
Hackers Rob. Security Reads the Manual.
Your entire digital identity costs $1.50 on the open web. For the price of a coffee, I can open a bank account in Elon Musk's name without him knowing. While White Hats write compliance reports, carders operate with zero rules. We see the stolen data, yet we do nothing. Why is the industry afraid to use Active Defense? I am exposing the massive economic asymmetry of fraud and why we are losing the war.

The Great ACH Vulnerability: How Fintech Bridges Kill 2FA
There are thousands of accounts on the black market tagged "Yodlee / AN+RN". What does this mean? It means your Two-Factor Authentication was bypassed using legitimate methods. I broke down the mechanics of how fintech aggregators leak your full Account & Routing Numbers and allow attackers to link your bank to their wallet without you knowing. Full Kill Chain analysis is inside.
Following up on my previous article about fraud using micro-deposits and banking bridges, I want to discuss how this applies to specific industries.
While high-risk sectors—such as cryptocurrency, banking, and investment firms—undoubtedly possess robust anti-fraud mechanisms, other industries are not nearly as well-protected. They either lack automated anti-fraud systems entirely or operate them on the lightest possible settings.
Let me give you a simple example from reality.

The Target: A Real Estate Unicorn
Take Apartments.com, a "unicorn" in the rental market. The company provides software for realtors, as well as a web interface for landlords and tenants.
At first glance, how is it possible to commit fraud here? But let’s look at it from a different angle—the angle of a fraudster/carder.
What if we open one account using bought data for a property owner (Landlord) and a second account using bought data for a tenant? Suddenly, everything plays out in a new light.
The Setup
The scheme is elementary:
The Drop: A "Fullz" (full identity package) is purchased. Using this data, a bank account is opened to receive funds—for example, the well-known Chime.
Insight: Have you ever wondered why neobanks change their Routing Numbers (issuers) so often? It is very simple. Because of the ease of opening these accounts and the availability of virtual cards, they are the favorite banks for fraudsters/carders to cash out stolen funds. For this reason, large fintechs begin to flag their routing numbers as "dangerous" and forbid their use in client applications with a "suspected fraud" tag.
The Funding Source: Next, a bank account (log) is purchased—specifically one that can be verified through a financial bridge in income-tracking apps (e.g., BMO).
The Execution
A "Tenant" account is created using the name on the compromised bank log.
The compromised bank account is linked to the Apartments.com profile using the micro-deposit method (refer to my previous article for the technical details).
The fake "Landlord" account fictitiously "leases" a home to the fake "Tenant" and sends an invoice for payment.
The Tenant pays.
The Result
It’s in the bag. No fraud alerts, no high-risk operations. The attacker receives the money directly to their Chime account and cashes it out using a virtual card.
This is one of the most elementary fraud schemes. It is worth noting that payments on Apartments.com are processed by the fintech unicorn Stripe. You would think security would be at the highest level, but no—your money is still in danger.
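From the platform's side, the scheme above leaves several signals that are weak alone but rare together. The following is an added example, not code from this article or from any platform named in it: a rule that holds a rent payout for review when those signals coincide. All field names, thresholds and routing values are assumptions, and the sample events are constructed.

```python
from dataclasses import dataclass
from datetime import date

FLAGGED_ROUTING = {"RTN-PLACEHOLDER-1"}  # constructed placeholder, not a real routing number
NEW_ACCOUNT_DAYS = 14                    # assumed threshold
REVIEW_THRESHOLD = 3                     # assumed: hold the payout at 3+ signals

@dataclass
class Party:
    created: date
    bank_routing: str
    bank_link_method: str  # "micro_deposit" or "instant" (hypothetical values)

@dataclass
class RentPayment:
    tenant: Party
    landlord: Party
    paid_on: date
    prior_payments_between_pair: int
    landlord_distinct_tenants: int

def risk_signals(p: RentPayment) -> list[str]:
    """Return the names of the signals that fire for one rent payment."""
    def age_days(party: Party) -> int:
        return (p.paid_on - party.created).days
    signals = []
    if max(age_days(p.tenant), age_days(p.landlord)) <= NEW_ACCOUNT_DAYS:
        signals.append("both_accounts_new")
    if p.tenant.bank_link_method == "micro_deposit":
        signals.append("payer_linked_by_micro_deposit")
    if p.landlord.bank_routing in FLAGGED_ROUTING:
        signals.append("payout_to_flagged_routing_number")
    if p.prior_payments_between_pair == 0 and p.landlord_distinct_tenants <= 1:
        signals.append("first_payment_sole_tenant")
    return signals

def decide(p: RentPayment) -> str:
    """Hold the payout for manual review when enough signals coincide."""
    return "hold_for_review" if len(risk_signals(p)) >= REVIEW_THRESHOLD else "release"

# Constructed sample events (not real data).
SUSPECT = RentPayment(
    tenant=Party(date(2024, 5, 1), "RTN-PLACEHOLDER-2", "micro_deposit"),
    landlord=Party(date(2024, 5, 2), "RTN-PLACEHOLDER-1", "instant"),
    paid_on=date(2024, 5, 6), prior_payments_between_pair=0, landlord_distinct_tenants=1)
ESTABLISHED = RentPayment(
    tenant=Party(date(2024, 4, 28), "RTN-PLACEHOLDER-3", "micro_deposit"),
    landlord=Party(date(2021, 1, 10), "RTN-PLACEHOLDER-4", "instant"),
    paid_on=date(2024, 5, 6), prior_payments_between_pair=0, landlord_distinct_tenants=6)
```

A new tenant paying an established landlord trips only one signal and is released, while the payment between two fresh accounts is held.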
What’s Next?
In one of the following articles, we will focus specifically on Stripe and its feature, Link. Believe me, you will be unpleasantly surprised.
For any questions, feel free to reach out at scottcarrigg@aol.com (yes, really, it’s AOL. No Protons or anonymous burner emails here). I’d be happy to chat.
Thank you for your time. Stay safe.