An FBI Agent's 3 Years Undercover With Identity Thieves

snydeq writes "InfoWorld offers the inside story of how FBI Supervisory Special Agent J. Keith Mularski, aka Master Splynter, penetrated and took over DarkMarket.ws, the infamous underground carding board hacked by Max Butler and later transformed by Mularski into an FBI sting operation. The three-year tour sent Mularski deeper into the world of online computer fraud than any FBI agent before, resulting in 59 arrests and preventing an estimated $70 million in bank fraud before the FBI pulled the plug on the operation in October."

How much more...

[Pig+Hogger]

How much more such operations could they conduct if they weren't so clueless by having agents investigate peaceful protesters and non-criminal **HACKERS** (in the original sense, that is, not meaning "cracker")????

Re:How much more...

[mi]

How much more such operations could they conduct if they weren't so clueless by having agents investigate peaceful protesters and non-criminal **HACKERS**

All crimes or suspected crimes deserve thorough investigation. Ruling certain kinds of crimes out-of-reach of the FBI simply due to resource-constraints is equivalent to encouraging the said crimes.

Re:How much more...

[TheRealMindChild]

FYI man, alright. You could sit at home, and do like absolutely nothing, and your name goes through like 17 computers a day. 1984? Yeah right, man. That's a typo. Orwell is here now. He's livin' large. We have no names, man. No names. We are nameless!

HACK THE PLANET!

Re:How much more...

So, you think they would use the same agents to investigate protesters as are used to investigate hackers? They're not the ones I'd be calling "clueless" right now.

Re:How much more...

[pete-classic]

Sure. But, given finite resources, should there not be some rational priorities set?

-Peter

Re:How much more...

[SomeJoel]

How much more such operations could they conduct if they weren't so clueless by having agents investigate peaceful protesters and non-criminal **HACKERS** (in the original sense, that is, not meaning "cracker")????

Sixteen

Re:How much more...

[Gizzmonic]

All crimes or suspected crimes deserve thorough investigation. Ruling certain kinds of crimes out-of-reach of the FBI simply due to resource-constraints is equivalent to encouraging the said crimes.

That must mean the FBI encourages drug trafficking and sex crimes because they are not investigating those while they are going undercover to bust a group of peaceful protestors who have committed zero crimes Great logic you have there.

Re:How much more...

I think both their salaries are subsidized by my salary.
If we got rid of the useless investigations that'd be one less resource drain on the good departments.

Re:How much more...

Stopping 70million in bank fraud is useless? Allow me to ask... what then does it take to be usefull?

Re:How much more...

Ruling certain kinds of crimes out-of-reach of the FBI simply due to resource-constraints is equivalent to encouraging the said crimes.

Crimes like peaceful protesting, you mean?

Re:How much more...

[morgan_greywolf]

All crimes or suspected crimes deserve thorough investigation. Ruling certain kinds of crimes out-of-reach of the FBI simply due to resource-constraints is equivalent to encouraging the said crimes.

Right. Because the FBI is out investigating every single federal crime within their jurisdiction, right?

No. Because the FBI does have limited resources, cases not specifically brought to their attention by promising, credible leads -- or at least serious media attention -- don't get investigated. Those with credible leads that may not look so promising might sit on the backburner -- often for months or years.

While the FBI does investigate people who turn out to not have been criminals, that's more the exception than the rule.

Re:How much more...

[lazy_playboy]

Does the FBI not investigate sex crimes or drug trafficking, then?

Re:How much more...

[Grimbleton]

I don't think that's the group he meant.

Re:How much more...

[Cowmonaut]

DEA does drug crimes. FBI does investigate sex crimes. FBI does do some drug crimes I guess, but usually by accident. They're more into the "cool" crimes like Murder, Sex, and Cyber.

Re:How much more...

The FBI only cares about "glamour" crimes now, terrorism, serial killers and the mafia. Terrorism is extremely rare in the US, serial killers are also very rare, and the mafia has withered away to a shadow of its former self. Young men (mainly) join the FBI because they want to deal with these Hollywood crimes from their childhood crime fighting fantasies not crimes that affect real people on a daily basis.

Re:How much more...

Uh.. I think he was suggesting that the government investigates things that aren't even suspected crimes. If you relax the word "investigate" and just say "fuck with" then there are already real life examples.

Re:How much more...

[Maestro485]

While the FBI does investigate people who turn out to not have been criminals, that's more the exception than the rule.

They leave that to the Department of Homeland Security ;-)

Re:How much more...

[MadMidnightBomber]

Well, anything worth more than $500K, or anything that affects senators.

Oops, did I say that out loud?

Re:How much more...

[beav007]

FBI does do some drug crimes I guess, but usually by accident. They're more into the "cool" crimes like Murder, Sex, and Cyber.

This post is so much entertaining (and possibly accurate) when read without context...

Re:How much more...

stopping 750 billion in bank fraud

Re:How much more...

[Xest]

But if said crimes are actually harmless like those the parent cited then what's the problem with them being more commonplace exactly when more harmful crimes are being dealt with instead?

The parents point isn't that people should be able to break the law and get away with it, it's that police time is wasted with laws that are ultimately pointless for the aim of furthering political agendas and such.

You're effectively saying we should ignore say, a few rape cases, because little Billy being allowed to get away with downloading some MP3s might cause it to become more widespread. So fucking what? Catch the bloody rapists instead please.

Re:How much more...

[Bourbonium]

To hell with tracking down "hackers." The story asserts that after a three year undercover investigation, the operation prevented only $70 million worth of fraud and identity theft (which would have been absorbed by the banks). For cryin' out loud, that's a fucking drop in the bucket! Why the hell couldn't they have directed these resources into investigating THE BANKS THEMSELVES, which have now robbed the American taxpayers of over $700 BILLION in bailout money? Why couldn't they have investigated Bernard Madoff and prevented the loss of $50 BILLION stolen from his investors? Or why did they not investigate this guy http://www.dvorak.org/blog/2009/01/22/presto-another-fund-manager-disappears%E2%80%A6/ who stole $300 MILLION from other investors?

If their role is to protect citizens from crime, I think the FBI's priorities need to be re-evaluated.

Re:How much more...

[mi]

But if said crimes are actually harmless like those the parent cited then what's the problem with them being more commonplace exactly when more harmful crimes are being dealt with instead?

FBI, being part of the Executive Branch are not (and ought not) to decide, what's "harmless" and what is not. If the Legislature has made something illegal, then it is the Executive's duty to enforce it. Now, given limited resources the can (and ought to) prioritize certain things up and down. But they should prioritize anything down to zero.

The parents point isn't that people should be able to break the law and get away with it

Yes, actually, that was his point — that "peaceful protesters" and "benign hackers" should be able to get away with it. He didn't say it outright, but was nevertheless quite explicit. I don't know, how anyone could've missed it...

You're effectively saying we should ignore say, a few rape cases, because little Billy being allowed to get away with downloading some MP3s might cause it to become more widespread.

Rapes (and murders) aren't, actually, a typical FBI fare — unless a federal official is involved or in cases of organized crime.

Re:How much more...

[Xest]

"FBI, being part of the Executive Branch are not (and ought not) to decide, what's "harmless" and what is not. If the Legislature has made something illegal, then it is the Executive's duty to enforce it. Now, given limited resources the can (and ought to) prioritize certain things up and down. But they should prioritize anything down to zero."

