UPDATE: reddit is concerned I am doxxing these people/criminals so I have updated this information to be more criminal friendly. I sent this blog post to many places, including the FBI, and all information is available uncensored upon request.

I have a couple posts on being the victim of a $1500 loss via PayPal My Cash cards, which are actually operated by InComm. InComm itself appears to hold another company called ITC Financial Licenses. As far as I can tell the latter does all investigation into card issues. I found another $3500 in victims from my first post on this tiny unknown blog as well.

My prior posts are stream of consciousness and written to tell my story and search for fellow victims, as well as my pursuit for justice and excitement over ultimately identifying the thief.

In an effort so support my claims as clearly and simply as possible, I offer them in bold below with underlying support.

 
PayPal My Cash cards have a fundamental security 101 design flaw making them easy to embezzle as a simple crime of opportunity.

I have an anonymous contact who helped me explore the job of security weak spots that could explain my situation, which the InComm fraud team never made any attempt to do. I speculated that a possible problem was the sensitive PIN numbers – the only thing required to load money – may be easy to get by clever employees. As it turns out however, even stupid employees can get to them. They are stored in a database in plaintext – meaning they are there to just read off. They are not encrypted or encoded. They are not even shielded from mass user access – anyone who can poke around in the database can see them. In the past, and possibly still now, even users without database access could see them via portals; there is no reason for any of this. I used to think storing passwords in plaintext was the worst amateur hour mistake you could make; but in this case each record is worth $500, plus InComm will even blame the victim for you.

How do I know this is true? It fits a realistic situation very well, and my contact told me my PIN numbers after I gave him my card numbers. How do you know it is true? Below is a video of one of Jun’s cards. My contact did not provide me the full PIN, only the last 4 numbers. Jun sent me the card to make this video. You can see the postmarked date. No one has ever communicated these PIN numbers out from InComm officially – not to Jun personally, and not on any kind of Better Business Bureau or other complaint. The silvering is untampered with. InComm says the following is impossible, yet…

It’s difficult to me to communicate how poor of a design that this approach is. Keep in mind this is a billion dollar company that has run millions of dollars through this product and made extremely large amounts of money off of it, and this has been the situation for years. It is truly shocking.

 
InComm knows it has had past issues of embezzlement.

Jun’s story is exactly like mine, although I uncovered all PINs on my cards per InComm customer service’s (incorrect) claim that cards could only be looked up by PIN and not the 16 digit card number. Jun was also only a couple hours away from ITCFL, which is located in Columbus, GA. InComm and Jun are both based out of Atlanta. Jun, like me, is a computer science guy – and had indisputable proof that he did not give his PIN numbers away, as the company asserts I did. I arranged an introduction for Jun and the ITCFL fraud team. Skeet Rolling is the COO of ITCFL and someone I have spoken on the phone and e-mailed with frequently. I have also chat with Jon Williams, a senior fraud analyst on his team. What happened at this meeting with the Skeet Rolling InComm fraud investigation team?

If Jun had scratched the PINs off, he would be in the same boat as me. InComm incorrectly associated his cards with Victim Assisted Fraud (VAF) where a victim is duped into providing their sensitive PIN to a scammer, a type of social engineering fraud that sometimes occurs with unsophisticated users and too-good-to-be true craigslist ads, at least in the PayPal My Cash related world.

What is important to note here is that in their determination of VAF – they are wrong.  The logic is flawed.  It created a false positive for Jun, and one they could not deny. Jun did receive a check for all of his money. Was this enough to help me recover funds? Or put any doubt into their conclusion that I was a victim of VAF?

In this clip of Skeet, we have a soft admission of an internal problem here. Of course he 100% assures me it has noooothing whatsoever to do with my case. My only conclusion from this is that they somehow decided the person who embezzled from Jun did not also embezzle from me. With little concern that I could have been the victim of someone else’s embezzlement.

 
InComm’s determination of VAF existence is completely flawed.

As is already obvious per Jun’s situation above, they have false positives in determining when someone is the victim of Victim Assisted Fraud, where a cardholder’s own poor choice led to their money being taken. What do intelligent people do when they encounter false positives in a model? They fix or stop using the model. In the case of victims losing money, this is the only ethical thing to do. Yet I have from day 1 always been victim blamed as doing this to myself, and being a participant in VAF. Why is this? Very simple: InComm can deny liability in this situation. For reference, here is what an actual account of VAF looks like.

