Introducing The Investigator's Toolkit
Why the world needs another Substack. Also: OpSec for online drug dealers.
Intro and motivation
I’ve been working in fraud management for seven years now, focusing on online payments at Stripe and Lithic. Like everyone I’ve met in the field, I got into it by chance, and consider myself lucky. The subject matter is deeply interesting, and there’s a strong sense of satisfaction in being charged with safeguarding something.
However, the career trajectory I’ve experienced and observed in this field is that as you advance you tend to focus more of your time on “creating business value” than actually honing your craft. You go from building subject-matter expertise and becoming a skilled investigator, to aligning stakeholders and navigating an organization to try and get decisions made.
This is, in part, driven by the logic of fraud management itself. As sages far wiser than I have observed, the optimal amount of fraud is non-zero. Companies must balance the constraints of their limited resources with the loss savings they are able to generate, and if a particular effort does not have a direct and measurable effect on either of these variables, it can be hard to justify. Because of this dynamic, deeply understanding adversaries and building sophisticated investigative skills can be seen as a waste of time. In such circumstances, it’s easy to end up devoting the majority of your focus to lubricating the gears of your organization’s cost-benefit tradeoff engine.
But who wants to read a newsletter about that?
I’m a curious guy. I like learning new things, especially about fraud, cybercrime, and performing online investigations. So I’m starting this Substack as an outlet to continue this journey and document what I find. A piece of writing advice I came across once said to write the type of thing that you would want to read, and that is what I aim to do.
I’m admittedly not an expert in most of the topics I expect to cover here, and will be an utter novice in many. Yet I’ve resolved not to let the fear of making mistakes hold me back. If you read something I’ve written and have thoughts or critiques to offer, I’d love to hear them in the comments below.
OpSec for online drug dealers
A light-bulb moment I had recently while taking my neighborhood walk was this: the goal of your fraud prevention system is to defeat the fraudster’s operational security (OpSec). If you can learn more about their OpSec strategies and tactics, you can more effectively design detection systems that will foil them. These OpSec strategies employed by fraudsters and cybercriminals are very similar to the strategies employed by hackers, and there has been considerable study on this topic by our friends in the cybersecurity world that has much to offer professionals focused on fraud and online abuse. Exploring this seems obvious in hindsight, but it isn’t something I’ve seen done often or in a systematic way.
I’m still early in this process, but one of the best resources I’ve come across thus far is this talk given at Def Con 30 by Sam Bent, a former darknet vendor (i.e., an online drug dealer).
The entire thing is worth watching, but one of the highlights is where Sam talks about researching the methods of his adversary and taking countermeasures to evade them. As a former drug trafficker, his adversary was law enforcement, and since he shipped product via mail, his primary law enforcement adversary was the US Postal Inspector. Realizing that his adversary would follow written procedures, he did some research and found the Postal Inspector’s manual.
From the manual, Sam learned that one of the indicators of a suspicious package is the quality of the listed return information: the name and address should be real. Here, rather amusingly, he faced a moral dilemma. He wanted to use a real name and physical address for the return information without implicating an innocent person, since they could potentially have their door kicked in by the Feds if a parcel full of drugs was flagged with their information on it. Sam knew there had to be some kind of database he could use to find real names and addresses of people he “wouldn’t mind screwing over,” and he had a pretty ingenious solution (if you can’t watch the whole talk, just watch starting at 4:28 where he discusses this).
Sam also discusses the vulnerability assessments he conducted on his operations on a regular basis, knowing that any mistake or moment of complacency could land him in federal prison. To get in the right mindset to do a proper vulnerability assessment, he uses the analogy of being locked out of your house:
“When we’re at home, we all feel safe, we all feel secure. Then one day we lose our keys. And then all of the sudden we’re all penetration testers.”
In that moment, we discover all sorts of opportunities to get around the things we’ve put in place to keep ourselves safe.
I remember once in high school a friend and I went over to his house after school, only to discover that his garage door keypad had died, and he didn’t have a key to the front door. After a few minutes of walking around the outside of the house and thinking, I realized that there was an upstairs balcony off the master bedroom that was almost certainly unlocked. All I had to do was move some patio furniture in place underneath, make a small jump to grab the bottom of the railing, and then shimmy up. After that day, his parents began to lock the balcony door.
A useful exercise for those of us safeguarding online platforms in functions like fraud prevention or trust and safety would be to occasionally lock ourselves out. Open the sign-up page in an incognito window and start planning out in detail how you would get through. Perhaps even have a written list next to you of the known checks and safeguards you have in place to detect bad behavior, and start imagining how you would develop countermeasures to evade them. Do some research on how you would specifically employ these countermeasures: what tools or services would you use? How could you cycle IP addresses for every account you create, or employ browser fingerprint spoofing? How much motivation would someone need to employ all of these countermeasures, and what would their reward be for their efforts? Your adversaries are making that calculation, and you should too.
The goal here is to deepen your understanding of your adversary. Equipped with this understanding, you can develop a better mental model for thinking about how abuse occurs and what to do about it.
The typical progression I’ve experienced first-hand and observed in others in this space looks something like this:
1. When I am evaluating a potential case of fraud, I look for sketchy signals. If there are a lot of them, then it must be fraud.
2. When evaluating a potential case, I look for sketchy signals, and then try to contextualize them by figuring out the most plausible story that explains them. I look at the signals and behavior and try to answer the question “What is this person trying to do?”
3. When evaluating a particular case, I look for sketchy signals, contextualize them in a story, and orient that story within a framework of different typologies of fraud: friendly fraud, third-party fraud, bust-out fraud, etc.
4. I am a fraud-fighting god. I think about fraud in terms of specific threat actor profiles, associated with particular tactics, techniques, and procedures. I employ multiple layers of tailored defense mechanisms targeting their specific behavioral patterns.
Don’t worry, I’m not at Level 4 either. But the purpose of this blog is to help us both get there.
Future posts
The goal of this first entry was to lay out why I’m doing what I’m doing here. In future posts, I plan to go deeper on useful concepts, along with explanations of analytical techniques that will make us all better investigators and defenders. If you have thoughts or ideas for what I should research and write about, please let me know in the comments below.
Thanks for taking the time to read this. I look forward to writing more very soon.
Zach