Interesting People mailing list archives

Black Market in Stolen Credit Card Data Thrives on Internet


From: David Farber <dave () farber net>
Date: Tue, 21 Jun 2005 03:13:27 -0400



Begin forwarded message:

From: "John F. McMullen" <observer () westnet com>
Date: June 21, 2005 12:04:48 AM EDT
To: johnmac's living room <johnmacsgroup () yahoogroups com>
Cc: Dave Farber <farber () cis upenn edu>
Subject: [johnmacsgroup] Black Market in Stolen Credit Card Data Thrives on Internet
Reply-To: johnmacsgroup () yahoogroups com


From the New York Times --
http://www.nytimes.com/2005/06/21/technology/21data.html?hp&ex=1119326400&en=e2682fc4b8435f71&ei=5094&partner=homepage

Black Market in Stolen Credit Card Data Thrives on Internet
  By TOM ZELLER Jr.

"Want drive fast cars?" asks an advertisement, in broken
English, atop the Web site iaaca.com. "Want live in premium
hotels? Want own beautiful girls? It's possible with dumps
from Zo0mer." A "dump," in the blunt vernacular of a
relentlessly flourishing online black market, is a credit card
number. And what Zo0mer is peddling is stolen account
information - name, billing address, phone - for Gold Visa
cards and MasterCards at $100 apiece.

It is not clear whether any data stolen from CardSystems
Solutions, the payment processor reported on Friday to have
exposed 40 million credit card accounts to possible theft, has
entered this black market. But law enforcement officials and
security experts say it is a safe bet that the data will
eventually be peddled at sites like iaaca.com - its very name
a swaggering shorthand for International Association for the
Advancement of Criminal Activity.

For despite years of security improvements and tougher, more
coordinated law enforcement efforts, the information that
criminals siphon - credit card and bank account numbers, and
whole buckets of raw consumer information - is boldly hawked
on the Internet. The data's value arises from its ready
conversion into online purchases, counterfeit card
manufacture, or more elaborate identity-theft schemes.

The online trade in credit card and bank account numbers, as
well as other raw consumer information, is highly structured.
There are buyers and sellers, intermediaries and even service
industries. The players come from all over the world, but most
of the Web sites where they meet are run from computer servers
in the former Soviet Union, making them difficult to police.

Traders quickly earn titles, ratings and reputations for the
quality of the goods they deliver - quality that also
determines prices. And a wealth of institutional knowledge and
shared wisdom is doled out to newcomers seeking entry into the
market, like how to move payments and the best time of month
to crack an account.

The Federal Trade Commission estimates that roughly 10 million
Americans have their personal information pilfered and misused
in some way or another every year, costing consumers $5
billion and businesses $48 billion annually.

"There's so much to this," said Jim Melnick, a former Russian
affairs analyst for the Defense Intelligence Agency who is now
the director of threat development at iDefense, a company in
Reston, Va., that tracks cybercrime. "The story that needs to
be told is the larger, long-term threat to the American
financial industry. It's a cancer. It's not going to kill you
now, but slowly, over time."

No one is willing to estimate how many cards and account
numbers actually make it to the Internet auction block, but
law enforcement agents consistently describe the market as
huge. Every day, at sites like iaaca.com and carderportal.org,
pseudonymous vendors do business in an arcane slurry of
acronyms.

"Cobs," or changes of billings, are a hot commodity.
Typically, a peddler of cobs is offering fresh bank or credit
card accounts, along with the ability to change the billing
address through a pilfered PIN. In other cases, a vendor
selling cobs is offering to change billing addresses himself,
as a service. Sometimes the address is changed to a safe
"drop," which might be an empty apartment in a local building,
or some other scouted locale where goods can be delivered.
(Information on reliable drops is also bought and sold.)

Lengthy tutorials posted at online "carding" forums indicate
that the cob art form is highly developed. A patient criminal
will wait until the day a victim receives a billing statement.
"That way you have a full 30 days" before the victim is likely
to look over his account again, explained one frank tutorial
collected by the F.B.I.

A user going by the name "mindtrip" had cobs for sale
recently: "I'm selling cobs from at this time only banks
Discover and American Express t'ill further notice," he wrote
in brusque English. "The cobs come with full info including
MMN" (mother's maiden name). Discover Card cobs with any
balance were on special: $50. American Express, a more
exclusive and potentially more lucrative account, commanded
$85.

