Example
By SBOEHME on November 3, 2012 (2 comments)
Today we want to use PayPal as an example to show how Internet Payment Services (IPS) work to defend against money laundering and what actual attacks look like.
To operate, PayPal has a comprehensive KYC (Know Your Customer) sign-up system, which would make anyone intending to use the service purely for money laundering think twice. Money-laundering operators try to avoid extensive KYC checks.
In addition to this, PayPal does the following:
- All payments in the PayPal system (especially overseas payments) go through an AML (Anti-Money Laundering) check. PayPal can very easily detect multiple payments (velocity checks), payments made using different financial instruments, payments to multiple people / the same people by multiple people (1-to-1, Many-to-1, 1-to-Many), etc.
- The AML setup can easily detect patterns that are common within the money laundering space.
- PayPal is also required to do SAR checks (Suspicious Activity Reports) and report to FinCEN.
- PayPal also does OFAC (Office of Foreign Assets Control) checks, again with the Department of the Treasury.
- It also does CTR (Currency Transaction Report) checks and reports the same.
All of the above help PayPal reduce money laundering. Money laundered through very slow (low-velocity) payments is very difficult to stop, but then again, on a KYC-based system like PayPal, low-velocity payments perform very poorly for the launderer: not enough money can go through without raising suspicion.
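The pattern checks listed above (velocity, multiple financial instruments, 1-to-Many, Many-to-1) can be sketched as a sliding-window pass over a payment ledger. This is an added example, not PayPal's logic; the thresholds, account names and ledger rows are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed thresholds for illustration; real values are institution-specific.
WINDOW = timedelta(hours=24)   # look-back window per account
MAX_TX = 5                     # payments sent per window (velocity)
MAX_PARTIES = 3                # distinct counterparties per window
MAX_INSTRUMENTS = 2            # distinct funding instruments per window

def sample_ledger():
    """Constructed sample: rows of (time, sender, receiver, instrument, amount)."""
    t0, rows = datetime(2012, 11, 1, 9, 0), []
    for k in range(6):   # acct_A: six payments in an hour, three cards
        rows.append((t0 + timedelta(minutes=10 * k), "acct_A", "acct_X", f"card_{k % 3}", 40.0))
    for k in range(4):   # acct_B: one sender, four receivers (1-to-many)
        rows.append((t0 + timedelta(hours=k), "acct_B", f"acct_R{k}", "bank_1", 200.0))
    for k in range(4):   # acct_Z: four senders, one receiver (many-to-1)
        rows.append((t0 + timedelta(hours=2 * k), f"acct_S{k}", "acct_Z", "bank_1", 150.0))
    for k in range(6):   # acct_C: one payment a week, below every threshold
        rows.append((t0 + timedelta(weeks=k), "acct_C", "acct_Y", "bank_2", 40.0))
    return rows

def aml_flags(ledger, window=WINDOW):
    """Return {account: set of pattern names} from a per-account sliding window."""
    sent, received, flags = defaultdict(list), defaultdict(list), defaultdict(set)
    for ts, sender, receiver, instrument, _amount in sorted(ledger):
        sent[sender].append((ts, receiver, instrument))
        received[receiver].append((ts, sender))
        out = [e for e in sent[sender] if ts - e[0] <= window]
        inc = [e for e in received[receiver] if ts - e[0] <= window]
        if len(out) > MAX_TX:
            flags[sender].add("velocity")
        if len({e[1] for e in out}) > MAX_PARTIES:
            flags[sender].add("1-to-many")
        if len({e[2] for e in out}) > MAX_INSTRUMENTS:
            flags[sender].add("multi-instrument")
        if len({e[1] for e in inc}) > MAX_PARTIES:
            flags[receiver].add("many-to-1")
    return dict(flags)

if __name__ == "__main__":
    for account, patterns in sorted(aml_flags(sample_ledger()).items()):
        print(account, sorted(patterns))
```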
Most professional money laundering outfits first recon the institution they use. They provide genuine transactions (bona fide credentials) on both ends (Remitter/Beneficiary), start with low-velocity transactions, and slowly increase the transaction rate until they get flagged. They do this multiple times to gain a thorough understanding of the financial institution / network they are rummaging through, especially to find out what the threshold levels are.
Cases
Here are two real-life case examples of money laundering on PayPal [2]:
Case study 1: Identity theft and money laundering
A PayPal account was opened in a branch of a foreign bank. The account was debited with many transfers into the accounts of a number of beneficiaries (according to order).
The modus operandi of the shady business consisted of changing the middle digits (i.e. from the 12th to the 17th) of the account, the checksums (check digits), and the names of beneficiaries and their addresses, while the last 9 digits and the bank code (digits from 3rd to 11th) remained the same. There were a few (max. 10) transfers, and the value did not exceed 3000 PLN (the equivalent of ca. 1000 USD).
After a couple of days, the accumulated funds were wired into the accounts of a few organizers or were withdrawn in cash.
As was established, the funds originated from American PayPal accounts belonging to different individuals. Having stolen their identities (identity theft), the criminals opened PayPal accounts on their behalf; then a motion to open a credit line was made on behalf of the victims. Material was sent to the public prosecutor's office.
As a result, the bank implemented a system of automatic verification of the beneficiaries' accounts for incoming transfers, and this preventive measure forced the offenders to change their modus operandi. The criminals started to open lots of Internet-access accounts in different banks (a record holder opened 1 main and 261 auxiliary accounts). The accounts were credited with wire transfers coming from the PayPal account. The accumulated funds were transferred into the accounts of a few organizers, from which they were withdrawn in cash.
Follow-up material was sent to the public prosecutor's office. 48 accounts belonging to one of the criminals were blocked. Police found out that the shady business was organized and controlled by a person who was a sort of specialist in banking and/or IT systems. The participants lived in the same district of the town and were well known to the local police. As for the technical details, the identity theft crime was committed using a botnet.
Source: Poland
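The account-number pattern in case study 1 (bank code and last 9 digits fixed, middle digits and check digits changing) lends itself to a simple clustering check on a bank's transfer records. The following is an added example, not the bank's actual verification system; the 26-digit length, the `min_variants` threshold, the field names and all sample transfers are constructed assumptions.

```python
from collections import defaultdict

def split_account(account):
    """Split a 26-digit account number using the positions given in the case:
    digits 1-2 check digits, 3-11 bank code, 12-17 middle, 18-26 last nine."""
    digits = "".join(ch for ch in account if ch.isdigit())
    if len(digits) != 26:   # 26 digits is an assumption that fits those positions
        raise ValueError(f"expected 26 digits, got {len(digits)}")
    return digits[:2], digits[2:11], digits[11:17], digits[17:]

def sample_transfers():
    """Constructed transfers; account numbers are made up, check digits not valid."""
    rows = [{"source": "SRC-1", "account": f"{10 + k} 123456789 {k:06d} 987654321",
             "name": f"Beneficiary {k}", "amount_pln": 2500 + 100 * k}
            for k in range(1, 5)]
    # Two payments to one unchanged account: same middle digits, so no cluster.
    rows += [{"source": "SRC-2", "account": "55 222233334 444444 111122223",
              "name": "Shop Ltd", "amount_pln": 1200} for _ in range(2)]
    return rows

def find_variant_clusters(transfers, min_variants=3):
    """Report (source, bank code, last nine digits) groups whose middle digits vary."""
    groups = defaultdict(list)
    for t in transfers:
        _check, bank, middle, tail = split_account(t["account"])
        groups[(t["source"], bank, tail)].append((middle, t))
    clusters = []
    for (source, bank, tail), members in groups.items():
        middles = sorted({middle for middle, _ in members})
        if len(middles) >= min_variants:   # threshold is an assumed tuning value
            clusters.append({
                "source": source, "bank": bank, "tail": tail, "variants": middles,
                "names": sorted({t["name"] for _, t in members}),
                "total_pln": sum(t["amount_pln"] for _, t in members),
            })
    return clusters

if __name__ == "__main__":
    for cluster in find_variant_clusters(sample_transfers()):
        print(cluster)
```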
Case study 2: Use of digital goods and defrauding their seller in a way that allows criminals to obtain directly legitimate funds
The victims: a set of Credit Cards holders, an e-payment company, and a VoIP Company
The scheme: Fraudsters own several companies that offer Premium Phone Numbers. They set up a large number of relays around the world, mostly in poorly regulated countries, and they start calling these relays from zombie PCs, using VoIP accounts funded with fraudulent Credit Cards used through the e-payment system.
Comments: The calls generate actual revenue for the Premium Number providers. These companies can legitimately assert that they have no way to check whether calls to their destinations are fraudulent. Moreover, if these calls come from all over the world, it is very difficult to find a commonality.
The e-payment system sees transactions with VoIP providers, but has no way to check whether these are fraudulent, beyond its usual anti-fraud checks. And the VoIP Company sees only the relays, but not the final destinations. If the relaying infrastructure is built prudently enough, there is almost no risk of the fraudsters being uncovered.
And as a result, from an ML/TF perspective, we have the proceeds of a crime, the theft of Credit Card details, which are transferred to the legitimate economy of a given country without having to go through the Financial System and be exposed to its anti-money-laundering controls.