Credit Card Theft Thrives Online as Global Market

[InfoSec News <isn () c4i org>]

http://www.nytimes.com/2002/05/13/technology/13CARD.html

By MATT RICHTEL
May 13, 2002   
 
Tens of thousands of stolen credit-card numbers are being offered for
sale each week on the Internet in a handful of thriving,
membership-only cyberbazaars, operated largely by residents of the
former Soviet Union, who have become central players in credit-card
and identity theft.

The marketplaces - where credit card prices fluctuate with supply and
demand in a sort of black stock market - offer a window into a crime
that costs the financial system $1 billion or more a year. They also
show how readily personal information is being stolen and traded in
the computer age.

But the same Internet technology that has enabled the theft and sale
of credit cards also provides a veritable transcript of the criminal
activity, and a real-time peephole into the attitudes, ethic - and
sometimes honor - among the thieves. The chat forums indicate as well
that several dozen of the top participants recently have discussed
gathering at a credit-card reseller's conference in Odessa, Ukraine,
at the end of this month.

"It's straight out of Capitalism 101 - it's become a big industry,"  
said one high-technology executive who surreptitiously monitors the
Internet card markets, and who noted that the market price of credit
cards fluctuates daily based on supply — which, he said, is copious.  
"There appears to be an endless supply of cards out there," he said.

In recent days, the cost of a single credit card has been between 40
cents and $5 depending on the level of authenticating information
provided. But the credit-card numbers typically are offered in bulk,
costing, for example, $100 for 250 cards, to $1,000 for 5,000 cards,
with the sellers offering guarantees that the credit-card numbers are
valid.

Security experts say the buyers of the card numbers in these forums
are all over the world, but often come from the former Soviet Union,
Eastern Europe and Asia, specifically Malaysia. The buyers use the
numbers in a variety of frauds, including making purchases over the
Internet, having them fenced in the West, or even extracting cash
advances directly from the credit-card accounts.

Security experts say the people living in the former Soviet Union -
often in Russia and Ukraine - who are operating the marketplaces are
typically buying the card numbers from so-called black-hat computer
hackers. These hackers obtain the card numbers by breaking into
computer systems of online merchants and getting access to thousands
of credit-card records at a time.

"This is highlighting a tremendous lack of security," said Richard
Power, editorial director of the Computer Security Institute, an
association of computer security professionals that recently published
a report with the Federal Bureau of Investigation on computer crime.  
"In the old days, people robbed stagecoaches and knocked off armored
trucks. Now they're knocking off servers."

The ultimate cost of this is hard to estimate, according to financial
analysts, though they say it is a fraction of the total size of the
credit-card industry. A recent survey from Celent Communications, a
market research firm, found that credit-card payment fraud will cost
online merchants a minimum of $1 billion a year, which is not
insignificant, though it pales in comparison to the more than $900
billion that Visa alone processes annually.

The cost to individual businesses, however, can be dramatic. In
January 2000, an extortionist based in Russia demanded $100,000 from
an Internet music retailer, CD Universe, by posting credit-card
numbers stolen from the company's database to a Web site, which was
subsequently shut down by the F.B.I. Last year, people close to
Flooz.com, a bankrupt purveyor of certificates used for online
purchases, said one reason the company failed was that it had
unknowingly sold $300,000 of its currency to credit-card thieves in
Russia and the Philippines.

Generally speaking, the Celent report found that the fraud rate on the
Internet is 0.25 percent for Visa and MasterCard transactions,
significantly higher than the 0.08 percent for Visa and 0.09 percent
for MasterCard in the offline world. The typical consumer is generally
protected from these costs, since consumers are not held liable for
most fraudulent charges, but credit-card interest rates can rise
because of crime, and consumers may have to deal with the aggravation
of removing charges they did not make.

Mr. Power, from the Computer Security Institute, said: "You don't want
to be an alarmist and say, `The sky is falling, and Visa is going to
crumble.' But the financial losses involved in this kind of theft are
underestimated, underreported and underacknowledged," estimating the
worldwide cost is in the "double-digit billions."

"There's a lot more hemorrhaging going on than some people believe,"  
he said.

The Internet sites of the online marketplaces are mostly known only to
their participants — though that number can run as high as 2,000
registered users. The site operators change their online addresses
frequently to prevent monitoring by law enforcement. In the past,
credit-card traffickers did business in private chat rooms on the
Internet Relay Chat, a communication network, and now they also use
the World Wide Web, where it is easy to start and shut down sites to
avoid detection.

But there are security professionals who surreptitiously listen in,
tracking the supply of card numbers and prices.

John Shaughnessy, senior vice president for risk management and fraud
control at Visa USA, said the company was aware of online marketplaces
and sought to monitor them, when it could find them. He said it
appeared that many of the buyers and sellers of cards were in Asian
countries and the former Soviet Union. Some people familiar with the
trend have also said that stolen credit cards were being purchased by
people in Saudi Arabia and Dubai, United Arab Emirates.

Mr. Shaughnessy said Visa had worked closely with the F.B.I. on these
issues. Officials at the F.B.I. did not return calls for comment.

Even though the activities of the marketplace can be monitored, this
does not mean participants can be easily caught, since they do not use
their real names or give their whereabouts, and they make their
payments through secure money transfers over the Internet that are not
easily traced. But the Web sites offer a profile of the typical
participant and of the way they do business.

A security expert who monitors several of the bazaars said one of the
most active was run by a Ukrainian 18 or 19 years old who went by the
name "Script." The operator lives in Odessa. He is among about nine
members of a clique, whose members call it "the family," and who are
considered the most powerful and reliable of the middlemen.

In a recent transcript, the dealer who operates the forum posted in a
typical note: "I am selling Visa and MC (American cards)." He added,
"The minimal deal size is 40$."

He also listed a higher price if the deal included the card's CVV2
code, a printed security code that appears on credit cards and is
supposed to prevent fraud. Merchants are not supposed to record the
code in their databases, but they sometimes do, which means that
hackers can get access to this higher level of information. On the
online forum, the seller noted that 100 cards with the CVV2 code cost
$300.

A discussion then ensued involving his former buyers, attesting to the
seller's reliability. One buyer wrote, "This guy's always slightly
more expensive, but his stuff is good." Another wrote: "This guy is
awesome. He always gave me three times the number of cards I paid
for."

The endorsements are a somewhat surreal reproduction of the rankings
given to sellers on legitimate e-commerce sites, like the auction site
eBay, or to authors by readers on Amazon.com. The feel of the site is
one of pure capitalism, replete with marketing. The seller who
operates the site sometimes posts online banner advertisements for his
service.

The sellers usually ask for payment to be made through online
accounts, like www.WebMoney.ru, where money can be electronically
deposited, wired, then transferred to a bank account.

The discussions on the forum have a definite anti-Western bent,
particularly anti-American. They are critical of American foreign
policy. Some of the members of the forum also express anti-Semitic
views.

There is not much social interaction, but it is not unheard of. The
participants will brag about using their spoils to take vacations, for
instance, to Bulgaria or Dubai.

Recently, there was a discussion that nearly 40 members of the group
would meet in Odessa on May 31, at the first "World Carders"  
conference, though the organizers appear to have moved the talk to a
more private setting.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.