How cons wipe accounts clean with help from rogue bank staff

Beware! Your credit cards - Visa or MasterCard - are not safe, at least not as safe as you would like to believe, and your PIN code does not help.

It takes only a few minutes for criminals to wipe clean your account. All they need are the details embossed on your cards.

Private investigator Daniel Njue explains how it all works and provides an insight into the operations of syndicates that are siphoning millions of shillings from unsuspecting credit card holders.

It does not matter whether you lost your card or still have it safely guarded in your wallet or purse, if it has passed through their hands, and you had some money in your account, it will disappear.

From street urchins who collect and sell the cards to hackers and computer specialists to rogue bank staff who sell data to them and allies in foreign countries, the syndicate’s web is extensive.

It gets even worse, with Visa admitting to Mr Njue, in his quest to alert them about a loophole he had discovered, that it is almost impossible to stop the fraudsters.

Financial statements

“I have evidence to show you, financial statements of how hackers use people's credit information to drain their bank accounts. I do not know if I am the only one who knows how it is done, but I think I am the only one who can stop it,” Mr Njue wrote to Visa on December 20.

He then requested Visa to share the solution with its competitors like Master Card in order to prevent the massive, illegal draining of people’s accounts.

Eight days later, Visa responded, but the feedback was not encouraging.

“Consumers should understand that it is extremely difficult for Visa to control companies that use the Visa name without our authorisation,” a Visa representative responded.

This implies that millions of people using Visa and MasterCard cards are on their own, in a cutthroat market where techies are minting cool millions illegally from their accounts.

By sharing these details on the murky world of fintech, Mr Njue is risking it all, and some of the people in the outlawed business know him well and may go for his head, he says.

“We are all at risk. Our information is exposed and data is not safe. The information on the cards is what endangers people.”

He identified the loophole almost two years ago while conducting a random search on the security features of fintech. It then hit him that online payment and purchase platforms do not require PINs to transact.

As such, armed with details on Visa and Mastercard cards, one can create an electronic wallet, link it to the card and purchase items with someone else’s card.

First, hackers, known in their circles as Ghost Track Hackers, need the information on the cards, and they get it from street urchins for as low as Sh100.

“Mostly, the cons tell the urchins that they work in banks and that they recollect lost ATM cards. This works very well. That is why it is so hard to find lost ATM cards nowadays compared to two years ago. There are people who know the value of these lost cards,” Mr Njue says.

The second way fraudsters get the cards or at least the cards’ details is through their contacts at leading banks. Rogue staff are willing to share customer data because they get a cut of the stolen money.

Having stolen the data, the criminals learn the money behaviours of their victims. They know when they deposit huge amounts in their accounts, including bank loans.

Bank officials

“The percentage the bank officials get depends on the amount on the cards. Most of them target moneyed clients who at times fail to notice the small deductions made in their accounts,” Mr Njue says.

According to a report released in May by PrivacyAffairs.com, an online publication from Romania-based Zisk Web Ltd, the prices for stolen credit cards had increased by $0.55 to $4 between October 2020 and February 2021, depending on the type of card and accompanying account data.

“The price hikes are due to a combination of factors, including the increased risk criminals face in obtaining the data, the improved quality and accuracy of the card data, and inflation. To entice buyers, sellers of stolen card data will typically guarantee that 80 percent of data sold is accurate,” the report says.

Stolen online-banking logins for accounts with a minimum balance of $2,000 sell for $120 per account, up $55 from 2020. A cloned MasterCard with a PIN sells for $25 per account, a $10 increase from 2020, while a Walmart account with a credit card attached sells for $14, a $4 increase.

Credit card data for an account with a credit line of up to $1,000 saw a $3 increase to $15. Prices for cloned American Express and Visa cards with PINs, which sell for $35 and $25 respectively, remained flat.

Among new card products were hacked accounts with card-verification values from Israel that sell for $65 per account, while card data accounts with CVV numbers for the United States sell for $17.

“You can see that USA hacked credit card details are valued the lowest (due to high supply), and Israel the highest,” the report stated.

Cryptocurrency accounts currently command the highest prices due to increasing prices for Bitcoin and growing values for other digital currencies.

“A key factor driving prices is Bitcoin ATMs, which enable criminals to remove money from an account anonymously. In addition, hacked crypto accounts may hold large sums of coin-based currency and cash, protected by relaxed security measures after the initial verification process,” says the report.

A verified account with Kracken (a cryptocurrency platform for individuals and large trading firms) commands the highest price at $810 per account, followed by a Cex.io verified account at $710 per account.

