Four Security Lessons From The Tinder Swindler

Netflix’s The Tinder Swindler is a salacious tale of online dating gone wrong. As with most stories about love and money, it’s easy to understand the appeal. Unfortunately, that tabloid sheen can distract from the fact that the titular swindler, Simon Leviev, was a real fraudster with real victims who exploited real gaps in the current security infrastructure.

With that in mind, it’s worth taking a closer look at the movie to figure out just how Leviev (born Shimon Yehuda Hayut) was able to con victims out of more than $10 million over the course of several years. The Tinder Swindler focuses primarily on the stories of Cecilie Fjellhøy, Pernilla Sjöholm, and Ayleen Charlotte, but they were not Leviev’s only victims, and there are countless other con artists executing schemes all over the world at any given time.

The question, then, is what can stakeholders do to catch fraudsters like Simon Leviev? These are some of the main security lessons we can learn from The Tinder Swindler.

The Human Element

At the most basic level, The Tinder Swindler once again demonstrates that humans are the most vulnerable component of any security system. Anti-fraud programs can send up red flags if someone starts making strange purchases with a credit card, but those protections are largely meaningless if the victim is willing to corroborate that activity.

In The Tinder Swindler, Cecilie Fjellhøy’s story is the best example of those limitations. Simon Leviev was very good at building trust with his marks. He would only ask for money after showering them with lavish experiences, which spoke to his financial means and made his fraud seem more like a tit-for-tat exchange rather than a con (at least at first). As a result, Fjellhøy was willing to trust him with her American Express card to help Leviev during an emergency.

Of course, Leviev’s profligate spending habits immediately set off red flags with American Express, since they were out of line with Fjellhøy’s own habits, and the purchases were being made in a different country from the one in which she resided. In that regard, The Tinder Swindler indicates that current anti-fraud monitoring is effective, since it was able to identify strange purchases and blocked the card until the issue could be resolved.

The problem is that Fjellhøy was willing to claim the expenses as the true owner of the card. Since she voluntarily signed off on Leviev’s story, all of his purchases became legitimate from the perspective of American Express.

In all likelihood, financial institutions will always struggle with fraud that is rooted in such a deeply intimate connection. Many people in committed relationships share financial information with loved ones or family members. That is often done without any nefarious intent, since access to financial resources can be critical when someone is dealing with a legitimate crisis.

To thwart a schemer like Leviev, American Express would essentially need to automate all of its blocking decisions, and maintain those blocks even after speaking with a cardholder who wants to restore their account. However, that state of affairs may not be desirable, and comes with many of its own problems. Any decision-making algorithm would be extremely vulnerable to bias, and could block purchases that are in fact legitimate. Such a policy could also be unpopular with customers, since it strips them of a degree of financial autonomy. There are many people who want to be able to provide support for the people closest to them, and may place more value on that than they do on a truly airtight fraud prevention system.

The takeaway is that there may be no such thing as perfect defense in a system with human agency. As long as people are willing to trust one another, there will be bad actors who try to take advantage of that kindness.

Papers, Papers, Papers

That’s not to say that financial institutions couldn’t be doing more to protect their customers. Fjellhøy’s participation may have made it difficult to stop Leviev’s actual purchases, since she was the primary point of contact. Leviev took pains to avoid any personal interaction with card issuers, which allowed him to distance himself from his activities.

However, Leviev’s jet-setting scheme was international in scope, and there are several points in The Tinder Swindler in which he had to step forward to take a more hands-on approach. Any one of those contact points represents a missed opportunity, in the sense that more advanced anti-fraud technology might have set off an alarm and allowed the authorities to step in.

Leviev’s repeated forgeries are the most significant thing that stands out in that regard. By the events of The Tinder Swinlder, Leviev had already stopped using his birth name and was traveling all over Europe with a collection of aliases and fake passports. Border agents should have noticed something was amiss each time he went through customs, yet Leviev was able to travel virtually unimpeded despite being a convicted felon, and only got caught when Charlotte sent a tip to let authorities know exactly which plane he was on while it was in the air.

