Exploring Amazon Cash — An Experiment with Fraud

Introduction:
Amazon Cash was introduced this week and it has acquired a lot of press coverage due to its ability to allow for a purchase in the Amazon environment without a credit or debit card. Because of the nature of the service in that it changes the form factor of cash from a physical nature to a digital one, I started to think about how I would take advantage of it if I was a fraudster. I possess an extensive background in payments, prepaid accounts and the prevention of fraud within these environments. In my recent role with Blackhawk Network, our teams created a fraud prevention solution that eradicated Victim Assisted Fraud (VAF) issues within the company’s money transfer product. The experiment I attempted and describe below took shape after reading about the Amazon Cash service and I put on my fraud hat to find a better way to scam potential victims.

It is my hope that this experiment will call attention to the exposure points I have found and that appropriate fixes can be put into place and all other parties can work collaboratively to stop the fraudulent use of this platform.

I will first provide some background so that my experiment and the findings make sense to those who may not be knowledgeable of these products and/or services.

For those wondering: Yes, my experiment worked. So, please read on :)

Background:
Victim Assisted Fraud (VAF) is a type of social engineering where the fraudster makes contact with people in order to convince them that they owe money or need to pay money.

The typical VAF scenarios that have gained attention are:
- IRS Tax Scam: The caller identifies themselves as an IRS agent and informs the victim that they owe money and are about to be jailed. The caller provides the victim with the option to go to a retail store and buy an iTunes gift card* for some $ amount and that by providing the gift code on the card that their debt will be forgiven.
http://www.nbcbayarea.com/investigations/70-Percent-of-IRS-Phone-Tax-Scams-Involve-iTunes-Gift-Cards-Treasury-Inspector-General-417399583.html
*Previous versions of this scam focused on money transfer products like MoneyPak, Reloadit, etc. but these avenues have now been secured and not the main focus of any serious volume fraudsters.

- Child / Grandchild in Jail / Need Bail Scam: The caller informs the victim that their child or grandchild is out of state, in jail and need money for bail. After sufficiently scaring the victim, they provide them the option to go to a retail store … (same as above)

- Health Related Scam: Same as above

Now, to be clear, these scams feel and sound ridiculous. And the majority of people who are contacted by these fraudsters do not fall for it. But, there is a demographic of our aging population that are typically the target of these scams and it does work well in these situations. The fraudster only needs a few to make a decent amount of money.

http://money.cnn.com/2016/10/06/news/india-irs-scam-arrests/

The United States Senate Special Committee on Aging takes this very seriously and had a hearing in November 2014 where they addressed these types of scams and the companies with services being utilized to perpetrate the fraud.

https://www.aging.senate.gov/hearings/private-industrys-role-in-stemming-the-tide-of-phone-scams

Fraudsters — The End Game:
The fraudster is seeking the victim to buy some type of card or product that can result in them ultimately acquiring the funds loaded. These scams have involved getting the codes off of money transfer packs, getting the victims to load funds to actual 16 digit card numbers (yes, this happens) and acquiring gift card numbers.

Their goal is to sell the codes on a black market, spend the funds, withdraw the funds and/or transfer the funds. Whatever works that allows them to profit. They may only get a portion of the money loaded but it is how the scam and this fraud game works. Their costs to run the scam are low and all money acquired is real profit.

Humorous videos of pranks being played against the fraudsters on these calls. But it gives you an idea how they convince certain people. https://www.youtube.com/results?search_query=irs+tax+scam+call

A Common Theme:
In all of the scams that I have referenced, the victims proceed to a retail store, acquire some type of prepaid product and then provide the information on the product to the fraudster on the phone. It should be noted that many times the victim is on the phone and being instructed by the caller as to how to buy the product(s) when they are completing the transaction. These calls can last an hour or more and the fraudsters are quite convincing once they have a victim hooked.

The Experiment:
What if I could take advantage of the Amazon Cash service to expedite the scams? Is it possible to create a fake Amazon account, provide the victim with a barcode to take into the retail store and just have them directly load funds into the fraudster’s account?

This is what I started to think about as I read about this new service.

After considering how I have seen these fraud situations play out in my past, I figured just how to do it. Or, at least I had thought of a way to take advantage of Amazon Cash and then load funds to a new Amazon account. My experiment took shape quickly to determine if I could acquire funds into this account that was not mine.

Step 1
Create new Amazon account
Easy. I actually created a new Google mail account to be thorough. I named both accounts under James Fradly thinking that ‘Fraudly’ would be too obvious. The set up of the Google account and the Amazon account were easy and no personal information was validated. My example fraudster account was set up and ready to go.

Step 2
Acquire Amazon Cash Barcode
Easy. Just after logging in to this new account, I proceeded to Amazon.com/cash and acquire a unique barcode for use in the store.

Step 3
Be Creative
This part of the experiment requires you to think like the fraudster and create ways to expedite the funds load process. The goal would be to provide the victim with the barcode so that they can simply present it inside a participating retailer and load the money.

The Amazon Cash site indicates that a user can get a web link to the barcode, get it within the Amazon app or print it for use inside the retailer. In order for this to work, I needed to get the barcode assigned to this account into somebody else’s possession.

The only real item needed to load funds in the retail store is the barcode and a reference to Amazon Cash. The victims aren’t thinking straight when this is all happening, so they’re unlikely to investigate any type of document or image that is provided to them. They’ve been talked into the scam and will do what they are told. Plus, the retailers are highly unlikely to review anything on a phone screen during the checkout process.

