BRICs PM - Sales System Software - ActBlue

ActBlue Money Laundering, the CVV Debacle, and TX AG Retardation concerns...

8/8/2024

I woke up this AM and saw something odd.

Numerically it was 8.8.8, and surely that would help out, but then I saw something odd, as I mentioned prior.

I thought to myself, "surely that can't be right"

The TX AG, Ken Paxton can't be that retarded, can he?"

OMG, is he one of them too?

https://x.com/JamesOKeefeIII/status/1821588957987283232

https://x.com/TXAG/status/1821572828246003994

I tried so hard not to click on the link. I really did. I didn't want to read it. but then I did.

And holy fukman, these ppl are really that retarded...

https://www.texasattorneygeneral.gov/news/releases/attorney-general-ken-paxtons-ongoing-investigation-actblue-yields-cooperation-donor-credit-card

Credit Card Security 101

History

When credit cards came out, there were no computers for processing.

The cards had RAISED NUMBERS on them.

If/when you sold something and took a credit card you used a "nuckle buster" to make an imprint on carbon copy paper. It was like printing a check in real time. Alternatively you could take a number from someone over the phone and hand write it on a carbon copy form.

Credit card numbers were "public numbers". Anyone you gave your credit card to would have a full copy of your number on paper.

As the vendor, before executing the transaction, you could call in by phone and get an authorization for the transaction to help ensure payment but it was optional. It was a trust based system. For that reason, vendors would often require photo ID and not Drivers License numbers on the receipt.

https://americanmemorylane.com/2024/02/07/credit-card-imprinters-the-ole-knuckle-buster/

At some point hours or days later you could call a phone number provided by your merchant account provider and key in the card information and amounts and the money would show up in your account days later, assuming the transaction was good. If not you got notice it was no good and typically you were screwed if you didn't take down the persons contact info and if that wasn't legit.

Modern Credit Cards

If you look at a modern credit card,

It has 15 or 16 digit number on it (some may vary but standard is 16), That number is no longer raised, so the old nuckle busters are out.
It also then has a mag strip or a chip on it. .
I has an expiration date on it
I has another 3 or 4 digit number referred to as a "CVV", "CVC" or some other acronym standing for "Card Verification Value" or "Card Verfication Code".

"CVV" Values

The CVV is like a bank issued PIN.

The interesting thing about the CVV is that it is NOT embedded in the magstripe or the chip of the card. That CVV is ONLY printed on the card.

Anyone who accepts credit cards is NOT legally allowed to record CVVs by hand or in any databases. If you are caught doing that it can cost you your merchant account and more.

The purpose of the CVV was to decrease fraud.

Stolen Credit Cards - it doesn't help if a credit card is stolen, as the person has the card and the CVV

Stolen Credit Card Numbers - It DOES help prevent fraud for stolen credit card numbers that may be stolen from the older paper receipts or numbers stored in a database, BUT it only really helped with "telephone order / mail order" business, and it only helped there if they asked for it and submitted it with their pre-authorization.

The operator would ask for the CVV and submit that with the approval request.

Only people who had a card in their possession (or who had written down the CVV for that purpose) would get an approved response on the CVV value. (note, credit card responses include separate approval codes for amount, cvv and address match)

This added a "layer of fraud protection" for those taking phone or mail orders is nice.

Given the CVV is only typically 3 characters long, there was a 1 in 999 chance someone could guess it, but for a minimum layer of security it makes sense.

The "Act Blue" Money Laundering Fraud

I'm a huge fan of James O'Keefe. His reporting is awesome and I found his reporting on the Act Blue Money Laundering scheme great when it came out. However, the way he reported on it was confusing. I kept thinking he'd reframe it but that hasn't transpired yet. That has sustained some confusion that Act Blue just took advantage and only a moron pretending to be the TX AG might have fallen for it.

