The Economy of Online Crime
hdtv writes "You might call them thugs or thieves, but on their own closed forums and referral-only Web sites, they value honesty and reputation. Fortune magazine looks into the black market for stolen credit card numbers and identities. What's interesting is that so few of the criminals retrieve their information via breaking into online stores." From the article: "Gaffan says these credit card numbers and data are almost never obtained by criminals as a result of legitimate online card use. More often the fraudsters get them through offline credit card number thefts in places like restaurants, when computer tapes are stolen or lost, or using 'pharming' sites, which mimic a genuine bank site and dupe cardholders into entering precious private information. Another source of credit card data are the very common 'phishing' scams, in which an e-mail that looks like it's from a bank prompts someone to hand over personal data."
pharming? (Score:3, Informative)
Re:pharming? (Score:5, Funny)
Re:pharming? (Score:2, Funny)
Here's a hint; if it only has one teat instead of four
pharming? rare? (Score:2, Interesting)
Re:pharming? rare? (Score:2)
Re:pharming? (Score:1)
Re:pharming? (Score:1)
If you have malicious code on their machine, then the rest is easy game anyways. Changing hosts files seems to be one of the least likely scenarios, and it'd be much easier, and more powerful, and likely to succeed, to simply keylog when t
Re:pharming? (Score:2)
Is there a source that... (Score:2)
Re:Is there a source that... (Score:2)
Re:Will the real site please stand up. (Score:3, Funny)
But then your bladder might exshplode.
Re:Will the real site please stand up. (Score:4, Insightful)
Here's the problem: the whole rationale behind the process goes WAY over the head of the average user. I watch my non-technical sister signing up for this thing. You might as well have written the interface in Chinese (oh, bad example, she reads that fine -- Swahili, then). And I had to spend 15 minutes looking through pages of randomly generated photos (they're all clipart of iconic things -- a bowl of fruit, a watch, etc) until I found one that I'd remember after two months without seeing it. For my mother (the archetypical phishing victim, knows nothing about technology and forwards every "If you send this to 15 people Bill Gates will cure cancer!" email she gets), I think this whole process would be hopeless.
Re:Will the real site please stand up. (Score:1)
"We're sorry, but our new picture verification is currently offline. Bank Of America apologies for the inconvenience this may cause, we are doing everything we can to fix it. In the meantime, please log on as you would normally without the picture. Thank you."
Easy. Picture verification security by-passed. Understanding customer ("These computers are always breaking, aren't they? Good job the website's still up though.") logs
Re:Will the real site please stand up. (Score:1)
One advantage might be that the bank's website would notice there is a large number of attempted logins from different users all coming from the same machine. But this is no longer true if in addition copies of the phish
Phising getting more and more "important" (Score:5, Insightful)
It's interesting. Place a person, a very clever person, with a master's degree in commerce or law, with a Ph.D., people who're worth their 6 digits a year, place them in front of a computer and you will be amazed. Something inside this computer turns the smartest person into a gullible idiot.
Ok, idiot being too hard a word. But it is VERY intriguing to see people who would never ever fall for a con job in real life to fall without even thinking twice for one online.
And I wonder why. What makes an e-mail more credible than snail mail? If they got a mail from their "bank", telling them to send their CC number or other details, they would NEVER do that. Online? No problem.
Why? Why are online scams so much more successful than offline?
Re:Phising getting more and more "important" (Score:1, Funny)
Re:Phising getting more and more "important" (Score:2)
It can't be. I mean, anyone could write anything on the 'net. Or are we already so indoctrinated to believe anything said "on TV" (and I can quite easily see people being unable to discriminate between the 'net and TV) has to be invariably true?
Non-stupid person? No such thing! (Score:1)
Re:Phising getting more and more "important" (Score:5, Insightful)
It's easier to attempt to scam more people at a time online, thus the ratio of suckers is higher.
Also, and more importantly, most people still don't understand the internet / web / email, etc and how it all works. So they're going to be in a far more vulnerable position online. Most people don't think to check to see what web site that link takes them to - it looks like eBay - that's good enough. Most people wouldn't even think to look at that ugly URL bar in the browser and why would they - they can't make sense of it - dozens of letters, numbers and squiggles.
Learning the internet is like learning another language and another culture in the real world and it can take a great deal of time and experience to get to grips with it. For example, I bet it's much easier to scam a tourist or a new immigrant visiting your local country than it is to scam them in their home country.
You move to a new country - most people will learn as much as they can about it. You want to use the internet? Same thing - but how many people are there who really want to learn about it - most people just want to use it but it doesn't work that way. Well it can, but like in the real world - you end up making yourself more vulnerable and more susceptible to making mistakes.
Re:Phising getting more and more "important" (Score:1)
Re:Phising getting more and more "important" (Score:1)
--chris
Re:Phising getting more and more "important" (Score:1)
Online scams are so much more successful simply because any scammer can make themselves look l
Re:Phising getting more and more "important" (Score:5, Insightful)
Re:Phising getting more and more "important" (Score:2)
Insightful post, thank you. I have an alternate view on one of your points: It is somewhat related to posts above, too.
I think much of the problem lies in pattern recognition, but in a different way. It may be a lack of pattern r
Re:Phising getting more and more "important" (Score:2, Insightful)
I agree with the statements you make about pattern recognition skills.
However, I believe that the skillset you describe is too narrow.
As far as I can tell, most people are well able to distinguish two banks based on their flyers, even if you remove the names of the banks. They don't read the text, they don't look at the offerings, they merely look at the colors, layout and the logo.
On this level, pattern recognition works just fine for them and it's usually enough.
And since trademarks prohibit someone e
Re:Phising getting more and more "important" (Score:1)
To be fair to most people, the software they use (e.g. Outlook, MSIE) c
Re:Phising getting more and more "important" (Score:2)
It's relatively easy for scammers to set up a website for a few hours or days, on a computer they don't own, located in a country far away from them, and get a couple of quick hits, with it being somewhat hard for authorities to track down the location that the scammer actually connects to the internet.
If scammers tried this with snail-mail, they would have to wait a week at least to wait for the responses. Also, while it's probably possible to hide your identity when receiving sna
Re:Phising getting more and more "important" (Score:3, Insightful)
Immediate response without time to think about it.
I once got a phishing email supposedly from Amazon.com. I had had too much to drink, and I had been up for about 20 hours. I clicked the link and gave them my Amazon password, where they had access to my credit card information, address, etc. As I hit enter, the fact that it was fake finally penetrated the fog in my head. I quickly changed the password on my account, and have not had a problem. I
Re:Phising getting more and more "important" (Score:3, Informative)
About the worst they could have done was order 500 romance novels in your name and have them delivered to you. The modern equ
Re:Phising getting more and more "important" (Score:2)
If there wasn't, why would a phisher want your Amazon password in the first place?
Re:Phising getting more and more "important" (Score:1)
Dhamija, R., Tygar, J. D., and Hearst, M. 2006. Why Phishing Works. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems (Montréal, Québec, Canada, April 22 - 27, 2006). CHI '06. ACM Press, New York, NY, 601-610. http://people.deas.harvard.edu/~rachna/papers/why_phishing_works.pdf [harvard.edu]
Wu, M., Miller, R. C., and Garfinkel, S. L. 2006. http://groups.csail.mit.edu/uid/projects/phishing/chi-security-toolbar.pdf [mit.edu] Do secu
Re:Phising getting more and more "important" (Score:2, Insightful)
Some less-than-scrupulous telemarketers do the same thing by calling people and telling them that they just won something, and then asking for a subscription to a magazine or whatnot as almost a side por
Re:Phising getting more and more "important" (Score:2)
Oh, I don't know about that. I suspect if someone sent out notices on authentic-looking Bank of America letterhead, stuffed into authentic-looking Bank of America envelopes, informing "customers" that there was an "issue" with their accounts and they need to call an authentic-looking 800 number and provide their account information to resolve it, the phone would ring more than a few times.
So
Re:Phising getting more and more "important" (Score:2)
Are you sure? Granted, I've never seen anyone try this, but I suspect it would work better than you think. Probably not as a mailback though, that would require too much effort, but if it had some "hotline" number to call I bet you could get a ton of CC numbers, especially if the letter is worded in
Re:Phising getting more and more "important" (Score:2)
Phishing (Score:5, Insightful)
What kind of criminal masterminds would fall for their own scams ?!
Re:Phishing (Score:2)
The Problem Is The Credit Card (Score:5, Interesting)
I work at a b&b where we continually get reservations by people wanting to pay with a credit card. Our customers make their bookings over the phone, fax and even e-mail - to process a payment, all we need is the card number and expiry date. When a receipt is printed (from entering the numbers), it actually has the card details on it!
I have seen many people collect their receipts from us upon checkin and just throw them away, without any thought about the information contained. Anyone willing to stick their hand in the bin would be able to collect these numbers for themselves.
I often think a better credit card system would be to have a credit card number and require the use of a temporary code for a transaction to take place (similar to my online banking) where we have an electronic device [hsbc.com.au] which has a changing code, of course, this would only be practical for over the phone and website bookings rather than fax/e-mail (although fax/e-mail bookings are insecure now as e-mails may not be deleted from the system and faxes could be just thrown away with the numbers on them).
Re:The Problem Is The Credit Card (Score:1, Informative)
yep (Score:2)
Re:The Problem Is The Credit Card (Score:1)
Re:The Problem Is The Credit Card (Score:4, Informative)
Re:The Problem Is The Credit Card (Score:4, Informative)
Re:The Problem Is The Credit Card (Score:2)
So? This *is* the USA we are talking about here, and you *are* in Australia, one of the USA's most trusted 'lieutenants'...
Re:The Problem Is The Credit Card (Score:2)
Better get your POS software updated from your bank.
Re:The Problem Is The Credit Card (Score:2)
Funny you mention that, the POS unit we use was issued from the Commonwealth Bank 1.5 years ago after the LCD in our previous unit broke. In any case, wouldn't VISA fine the bank?
Re:The Problem Is The Credit Card (Score:2)
Re:The Problem Is The Credit Card (Score:2)
Re:The Problem Is The Credit Card (Score:2)
Re:The Problem Is The Credit Card (Score:2)
Of course, the old zip zap machines happily put the entire number on the receipt you get. And people who don't want to pay for mobile EFTPOS [wikipedia.org] equipment, such as some of the shuttle companies, tend to be keen on them...
Re: (Score:2)
Re:The Problem Is The Credit Card (Score:2)
Actually, they are.
MBNA has such a program called ShopSafe. I use it all the time.
It's been quite a while since I did any web transaction with the regular number.
That did cause some trouble on eBay in early March. I had a temporary number on PayPal with a $25 maximum limit. When I won three bids one day (easy since they were all "Buy It Now"), I created a new temporary number with a maximum high enough to handle all three bids. The total amo
Re:The Problem Is The Credit Card (Score:2)
To fight a credit card "charge-back" we have supplied the processor with a video showing the person swiping their credit card, their own vehicle license plate clearly visible, at our
Re:The Problem Is The Credit Card (Score:2)
While straightening everything out, one of the banks gave me a hard time. Apparently losing my wallet counted as "suspected fraud" and this "suspected fraud" made them cancel my account. A second bank w
The banks really don't seem to care... (Score:4, Insightful)
As much as I want to blame the "online idiot" who falls victim to phishing and other scams, the banks really bear a lot of blame themselves for making it so damn easy to steal from these people.
Re:The banks really don't seem to care... (Score:5, Insightful)
Yes, I am a vendor with my own merchant account.
Re:The banks really don't seem to care... (Score:1)
Banks aren't even using SPF (Score:2)
eBay and PayPal don't use SPF either, and they're technical enough that they should know better. They do ask you to send them copies of phishing, but I suspect that's mostly to cut down on complaints.
What banks ought to be doing with
good and bad (Score:5, Funny)
My First Credit Card Theft (Score:2, Interesting)
This really ticked me off, so I called the florist, got the order number, product, and phone number and address of the delivery...
Apparently, someone at the restaurant had a girlfriend in Chicago, and used my card
Re:My First Credit Card Theft (Score:1)
And you didn't call the police because.... ??
Rumpelstiltskin (Score:2)
Re:Rumpelstiltskin (Score:5, Informative)
For reference, see this link [zug.com]
In my own life, I have my daughter sign the credit card bill (and compute the tip, if necessary) and since she's an art student she has been coming up with some pretty creative signature designs.
Re:Rumpelstiltskin (Score:2)
Re:Rumpelstiltskin (Score:2)
Credit doesn't have it ON THE SAME CARD.
Re:Rumpelstiltskin (Score:2)
That being said, whenever I look up the fees, it still looks like PIN transactions are cheaper most of the time, unless merchants are getting substantially lower rates (approaching 0%)
Re:Rumpelstiltskin (Score:2)
Unless you're referring to the interest, but on a debit card (even used as credit), there is no interest as long as you stick with the money in your account.
Re:Rumpelstiltskin (Score:2)
Must...not.... (Score:1)
Honesty and reputation? (Score:5, Insightful)
Why so cheap? (Score:3, Interesting)
For a card which may have a $10,000 credit limit or higher. Either it's hard to turn a stolen card into money, or the supply is more than meeting the demand.
Contrariwise, why so expensive? Mail theft rings, bribed insiders, credit report lookups by crooked merchants -- there are so many sources that maybe the price should be lower. After all, what's the cost of a botnet PC to a crook who wants to use it?
Re:Why so cheap? (Score:3, Informative)
Re:Why so cheap? (Score:1)
"The Economy of Online Crime" (Score:1)
In other news the US government has been superseded by the RIAA in a grant of 'emergency powers'. Among the proposed changes is a rename of the US to the 'United Empire' and the purging of all online music stores. CDs have also reportedly tufwappled in cost.
Amazing complexity (Score:5, Informative)
Re:Amazing complexity (Score:4, Funny)
Carelessness feeds the black market (Score:1)
Such careless imbeciles would really need to lose their contracts at the very least. Why don't IBM, HP and others laugh WF out of the room when their contract comes up for renewal? They are not just WF's customers, they are also employers of the people who got messed up
The real victims of cc fraud: merchants (Score:3, Interesting)
Back in the day, I had a small business where I accepted the "big 4" credit cards. We were selling sporting gear via mail order and the web.
One day, some kid called up and placed a decent-sized order for about $1,000 worth of gear. Naturally, I demanded to speak with the card holder, and he put his mom on the line who promptly told me "no problem".
Week later, Dad calls me up furious. You guessed it: divorce. Kid and mom are getting back at a dead beat dad, and he's none too amused about it. Dad calls the CC issuer, demands a chargeback. I get hit for $1,000 refund, plus the fees coming in, plus the fees going out, plus some other "service charges" for the "bad order".
Of course...I'm still out $1,000 in gear! I call mom and kid, explain that *I* am none too amused either, and that I'd like my gear back. She implies that my parents were never married, and that I might wish to visit Satan.
Having accepted that this situation could only get worse, I called the police. They explained that no crime had occurred: a) mom had "paid" for the goods and b) she had the legal right to use her husband's credit card. I called my bank, and my credit card services, and they each told me it was my own damn fault for selling a quality product at a fair price and that no one could force her to mail back goods because (by then) she was claiming she had never received the order in the first place.
I am sure some merchants have done lousy things, but as one of the "good guys" it simply blows my mind when I think about this, even now years later.
Epilogue: never got the gear back, but funny enough, I *did* win about a grand from a scratch off ticket the week I closed the business. Save your mod points, I must have some real karma around here somewhere. =)
Re:The real victims of cc fraud: merchants (Score:1)
Re:The real victims of cc fraud: merchants (Score:1)
::slaps forehead::
What I came to call my $1,000 mistake. In retrospect, dumb as hell I know. But I wasn't always the wise cynic I am today- once upon a time I assumed people were good and honest.
Like I said...dumb as hell.
I do systems work for a major card issuer.... (Score:5, Informative)
- I don't know how things were "back in the day", but these days, if a family member racks up a credit card bill without permission, and the cardholder won't press criminal charges and file a police report, the cardholder is stuck with the bill. That said, if a merchant just gets approval from "the cardholder's wife", then it's no wonder the merchant got stuck holding the bill and with a penalty to boot. Both are part of the agreement you signed that allowed you to accept credit cards. You did read that, right? Just askin'.
- Banks are actually very serious about stopping fraud. Not only do banks end up covering a fair amount of the tab because the hoops you have to jump through to get Visa/MC to cover it get harder and harder (and in the world of banking, profits are generated by pennies a transaction, so even $50 of fraud is significant in terms of lost profits), but all the major issuers understand that no one wants to be the next one caught with their security wanting. The bad press associated with lost laptops, wayward tapes and hacked websites is something no one wants - and, in fact, it practically killed CardSystems. We are under major pressure to make sure our bank isn't next - because you do lose a lot of customers from this sort of thing. And reissuing cards to a swath of cardholders is both expensive and time-consuming. The bank I work for hasn't been involved in any of this so far, but we make a point not to brag about it - it just invites trouble.
- You DO sign the receipt as a verification. Signatures are not necessary for certain types of transactions, or for transactions under a certain fairly low limit, but if there is fraud or a dispute, the merchant has to produce the signature. Or they lose the dispute. This is why many merchants now use the CVV2, although, as you can probably infer from the story, it also is not perfect.
- Why the cheap price for high-limit cards? Because actually using them is much riskier than stealing them. Either you need your ill-gotten gains shipped somewhere, or you need to show up somewhere in-person. Or you go for fairly small stuff. In any case, it's a lot more risky than the number theft, and if you steal numbers, you probably sell a batch at a time. With the risk goes the reward, so to speak.
- Phishing, we're working on that too. All the major issuers have places on their websites where you can report phishing activities. Do so, whenever you see it. And the major issuers are also all conducting informational campaigns, trying to teach people what a legitimate communication looks like.
Overall, though, massive card number theft is unusual. Most people lose their information by losing their wallet, being careless with their info (like with phishing), or by a family member/friend up to no good.
Re:I do systems work for a major card issuer.... (Score:2, Interesting)
I'm not really disagreeing that the merchant should be responsible for most, or even all, of cardholder not present losses. I'm just irritated by the complete lack of interest from card issuers, merchant service providers and the police.
Re:I do systems work for a major card issuer.... (Score:1, Insightful)
I'm the master of shipping for an internet merchant who slings several million bucks of loot a year. And by "master of shipping", I mean "it's pretty much all my problem".
I know what a fraudulent order looks like, I can successfully pick them out -- but nobody wants to know about this stuff. The credit card companies couldn't care less, I've tried. Police departments? Nobody cares. This is my best effort here, folks -- without actually hiring private detectives and/or ninja, I can't do any more than just pass
Re:I do systems work for a major card issuer.... (Score:2)
Nonsense! Given the amount of credit card and phishing schemes which the banks could shut down trivially and protect their customers, and the general ease of stopping most wholesale credit card fraud houses by applying existing law, they're not interested in fraud per se. They're interested in reducing their own fiscal bleeding from fraud: that means a very different set of priorities, such
a connection? (Score:1)
In order to maintain security of your records, you will need to validate your information or your account may be suspended. Please click the link below and follow the on screen prompts.
typical gw. bush:
Hmm. I wonder if the same percentage of Americans that think NSA wiretapping makes us more secure - also fall fo
Re:a connection? (Score:1)
Re:not typical Slashdot (Score:1)
Well, whatya know... (Score:2, Insightful)
Easy cop out (Score:2)
Of course they are honest with one another ..... (Score:2)
Anyway, the only people who lose money are idiots who fall for age-old scams. Phishing? Don't make me laugh. For crying out loud, when you open a bank account, they tell you that they will never ask you for personal details online. How long does it take to ring your bank and ask them whether an e
Re:Of course they are honest with one another .... (Score:1)
Re:Of course they are honest with one another .... (Score:2)
In other words, replay attacks are no longer possible, nor can a transaction be completed off-line, the CC company sends a challenge to the card, the card encrypts it and replies, the CC company can then either verify the card is legit or not.
That being said, with numbers being accepted at most m
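The challenge-response exchange described in the comment above, as an added example that is not part of the original post: the issuer sends a fresh random challenge, the card answers with a keyed response, and a captured response fails when it is presented again. It uses HMAC-SHA256 in place of the "encrypts it" step, and the class names, card id and amounts are assumptions constructed for illustration, not any card scheme's real protocol.

```python
import hashlib
import hmac
import secrets


def _mac(key: bytes, challenge: bytes, amount_cents: int) -> bytes:
    # The response covers the issuer's nonce and the amount, so it cannot
    # be reused for another challenge or for a different amount.
    msg = challenge + amount_cents.to_bytes(8, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()


class Card:
    """Hypothetical chip: the key stays inside, only responses leave."""

    def __init__(self, card_id: str, key: bytes):
        self.card_id = card_id
        self._key = key

    def respond(self, challenge: bytes, amount_cents: int) -> bytes:
        return _mac(self._key, challenge, amount_cents)


class Issuer:
    """Hypothetical issuer side: hands out one-time challenges and verifies."""

    def __init__(self):
        self._keys = {}     # card_id -> shared secret
        self._pending = {}  # card_id -> outstanding challenge

    def enroll(self, card_id: str) -> Card:
        key = secrets.token_bytes(32)
        self._keys[card_id] = key
        return Card(card_id, key)

    def new_challenge(self, card_id: str) -> bytes:
        challenge = secrets.token_bytes(16)
        self._pending[card_id] = challenge
        return challenge

    def verify(self, card_id: str, amount_cents: int, response: bytes) -> bool:
        # pop() makes every challenge single-use: once checked, it is gone.
        challenge = self._pending.pop(card_id, None)
        key = self._keys.get(card_id)
        if challenge is None or key is None:
            return False
        expected = _mac(key, challenge, amount_cents)
        return hmac.compare_digest(expected, response)


def demo() -> dict:
    issuer = Issuer()
    card = issuer.enroll("card-0001")  # constructed sample card id
    results = {}

    challenge = issuer.new_challenge(card.card_id)
    response = card.respond(challenge, 2500)
    results["genuine"] = issuer.verify(card.card_id, 2500, response)

    # The same response presented again, with no challenge outstanding.
    results["replay_no_challenge"] = issuer.verify(card.card_id, 2500, response)

    # The same response presented against a newly issued challenge.
    issuer.new_challenge(card.card_id)
    results["replay_new_challenge"] = issuer.verify(card.card_id, 2500, response)

    # A valid response whose amount is altered before it reaches the issuer.
    challenge = issuer.new_challenge(card.card_id)
    response = card.respond(challenge, 2500)
    results["amount_changed"] = issuer.verify(card.card_id, 999900, response)
    return results


if __name__ == "__main__":
    print(demo())
```
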
Re:Of course they are honest with one another .... (Score:2)
It wouldn't even matter if the "clone card" which is used in the "real" Chip+PIN machine actually has to be attached by an umbilical cord to a laptop or desktop computer, or for that matter ev
Ideas (Score:2)
The way that I see it, these cards would be very low limit cards so that when a verification was done on them they would pass through but when something of actual value would go through, t
so what? (Score:2)
"Yarrr!"-ing pirates?