Mary Breen and the Cashapp Problem. UPDATED WITH A MAD MARY RESPONSE
Updated: Sep 15, 2019
Updated: I'm currently in the Bahamas speaking for a BlueStar Event. Outstanding group. Woke up this morning to text messages from Mary Breen, who I outed in this blog. I've added those and my response to the end of this article. I'm doing so as I think it benefits readers to see the criminal mindset in action. It also benefits Mary toward moving--willingly or not--to a more legal profession. Added to end of blog.
The first time I met Mary Breen was after she contacted me saying she wanted to go legal.
Mary was in Atlanta. She said she was desperate. She said she needed help. She said she didn’t know if I would respond.
That got me. One reason I am a legal person is people gave me a chance to do the right thing. They responded when I was desperate and needed help. I believe in returning the favor. If you want to reform, I will help you. If you are breaking the law? I think prison is a good thing.
I met Mary at a Starbucks in Atlanta. She was high on meth. Probably the worst high one can have. Jerky, jumping, paranoid, talking 90mph, only able to focus on what she wanted. I bought a couple of lattes, sat back, and let her talk.
Mary was intent on impressing me. She detailed how she was using BeenVerified to look up other Mary Breens, getting their SSN and DOB on robocheck.com, then using their credit to make money.
She also told how she hit a well known bank for $50k in the last month. The bank had suffered a breach a few years ago. Profiles were still available on criminal marketplaces. She would buy a profile, get the SSN and DOB, pull the background check. Then go to the bank to answer KBA—Knowledge Based Authentication questions. She was very successful taking over accounts.
Aye, but there was a rub. Mary could take over the account but was having trouble withdrawing money. She had only gotten about $4k. Mary didn’t know it, but those three elements of successful cybercrime had bitten her in the ass: “Gathering Data, Committing the Crime, Cashing Out.” All three have to work or you, my friend, are a failure. Problem is a single criminal isn’t good at all three—as Mary illustrated. That is why networking with other criminals becomes a necessity. Mary knew how to commit the crime, but she damn sure didn’t know how to cash out. Mary hadn’t yet learned the power of networking. Given enough time, she will.
Mary doesn’t realize it, but she already has the perfect networking partner. Mary has connections with a large LGBTQ Identity Theft Ring in Atlanta run by a fellow calling himself Crafty. Mary has worked with him but hasn’t told him of the bank exploit, fearing he won’t give her much money. Mary hasn’t yet learned what skilled criminals come to learn: A little of something is worth much more than a lot of nothing. Again she will, given enough time.
The next day I informed my law enforcement contacts of Mary Breen and Crafty and told all I knew. Mary has pending charges, outstanding warrants, and existing felony convictions. Her days are numbered.
I informed the bank. They asked me not to mention their name. I agreed. Not to protect the company, but because the problem of KBA is something which exists with all banks and institutions. It does no good to single out a specific bank when KBA is a problem for the entire country.
The bank handled the situation in the best way possible. I received a call from the head of fraud at 6am. Off the record, to the point, and no excuses. I told everything I knew, gave names, and was given assurances security measures were in place which prevented Mary from capitalizing on the KBA problems. After another follow up call I was convinced they were intent on fixing the problem.
Which brings us to my second meeting with Mary. I was taking a trip to Charleston, South Carolina. Going out there to find closure, working on a podcast telling my story. Charleston was where I was arrested. I wanted to go back to apologize to one of the Secret Service Agents I screwed over, and to maybe find some peace.
I met Mary on the way to Charleston. Dinner. Picked her up at a house she was squatting at with 7 others. No electricity or running water. The “Owner” had been going around filing Quit Claim Deeds on unoccupied homes and stealing them. He had 8 under his belt already.
Meeting with Mary was selfish on my part. She had been sober for three weeks. I met her because I have this theory that human traffickers use the same money laundering mechanisms as financial cybercriminals. While they may not know each other, they run in the same circles. I’m also convinced some traffickers engage in identity theft and financial cybercrime.
“I want to meet Crafty.” I said.
I told her my theory. “I don’t think Crafty trafficks, but he may know something. Hell, he may know something and not even realize it.”
“I don’t know.”
“Look, at some point the Dude is going to prison. He’s going to get a federal case and he’s going to serve time. That’s a fact. It would be pretty nice on sentencing day if a reformed, highly respected former cybercriminal showed up to tell the sentencing judge how Mr. Crafty helped save some victims of trafficking. Not to mention doing this might help with the bad karma he’s getting by stealing.”
She looks at me a moment. “Yeah.”
“So, could you do anything to get him out of jail now?”
“Where is he?” I ask.
“State or Federal charges?”
“I’m not in the getting people out of jail business. Only way he gets a lighter sentence is telling on enough people. And truthfully? I’d save the rat card until he gets federal charges. He’ll need it.”
Dinner is a bust. Mary might know some people, but she wouldn’t have the connections of Crafty. No real need to continue meeting Mary, either. She isn’t wanting to go legal. Not yet. She hasn’t yet hit bottom. I can’t help her.
The next 5 minutes prove my thought.
“You got money to eat?” I had ordered a big meal and taken a couple bites intending to send the leftovers with her so she’d have something to eat.
“I’ll be ok.”
“Look, I don’t want you out there stealing shit. You have money for food? No bullshit.”
“Ok. My Venmo is screwed. Fucking idiots. You have Cashapp?”
I Cashapp her $100. Then decide to send her another $75. That locks my account. Not unexpected.
I’m asked the standard, stupid, KBA questions: Last four of SSN and DOB. I then take photos of my driver license, then a selfie. My account is then re-opened.
Mary tells me her account is locked. “Hold on and I’ll open another,” she says.
For a former US Most Wanted Cybercriminal and Internet Godfather I am sometimes damn naïve. I think she is using her info to set up a new account. Nope.
Mary pulls a couple of driver licenses out of her purse. African-American faces on the IDs. Certainly not Mary’s pale white, moon-tan ass.
“You really want to do that sitting at a restaurant? Sitting across from someone you know talks with law enforcement?”
“You gonna tell on me?”
Yes. As a matter of fact, I am. But I don’t say anything.
What Mary does is use the same phone her account was shut down on to open a new Cashapp account in the stolen ID name. She gets the girl’s SSN and DOB, takes pictures of the stolen ID, and then is prompted for the selfie.
Mary pulls out a second phone. She uses the second phone to go to Facebook and look up the profile of the victim.
“What are you doing?” I ask.
“Looking for Hi-Res pictures.”
She finds some. Mary uses the first phone which the Cashapp account is being set up on to snap a photo of the Facebook Selfie she has pulled up on the second phone.
Worked like a charm.
Oh, Shit! I thought. She just opened an account using a device that should be flagged and using a photo from Facebook.
Mary tells me I can send the money to that account.
Yeah, Bullshit I can. I’m not about to.
Time to break away from our story for commentary.
First, I don’t know what type of security Cashapp has implemented. I’ve not worked with them. I haven’t researched them. They may well have device recognition and flag devices which try to register multiple accounts. I mean, they damn well better have that type of security if they are moving people’s money. I also don’t know if they have any type of liveness detection implemented when pictures are taken. Again, they damn well better have that type of security implemented in today’s world of cybercrime.
I just know what I saw. And what I saw was a thief who had her Cashapp account shut down use a stolen Driver License, a Facebook photo, and the same device to open a new account.
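One defender-side reading of that observation, as an added example that is not Cashapp's or any vendor's code: an onboarding check that refuses a new account on a device already tied to a fraud closure, flags a device accumulating identities, and flags an ID step that produced no liveness signal. The event fields, the device-history store and the thresholds are assumptions constructed for this example.

```python
"""Onboarding risk checks for the two gaps described in the post: a shut-down
device re-registering under a different identity, and a selfie step accepted
without any liveness signal. Illustrative only; field names, history store and
thresholds are constructed for this example, not any vendor's real logic."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Signup:
    device_id: str        # hypothetical device fingerprint reported by the app
    identity: str         # name on the submitted ID document
    selfie_liveness: bool # True only if the selfie step produced a liveness signal


# device_id -> list of (identity on file, account status). Constructed sample
# data: dev-A previously held an account that was closed for fraud.
History = Dict[str, List[Tuple[str, str]]]
SAMPLE_HISTORY: History = {
    "dev-A": [("Mary Breen", "closed_fraud")],
    "dev-B": [("Alice Example", "active")],
}


def assess(signup: Signup, history: History, max_identities: int = 1) -> List[str]:
    """Return the list of risk reasons raised by this signup (empty = clean)."""
    reasons: List[str] = []
    prior = history.get(signup.device_id, [])

    # Gap 1: the same device that had an account closed for fraud is back.
    if any(status == "closed_fraud" for _, status in prior):
        reasons.append("device_prior_fraud_closure")

    # Velocity: one device linked to too many *different* identities. A person
    # re-registering under their own name does not trip this.
    others = {ident for ident, _ in prior if ident != signup.identity}
    if len(others) >= max_identities:
        reasons.append("device_identity_velocity")

    # Gap 2: an ID photo plus selfie with no liveness evidence is just two photos.
    if not signup.selfie_liveness:
        reasons.append("no_liveness_signal")
    return reasons


def decide(signup: Signup, history: History) -> Tuple[str, List[str]]:
    """Map reasons to an action: block, send to manual review, or approve."""
    reasons = assess(signup, history)
    if "device_prior_fraud_closure" in reasons:
        return "block", reasons
    if reasons:
        return "manual_review", reasons
    return "approve", reasons


if __name__ == "__main__":
    # The scenario from the post, as constructed events.
    for s in (Signup("dev-A", "Victim One", False),
              Signup("dev-B", "Alice Example", True),
              Signup("dev-B", "Bob Example", True)):
        print(s.device_id, s.identity, "->", decide(s, SAMPLE_HISTORY))
```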
Mary isn’t a sophisticated criminal. She isn’t well-versed on fraud. She doesn’t understand a lot about security or the tools of anti-fraud. She acts out of desperation. She also acts with the singular focus of a meth addict. She sits for hours continuing to try and fail until something works. Add that she is clever and you have the exact way many cybercriminals operate. I used to call it throwing a bunch of shit against a wall to see what stuck. Mary Breen, an uneducated fraudster, was able to defraud 2 large companies with the “Shit Against the Wall Technique.”
I do want to give Cashapp as much of a benefit of the doubt as possible. Perhaps the account was shut down after I left. I don’t know.
I do know that more experienced criminals would start testing Cashapp immediately.
What type of tests? Off the top of my head:
1. A Facebook photo of a photo is enough for the selfie verification. That likely means I don’t need the physical driver license, just a photo of it. Could I go to Secondeyesolution.ch and buy photos of Driver Licenses For $30 and use those to open new accounts or take over existing accounts or even open synthetic accounts?
2. Could I use the same device multiple times to open accounts? Better yet, could I use a brand new device and not have to worry about the device fingerprint to take over an existing account?
To me, that would be worth testing immediately. Other tests would include using browser fingerprint spoofing software to see if it is effective against Cashapp, using VM boxes to set up multiple accounts on the same machine, using proxies, RDPs, etc., etc.
Put more thought into it and the testing becomes more detailed.
That’s the way a lot of cybercrime works. Someone happens upon something. Sometimes they don’t understand the import of what they find. That person mentions it to someone more knowledgeable and away we go.
Mary certainly doesn’t understand Cashapp is used to launder money. Financial cybercriminals, human traffickers, and drug dealers love services like Cashapp. The ability to open new fraudulent accounts with ease is valuable. Being able to open accounts using photos of photos opens the door for Account Takeovers, Synthetic Fraudsters, and more.
My concern was there might be other companies where this same technique would work. What tends to happen is one company is mined out on a vulnerability and fraudsters look at other companies in the same vertical and attempt the same technique. I wanted to raise awareness within the vertical.
I also wanted consumers to know. Facebook and social media are a treasure trove for criminals. Members post when they are going on vacation. They post pictures of valuables in their home. They post personal information. They post pictures of themselves and their children. They share that information with the world. Information which can and will be used by a variety of criminals. I wanted people to be aware of not only that problem, but also the problem of trusting a company and never questioning the security of that company.
Finally, I wanted Cashapp to know. I figured they could address any problem quickly if it was more than a one-time lapse. I also figured if they didn’t have device security or liveness detection then maybe they could head over to a company like Iovation or Mitek or any of several others who do good work and who would be happy to protect their customers for them.
Notifying Cashapp was a nightmare.
I checked my contacts on Linkedin for anyone working fraud at Cashapp. No one. I didn’t know if I should reach out to Square so I posted a message on Linkedin looking for a Cashapp contact.
It was an irate message. I said I wanted to inform Cashapp their security was garbage. Probably didn’t make many friends at Square or Cashapp calling their security garbage. Probably put them on the defensive. But when I wrote that I couldn’t get over the shock of a photo of a Facebook photo passing authentication. To me? That’s garbage. Just my opinion as a former criminal who would have loved to see something like that. I am not apologizing for it. I am saying I understand it is not a conducive term to use with people who may not be used to bluntness.
Radio silence from the Square/Cashapp quarter. Finally, a Square Guy comes on and suggests I head over to bugcrowd to claim the bug bounty.
Whoa, Nelly. I don’t want a bounty. And it is not a bug. If anything, it’s shoddy security. I don’t want money for telling Cashapp how some girl is stealing from them. I just want to shoot the info over.
I tell Square Guy this, publicly. The response was I didn’t have to claim the money—I could donate it. Not really the point, Dude. I stop talking to Square Guy. Can’t be an argument if there aren’t two people.
At the same time this is going on? Some of my contacts and I notice the Cashapp Fraud Head lurking on our profiles. Cashapp Fraud Head is reading up on who I am but not contacting me. Groovy.
I’m driving back from Charleston, SC while all this is going on. I’m tired. It’s an 8-hour drive. I can’t engage in a lot of chit chat unless I pull off to get gas or something.
I send Linkedin connection requests to both Square Guy and Cashapp Fraud Head when I stop for gas. Square Guy accepts. Silence from Cashapp Fraud Head. I send a message to Cashapp Fraud Head saying I saw him lurking and it was ok to talk to me. I ask how he would like me to get the info to him—phone, text, email, Linkedin, what?
Meanwhile Square Guy is going on about the Bug Bounty, saying it’s the only and proper channel to get info to them. Finally, exasperated, tired, and worn down from this crew, I pull over in Atlanta to report the problem via the bug bounty.
I’ve never used bugcrowd before and likely never will. You gotta register an account. I’m not going to do that. I don’t want money. I just want to report something. How bout an anonymous reporting system for the people who just want to tell companies how they are screwed up but don’t want money?
Then I start reading the TOS, Terms of Service. I learned to do that when I was a criminal. I have a theory that only criminals read the TOS of a website. Criminals and attorneys. Pretty much the same thing. You can learn a lot. The TOS wanted me to agree not to publicly mention anything until Cashapp was able to fix the problem.
Ah. That’s the angle being played here. Now I understood the friction and the attitude.
Here’s the thing. I don’t want anyone ripping off companies. Ever. I work my ass off every day to protect companies from the type of person I used to be. But more important than companies? Consumers. The consumers, the customers, the people who don’t have anyone looking out for them and aren’t backed by legal teams and millions of dollars in security? They are first and foremost on my list. Some company in a round-about way tries to get me to shut up about a problem I think a consumer might want or need to know? Let’s just say I have a well-documented history of problems with authority.
I finally get home and get some sleep. Next morning, I wake realizing I don’t need to report a damn thing via bugcrowd or bounty programs. Square Guy and Cashapp Fraud Head didn’t give me any contact information to get info to them, but I am able to message them on Linkedin.
That’s what I do. I send the info to Square Guy and he then sent it over to Cashapp Fraud Head. I also tell Square Guy I really hope I don’t come across any more Square or Cashapp problems because they are too much trouble.
I talk a lot about how the bad guys are all about communicating while the good guys aren’t so much. I point out it is one of the main reasons cybercrime is so successful and why the good guys have so much difficulty fighting online crime. I fully believe until the good guys start working together as well as the bad guys do cybercrime will continue to flourish.
I’m more than happy with the way the bank handled my getting information to them. They were amazing. It was the equivalent of, “Hey Brett! Whatcha got?” They were open and the results were great.
I’m disappointed with the Square/Cashapp reaction. It certainly wasn’t the “Whatcha Got?” ease of reporting to the bank. To me, it reeked of legal stepping in. What should have been a quick note telling someone over there Mary’s name, what she did, and my thoughts on what that might portend? It turned into a stress session with more drama and unease than necessary.
I’m sure a variety of factors figured into making the experience that way. My saying a blog was coming and my opinion of garbage security after what I viewed Mary doing. Square’s history of being an easy target for cybercriminals before they got smart. My being a former criminal who used to hit companies like Square. Square’s Lawyers coming down from a mountain with stone tablets etched with the words BUG BOUNTY. Etcetera, Etcetera. Etcetera.
Regardless, we need to be working toward accepting pertinent information without friction or attitude from whatever quarter it may be coming from. You may not like the person giving you info, but it shouldn’t matter.
So I woke up to a sunny day in the Bahamas to find these text messages from Mary Breen.
I'm not going to respond to Mary via text, but here. There are a variety of reasons for that. Chief is that people reading this blog can see how the criminal mindset works. Mary believes she has been wronged even though SHE CHOSE TO BREAK THE LAW. SHE CHOSE TO STEAL AND HURT PEOPLE. Yet she still feels the victim. That disconnect is common among criminals. I was no different. I think it important that readers see that.
The other reason I'm choosing to have the conversation here and not via text with Mary is, oddly, for her benefit.
First, Mary, you came to me. I didn't come to you. You told me you wanted to go legitimate. I took you at your word. In fact, I wanted to help you so much that I took time away from business, personal relationships, and people who actually needed help in order to try to assist you. What did I find? Someone that kinda, sorta, maybe wanted to stop breaking the law IF it meant no hardship or stress. In fact, you broke the law in front of me. So I see someone that would like to be legal, but isn't really worried too much about it. And let's not forget that you justified your crimes saying banks deserved it. Nope. No one "deserves" it.
So, while you may not be really serious about going legitimate? I'm still going to help you achieve that goal as much as I can. I have reported everything we've talked about to the FBI. I have reported to the companies I've seen you victimize and given your real info. And I've written about you publicly using your real information.
Why use your real name? If you are serious about being legal, then you should be able to admit your mistakes. The only reason you would want to remain hidden is to keep breaking the law. So I'm doing my part to bring you out of the shadows.
Yes, I mentioned your criminal contacts by name. Any of them who read that will know you talked to me, someone who does associate with law enforcement, someone who believes those who break the law can benefit from a good term behind bars if they can't stop their criminal activity. I imagine Crafty and Company likely won't want to work with you anymore if they read this blog. That is a benefit to you. Without contacts to break the law, you become more likely to go legal.
And no Mary, I'm not using you or the Crafty fellow to make a name for myself. I did that long ago as a criminal. I don't need you guys for that. I also didn't take any dramatic license with our talks or the events. That's the way it happened.
You need to realize: Sometimes you get what you ask for, whether you really wanted it or not. I'm going to try my best to get you legal. I'm going to do it by telling everyone who you are. I'm going to do it by letting other criminals know you talk too much. I'm going to do it by assisting law enforcement and companies in prosecuting you. I'm going to try my best to leave you no choice but to be legal. That's all I have to say. All responses will be posted here with my feedback.