The people James has interviewed are NOT being defrauded. They are barely impersonated, and it has no financial damage to them. They are being used as "pawns" in a very simple money laundering scheme that someone needs to blow apart properly. To that extent I believe most people who have watched O'keef's coverage have figured out that part, but nobody seems to still understand what's going on or why it hasn't been exposed.

First start out with a simpler script to get more data in less time...

Interviewer - "Hi, Im Roger. I'm doing an investigation into Political Money laundering. We've got records that indicates someone from your home has donated 350x to candidate X, in values ranging from $5 to $500. Does that sound like you made those?"

Resident - "Oh no. Not at all."

Interviewer - "We didn't think so. We are trying to figure out which of these are yours and which of these were made by someone else, with other credit cards while simply using your address to conceal their identify. If I give you this list can you compare it to your bank records and identify which are yours so we can then ask for records for those that are not yours?"

Resident - "Sure, give me the list and I'll look at my bank statements and tell you which are mine"

Interviewer - "That'd be great, thanks".

This results in a list of transactions that should be "subpoenaed" by someone in a lawsuit, if anyone can figure out how to use the US Legal System.

The credit cards being used for this money laundering are likely "prepaid credit cards". That's what I would use if I was doing this. Someone gets a prepaid card, charges it up and uses it. When they use it, they enter addresses for people who they know donate, to try to mask the deviance, although they seem to have thrown that out the window years ago when the figured out nobody could or would do anything.

Forcing Act Blue to Implement Address Check can / should stop this IF they implement it...

When credit cards are submitted for authorization, the the merchants bank id, the credit card number, and the dollar amount must be submitted.

However, to the surprise of many, submitting the CVV, the first 5 characters of the street address, the zip-code and expiration date is optional.

In this case, submitting a CVV to show it is a match to that which is on the card will not solve this at all. The people who initiating these transactions have valid credit cards they are using, and thus they have the CVV numbers from those cards. If they were using cards from others, ACT blue would be getting charged back for the fraudulent transactions and that seemingly is not happening.

In this case, forcing Act Blue to submit "billing address for card" would / should fix the problem.

Prepaid Cards - it looks like prepaid credit cards are issued without a billing address. Thus if act blue required address data and submits that data, they will always get a failed response for a match.
Regular credit cards - regular credit cards always have a mailing address associated. It's unlikely these people are using regular credit cards with mailing addresses. if they are they have to use an address other than the citizens address to get them issued as they have to be mailed to them. Technically they may be able to change the billing address for the card after that via the bank, but that leaves a hell of a trail to track and doesn't make sense. The money launderers probably are not that dumb.

NOTE: these instructions are confusing. The card issuer is telling the card holder to enter a home address and suggesting it must be a valid address, but then goes on to say the card is not registered to an address.

The address match system for cc companies does NOT check full addresses nor valid addresses. It only checks the first 5 characters of address line 1 and then it will check the 5 or 9 digit zipcode separately. In this case if a prepaid card holder entered that info when using their card, the merchant would / should get back a "no match" address given they have nothing to match it to (and assuming they are providing honest responses).

When Act Blue Submits a transaction, they can get an approval for trhe amount and the transaction but a failed notice for the address match. It then gives them the option to accept or reject the transaction. The bank will expect it to be submitted in a batch closing process.

IF Act Blue were to agree to address verification you would still need a way to audit them to make sure they were then declining the transactions that were approved, but with a bad address match. The could fake the address approval in their database.

I hope this helps out with some procedural information that might help with this...

NOTE: We are currently assuming that the transaction reporting by Act Blue for transactions with errant addresses is in fact really related to credit card transactions. We are assuming prepaid cc's are actually the probably source of the money laundering. In Fact ActBlue could be fully fabricating transaction records to funnel money. That would put them far higher on the hit list and is unlikely but just keep it tucked away in the event the prepaid card lead doesn't pan out...

We offer a lot of commercial education on this site as well as our parent sites. Check them out when you get a chance...

Thanks for your Support!

Page updated

Report abuse