Slashdot Mirror

← Back to Stories (view on slashdot.org)

The Economy of Online Crime

Posted by ryuzaki0 on from the honor-among-thieves dept.

hdtv writes "You might call the thugs or thieves, but on their own closed forums and referral-only Web sites, they value honesty and reputation. Fortune magazine looks into the black market for stolen credit card numbers and identities. What's interesting is that so few of the criminals retrieve their information via breaking into online stores." From the article: "Gaffan says these credit card numbers and data are almost never obtained by criminals as a result of legitimate online card use. More often the fraudsters get them through offline credit card number thefts in places like restaurants, when computer tapes are stolen or lost, or using 'pharming' sites, which mimic a genuine bank site and dupe cardholders into entering precious private information. Another source of credit card data are the very common 'phishing' scams, in which an e-mail that looks like it's from a bank prompts someone to hand over personal data."

13 of 119 comments (clear)

  1. Phising getting more and more "important" by Opportunist · · Score: 5, Insightful

    No kidding. We're seeing an incredible increase in phishing attacks, either in the form of fake pages (and the corresponding spam mails telling you to go there), or in the form of trojans that hook into the browser.

    It's interesting. Place a person, a very clever person, master degree in commerce or law, with a Ph.D., people who're worth their 6 digits a year, place them in front of a computer and you will be amazed. Something inside this computer turns the smartest person into a gullible idiot.

    Ok, idiot being too hard a word. But it is VERY intriguing to see people who would never ever fall for a con job in real life to fall without even thinking twice for one online.

    And I wonder why. What makes an e-mail more credible than snail mail? If they got a mail from their "bank", telling them to send their CC number or other details, they would NEVER do that. Online? No problem.

    Why? Why are online scams so much more successful than offline?

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    1. Re:Phising getting more and more "important" by datafr0g · · Score: 5, Insightful

      Why? Why are online scams so much more successful than offline?

      It's easier to attempt to scam more people at a time online, thus the ratio of suckers is higher.
      Also, and more importantly, most people still don't understand the internet / web / email, etc and how it all works. So they're going to be in a far more vunerable position online. Most people don't think to check to see what web site that link takes them to - it looks like eBay - that's good enough. Most people wouldn't even think to look at that ugly URL bar in the browser and why would they - they can't make sense of it - dozens of letters, numbers and squiggles.

      Learning the internet is like learning another language and another culture in the real world and it can take a great deal of time and experience to get to grips with it. For example, I bet it's much easier to scam a tourist or a new immigrant visiting your local country than it is to scam them in their home country.
      You move to a new country - most people will learn as much as they can about it. You want to use the internet? same thing - but how many people are there who really want to learn about it - most people just want to use it but it doesn't work that way. Well it can, but like in the real world - you end up making yourself more vunerable and more susecptable to making mistakes.

      --
      "Who says nothing is impossible? Some people do it every day!" - Alfred E. Neuman
    2. Re:Phising getting more and more "important" by JMemmert · · Score: 5, Insightful
      Why? Why are online scams so much more successful than offline? As far as I understand the mechanisms, there's several at play:
      • The technicalities of spoofing an address are lost on most people. So "if it says it's from my bank and it looks like it is, so it must be".
      • The second problem, to me, is pattern recognition. We've been trained to identify stores or banks by their corporate identity. It is perfectly obvious that the combination of that color and that logo represents that corporation. Nobody else uses these colors, this logo. So everything with these characteristics is automatically associated with that corporation. And since item one is not understood, there's no reason to doubt that assumption.
      • The third problem is that people want to believe. They want to believe that something is done to keep them and their money safe because it is oh so unsafe and dangerous out there. This has a much wider area of applicability, of course, but on topic, the fact that the bank does something to keep my money safe is good. I want to keep my money safe and so do they. If they want my cooperation in doing that, that's fine. It's in my interst as well. And since they do not understand the implications of spoofing, they accept things on face value. You probably know that line of thought.
      • The fourth problem that I see is that we've gotten used to being treated as a number. So a mail that does not correctly identify me with my full name and only states "Dear Sir or Madam" or "Dear Customer" is considered acceptable.
      • The fifth item I think plays a role is the fact that non-technical computer users have become accustomed to do things that they do not understand. If you told them that performing a rain dance every morning over their machine will keep it from crashing, they will do it, because it's no more arcane to them than a sequence of finger-breaking key combinations that they are so accustomed to. This extends to error messages and application failures, etc. Even when there's evidently a problem, the software more often than not does a rotten job at explaning what's wrong. This is why "we have increased the security of your credit card. Please enter all your data." works so fine. It's nonsensical, but it's no more arcane than any number of other messages our machines give us every day.
      • This leads into the last issue of today. Tunnel-vision. I believe that computer users know exactly as much as they need to to perform a specific task. They look neither left nor right. The classic example is people overlooking UI elements that are right next tho those they've been using for years, simply because they do not use them. Once you leave that comfort zone of things that they know and use regularly, all is new, all is strange. And they have learned that it's lots of work to find out what is going on. It's easier to go with the flow. Unfortunately.
  2. Phishing by Joebert · · Score: 5, Insightful

    What if thoose sites are phishing sites setup by law enforcement to catch phishers ?
    What kind of criminal masterminds would fall for their own scams ?!

    --
    Wanna fight ? Bend over, stick your head up your ass, and fight for air.
  3. The Problem Is The Credit Card by omegashenron · · Score: 5, Interesting

    I work at a b&b where we continually get reservations by people wanting to pay with a credit card. Our customers make their bookings over the phone, fax and even e-mail - to process a payment, all we need is the card number and expiry date. When a receipt is printed (from entering the numbers), it actually has the card details on it!