Alongside advertisements for cobs are pitches from
malicious-code writers, who sell their services to the con
artists, known as phishers, who contract with spammers to send
out millions of increasingly sophisticated phony e-mails
designed to lure victims into revealing their account
information.

A successful phishing operation might bring in thousands of
fresh account numbers, along with other identifying details:
names, addresses, phone numbers, passwords, PIN's, and
mothers' maiden names. The richer the detail (and the higher
the account balance), the better the asking price.

A user by the nickname Sirota is peddling account information
so detailed, and so formatted, that it clearly came from a
credit report. He is asking $200 per dump on accounts with
available balances above $10,000, with a minimum order of five
if the buyer wants accounts associated with a particular bank.
"Also, I can provide dumps with online access," he wrote. "The
price of such dumps is 5% of available credit."

Every day brings more. "These things have a short shelf life,"
said Dan Larkin, the unit chief at the F.B.I.'s Internet Crime
Complaint Center in West Virginia. "The criminal value of a
compromised credit card is very short term, so there's a
constant need to keep backfilling their resources."

A Full-Service Black Market

Those buying fresh batches of account numbers may try to make
purchases online, having goods delivered to a drop and then
fencing them through online auctions.

More sophisticated thieves will seek out a vendor of encoding
devices, and others who sell "plastic," or blank credit cards,
and "algos," algorithms that are needed to properly encode the
magnetic strip and produce a usable card. And "cash out"
services can be arranged with those offering to take the
encoded plastic to a cash machine and make daily withdrawals
until the account is depleted. (The cash-out risk commands a
premium - often 50 percent or more of the total balance.)

Traders - whether they deal in plastic, algos, cobs or other
booty - build reputations first by earning the right to
advertise, and then, in a black-market version of eBay buyer
feedback, augment their status by receiving published kudos
from other members. No one is permitted to post product or
service offers at most of these Web sites without first having
their wares vetted by site administrators, or by those who
have been selected as trusted "reviewers."

At iaaca.com, for example, those wishing to sell cobs or cob
services "will be required to provide ten (10) change of
addresses, to be distributed to two reviewers," who "will test
this service by either phone or Internet." New vendors of
credit card numbers "will be required to furnish 20 VALID
dumps (5 Classics, 5 business, 5 platinums, 5 corporate; 50
percent Visa, 50 percent MasterCard)," according to the site
administrators. "The testers will determine the quality, in a
percentage of valid numbers."

Once the wares are vetted, a vendor might then pay a fee to
peddle them on a site's message boards. Banner ads can also be
purchased.

Contacts among deal makers almost always move off the boards
and onto ICQ, the instant-messaging program of choice among
cyberthieves because of its easy anonymity (no names, no
registration, no e-mail required). Payments often change hands
in relative anonymity (and with little regulation) by e-gold,
an electronic currency that purports to be backed by gold
bullion and issued by e-gold Ltd., a company incorporated on
the island of Nevis in the Caribbean. (Secret Service agents
have expressed skepticism over the gold backing.)

Transactions might also be made in WMZ's, electronic monetary
units equivalent to American dollars and issued by WebMoney
Transfer, a company based in Moscow.

Plenty of noncriminal entities use such services to move
money, Secret Service analysts said - although they added that
the agency had conversations with some of the e-currency
issuers to discuss ways to address the problem.

Thefts at Data Aggregators

Mark Rasch, the former head of cyberinvestigations for the
Justice Department and now the senior vice president of
Solutionary, a computer security company, said the numbers
taken in the CardSystems breach - at least 200,000 are said to
have been in stolen files - are almost certain to end up in
one of these trading posts.

CardSystems represented a vital hub through which millions of
account numbers passed. ChoicePoint, a data aggregator, was
another gold mine; it announced in February that thousands of
records had been downloaded from its databases by thieves
posing as legitimate business clients (no hacking required).

"The pattern in the last six months is going after
aggregators," Mr. Rasch said. "It used to be you'd get a few
numbers from a few merchants and aggregate them yourself - a
few numbers from a lot of people. But at some point they said,
'Wait a minute, there are other people who aggregate this
stuff.' "

And, Mr. Rasch pointed out, it is nearly impossible to stop.
For all the information that law enforcement and security
experts can glean from sites like iaaca.com, "there are whole
marketplaces of bulletin board systems and chats that are
invisible," he said.

