 million in unreported sales at Cesar’s Restaurant in Lakeview, IL (home of the “killer margarita”) and $800,0000 at the Lao Sze Chuan restaurant in Milford, CT. However, a simple Google search will reveal that almost no city is immune to the zappers.

Zapper software is so popular that some businesses are now starting to offer it to their clients. In December, for example, a Canadian man pled guilty to selling zapper software to eight restaurants in the Seattle area leading to $3.5 million of taxes avoided. It is alleged that his company, which sells Point of Sale (POS) software, also sold the illegal zapper software through a subsidiary in China. After the sale of the software, they even offered to support their customers with their ongoing efforts to defraud the government.

Zapper software, while somewhat novel, is just another attempt to apply technology to skirt the law.
And while law enforcement training and targeted audits will surely help detect some of these modern-age fraudsters, analytics that use peer comparisons, spike indicators, and other statistically rigorous detection methods can also help detect the problem early. Like the old saying goes, it takes fire to fight fire.

Old Fashioned Credit Card Fraud

While shopping for groceries this week, my wife turned from her cart when a man stumbled and fell in the aisle. Less than 30 seconds later, she noticed that her wallet was missing from her purse which was sitting in the cart. Total distance from her wallet: 5 feet.

Within 3 minutes, she’d called me and alerted the store about what had happened. Within 15 minutes, I’d blocked our ATM card, our credit card, and a specialty retailer card. Total Time: 18 minutes and 30 seconds.

What had the robbery netted? A $1,000 gift card purchased at a kiosk at a nearby retailer with our credit card. A second $1,000 gift card purchased at the same kiosk with our ATM card (I was under the mistaken impression that this would require the PIN number). And a $5,000 gift card purchased with the specialty retailer card. Total take: $7,000. In just 18 1/2 minutes.

Of course, the thieves also got away with about $150 in cash and my wife’s driver license. She was worried that we were going to be robbed that evening “because they now had our address” but I convinced her that “having our address” made us no more likely to be robbed. We also freeze our credit which offers us some protection from identity theft. So this gave us some comfort.

After this incident, I wondered just how much “old fashioned” credit card fraud still exists in the United States. As it turns out, quite a bit, as 23% of the $3 billion in annual credit card fraud is still the result of lost or stolen cards.
I was surprised at this number given today’s more sophisticated identity theft and forgery schemes.

As often is the case with fraud though, the aftermath can be even more costly than the initial theft. Financially, even though we were not directly responsible for the fraudulent transactions, in the end, we pay through higher fees and rates. And of course, it’s very difficult to assign a cost to the trauma of being robbed at your neighborhood grocery store.

The lesson in all of this for me? While it’s important to protect your identity online, don’t forget that thieves still snatch wallets, look for credit card offers in your mailbox and trash, and call your home to try to trick or intimidate you into providing sensitive information.

Buried Pentagon Report Leads to Questions for Other Government Agencies

Earlier this year, four government agencies – Commerce, Health and Human Services, Energy, and the Environmental Protection Agency – received letters from Congress directing them to provide documents and comments detailing their efforts to “identify waste and… to achieve budget savings in the next five years.” The letter referenced a report from the Pentagon that identified a “clear path” to saving over $125 billion over five years, which was subsequently suppressed because of the dramatic findings.

The Washington Post, which was mentioned in the letter from Congress, exposed the Pentagon’s internal study in December 2016. The Post explained the reason the Pentagon buried the study was that they feared Congress would cut their budget if they knew of the waste. Incredibly, the “clear path” to savings did not even require layoffs.
Rather it would use attrition, early retirements, reductions in expensive contractors, and modern technology to streamline operations.

To put the size of the problem in perspective, the study showed that the defense department paid over 1 million back-office staff to support 1.3 million active duty troops (the smallest number of troops since 1940). Thanks to these large numbers, the savings from streamlining could have led to reallocating up to $125 billion for troops and weapons and rebuilding the nation’s aging nuclear arsenal. But apparently, some Pentagon officials decided that protecting against budget cuts was more important.

