security team training


Upload: franksobotka

Post on 24-May-2015


Page 1: Security team training

Security Team Training *Fraud*

Page 2: Security team training

Overview

1a. Handling an account that we received a chargeback for.
1b. Handling an account suspended/trapped due to association with chargeback player (1a.)
2a. Hacked Accounts – Friend/Family Member/Friendly Fraud
2b. Hacked Accounts – Hoax / Keylogger / Foreign Login
3. Trapped Accounts – When to stay shut, when to open, serials to untrap, looking for other emails from trapped players.
4. Off-site transfers / chat scam victims
5. FirePay / Nexum deactivations/associations
6. Affiliate Fraud – Cost per acquisition fraud
7. Processing ID and when to request it
8. Bookkeeping – Trap/Untrap/Seizure Log and emailing Dublin.

Page 3: Security team training

1a. Handling an account that we received a chargeback for.

EXAMPLE: Player- vtmc (Kana ID: 806126)
S:\FTP_Fraud_Department\TEMPLATES\CC Processor Templates

1. Receive email from customer asking why account is closed.
2. Issue template (1.) explaining chargeback and possible descriptor confusion.
3. Player emails back wanting to repay debt. Issue template 2a or 2b.
4. Review account to work out discrepancy whether we owe player, or they owe us.
   a) If we owe player, then submit a report to Dublin to have funds re-deposited. (email [email protected]@tiltware.com and [email protected]@tiltware.com)
   b) If player owes us, then we reopen account with limited access and have player email us once funds have been deposited/transferred in. We will then send email to Dublin to have funds seized. ([email protected]@tiltware.com)
5. Once action has been taken by Dublin, then remove all restrictions on account and email player. Issue template 3.

Page 4: Security team training

1b. Handling an account suspended/trapped due to association with chargeback player (1a.)

EXAMPLE: Player- bigbrad95 (Kana ID: 833964)

1. Issue template 'S:\FTP_Fraud_Department\TEMPLATES\CC Processor Templates\Trapped through association with chargeback.txt'
2. Add an alert on the account that received the chargeback, instructing that the associated player be reopened should the CB be repaid.

Page 5: Security team training

Reading Know100

- Run a Know100 with a big threshold like 9999999
- We are looking for a foreign login over the past few days.

Foreign Logins

Clean logins

Page 6: Security team training

Evidence of chip dumping

Page 7: Security team training

2a. Hacked Accounts – Friend/Family Member/Friendly Fraud

S:\FTP_Fraud_Department\TEMPLATES\Hacked Templates

- We will not reimburse players for their losses. Password security is the player's responsibility.
- Reopen account with restrictions (no chat/play/transfer/deposit)
- Player will then email back confirming password change. Review logins to make sure the change occurred from primary/secondary computer. Then remove restrictions.

Page 8: Security team training

Example: soti892 (Kana ID: 778096)

- Run know100 (99999999 threshold)
- Enter know100 into ‘Where’s My Money Tool’
- Work out how much money was lost during session.
- Match up session with login information
- See if funds were dumped or not (win/loss report or tourney results)
- Time at tables is usually a good indication of dump
- Email player appropriate template

Page 9: Security team training

2b. Hacked Accounts – Hoax / Keylogger / Foreign Login

- Foreign login found – run a ‘Serial Relationship by Serial Key’ to determine who is the primary player who uses that serial
- Has the player shared player-to-player transfers or serials with them before?
- Were there several accounts compromised by that one serial? Most likely a hoax website or some other phishing scam.
- If funds were dumped, then please review the hands to see if it was a pure dump, or it was a big hand. If it was a pure dump, suspend the account.
- Reopen account with restrictions. Ask player to email in once password has been changed. Review logins to make sure the change occurred from primary/secondary computer. Then remove restrictions.

Example: 5dollahobo

Page 10: Security team training

3. Trapped accounts - When to stay shut, when to open, serials to untrap, looking for other emails from trapped players.

- Find out why original account was trapped. If trapped due to CC fraud, account hacking or collusion, then be harsher on allowing players to return.
- Determine how close association is. Are logins from the same computer minutes/seconds apart?
- Must use discretion. Take into account how close the logins are to other accounts (multis found?), FullTiltPoints, cash balance, serial relationship etc.
- If player is to be reopened, get serials untrapped, untrap player and email template: frd.ass.reopen
- If player is to stay shut, but funds are clean, then email player template: frd.ass.close.funds
- Untrapping serials: Untrap primary serial plus others that player has logged into many times before. Have a TL untrap the list of serials for you.
- Be sure to inform player about the consequences of sharing computers

Page 11: Security team training

3. Trapped accounts - Tips

- Take the initiative to clear any other accounts that are not multiples that have been trapped. Especially those that have over 20 cash game sessions or any real money balance.
- Untrap any possible multiples (session count 0, and have logged in within seconds of trapped acct) then pause them. This way they won't trap themselves at a later date. No need to email.
- Be sure to notate in log file (to be discussed later)
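
The serial relationship review from sections 2b and 3, sketched as an added example (not part of the original slides and not the output of Know100 or any Full Tilt tool). The record layout, account names and serial keys are constructed, and "primary player" is assumed to mean the account with the most logins on a serial.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample logins (account, serial key, timestamp); not real data.
LOGINS = [
    ("alice", "SER-A", "2015-05-01T10:00:00"),
    ("alice", "SER-A", "2015-05-02T11:00:00"),
    ("bob", "SER-B", "2015-05-01T12:00:00"),
    ("bob", "SER-B", "2015-05-02T12:05:00"),
    ("mallory", "SER-X", "2015-05-01T08:00:00"),
    ("mallory", "SER-X", "2015-05-02T08:00:00"),
    ("alice", "SER-X", "2015-05-04T03:00:00"),
    ("bob", "SER-X", "2015-05-04T03:00:40"),
]

def most_common_by(logins, key, value):
    """For each logins[key] value, return the logins[value] seen most often."""
    counts = defaultdict(Counter)
    for row in logins:
        counts[row[key]][row[value]] += 1
    return {k: c.most_common(1)[0][0] for k, c in counts.items()}

def serial_report(logins):
    """Group foreign logins by serial and name the serial's primary player."""
    primary = most_common_by(logins, 1, 0)   # serial -> usual account
    home = most_common_by(logins, 0, 1)      # account -> usual serial
    hits = defaultdict(set)
    for account, serial, _ in logins:
        # Foreign login: not the account's usual serial, and the serial
        # mainly belongs to a different account.
        if serial != home[account] and primary[serial] != account:
            hits[serial].add(account)
    return {s: {"primary": primary[s], "foreign_accounts": sorted(accts),
                "several_accounts": len(accts) > 1}
            for s, accts in hits.items()}

def min_gap_seconds(logins, serial, acct_a, acct_b):
    """Smallest gap between two accounts' logins on one serial, or None."""
    def times(acct):
        return [datetime.fromisoformat(t) for a, s, t in logins
                if a == acct and s == serial]
    return min((abs((x - y).total_seconds())
                for x in times(acct_a) for y in times(acct_b)), default=None)

if __name__ == "__main__":
    print(serial_report(LOGINS))
    print(min_gap_seconds(LOGINS, "SER-X", "alice", "bob"))
```

A serial with `several_accounts` set matches the "several accounts compromised by that one serial" case in 2b, and a gap of seconds between two accounts on one serial is the closeness signal section 3 asks the analyst to weigh.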

Page 12: Security team training

4. Off-site transfers / chat scam victims

- If we have strong evidence that they were scammed, then we will intervene and return any funds recovered.
- WSOP seat scammer is always asking people for $ in exchange for WSOP seat / tournament entry on FTP.
- Example: Mkind016
- ‘Guess who this is?’ scammer.
- Often the funds are sent on another site. If at PokerStars, then we can contact [email protected]@pokerstars.com. They can confirm if a transfer took place / freeze accounts.
- To return the funds, please email [email protected]@tiltware.com and [email protected]@tiltware.com with the details.

Page 13: Security team training

5. FirePay / Nexum deactivations/associations

- All FirePay issues currently handled by Sarah Campbell.
- Route FirePay emails directly to the FirePay queue.
- This includes multiple accounts whose primary was suspended for FirePay deactivation.
- FirePay debts are handled like CC disputes. Player will get chance to repay debt.
- Additional team members to be trained
- Nexum deactivations are advised to contact Nexum to resolve their issues.
- If player confirms they have resolved their issue, we can contact Nexum from [email protected] to get confirmation on account status.

Page 14: Security team training

6. Affiliate Fraud – Cost per acquisition fraud

S:\FTP_Fraud_Department\AFFILIATE FRAUD\PROCEDURE\Affiliate Fraud Procedure.doc

- Quite rare. People create a lot of multiple accounts, play for 100 - 200 Full Tilt Points, and then withdraw. Often from China/Vietnam.
- Now handled by the Affiliate Department.

Page 15: Security team training

7. Processing ID and when to request it

S:\FTP_Fraud_Department\TEMPLATES\ID Docs Templates

- ID requested for proof of credit card ownership. Authorization form must be attached. Template: (Fraud) ID Docs & Auth Form.txt
- For proof of credit card ownership we will only accept scanned copies. No faxes. No printing. Save ID in: S:\FTP_Fraud_Department\IDENTIFICATION
- ID also requested for verifying identity in hacked account cases and multiple accounts. These can be processed like normal ID and filed away. We will accept faxes.
- For verification of identity and not CC ownership, please include note on account: ‘Any CSR may process this ID. Please IR player that docs were verified and route follow-up to fraud queue.’

Page 16: Security team training

8. Bookkeeping – Trap/Untrap/Seizure Log and emailing Dublin.

S:\FTP_Fraud_Department\Analyst Weekly Log Files

- All accounts that action has been taken on (trap or untrap) must be included in this spreadsheet.
- For any non-urgent seizure requests, please add to the seizure request tab.
- For urgent seizures, please send to [email protected] and [email protected]@tiltware.com
- All logs are compiled at the end of the week and sent off to Dublin

Page 17: Security team training

Contacts:

- Gil Coronado – The big kahuna ([email protected])
- David Quach – The boss ([email protected])
- James Ma - Ops Manager ([email protected])
- Brad Jorgensen – Morning TL ([email protected])
- Chris Fox – Swing TL ([email protected])
- Kevin Lee – Grave TL ([email protected])

Security Team Mailing List – ([email protected])

Fraud Operations Box – ([email protected])