Still, law enforcement has made inroads. In October, the
Justice Department and the Secret Service announced the
internationally coordinated arrest of 28 individuals in eight
states and several countries, including Sweden, Britain,
Poland, Belarus and Bulgaria.

Among those arrested were Andrew Mantovani of Scottsdale,
Ariz., David Appleyard of Linwood, N.J., and Anatoly Tyukanov
of Moscow. The Justice Department says they are the
ringleaders of Shadowcrew.com, the largest English-language
Web bazaar trading in everything from stolen credit card,
debit card and bank account numbers to counterfeit drivers'
licenses, passports and Social Security cards.

The investigation, called Operation Firewall, broke up a
4,000-member underground that, according to the Justice
Department, bought and sold nearly two million credit card
account numbers in two years and caused over $4 million in
losses to merchants, banks and individuals.

But eight months later, the traders have adapted and resumed
business. They are a bit more skittish now, said John Watters,
the chief executive of iDefense, which generates cybercrime
intelligence for government and financial industry clients.
Operation Firewall did take out some of the "low-hanging
fruit," Mr. Watters said. But that has only caused the pricing
models to become more refined, and the characters in this
black-market economy to become more sophisticated.

A New Market for New Identities

Mr. Watters said there was also a small but growing market for
the type of raw consumer information that has been pilfered
from ChoicePoint, LexisNexis and other general data
aggregators.

"We've observed people paying for identities," Mr. Watters
said, describing Web forms where criminals could tick off the
fields they had to sell or wanted to buy: address, date of
birth, Social Security number, driver's license number,
mother's maiden name. And as the traders slip deeper
underground - or onto servers in regions with lax laws,
overburdened or uninterested law enforcement and no real
working relationship with American authorities - the odds of
pulling off another Operation Firewall get worse.

"The next battle will be substantially harder," Mr. Watters
said. "It's getting harder for us to do our job."

Asked at a symposium on cybercrime late last month if law
enforcement was losing the battle against cybercriminals,
Brian Nagel, assistant director for investigations at the
Secret Service, said no, according to published reports.

But another panel member, Jody Westby, the managing director
of security and privacy practice at PricewaterhouseCoopers,
disagreed, insisting that based on Federal Trade Commission
statistics on identity and credit card theft, only about 5
percent of cybercriminals are ever caught.

In an interview, Ms. Westby offered an assessment no less
bleak. "We're not making an impact," she said. "The criminals
are too hard to track and trace, too hard to prosecute, and
the information they steal is too easy to use."

At one Russian-language site over the weekend, a user called
Lexus celebrated the CardSystems breach, saying that "judgment
day has come for the bourgeoisie." Another, Zer0, suggested on
the site that the hacked numbers might represent new
opportunities in the underground.

"It is a good occasion for us," Zer0 said. "Happy hunting."

Copyright 2005 The New York Times Company
*** FAIR USE NOTICE. This message contains copyrighted material whose use
has not been specifically authorized by the copyright owner. The
'johnmacsgroup' Internet discussion group is making it available without
profit to group members who have expressed a prior interest in receiving
the included information in their efforts to advance the understanding of
literary, educational, political, and economic issues, for non-profit
research and educational purposes only. I believe that this constitutes a
'fair use' of the copyrighted material as provided for in section 107 of
the U.S. Copyright Law. If you wish to use this copyrighted material for
purposes of your own that go beyond 'fair use,' you must obtain permission
from the copyright owner.

For more information go to:
http://www.law.cornell.edu/uscode/17/107.shtml

    "When you come to the fork in the road, take it" - L.P. Berra
    "Always make new mistakes" -- Esther Dyson
"Any sufficiently advanced technology is indistinguishable from magic"
     -- Arthur C. Clarke
     "You Gotta Believe" - Frank "Tug" McGraw (1944 - 2004 RIP)
     "To achieve, you need thought. You have to know what you
      are doing and that's real power." -- Ayn Rand


                           John F. McMullen
    johnmac () acm org johnmac () computer org johnmac () m-net arbornet org
                   johnmac () tmail com johnmac () echonyc com
            jmcmullen () monroecollege edu johnmac () alumni iona edu
               ICQ: 4368412 Skype, AIM & Yahoo Messenger: johnmac13
                   http://www.westnet.com/~observer
                  BLOG: http://johnmacrants.blogspot.com/


