Slashdot Mirror
Study: $1.8 Billion In Reshipping Fraud With Stolen Cards Each Year
An anonymous reader writes: Researchers from the University of California, Santa Barbara and others studied the economy of how criminals monetize stolen credit cards by operating reshipping scams as means to cash out, KrebsOnSecurity reports: "A time-honored method of extracting cash from stolen credit cards involves "reshipping" scams, which manage the purchase, reshipment and resale of carded consumer goods from America to Eastern Europe — primarily Russia. A new study suggests that some 1.6 million credit and debit cards are used to commit at least $1.8 billion in reshipping fraud each year, and identifies some choke points for disrupting this lucrative money laundering activity. [...] disrupting the reshipping chains of these scams has the potential to cripple the underground economy by affecting a major income stream of cybercriminals. By way of example, the team found that a single criminal-operated reshipping service can earn a yearly revenue of over 7.3 million US dollars, most of which is profit."
Wow, that sounds even better than the other MLMs, tell me more!!
Lost at C:>. Found at C.
I had to ask Google in order to know what is a reshipping scam... To summarize, criminal found stupid people on craiglist that will accept to have goods paid with stolen credit card shipped to their home in order to reship them to a foreign address.
If we really wanted to stop CC fraud, we could almost eliminate it. It's pretty simple, but we've abandoned this in favor of convenience.
The new credit cards in the US with chips are good, but why chip and signature? Why not chip and pin like much of the world does? Better yet, why not require two-factor authentication for large and online purchases where the card isn't swiped? If the purchase is large or the card isn't swiped, simply send a verification code to the customer's phone for that transaction that they have to enter. This is used for so many services now that are less sensitive than financial transactions, so why not use it for these as well? Even the "verified by Visa" program that required a password for online CC transactions seems to not be widely used.
Also, it's a different method of fraud, but a few months ago my CC was used to make a purchase from a fraudulent website. In this scheme, a transaction is made for a small amount of money, often less than $10, to a website that's not legit. In this case, the website is actually in on the scam. It was pretty obvious the website wasn't a legitimate business. The best thing that can be done is to do a chargeback and report the merchant to the CC processor, which in this case was Visa. If there are sufficient numbers of complaints against the merchant, who in this case is part of the fraud, they will be penalized and probably not allowed to make any more transactions. I provided my bank plenty of evidence that the merchant was fraudulent and asked them to do a chargeback, but they said they didn't want to bother and claimed it was simpler to collect insurance from the FDIC. It seems like merchants ought to be penalized when they're part of the fraud. It also seems like merchants that use poor security practices ought to be liable.
I'm convinced that there really isn't an interest in ending fraud, because the technology exists to make it far more difficult. We just don't implement it, which is frustrating.
Basically, there are many businesses in the USA who won't ship internationally for many reasons. Heck, some won't even ship to parts of the USA like Alaska (ask me how I know). Said reasons include customs difficulties, fraud, damage in transit, time, etc...
Thus, there's a market for 'reshippers'. People who accept packages on behalf of their clients and act as facilitators for international shipping. Good ones handle the customs requirements, any extra packaging, etc...
Thing is, they can be a bit like a pawn shop. You have legit ones, and you have ones that are more straight out fences.
Given the description, it sounds like they're ripe for some additional regulation.
I don't read AC A human right
Basically, there are many businesses in the USA who won't ship internationally for many reasons.
There is also the market where these businesses will ship to foreign destinations, but charge a huge premium for the privilege. Thus making dealing with re-shippers attractive.
I am Slashdot. Are you Slashdot as well?
Safekey, 3DSecure, etc have some potential. AVS and shipping checks also.
But the simplest way is to use the stolen card to buy gift cards, use these to purchase merchandise, and fence that via reship or whatever, even eBay.
