Heads-Up: Bank Fraud Alert

[Keyur @ Camp BX]

Hi everyone,
          A couple of days ago we noticed some suspicious transfers to CampBX, and reported those to our bank as well as Dwolla.  After talking to bank fraud investigators today, seems like there is a well orchestrated, large-scale bank fraud underway.  This includes very convincing fake passports and utility bills used to open bank accounts and Dwolla accounts, and transferring money to Bitcoin companies.  Bank customers who have been hacked are spread all over geographically: MA, CA, TN, NYC, and WI.

         The old-fashioned practice of processing bank+Dwolla transactions manually mostly saved CampBX: We have lost $2.6K and prevented a loss of $9.8K so far.  I don't have email IDs for newer exchanges so sending out this open heads-up on the forum.  I believe BitInstant does manual processing, so their damage may be limited, but exchanges like Mt.Gox that do automatic processing of Dwolla may be at higher risk.  (Unless the fraudsters are selling their coins on Mt.Gox - in that case they will make a nice profit).

Keyur

[1715550000]

1715550000

[1715550000]

1715550000

[1715550000]

1715550000

[1715550000]

1715550000

[1715550000]

1715550000

[Keyur @ Camp BX]

PS: All this info is from the bank investigator.  Dwolla so far is reacting like a deer in headlights.

[Stephen Gornick]

Sorry to learn of the financial loss incurred by this.  Thank you for being diligent and also for sharing what you've learned.

[cypherdoc]

This includes very convincing fake passports and utility bills used to open bank accounts and Dwolla accounts, and transferring money to Bitcoin companies.  

do u mean they're transferring stolen USD's to exchanges to buy Bitcoin?

[Keyur @ Camp BX]

do u mean they're transferring stolen USD's to exchanges to buy Bitcoin?

CD,
     Yes - I didn't make that clear in a rush to get the message out.  Just in last couple of hours we received several thousand dollars more from what seems like compromised accounts. 

InterSango and BitInstant are okay, but seems like one other exchange is going to take a big loss on this one.

Keyur

[Yankee (BitInstant)]

Essentially, this is what happend to us, MtGox, CampBX, Crypto and to TradeHill

Someone stole the identity of a US citizens, opened up bank accounts.

Use that account to verify Dwolla, (Since they have fake ID's and access to the account) and in small amounts used the exchanges to buy Bitcoin.

Once the account owner realized (Weeks later!) that funds were being taken account of their account, they call the bank and claim fraud. (Most of the compromised accounts were trusts, or lawyer accounts which are rarely checked...ironically)

They sign an affidavit, and the banks reverse all the charges from Dwolla. Dwolla then pulls the money from the merchants...and we get screwed.

Right now, Dwolla is very cooperative, and works with us. They changed their whole system around to deal with these things.

However..this was not always the case.

When it first started happening, mostly to TradeHill, Dwolla would reverse the transactions and change TradeHill's statements to cover their asses. Chargebacks were NEVER in Dwolla's TOS until later on. I told Jered to start downloading the statements after after transaction, and all of a sudden we started noticing transactions disappearing from them! (I've seen ALL the evidence, TradeHill really did get screwed...BAD)

Dwolla then changed their TOS, and started cooperating with merchants, thinking they can get away with it.

[Stephen Gornick]

Just in last couple of hours we received several thousand dollars more from what seems like compromised accounts.  

Ok, Keyur is using "accounts", which is plural.

Someone stole the identity of a US citizen, opened up a bank account.

Use that account to verify Dwolla, (Since they have fake ID's and access to the account) and in small amounts used the exchanges to buy Bitcoin.

Once the account owner realized (Weeks later!) that funds were being taken account of their account, they call the bank and claim fraud.

Ok, Yankee is using "account", which is singular.

(Most of the compromised accounts were trusts, or lawyer accounts which are rarely checked...ironically)

No wait, ... that's plural.

Oh ... so maybe is Yankee bringing in stuff from last July into this conversation?  Or is that referring to today's activity?

