Fintech Products Increasingly Being Used as Dollar Exfiltration Conduit

According to Statista, global digital payments transaction value is expected to exceed $12 trillion by the end of 2025. What this data does not tell us, however, is how much of those transactions will be initiated by cyber fraudsters.

Criminals go where the money is, and in this day and age, the smart ones don't need to physically rob a bank. As the payment landscape evolves, so do the tactics and techniques of cyber fraudsters. According to recent cyber fraud intelligence gathered by Digiss, MoneyLion, which recently went public, is one of many Fintech companies whose products are being used to victimize real bank account, credit card, and debit card holders. In five easy steps, virtual money is moved from a legitimate account to an illegitimate one, then converted to cryptocurrency before being turned into cash.

Here are those steps:

Step 1 - Fraudster purchases Fullz from the darkweb or other illegal online stores. Fullz, which is short for full information or full package, is the term used by cyber fraudsters to refer to a complete set of information (i.e. Full Name, Social Security Number, Date of Birth, Bank/Card Account Numbers, and other data) on a fraud victim.

Step 2 - Fraudster opens a MoneyLion account. This isn't straightforward if you don't have a real phone number that can be used to receive a verification code. Based on the account of an accomplished cyber fraudster (obtained from a Telegram group), MoneyLion has raised the bar by ensuring that no virtual number generated by VOIP apps such as Google Voice or TextNow can be used to receive the verification code. But guess what, that too can be bypassed.

Using an online service (URL withheld) that makes it possible to bypass voice, SMS and text verifications, a criminal pays 75c per verification code, and it works a treat!

Step 3 - Once the account is successfully created, the criminal goes into his/her account settings and changes the assigned temporary phone number to a Google Voice or TextNow number, which is then used to conduct subsequent transactions.

Step 4 - The RoarMoney account (MoneyLion's product) is funded from a compromised online account or using stolen credit card data. Note that it is trivial to obtain this data from the darkweb or from various cyber criminals' online stores.

Step 5 - Lastly, using the MoneyLion Crypto product, money moved into RoarMoney is converted to Bitcoin or Ethereum, which can then be withdrawn or used to trade.

/End of kill chain.

So, what can individuals do to protect themselves against this type of fraud? Well, not much can be done beyond doing your best to keep your personal information personal. Even then, we will not always get it right, because our Fullz is already out there with several providers, and so it is out of our control.

With that said, there are Identity Theft Protection services, such as LifeLock, which can alert subscribers whenever they are being impersonated.

This may not be foolproof, but it certainly raises the bar.


Now, what can MoneyLion do to make it more difficult for these cyber fraudsters to continue to misuse its platform to steal people's money?

Based on the kill chain described above, there are three additional controls that this Fintech company can put in place to reduce misuse. In cyber security, Indicators of Compromise (IoC) are used by security analysts and engineers to proactively increase the odds of promptly detecting malicious activities as they unfold, while Indicators of Attack (IoA) are used to reactively establish that an attack is occurring or has occurred.

With regards to how MoneyLion can further raise the barrier against cyber fraud, its Fraud Monitoring and Prevention team needs to keep an eye on the following Indicators of Misuse (IoM) and implement the possible countermeasures recommended below:

  1. IoM 1: account holder updates phone number within 24 hours of account creation. Possible countermeasures: verify the new phone number using the same method used during the account creation process, suspend the use of the account to complete financial transactions, or freeze the account altogether. Changing a phone number within hours of completing registration is a clear indication of misuse, which should put the account on a watchlist.
  2. IoM 2: account holder attempts to move more than x% of funds in RoarMoney to MoneyLion Crypto within 24 hours of account creation. Possible countermeasure: send an authorization code to the phone number used to register the account originally. If this number has changed, do not authorize the transaction!
  3. IoM 3: account holder updates phone number within 24 hours of account creation, then attempts to move more than x% of funds in RoarMoney to MoneyLion Crypto (this is IoM 1 + IoM 2). Countermeasure: block the account immediately and report the fraud to the financial institution whose customer was about to be victimized.
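The three IoMs above can be expressed as a small stateful rule set evaluated against each account event. The following is an added example written for this article, not code from MoneyLion or from Digiss; the 24-hour window comes from the article, while the 50% value standing in for "x%", the account and event fields, and the sample phone numbers and amounts are all assumptions constructed for the demonstration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Detection window from the article: both IoMs key off the first 24 hours after sign-up.
WINDOW = timedelta(hours=24)
# The article leaves the transfer threshold as "x%"; 50% is an assumed value for this example.
CRYPTO_SHARE_THRESHOLD = 0.50


@dataclass
class Account:
    account_id: str
    created_at: datetime
    registered_phone: str              # number verified at sign-up (Step 2 in the kill chain)
    current_phone: str                 # number currently on the profile
    balance: float                     # RoarMoney balance before the transfer under review
    phone_changed_at: Optional[datetime] = None
    watchlisted: bool = False
    blocked: bool = False


@dataclass
class Event:
    kind: str                          # "phone_update" or "crypto_transfer"
    at: datetime
    new_phone: str = ""                # used by phone_update
    amount: float = 0.0                # used by crypto_transfer


def phone_changed_in_window(account: Account) -> bool:
    """IoM 1 condition: the number on file was changed within WINDOW of account creation."""
    return (account.phone_changed_at is not None
            and account.phone_changed_at - account.created_at <= WINDOW)


def evaluate(account: Account, event: Event) -> List[Tuple[str, str]]:
    """Apply one event to the account state and return (IoM, countermeasure) pairs it triggers."""
    findings: List[Tuple[str, str]] = []
    if account.blocked:
        return [("BLOCKED", "account already blocked; reject event")]

    if event.kind == "phone_update":
        account.phone_changed_at = event.at
        account.current_phone = event.new_phone
        if event.at - account.created_at <= WINDOW:
            account.watchlisted = True
            findings.append(("IoM1", "re-verify new number with the sign-up method; "
                                     "suspend financial transactions until verified"))

    elif event.kind == "crypto_transfer":
        large = account.balance > 0 and event.amount / account.balance > CRYPTO_SHARE_THRESHOLD
        in_window = event.at - account.created_at <= WINDOW
        if large and in_window:
            if phone_changed_in_window(account):
                # IoM 1 + IoM 2 observed on the same account: IoM 3.
                account.blocked = True
                findings.append(("IoM3", "block account and report to the funding institution"))
            elif account.current_phone != account.registered_phone:
                findings.append(("IoM2", "deny: number on file differs from the registered number"))
            else:
                findings.append(("IoM2", "send authorization code to the registered number "
                                         "before releasing funds"))
    return findings


def run_scenarios() -> dict:
    """Constructed scenarios (not real data) exercising each rule; returns the findings per scenario."""
    t0 = datetime(2024, 1, 1, 9, 0)

    # Scenario A: the kill chain. Phone swapped 3h after sign-up, 90% of balance moved to crypto at 5h.
    fraud = Account("acct-a", t0, "+15550100", "+15550100", balance=1000.0)
    kill_chain = [f for ev in (Event("phone_update", t0 + timedelta(hours=3), new_phone="+15550199"),
                               Event("crypto_transfer", t0 + timedelta(hours=5), amount=900.0))
                  for f in evaluate(fraud, ev)]

    # Scenario B: same number as registered, but 60% of funds moved to crypto 5h after sign-up.
    early = Account("acct-b", t0, "+15550200", "+15550200", balance=1000.0)
    large_early = evaluate(early, Event("crypto_transfer", t0 + timedelta(hours=5), amount=600.0))

    # Scenario C: number changed after 10 days and a 10% transfer on day 11: outside every rule.
    normal = Account("acct-c", t0, "+15550300", "+15550300", balance=1000.0)
    normal_use = [f for ev in (Event("phone_update", t0 + timedelta(days=10), new_phone="+15550301"),
                               Event("crypto_transfer", t0 + timedelta(days=11), amount=100.0))
                  for f in evaluate(normal, ev)]

    # Scenario D: state loaded with a number on file that differs from the registered one.
    changed = Account("acct-d", t0, "+15550400", "+15550499", balance=1000.0)
    changed_number = evaluate(changed, Event("crypto_transfer", t0 + timedelta(hours=2), amount=700.0))

    return {"kill_chain": kill_chain, "large_early_transfer": large_early,
            "normal_use": normal_use, "changed_number_on_file": changed_number}


if __name__ == "__main__":
    for name, findings in run_scenarios().items():
        print(name, findings)
```

The rules are deliberately ordered so that the combined condition (IoM 3) is checked before the single-indicator branches; otherwise an account that already matched IoM 1 would only receive the weaker IoM 2 step-up instead of the block-and-report countermeasure the article calls for.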

These are just three simple triggers and countermeasures that come to mind; there could be a lot more. When financial applications and their associated business processes are developed, business analysts and developers typically pay less attention to unexpected or misuse cases than they pay to expected use cases. Paying adequate attention to negative testing will significantly minimize opportunities for misuse.

As the adoption of digital financial products and payment methods continues to rise, Fintechs have a duty to protect unsuspecting account holders from being impersonated by cyber fraudsters. A healthy and trusted ecosystem can only drive adoption northward.

Chief Adewale Adeniji, ACIS, ACTI, FCIArb (UK)

Barrister. Arbitrator. Tax Advisor. Chartered Secretary. Corporate Governance Expert. Mentor.

2 years

Well thought out countermeasures. Thank you.
Obiora Awogu

C|CISO, CISSP, CDPO, CDPSE, ECSA, CEH, CRISC, CISM, CISA, 2xAWS | Cybersecurity Strategy | Cloud Security | DevSecOps Architect | Security Operations | Leading Secure Digital Transformation Initiatives

2 years

Thanks for sharing
