Study: $1.8 Billion In Reshipping Fraud With Stolen Cards Each Year
An anonymous reader writes: Researchers from the University of California, Santa Barbara and others studied the economy of how criminals monetize stolen credit cards by operating reshipping scams as a means to cash out, KrebsOnSecurity reports: "A time-honored method of extracting cash from stolen credit cards involves 'reshipping' scams, which manage the purchase, reshipment and resale of carded consumer goods from America to Eastern Europe — primarily Russia. A new study suggests that some 1.6 million credit and debit cards are used to commit at least $1.8 billion in reshipping fraud each year, and identifies some choke points for disrupting this lucrative money laundering activity. [...] disrupting the reshipping chains of these scams has the potential to cripple the underground economy by affecting a major income stream of cybercriminals. By way of example, the team found that a single criminal-operated reshipping service can earn a yearly revenue of over 7.3 million US dollars, most of which is profit."
I had to ask Google in order to know what a reshipping scam is... To summarize, criminals find stupid people on Craigslist who will accept having goods paid for with stolen credit cards shipped to their home in order to reship them to a foreign address.
If we really wanted to stop CC fraud, we could almost eliminate it. It's pretty simple, but we've abandoned this in favor of convenience.
The new credit cards in the US with chips are good, but why chip and signature? Why not chip and PIN like much of the world does? Better yet, why not require two-factor authentication for large and online purchases where the card isn't swiped? If the purchase is large or the card isn't swiped, simply send a verification code to the customer's phone for that transaction that they have to enter. This is used for so many services now that are less sensitive than financial transactions, so why not use it for these as well? Even the "Verified by Visa" program that required a password for online CC transactions seems to not be widely used.
Also, it's a different method of fraud, but a few months ago my CC was used to make a purchase from a fraudulent website. In this scheme, a transaction is made for a small amount of money, often less than $10, to a website that's not legit. In this case, the website is actually in on the scam. It was pretty obvious the website wasn't a legitimate business. The best thing that can be done is to do a chargeback and report the merchant to the CC processor, which in this case was Visa. If there are sufficient numbers of complaints against the merchant, who in this case is part of the fraud, they will be penalized and probably not allowed to make any more transactions. I provided my bank plenty of evidence that the merchant was fraudulent and asked them to do a chargeback, but they said they didn't want to bother and claimed it was simpler to collect insurance from the FDIC. It seems like merchants ought to be penalized when they're part of the fraud. It also seems like merchants that use poor security practices ought to be liable.
I'm convinced that there really isn't an interest in ending fraud, because the technology exists to make it far more difficult. We just don't implement it, which is frustrating.