    I have seen many people collect their receipts from us upon checkin and just throw them away, without any thought about the information contained. Anyone willing to stick their hand in the bin would be able to collect these numbers for themselves.

    I often think a better credit card system would be to have a credit card number and require the use of a temporary code for a transaction to take place (similar to my online banking) where we have an electronic device which has a changing code, of course, this would only be practical for over the phone and website bookings rather than fax/e-mail (although fax/e-mail bookings are insecure now as e-mails may not be deleted from the system and fax's could be just thrown away with the numbers on them).

    --
    Excuses Are Like Assholes - Everybody's Got One
  4. good and bad by Umbral+Blot · · Score: 5, Funny

    Well it's nice to know that my online shopping is safe, it is somewhat scary to know that real life shopping is less secure. Just one more reason to never leave the room.

    --

    Philosophy.
  5. Re:The banks really don't seem to care... by Anonymous Coward · · Score: 5, Insightful

    Why would they care? Banks never EVER lose a dime on fraud, except for a some labor involved in procesing chargeback requests. ALL fraudulent transactions and chargebacks are immediately deducted from the vendor's account. The customer is fully protected. The banks NEVER take a loss. Only the vendors get farked. Over and over again.

    Yes, I am a vendor with my own merchant account. :-(

  6. Honesty and reputation? by 77Punker · · Score: 4, Insightful

    Honesty my ass. They're all just being extra careful not to get caught.

  7. Re:Rumpelstiltskin by rabel · · Score: 4, Informative

    Remember that you don't sign the receipt as "authentication", you sign it to indicate you agree to the terms of the credit. That's the only purpose. If a store attempts to verify your signature against the back of the credit card, well, that's sort of bonus, but not required by the credit company.

    For reference, see this link

    In my own life, I have my daughter sign the credit card bill (and compute the tip, if necessary) and since she's an art student she has been coming up with some pretty creative signature designs.

  8. Re:pharming? by Aardpig · · Score: 4, Funny

    In fact, I thought 'pharming' referred to genetic manipulation of animals and plants to produce pharmaceutical products. For instance, one might produce a strain of cows that express Viagra in their milk. Of course, they'd be a right bugger to milk...

    --
    Tubal-Cain smokes the white owl.
  9. Amazing complexity by iamdrscience · · Score: 5, Informative

    I've been to one of these credit card forums (not as a user, I don't have that kind of moral flexibility) and the thoroughness of these forums is quite amazing. The one I went to in particular required that if you wanted sell something, i.e. CC numbers, fake IDs, card skimming equipment (ATM bezels and strip readers), etc. you first had to provide free samples to the administrators of the forum to verify the quality of your product. If your product was found to be satisfactory, you would be allowed to sell your products, but first you had to put up a certain amount of cash (like $500, iirc) to be held by the administrators -- this cash would be used to refund your customers money in case you didn't deliver your products to them.

    1. Re:Amazing complexity by vastabo · · Score: 4, Funny

      Now that's customer service worthy of a credit card company!

  10. I do systems work for a major card issuer.... by Anonymous Coward · · Score: 5, Informative

    I am one of the people who tries to plug the holes, and build the systems that help our agents fix fraud. So I know my way around some of this stuff, and I'd like to clear up a few things.

    - I don't know how things were "back in the day", but these days, if a family member racks up a credit card bill without permission, and the cardholder won't press criminal charges and file a police report, the cardholder is stuck with the bill. That said, if a merchant just gets approval from "the cardholder's wife", then it's no wonder the merchant got stuck holding the bill and with a penalty to boot. Both are part of the agreement you signed that allowed you to accept credit cards. You did read that, right? Just askin'.

    -Banks are actually very serious about stopping fraud. Not only do banks end up covering a fair amount of the tab because the hoops you have to jump through to get Visa/MC to cover it get harder and harder (and in the world of banking, profits are generated by pennies a transaction, so even $50 of fraud is significant in terms of lost profits), but all the major issuers understand that no one wants to be the next one caught with their security wanting. The bad press associated with lost laptops, wayward tapes and hacked websites is something no one wants - and, in fact, it practically killed CardSystems. We are under major pressure to make sure our bank isn't next - because you do lose a lot of customers from this sort of thing. And reissuing cards to a swath of cardholders is both expensive and time-consuming. The bank I work for hasn't been involved in any of this so far, but we make a point not to brag about it - it just invites trouble.

    -You DO sign the receipt as a verification. Signatures are not necessary for certain types of transactions, or for transactions under a certain fairly low limit, but if there is fraud or a dispute, the merchant has to produce the signature. Or they lose the dispute. This is why many merchants now use the CVV2, although, as you can probably infer from the story, it also is not perfect.

    -Why the cheap price for high-limit cards? Because actually using them is much riskier than stealing them. Either you need your ill-gotten gains shipped somewhere, or you need to show up somewhere in-person. Or you go for fairly small stuff. In any case, it's a lot more risky than the number theft, and if you steal numbers, you probably sell a batch at a time. With the risk goes the reward, so to speak.

    -Phishing, we're working on that too. All the major issuers have places on their websites where you can report phishing activities. Do so, whenever you see it. And the major issuers are also all conducting informational campaigns, trying to teach people what a legitimate communication looks like.

    Overall, though, massive card number theft is unusual. Most people lose their information by losing their wallet, being careless with their info (like with phishing), or by a family member/friend up to no good.