[Yankee (BitInstant)]

Just in last couple of hours we received several thousand dollars more from what seems like compromised accounts.  

Ok, Keyur is using "accounts", which is plural.

Someone stole the identity of a US citizen, opened up a bank account.

Use that account to verify Dwolla, (Since they have fake ID's and access to the account) and in small amounts used the exchanges to buy Bitcoin.

Once the account owner realized (Weeks later!) that funds were being taken account of their account, they call the bank and claim fraud.

Ok, Yankee is using "account", which is singular.

(Most of the compromised accounts were trusts, or lawyer accounts which are rarely checked...ironically)

Plural.

Oh ... so is Yankee bringing in stuff from last July into this conversation or is that referring to today's activity?

Stephen,

Unfortunately, we get 4-5 compromised accounts every month.

If it happend today, I would not be getting notification from Dwolla until Monday.

I changed my text to plural, not sure why you focused on my grammar rather then my text

It's a constant problem thats not going to end, unless we leave Dwolla, there is nothing we can do 

[Dutch Merganser]

Hi everyone,
          A couple of days ago we noticed some suspicious transfers to CampBX, and reported those to our bank as well as Dwolla.  After talking to bank fraud investigators today, seems like there is a well orchestrated, large-scale bank fraud underway.  This includes very convincing fake passports and utility bills used to open bank accounts and Dwolla accounts, and transferring money to Bitcoin companies.  Bank customers who have been hacked are spread all over geographically: MA, CA, TN, NYC, and WI.

         The old-fashioned practice of processing bank+Dwolla transactions manually mostly saved CampBX: We have lost $2.6K and prevented a loss of $9.8K so far.  I don't have email IDs for newer exchanges so sending out this open heads-up on the forum.  I believe BitInstant does manual processing, so their damage may be limited, but exchanges like Mt.Gox that do automatic processing of Dwolla may be at higher risk.  (Unless the fraudsters are selling their coins on Mt.Gox - in that case they will make a nice profit).

Keyur

So, in talking to the bank investigator, did you get the impression that theft was the operation? I ask because it looks rather like a money laundering set up, and that's been a big feature of bitcoin for some time now, IMO it may possibly be what bitcoin is best used for.

I mostly observe the speculative side, and it seems to me that there has been a lot of ping-pong volume lately with price movement staying in a fairly narrow range. I'm unconvinced that the volume is related to any success bitcoin may be having as an above-ground payment system.
 
Money laundering is costly and lucrative. Back in the 1990s just about every life insurance company in the world was involved in laundering South American drug money via something called single premium life. To the point, customers were willing to surrender 50% or more of their premium spent on an SPL policy to the insurance company for the cleansing benefit they provided. Entities like Cayman Islands banks and such couldn't handle the volume of money involved, hence the involvement of the insurers.

So, this could be pretty significant in impact. Bitcoin stands on a three-legged stool, contraband trade, speculation, and money laundering. Pull out one of those legs and flows could change significantly.

[Littleshop]

So as a heads up....

If you individually deal with someone, most probably a new member of this board, and sell them BTC for Dwolla you could get screwed as well.  While we already knew this, the message again is Dwolla is not cash and can be charged back.

It is unlikely (but possible) that a fraudster buying a physical item with Dwolla would do this because the physical address would be the address of the bank account holder, not the fraudster so the fraudster would get nothing.

[Keyur @ Camp BX]

If you individually deal with someone, most probably a new member of this board, and sell them BTC for Dwolla you could get screwed as well.  While we already knew this, the message again is Dwolla is not cash and can be charged back.

LS,
     Not just Dwolla - One exchange that accepts Chase QuickPay also seems to be affected.

Keyur

[Steve]

I wonder if this will be the last straw for Dwolla and they simply decide it's too risky to deal with bitcoin related accounts any longer (like paxum).

