
The Economy of Online Crime 119

hdtv writes "You might call them thugs or thieves, but on their own closed forums and referral-only Web sites, they value honesty and reputation. Fortune magazine looks into the black market for stolen credit card numbers and identities. What's interesting is that so few of the criminals retrieve their information via breaking into online stores." From the article: "Gaffan says these credit card numbers and data are almost never obtained by criminals as a result of legitimate online card use. More often the fraudsters get them through offline credit card number thefts in places like restaurants, when computer tapes are stolen or lost, or using 'pharming' sites, which mimic a genuine bank site and dupe cardholders into entering precious private information. Another source of credit card data are the very common 'phishing' scams, in which an e-mail that looks like it's from a bank prompts someone to hand over personal data."
This discussion has been archived. No new comments can be posted.

  • pharming? (Score:3, Informative)

    by ergo98 ( 9391 ) on Saturday May 13, 2006 @09:40PM (#15327502) Homepage Journal
    Isn't pharming when DNS is actually hacked in some manner? How many cases of this actually happening have been documented? Simply setting up a website that mimics a legitimate financial institution or pertinent party (e.g. Ebay), is, and has always been, phishing. The phishing emails are just lures to the bait of the phishing websites.
  • by Anonymous Coward on Saturday May 13, 2006 @10:36PM (#15327705)
    I was under the impression that most modern equipment only prints the last 4 numbers of the card on the receipt.
  • Re:Rumpelstiltskin (Score:5, Informative)

    by rabel ( 531545 ) on Saturday May 13, 2006 @10:43PM (#15327727)
    Remember that you don't sign the receipt as "authentication", you sign it to indicate you agree to the terms of the credit. That's the only purpose. If a store attempts to verify your signature against the back of the credit card, well, that's sort of bonus, but not required by the credit company.

    For reference, see this link [zug.com]

    In my own life, I have my daughter sign the credit card bill (and compute the tip, if necessary) and since she's an art student she has been coming up with some pretty creative signature designs.
  • Amazing complexity (Score:5, Informative)

    by iamdrscience ( 541136 ) on Saturday May 13, 2006 @11:15PM (#15327801) Homepage
    I've been to one of these credit card forums (not as a user, I don't have that kind of moral flexibility) and the thoroughness of these forums is quite amazing. The one I went to in particular required that if you wanted to sell something, i.e. CC numbers, fake IDs, card skimming equipment (ATM bezels and strip readers), etc. you first had to provide free samples to the administrators of the forum to verify the quality of your product. If your product was found to be satisfactory, you would be allowed to sell your products, but first you had to put up a certain amount of cash (like $500, iirc) to be held by the administrators -- this cash would be used to refund your customers' money in case you didn't deliver your products to them.
  • by 44BSD ( 701309 ) on Sunday May 14, 2006 @12:10AM (#15327979)
    Interesting. IANAL, but it looks like your B+B better get with the program, or it will be breaking a federal law [gpo.gov]:
    SEC. 113. TRUNCATION OF CREDIT CARD AND DEBIT CARD ACCOUNT NUMBERS.

    Section 605 of the Fair Credit Reporting Act (15 U.S.C. 1681c) is
    amended by adding at the end the following:
    ``(g) Truncation of Credit Card and Debit Card Numbers.--
    ``(1) In general.--Except as otherwise provided in this
    subsection, no person that accepts credit cards or debit cards
    for the transaction of business shall print more than the last 5
    digits of the card number or the expiration date upon any
    receipt provided to the cardholder at the point of the sale or
    transaction.
    ``(2) Limitation.--This <<NOTE: Applicability.>> subsection
    shall apply only to receipts that are electronically printed,
    and shall not apply to transactions in which the sole means of
    recording a credit card or debit card account number is by
    handwriting or by an imprint or copy of the card.
  • by omegashenron ( 942375 ) on Sunday May 14, 2006 @12:19AM (#15328015)
    We are in Australia, not the USA
  • by Anonymous Coward on Sunday May 14, 2006 @12:31AM (#15328058)
    I am one of the people who tries to plug the holes, and build the systems that help our agents fix fraud. So I know my way around some of this stuff, and I'd like to clear up a few things.

    - I don't know how things were "back in the day", but these days, if a family member racks up a credit card bill without permission, and the cardholder won't press criminal charges and file a police report, the cardholder is stuck with the bill. That said, if a merchant just gets approval from "the cardholder's wife", then it's no wonder the merchant got stuck holding the bill and with a penalty to boot. Both are part of the agreement you signed that allowed you to accept credit cards. You did read that, right? Just askin'.

    -Banks are actually very serious about stopping fraud. Not only do banks end up covering a fair amount of the tab because the hoops you have to jump through to get Visa/MC to cover it get harder and harder (and in the world of banking, profits are generated by pennies a transaction, so even $50 of fraud is significant in terms of lost profits), but all the major issuers understand that no one wants to be the next one caught with their security wanting. The bad press associated with lost laptops, wayward tapes and hacked websites is something no one wants - and, in fact, it practically killed CardSystems. We are under major pressure to make sure our bank isn't next - because you do lose a lot of customers from this sort of thing. And reissuing cards to a swath of cardholders is both expensive and time-consuming. The bank I work for hasn't been involved in any of this so far, but we make a point not to brag about it - it just invites trouble.

    -You DO sign the receipt as a verification. Signatures are not necessary for certain types of transactions, or for transactions under a certain fairly low limit, but if there is fraud or a dispute, the merchant has to produce the signature. Or they lose the dispute. This is why many merchants now use the CVV2, although, as you can probably infer from the story, it also is not perfect.

    -Why the cheap price for high-limit cards? Because actually using them is much riskier than stealing them. Either you need your ill-gotten gains shipped somewhere, or you need to show up somewhere in-person. Or you go for fairly small stuff. In any case, it's a lot more risky than the number theft, and if you steal numbers, you probably sell a batch at a time. With the risk goes the reward, so to speak.

    -Phishing, we're working on that too. All the major issuers have places on their websites where you can report phishing activities. Do so, whenever you see it. And the major issuers are also all conducting informational campaigns, trying to teach people what a legitimate communication looks like.

    Overall, though, massive card number theft is unusual. Most people lose their information by losing their wallet, being careless with their info (like with phishing), or by a family member/friend up to no good.
  • by shmlco ( 594907 ) on Sunday May 14, 2006 @03:42AM (#15328525) Homepage
    Apparently your degrees aren't advanced enough. While they might have had access to your addresses, at no point in time did they have access to your credit card information. When asked Amazon only shows the last four digits of your card, not the complete number. Moreover, should they have attempted to buy something and have it shipped to them, Amazon would have asked for a new number.

    About the worst they could have done was order 500 romance novels in your name and have them delivered to you. The modern equivalent of the "you ordered a pizza" gag.
  • Re:Why so cheap? (Score:3, Informative)

    by patio11 ( 857072 ) on Sunday May 14, 2006 @04:30AM (#15328643)
    All of the illegal stuff gets *expensive* fast. I lurk over at specialham.com, the spammer forum, to keep abreast of new changes I need to make to the spam filter I'm coding. People want several hundred dollars for a script to verify addresses for one major ISP, etc. And "cashers" have the most dangerous job in the criminal supply chain, since they're the ones that have to associate a physical identity (even a fake or obfuscated one) with the theft to make their money. The guy who just nabs the information, on the other hand, just has to go to the forum/IRC channel, demonstrate his bona-fides, and then arrange a swap with payment dropped into some blind eGold account (the black market doesn't apparently like paypal that much, from what I've seen).