Why not? If they don't then again, more serious crimes have to go untouched which is wrong no matter what. The real point to be made is that if the FBI has to prioritise something to 0 and that something not being dealt with is a problem then you have a funding issue. Under no circumstances should harmless crimes be dealt with instead of the much more serious ones because otherwise you face the scenario I mentioned- violent crimes going unsolved in favour of arguably entirely harmless crimes that are only crimes in the first place because of ignorant political agendas and not because they make the people safer or the country better in anyway. I understand it's not the FBIs position to decide that, but it also just requires simple common sense that if you have rape/murder/organised crime/some other serious crime, it's a whole lot more of a priority than something that fits into the pointless law category. If people creating stupid laws want them enforced they either have to provide extra funding to enforce them as well or they have to decide that they're more important than the serious crimes to deal with. They can't make the FBI to prioritise themselves and complain when they apply common sense to doing so.

"Yes, actually, that was his point -- that "peaceful protesters" and "benign hackers" should be able to get away with it. He didn't say it outright, but was nevertheless quite explicit. I don't know, how anyone could've missed it..."

If he didn't say it outright, then no, he wasn't in any way explicit, if he was explicit he'd have said it outright. I think the misunderstanding here is that of quantification though, what he and I are saying is that it shouldn't be treated as a non-crime, it should still be treated as a crime because as you point out, that's how it is on the books but what we're saying is that although it's a crime, it's a crime that isn't high priority enough with the given resources to deserve any attention given to it whilst other more important cases go unsolved. If these pointless crimes need be investigated then again, the funding needs to be provided for the resources to exist for that to happen.

Re:How much more...

[mi]

Crimes like peaceful protesting, you mean?

First of all, one's "peaceful" (such as rock-throwing so common among Arab youth) is another's "violent" (each rock is, actually, a deadly weapon — especially, when thrown with a sling). Or potentially violent. But violence during a protest is a simple matter for the local police.

Where FBI can be more justifiably involved, are cases of serious (even if non-violent) disruptions, such as when protesters chain themselves to the rail-tracks to stall transportation of nuclear waste. Or damaging military equipment? Preventing such sabotage before it happens and punishing the conspirators (and would-be saboteurs) is a perfectly legitimate job. Another is protecting the military bases — both from mere disruptions and from actual threats.

Who can be sure, whether the mouth-foaming youth is "peaceful" or preparing to bomb the recreation hall? If there are credible suspicions towards the latter (and public expressions of sympathy with an enemy: "Al Qaeda has won! Kill the pigs!" — though not illegal, are one of the tell-tale signs), then an investigation is warranted, however peaceful the suspects have been so far.

Re:How much more...

[mi]

Why not? If they don't [do] then [them] again

Because they will do them again and again, if nobody is ever prosecuted for them. I'm not sure, what your background is, but there is a distinct difference in computer-scheduler designs between low and idle priorities. The idle is, actually, quite dangerous...

I think the misunderstanding here is that of quantification though

Of quantification and classification. The G..GP implied, that the particular protests he had in mind were all peaceful and utterly benign. If you scratch such a person, you'll find out, that Weatherman Underground were, in their opinion, "peaceful" too.

See my other post in this thread on the matter...

Actually

[DoofusOfDeath]

InfoWorld offers the inside story of how FBI Supervisory Special Agent J. Keith Mularski, aka Master Splynter, penetrated and took over DarkMarket.ws,

How on earth are we supposed to believe it's the real Agent Mularski now?

Re:Actually

I'm loving the TMNT reference though.

what now?

I heard he's retiring and moving to the Caymen's

oh lord

So this guy tricked a bunch of noobs who openly ran a credit card right through a public forum? I usually give credit where credit is due, but these people were compelte morons to be running a criminal enterprise right out in the open.

Had this guy penetrated somthing far more secretive I would give him more credit, but anyone who was stupid enough to run somthing like this out in the open was of course stupid enough to let an FBI agent on the inside.

Re:oh lord

[oodaloop]

I had heard about this at a law enforcement/fraud analysis/intelligence analysis conference a while back. Basically, ALL the major sites were running in the open. Before all the crackdowns, I guess they thought the anonymity of the web meant they were untouchable. After the FBI cracked down on a bunch, they got wise and went underground.

Re:oh lord

[betterunixthanunix]

As far as I know, the general idea was that the transactions would happen so quickly that even if someone was watching, the money would be long gone before anyone could track it. Keep in mind that these stories are published long after the arrest occurs, so by the time you learn about what happened, the criminals have moved deeper underground.

Re:oh lord

Don't you mean all the KNOWN sites were running in the open?

Re:oh lord

[Zwicky]

I usually give credit where credit is due

Ace! I'll take 10,000 blank American Express. Meet me by the disused warehouse down by the docks in three hours.

I like the way the government thinks

[jollyreaper]

Cool hacker name = geek culture reference + creative misspellings/capitalizations

Sample names:
Dark JedEYE
FeloniouS MonK
POPP3R SMRF
TERRORByTE
G\/\/B

I predict you will hear of these handles in future busts.

Re:I like the way the government thinks

[Compuser]

George Washington Bridge? What's so cool about that.

Re:I like the way the government thinks

That was two V's.

Re:I like the way the government thinks

[Abreu]

Those are also the initials for George W. Bush, a former president of the USA.

Since we all are already trying very hard to forget him, I guess you get a pass

Re:I like the way the government thinks

[betterunixthanunix]

Aw "terabyte" was my original handle...and I thought it was clever because it sounded like "terror."

Re:I like the way the government thinks

Whoosh...

Re:I like the way the government thinks

I predict you will hear of these handles in future busts.

Well since you just blew the cover of at least 3 FBI agents I'd expect that the name "jollyreaper" will be prominent in the next big takedown.

Re:I like the way the government thinks

you're not even worth a 'wooosh'.

Re:I like the way the government thinks

[gEvil+(beta)]

Aw "terabyte" was my original handle...and I thought it was clever because it sounded like "terror."

Well, if you wanna go for that retro feel you can always use killabyte.

Re:I like the way the government thinks

[betterunixthanunix]

My reasoning was more of the 12 year old variety: Wow, the bad guys on Reboot are Megabyte and Gigabyte! And I want to be even cooler, so I'll be Terabyte!!!

Re:I like the way the government thinks

[techno-vampire]

I predict you will hear of these handles in future busts.

I find that highly unlikely. After all, these are computer geeks; they've probably never gotten near enough to any woman except their mother to...

Oh...

Never mind!

Re:I like the way the government thinks

[Daravon]

Don't be silly. We all know the real supervillian is P3dobyte.

Re:I like the way the government thinks

[Dark+JedEYE]

Oh fuck.

Re:I like the way the government thinks

[jollyreaper]

That was two V's.

No, they were back and forward slashes, alternating. That's the beauty of the G\/\/B handle, you can try googling it but you'll never get it right! And I thought the "non-space non-printing character" hidden directory name in DOS was awesome.

Re:I like the way the government thinks

[jollyreaper]

Aw "terabyte" was my original handle...and I thought it was clever because it sounded like "terror."

My original handle was going to be my name replaced by asterisks **** ****. It took me ages to figure out why I kept crashing the boards I was tying to join. :(

Re:I like the way the government thinks

[dubbreak]

Former president of the University of South Australia? I question how many people know that the current one is Professor Peter HÃj let alone the previous president.

I assume the USA must be the Australian equivalent to MIT.

Re:I like the way the government thinks

[genner]

George Washington Bridge? What's so cool about that.

It's an awesome bridge.
Don't mock it.

Re:I like the way the government thinks

[genner]

I predict you will hear of these handles in future busts.

I find that highly unlikely. After all, these are computer geeks; they've probably never gotten near enough to any woman except their mother to...

Oh...

Never mind!

They hand access to free credit cards. Some how I think women could stand to be around them.

Re:I like the way the government thinks

If you don't like him why would you want to forget him? If you forget him then you forget all the nasty things that happened under his presidency. If you forget the mistakes of our leaders then there is no lesson learned.

America must not ever forget.

Re:I like the way the government thinks

[DgtalPimp]

FBI agent alert!!!!!

