Life Real Loud
Page 18
“And in those days, PayPal was eating the cost of the credit card discount,” says Lefebvre. “They were using that as a mechanism for gaining market share. So if you put $100 into your PayPal account on your credit card, they would give you $100. They wouldn’t take the two percent. So we were funding people’s Neteller accounts free.”
Neteller became PayPal’s biggest client, and made it a lot of money. Most PayPal users sold bobbleheads or baseball cards or knickknacks for five or ten bucks. Neteller was pumping hundreds of thousands of dollars through its system, and PayPal personnel didn’t really get why. When they started to figure it out, they began treating Neteller like a credit card company would—they held back a percentage of the transactions. When merchants settle up every month, they receive ninety percent of their money from the credit card company. The remaining ten percent is put into a holdback fund for six months, and that money is used to cover fraudulent transactions. “That’s why nobody likes credit cards in the industry,” says Lefebvre. “The risk continues and you don’t get all the cash for a long time.” This is what PayPal did to Neteller.
Then PayPal decided to go one step further and hold back Neteller monies retroactively. With five or six million dollars now pumping through the system, that’s a lot of clawback. The skirmishes went on, but so did the climb to success. Glavine explains:
I set up a computer in the office that would receive emails. It wasn’t automated, so we’d get an email from PayPal saying Joe Smith sent fifty bucks. Then we’d have to update his account manually online. It was slow, so I set up this computer in the office that checked the PayPal email—that’s all it did. Then I changed the normal ping you get when you receive an email to a cash register sound. Every time we got an email from PayPal we’d hear “Cha-ching!” and me and John would go, “Yeah!”
Then I got to know some of the guys at PayPal. I started talking to the head IT guy. I was telling him about our system and he said they were working on a new automated system. I looked into it and then got it for Neteller. So now, when somebody sent money from PayPal, it would automatically update the Neteller account. So that took the cash machine computer out of it.
Then there came a point when Lawrence, Lefebvre, and Natland flew down to Palo Alto to talk to the PayPal IT guys. When they walked into the offices, the PayPal people were saying to each other, “That’s Jeff Natland! That’s Jeff Natland!” They couldn’t believe it—the guy whose account was churning millions of dollars was some eighteen-year-old kid.
The cordiality didn’t last. Lefebvre explains:
We were using PayPal to get money into our Neteller system, doing about $17,000 a week [$884,000 annualized] when PayPal shut down our account the first time. We sent emails and they’d send back those automated emails. We phoned them up and you couldn’t get through to anybody. It was, “Fuck! What are we going to do now?” And then, by some magic, about three days later, PayPal opened our account again.
And then, at about $70,000 a week [$3.6 million annualized], PayPal stopped it again and asked, “What are you guys doing?” We were scrambling. We were fucked. We were really running around. So we explained to them what we were doing. And then, within about two days, they said, “Okay, we don’t have any problem with that,” and they let us do it again.
Lefebvre estimates the company took about a month to reach $17,000 a week and another month to reach $70,000 a week. Neteller’s host still had no qualms—until relations got personal. Lefebvre explains,
Then, between $70,000 and $170,000 [$8.84 million annualized], an interesting thing happened. A guy signed up, Dan something, he was vice president of development, I think, at PayPal. He signed up under the name Jonathan Davis, which also happens to be the name of a rock star. So one of our guys says, “Hey, we got the lead singer for Korn signing up!” But our guy was kind of paranoid so he said, “I don’t fuckin’ believe it. It’s not him.”
So he phoned Dan and started asking questions and got him to admit, “Yeah, you’re right, I’m not that guy.”
“Well, then, who the fuck are ya?”
He said he worked at PayPal, and we knew we had him. “You lying bastard, we should nail you with fraud.” We froze his account for a few days and then, “Okay, if you apologize we’ll open it again.” PayPal began to understand that we had capable security procedures—which they didn’t. We phoned them, right?
• • •
Neteller’s security wasn’t always that good—far from it. There was a steep learning curve involved in developing antifraud measures, and Neteller got beat several times along that curve. The cons started early—even those faxed hard copies were an opportunity for the fraudsters. Glavine says, “The thing about money on the internet is somebody’s always trying to rip you off. Always. Guys would change the date on the faxes, right, and send it in again the next day or the day after.”
Edmunds says, “We were dealing with single highest-risk market going. A lot of gamblers are keen to get their money, and a little bit desperate. We got worked on by every scam going—whatever it takes.”
Edmunds and Glavine then say in unison: “Every single possible scam.”
When the team finally got their credit card processor up and running, the scams only got more outlandish. Glavine remembers,
Right around that time, this guy signed up. You could use as many credit cards as you wanted, right? You could use twenty credit cards, which a guy did. And we didn’t think anything of it. We were like, “Oh yeah, I guess it’s perfectly normal for a guy to have twenty credit cards—whatever.” So he accumulated all this money in his account, about $4,000, and then he wanted a withdrawal. He never did anything with the money, just deposited it from credit cards. And so he asked for a wire to be sent to Latvia. And we didn’t think anything of that, either! Well, hey, that’s common for a guy to use all these different credit cards and then ask for a transfer to Latvia. This went on for a few days.
