Security Team Training *Fraud*

Overview

1a. Handling an account that we received a chargeback for. 1b. Handling an account suspended/trapped due to association with chargeback player (1a.) 2a. Hacked Accounts Friend/Family Member/Friendly Fraud 2b. Hacked Accounts Hoax / Keylogger / Foreign Login 3. Trapped Accounts When to stay shut, when to open, serials to untrap, looking for other emails from trapped players. 4. Off-site transfers / chat scam victims 5. FirePay / Nexum deactivations/associations 6. Affiliate Fraud Cost per acquisition fraud 7. Processing ID and when to request it 8. Bookkeeping Trap/Untrap/Seizure Log and emailing Dublin.

1a. Handling an account that we received a chargeback for.

EXAMPLE: Player- vtmc (Kana ID: 806126)

S:\FTP_Fraud_Department\TEMPLATES\CC Processor Templates

1. 2. 3. 4.

Receive email from customer asking why account is closed Issue template (1.) explaining chargeback and possible descriptor confusion Player emails back wanting to repay debt. Issue template 2a or 2b. Review account to work out discrepancy whether we owe player, or they owe us. a) If we owe player, then submit a report to Dublin to have funds redeposited. (email dquach@tiltware.com and gcoronado@tiltware.com) b) If player owes us, then we reopen account with limited access and have player email us once funds have been deposited/transferred in. We will then send email to Dublin to have funds seized. (fraudoperations@tiltware.com) 5. Once action has been taken by Dublin, then remove all restrictions on account and email player. Issue template 3.

1b. Handling an account suspended/trapped due to association with chargeback player (1a.)

EXAMPLE: Player- bigbrad95 (kana ID: 833964) 1. Issue template 'S:\FTP_Fraud_Department\TEMPLATES\CC Processor Templates\Trapped through association with chargeback.txt 2. Add alert on the account that received the chargeback informing to reopen associated player should the CB be repaid.

Reading Know100

Run a Know100 with a big threshold like 9999999 We are looking for a foreign login over the past few days.
Clean logins

Foreign Logins

Evidence of chip dumping

2a. Hacked Accounts Friend/Family Member/Friendly Fraud

S:\FTP_Fraud_Department\TEMPLATES\Hacked Templates

We will not reimburse players for their losses. Password security is the player's responsibility.
Reopen account with restrictions (no chat/play/transfer/deposit) Player will then email back confirming password change. Review logins make sure the change occurred from primary/secondary computer. Then remove restrictions.

Example: soti892 (Kana id: 778096) - Run know100 (99999999 threshold) - Enter know100 into Wheres My Money Tool - Work out how much money was lost during session. - Match up session with login information - See if funds were dumped or not (win/loss report or tourny results) - Time at tables is usually a good indication of dump - Email player appropriate template

2b. Hacked Accounts Hoax / Keylogger / Foreign Login

Foreign login found run a Serial Relationship by Serial Key to determine who is the primary player who uses that serial Has the player shared player-to-player transfers or serials with them before? Were there several accounts compromised by that one serial? Most likely a hoax website or some other phishing scam. If funds were dumped, then please review the hands to see if it was a pure dump, or it was a big hand. If it was a pure dump, suspend the account. Reopen account with restrictions. Ask player to email in once password has been changed. Review logins make sure the change occurred from primary/secondary computer. Then remove restrictions. Example: 5dollahobo

3. Trapped accounts - When to stay shut, when to open, serials to untrap, looking for other emails from trapped players.

Find out why original account was trapped. If trapped due to CC fraud, account hacking or collusion, then be harsher on allowing players to return. Determine how close association is. Are logins from the same computer minutes/seconds apart? Must use discretion. Take into account how close the logins are to other accounts (multis found?), FullTiltPoints, cash balance, serial relationship etc. If player is to be reopened, get serials untrapped, untrap player and email template: frd.ass.reopen If player is to stay shut, but funds are clean, then email player template: frd.ass.close.funds Untrapping serials: Untrap primary serial plus others that player has logged into many times before. Have a TL untrap the list of serials for you. Be sure to inform player about the consequences of sharing computers

3. Trapped accounts - Tips

Take the initiative to clear any other accounts that are not multiples that have been trapped. Especially those that have over 20 cash game sessions or any real money balance. Untrap any possible multiples (session count 0, and have logged in within seconds of trapped acct) then pause them. This way they won't trap themselves at a later date. No need to email. Be sure to notate in log file (to be discussed later)

4. Off-site transfers / chat scam victims

If we have strong evidence that they were scammed, then we will intervene and return any funds recovered. WSOP seat scammer is always asking people for $ in exchange for WSOP seat / tournament entry on FTP. Example: Mkind016 Guess who this is? scammer. Often the funds are sent on another site. If at PokerStars, then we can contact security@pokerstars.com. They can confirm if a transfer took place / freeze accounts. To return the funds, please email dquach@tiltware.com and gcoronado@tiltware.com with the details.

5. FirePay / Nexum deactivations/associations

All FirePay issues currently handled by Sarah Campbell. Route FirePay emails directly to the FirePay queue. This includes multiple accounts whose primary was suspended for FirePay deactivation. Firepay debts are handled like CC disputes. Player will get chance to repay debt. Additional team members to be trained

Nexum deactivations are advised to contact Nexum to resolve their issues. If player confirms they have resolved their issue, we can contact Nexum from FraudOperations@fulltiltpoker.com to get confirmation on account status.

6. Affiliate Fraud Cost per acquisition fraud

S:\FTP_Fraud_Department\AFFILIATE FRAUD\PROCEDURE\Affiliate Fraud Procedure.doc Quite rare. People create a lot of multiple accounts, play for 100 200 Full Tilt Points, and then withdraw. Often from China/Vietnam. Now handled by the Affiliate Department.

7. Processing ID and when to request it

S:\FTP_Fraud_Department\TEMPLATES\ID Docs Templates

ID requested for proof of credit card ownership. Authorization form must be attached. Template: (Fraud) ID Docs & Auth Form.txt For proof of credit card ownership we will only accept scanned copies. No faxes. No printing. Save ID in: S:\FTP_Fraud_Department\IDENTIFICATION ID also requested for verifying identity in hacked account cases and multiple accounts. These can be processed like normal ID, and to be filed away. We will accept faxes. For verification of identity and not CC ownership, please include note on account: Any CSR may process this ID. Please IR player that docs were verified and route follow-up to fraud queue.

8. Bookkeeping Trap/Untrap/Seizure Log and emailing Dublin.

S:\FTP_Fraud_Department\Analyst Weekly Log Files All accounts that action has been taken on (trap or untrap) must be included in this spreadsheet. For any non-urgent seizure requests, please add to the seizure request tab. For urgent seizures, please send to dquach@tiltware.com and gcoronado@tiltware.com All logs compiled at the end of the week and sent off to Dublin

Contacts:

Gil Coronado The big kahuna (gcoronado@tiltware.com) David Quach The boss (dquach@tiltware.com) James Ma - Ops Manager (jma@tiltproof.ca) Brad Jorgensen Morning TL (bjorgensen@tiltproof.ca) Chris Fox Swing TL (cfox@tiltproof.ca) Kevin Lee Grave TL (klee@tiltproof.ca) Security Team Mailing List (fraudsquad@tiltproof.ca) Fraud Operations Box (fraudoperations@fulltiltpoker.com)