PayPal My Cash Fraud / Scam / Embezzlement RESOLVED: How I Caught My Fraudster When InComm Refused To Do It


I don’t know who you are.

But what I do have are a very particular set of skills: skills I have acquired over a very long career. Skills that make me a nightmare for people like you.

If you make my funds whole now, that’ll be the end of it. I will not look for you, I will not pursue you, I will not publicly shame you. But if you don’t, I will look for you, I will find you, and I will sue the fuck out of you.

I was defrauded out of $1,500 in July as told in my story here, via PayPal My Cash reloadable prepaid cards, operated by InComm. InComm Holdings Inc has a subsidiary ITC Financial Licenses (ITCFL) which, as far as I know, is in a different location, quite small, and tightly coupled with InComm. They handle fraud research and disputes. The COO is Skeet Rolling who is also on the BBB Board of Directors for Atlanta. The team lead of his fraud investigation team is Jon Williams. This is the story of how they refused to investigate my fraud and how I investigated it myself and ultimately found that someone was embezzling money and identifying who it was.

The quick boring intro part of the story – I went to load my cards. Scratched off the silvering covering the PIN, went to load the money – aaand it’s gone. My CSR had me scratch off all PINs as if it was the only way to check (incorrect information, resulting in me inadvertently destroying proof of my story). I naively thought this would be an easy problem to resolve due to experiences with credit card false charge handling, and the fact these can only be loaded to PayPal accounts – so it is known exactly where the money went to, and then went next. The CSR had me fill out a form for their fraud investigation team.

I was not contacted and had to call in to get an update. This team advised I open a police report. I thought this was ‘to show I’m serious’ and that I’d open one – as a means to test if I had perhaps just given the card to a friend and claimed the money was stolen, under the theory I’d then be hesitant to open the case. This was not their motive at all. I opened a case, although the computers were down the day I did it and my detective was headed out the door soon for retirement. InComm would only provide information to him.

Nothing ever came from this and it wasn’t handled that well either – then again nothing probably would have ever come from this. InComm had me open this (criminal investigation) in the hopes that it would lead to catching the criminals who they thought I gave my PIN to, at which point I could (try) and get restitution by recovering funds directly from them. They ignored my story and determined I was tricked into giving my PIN numbers away. However the reality of the case is that I had an unauthorized electronic transfer from my account, which InComm has a civil liability to protect me from. The type of fraud they thought I was a part of is called Victim Assisted Fraud (VAF) wherein the victim provides access to the money voluntarily. This does happen occasionally to unsophisticated buyers who fall for this scam on sites like Craigslist.

My detective retired, and local police forces are ill equipped to deal with cyber crime anyway. At this point, no real progress was being made. I was also starting to realize this company was just going to fuck me and got angrier about it. I put my post out there to try and find more victims, search for patterns, and find if anyone gained resolution to this issue in the past. I also put up a myriad of options to try and get InComm to do the right thing.

I did not know who the decision maker who could make me whole would ultimately be (Skeet) and began to contact people directly via e-mail, as the method described in my article was very accurate at targeting employees. My initial e-mails were on my background and the unlikelihood that I would participate in victim assisted fraud, as well as suggested spots to look for exploits, ranging from low tech to high tech and from outside to inside the company. It was to two members of the executive suite and I did not receive a response. It was stated matter of factly, without threats or anger, and asking the company to simply do the right thing. My next letter repeated the same and expanded to the entire C-suite and executive list. No response. My next letter described all the places I would complain to and included everyone I could find on their fraud team as well. My hope was to shame and embarrass them into action with an ever increasing employee list as my points and logic were perfectly valid to an impartial observer. Still no response. So I fired away.

Private Sector
Network Branded Prepaid Card Association – Contact submit 12/15/15
Better Business Bureau – InComm case# 27451505
Better Business Bureau – Walgreens case# 10997570
Better Business Bureau – Paypal case# 457470
Better Business Bureau – ITC Financial Licenses case# 10997602
Contacted ABC Chicago consumer reporter Stephanie Zimmermann ‘The Fixer’ 12/15

State Government
Illinois Attorney General – Consumer Fraud Bureau – InComm #OAG2015-000018608
Illinois Department of Financial & Professional Regulation – Complaint submit 12/15/15
Georgia Department of Law – Consumer Protection Unit – Complaint submit 12/15/15

Federal Government
Federal Reserve Consumer Help Agency – Complaint submit 12/15/15
Consumer Financial Protection Bureau – InComm #151215-001539

I noted on the federal complaints that I believe InComm to be in violation of the Electronic Fund Transfer Act – Regulation E – specifically Subpart A, V. Consumer Liability and Error Resolution (12 CFR 1005.6, 1005.11).

It was finally after this that I received a call from Skeet Rolling, COO of ITCFL. Skeet provided two pieces of information of value.

  1. Skeet noted that 1 of my 3 $500 cards was not associated with a VAF and would give me the money on that. This isn’t a position that makes much sense since the next day someone could come in with a story and associate it with VAF. What’s implied here also, that $500 was indeed involuntarily taken, but $1000 I gave away? The reality is this was just a $500 to shut up and go away already. Skeet is on the board of directors for the Atlanta chapter of the BBB – past success has been had by complaining to them to get one card ($500 max and is common) back, although being blamed for participating in VAF is included in the response.
  2. He explained their position on why I am determined to be a victim of VAF. This determination is made simply because 1 or 2 of these accounts have other victims of VAF associated with them. Note this also implies that I’m lying about my situation, and that I’ve filed a false police report not mentioning the scammers who duped me. Note also if my story is true he is also victim blaming me despite no error of my own.

However this situation is easily explainable, in what took me 5 minutes to think about and 15 to later relay to Skeet and Jon, although it fell on deaf ears. My money was stolen. The thief in any case of these cards may be good at stealing them, but they now have dirty money. Are they good at laundering the money so that it’s actually usable and they don’t get caught? This is going to require stolen social security numbers to open new accounts, or password compromised accounts. A lot if the volume is large. That would be hard to come by. Maybe the thief knows how to do this. Maybe the thief simply sells a $500 card to someone else for $400. Maybe they buy bitcoin – a fairly likely scenario. What could they do?

Don’t load these yourself, go to someone with some expertise and PayPal accounts under control. This easily explains the observance.

This does not definitely mean I am not the victim of VAF – however it means InComm’s claim that I definitely am is destroyed. Erring on the side of consumer protection (which I would hope a court would at this point) am I made whole? No change in opinion from them at all.

However we’re in luck – I’ve met some other victims. We’re from all sorts of different states – not much of a pattern there. However we have some attempted loads by ourselves that failed around the same time; June-July. This doesn’t mean the money was loaded out of our accounts then (InComm won’t say) but it is when we noticed it. We also all had cards that sat around a while (a month or more.) Thankfully, a fellow victim Jun had 5 cards of which the money was taken – 4 of which still had the silvering intact covering the PINs. His superior CSR or knowledge of the cards resulted in him keeping this undeniable evidence – fantastic. Jun is my new BFF. He was just starting down the path of filling out their forms to get the runaround, but he lives in Atlanta. InComm is headquartered there, ITCFL is about 2 hours away. I introduced him to Skeet and Skeet advised Jun mail the cards in.

Jun decided to keep the cards and take the drive in to chat with these guys directly. As I understand it, Skeet was not there, but Jun met with the fraud team. Some of the cards were associated with VAF – a seemingly impossible situation given how they have described how they see the world. Clearly Jun did not give the PINs out though. To any rational impartial observer, the money laundering scenario was not only highly plausible, but now validated. The fraud team does not deny the possibility of an inside job to Jun.

Jun is sent a check for his entire amount, without explanation. Jun is a fellow IT professional and computer scientist (although all this really requires is common sense) – we both feel the inside job theory is now VERY WELL supported. This is a much less sophisticated technical hack than other plausible technical scenarios, and if there’s anything that surprises me now in my IT career more, it’s when a system is actually designed well. I’ve dipped my toe into pre-existing cesspools far too often. Given this, if Jun assists me in civil small claims court, do I have a preponderance of evidence on my side to win the case? I believe I do.

Does InComm believe all the above is sufficient enough to provide me my funds? Of course they do not. Through some kind of impressive cognitive dissonance and illogical rationalization, I am told this scenario has nothing whatsoever to do with my case. Note their reasoning as to how I am part of VAF has already been eroded, and now we have undeniable evidence of a situation existing they asserted could not. The only real difference is Jun had his PINs unscratched, I did not. Only poor reasoning can conclude that I should not be made whole. This is incredibly frustrating to my computery nerdbrain.

Thankfully I have something else up my sleeve.

I was able to come upon two vastly important pieces of information.

1. The passwords are kept in plaintext in the database, and well accessible to many users. I can’t stress how poor a design this is enough; it’s not a computer science degree you need to understand this, it is common sense. The PINs rarely, if ever, need to be stored in a human readable format, or accessed in that form for anything. Skeet previously told me how they are x y and z compliant, things are encrypted, etc. He talks the talk, I live in the world that walks the walk, I see people do dumb shit all the time. Although how this ever got into production, or never got fixed, is an amazing mystery to me. Most of the cards (99% I’m sure) are redeemed within 24 hours – but others aren’t. Kept in plaintext for anyone to see, with whether they have money, and when they were loaded? That data is sitting there 30 seconds of keyboard strokes away from a report telling you tens/hundreds of thousands of dollars worth of PINs full of money that you think people will not miss and may have forgotten about. This is a point of shocking incompetence and negligence.

2. I got the accounts that my money went to.

The first account is a pretty random e-mail address and I assume something fake made with a stolen social security number. The second e-mail account looks normal but I couldn’t find anything about it on the internet, and I assume was a password compromised PayPal account at the moment. That third e-mail address though, britt***********@****.com, oopsies…

This e-mail address points to an old babysitting profile at sittercity.

Can we find her elsewhere?

Brittany is on facebook. The pics and background match up with the sitter profile and her linkedin; this is the correct person. Local to Atlanta – InComm’s headquarters, is good – inside job theory operating perfectly. However she doesn’t have any work history there. Maybe she knows someone? She certainly knows an above average amount of Zachs. How about this one?

Looks like we’ve found Zach ****** on facebook, InComm employee, vacationing in the Caymans. For banking secrecy or just vacation? Either way I think I know who paid for this trip. Does Zach have access to a database full of plaintext PINs to pluck off and steal money from when it looks like they’ve been sitting around? Let’s check out linkedin:

Aw, snap! Dude used to RUN databases over at InComm.

To be clear, I have no evidence of Brittany being complicit in the fraud. For all I know and she knows, Zach providing her some PayPal money was legit. Now if InComm has her on 10 other loads, not so much. Zach done me dirty though. I’m not sure if they were on good or bad terms, but he also left in July when several of us found ourselves to be victims. Zach’s current company makes software for buying and selling tv adspace. I haven’t notified anyone over there of my findings yet but I did make sure he’s not dealing with something like a financial company or working with medical information.

What else have we learned?

  1. As of 1/21/2016 InComm has a database that openly invites embezzlement with such a trivial effort they may as well leave piles of customer money in the break room.
  2. InComm’s fraud department is entirely incapable of determining actual Victim Assisted Fraud cases. They falsely thought I was a victim of it before Jun’s case. It was a possibility, maybe even a high probability, but it was nowhere near conclusive. This should err on the side of consumer protection. After Jun’s case clearly pointing to a much higher probability of an inside job, I should definitely have been made whole. I was not. Unless a victim explicitly states they were a victim of VAF, InComm is simply guessing, and they are doing this because it’s the one scenario that limits their liability. Their current model for doing this is overly simplistic and produces false positives. If Jun had scratched off his PINs, he would likely have been screwed. If I had not found my thief, I’d surely be screwed and on my way to small claims court. Liz in my prior article got her money, one card but only after BBB complaints – still blamed for giving her PIN away in the case. James is still out his money. Don’t worry I’m here for you bro. It would seem to me InComm is legally obligated to go through their records and look for other victims. If you are a victim of the same scenario as me, I no longer believe InComm can claim you are a victim of VAF that is remotely defensible in court.
  3. I introduced no new evidence to accomplish this task. I was able to do this entirely with a subset of the information available to InComm; none of it provided by InComm, mind you. Until I revealed all my cards, their claim was the data said I was a victim of VAF, and that I should work with my local police so they could do things like subpoena phone records of me talking to scammers who tricked me into providing my PIN – scammers again that never existed. At best, they have been blinded by their bias to properly perform their job. At worst, they are simply incapable of doing it. The data was always available, it just required someone to look at it properly.
  4. I am not clear on whether Regulation E applies to InComm, PayPal, or this particular product. It is weird enough that perhaps it escapes it, although I think one could argue original intent of the law is to cover it, as it addresses virtually all other prepaid, reloadable, and gift cards – among other things. It should definitely cover these, one of the reasons why certainly being my experience.
  5. There’s zero real consumer protection going on for these cards right now – and internally they are wide open for theft. IMHO sellers should pull these off the shelves until they are fixed. Any buyers of these cards should plan to use them as quickly as possible, and any holders, immediately.
  6. The proper thing for InComm to do is revisit, and likely reward, every other person who has ever opened a case with the same story as mine who they have identified as a VAF case with their poor logic and false positives. Unless explicitly told so I believe they have no leg to stand on. Some other victims have already talked with a lawyer about a class action lawsuit as well, and happened upon one that was interested in taking the case (apparently this firm had another action against InComm) – Difie Osborne, dosborne -=A@t=- FBFGlaw d0t com
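
The plaintext PIN storage described above has a standard alternative, sketched here as an added example (not InComm's code and not from this post's author): store only a keyed HMAC of each PIN, with the key held outside the database. The `CardStore` class, the 10-digit PIN length and the key handling are assumptions made for illustration; the second function shows why an unkeyed hash of a short numeric PIN would not be enough.

```python
import hashlib
import hmac
import secrets

# Assumption: in production this key sits in an HSM/KMS or app-server secret
# store, so someone with read access to the database alone never sees it.
PIN_KEY = secrets.token_bytes(32)

def pin_digest(pin: str, key: bytes = PIN_KEY) -> str:
    """Keyed digest of a PIN. Deterministic, so it can be an indexed lookup column."""
    digits = "".join(ch for ch in pin if ch.isdigit())  # ignore spaces and dashes
    return hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()

class CardStore:
    """Hypothetical stand-in for the cards table: rows hold a digest, never the PIN."""

    def __init__(self, key: bytes = PIN_KEY):
        self._key = key
        self.rows = {}  # digest -> {"balance_cents": int, "redeemed": bool}

    def issue(self, balance_cents: int, pin_len: int = 10) -> str:
        pin = "".join(secrets.choice("0123456789") for _ in range(pin_len))
        self.rows[pin_digest(pin, self._key)] = {
            "balance_cents": balance_cents, "redeemed": False}
        return pin  # handed to the card printer once; not persisted anywhere

    def redeem(self, pin: str) -> int:
        """Return the redeemed amount in cents, or 0 for an unknown or used PIN."""
        row = self.rows.get(pin_digest(pin, self._key))
        if row is None or row["redeemed"]:
            return 0
        row["redeemed"] = True
        return row["balance_cents"]

def recover_from_unkeyed_hash(target_hex: str, pin_len: int):
    """Why a plain (unkeyed) hash fails: the numeric PIN space can be enumerated."""
    for n in range(10 ** pin_len):
        candidate = str(n).zfill(pin_len)
        if hashlib.sha256(candidate.encode()).hexdigest() == target_hex:
            return candidate
    return None

if __name__ == "__main__":
    store = CardStore()
    pin = store.issue(50_000)
    print("rows as a database reader sees them:", store.rows)
    print("redeem with printed PIN:", store.redeem(pin))
    print("second redeem attempt:", store.redeem(pin))
    # Constructed 5-digit sample so the enumeration finishes instantly.
    weak = hashlib.sha256(b"04821").hexdigest()
    print("unkeyed hash recovered:", recover_from_unkeyed_hash(weak, 5))
    print("keyed digest recovered:", recover_from_unkeyed_hash(pin_digest("04821"), 5))
```

With this layout a report run against the table lists balances and load dates but no usable PINs, and access to the key can be restricted and logged separately from access to the data.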

I am writing this 1/22, 3 business days after the above information about Zach was provided to Skeet and Jon. I have had no contact. I’m a bit baffled how I didn’t hear from them within half an hour of sending it over. I’m confident they’ll provide my remaining $1000 because I don’t think anyone would be crazy enough to deny me now, however I would not mind crucifying them in court and being able to go after some money for the consulting I put in doing their job for them.

#YourMove


UPDATE: Made aware of this, InComm did NOTHING about it.

3 thoughts on “PayPal My Cash Fraud / Scam / Embezzlement RESOLVED: How I Caught My Fraudster When InComm Refused To Do It”

  1. alex

    How did you figure out or come by the information that the InComm keeps PIN numbers in plaintext? I’m in a nasty fight with InComm over stolen funds and would appreciate your insight and knowledge about how poorly InComm secured / protected card numbers and PIN numbers, etc.

    1. mike Post author

      hey alex, sorry for the delayed reply. note i have my full story up now over at http://www.skeet-rolling-incomm.com – logically i figured the PINs had to be in some kind of position where they could be compromised. my first guess was unsalted MD5 that someone could use a rainbow table against. an employee saw one of the places i complained about incomm (my yelp complaint, surprisingly) and reached out to me. he told me the 3 paypal account emails my money was sent to. he also told me he could simply go into the database and see the full PIN, in plaintext. he also himself didn’t seem to have anything to do with those cards whatsoever. so basically, a ton of people have privileges to see the data, and the data was not protected at all.