Re:I like the way the government thinks

[dubbreak]

Huh. I was shooting for funny, but I'll take what I can get mod-wise. +4 interesting is good enough for the girls I go with.

Re:I like the way the government thinks

[fyoder]

Those are also the initials for George W. Bush, a former president of the USA.

He dead.

Re:I like the way the government thinks

Ah, how I love the sound of that...

Former president George W. Bush.

Re:I like the way the government thinks

[syousef]

Try these handles: NevaLa1d ForTYrV1rg1n M0thasBas3ment Leg3nInPwnM1nd Asp3rGas B3at3nUpNrd WannaBWayneKerr

Re:I like the way the government thinks

What's that sound again? I forgot how to spell it.

Re:I like the way the government thinks

[duggi]

You created the account just for that post, didn't you?

Re:I like the way the government thinks

[ciderVisor]

+5 P3dobyte Seal Of Approval.

Moooooarrrrrr !

Re:I like the way the government thinks

[StuckInSyrup]

A classic example of keming.

Yeah, well...

[MikeRT]

The FBI needs a charter that gives it certain, specific areas of jurisdiction. Every other agency has a defined role. It's high time that the FBI was given a few niche roles too and told to sink or swim there.

Re:Yeah, well...

[Volante3192]

You mean like at http://www.fbi.gov/quickfacts.htm ?

The FBI's jurisdiction is essentially being the nation's police force as opposed to your local city force. You can't say "ignore these sections of the state, county or city code" to a local police force just like you can't tell the FBI to ignore the U.S. Code.

Re:Yeah, well...

[morgan_greywolf]

The FBI does have certain, specific areas of jurisdiction. Ever read the FBI website? They say with specificity what their areas of jurisdiction and current criminal priorities are.

Re:Yeah, well...

[dintech]

Nice list but they seem to be missing alien abductions and unexplained phenomena.

Fencing

[planckscale]

From an article I read on Wired what seemed to have brought the downfall upon Butler was some of his associates got nabbed for trying to use stolen cards to buy expensive retail items and then fence them on Ebay for cash. Seems to me that old fashioned F**k-ups are the way these guys usually get taken down. Also from the article I read that corrupt retailers and waiters use portable card readers to steal all mag data on the card. How would you protect yourself against that kind of attack?

Re:Fencing

[CannonballHead]

Don't ever buy anything, and never eat out?

Re:Fencing

Cash

Re:Fencing

[AKAImBatman]

Also from the article I read that corrupt retailers and waiters use portable card readers to steal all mag data on the card. How would you protect yourself against that kind of attack?

As long as we use credit cards, you and I can't protect ourselves. However, the credit card companies could. Using public key authentication via smartcard technology would make it easy to verify physical access to a credit card. Yet the only instance I can think of, of anyone trying to roll this out is American Express's Blue card. Even that was mostly ineffective as the smart card circuitry appears to go mostly unused.

Re:Fencing

[gtbritishskull]

I have eaten at places that get mobile credit card readers and swipe it at your table. This way, the card never leaves your sight. You can suggest this to the managers of your favorite places to eat at. And, I worked at a restaurant where a guy got fired for having a card reader hidden in his pocket and stealing credit card info. It is very easy to do and very unobtrusive.

Re:Fencing

[ericlondaits]

There's a very cool british TV program called "The Real Hustle" in which they perform popular cons with a hidden camera and then explain them.

In one episode they show how a waiter can hide a card reader stuck to the side of their leg or under an apron and swipe it after purposely dropping it to the floor and then either picking it up or cleaning it. In this cases the waiters were using the portable reader that goes to your table, and they still were able to steal data.

Re:Fencing

[Applekid]

I have eaten at places that get mobile credit card readers and swipe it at your table. This way, the card never leaves your sight.

Sure... they'll just swipe over at the server those mobile readers upload to instead. :)

I've wondered if people with photographic memories get involved with crimes like these since all they'd have to do is glance at a card in passing and they'll catch it.

Re:Fencing

[morgan_greywolf]

Mod parent +5 insightful. Cash is accepted everywhere and stolen cash can't be used for identity theft.

Re:Fencing

[Grimbleton]

My girlfriend would NOT approve if I stopped eating out.

Re:Fencing

[samkass]

I think you're right here in the US. When I visited London last year, though, it seemed like every single person had chips in their cards. I felt like a Luddite asking the guy to actually swipe the magnetic strip on a card (and him having to try a couple times before it took), then go find a pen, sign it, then find a place to put the paper signature. Us old-fashioned Americans.

Re:Fencing

[Creepy+Crawler]

Or if you hand your CC to a drive-thru to pay for food/drink.. Our receipt paper is thin enough to easily take an imprint of a CC. All you'd need to do is remember 3-4 numbers, the CVV2.

I found out this accidently, while holding a customer CC while rubbing it: it indented the CC, expr, and name perfectly.

Good thing im honest in dealings... They wouldnt catch me if I wasnt. I know decent stat to calculate my danger, and how to mitigate any possible repercussions.

Re:Fencing

[atamido]

I had an experience nearly identical to this in London when a shop clerk asking if we had a card with a chip in it to use. The friend I was with didn't even know what he was talking about. I explained things to her, and then told the clerk we didn't, but could wander off and find an ATM to use instead. He dug around some and found a card reader, but it was obvious he hadn't used it in a while.

Re:Fencing

[thewils]

I read that corrupt retailers and waiters use portable card readers to steal all mag data on the card. How would you protect yourself against that kind of attack?

Er, pay with cash?

Re:Fencing

[SuperG]

Actually, Visa USA was big into trying to roll out smart cards as well. I used to work for a start-up company that had a loyalty application to be used on the smart card, though we never got out of the pilot phase (for Target most notably). Visa USA's big push was because of the increased security, and hoped that loyalty would be the killer app to get it out in the marketplace.

Re:Fencing

[vux984]

Mod parent +5 insightful. Cash is accepted everywhere and stolen cash can't be used for identity theft.

1) Tons of places won't accept 50's or 100's anymore. And carrying enough cash to live in 20's gets bulky.

2) Carrying lots of cash (see above) gets noticed (see below).

3) If you get robbed of cash its gone. No, phoning your bank to let them know your card was stolen. No contesting the purchases made with your stolen cash. Your insurance company won't even replace stolen cash. Its just gone.

While having my card lifted is a hassle, it won't actually likely cost me anything, even if my identity is stolen it will most likely be a hassle more than anything else. Getting robbed however is much more permanent.

Re:Fencing

Easiest defence is to put a sticker over the 3-digit CVS number on the back of your card.

One of the most effective ways to pull off a card-not-present fraud is to get the card number and expiry date from the receipt. Some terminals *** out part of the number on the receipt, but a lot don't (especially in Chip-enabled locations such as Europe). The fraudster doesn't need to double swipe anything - just memorize the CVS when they 'check your signature', and then copy down the card number/expiry off the merchant's copy once you've left.

Re:Fencing

[Zironic]

Actually most people that copy CC's tend to get caught since it only takes 2 cards to be able to notice that both bought things from the same place and then the employer can check who's was on shift.

Re:Fencing

[Mysticalfruit]

I have two checking accounts, what I call "primary and scratch".
Primary is where my paycheck goes into and bills come out of.
Scratch is the account that my ATM card in my wallet is connected to. This account has at maximum 250 bucks in it. If it has more, generally it's because I'm on some special mission to buy something (like a Wii)

So, even if some nitwit were to either rob me or my card were to be swiped surreptitiously they're not going to get far.

Re:Fencing

[vux984]

So, even if some nitwit were to either rob me or my card were to be swiped surreptitiously they're not going to get far.

So why not carry a credit card with a $500 limit? How is what you do really any different / better ?

Re:Fencing

I try to avoid using a card for anything else than an atm. It isn't really that bothersome and is probably the safest solution...
-dreen

Re:Fencing

[Cramer]

Right. And you're certain of the security of that wireless device? And the device to which it's transmitting? And the dialup link it's using to talk to the bank?

All it takes to obtain a CC# is to simply SEE. THE. CARD. I don't need a card reader. And I don't even need to handle it. If I can see both sides of the card, it's even better because then I have the verification number as well.

I know enough about the banking and credit card industries to laugh when they talk about security. If you knew what I do, you'd probablly keep all your money in cash stuffed inside rabid ferrets.

Re:Fencing

So you're really good with stats, yet you work at the drive thru? Perhaps you can use your stats-fu to figure out whether you are getting the most for your time.

Re:Fencing

[Cramer]

According to Visa and Mastercard policies, it is illegal for the terminal to record the number -- either in print or memory. If you see anyone still printing the card number on your receipt, report them immediately. Once the transaction is processed, they have a transaction ID and authorization code and no longer need the card number.

I'd recommend writing the verification number down somewhere else and removing it from the card.

Re:Fencing

[pjt33]

The problem with that system is that it protects the banks and not the customers. Before you could contest the signature: now all they have is a PIN, and there's no way of proving who typed it in. It would be better to use chip, PIN and signature, but people will usually choose convenience over security.

Re:Fencing

Too bad you voted for Obama. Sarah Palin would have fixed that and we'd all be shopping in Wasilla using our magic cards.

Re:Fencing

[Bemopolis]

Does it really take that many calories to reinflate her?

Re:Fencing

[djdavetrouble]

Except these thieves are after dumps of the mag stripe, not just the
imprints of numbers and names. Once you have that, you can make fake cards
with real data, then its swipey swipey time.

there are lots of sites that sell white card blanks and the kit to
put data on them.

Cheers

Re:Fencing

only use cash ?

Re:Fencing

[halcyon1234]

It's coming to North America, but slowly. Mainly because it will be expensive, and only serves to protect the consumer.

Contrast that with the UK banks that have implemented the "chip and pin", where the courts ruled that due to the PIN, they aren't responsible for theft. The banks practically orgasamed all over themselves to get it going.

It still doesn't offer complete protection. You can take the UK card to Germany, where merchants have not implemented the PIN. Or you can still shop inside the UK; just damage the chip. The card will fallback into "swipe and sign" mode that is used for cards without a PIN (such as those visiting from America).

Or, even with the chip and pin, all one needs to do is some shoulder surfing. Everyone covers their PIN at an ATM. In other situations, people aren't used to doing that (restaurant, etc). Once you've identified a PIN, pick the person's pocket.

Or buy things online.

Or steal a lot of cards, and attempt to brute-force the PIN.

Or there's an interesting relay attack:

Consider the following scenario: You go for lunch in a small restaurant in London, and pay using your chipcard at the end of the meal. What you don't know is that the waiter at the restaurant is corrupt. You ask for the bill, and the waiter goes off to fetch a handheld Chip and PIN machine that he brings over to you. Meanwhile, on the other side of town, his accomplice is loitering in a jeweller's store. The waiter sends an SMS message to his accomplice, who goes up to make a purchase. Just as you insert your card into the waiter's terminal, the accomplice puts a fake card into the jeweller's terminal. The waiter's sabotaged reader simply forwards all the traffic from your card wirelessly to the card in the reader at the jewellers, and pretends to ask you to pay for lunch. You enter the PIN, thinking you're paying for lunch, but in fact you're buying the crooks a diamond!

- "Chip and Spin", http://www.chipandspin.co.uk/

Re:Fencing

Their "Chip+PIN" Implementation is crap, though. The chip just gives it's number unencrypted, the PIN is entered on merchant hardware, and one common reader is basically designed so that you can tap the main data bus and clone the signal. Read about that here: http://www.schneier.com/blog/archives/2008/03/chip_and_pin_vu.html

Re:Fencing

[pbhj]

I see what you did there ... ... better get some curtains.

Re:Fencing

Harold, is that you?

Re:Fencing

[garett_spencley]

I have a serious solution to that problem: learn how to cook. As in, learn how to cook SERIOUSLY GOOD food.

I can spend more on raw ingredients for a single meal than it would cost to take my wife out to a fancy restaurant (not that I do often, just saying that I can), or I can make something amazing for cheaper. And girls dig guys who can cook! Most geeks should like cooking too because there's tons of science involved and most of us like to tinker and make things. Plus when you're done you've got the most amazing meal that, unless you live in New York or LA, can afford to eat at a fine dining restaurant and are lucky enough to get a reservation, you're not going to get eating out.

My wife and I never eat out any more. We're in a mid-sized town and every time we eat out it's always disappointing. Over priced and something I could make way better at home.

I recommend "Zingerman's Guide to Good Eating" as a starting point for anyone looking to get into cooking. It explains how to choose the best ingredients, gives you the history of food's as well, and has some simple recipes too.

Re:Fencing

[Ihmhi]

Pay cash?

Either that, or carry around a pocket EMP and set it off every time the waitress comes by.

Re:Fencing

) Tons of places won't accept 50's or 100's anymore.

If someone refuses to accept cash in order to settle a debt, then they release you from that debt obligation. (provided you are paying in full)

Read your money, it's on there in plain English.

This doesn't usually work at retail stores, since they can just refuse to conduct business with you at all, but can be good for some fun at the gas station if they don't make you pre-pay.

Just remember, it's only required when settling a DEBT.

As for safety, I keep several bank accounts. One is used just for online purchases, and is a pre-paid credit card which I have to load up ahead of time. Another is for paying bills, and unless you are on the approved vendor list you simply can't get an auth for a transaction on it.

If you think having your identity stolen is just a "hassle", then you've never had someone run all over the internet trying to buy kiddie porn with your credit card. Even after you get the financial side sorted out, you'll spend years trying to find all the law enforcement databases that list you as a sex offender and get removed.

Re:Fencing

[iknowcss]

WOOOOSSHHHHH

Re:Fencing

[Zwicky]

There's a very cool british TV program called "The Real Hustle" in which they perform popular cons with a hidden camera and then explain them.

In one episode they show how a waiter can hide a card reader stuck to the side of their leg or under an apron and swipe it after purposely dropping it to the floor and then either picking it up or cleaning it. In this cases the waiters were using the portable reader that goes to your table, and they still were able to steal data.

For those interested in seeing this, here you go.

I'm the paranoid sort with this sort of thing, I have to say. I usually only use my credit card for select purchases and often in stores I trust (as far as you can). I never use debit or credit cards for groceries and trivial things like that.

As always though, there are new attack vectors coming into play all the time and you only need to be caught out once. It's entirely possible that I might be caught out one day by some new method I'm unaware of. For now I'm just content to reduce my 'attack surface' and try to be as vigilant as I can. (eg not specifically credit card related but a few years ago cycle rental place wanted to hold my passport until the cycle was returned. I refused.)

Re:Fencing

Also from the article I read that corrupt retailers and waiters use portable card readers to steal all mag data on the card. How would you protect yourself against that kind of attack?

Two Words.

Cash money.

Re:Fencing

[complete+loony]

Australia is migrating to swipe and pin for credit cards right now. But then our merchant payment systems have allowed swipe and pin for paying with a savings account for a long time, so I don't think the limitations were for technical reasons.

Re:Fencing

Hey, tell me something. How is living in fear working for you? I'm just curious. I imagine it's tiring.

1)Taco bell won't take your 50's and 100's, Starbucks probably doesn't either. However, any place where the tab is more than a couple bucks isn't going to blink at a 50 or 100.

2)Carrying lots of cash doesn't get noticed. Flashing lots of cash gets noticed. There are these inventions, called pockets, and in them you put things like wallets and money clips. Spread the wad out a little and you won't have to worry about flashing your high roller status to everyone in sight.

3) True, if they take your cash it's gone. However, there are a few advantages here. They can't clean out your account, they can't steal your identity, and they can't figure out where you live and rob your house. Hypothetically, you don't have to pay for fraud on your cards... this is true, for anything you can prove is fraud.

Hypothetically, someone sticks a gun in your face and takes your wallet and demands your pin number. You give it to them, mainly because you feel threatened. You give them the real one because they have your home address and threaten to come kill you.

Now you have less than a few minutes to report those cards stolen before they clean out your accounts from every local ATM. But wait, you say, they can't, there is a withdraw limit. WRONG. Most banks have long since dispatched such things. Besides, there is no limit if you walk into a grocery store and get cash back, or a casino (there is one near here, how about you?).

Besides, I don't know about you, but I'd rather lose a few hundred dollars to a thug or pick pocket than spend days on the phone with various financial institutions. That could be just me though.

At the end of the day, if you are really as scarred as you appear, maybe you shouldn't leave the house until your therapist works through it with you.

Re:Fencing

[LackThereof]

When I was delivering pizza, we used to do this for credit card orders. We (the delivery drivers, at the door) would take a rubbing of the customers credit card on the receipt paper. It works perfectly on that slippery thermal paper that cheap receipt printers and CC machines use.

We started doing it to protect ourselves against chargebacks. A handful of customers had taken to challenging charges on a regular basis. With our CSR's taking credit card numbers over the phone, including billing zip and CVV2 number, and the drivers presenting a receipt to be signed at the door, we still had no recourse - Even though we had a signature and an address.
Visa/MC doesn't let retailers disallow anyone paying with a card for any reason, even if you have a history of fraud reports from that person or CC number. It's due to some language in their standard merchant contract (this also spells out that you can't require minimum purchases or surcharges for using cards, but many smaller outfits do anyway, flying under the radar). National and regional management wouldn't let us simply blacklist the customers entirely.

An imprint or a machine swipe was all the CC processor would accept as proof. In the end it was a headache for drivers and managers, and an annoyance for customers. Only a small few customers were actually concerned about the imprint being used for fraud, most simply resented having to get their card out a second time. But in the end, it let us stay in business and protect ourselves.

Re:Fencing

[davolfman]

The real flaw with chip and pin is that we've known it was possible to extract keys from these things with targeted damage for about the last 15 years to my memory. I remember hearing about cracking "smartcards" in Science News sometime in middle school.

Re:Fencing

my system seems to protect me, have a small limit and keep it maxed out

Re:Fencing

[Quiet_Desperation]

So buy her something nice. Oh, wait...

Re:Fencing

[mahadiga]

I believe 2-Factor Authentication along with One Time Passwords are secure enough for Credit Card transactions.

Re:Fencing

[RJFerret]

Actually 50's and 100's are accepted more now than ever since for a while it took a 50 or 100 to fill up the gas tank in the car.

Back in the 80's I used to check beforehand, but now? Nobody blinks twice anymore and self checkouts swallow those and 100's fine.

The new bills help too (just hold up to the light), as well as the pens.

I'd MUCH rather lose the cash in my pocket than cards. What's the big deal to lose some cash that is a half hour of my work time versus cards, which have higher loss limits than the cash I carry, and would require MUCH more time to defend against? Meanwhile the cost of the spending spree the crook goes on has to be absorbed by the bank, IE, their customers, IE, you.

However, I know of only one person who has been "robbed" by a purse snatcher (who was caught by her chasing, screaming and creating a scene).

I know of several people who have had identity theft issues.

The reality? I'll limit my exposure and stick with the convenience of cash thank you very much.

(Never mind many people will discount for cash, so it's like everything you buy is on sale...)

Re:Fencing

[BountyX]

Load up a prepaid visa gift card with cash. Refill when done. Chepaer than using credit card too.

Re:Fencing

and getting that chip inserted into your hand or forehead will be so much better then a card that "can be lifted". yeah global economy, woo hoo one world gov. i hope you are not one that complains about the lack of privacy.

Re:Fencing

[dotancohen]

The problem with that system is that it protects the banks and not the customers. Before you could contest the signature: now all they have is a PIN, and there's no way of proving who typed it in. It would be better to use chip, PIN and signature, but people will usually choose convenience over security.

I had to contest a cash withdrawl recently, and because the PIN was entered correctly the bank concluded that it was an authorized purchase and would not be covered. They treat the 4-digit PIN just as they treat a signature.

Re:Fencing

It does protect the customers - if your card is stolen, the thief needs your PIN, rather than just copying the signature that is on the back of the card. Assuming you take reasonable precautions taking care of your PIN (don't write it down, don't make it your birthdate), you shouldn't have an issue.

Signatures offer no form of protection whatsoever.

Re:Fencing

[RMH101]

{points up]
This is correct. If you have a system that records the full card number on the receipt then you are not compliant with EMV (Europay-MasterCard-Visa) rules for accreditation and if they catch you, they'll pull your merchant account - leaving you unable to accept credit or debit cards issued by either member. Which is a pretty good stick to hit the retailers with.

It used to be common for fraudsters to dumpster-dive the bins at petrol stations and similar to pickup discarded receipts prior to this for exactly the reasons outlined above.

Re:Fencing

[RMH101]

You know, you could just ask her out, instead. It'd be less messy.

Re:Fencing

Or you could use throwaway pre-paid credit cards.

Re:Fencing

[Grimbleton]

Yeah, I forgot this was /. for a second there.

Re:Fencing

[bkr1_2k]

No carpet though. That just gets in the way.

Re:Fencing

Another good starter (Off topic I know) for cooking books is The Joy of Cooking (Covers everything a geek would ever need to know from nutrition, to etiquette, to 3500+ recipes... it and Zingermans guide make a great pair.

Re:Fencing

[samkass]

Their "Chip+PIN" Implementation is crap, though.

Perhaps... but my guess is it's still better than swipe+sign in terms of reducing fraud.

Re:Fencing

[noc007]

That means nothing when the device that accepts the chip and the PIN input is compromised. Some of those readers were compromised with using a paperclip to tap one of the links on the PCB board to sniff the information. The modification could be done and from the outside it looks exactly as a non-compromised unit.

I know of some PIN keypads and even swipe card readers with PIN pads that transmit the data unencrypted to the actual card terminal. All sorts of things could be done and the card holder wouldn't be able to tell.

With Chip and PIN the banks take the stance that the cardholder was negligent since the PIN was used and the PIN is infallible. In fact someone using this type of method with even pulling a black cloth over the PIN pad to hide the input from everyone can still be ripped off since the pad itself isn't secure.

Point is no method is 100% secure unless you have no money, don't buy anything, and don't own anything to barter with.

Re:Fencing

[noc007]

Why use it immediately? Upon average the cards have an expiration that's two years. I have a card with an expiration of three years. Let them make 100s of transactions first. Don't use the cards captured at the same place all at the same time. Make cross referencing more difficult. Even then, don't use the stolen cards where it can be tracked back to you.

I'm not a criminal, but am in the credit card processing industry and it's not rocket science. At any rate it's much easier to do a chargeback to the merchant where the fraudulent transaction took place than to take transaction reports from two or more cards and do cross referencing.

Re:Fencing

[Zironic]

I just know that where I live(in Sweden) there has been a number of cases in the news where corrupt personnel has been caught by cross referencing the transactions of several cards. This obviously only catches the one that stole the card not the one that might be using it.

Re:Fencing

[hankwang]

... pay using your chipcard at the end of the meal. [...] The waiter sends an SMS message to his accomplice, who goes up to make a purchase. Just as you insert your card into the waiter's terminal, the accomplice puts a fake card into the jeweller's terminal.

I call bullshit here. The whole idea of a chip card is that some secret cryptographic data is burned into the chip that will prevent copying the chip card (except by destructive testing using an electron microscope). The communication between the terminal and the chip card needs to verify both that the terminal and the chip are authorized. The only way the above scenario would work is if the accomplice's card is connected with wires to a mobile internet device that sends the electric signals to the cardreader that the victim is using. You would only be able to pull this if the jeweller is an accomplice or so blind that that he doesn't see the wiring. And even then, i doubt that the delays involved with a long-distance data connection will fall within the timing tolerances of the handshake protocol between chip card and card reader.

I read somewhere (probably on slashdot) that even magnetic card readers need to be certified and will disable themselves if they are tampered with. It isn't that easy to create an authorized chip card reader that will leak the keyed-in data or display different numbers on the display than what is actually going on during the transaction.

Re:Fencing

Why not require the PIN pad to have a camera so it could store a picture of you?

Re:Fencing

I don't know about where you live, but my area is full of illegal aliens, and they only pay with 50s and 100s. They have big sweaty wads of bills from working landscaping and construction.

Re:Fencing

http://books.google.com/books?id=_1-fmH2cwxoC&dq=Zingerman's+Guide+to+Good+Eating&printsec=frontcover&source=bn&hl=en&sa=X&oi=book_result&resnum=4&ct=result#PPP12,M1

i love google so much 3

Re:Fencing

[halcyon1234]

It might need some nifty technology, but it's not beyond the realm of plausibility. The fake card has a blutooth relay built into it. You can get those to be pretty darn tiny-- that was their purpose. The accomplice at the store has a netbook or some other smaller Internet enabled device in their briefcase. That device is wifi'd up to the nearest hotspot, which connects via the Internet to the waiter's handheld device.

It might be possible to prevent something like this by lowering the timing window below the window required for the Internet transaction. But that's just a race to find a better relay method.

The fact is the attack isn't currently easy or convenient, but it's plausible-- and thus those in charge of security need to think about preventing it, and those of ill-intent will be thinking of exploiting it.

Re:Fencing

Mainly because it will be expensive, and only serves to protect the consumer.

Everyone here seems pretty confused. The costumer isn't liable. These technologies protect the stores.

This is SOOO cool.

[Forge]

It's like being an undercover mob boss. Except you don't get to: Bang models on their way to the street, Drown rats or wear a cool ring.

Here is my question: Now that Darkmarket is all busted and closed, will this cop just enjoy a 2nd honeymoon before starting again with a new alias and hitting on a different set of crooks.

Hell, if he plays his cards right he could enter the private sector and make millions off the MPAA and RIAA.

Re:This is SOOO cool.

[betterunixthanunix]

He probably wants a new assignment that involves less time at a computer. Did you RTFA? He was spending 18 hours a day on his computer, and was online every day of the week. His relationship with his wife was strained because he had to be available on his computer as often as possible to avoid suspicion and to keep his credibility up. He had to report his vacations to the people he was trying to bust weeks ahead of time, to keep up that reputation. To me, that sounds like the sort of assignment that you only participate in once, if only to keep your heart healthy.

Re:This is SOOO cool.

[morgan_greywolf]

It's like being an undercover mob boss. Except you don't get to: Bang models on their way to the street, Drown rats or wear a cool ring.

Also the risk of being shot and your body left in the Everglades for the alligators to eat is significantly lower.

Re:This is SOOO cool.

[Hork_Monkey]

Actually, this sounds like the average [married] slashdotter.

This was actually for some sort of productive reason, however.

Re:This is SOOO cool.

[betterunixthanunix]

Average married slashdotter sounds like a very small sample set...

Re:This is SOOO cool.

[Nethead]

I would think that a married slashdotter would be above-average.

Re:This is SOOO cool.

[MRe_nl]

But first, a shave and a shower...
http://i41.photobucket.com/albums/e297/morbid_muffin_man/Master_Splinter_Sm1.jpg

Right, you are trying so hard to move on

that you just had to trash GWB one more time. And I am sure it won't be the last time.

Fucking get over it! You have your messiah in the White House now. The terrorists have already dropped their weapons, bin laden has recinded his fatah, and al Qaeda has joined Americans in a singing of Kumbaya.

Move on.org

Re:Right, you are trying so hard to move on

[hoggoth]

> You have your messiah in the White House now.

You're damn right we do!
http://www.boingboing.net/images/x09/DSC_4696.jpg

Re:Right, you are trying so hard to move on

He's not the messiah, he's very naughty boy! Now, go away!

Re:Right, you are trying so hard to move on

+5 Must-get

Try Again

Who's to say that Agent J. Keith Mularski is not one of the stolen identities?

Re:Try Again

[geoffrobinson]

Maybe I'm a brain in a vat.

Re:Try Again

[twitter_sockpuppet]

And I am a sock around a hand.

Patience

[copponex]

Buy things at small retailers unlikely to have complicated security policies or good video surveillance. Use local criminals to do the deal for you, promising a cut if they are successful getting the item out of the store. Keep the purchases under $2,000.00

Sell those things for cash on the street. Don't sell in the same area that you bought the items. Stick to big cities, as the police have way more to deal with than small-time theft. Once you get a big enough stash, use it to start a cash friendly business or find a way to get it to a trusted party in the third world and do the same thing.

The object is to not piss one person off to the point where they dedicate themselves to finding you. As long as the victim has the credit card company to turn to for a refund, and the police don't think the fraud is connected, no one will even bother opening up a case number.

Re:Patience

[Otter]

Sell those things for cash on the street. Don't sell in the same area that you bought the items. Stick to big cities, as the police have way more to deal with than small-time theft. Once you get a big enough stash, use it to start a cash friendly business or find a way to get it to a trusted party in the third world and do the same thing.

In other words, crime is more work with less reward than just keeping your day job writing Java middleware.

Re:Patience

yeah, that pretty much works for me..

Re:Patience

Buy things at small retailers unlikely to have complicated security policies or good video surveillance. Use local criminals to do the deal for you, promising a cut if they are successful getting the item out of the store. Keep the purchases under $2,000.00

There! You have the Feds infiltrating slashdot.ws oops i mean slashdot.org now!
omg! omg! omfg!

ps: Agent Copponex, what were the original ideas for "copponex"?
Copernicus? Capone-X? Cop On Ex? ...

Re:Patience

Another way:

1. Have a friend work at Circuit City.

2. You got to CC and your friend rings up a $4,000.00 to $6,000.00 large-screen TV in the system. You do not pay for the system.

3. Another (non-involved) employee sees the sale in the system and helpfully puts the TV into your car.

4. Once your car drives away, your CC friend deletes the sales ticket from the system.

This had been happening for quite some time (20 units over a 2 month period) and would still be happening if the on-site liquidator had not questioned this particular transaction. The employee is now on the hook for stealing ~$80k to $100k, and his friends and family members are going to be charged as accessories.

-- stj

Re:Patience

[KovaaK]

I doubt it was as simple as you are claiming.

When I worked at CCity (up until June 08), very few people had access to do returns. Only managers and customer service reps... and if you do a return, the sales ticket is by no means deleted - there are logs kept. Maybe the top managers can do more stuff that I am unaware of, but it clearly isn't as simple as your first step listed.

Step 2 would be impossible to do with a credit card without logs - it needs to authorize the sale before the system thinks the unit is sold, otherwise you will need to do a return (more logs). You would want to claim to the system that the person is paying with cash and just not move any cash from the register.

Aside from that, the very high end models (I'd say $4,000-$6,000 are high end) are very rarely in stock at individual stores. You more often than not will need to special order those very high end models.

On a similar note, if he was selling models that were in stock, then that means that the inventory system recognized that the store was running lower on those models and had to have more shipped to it. The same inventory system is tied to the daily reports of traffic in general... I find it hard to believe that nothing would stand out.

If the inventory system was not ordering replacements for those TV's, "Product Flow" would very quickly recognize that their stock in the back is not as expected and start to ask questions on where the big TV's went. Trust me, they check the big stuff before open, around noon, and near close. When big things turn up missing, questions are asked.

But, the biggest indicator that this is complete bunk is the fact that when the "Product Flow" team gets the pick ticket (automatically generated and printed at the time of sale, completely separate of the sales ticket) for the sale in question, the employee who made the sale shows up on the ticket along with the model number, and that ticket is used to make yet another log in the system of releasing the TV to the customer. Afterwards, the pick ticket is placed in a stack of released items.

Circuit City had problems. Employee theft like this was not a major one. I have heard stories about the delivery truck guys finding ways around the system, but I don't know any specifics...

Re:Patience

[KovaaK]

I should have specified a little more on the pick ticket. When a sale occurs that requires someone to get the item for a customer (big TV, desktop computer, projector, certain software... anything in the back), the pick ticket is printed at the front of the store for the people to grab it from the back and give it to the customer.

3. Another (non-involved) employee sees the sale in the system and helpfully puts the TV into your car.

The reason that non-involved employee gets the right item is because the printed out slip of paper has that model number along with the name of the sales associate who made the sale. If someone actually tried this, they would be caught quickly.

Reloadable cards.

[khasim]

I'm still wondering why the various banks don't offer reloadable cards for their customers. Why wander around with your ENTIRE credit limit in your wallet?

And for debit cards, your ENTIRE checking account balance.

Instead, allow the user to transfer the amount that he thinks he will need to a secondary card. That way, if anything compromises that card, the MOST they can get is whatever he put on that card.

As for online purchases, how about one-use card numbers? Just go to the bank site, put in how much you want to pay and the bank will give you a one use number for that amount. Then the maximum you lose if the online site is fake is that specific amount. They never get the real numbers to your real accounts.

Re:Reloadable cards.

Looks like you invented the e-wallet. Don't know about the 'states, but it exists in France (called Moneo) and Belgium (called Proton). It's money stored on your bank card, that you can reload at any terminal using your PIN. Purchases made using this system are quick, as they don't require you to enter the PIN nor sign the recipt upon payment.

So it's pretty much like cash in that it's for small amounts (up to 125 Euros IIRC), there's no authentication, and if your card is stolen whatever e-money you had loaded on the chip is lost forever (whereas your bank will obviously still cover for purchases made using the regular "debit card" function, under certain circumstances).

Re:Reloadable cards.

[Zironic]

It's relatively trivial and not very expensive to just set up a second account with a second debit card with alot less money on it.

Re:Reloadable cards.

Actually you can do this with PayPal. They have an plugin that plugs in to your browser and you can get a one time use number for the amount of your purchase as long as your PayPal account is set up for these transactions.

Re:Reloadable cards.

Your idea of reloading a debit card is something you can do today, granted you need more than one account. Have one account tied to your debit card, while a second account, one that's not tied to your debit card, acts as a repository for your cash. Just transfer money from your secondary account to your primary account when needed. I do this all the time.

Re:Reloadable cards.

[tubapro12]

This makes sense to me and I believe there are some services attempt to do stuff like this.

OTOG (Off the Top of Google):

• Citi Card Virtual Account Numbers
• AmEx disposable credit cards
• PayPal Virtual Credit Card Payment

Re:Reloadable cards.

Wrong - debit cards have a daily limit anywhere from $300 to $500.

Re:Reloadable cards.

[DamonHD]

Umm, a company I co-founded (entropay.com) does this, and is not alone.

Rgds

Damon

Re:Reloadable cards.

[Urza9814]

That's essentially what I do already. Why do you need thousands of dollars in your checking account to begin with? Why not just transfer over only what you need? I mean, I can understand doing that a couple years ago, but my bank doesn't even really have physical banks anymore. If you walk into the building they have a few computers open to their website, an ATM, and one teller off to the side to help with things like opening new accounts. That's it. Everything is done online. And they reimburse you for ATM fees since they don't have too many of their own. But I generally keep less than $100 in my checking account. If I need more, I transfer it before I go. Or get on wifi when I'm there and transfer it. Or transfer it on the phone, which can also be done without ever talking to an actual person (though it's pretty easy to get one if you really want). Why would you need to keep all your money in your checking account?

Re:Reloadable cards.

[kb9vcr]

For online purchases one-use card numbers already are available.

Bank of America has them, it's called 'Shopsafe' and it's a free feature if you have a card with them. I've used it for every web purchase now for years and it works great. You set your limit & expiration date, generate a number and your set. Easy and it limits your exposure.

(MBNA developed shopsafe and then Bank of America got it when they bought them out. Probably other companies have something similar)

Re:Reloadable cards.

[SBrach]

From an ATM. You can buy a Ferrari in your debit card assuming you have enough in your account.

Re:Reloadable cards.

[wiz_80]

In Italy you can get reloadable Visa Electron cards from the post office. Lots of people use these exclusively for online purchases, since even if the card info gets stolen there isn't much that can be done with it.

Since they can't make money by delivering mail any more, the post office has branched out into banking and mobile telephony, and operates an airline as well.

Re:Reloadable cards.

[Raenex]

Bank of America has them, it's called 'Shopsafe' and it's a free feature if you have a card with them.

By the way, it only works on their credit cards, so if you just have a debit card you're out of luck.

Re:Reloadable cards.

[tsstahl]

Since they can't make money by delivering mail any more, the post office has branched out into banking and mobile telephony, and operates an airline as well.

How many stamps does it take to fly from Palermo to Genova?

And where do you stick them?

great relationship with the financial institutions

[davidsyes]

"They have a direct personal relationship with industry people in all areas, but specifically a great relationship with the financial institutions,"

Well, hell, no shit! But, for those who are curious as to why i say it that way, check out:

www.visualanalytics.com

They've been around since before 2002, and i've found them to have some really cool products, based on screen shots and explanations. As far as i'm concerned, the railing bush did on the NYT reporter who outed an ongoing investigation tool probably though along the lines of VisualAnalytics, and i bet VA was the tool used. Or, some in-house FBI/CIA modification of it.

See:

http://www.visualanalytics.com/products/visualinks/index.cfm

http://www.visualanalytics.com/products/visuaLinks/details/vlComparisonChart.cfm

http://www.visualanalytics.com/products/visuaLinks/vlPreview.cfm

Now, imagine if MySql, Postgres, and OpenOffice and other tools could be fused, but toned down for non-intelligence/spying, but for companies mining their own hepta-wheta-peta-quad data wharehouses, or for small businesses something less powerful...

As for anti-terrorism and money laundering, they have (or in 2002 had) slides showing how the bank or federal agency using the tool can interoperate and flag activities by monitoring the target's/targets' phones (any known), contacts' phones, any or all parties' banks transactions, credit cards, deposits, money orders and transfers to or from their names, addresses, and so on, and so on. Heck, if you get access to publishers and libraries, utilities, charitie, and more, HUGE or SMALL networks can be sleuthed/sussed out.

It's a mind-bogglingly powerful and impressive tool.

Administrators don't sleep

[troll8901]

Actually, this sounds like the average [married] slashdotter.

You've reminded me of an old BlueWave tagline:
... Sleep? I'm a SYSOP!

rarely asked for my ID

[mbannonb]

even though I have written on the back of the credit card in the signature space, 'Ask for ID'.

Fraud/corruption is clearly a cost of doing business, another line item, an overhead already accounted for.

Re:rarely asked for my ID

[Cramer]

Like an ID cannot be forged as well? If the person doesn't know you, then They. Don't. Know. You. No amount of "photo id" can *prove* who you are.

Re:rarely asked for my ID

[red0ktob3r]

You're not supposed to put "ask for ID" anyway. If a merchant gets a card with anything but a signature on the *signature* panel, they're supposed to refuse the card. Your options then are 1) signing the card in front of the merchant and providing an ID to verify that signature, or 2) pay with cash.

Re:rarely asked for my ID

[Achromatic1978]

Because the merchant agreement specifically states that they are not to use the "Ask For ID" thing as a credit card processing mechanism. In fact they can have their merchant account revoked if sufficient complaints are received about requesting ID for CC transactions and not others (though I know in your case you're asking for it).

TECHNICALLY, under YOUR agreement with Mastercard, Visa, or Amex, NOT signing your card with your signature is a breach of your cardholder agreement. In fact (though granted, in practice rarely), Visa requires merchants who come across an unsigned / ASK FOR ID card are supposed to not finish the transaction until the card is signed. If you refuse to sign, at least up until recently, the last time I looked at a merchant contract, they're meant to retain your card (uh oh, you do remember the clause in your cardholder agreement that states that the card remains the property of the issuer, not you, right?).

Not good advice.

Re:rarely asked for my ID

[corsec67]

even though I have written on the back of the credit card in the signature space, 'Ask for ID'.

No.
Visa and MasterCard specifically do not allow seeing an ID to be required for completing a transaction. The merchant can ask, but they can't require the ID.

If your card isn't signed, then it isn't a valid credit card, and the merchant shouldn't honor it.

Re:rarely asked for my ID

[StuartHankins]

I had a credit card stolen once and the credit card company told me to do this exact same thing. I've put "PHOTO ID REQ'D" on every card I own.

In 14+ years, visits to several countries, and many many purchases I've had only one retailer try to refuse the purchase (a particular Best Buy store). I refused to sign it and threatened to leave my items at the counter. I asked for a manager and after he gave me a hard time I told him I wouldn't shop there again. I never went back to that store.

It's actually really stupid to use a signature, especially when clueless stores (think Wal-Mart) print your sig on the receipt! Everyone should have photo ID on their cards, and perhaps even more rigorous methods of ID should be used. When a single card can be $25K it gets to be a bit much to assume a simple signature is enough.

If a cardmaker actually tried to enforce this, I would simply take my business elsewhere. The card is there for my convenience and the bank works on my behalf, not the other way around.

Re:rarely asked for my ID

[StuartHankins]

See my comment above. Assuming a physical signature is "proof" is naive at its best and could be quite dangerous.

When I had a credit card stolen, it was signed. Someone of a different race used the card, which would have been quite obvious if ID were required. It took several hours of my time to clear up the matter and it was very inconvenient.

Re:rarely asked for my ID

[corsec67]

When I had a credit card stolen, it was signed. Someone of a different race used the card, which would have been quite obvious if ID were required. It took several hours of my time to clear up the matter and it was very inconvenient.

Having your identity stolen because the clerk got your credit card # in addition to everything on your ID would be more convenient?

Re:rarely asked for my ID

[StuartHankins]

My ID was not stolen, my credit card was stolen. Had I signed it "ID REQUIRED" the store would have had to check for ID (since that phrase isn't acceptable as a signature by itself).

It's stupid to use a sig on a credit card simply because copying a signature isn't proof of identity, which is the whole point of "signing" the card to begin with.

I was advised by that card's fraud department to always use "ID REQUIRED" or other such wording in the future in lieu of a signature on all my cards. After 14 years of this, I can verify it works.

Re:rarely asked for my ID

an unsigned card is just plain stupid. If I got hold of an unsigned card, I'd just sign it. Then when I signed the receipt, the signatures would match, and the cashier (who doesnt really give a damn anyway) has no cause to ask for my ID.

Idiots!

Re:rarely asked for my ID

This actually caused problems for me the last time I was in Bangkok.

On two separate occasions, the clerk in a major department store had to go back to management for approval because my signature did not match the words "See ID" on the back of my card. (This was after I presented both my US Passport and my California Driver's License as ID.)

Re:rarely asked for my ID

[jandrese]

I still think it's ridiculous that instead of getting a photo id to check the cards name, every wage slave cashier in the world is supposed to be a handwriting analysis expert. The signature on the back of your card is security theater at its worst. Not only is it completely worthless at stopping someone from using a stolen card, it also leaves your signature right out in the open. Don't get me wrong though, I believe that writing your signature on the cashier's copy still has merit, mostly for going back after the fact and proving that whoever used your card is not you, by a trained handwriting analyst, using a sample you provide. It's the signature on the card that's completely worthless.

Internet Rule #1

[arthurpaliden]

Just goes to show you cannot trust anyone you meet online. They may not be who they claim to be.

Re:great relationship with the financial instituti

[davidsyes]

Replying to my own thread... FTA:

"One hacker who called himself Theunknown swore at Mularski, "You piece of crap fed... you're never going to catch me."

"Why don't you turn yourself in. It beats living the rest of your life on the run," Mularski wrote back. A week later, Theunknown followed his advice."

LOL!

African dancing

[SethJohnson]

al Qaeda has joined Americans in a singing of Kumbaya.

That would be great because then George W. Bush could dance along....

Seth

Sounds like many jobs I've had...

[Klootzak]

So Agent Mularski got a taste of what it's like to be a SysAdmin? I think it's a good thing, now he would understand what it's like to work in IT, he'll (hopefully) be more sympathetic to IT staff that he works with... We should get more Law-Enforcement officers into undercover IT "busts"!!!

Now, if he had a pager that would buzz him in the 6 hours he got "off" from the computer, that would be JUST like being a SysAdmin ;)

Sure

[copponex]

If you can make 1,000 a day, tax free, working thirty hours a week. And if they throw you in prison, you can take some classes and write J# middleware when you get out.

The downside is the anal raping. For most people, I mean.

Re:Sure

The downside is the anal raping. For most people, I mean.

But not your average Slashdotter. Any action is good.

Wait a sec...

[dontmakemethink]

If this ID nark spent 3 years among the best identity thieves, how can you be sure he's not an identity thief undercover as an FBI agent?

I'd at least sweat the guy down with a good wholesome interrogation before letting him regain access to the secret filez! Good for a few chuckles at least!

credit card crime syndicate - small charges

I'm being stung by a credit card fraud crime syndicate. I think they have a lot of credit card info - they supposedly get it from the source or close to source. They charge you innocuous ammounts like $2.95 put to maybe $12. I've been getting hit for $4.95, three times now - one from code-x and two from synergetics. You have to cancel your card to get off their fraudulent billings. Lookie here: http://whocallsme.com/Phone-Number.aspx/8703300621 and here: http://www.dslreports.com/forum/r19620593-Ebook-websites-fraud-charges-DevbillDigitalAgePluto for more about this crime and more about who may be charging your card.

Suggested tag: hero

Nuff said.

Cash

Use cash money

You dont have that facility in the US of A?

That's the most basic thing here in Mumbai, India.
You can always just fill an application online for a limit so that you cannot be robbed of more than a certain amount.
Keep 2-3 cards - at least one for small purchases.
My lowest "cheap internet card" limit is INR 1000 (== US $20). Next, INR 5000 (== US $100).
Anything more than that is roughly durable and valuable and therefore is purchased offline - cheque/cash.
Suits me fine, you might want to give that a try.

So...this is why...

[hesaigo999ca]

This is the guy that pissed off the Russian mob so much that they are now developing the new worm out there, and are intent on taking over ALL computers in the US. Great!

*ahem*

Don't know quite how to say this, but... GP wasn't talking about going to a restaurant and eat food prepared by a chef. There is another meaning of the expression "to eat out". I'll let you figure it out.

LOL

thank god I quit that carding shit back in 05
cuz it got reaaaal risky right after that