So Johnny went to the bank to send this wire. As he’s at the bank I get all these credit card rejections coming back. I start looking at the account they’re on and every single one is on this one account. I think, Oh man! And I call Johnny. And he has literally just sent the wire. “Johnny, it’s all fraudulent!”
“Oh no!”
I don’t think we got that money back.
Edmunds concludes, “No, we didn’t. That’s how we found out about the wire system. It’s just this little telex train of information. You can’t call the telex back. All they do is send out another little recall that follows the telex train. It’s following the money; it isn’t going to pass the money.”
Glavine adds, “Another quick lesson learned in internet fraud. Twenty credit cards and Latvia? Somebody would just laugh now.”
“That’s when we started to come up with the banned country list,” says Edmunds.
“And we locked it down so a person could only use two credit cards in their account,” says Glavine. “This was the start of our security—the first little things we added to the system to lock it down.”
There were other guys from other former Soviet republics who figured out how to use phony credit cards on the Neteller website. An embarrassing incident in October 2001, for instance, involved a teenager from Belarus. Glavine recounts,
He got into our database and sent me a list of our customers’ passwords. For three days, things would happen on the website and we wouldn’t know how. I had to check every single bank number because this kid was going in and changing the numbers to ones he controlled in the U.S. Sophisticated hack.
Steve Lawrence tried to hire the kid. He talked to him quite a bit and got him on our side. He Western Unioned him 500 bucks or something—not much money to get the kid to lay off.
Breaches happened with some frequency before Neteller shifted from credit cards to electronic money transfer and before it devised an elevated system of security, wherein e
ach Neteller client had to prove he was legitimate with an initial $250 maximum deposit before the company would increase the limit. Even after this elevated system was put into place, some fraudsters would play legit with the two-fifty rule, in order to be accepted into the Neteller club, and then try to beat the company for a grand. Lefebvre says,
We began to discern those patterns of behavior. Before that, most of the time we got beat when we didn’t have those elevated steps at the gate. These guys—probably just hoods, guys trying to make an easy buck—would go to all the different sites on the internet that accepted credit cards to see if they could hack into the databases. If they hacked into one they could take legitimate credit card numbers and use them to open up Neteller accounts, make some bets and get us to send them a check, hopefully, before we found out we were being scammed. The last guy that beat us took us for $14,000, which was good money in Latvia in those days, especially if you didn’t have to take off your housecoat. It was the frontier out there.
With each successful scam, the Neteller team learned a new lesson in security and were forced to come up with new measures. Lefebvre says,
When we were trying to use Neteller SmartCard system, it came to us that the cards were just one more level of security. You still have to have a password, so why don’t you just have two passwords? Or have a password and a security code? Then we sent out the news release: “You thought Neteller SmartCards were smart, wait till you see no card!” That was our inside joke—we never really did that.
But we had a password and a six-number security code that prevented people from hacking into other people’s Neteller accounts. Like, I could find out what your Neteller username was somehow. Then, if you’re a woman, I’m ninety percent sure that the password is going to be your daughter’s birthday. So I go into your account and send all the money to my account. Funny, eh?
Security is way better now. Two layers of passwords are the standard. Now you have to have your credit card, plus the little number typed on the back of your credit card, plus a password. Or some people will use your email address and a password, and the password they send to you is the one they send to your email address. So you have to have your email password, plus their password. They don’t know your email password but you do, so the only way someone can hack your account is to get both your email password plus your password password. Those levels of security introduce an exponential problem for guys who are just out there running random numbers.
Neteller personnel became so proficient at security that it joined forces with the FBI—twice. One was for a fraud committed in New York, the other a Department of the Treasury money-laundering case. In the fraud case, a guy from Flushing, Queens, named Juju Jiang was putting keystroke software on computers in a Kinko’s store. People would come to Kinko’s to do their Neteller transactions (or private banking or whatever), and the keystroke program would relay the secure information back to the fraud artist’s home. He could sit in his robe, get into their Neteller accounts (or bank accounts), and transfer money to himself. One of the victims was a Neteller account holder, who marveled as he watched someone break into his account remotely. The client contacted Neteller and alerted them, and Neteller contacted the FBI.
In the money laundering case, Neteller had its system set up to monitor for accumulations and aggregations. If money was being transferred from a bunch of different accounts into one Neteller account, personnel decided “smurfing” could be happening. Originally, the fictional Smurfs would switch out a verb in a sentence for the one-size-fits-all “smurfing,” as in: I have to go smurfing for a new pair of runners. In the realm of fraud, the goal is to avoid detection. If you have a lot of cash and can’t put it in the bank without filling out papers to say where you got it, there are smurfing networks out there to help you out. Let’s say you need to get $500,000 into your bank account and don’t want anyone asking you where it came from. You give a smurf $5,000 in cash. The smurf deposits $4,500 in your bank account and keeps $500. You go back to the smurf network ninety-nine more times, and the job is done. It cost you fifty grand, one-tenth of your stockpile, but the rest is now safely in your account. In the smurfing case, Neteller personnel assumed an aggregation was happening and reported it to authorities. The FBI found the guy using Neteller’s systems to launder some kind of illegal money, possibly from drugs (Lefebvre was never certain). The FBI sent Neteller a citation in recognition of its help, and executives proudly hung the salute on a wall in its Calgary office.