[zer0]

Even a cash deposit can be frauded without taking certain measures, like having people write 'Not for auctions' on the deposit receipt and scanning/sending, or using Trust Cash. If you just have a bare account taking anybody's deposits nothing to stop scammers on ebay with stolen accounts convincing people to go there and drop money thinking they are getting a cheap deal. Banks will unbelievably reverse the transaction later if the victim is loud and persistent enough. Happened to many a LR exchanger over the years

Canadian bitcoin company had ridiculous low EMT limits yet still ended up with their account seized from too many fraudulent transactions recently. Never underestimate the motivation of a scammer with access to the black hole exploit kit and a lot of time to set up accounts to do miniature frauds by the hundreds.

[Stephen Gornick]

ike having people write 'Not for auctions' on the deposit receipt and scanning/sending, or using Trust Cash.

How does that scam work?

[zer0]

ike having people write 'Not for auctions' on the deposit receipt and scanning/sending, or using Trust Cash.

How does that scam work?

Using phished ebay accounts. or stolen through black hole exploit kit or the other dozens of crime bots, (or just buy them by the hundreds for cheap on crime forums) make listings for crazy discount laptops or electronics and convince your mark to go to Bank of America or wherever the bitcoin exchanger has an account and make a deposit. Or make craigslist ads.

Then go make a buy order on the bitcoin site. They get cash, you run off with bitcoins.

People will go do it because the scammer is excellent at convincing them how much safer bank deposit is and how the laptop will be sold otherwise unless they go drop cash right now. When I worked @ ebay years ago every single day some variation of this scam fooled a buyer.  The bank reverses the charges because none of them respect digital currency exchanges and there will be a 60yr old guy screaming in the bank he was scammed with the cops beside him so they just refund and claw the funds back.

If the buyer has to write 'Not for auctions or craigslist' on the receipt they might think twice about what is going on. Either way the scammer will move on to somebody else's exchange not yours. Trustcash basically eliminates this too

This scam started after western union agents started preventing scams when buyers showed up to wire to Romania or somewhere. "Did you buy something on ebay? Yeah you're being scammed". Bank doesn't ask questions just takes the money.

[teflone]

I still dont get why writing somewhere not for auctions works ?

Can you elaborate for retards like me ?

[Stephen Gornick]

I still dont get why writing somewhere not for auctions works ?

I made the same mistake when I first read that.   Written a different way:
"Even a cash deposit to your bank account could be later reversed by the bank if it is determined the depositor was defrauded.  The bank can help prevent this from occurring by making the depositor write 'Not for auctions' on the deposit receipt."

This way if the person tells the cops they got scammed, too bad -- the receipt shows they were warned and should have known better.

[Stephen Gornick]

I know fraud is always happening but sheesh, just from today:

 - http://www.wivb.com/dpp/money/4_your_wallet/woman-loses-1000-on-walmart-moneycard
 - http://www.democratandchronicle.com/article/20120413/NEWS01/304130024/brockport-hacking
 - http://krebsonsecurity.com/2012/04/thieves-replacing-money-mules-with-prepaid-cards/

[zer0]

Cryptome.org was hosting black hole exploit kit for 4 days a couple weeks ago before anybody figured it out. Who knows how many thousands of people were backdoored

[adamstgBit]

Cryptome.org was hosting black hole exploit kit for 4 days a couple weeks ago before anybody figured it out. Who knows how many thousands of people were backdoored

Interesting
more details?

[teflone]

I still dont get why writing somewhere not for auctions works ?

I made the same mistake when I first read that.   Written a different way:
"Even a cash deposit to your bank account could be later reversed by the bank if it is determined the depositor was defrauded.  The bank can help prevent this from occurring by making the depositor write 'Not for auctions' on the deposit receipt."

This way if the person tells the cops they got scammed, too bad -- the receipt shows they were warned and should have known better.

ok??? 

[zer0]

Correction, a couple of months ago
http://nakedsecurity.sophos.com/2012/02/14/cryptome-org-hacked-into-serving-up-blackhole-exploit-kit/

They claim 2,863 visitors at risk, probably a lot more. Usually the kit is used for side channel targeted attacks not an open net catching everybody

Dwolla now offers an instant loan service for up to $500. Don't even need to rob people's bank accounts, just make a new account using their stolen information you bought for $10 on a crime forum and apply for credit. Spend $500 to get bitcoins and they won't know for a month anything is wrong.

