Eight defendants in Florida have been charged for their alleged role in an identity theft fraud scheme involving the theft of personal information from a call center for use in unauthorized wire transfers and to obtain credit and debit cards.

The scheme involves exfiltrating data from a call center that handles direct sales and customer inquiries for AT&T and then using it for fraudulent purposes.

All of the defendants were charged with one count of conspiracy, and several were charged individually with access device fraud and aggravated identity theft, according to the U.S. Attorney's Office for the Southern District of Florida. The defendants face decades in prison if convicted. Two of the defendants remain at large.

The case highlights once again the security issues involved at call centers and the gaps in authentication measures used by financial institutions.

Payments fraud expert Tom Wills says insider fraud at call centers is an increasingly common problem. "I have worked with numerous call centers, and every one of them had internal fraud activity to deal with," says Wills, director of Ontrack Advisory, a consulting firm focused on payments innovation. "Out of 100 employees, you could usually count on one, two or more being 'bad eggs.'"

Al Pascual, a lead fraud analyst at consultancy Javelin Strategy & Research, says the case illustrates one of the biggest problems with how financial institutions authenticate customers through the use of identifiers.

"Among those banks examined by Javelin, 80 percent still authenticate customers using Social Security numbers," Pascual says. "For all of the improvements that have been made to securing online accounts, it is mind boggling that a criminal can rely on a static nine-digit number to effectively take over an account."

Pascual says that, historically, nearly half of all account takeover victims had their Social Security number compromised. "There are practical alternatives available for authenticating customers through the call center, which is where the SSN-authentication practice is most prevalent," he says.

Fraud analyst Shirley Inscoe of Aite Group says this prosecution is encouraging. "These criminals operate with impunity, thinking they will not get caught," she says. "Sending a message that prosecutions will take place, even if the losses are relatively low, is crucial in fighting account takeover fraud."

Case Details

The indictment alleges that Chouman Emily Syrilien, of Lauderdale Lakes, Fla., was employed by Interactive Response Technologies, Inc., located in Margate, Fla., a company that provides staffing for call centers to handle direct sales and customer inquiries for AT&T. Employees of IRT have access to personal information for customers of AT&T, including names, addresses, e-mail addresses, telephone numbers, Social Security numbers, dates of birth, credit and debit card numbers, credit card verification numbers, personal identity numbers and passwords, according to a copy of the indictment obtained by Information Security Media Group.

Syrilien, along with another defendant, allegedly provided co-conspirators with the personal identifying information from multiple AT&T customer files.

Three other defendants - Carlos Antonio Alexander of Orlando, Fla., Shantegra La'Shae Godfrey of Deerfield Beach, Fla., and Monique Smith of Pompano Beach, Fla. - in exchange for money, goods or other items of value, or the promise of money, allegedly allowed for their names to be added as "authorized users" on the credit or debit card accounts or bank accounts of the victims who had their personal information stolen, authorities say.

Once a co-conspirator's name was added as an authorized user, the bank or credit card company was directed to mail additional debit or credit cards bearing the names of these newly-added users to their addresses or addresses under their control, without the true account holder's knowledge or consent, authorities allege.

The defendants used these credit and debit cards to make purchases or obtain money. Alexander, Smith and Godfrey each made retail purchases as well as cash advances in excess of $24,000, $12,000 and $8,200, respectively, authorities say.