Although Skeet has opined about rules and “fact patterns” to determine VAF, the reality is their model distills to simple rules I picked up which have obvious logical flaws. Essentially it is “any card with money loaded to a PayPal account associated with VAF is a card whose PIN was obtained via VAF.” How about the original association of an account to VAF? I don’t even trust them to flag it this way, but this approach only even starts to make sense when that original cardholder articulates exactly that happened to them.

Let’s look at actually liquidating a stolen PIN however. There are 4 ways I can think of to do it, as not a professional money launderer:

1. load it to your own account – like an idiot
2. load it to a compromised account – placement step of money laundering
3. load it to a fake account created with real/fake identify information – placement
4. sell it to someone ($500 for $450!) – to someone naive, or a better money launderer

If you are someone embezzling and stealing PINs from InComm, what would you do? You are probably not a master owner/creator of PayPal accounts nor an experienced money launderer – so option 4 looks pretty juicy. There is probably a secondary cash market for these, the one most easy to find however, which provides some additional anonymity, is buying and selling bitcoin with these cards.

So now we have a clear gaping hole in InComm’s VAF logic. Not everything in the pawn shop is stolen. Not everything loaded to PayPal account xyz via a My Cash card PIN was a PIN obtained through VAF. I figured this out in a 10 minute drive to get my coffee one morning after my first conversation with Skeet. However they still use this logic today.

 
I tracked down the thief whole stole the money.

My anonymous guy provided me the 3 PayPal accounts my money was loaded to. I feared I’d be able to do nothing with this, as would even be the case with probably most legit PayPal account e-mail addresses. Indeed this was the case for the first two addresses. However the third…

I already had this information, but it did show up in a response from ITCFL to the Federal Consumer Financial Protection Bureau later as well, which seemed to be one of the more serious complaints that they took.

Some things to note here.

1. I have included the text where they said they refunded me $500 for a card not confirmed as VAF. This was not done quickly however. This was done after 6 months, after I filed 11 complaints to private, state, and federal entities, and mailed their entire fraud department and C-class suite.
2. The line ending in gton they have “conclusively identified” as VAF. per my inside man’s info, this is **********ton**@*****.com

Getting to work with that, let’s see who loaded my account.

This e-mail address is associated with this old babysitting profile on sittercity. In Georgia, looks promising.

Any modern accounts with more information? Yes – she can be found on both linkedin and facebook.

Brittany does not appear to have ever worked for InComm however. I followed a red herring of looking for people with a common last name, and found some at InComm who might have had database access, but I felt the connection was too loose. However I did find someone juicy in her list of many Zach friends; facebook seems to flop around between what additional information is provided in this list. I luckily saw it when it displayed InComm as this guy’s employer.

I present to you Zach ******. Here is his facebook and linkedin. This is someone with very clear access to data. In fact, even if well protected, this would be the job role of the person most likely to be able to circumvent the protection. (Which again, does not exist.)

All of this information was provided to the Skeet Rolling InComm fraud investigation team on January 19th, 2016, the same date as the phone call video clips from above. InComm did absolutely nothing; the above has been completely dismissed as if a total fantasy of mine. After all, they’ve already “conclusively identified” that I, a computer scientist, bank employee, ex-IBM employee, and long time user of their product – simply gave my PIN away to some imaginary scammer that has had zero evidence presented as even existing. Completely coincidentally of course, there appears to be a tie to a former database employee. Peculiar, huh?

 
Avenues that did not work.

I complained to a lot of places. I did not hear back from any state agency at this time. I hoped BBB complaints would put additional pressure on InComm. PayPal just punted the issue to InComm. Walgreens customer relations did contact me, ask for some clarification on some points, and I can’t fish out of my e-mail what happened next. Either it died or I’m missing a response where the punted it to InComm or just parroted a response from InComm and looked at it as a he said/she said issue.