[LoupGaroux]

That's an awful lot of Nigerian Princes and Romanian Hot Chicks answering the Dwolla security verification process with "Yes, this is Peggy..."

[Stephen Gornick]

Dwolla now offers an instant loan service for up to $500. Don't even need to rob people's bank accounts, just make a new account using their stolen information you bought for $10 on a crime forum and apply for credit. Spend $500 to get bitcoins and they won't know for a month anything is wrong.

Ohh ... I didn't even think of that, ya -- that's going to leave a mark.

It could actually go more than a month.   Dwolla doesn't do an ACH just because you didn't pay at the end of the month.  They just assess a fee.  It proably could go a couple months or more before they send collections to look into it.

[MysteryMiner]

I would be happy if someone will pay me back the cash bills I lost when I got drunk last night.

The identity verification is only invasion in anonymity on legitimate users, this will not stop fraud. Checked on MtGox and Paxum - they both accept photoshoped files. The bank transactions also should be made irreversible. This will protect exchanges and merchants. The losers who are unable to protect their data and computers will lose their money sooner or later anyway.

[zer0]

I would be happy if someone will pay me back the cash bills I lost when I got drunk last night.

The identity verification is only invasion in anonymity on legitimate users, this will not stop fraud. Checked on MtGox and Paxum - they both accept photoshoped files. The bank transactions also should be made irreversible. This will protect exchanges and merchants. The losers who are unable to protect their data and computers will lose their money sooner or later anyway.

I 100% agree

So far the trust system used here and at #bitcoin-otc has almost eliminated all fraud.
The new bitcoin market MPEX is also based on this system. IDs, 2 factor auth, IP tracing is all meaningless in 2012 seems GPG auth is almost invincible as the people that use it typically don't use Windows exploitable OS, don't click on obvious side channel attacks in their email box, know what they are doing and all around a good system so far.

[zer0]

Dwolla now offers an instant loan service for up to $500. Don't even need to rob people's bank accounts, just make a new account using their stolen information you bought for $10 on a crime forum and apply for credit. Spend $500 to get bitcoins and they won't know for a month anything is wrong.

Ohh ... I didn't even think of that, ya -- that's going to leave a mark.

It could actually go more than a month.   Dwolla doesn't do an ACH just because you didn't pay at the end of the month.  They just assess a fee.  It proably could go a couple months or more before they send collections to look into it.

Yeah I read they just debit your account the interest, then if nothing happens take forever to collect.
Their Dwolla "instant" system in Iowa which allows you instant funding to your dwolla account (no waiting 2-3 days) seems to enable fraudsters in whole new ways as well. Can't trust any online banking it can always be used for evil

[BitPay Business Solutions]

Dwolla just needs to get rid of the "pull" ACH funding option.  This is the most insecure money transmission ever invented by the banks.  It's awful.  All I need is a printed check from any person, and i can pull money from their account.  No PIN, no security, nothing.  It should be dropped entirely.  "push" type ACH, initiated by logging in to your online bill-pay, is much more secure.  

[Yankee (BitInstant)]

Dwolla just needs to get rid of the "pull" ACH funding option.  This is the most insecure money transmission ever invented by the banks.  It's awful.  All I need is a printed check from any person, and i can pull money from their account.  No PIN, no security, nothing.  It should be dropped entirely.  "push" type ACH, initiated by logging in to your online bill-pay, is much more secure.  

They need to get accepted into the online push/bill pay system. Alot of banks are VERY tight on who they allow to use it.

For years, Paypal was using pull. Finally, only a few years ago they were allowed to use the better system

[BitPay Business Solutions]

They need to get accepted into the online push/bill pay system. Alot of banks are VERY tight on who they allow to use it.