Cex.io is a verified account that allows an account holder to buy cryptocurrency using a credit or debit card, make card deposits and withdrawals of up to $1,000 daily and up to $3,000 per month, and make unlimited crypto deposits and withdrawals.

It is followed by a verified Coinbase account at $610 per account. A Crypto.com verified account sets the floor at $300 per account.

The report also notes that PayPal account data is the most abundant on the dark web, making those accounts inexpensive compared with cryptocurrency accounts.

“In fact, the abundance of PayPal account data has dramatically driven down the price in some cases. A stolen PayPal account with a minimum $100 balance, for example, sold for $30 as of February, down from $199 in October,” the report says.

The buying of credit card and cryptocurrency data from urchins, hackers and privileged individuals with access to account holders’ information is a global phenomenon threatening the financial safety of millions.

Most criminals hack PayPal accounts to transact illicit deals and the price for any account depends on the amount of money criminals can transfer out of the account.

“Prices for actual transfers from a hacked PayPal account run as high as $340 per account and as low as $5 per account,” the report says.

Getting details from cards and accounts is the first step in the money siphoning business.

The fraudsters are not so careless as to send the money they steal straight to their accounts. This leads them to step two - creating or hacking e-wallets, with the most popular being PayPal and WorldRemit, Mr Njue says, a view backed by the Zisk Web report.

e-wallets

With the e-wallets, the swindlers are at liberty to transact as many times as they wish until their victim’s account runs dry. However, they do not send the money directly to their e-wallets; that will make it too easy for detectives to track them.

This leads to the third step: getting in touch with allies in other countries or people with connections in foreign countries who then register shell companies that sell nonexistent goods and services. The only mode of payment for these spurious companies are online deposits through the e-wallets.

“There are no strict regulations governing the formation of online companies. No one checks to confirm if the description on the company’s website or online presence actually matches what they offer,” Mr Njue says.

Once the money hits the account of the nonexistent company, the “owner” cuts his share, and through another safely guarded mode of money transfer, wires the money back to the “ghost” who sent the money a few moments before.

“This is the principal basis of money laundering. You have to use the money you steal to buy something, and in the case of most hackers, they buy nonexistent goods, cut the shell companies’ owners some small percentage and receive back their ‘cleaned’ money,” Mr Njue says.

To demonstrate how the system works, the private investigator shows this reporter a random credit card that he collected at a high-end restaurant in Nairobi in late October. He explains how he created a PayPal account using the cardholder’s name and even formed an email address with the same name. He registered this address and used it to get the verification email from Paypal.

He then linked the credit card to this fake PayPal account and has from time to time withdrawn small amounts from the PayPal account. He has wired some $188 from the account.

“I do not send this money to my registered PayPal account. I sent it to some shell online company registered in Rwanda. Having worked with some of these criminals while doing my investigations, I was introduced to a tech guru who allows us to send money to his account. His account cannot be traced,” he explains.

Once the money hits this untraceable account, the tech guru slashes his cut, in this case, a whopping 18.5 percent of the total amount wired to the account. Mr Njue, however, declined to show us how the money was wired back to his account.

But, in a matter of minutes, he logged on to his other false PayPal account and the reporter saw that the money, minus the 18.5 percent cut, had indeed been wired back to his account.

“What you saw is just the tip of the iceberg. I know people transacting thousands of dollars after being informed by their bank people when money is deposited in their victims’ accounts,” he says.

Creating heartache

“This loophole is creating heartache for millions of hardworking bank account holders. I have tried sharing it with Visa, but they have not taken me seriously,” he says.

“I have the solution. I have created software that can authenticate the validity of the companies in the cloud that get payments via credit cards. These are the ‘cleaners of the stolen money’. Let Visa and MasterCard look for me, then together, we will find a solution.”

Visa has acknowledged receiving our queries and has promised to respond soon. Mastercard has not responded.

The Nation reached out to both Visa and MasterCard on whether they were aware swindlers commit fraud using their credit cards, if they had received complaints from victims and security measures implemented to protect people’s cash.

The Nation also asked if the two companies had any way of confirming if the accounts created for e-wallets such as PayPal and WorldRemit are by the genuine card holders.

 “Thank you for contacting Visa. We apologize for the inconvenience. Your inquiry is being reviewed and we are working diligently to provide you with a response. Thank you again for contacting Visa,” responded a Visa representative named Erl. 

MasterCard replied almost immediately, issued a case number but never got back as promised in their email.

“Here is your Case Number: 02426249. We are tracking your inquiry and a representative will be in touch with you shortly.”

[email protected]