The Economy of Online Crime
hdtv writes "You might call the thugs or thieves, but on their own closed forums and referral-only Web sites, they value honesty and reputation. Fortune magazine looks into the black market for stolen credit card numbers and identities. What's interesting is that so few of the criminals retrieve their information via breaking into online stores." From the article: "Gaffan says these credit card numbers and data are almost never obtained by criminals as a result of legitimate online card use. More often the fraudsters get them through offline credit card number thefts in places like restaurants, when computer tapes are stolen or lost, or using 'pharming' sites, which mimic a genuine bank site and dupe cardholders into entering precious private information. Another source of credit card data are the very common 'phishing' scams, in which an e-mail that looks like it's from a bank prompts someone to hand over personal data."
Isn't pharming when DNS is actually hacked in some manner? How many cases of this actually happening have been documented? Simply setting up a website that mimics a legitimate financial institution or pertinent party (e.g. Ebay), is, and has always been, phishing. The phishing emails are just lures to the bait of the phishing websites.
Is there a source that even tried to identify online stores as a source of credit card numbers? I wouldn't have ever thought that someone would try to use them as a large source.
"...or using 'pharming' sites, which mimic a genuine bank site and dupe cardholders into entering precious private information."
BOA is using a pictograph means to reduce phishing.
No kidding. We're seeing an incredible increase in phishing attacks, either in the form of fake pages (and the corresponding spam mails telling you to go there), or in the form of trojans that hook into the browser.
It's interesting. Place a person, a very clever person, with a master's degree in commerce or law, with a Ph.D., people who're worth their 6 digits a year, place them in front of a computer and you will be amazed. Something inside this computer turns the smartest person into a gullible idiot.
Ok, idiot being too hard a word. But it is VERY intriguing to see people who would never ever fall for a con job in real life to fall without even thinking twice for one online.
And I wonder why. What makes an e-mail more credible than snail mail? If they got a mail from their "bank", telling them to send their CC number or other details, they would NEVER do that. Online? No problem.
Why? Why are online scams so much more successful than offline?
Yes, but I can't be having my Paypal account expire!!!
What if those sites are phishing sites set up by law enforcement to catch phishers?
What kind of criminal masterminds would fall for their own scams?!
Wanna fight? Bend over, stick your head up your ass, and fight for air.
I work at a b&b where we continually get reservations by people wanting to pay with a credit card. Our customers make their bookings over the phone, fax and even e-mail - to process a payment, all we need is the card number and expiry date. When a receipt is printed (from entering the numbers), it actually has the card details on it!
I have seen many people collect their receipts from us upon checkin and just throw them away, without any thought about the information contained. Anyone willing to stick their hand in the bin would be able to collect these numbers for themselves.
I often think a better credit card system would be to have a credit card number and require the use of a temporary code for a transaction to take place (similar to my online banking, where we have an electronic device which has a changing code). Of course, this would only be practical for over-the-phone and website bookings rather than fax/e-mail (although fax/e-mail bookings are insecure now, as e-mails may not be deleted from the system and faxes could be just thrown away with the numbers on them).
"You might call them [pirates] or thieves, but on their own [outside legal jurisdiction] sites and [encrypted] referral-only [P2P], they value honesty and reputation (smirk!). Small Fortune magazine looks into the black market for [stolen movies, music, and software]."
They are raking in such huge margins on credit card debt that until very very recently, they seemed to more or less wink at online fraud. Only now that it's starting to really cut into their margins are they really taking notice and making half-hearted attempts to deal with the problem.
As much as I want to blame the "online idiot" who falls victim to phishing and other scams, the banks really bear a lot of blame themselves for making it so damn easy to steal from these people.
Well it's nice to know that my online shopping is safe, it is somewhat scary to know that real life shopping is less secure. Just one more reason to never leave the room.
Clearly a secret identity is insufficient to protect your money. Debit cards are widely accepted; I wonder what motivates a retailer or credit company to allow signatures as authentication in this day and age, if not to profit from fraudulent purchases.
"Don't visit any of these sites. Tapping into them could lead to unpleasant consequences. I only looked at them via the safety of RSA's computers."
...ah dammit..
"You're everywhere. You're omnivorous."
Honesty my ass. They're all just being extra careful not to get caught.
That page hasn't been a goatse mirror in a long time.
My first credit card theft occurred in the mid-80s while living in Indianapolis... I used my Amex card to pay for dinner with friends at a local Japanese restaurant... I rarely used the card (and have never been over my head w/CC debt), but was surprised to see a charge from a florist in Chicago...
:-)
This really ticked me off, so I called the florist, got the order number, product, and phone number and address of the delivery...
Apparently, someone at the restaurant had a girlfriend in Chicago, and used my card number to order flowers delivered there...
I called the girlfriend and told her that the flowers she received were purchased with a stolen card and that I would be contacting the police...
Next, I called Amex... to my amazement, even back then, they really didn't give a rat's patootie about the fraud - I had to force my info on the customer service rep - although the info was taken...
I was never subsequently contacted, so AFAIK, the scumbag got away with credit card fraud...
My only consolation was that the dipstick wasn't going to be getting any anymore!
In fact, that's becoming the law in many American states...
>$3 per CVV, or $20 for a card number with CVV and the user's date of birth
For a card which may have a $10,000 credit limit or higher. Either it's hard to turn a stolen card into money, or the supply is more than meeting the demand.
Contrariwise, why so expensive? Mail theft rings, bribed insiders, credit report lookups by crooked merchants -- there are so many sources that maybe the price should be lower. After all, what's the cost of a botnet PC to a crook who wants to use it?
Now to the stock market. The All Ordinaries are up 15 cents, NASDAQ is running smoothly up 10 cents and the incredibly illegal BitTorrent file sharing ring has mysteriously and suddenly disappeared from the market.
In other news the US government has been superseded by the RIAA in a grant of 'emergency powers'. Among the proposed changes is a rename of the US to the 'United Empire' and the purging of all online music stores. CDs have also reportedly tufwappled in cost.
I've been to one of these credit card forums (not as a user, I don't have that kind of moral flexibility) and the thoroughness of these forums is quite amazing. The one I went to in particular required that if you wanted to sell something, i.e. CC numbers, fake IDs, card skimming equipment (ATM bezels and strip readers), etc., you first had to provide free samples to the administrators of the forum to verify the quality of your product. If your product was found to be satisfactory, you would be allowed to sell your products, but first you had to put up a certain amount of cash (like $500, iirc) to be held by the administrators -- this cash would be used to refund your customers' money in case you didn't deliver your products to them.
Such careless imbeciles would really need to lose their contracts at the very least. Why don't IBM, HP and others laugh WF out of the room when their contract comes up for renewal? They are not just WF's customers, they are also employers of the people who got messed up.
Of course, my solution would involve finding out who is the moron at WF that let his goons store unencrypted financial details of customers' employees on Windows laptop. Armed with his name, I'd then mug him, steal his wallet, use his driver license to obtain his personal info, and plaster all these details over the Internet, preferably on the #Cardz IRC channel. See how he likes it.
People who store SSNs and CC numbers on Windows machines need a good whipping. If the machine is a laptop, whip them then brand their forehead with "DOH". There is cheap or free encryption available, what's the excuse of these cretins?
Back in the day, I had a small business where I accepted the "big 4" credit cards. We were selling sporting gear via mail order and the web.
One day, some kid called up and placed a decent-sized order for about $1,000 worth of gear. Naturally, I demanded to speak with the card holder, and he put his mom on the line who promptly told me "no problem".
A week later, Dad calls me up furious. You guessed it: divorce. Kid and mom are getting back at a deadbeat dad, and he's none too amused about it. Dad calls the CC issuer, demands a chargeback. I get hit for $1,000 refund, plus the fees coming in, plus the fees going out, plus some other "service charges" for the "bad order".
Of course... I'm still out $1,000 in gear! I call mom and kid, explain that *I* am none too amused either, and that I'd like my gear back. She implies that my parents were never married, and that I might wish to visit Satan.
Having accepted that this situation could only get worse, I called the police. They explained that no crime had occurred: a) mom had "paid" for the goods and b) she had the legal right to use her husband's credit card. I called my bank, and my credit card services, and they each told me it was my own damn fault for selling a quality product at a fair price and that no one could force her to mail back goods because (by then) she was claiming she had never received the order in the first place.
I am sure some merchants have done lousy things, but as one of the "good guys" it simply blows my mind when I think about this, even now years later.
Epilogue: never got the gear back, but funny enough, I *did* win about a grand from a scratch off ticket the week I closed the business. Save your mod points, I must have some real karma around here somewhere. =)
It's very easy to do on wireless networks. There is a program called KARMA which will make a wifi card mimic an AP. It waits for computers to probe for a SSID and then mimics an AP with that SSID. Once they think your computer is an AP it's amazingly easy to phish them for data. Makes you wonder about all of those places with free wireless (St*rbucks, P@nera)...
I am one of the people who tries to plug the holes, and build the systems that help our agents fix fraud. So I know my way around some of this stuff, and I'd like to clear up a few things.
- I don't know how things were "back in the day", but these days, if a family member racks up a credit card bill without permission, and the cardholder won't press criminal charges and file a police report, the cardholder is stuck with the bill. That said, if a merchant just gets approval from "the cardholder's wife", then it's no wonder the merchant got stuck holding the bill and with a penalty to boot. Both are part of the agreement you signed that allowed you to accept credit cards. You did read that, right? Just askin'.
- Banks are actually very serious about stopping fraud. Not only do banks end up covering a fair amount of the tab because the hoops you have to jump through to get Visa/MC to cover it get harder and harder (and in the world of banking, profits are generated by pennies a transaction, so even $50 of fraud is significant in terms of lost profits), but all the major issuers understand that no one wants to be the next one caught with their security wanting. The bad press associated with lost laptops, wayward tapes and hacked websites is something no one wants - and, in fact, it practically killed CardSystems. We are under major pressure to make sure our bank isn't next - because you do lose a lot of customers from this sort of thing. And reissuing cards to a swath of cardholders is both expensive and time-consuming. The bank I work for hasn't been involved in any of this so far, but we make a point not to brag about it - it just invites trouble.
- You DO sign the receipt as a verification. Signatures are not necessary for certain types of transactions, or for transactions under a certain fairly low limit, but if there is fraud or a dispute, the merchant has to produce the signature. Or they lose the dispute. This is why many merchants now use the CVV2, although, as you can probably infer from the story, it also is not perfect.
- Why the cheap price for high-limit cards? Because actually using them is much riskier than stealing them. Either you need your ill-gotten gains shipped somewhere, or you need to show up somewhere in-person. Or you go for fairly small stuff. In any case, it's a lot more risky than the number theft, and if you steal numbers, you probably sell a batch at a time. With the risk goes the reward, so to speak.
- Phishing, we're working on that too. All the major issuers have places on their websites where you can report phishing activities. Do so, whenever you see it. And the major issuers are also all conducting informational campaigns, trying to teach people what a legitimate communication looks like.
Overall, though, massive card number theft is unusual. Most people lose their information by losing their wallet, being careless with their info (like with phishing), or by a family member/friend up to no good.
In order to maintain security of your records, you will need to validate your information or your account may be suspended. Please click the link below and follow the on screen prompts.
typical gw. bush:
Hmm. I wonder if the same percentage of americans that think nsa wiretapping makes us more secure - also fall for phishing emails.
There's honor among thieves....
Reminds me of a site that used to run a few years back. When it got shut down the
http://www.usdoj.gov/opa/pr/2004/October/04_crm_726.htm
http://www.usdoj.gov/criminal/cybercrime/mantovaniIndict.htm
Upon shutting down the operation, the USS put up a defacement of sorts, viewable here:
http://web.archive.org/web/20041128051935/http://www.shadowcrew.com/
gwb haters are mindless morons of the first order...
(make an 'L' shape w/one's fingers, then place securely against forehead to emulate one)
on_topic: i'd bet gwb doesn't have to worry about credit card fraud, eh?
It's an easy cop out to say that credit cards only (or in the majority of cases) get compromised by "illegitimate" use. In the eyes of the consumer who falls for it, there's nothing illegitimate about a phishing e-mail, or a pharming site. There's nothing illegitimate about handing a waiter your credit card, even if it ends up being skimmed. The position taken here is "if it weren't for these pesky criminals, there'd be no crime, so it's not our fault we've come up with a system of fraud prevention that can be beat by a 3 year old". That's not an acceptable position.
Just because these people are spending other people's money, doesn't mean they aren't nice enough with their own kind. It would never work any other way. For a subculture to work, it must have its own rules.
Anyway, the only people who lose money are idiots who fall for age-old scams. Phishing? Don't make me laugh. For crying out loud, when you open a bank account, they tell you that they will never ask you for personal details online. How long does it take to ring your bank and ask them whether an e-mail is genuine or not? And if you've already had several e-mails apparently from banks with whom you do not even have an account {and therefore obviously fake} why should you expect that one apparently from a bank with whom you do have an account?
Restaurant card fraud? That one has been going as long as credit cards. Even long before the Internet existed -- it began in the days of imprinting machines. Now, of course, thanks to Chip and PIN, you don't even need to let the card out of your sight to get ripped off. Oh, Chip and PIN machines are reckoned to be secure; but how the hell do you know that thing you put your card in and pressed a few buttons was a real Chip and PIN machine and not a fake one? For all you know they cloned your card and grabbed your PIN, and will use the clone card and PIN in a real C+P machine a few minutes down the line, within the margin of error of most people's watches and memories. Solution, pay by cheque. Not cash, because if they see you have cash then they will expect a tip.
As for backup tapes going missing, well, there isn't a lot anyone can do about that -- besides asking, before they open a bank account, how effective the bank's procedures are and what losses they have swallowed on customers' behalf. Little things like never transporting data by the same means as the decryption key make a lot of difference.
Summary: Never make the mistake of assuming anything is secure.
It's actually quite easy to get info at a restaurant till: the receipt that the clerk keeps contains name and card number (well, here in Ireland anyway), and it only takes a split second to remember the 3-digit number on the back of the card ;)
There you go, you have enough details now to go shopping....
I've had and reported several fake emails from eBay and PayPal. They're easy to spot with a little help from the legitimate sites.
One of them had me nearly fooled last year. I scrolled to the bottom filling out stuff for my eBay account (or so I thought) and there it was. A field for my PIN!!! I backed outta the site and sent a notice to eBay. Lesson learned. WATCH OUT!! Suspect all...
eBay and PayPal don't use SPF either, and they're technical enough that they should know better. They do ask you to send them copies of phishing, but I suspect that's mostly to cut down on complaints.
What banks ought to be doing with phishing mail is going to the phishing sites and giving them phony card numbers, and then nailing anybody who accepts the cards. That would cut down on the value of phished numbers, and might occasionally catch the phishers.
Bill Stewart
I wish that when you encountered a phishing site that you could go to a credit card company's anti-fraud site and be issued a card number and verification information that would appear to be legit (and would even be verifiable) but would in actuality be a trojan that would sound fraud alarms if it was attempted to be used.
The way that I see it, these cards would be very low limit cards so that when a verification was done on them they would pass through but when something of actual value would go through, they would trigger an over the limit message and would also set off a fraud alarm at the credit card company.
Because the phishers would have no way of knowing the difference between a "valid" card and a "trojan" card, information on the cards attempted use could be collected at the front end and at the back end. This would allow investigators to have two opportunities to trap the scumbags and would also help to create a map of the way things are being worked. With any luck at all they can use the low-level players that they catch to extract information from and go after the bigger fish in the middle. You could look at it like you are phishing the phishers!
The pressure that this would exert should send the crooks looking for other less risky targets.
-
The next idea is more logistical: I've received calls from Visa fraud prevention on a few occasions when I have made unusual purchases. I really appreciate this service and know that it is expensive for them to do. I'd think that if they automated this a bit that they could do more of it at a lower cost. Using IVR they could call a representative sample of customers and just verify routine purchases that have been made at higher risk places (like on-line and businesses that have experienced fraud).
-
They could also have a system that could co-authorize specific kinds of purchases, especially online purchases or purchases that you make that you have shipped to different addresses. I would not feel inconvenienced by the extra step if I knew that I was helping to prevent fraud.
The way that I envision it is that you would be informed by the merchant that you must okay the purchase by calling a toll free number and entering a code from the order verification from your home phone or cell phone that is on record at the credit card company.
-
Crime costs all of us. We pay for it because retailers have to build in additional costs to cover their losses that result from theft (including fraud and shoplifting). These costs drive up our costs. These losses even affect our paychecks. If a retailer can't raise the costs to cover his losses, then he may have to shave off a little somewhere else. The most logical place for that is his biggest expense which is most likely labor. If he has suffered losses, he may not be able to give you as big a raise as he otherwise may or maybe he will have to cut back on his benefit package. It pays if we all do a little bit extra to prevent losses. If you encounter fraud, don't ignore it, report it.
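The "trojan card" tripwire sketched in the post above, modelled as an added example (Python, not from the thread or from any issuer): the issuer mints Luhn-valid canary numbers tied to where they were planted, lets tiny verification holds through so the number looks genuine, and turns any purchase of real value into an over-limit decline plus a fraud alert. The BIN prefix, limits and labels are all constructed.

```python
"""Canary card numbers as fraud tripwires (constructed example)."""
from dataclasses import dataclass, field


def luhn_check_digit(partial: str) -> str:
    """Check digit that makes partial + digit pass the Luhn test."""
    total = 0
    # Walking right to left, the digit next to the check digit is doubled first.
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(pan: str) -> bool:
    return pan.isdigit() and len(pan) > 1 and luhn_check_digit(pan[:-1]) == pan[-1]


@dataclass
class CanaryRegistry:
    """Issuer-side store of canary PANs and the alerts they generate."""
    bin_prefix: str                     # constructed, not a real issuer BIN
    verify_limit_cents: int = 100       # holds up to $1.00 are let through
    pans: dict = field(default_factory=dict)   # pan -> where it was planted
    alerts: list = field(default_factory=list)

    def issue(self, planted_at: str, seq: int) -> str:
        """Mint a 16-digit canary PAN and remember where it was handed out."""
        width = 15 - len(self.bin_prefix)
        body = f"{self.bin_prefix}{seq:0{width}d}"
        pan = body + luhn_check_digit(body)
        self.pans[pan] = planted_at
        return pan

    def authorize(self, pan: str, amount_cents: int, merchant: str) -> str:
        """Authorization decision for a canary; real cards are out of scope."""
        if not luhn_valid(pan):
            return "DECLINE_INVALID"
        if pan not in self.pans:
            return "NOT_CANARY"
        # Every attempt is recorded: this is the "front end" intelligence.
        record = {"pan": pan, "planted_at": self.pans[pan],
                  "merchant": merchant, "amount_cents": amount_cents}
        if amount_cents <= self.verify_limit_cents:
            record["action"] = "approved_verification"
            self.alerts.append(record)
            return "APPROVE"
        # Anything of value trips the wire: over-limit to the merchant,
        # fraud alert to the issuer with the planting site and the merchant.
        record["action"] = "fraud_alarm"
        self.alerts.append(record)
        return "DECLINE_OVER_LIMIT"


if __name__ == "__main__":
    reg = CanaryRegistry("4000")
    pan = reg.issue("phish-site-A", 1)
    print(pan, reg.authorize(pan, 100, "verify-bot"))
    print(pan, reg.authorize(pan, 49_999, "mail-order-shop"))
    print(reg.alerts)
```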
"You might call the (sic) thugs or thieves"
It's not "might." I *do* call them thieves, and so should everyone else.
As I understand it, the smartcard based "chip" solutions are substantially more secure as they cannot simply be cloned -- The smartcard is basically a mini CPU itself and can handle basic C/R and onboard encryption.
In other words, replay attacks are no longer possible, nor can a transaction be completed off-line, the CC company sends a challenge to the card, the card encrypts it and replies, the CC company can then either verify the card is legit or not.
That being said, with numbers being accepted at most merchants (without the smartcard), it's mostly pointless -- Only once the smartcard is mandatory will the system be any more secure, but at least a merchant can choose to not be a victim of fraud from cards where the bank chooses to use a smartcard.
Of course, with most credit cards not having smartcards, it's perhaps a moot point.
Give a man a fish, he'll eat for a day, but teach a man to phish...
It wouldn't even matter if the "clone card" which is used in the "real" Chip+PIN machine actually has to be attached by an umbilical cord to a laptop or desktop computer, or for that matter even an enormous mainframe -- it's all done out of sight of the cardholder, and the card issuing bank don't know any different. The tests performed by the machine are known and the results can be faked. The sequence proceeds as follows: As long as the gap between steps 5 and 6 is short and the emulator is accurate and fast, nobody need notice anything amiss {up to five minutes is within the tolerance of most people's watches}. The real card received an authentic-looking challenge, so it will be ready for the next one. There's no good reason why a fake C+P machine should not include a wireless link to the back room where all the bad stuff is happening, for near-real-time operation. Or even just perform a simple old-fashioned MITM attack, amending the amount in transit. Just because it's electronic does not make it secure.
What did you expect?
"Yarrr!"-ing pirates?