The four agencies who received the letter from Congress have until March 10th to respond. Their response must provide a copy of their internal reports similar to the Pentagon report, lessons learned for their department if they do not have a similar report, and any efforts the department has made to combat waste. Given that these four agency budgets total over $1 trillion, twice that of the Department of Defense, there should be ample opportunities for savings.

Nigerian Email Fraud

In December, a 67-year-old Louisiana man was charged with 269 counts of money laundering for serving as a middle man in a Nigerian Internet scam. These scams, which everyone with an email account has encountered, promise large sums of money from inheritance or from a “prince” trying to leave the country in exchange for your financial information. Typically, they then require you to send money to release the funds and the operation continues to run into obstacles for which more money is required.

When I receive these emails, I’m always struck by just how ridiculous the stories are. They are so obviously fake that only the most naïve would lend them any credence.
Given the sophistication of some of the fraudsters we combat at Pondera, I’ve always wondered why these clearly unsophisticated scammers can’t put out more believable emails.

After a bit of research on the subject, it turns out I’m the unsophisticated one. In fact, Microsoft Researcher Cormac Herley wrote a thought-provoking paper on the Nigerian Scams that concludes in part “By sending an email that repels all but the most gullible, the scammer gets the most promising marks to self-select, and tilts the true to false positive ratio in his favor.” So, like any good salesperson would do, the scammers are essentially feeding only the best leads into their pipeline and eliminating the poor leads early in the process so they don’t waste time pursuing them.

Pretty brilliant actually, if you’re into despicable crimes. And the results show it. The FBI’s Crime Complaint Center says that over the past five years it has received an average of 280,000 complaints and, more importantly, it estimates that victims have lost over $4.6 billion in that time. In the most extreme cases, victims were lured to Nigeria, held against their will, and extorted for additional money.

If you’re interested in reading more about this, check out Mr. Herley’s paper at the link below:
https://www.microsoft.com/en-us/research/wp-content/uploads/2016/02/WhyFromNigeria.pdf

The Case of Tom Brady’s Stolen Jersey

Shortly after Tom Brady led the New England Patriots to the greatest comeback in Super Bowl history, he noticed that his game jersey had been stolen from his bag. Asked if it was still missing hours later, he responded "Yeah, it's going to be on eBay at some point."

This got me thinking about the market for high profile stolen items like sports memorabilia and famous artwork (yes, Pondera people think a little differently than the average sports fan).
How, after all, could someone hope to profit from selling such a famous jersey—certainly not by selling it on eBay.

As it turns out, the markets for stolen items like sports memorabilia and artwork are quite mature and well-defined. Stolen art obviously has a longer history and much can be learned from it. For example, pricing for stolen art is typically around 10% of the estimated value. Interestingly, this means that many of the most famous paintings are less likely to be stolen because even 10% of $100 million is a lot to pay for an item that you can’t even show to friends!

While there are notable exceptions, including the 1911 theft of Da Vinci’s Mona Lisa (recovered two years later), the large majority of art thefts are of less than $10,000 items from private homes. The items are often sold after a period of time to legitimate galleries by “owners” who claim to have inherited them. Most estimates state that only about 5% of art thefts are ever truly solved. A recent seizure of famous Dutch art on the Ukrainian black market, for example, focused on recovery versus deciphering the 10-year “chain of custody” since being stolen.

Back to Tom Brady’s jersey. While not as expensive as a famous painting, many experts estimate its value at around $500,000. This would translate to a $50,000 value on the black market. And because it is such a famous item, it certainly wouldn’t be wise to display it openly.

While $50,000 is a great deal of money, I’m not sure many of us would take the risk of avoiding the Texas Rangers for that payday.

For those who need more impetus to stay on the straight and narrow, remember that O.J. Simpson’s 33-year prison sentence stemmed from a Las Vegas robbery over sports memorabilia that he claimed was stolen from him. And while Tom Brady’s 5th Super Bowl win is sure to ease the pain of his stolen jersey, I’ll still be rooting for the Texas Rangers and Houston P.D. in their efforts to recover this important piece of sports history.