The Russians are coming.
The Russians are coming.
Actually, they’re already here and have been for a while.
News came Friday that Special Counsel Robert Mueller unsealed indictments against 13 Russian nationals and three Russian businesses, over alleged interference in the 2016 U.S. presidential election.
Beyond reverberations across the political and foreign relations spheres, these indictments doubtless will have a ripple effect across the payments realm.
That’s because the indictments allege malfeasance that spans online transactions, banking and the ever-present specter of identity theft.
Oh, and cryptocurrencies too.
In a nutshell, the baker’s dozen of alleged malefactors bought fake IDs and used information, courtesy of the Dark Web, to open accounts that made their illicit business possible.
According to the indictment, “in order to maintain … accounts at PayPal and elsewhere, including online cryptocurrency exchanges, defendants and their co-conspirators purchased and obtained false identification documents.”
Further, defendants and those “co-conspirators” opened accounts at PayPal and “a federally insured U.S. financial institution” to make transactions.
As stated in the indictment, these accounts were allegedly used to engage in a variety of omnichannel activities: buying advertisements on Facebook as well as hosting physical events, including political rallies.
The scope of the Russian effort as outlined in Mueller’s indictment is startling.
The efforts that are described in the document and were intended to influence the election have their roots in the years before actual voting, starting in 2014. The initiative, dubbed information warfare, sought to hurt Hillary Clinton’s chances of gaining the presidency and to boost the chances of Donald Trump and Bernie Sanders. Marquee names were duped in the process, ranging from Facebook to Instagram.
The operatives were said to have bought advertisements that ran on U.S. social media. Some Russians who used the stolen identities traveled to the U.S. to work at political rallies and to pay Americans to participate in those rallies too. Using the accounts they’d opened for online payments, said the indictment, the indicted and the “Internet Research Agency” spent thousands monthly to buy the ads.
Along with the indictment that focused on the Russians, there was a second indictment, which said a defendant, Richard Pinedo, operated “Auction Essistance” — an online outfit with services that bypassed digital payment companies’ security measures. Pinedo sold bank account numbers that had been registered to him (the accounts numbered in the hundreds, according to the indictment) or that he bought online and had been cobbled together using stolen IDs. He is accused of selling those bank account numbers for tens of thousands of dollars. Pinedo is said to be cooperating with authorities.
According to paragraph 91 of the indictment, the bad guys bought credit card and bank account numbers from online sellers for “the unlawful purpose of evading security measures at PayPal, which used account numbers to verify a user’s identity. Many of the bank account numbers purchased … were created using the stolen identities of real U.S. persons. After purchasing the accounts, defendants and their co-conspirators submitted these bank account numbers to PayPal.”
PayPal, along with peer-to-peer (P2P) mobile app Venmo, said users should expect delayed payments as scrutiny ratchets up on transactions, as noted by CNBC. So, friction is in the works.
Beyond the revelation that the indicted (and perhaps others) may have used stolen data to transact — long a concern as the digital age continues to gain traction — lies the concern over how the data was obtained in the first place and how it was possible that these identities were authenticated by the bank(s). Keep in mind the indictment states the bank account numbers were bought using stolen identities of real people. In other words, real (stolen) data (bank accounts) found its way into the bad guys’ hands via real (stolen) data.
Account takeover at its not so finest.
The banks from which the account numbers had been taken, and the bank where fraudulent accounts were opened, were not named.
The data breached and the data appropriated seem familiar enough. Birth dates, Social Security numbers, bank accounts — all wend their way through dark channels on the web. All can be used to construct identities.
Much has been made in this space about the dangers of synthetic identities: 15.4 million is the number of consumers who were the victims of identity theft in 2016 — at least that we know of. Such fraud in that year may have cost banks as much as $6 billion in card charge-offs.
Staggering numbers, to be sure, and still likely underreported. In a recent interview with GIACT EVP of Product David Barnhardt, the point was made that firms (including banks) should adopt more robust methods — and technology behind those methods — to ascertain who owns a Social Security number and whether it matches up with other data, such as date of birth and email. In short, triangulating a customer’s identity through several data sources becomes paramount.
The financial impact of such fraud may be significant and quantifiable. But the identity theft done here, duping banks that, in turn, made it possible for accounts to be used with third-party financial services players such as PayPal, has an impact beyond the bottom line of a financial statement.
As details emerge in how a concerted effort by a few bad actors overseas may have had some impact on the electoral process, the implication is that hearts and minds (of voters) can be influenced in at least some way by clever and hard-to-track methods that once were focused on ill-gotten gains.
The stakes in the anti-fraud game just got a bit higher, it seems.