InComm complains at how much I followed up on the police report. To be clear, if this were something like a credit card transaction, Regulation E would apply and the police would never be involved. InComm does not believe Reg E applies to them, it has not been tested in federal court, and the product is so unique that may or may not be right. In any case, the entire point of going down this avenue is to try and find the person who supposedly scammed me, and then hope I can recover some money from them. This of course is not the greatest path to pursue when the scammer only exists in InComm’s minds. Aside from that, it is not as if the local police are cybersecurity or fraud experts.

As far the actual police report, I filed it within 12 hours of InComm asking me to do so. The computers were down and my detective was retiring, officer Werner, of the Lake County IL Sheriff Dept. He said himself he would not be able to do much given my story. He did not reach out to InComm until a later point when I followed up with him. The following is from InComm in response to my CFPB complaint. Part is from a photo my brother took of the response received in the mail, as there appears to be a flaw in the website with displaying the whole letter.

This trails off to subpoenaing account information from PayPal. Skeet has also mentioned subpoenaing my phone records and those of the account record holders. This might make sense in the case of VAF, which does not actually exist in my case. I am still faulted for not doing anything more with officers, but what am I expected to do? Get a job at the police department and file the subpoena myself? I could harass the current officer, but what is the point? I have already resolved what happened with public information. Further police action should be taken – it is InComm filing a complaint against their former employee Zach ****** in their jurisdiction of Atlanta. It has nothing to do with me. I stated this to Skeet on January 19th, 2016. All of the above information regarding the embezzlement was provided on this date; some by phone, all by e-mail. Yet this response, dated February 5th, also concludes:

What the hell WOULD sufficient evidence look like at this point? All throughout this effort I kept trying to give people the benefit of the doubt believing they were interested in genuine help but just rather incompetent, to my conclusion today that they are either wildly incompetent and/or deliberately and knowingly screwing victims without accepting any responsibility or correcting any problems.

 
Avenues that did work/work in some form.

I initially successfully recovered $500 from my InComm Better Business Bureau case. This is likely in part simply due to Skeet’s reputation and the fact that he sits on the board in Atlanta chapter.

Aside from that, the Consumer Financial Protection Bureau complaint (case number# 151215-001539) seemed to be taken the most seriously. It had the most detail provided (perhaps also simply due to my persistence) and I received a response online and in the mail to it.

Unfortunately I could not lead a horse to water so my remaining options were all legal. A fellow victim did some work and found a law firm interested in exploring the case as a class action suit. They agreed to take the case. Ultimately this led to the best path being a settlement. From my read, the only thing confidential is the settlement amount – with no stipulation of an NDA attached to my story and experience. Thus my lovely blog!

 
Recommendations
Consumers

• If you buy use these cards, you should use them as soon as possible. (This is already the usage pattern for most.)
• If you have one of these that has been sitting around for a couple weeks – it’s worth calling up customer service first to verify with the 16 digit number that the money is still there. If you don’t do this step, I would recommend at least taking a video of you scratching off the PIN and trying to load the card, just in case.
• If your card has been sitting around a couple months – or longer – the likelihood of your money being gone grows exponentially!

Vendors

• Walgreens, CVS, etc – this card is absolutely unsecure. You should not continue to sell it until InComm has closed these flaws and proven they have done so to you. Trust zero of what anyone says. Multiple areas of this company have now proven staggering incompetency.

Government

• Regulation E, or something similar, should extend to specifically cover these products.

InComm

• Your model for determining VAF is garbage. Stop using it. It’s an insult to the word model to even claim it to be one.
• Make a good faith effort to seek out and compensate my fellow victims you have screwed in the past. By your own logic I know that minimally there is at least one other victim who had funds loaded to Brittany’s account.
• It is unforgivable to put such a poor and flawed security design into production, let alone have it there for years, running millions of dollars and making tons of profits off of it. I’m not even a web or front end guy and I would never in a zillion years have made this mistake. Hire some competent code designers/architects/testers/etc.
• ITCFL is deliberately screwing me and/or are all staggeringly incompetent themselves. I have never been given the benefit of the doubt, had a fair honest investigation into my case, or even had basic real investigation done. I literally solved this while having the least amount of information, spoon fed it to them, and then had them dismiss everything. Fire them all and hire people who know how to investigate fraud. Unless their only actual purpose is to come up with creative ways to deny InComm liability?