Some of that can be attributed to the fact that Leviev was active within the European Union, which does not always require document checks for citizens traveling internally. Even so, Leviev himself was born in Israel, and some of his success can likely be attributed to poor document security. Modern passport booklets come with features like polycarbonate data pages and built-in chips that store the individual’s biometric information, and those new technologies make it more difficult to produce forgeries that will pass official muster.

The widespread adoption of those booklets could have hindered Leviev’s activities. His regular travel (and his frequent use of private jets) lent a degree of legitimacy to his claims about his wealth and status. Taking that away would hinder his ability to sell those particular lies.

 Who Do You Work For?

Leviev’s duplicity was not limited to fake passports. He also forged checks, transaction statements, and employment records to create the paper trail that he needed to maintain his scheme.

The last of those three is the most noteworthy from a security perspective. The fake checks and transaction statements were designed to fool his victims rather than the banks, and it is highly unlikely that he expected (or even wanted) any of those checks to clear. The fact that they didn’t get processed suggests that they were not sophisticated enough to get past modern financial security, and could only fool civilians who have not been trained to spot discrepancies.

The fake employment records, on the other hand, are far more concerning because they were used to trick large financial institutions. In The Tinder Swindler, Leviev provides Fjellhøy with a fake earnings statement that indicates that she is making more than $94,000 a month while working for the Leviev Group. That statement was the sole piece of evidence used to convince American Express to raise Fjellhøy’s credit limit well beyond what it would have been based on her actual income.

Leviev took advantage of that to run up expenses on the card and drive Fjellhøy further into debt. The extent of the damage would have been much smaller had American Express not accepted his forgery at face value. Better risk screening could have uncovered a discrepancy or at least a pattern, since Leviev presumably used similar techniques to con his other victims.

The fact that Leviev masqueraded as a member of a real company (and a real family) adds another layer of intrigue. In the movie, it’s unclear whether or not Simon’s fake statement is supposed to come from a real Leviev organization, or whether or not it is a front that remains in Simon’s control. Either way, Simon Leviev would not have shown up in LLD Diamond’s own employment records, and more due diligence could have unearthed that paper trail (or a lack thereof). The actual Leviev family is now suing Simon for false representation. Given the scale of Simon’s lies, the fact that no one ever noticed what he was up to indicates that there are still some sizable gaps in current risk screening solutions.

Let’s Get Verified

Finally, there is the matter of Tinder itself. At the time depicted in the film, Tinder did not require any form of identity verification, so it was easy for Leviev to set up an account with his chosen alias. Thanks to stories like The Tinder Swindler, many dating apps now recognize that that lowers the amount of trust that customers have when engaging with their platform. Apps are consequently starting to integrate some form of identity verification into their onboarding process to combat fraud, echoing a trend seen in other industries in the past few years.

The most common remote onboarding solutions ask new users to submit a selfie and a picture of a photo ID when they make an account. The solutions use facial recognition to match the selfie to the ID, and document verification to confirm that the ID is legitimate.

The latter part of that check presents a potential problem for someone like Leviev, who frequently did business with fake documents. Fake driver’s licenses and fake passports can be cross-referenced with official records, so the more times a fake document is scanned, the more likely it is to set off an alarm with financial institutions and law enforcement.

Leviev’s own dating prospects have diminished, if only because many dating apps have personally banned him since he became a household name. There are nevertheless plenty of other aspiring con artists looking to follow in his footsteps, and better onboarding could prevent the next Leviev from connecting with victims through real businesses like Tinder.

For its part, Tinder seems to have learned its lesson. The company is already rolling out its own ID verification feature, after trialing the solution in Japan in 2019. No business wants to be associated with a fraudster like Simon Leviev, and better fraud prevention tech will be crucial as Tinder looks to distance itself from the world’s worst date.

–

April 20, 2022 – by Eric Weiss