In my case, I simply captured a screen shot from my phone with the Amazon Cash web site with the barcode displayed and texted it to another unrelated phone. The image was received and when viewed on the phone, it looked just like the actual live screen. The screenshot above is the one I took (without the blur, of course).

Step 4
Load Funds
Unfortunately, very easy. I took the unrelated phone into a nearby participating retailer. I’ll refrain from naming the retailer as they were actually quite helpful and the process was smooth. But, the screenshot on the phone was scanned quite easily and I loaded $40.

Interestingly enough, during the process, a screen is displayed on the Point of Sale screen calling attention to the scams I have noted. Before I could read it, the cashier simply pressed continue and accepted the 2 $20 bills I provided.

That’s it. Funds loaded. When I logged into the James Fradly account upon my return to my car, the funds were displayed in my account.

Also, I received an email confirmation as well.

Step 5
Spend Money
It’s Amazon! Of course it is easy to spend.

Now, to be absolutely transparent, I made the order and shipped it to myself. But, I did continue to use the James Fradly name on the order and shipment.

Given the scope of items available for purchase on Amazon, it is the best place to have funds available with these types of scams. It is far better than an iTunes card where the options are quite limited and not typically physical in nature.

Great! You bought something on Amazon using Amazon Cash. So what?
For most people reading this, that’s a reasonable question. But, if you run this service and follow the steps I outlined above, then there are many items that need addressing to avoid being the preferred target of fraudsters using these scams.

The ability to deliver a unique barcode to the victim or group of victims that let a victim simply walk into a participating retailer and load funds is scary! A creative fraud ring may even create unique IRS tax liens or service invoices that simply display the Amazon cash logo and the associated account barcode. What’s to lose by sending out spam emails? Nothing. Giving these fraudsters the ability to put the barcode into the victim’s hands changes the game.

The Amazon Cash service is the perfect tool for a fraud ring that wants to maximize their performance while acquiring funds in whatever manner they can. Having the victim simply walk into the store and approaching the cashier instead of having to find a product on a rack is a crucial step in making the scams more effective and timely.

Some Suggestions
Ok. I’ve laid out quite a bit that pokes holes in this new service as it relates to being utilize to commit fraud. In the interests of being helpful with this post, here are some suggested solutions to hopefully prevent the use of the Amazon Cash service for fraud. I have personally implemented each of these solutions in one platform or another and have witnessed the effect on fraudulent activity. These solutions, when combined to combat fraudulent activity, make it painful for a fraudster to utilize your service. This pain makes them look for new avenues.

Here are a few:
- Device Fingerprinting: Being able to define a device based on unique attributes and then put in place rules that allow for a limited amount of accounts will deter high volume fraudulent activity.

- Email Validation/Scoring: Subscribe to a service like Emailage that calculates a score of an email address provided based on a lot of criteria. The most important is whether or not an email address has been utilized in another environment in a fraudulent manner. This can be crucial in cutting down new fraud accounts.

- Internal Blacklists — Email & Mailing Addresses: Like the device limitations I noted above, having the ability to blacklist email addresses and physical mailing addresses based on previous activity will drastically cut down on fraudulent usage of the service. As with devices, these fraud rings have only so many options when it comes to shipments, etc.

- Account Creation: Amazon should take into consideration some type of validation of an identity. I highly doubt they’ll want to, but given that these accounts can be reloaded time and time again and can be spent amongst multiple entities within the Amazon ecosystem, these accounts do technically fall under the definition of a prepaid account that requires Know Your Customer steps under Regulation E.

https://www.law360.com/banking/articles/853915/what-to-know-about-cfpb-s-new-prepaid-card-rule

Without some type of validation, it is conceivable that bots can create a lot of accounts and prepare them for distribution through a fraud ring for one time use amongst many victims. It could be like killing individual ants to Amazon’s fraud department to chase down a bunch of ‘one & done’ accounts.

- Retailer Training: With regards to the retail locations accepting funds on to an Amazon account, there should be some training suggested. For example, most funds loads to a prepaid account or load are not larger than $200.

In the event a customer attempts to load more than this, the retail associate may inquire if the barcode being supplied on their screen links to their personal Amazon.com account. If the customer responds that it is not their account, then they can suggest that the customer may be falling victim to a scam and have them review the materials now posted inside all of these participating retailers.

Update 4/6 — some additional ones that I forgot to note
- Barcode expiration/rotation: Do not assign a fixed barcode to the accounts so that a mass fraudulent campaign can occur. Potentially have the barcodes issued renew every 2 hours. Companies in market today, like Paynearme, have this capability and it deters inappropriate behavior. In my experiment, the barcode was captured in the screen shot approximately 8 hours before I had it scanned in the retail environment.

- Zip Code / Cash In Zip Code Radius: When setting up your Amazon account, a default billing address is needed in order to make an order — even with the Amazon Cash option. When the load attempt comes in to Amazon, they should determine if the retail location is more than 150 miles, as an example, away from the billing address. If it is, then the load request should be declined. This would eliminate a barcode from being mass distributed in order to commit fraud.

In Summary
In thinking through this experiment as I typed it up today, I have to say that I was surprised that it worked so well. Or, at least, that all of the steps I took didn’t meet some untimely verification step where I had to expose my identity in order to proceed.

The goal was to see if it worked. And, if it did, write it up for people to read and hopefully learn from in order to prevent a large scale usage of the service in a fraudulent way.

That’s all from me. I hope that anyone who made it to the this point in the post enjoyed the resulting experiment and the information provided. Thanks for reading!

Wow, that was a heck of a first Medium post :) Cheers!