Bill Reynolds - Life Real Loud - John Lefebvre, Neteller and the Revolution in Online Gambling

“Oh no!”

I don’t think we got that money back.

Edmunds concludes, “No, we didn’t. That’s how we found out about the wire system. It’s just this little telex train of information. You can’t call the telex back. All they do is send out another little recall that follows the telex train. It’s following the money; it isn’t going to pass the money.”

Glavine adds, “Another quick lesson learned in internet fraud. Twenty credit cards and Latvia? Somebody would just laugh now.”

“That’s when we started to come up with the banned country list,” says Edmunds.

“And we locked it down so a person could only use two credit cards in their account,” says Glavine. “This was the start of our security — the first little things we added to the system to lock it down.”

There were other guys from other former Soviet republics who figured out how to use phony credit cards on the Neteller website. An embarrassing incident in October 2001, for instance, involved a teenager from Belarus. Glavine recounts,

He got into our database and sent me a list of our customers’ passwords. For three days, things would happen on the website and we wouldn’t know how. I had to check every single bank number because this kid was going in and changing the numbers to ones he controlled in the U.S. Sophisticated hack.

Steve Lawrence tried to hire the kid. He talked to him quite a bit and got him on our side. He Western Unioned him 500 bucks or something — not much money to get the kid to lay off.

Breaches happened with some frequency before Neteller shifted from credit cards to electronic money transfer and before it devised an elevated system of security, wherein each Neteller client had to prove he was legitimate with an initial $250 maximum deposit before the company would increase the limit. Even after this elevated system was put into place, some fraudsters would play legit with the two-fifty rule, in order to be accepted into the Neteller club, and then try to beat the company for a grand. Lefebvre says,

We began to discern those patterns of behavior. Before that, most of the time we got beat when we didn’t have those elevated steps at the gate. These guys — probably just hoods, guys trying to make an easy buck — would go to all the different sites on the internet that accepted credit cards to see if they could hack into the databases. If they hacked into one they could take legitimate credit card numbers and use them to open up Neteller accounts, make some bets and get us to send them a check, hopefully, before we found out we were being scammed. The last guy that beat us took us for $14,000, which was good money in Latvia in those days, especially if you didn’t have to take off your housecoat. It was the frontier out there.

With each successful scam, the Neteller team learned a new lesson in security and were forced to come up with new measures. Lefebvre says,

When we were trying to use Neteller SmartCard system, it came to us that the cards were just one more level of security. You still have to have a password, so why don’t you just have two passwords? Or have a password and a security code? Then we sent out the news release: “You thought Neteller SmartCards were smart, wait till you see no card!” That was our inside joke — we never really did that.

But we had a password and a six-number security code that prevented people from hacking into other people’s Neteller accounts. Like, I could find out what your Neteller username was somehow. Then, if you’re a woman, I’m ninety percent sure that the password is going to be your daughter’s birthday. So I go into your account and send all the money to my account. Funny, eh?

Security is way better now. Two layers of passwords are the standard. Now you have to have your credit card, plus the little number typed on the back of your credit card, plus a password. Or some people will use your email address and a password, and the password they send to you is the one they send to your email address. So you have to have your email password, plus their password. They don’t know your email password but you do, so the only way someone can hack your account is to get both your email password plus your password password. Those levels of security introduce an exponential problem for guys who are just out there running random numbers.

Neteller personnel became so proficient at security that it joined forces with the FBI — twice. One was for a fraud committed in New York, the other a Department of the Treasury money-laundering case. In the fraud case, a guy from Flushing, Queens, named Juju Jiang was putting keystroke software on computers in a Kinko’s store. People would come to Kinko’s to do their Neteller transactions (or private banking or whatever), and the keystroke program would relay the secure information back to the fraud artist’s home. He could sit in his robe, get into their Neteller accounts (or bank accounts), and transfer money to himself. One of the victims was a Neteller account holder, who marveled as he watched someone break into his account remotely. The client contacted Neteller and alerted them, and Neteller contacted the FBI.

In the money laundering case, Neteller had its system set up to monitor for accumulations and aggregations. If money was being transferred from a bunch of different accounts into one Neteller account, personnel decided “smurfing” could be happening. Originally, the fictional Smurfs would switch out a verb in a sentence for the one-size-fits-all “smurfing,” as in: I have to go smurfing for a new pair of runners. In the realm of fraud, the goal is to avoid detection. If you have a lot of cash and can’t put it in the bank without filling out papers to say where you got it, there are smurfing networks out there to help you out. Let’s say you need to get $500,000 into your bank account and don’t want anyone asking you where it came from. You give a smurf $5,000 in cash. The smurf deposits $4,500 in your bank account and keeps $500. You go back to the smurf network ninety-nine more times, and the job is done. It cost you fifty grand, one-tenth of your stockpile, but the rest is now safely in your account. In the smurfing case, Neteller personnel assumed an aggregation was happening and reported it to authorities. The FBI found the guy using Neteller’s systems to launder some kind of illegal money, possibly from drugs (Lefebvre was never certain). The FBI sent Neteller a citation in recognition of its help, and executives proudly hung the salute on a wall in its Calgary office.

Neteller was getting its act together on the security side while its fortunes started to turn around as a result of directing customers to its PayPal account. The company had given up on the expensive, cumbersome chip technology and started to embrace electronic funds transfer (EFT). It finally got a Visa account and clearance to deposit the receipts that had been lying around for weeks and months. The money was moving, and online gamblers were signing up for service at a brisk clip.

When Neteller’s transactions blew past $170,000, a mere six weeks after hitting $70,000 a week, and PayPal froze the account again, they didn’t bother phoning the useless main line. Lefebvre says,

We knew Dan’s number by then, right? He told us, “You guys have learned how to manipulate our system to fund the internet gaming industry, haven’t you?” We said, “U-u-u-u-h-h-h, maybe we better come down and meet you.”

So Steve Lawrence and I went down to Palo Alto in late March 2001 and had a meeting with them. PayPal’s proposal was: you’re getting free discount rates, and you’re not getting those anymore unless you run all your business through us. We still had our own credit cards, and we were still receiving money through Western Union. But what they meant by “running all your business through us” was not receiving money anymore but instead making all our bookies sign up with PayPal to receive the money — the merchant side of it. We would work out some sort of deal on that.