For years, Paypal was using pull. Finally, only a few years ago they were allowed to use the better system

This just seems so back-ass-wards.  They should allow more businesses into the push system because it allows the banks to vet them.  Accessing the pull should be the more restrictive option! 

[Yankee (BitInstant)]

They need to get accepted into the online push/bill pay system. Alot of banks are VERY tight on who they allow to use it.

For years, Paypal was using pull. Finally, only a few years ago they were allowed to use the better system

This just seems so back-ass-wards.  They should allow more businesses into the push system because it allows the banks to vet them.  Accessing the pull should be the more restrictive option! 

I know, the whole ACH protocal is so archaic. The ACH bylaws are moronic and the whole syste, was built without any cognitive oversight whatsoever.

It was more like 'Heres alot of money, build a system you think will work and we will use it. Have a nice day'

Oh jolly,

[bitcoinBull]

They need to get accepted into the online push/bill pay system. Alot of banks are VERY tight on who they allow to use it.

For years, Paypal was using pull. Finally, only a few years ago they were allowed to use the better system

This just seems so back-ass-wards.  They should allow more businesses into the push system because it allows the banks to vet them.  Accessing the pull should be the more restrictive option! 

I ran into this problem last year. Talked to managers at several different branches (Chase) who kept insisting it was impossible for me to push ACH and that what I actually wanted to do was pay the fee for a domestic wire transfer. Turned out that I had to set up a business account, and pay an additional monthly fee for the ability to initiate ACH transactions.

Dwolla just needs to get rid of the "pull" ACH funding option.  This is the most insecure money transmission ever invented by the banks.  It's awful.  All I need is a printed check from any person, and i can pull money from their account.  No PIN, no security, nothing.  It should be dropped entirely.  "push" type ACH, initiated by logging in to your online bill-pay, is much more secure. 

I don't think this is true. You need the bank login/pw to confirm the Dwolla verification deposits. Anyway, eCheck fraud isn't the problem. Bitcoin exchanges are facing this type of online bank fraud (deposit verification + ACH pull) because the bank account log-ins that can do ACH push (like payroll accounts) are defrauded more directly through reloadable debit cards or money mules (http://krebsonsecurity.com/2012/04/thieves-replacing-money-mules-with-prepaid-cards/).

[coinuser4000]

I would be happy if someone will pay me back the cash bills I lost when I got drunk last night.

The identity verification is only invasion in anonymity on legitimate users, this will not stop fraud. Checked on MtGox and Paxum - they both accept photoshoped files. The bank transactions also should be made irreversible. This will protect exchanges and merchants. The losers who are unable to protect their data and computers will lose their money sooner or later anyway.

I totally agree with this guy.

Government regulation almost NEVER prevents criminals from perpetrating crimes. Criminals will always find a way around the rules. All it does is infringe on the rights and privacy of law-abiding citizens. It's the sad truth, new rules don't protect anyone.

[Keyur @ Camp BX]

Dwolla has stepped up their procedures to counter the latest attack.  Here is a summary of new steps:


--------------------------------------

Starting today, users sending money to your account will need to meet and/or maintain:

1) Connect a social network
2) Have a bank deposit 30 days old
3) Enable a DWOLLA hub page
4) Have a verified account
(i.e. Social Security and/or Photo Verified)

We are working hard to make sure this policy does not affect your most frequent, loyal, and responsible customers.

Thanks for being a part of Dwolla. We hope our new changes will protect customers and merchants alike. Please let us know if you have any questions.

All the best,
Dwolla

--------------------------------------



Discussion at this thread by Charlie: https://bitcointalk.org/index.php?topic=76866.0

[Stephen Gornick]

Starting today, users sending money to your account will need to meet and/or maintain:

1) Connect a social network
2) Have a bank deposit 30 days old
3) Enable a DWOLLA hub page
4) Have a verified account
(i.e. Social Security and/or Photo Verified)

The users SENDING MONEY need to enable a DWOLLA hub page?  What?

That must be a mistake on Dwolla's end in writing this message.

