The Economy of Online Crime

hdtv writes "You might call the thugs or thieves, but on their own closed forums and referral-only Web sites, they value honesty and reputation. Fortune magazine looks into the black market for stolen credit card numbers and identities. What's interesting is that so few of the criminals retrieve their information via breaking into online stores." From the article: "Gaffan says these credit card numbers and data are almost never obtained by criminals as a result of legitimate online card use. More often the fraudsters get them through offline credit card number thefts in places like restaurants, when computer tapes are stolen or lost, or using 'pharming' sites, which mimic a genuine bank site and dupe cardholders into entering precious private information. Another source of credit card data are the very common 'phishing' scams, in which an e-mail that looks like it's from a bank prompts someone to hand over personal data."

The Problem Is The Credit Card

[omegashenron]

I work at a b&b where we continually get reservations by people wanting to pay with a credit card. Our customers make their bookings over the phone, fax and even e-mail - to process a payment, all we need is the card number and expiry date. When a receipt is printed (from entering the numbers), it actually has the card details on it!

I have seen many people collect their receipts from us upon checkin and just throw them away, without any thought about the information contained. Anyone willing to stick their hand in the bin would be able to collect these numbers for themselves.

I often think a better credit card system would be to have a credit card number and require the use of a temporary code for a transaction to take place (similar to my online banking) where we have an electronic device [hsbc.com.au] which has a changing code, of course, this would only be practical for over the phone and website bookings rather than fax/e-mail (although fax/e-mail bookings are insecure now as e-mails may not be deleted from the system and fax's could be just thrown away with the numbers on them).

My First Credit Card Theft

[Anonymous Coward]

my first credit card theft occured in the mid-80s while living in Indianapolis... i used my Amex card to pay for dinner with friends at a local Japanese restaurant... i rarely used the card (and have never been over my head w/CC debt), but was surprised to see a charge from a florist in Chicago...

this really ticked me off, so i called the florist, got the order number, product, and phone number and address of the delivery...

apparently, someone at the restaurant had a girlfriend in Chicago, and used my card number to order flowers delivered there...

i called the girlfriend and told her that the flowers she received were purchased with a stolen card and that i would be contacting the police...

next, i called Amex... to my amazement, even back then, they really didn't give a rat's patootie about the fraud - i had to force my info on the customer service rep - although the info was taken...

i was never subsequently contacted, so AFAIK, the scumbag got away with credit card fraud...

my only consolation was that the dipstick wasn't going to be getting any anymore! :-)

Why so cheap?

[Beryllium Sphere(tm)]

>$3 per CVV, or $20 for a card number with CVV and the user's date of birth

For a card which may have a $10,000 credit limit or higher. Either it's hard to turn a stolen card into money, or the supply is more than meeting the demand.

Contrariwise, why so expensive? Mail theft rings, bribed insiders, credit report lookups by crooked merchants -- there are so many sources that maybe the price should be lower. After all, what's the cost of a botnet PC to a crook who wants to use it?

The real victims of cc fraud: merchants

[Zaphod2016]

Back in the day, I had a small business where I accepted the "big 4" credit cards. We were selling sporting gear via mail order and the web.

One day, some kid called up and placed a decent-sized order for about $1,000 worth of gear. Naturally, I demanded to speak with the card holder, and he put his mom on the line who prompty told me "no problem".

Week later, Dad calls me up furious. You guessed it: divorce. Kid and mom are getting back at a dead beat dad, and he's none too amused about it. Dad calls the CC issuer, demands a chargeback. I get hit for $1,000 refund, plus the fees coming in, plus the fees going out, plus some other "service charges" for the "bad order".

Of course...I'm still out $1,000 in gear! I call mom and kid, explain that *I* am none too amused either, and that I'd like my gear back. She implies that my parents were never married, and that I might wish to visit Satan.

Having accepted that this situation could only get worse, I called the police. They explained that no crime had occured: a) mom had "paid" for the goods and b) she had the legal right to use her husband's credit card. I called my bank, and my credit card services, and they each told me it was my own damn fault for selling a quality product at a fair price and that no one could force her to mail back goods because (by then) she was claiming she had never recieved the order in the first place.

I am sure some merchants have done lousy things, but as one of the "good guys" it simply blows my mind when I think about this, even now years later.

Epilogue: never got the gear back, but funny enough, I *did* win about a grand from a scratch off ticket the week I closed the business. Save your mod points, I must have some real karma around here somewhere. =)

pharming? rare?

[wjsroot]

Its very easy to do on wireless networks. There is a program called KARMA which will make a wifi card mimic an AP. It waits for computers to probe for a SSID and then mimics an AP with that SSID. once they think your computer is an AP its amazingly easy to phish them for data. Makes you wonder about all of those places with free wireless (St*rbucks, P@nera)...

Re:I do systems work for a major card issuer....

[mike2R]

I don't know exactly where you are in the chain, but the impression from a merchants point of view is that no one gives a rat's arse about (cardholder not present) fraud except the merchant. We cover 100% of the losses, we even get charged a handling fee on chargebacks!

I'm not really disagreeing that the merchant should be resposible for most, or even all, of carholder not present losses. I'm just irritated by the complete lack of interest from card issuers, merchant service providers and the police.

A lot of fraud attempts are blindingly obvious, and when you get an order like that you not only know it's a fraud, you know where the fraudster is going to be to receive the parcel. It seems so easy for police to dress as couriers, deliver a dummy parcel, and nick whoever signs for it - I even know of this being done once, many years ago.

However the police don't care when they get a call from a merchant over an attempted petty crime. The big card companies - who could certainly work with the police to set up some sort of scheme to do this - don't care because they don't suffer finacially.

The problem at the moment is that online/mailorder fraud is virtualy a risk free business. It should and could be a very risky one if anyone could be bothered to make it so, but they can't.