Once the gift card is used, the link to the original cardholder is lost, AVS is useless. In fact, use out of town mules to use the gift cards, bus them in and out, and even the video of them at the register is useless. Nobody in Seattle is going to look at mug shots from Sacramento to figure out who used that hot gift card at Nordstrom's.
EMV cards will stop this. Then it's on to Amazon Prime and same-day delivery to the mark's home address, where your mule just happens to be waiting in the driveway for their daughter - while the actual resident is at work. This scam is used to hijack cell phones ordered fraudulently and delivered home while the residents are away working for a living. AVS can't stop this. Only vigilance, and maybe SMS alerts of purchases over a certain amount, though with cell phone financing you can just put the down payment on the card and walk away...
Apple Pay got slammed with various signup scams initially, had to fix that, the issuers and processors have to be quick and responsive. The crooks are clever, and usually quicker..
deleting the extra space after periods so i can stay relevant, yeah.
Regulating re-shipping or breaking re-shipping? I use a mail forwarder because I live in Panama. There are many things I can buy online that are simply not available locally, from my wife's designer shoes for her tiny feet whose size no store ever carries stock, to the latest computer parts for me. They all get shipped to my mail-forwarder in Miami (took all of 15 minutes to set up an account), and it all gets re-shipped to me. Takes about a week to clear customs, etc, and it's expensive as hell since we're talking air freight, 10-50% duty on CIF depending on what I buy, and inflated handling fees. But in my income bracket it's not such a big deal because the alternative is not having it at all - it's cheaper than flying to the US and staying in a hotel and bringing stuff back myself (something I used to do long before re-shipping was invented).
The point I am making is that re-shipping has valid, legitimate uses and it creates jobs. Customs Panama is happy they get revenue on stuff I buy. The airline is happy. The freight forwarding company is happy. And the store is happy. However sometimes existing regulations and policies make it difficult. Sometimes an online store won't take my credit card because it's not emitted by a US bank. All foreigners must be money launderers, right? Sometimes my mail forwarder is in someone's database and they simply refuse to ship (Apple is famous for this. OMG heaven forbid I buy a super secret tech iPod made in China and ship it to my mail forwarder, no, I must wait 10 months for them to decide to sell it outside the US and pay an extra $400 mark-up to the local retailer for the privilege of having it in his store for a day or two). Screaming for regulation is only going to make it even more difficult for legitimate people like me to get legitimate goods delivered to far away places.
What you need to do is to go after credit card fraud. THAT is the problem, but banks don't want to talk about it. It's easier for them just to pay some losses as a cost of doing business and only go after the really big fraudsters. And often these fraudsters are getting the credit card info DIRECTLY from the databases of the banks themselves, either by hacking the software or hacking the people (ahh those corruptible humans). Fix the problem at its source, don't try to make it harder for people to practice international shopping.
Seven puppies were harmed during the making of this post.
Article says "carded consumer goods from America to Eastern Europe — primarily Russia".
I don't think that Putin would like Russia to be seen as part of Europe. Look at the fuss that he made when Ukraine was getting too close to Europe.
And third, each transaction has a unique code generated by the card itself for each transaction, so replay attacks are not possible
Well, almost. If correctly implemented. Unfortunately, the security depends on an 'unpredictable number', which in a lot of devices is a simple incrementing counter, so if you can do one transaction with your real card and intercept the signals (you can buy off-the-shelf things that look like a credit card and contain a couple of extra chips for this) then you can predict it for the next transaction and bypass much of the security. Oh, and the fact that the bank authenticates the card but the card doesn't authenticate the bank also makes some MITM attacks possible. Much more secure than a mag stripe, but still quite flawed. I found it particularly entertaining that the USA waited until a load of the flaws were published before deciding to adopt the system.
I am TheRaven on Soylent News
Foreigners taking all the good American jobs. We used to dominate the Organized Crime sector of the economy, but now the real crime innovations aren't coming from the New York regional crime labs of the old days (AKA "Sicilian Valley").
We've lost our edge.
Pretending this is my office full of bitter coworkers..