Either way, this change is going to leave a mark for those using Dwolla with Bitcoin exchanges.

[RaggedMonk]

Starting today, users sending money to your account will need to meet and/or maintain:

1) Connect a social network
2) Have a bank deposit 30 days old
3) Enable a DWOLLA hub page
4) Have a verified account
(i.e. Social Security and/or Photo Verified)

The users SENDING MONEY need to enable a DWOLLA hub page?  What?

That must be a mistake on Dwolla's end in writing this message.

Either way, this change is going to leave a mark for those using Dwolla with Bitcoin exchanges.

Nope,  I emailed Dwolla support, and all four are required to send funds to certain merchants, such as MtGox.

The fact that they are upselling their service as part of the verification process is disgusting, and (along with needing to be connected to my facebook) the reason I am cancelling my account.

[Aggro]

Starting today, users sending money to your account will need to meet and/or maintain:

1) Connect a social network
2) Have a bank deposit 30 days old
3) Enable a DWOLLA hub page
4) Have a verified account
(i.e. Social Security and/or Photo Verified)

The users SENDING MONEY need to enable a DWOLLA hub page?  What?

That must be a mistake on Dwolla's end in writing this message.

Either way, this change is going to leave a mark for those using Dwolla with Bitcoin exchanges.

Nope,  I emailed Dwolla support, and all four are required to send funds to certain merchants, such as MtGox.

The fact that they are upselling their service as part of the verification process is disgusting, and (along with needing to be connected to my facebook) the reason I am cancelling my account.

Wow ... if all four are required, this is the end of dwolla as a funding option for bitcoin.

[bb113]

Why didn't the people affected get a notified of this?

[Stephen Gornick]

Why didn't the people affected get a notified of this?

We'll likely each learn about this the next time we try to send a Dwolla payment to a bitcoin exchange.

[bb113]

So they are going to charge a quarter then ask for this info?

[bb113]

Who would use a real account for this?

[RaggedMonk]

Why didn't the people affected get a notified of this?

We'll likely each learn about this the next time we try to send a Dwolla payment to a bitcoin exchange.

Yep.  They will still let you fund your Dwolla account (pay a fee), and then you will realize you can't send your funds where you meant to without giving them more information than you would need to open a bank account, then you have to transfer back to your bank, realizing they are useless for you (pay another fee).  All while tying your money up for 5+ days.

They are going to piss off a lot of people with this. 

[Stephen Gornick]

So is this policy in place and active now?   If so would expect a bunch of people who've not already verified w/ Dwolla or have not linked their Facebook to their Dwolla account to be starting new threads complaining that they can't send funds to the exchanges.

But I've not seen that yet.

Was that notice instead a trial balloon?

[Update:  Nope, not a trial balloon.  Shows up like this:



 - http://bitcointalk.org/index.php?topic=76910 ]

[eldentyrell]

Essentially, this is what happend to us, MtGox, CampBX, Crypto and to TradeHill

I think the long-run solution might be using Dwolla only for withdrawals (from exchange to my bank account) and inter-exchange transactions (from my mtgox account to my campbx account).

If you need to get money into an exchange from anyplace other than an exchange, you're probably going to have to do a cash deposit.

The situation above is the only way I can see Dwolla being able to make a profit on $0.25/transaction, after factoring in the cost of fraud.  The fraudsters will keep getting more sophisticated.

[R-]

I stopped using Dwolla.

[Raize]

A friend of mine's wife just had her bank account hit with a "BillPay" request that then transferred the money into CampBX. Is this a variation on what you guys are mentioning here? I'd like to try and track the money to find out where it goes.

[Keyur @ Camp BX]

A friend of mine's wife just had her bank account hit with a "BillPay" request that then transferred the money into CampBX. Is this a variation on what you guys are mentioning here? I'd like to try and track the money to find out where it goes.

Raize,
    Yes - banks were fooled by the fake IDs too.  We didn't deposit the flood of BillPay deposits that followed, and have put in new restrictions for BillPay deposits.

Keyur