Neteller was getting its act together on the security side while its fortunes started to turn around as a result of directing customers to its PayPal account. The company had given up on the expensive, cumbersome chip technology and started to embrace electronic funds transfer (EFT). It finally got a Visa account and clearance to deposit the receipts that had been lying around for weeks and months. The money was moving, and online gamblers were signing up for service at a brisk clip.
• • •
When Neteller’s transactions blew past $170,000, a mere six weeks after hitting $70,000 a week, and PayPal froze the account again, they didn’t bother phoning the useless main line. Lefebvre says,
We knew Dan’s number by then, right? He told us, “You guys have learned how to manipulate our system to fund the internet gaming industry, haven’t you?” We said, “U-u-u-u-h-h-h, maybe we better come down and meet you.”
So Steve Lawrence and I went down to Palo Alto in late March 2001 and had a meeting with them. PayPal’s proposal was: you’re getting free discount rates, and you’re not getting those anymore unless you run all your business through us. We still had our own credit cards, and we were still receiving money through Western Union. But what they meant by “running all your business through us” was not receiving money anymore but instead making all our bookies sign up with PayPal to receive the money—the merchant side of it. We would work out some sort of deal on that.
The free ride was over for Neteller—no more discounts. On top of that, PayPal had also discovered the obvious. Since Neteller was a customer, PayPal already had a built-in online gambling client base. “Yeah,” Lefebvre says, “it took them a long time to figure that out.”
PayPal gave Neteller three choices. Option one: PayPal does the accumulating exclusively in its partnership with Neteller. Option two: PayPal does some of the acquiring, but not exclusively, and for that right PayPal charges Neteller a preferred rate, like two percent. And option three: PayPal and Neteller aren’t partners, and Neteller gets dinged 3.25 percent, the top rate, for using PayPal’s system. “In other words, Lefebvre said, “the third alternative is you can tell us to go fuck ourselves and we can go toe to toe with you.”
For months PayPal had let Neteller make an excellent return right under its nose. That was no longer on. PayPal also caught on to something even more tantalizing: the glory of the “churn.” By making terms as attractive as possible for bookies, Neteller found it could keep a customer’s money in the system, betting over and over and over. PayPal finally understood that over half of every dollar in a Neteller account would eventually go to Neteller. Eyes opened wide, PayPal executives wanted in on that action.
There wasn’t much Lefebvre and Lawrence could do. Their initial reaction was, “Geez, don’t be so hasty,” but their gambit was over. Compared to PayPal their company was puny, about as puny as their market share would be once PayPal, one of the burgeoning internet age’s few instantly recognizable brand names, moved into its territory. It might even be game over for Lawrence and Lefebvre’s brilliant business plan. Neteller was now vulnerable, like a snail flushed out onto the sidewalk after a rainstorm. PayPal could scuff it into the ground. Maybe it ought to cooperate. Lefebvre recalls, “We said, ‘Well, listen, this is all very interesting. We’re honored that you’d consider doing business with us. We’re going to go and sharpen up our pencils and see where we feel we should be landing with you.’”
And then th
e two Neteller cofounders left PayPal headquarters and grabbed a cab. About five minutes into the twenty-mile ride from Palo Alto to San Francisco International, they started talking about the deal on the table. Lefebvre recounts the conversation:
“What do you think?” asked Lefebvre.
“I don’t think we need those guys,” replied Lawrence.
“Really, do you think we can get credit card transfers?”
“Yeah, and we’re getting really close on EFT, too, so …”
“You know what, if we work with them as partners they’re going to control us and try to tell us what we can do, what we can’t do. It’s us completely giving up our autonomy. Why wouldn’t they just use us to learn the system and then just kick us the fuck out and take over? They’ve got all the same infrastructure we’ve got. We would be lambs to the slaughter if we did any business with these guys—they’re setting us up!”
Lawrence didn’t interrupt Lefebvre’s rant.
“We’re getting really close to football season,” he continued, “so if we’re gonna dump ’em, let’s dump ’em right now so we can get used to running without them. Once football season starts we’ll be used to running without ’em.”
“Yup,” said Neteller’s CEO, “that’s what we should do.”
Lefebvre concludes, “So we phone Calgary and Steve says to Glav, ‘Take PayPal off our site. Send out messages to all your PayPal guys, tell them to get their money into Neteller because we’re taking PayPal off our site by tomorrow.’”
Glavine started to freak. What about the numbers? Guys, they don’t lie. Glavine knew how much of Neteller’s business went through PayPal—ninety-five percent. It sounded like financial hara-kiri to him. Glavine recalls the scary moment: