Slashdot Mirror
U.S. Govt. Appears To Have Nabbed Kurupt.su Carding Kingpin
tsu doh nimh writes "The Justice Department on Monday announced the arrest of a Dutch man wanted for coordinating the theft of roughly 44,000 credit card numbers. The government hasn't released many details about the accused, except for his name and hacker handle, 'Fortezza.' But data from a variety of sources indicates that Fortezza was a lead administrator of Kurupt.su, a large, recently-shuttered forum dedicated to carding and Internet fraud. Krebsonsecurity.com provides some background on Fortezza, who 'claimed to be "quitting the scene," but spoke often about finishing a project with which he seemed obsessed: to hack and plunder all of the other carding forums.'"
U.S. Govt. Appears To Have Nabbed Kurupt.su Carding Kingpin
I thought he had something to do with sorting cotton fibres before spinning.
Just looked him up on Spokeo. Already updated to show him in jail. wow!
RTFA, Krebs almost seems sympathetic for the guy.
I don't care much for the whole extradition-to-the-US thing, but this is not your average whitehat/greyhat hacker, highlighting security issues by breaking systems, or for the lulz.
This is card skimming pond scum, doing it for profit. Good riddance, I say.
What are you talking about?
Anyone checking my post history will see I'm pretty critical of the US, but good work on this one Team America!
Lets see how Dutchie-Boy likes the US prison system.
What would that go for these days, about $440?
this hero of the people taking from the evil banks and redistributing back to the little people will never lose
It was credit card fraud. The only people that lose are the shops who take credit cards and maybe a few rich people who don't check their statements.
If the banks were losing out from this though would change the credit card system.
The financial system is saved. No need for more regulation and more bank/insurance bailouts! Yaaay...?
Interestingly enough, it was a restaurant owner in Seattle who tipped the feds off, after angry customers contacted him about additional $70-90 charges on their checks. So yeah, he was really sticking it to the banks.
this hero of the people taking from the evil banks and redistributing back to the little people will never lose
That sounds like PR. More likely, he invested in portraits of Elvis and Mexican jail doors.
I'll bet Hallmark is just as thrilled.
Join the Slashcott! Feb 10 thru Feb 17!
One huge problem is the FBI decided that credit card fraud - any type - is "Identity Theft" and that is how their reporting structure works. This hugely inflates the amount of "Identity Theft" that is reported giving a big leg up to the probably bigger scam artists at Lifelock. No matter how much credit card fraud costs merchants, the number is dwarfed by the amount of money going to Lifelock and other "identity protection" thieves.
Now, who really is affected by credit card fraud? Certainly not the banks - fraudulent charges are simply charged back to the merchant. Does it hurt the card holder? Well, not really. If you get a charge on your bill that you didn't make you do not have to pay it. Most of the time the credit card company is already aware of the fraudulent use and has taken such charges off the bill. Now, the card company almost certainly will want to change the card number and set you a new card and that can be somewhat inconvenient, but that is about it. Well, what about the merchant? If you are in the business of taking credit cards for almost any retail business you have insurance that covers this sort of thing. The merchant is paying for this insurance, so they might as well use it. I guess we are all paying a little bit for this because the merchants might save a few pennies on their general business insurance if they didn't need this coverage. So figure that when you go to a store you are paying $0.000001 more to cover the credit card fraud insurance.
So who loses? The insurance company? Not really. The merchant that is silly enough not to have insurance? Probably. Certainly nobody else is losing anything in this which is why it is not prosecuted in the US - nobody actually using a fraudulent card ever gets even arrested. They do take the card away if you are using a fake card, which obviously doesn't apply when credit card fraud is done through the Internet.
So really this is almost a vicimless crime that affects nobody. So your credit card number is used fraudulently... big deal... get a new card and move on.
Did you know that a fresh credit card number is worth about $0.50 on the open market today? This means that every time you use a card with a human involved it is a good chance they are collecting card numbers. A guy working in a restaurant can make an extra $50 a week easily just collecting numbers and such from cards handed over by customers. There is little risk with this as at worst he might get fired if caught. The police will not even arrest someone for this sort of activity.
Yes, I get a credit card used fraudulently at least once a year. I get a call about some silly charge that someone tried to make and they take it off the bill. End of story. The guy this posting is about is evidently higher up the food chain enough that someone thinks he is worth prosecuting, but I doubt it goes anywhere. There just isn't anyone losing out enough to justify spending anyone's time and money prosecuting folks like this. So it will continue and get more and more prevalent.
Thanks to the chargeback fees paid by the merchant.
Twitter: @dainsanefh
All the banks will resist, citing "high cost" of implementing new system and potential "revenue lost". Why even bother when the existing model bring the banks and its shareholders enormous profits?
Twitter: @dainsanefh
It's certainly not victimless: any merchant who doesn't have insurance is getting screwed by the fraudster, any merchant who does have insurance (because of all the credit card fraud) is getting screwed by the insurance company.
Your numbers are also off - good credit card numbers can go for $30 - $45 depending on the type of card and where it's from:
http://www.npr.org/blogs/money/2011/06/16/137181702/the-tuesday-podcast-inside-the-credit-card-black-market
and the idea that a guy working in a restaurant would do this... Well, if he was very stupid then maybe. But he'd get caught in no time once this restaurant was identified as a common point of use between all these stolen cards.
"If the banks were losing out from this though would change the credit card system."
They're definitely losing big money but they're doing so much business that the losses don't have a material impact on their profits. Millions or maybe tens of millions vs. tens or hundreds of billions. Not enough to justify the expense of updating all the point-of-sale systems(they already have the technology to do this) and certainly not enough to make them want to change their policies of giving easy credit to anyone with a pulse.
"Did you know that a fresh credit card number is worth about $0.50 on the open market today?"
I didn't know that, and I doubt it. That might be the cut that the carder gives to the bus-boy, but it's my impression that the mag stripe data is worth a lot more than that on the open market.
Unfortunately you are wrong on at least one point: the guy in the restaurant is unlikely to ever be fingered for skimming. If the restaurant were identified (which it won't be) it won't be likely he works there anymore (check out the employee turn over in food services some time). But lets get to the notion that someone is working to find correlation to determine the point of loss: lots of luck, there are simply too many ways for a card to be compromised. For example:
1. restaurants
2. card readers
3. malware on a computer
4. thief walks out with hard drive full of the data from a data center
None of those are theoretical, all are significant problems. The poster claiming that it is a victimless crime is either incredibly naive or trying to justify the crime, but the real problem with catching and prosecuting the criminals is that it is an easy crime to commit, hard to identify the criminals and build a case for prosecution. However, the FBI *does* consider it worth pursuing and they do. But they are more likely to catch a poor mule who only has a loose idea that crime was even being committed than the professionals who run the business. Doesn't stop the mule from going to jail, though. It also doesn't get much press because it isn't exactly exciting to read that "Joe Schmoe fell for a work-at-home scam where he purchased product from Amazon with fraudulent CC (provided by his anonymous handler) and shipped the items to England".
It was credit card fraud. The only people that lose are the shops who take credit cards and maybe a few rich people who don't check their statements.
If the banks were losing out from this though would change the credit card system.
I had my card stolen (or at least, it was caught) while I was away on a business trip in a foreign country. I sort of got it resolved, but after a marathon phone session (which I got to pay for!), and countless other little inconveniences. That inconvenience and wasted time has to count for something.
If there was a more secure, but more annoying to use, credit card option, I'd jump to it in a heart beat. But since credit cards are effectively a monopoly, I have a choice of images to put on the card, and little else.
If the banks were losing out from this though would change the credit card system.
I disagree if bank lose more money to credit card fraud they will insure themselves for more loss.
So Then they have many options ask you to pay more for your card, "offer" you a deal special anti fraud card for money, take more money from your bank account...
As long as it's sustainable to make customers pay they will chose that option first.
Can you now be charged for simply setting up and administering a carding forum? I RTFA but only skimmed the indictment. Not saying that this is all the guy was doing. Just curious. I think they've taken down most of these guys because they are not only administering the site, they're also active participants in the commerce.
"he actively hacked into and absconded with stolen card data taken from other fraud forums."
IANAL, but how can they prosecute you for stealing stolen stuff? Wouldn't this be like being charged for "grand larceny" for stealing illegal drugs from someone? Don't the victims need to press charges? I think the real crime will be transfer/sale of the stolen property.
Now, if the U.S. government would exert the same effort on investigating and prosecuting the big banks for their rampant acts of fraud, there might be some justice in this country.
obviously you don't understand economics. If a merchant's costs are increased due to credit card theft, then the cost must be pushed to the consumer or the merchant goes out of business - whether there is insurance or not.
Last year I had a debit card linked to an account whose only use was to purchase food from restaurants/grocery. I got a replacement card in the mail and had used it three times before theres were attempts at huge fraudulent transactions. Of my three valid transactions one was at a gas station, one was at a mcdonalds, and the last was at a grocer. The only one it could have been was the mcdonalds. I reported it to the police and they said they didn't care and it was the cc co's issue. I got a new card, and a few weeks later I used at the bk down the street...This time the only places I'd used it at were self checkout at grocery since it was new. A few days after bk, yep, more fraudulent charges. Another call to police and attempt at alerting fbi...NEITHER cared. Both said it was extremely unlikely the fast food cashier was skimming cards and didn't want to look into it. I never heard a thing back from them.
So don't be so confident this would be caught so quickly.
Anybody wonder what the .su domain refers to? It's the Soviet Union. They haven't existed since 1991. Yet somehow people are still allowed to register under the domain.
I do get your point but listen to the podcast that I linked - they make it clear that most stolen credit card numbers come from what they call 'hacking' (probably a compromised machine at a merchant or bank, maybe one at your grocery store) and most of the rest come from fraudulent or bugged ATMs or the like. Conspicuously absent is the sort of skimming that you're talking about and I'd guess that this has something to do with the impracticality of the process in addition to the danger.
I'd imagine that you got the brush off from the police because the bank is in a much better position to evaluate your claim than the police are, so that's the system which they have in place to handle it.
Yes, most of the numbers are stolen in bulk from poorly secured databases.
There are forums, dozens of forums, where you can upload a few hundred card numbers and somebody will check they're fresh and then pay you say $5000 per thousand cards for your full list with CVVs etc. If you waste your time getting the police in some crappy out of the way place to shut down the server, another springs up the next day so the law enforcement people don't bother any more. Instead they pay White Hats to break into these forums and steal back the data, identify the bad guys and so on.
Of course people are not supposed to have databases full of credit card numbers. But they're also not supposed to have databases full of unsecured passwods. They're not supposed to have root accounts with '12345' as the passwod and remote access enabled. They're not supposed to put customer details onto a laptop and then leave it on a train. Basically people suck, and even if only 10% of people suck that means if you used your credit card in ten places online probably one of the places you used it has a poorly secured database with your credit card number in.
I'd like to see the card operators performing physical audits. Guys show up, they inspect your systems, and if they don't like what they see, too bad you're out of business. That might encourage the "Oh, I'll just put it in a MySQL DB on a shared web host, I'm sure it'll be OK" people to buck their ideas up, or if not it'll ruin them financially which is OK with me too.
Banks do have internal problems (e.g. crooked people working at the bank), but they're rare. That's no less serious for the customer, in fact it's worse because the bank's internal systems will (having been fooled by an insider) probably say it's the customer at fault, but it's not monetarily a large portion of fraud..
But the shops are businesses, as such they need to make a profit and to cover their losses from credit card fraud they need to raise their prices to cover their losses, as such it is the average consumer who pays in the end.