I've written about exploits in
banking and
brokerage fraud with further articles to follow. Bad banking practices don’t feature well in my write-ups. Institutions change only when they’re forced to.
Recently my fraud expertise touched upon the personal. A good friend fell victim to gaping holes in one of New York’s largest financial institutions,
J.P. Morgan Chase & Co.
Lily is smart, pretty, and unattached. Two out of three is pretty good, but she means to win the trifecta. She doesn’t advertise, but merely hopes to attract the right kind of guy. She appears on social media:
Facebook,
Pinterist, and a singles’ site that’s been around some thirteen years,
MeetMe.com, where she met an interesting fellow.
Telling the good from the bad isn’t always easy. By the time our malefactor (male factor or dirtbag are also suitable) stepped into the light, he already knew critical pieces of information about Lily: her real name (thanks to odious Facebook requirements), where she’s lived, family relationships, and importantly– her birthday.
For a few weeks, ‘Antonio Sanchez’ from ‘New Jersey’ wooed our lass on MeetMe. He didn’t do anything crass like ask her bank account number or credit card information; thanks to Chase’s security ‘features’, he didn’t need to.
As Thanksgiving approached, Lily traveled across the country, stopping to visit relatives in Greenfield, Indiana, home of another Lilly, the famed pharmaceuticals company. Our heroine happened to check her bank account and found it unexpectedly fourteen hundred fifty dollars richer.
Lily, not only smart but honest, sought clarification at the Greenfield branch of Chase. Greenfield couldn’t fathom the problem.
 |
| check 1 of 6 #808869 |
“You put money into your account in the early hours of the morning. Looks like you needed it. What’s the problem?”
“I didn’t deposit anything.”
“But you did.” Greenfield regarded her suspiciously. “You’re saying you didn’t?”
“Exactly. I didn’t do any such thing.”
“Well, lucky you. Someone likes you well enough to put coins in your account.”
*
click* Instantly Lily knew who’d made the deposit.
A couple of hours later, the situation reached me. By then, other deposits had appeared. Curiously, monies were rapidly shifting among Lily’s three accounts. My fraud alert alarms clanged.
“If you make a withdrawal,” I advised, “calculate only what you own to the penny and not a cent more.”
“What’s the problem?” friends asked. “A handsome guy sending Lily money? Does he have any brothers?”
I spoke adamantly. “There is no money, no boyfriend in New Jersey, no gold at the end of the rainbow.” When I explained the con, Lily agreed to join me for a visit to the Indiana State Police.
The man manning the reception desk told us all detectives were out of the office and wouldn’t return until the next day. Lily asked if she could file a report.
The grizzled trooper brought forms out to us in the lobby. He stood by as Lily tried to explain the situation.
He interrupted her. “A guy giving you money is no crime. No crime, you can’t file a report.”
I said, “There is no money. It’s a con…”
The trooper threw up his palm in a ‘Talk to the hand’ gesture. Cops are trained to seize and maintain control, even when counterproductive. He went on to lecture Lily, not so much accusing her of wasting police time, but of being silly.
“May I explain?” I said as levelly as I could. “There is no money, only fake deposits. He will use that false balance to pay himself.”
The cop paused, considering. “Wouldn’t work,” he said. “If I deposit a check, I have to wait a few days to withdraw funds.”
“That’s why he’s moving money around her accounts. Some banks, perhaps including Chase, lose track of new deposits as they’re moved around. The technique is called seasoning, losing the new deposit tag and making the money look like it’s aged on account.”
“I’m a road warrior,” said the trooper. “I’m not up on these things. Yeah, I’ll have a detective phone you.”
Virtually next door to State Police Headquarters, we’d noticed a Chase branch. Lily made the wisest decision of the day, visiting the bank for an update.
The young woman listened attentively. She quickly grasped the situation. “Oh my God,” she said. “I received a notice exactly like yours of a deposit early in the morning. I need to check my own account before I go home today.”
Together, the three of us discovered additional deposits and further shifting around of money. By then, funds had been used to buy the first Western Union money order made out to an unknown and very foreign name.
“Let me guess,” I said. “The money’s sent to Nigeria?”
“If Lily didn’t give this jerk her personal information,” the young lady said, “how did he get into her account?”
I explained one hypothesis. I’m a vocal critic of the so-called security questions routinely forced upon on-line customers. “What city were you born in?” “What was the name of your first pet?” “What’s your favorite team?” “What’s your favorite color?”
With the slightest information, bad guys find it ludicrously easy to guess the answers. The favorite color question often includes a helpful drop-down menu of eight colors. No one chooses black or white, so a malefactor can guess the answer in six tries or less.
The young branch manager rang the fraud department. She posed the same question to them, who replied “There are so many ways to breach an account…”
 |
| check 2 of 6 #808870 |
The bank gave us copies of the checks. One peculiarity came to light. Chase said it appeared the Nigerian repeatedly deposited the same two checks over and over, fooling Chase and highlighting another flaw in their security, a defective filter for detecting duplicate deposits.
Chase froze Lily’s accounts, leaving her stranded without travel money in the midst of a cross-country trip. But wait, we’re not done.
Lily awoke the next morning, finding her accounts unlocked and a half dozen or so deposits burgeoning her balances.
Lily phoned Chase to let them know further monkey business was afoot in her reactivated accounts. They quickly closed the window and her accounts, again cutting off her funds.
Big banks and little people, comes now the pathetic part. Instead of expressing gratitude for Lily’s quick action of notifying them of fraud, Chase blames Lily for the leaking of money from the bank. Their stance is that Lily either worked with the malfeasant Nigerian to defraud Chase, or at the very least handed over her account information to the bad guy. As you now know, that doesn’t have to happen. All it takes is sloppy banking.
Besides seizing Lily’s bank balance, Chase now demands another $600 in compensation for their losses. Good move, Chase: encourage honest citizens to rush in to report fraud made possible by your own shortcomings.
It’s a great day for banking. Have you had similar experiences?
