[ISN] Credit Card Theft Thrives Online as Global Market

From: InfoSec News (isnat_private)
Date: Tue May 14 2002 - 00:19:12 PDT

  • Next message: InfoSec News: "RE: [ISN] Smith Bill Raises Police Power Concerns"

    May 13, 2002   
    Tens of thousands of stolen credit-card numbers are being offered for
    sale each week on the Internet in a handful of thriving,
    membership-only cyberbazaars, operated largely by residents of the
    former Soviet Union, who have become central players in credit-card
    and identity theft.
    The marketplaces - where credit card prices fluctuate with supply and
    demand in a sort of black stock market - offer a window into a crime
    that costs the financial system $1 billion or more a year. They also
    show how readily personal information is being stolen and traded in
    the computer age.
    But the same Internet technology that has enabled the theft and sale
    of credit cards also provides a veritable transcript of the criminal
    activity, and a real-time peephole into the attitudes, ethic - and
    sometimes honor - among the thieves. The chat forums indicate as well
    that several dozen of the top participants recently have discussed
    gathering at a credit-card reseller's conference in Odessa, Ukraine,
    at the end of this month.
    "It's straight out of Capitalism 101 - it's become a big industry,"  
    said one high-technology executive who surreptitiously monitors the
    Internet card markets, and who noted that the market price of credit
    cards fluctuates daily based on supply  which, he said, is copious.  
    "There appears to be an endless supply of cards out there," he said.
    In recent days, the cost of a single credit card has been between 40
    cents and $5 depending on the level of authenticating information
    provided. But the credit-card numbers typically are offered in bulk,
    costing, for example, $100 for 250 cards, to $1,000 for 5,000 cards,
    with the sellers offering guarantees that the credit-card numbers are
    Security experts say the buyers of the card numbers in these forums
    are all over the world, but often come from the former Soviet Union,
    Eastern Europe and Asia, specifically Malaysia. The buyers use the
    numbers in a variety of frauds, including making purchases over the
    Internet, having them fenced in the West, or even extracting cash
    advances directly from the credit-card accounts.
    Security experts say the people living in the former Soviet Union -
    often in Russia and Ukraine - who are operating the marketplaces are
    typically buying the card numbers from so-called black-hat computer
    hackers. These hackers obtain the card numbers by breaking into
    computer systems of online merchants and getting access to thousands
    of credit-card records at a time.
    "This is highlighting a tremendous lack of security," said Richard
    Power, editorial director of the Computer Security Institute, an
    association of computer security professionals that recently published
    a report with the Federal Bureau of Investigation on computer crime.  
    "In the old days, people robbed stagecoaches and knocked off armored
    trucks. Now they're knocking off servers."
    The ultimate cost of this is hard to estimate, according to financial
    analysts, though they say it is a fraction of the total size of the
    credit-card industry. A recent survey from Celent Communications, a
    market research firm, found that credit-card payment fraud will cost
    online merchants a minimum of $1 billion a year, which is not
    insignificant, though it pales in comparison to the more than $900
    billion that Visa alone processes annually.
    The cost to individual businesses, however, can be dramatic. In
    January 2000, an extortionist based in Russia demanded $100,000 from
    an Internet music retailer, CD Universe, by posting credit-card
    numbers stolen from the company's database to a Web site, which was
    subsequently shut down by the F.B.I. Last year, people close to
    Flooz.com, a bankrupt purveyor of certificates used for online
    purchases, said one reason the company failed was that it had
    unknowingly sold $300,000 of its currency to credit-card thieves in
    Russia and the Philippines.
    Generally speaking, the Celent report found that the fraud rate on the
    Internet is 0.25 percent for Visa and MasterCard transactions,
    significantly higher than the 0.08 percent for Visa and 0.09 percent
    for MasterCard in the offline world. The typical consumer is generally
    protected from these costs, since consumers are not held liable for
    most fraudulent charges, but credit-card interest rates can rise
    because of crime, and consumers may have to deal with the aggravation
    of removing charges they did not make.
    Mr. Power, from the Computer Security Institute, said: "You don't want
    to be an alarmist and say, `The sky is falling, and Visa is going to
    crumble.' But the financial losses involved in this kind of theft are
    underestimated, underreported and underacknowledged," estimating the
    worldwide cost is in the "double-digit billions."
    "There's a lot more hemorrhaging going on than some people believe,"  
    he said.
    The Internet sites of the online marketplaces are mostly known only to
    their participants  though that number can run as high as 2,000
    registered users. The site operators change their online addresses
    frequently to prevent monitoring by law enforcement. In the past,
    credit-card traffickers did business in private chat rooms on the
    Internet Relay Chat, a communication network, and now they also use
    the World Wide Web, where it is easy to start and shut down sites to
    avoid detection.
    But there are security professionals who surreptitiously listen in,
    tracking the supply of card numbers and prices.
    John Shaughnessy, senior vice president for risk management and fraud
    control at Visa USA, said the company was aware of online marketplaces
    and sought to monitor them, when it could find them. He said it
    appeared that many of the buyers and sellers of cards were in Asian
    countries and the former Soviet Union. Some people familiar with the
    trend have also said that stolen credit cards were being purchased by
    people in Saudi Arabia and Dubai, United Arab Emirates.
    Mr. Shaughnessy said Visa had worked closely with the F.B.I. on these
    issues. Officials at the F.B.I. did not return calls for comment.
    Even though the activities of the marketplace can be monitored, this
    does not mean participants can be easily caught, since they do not use
    their real names or give their whereabouts, and they make their
    payments through secure money transfers over the Internet that are not
    easily traced. But the Web sites offer a profile of the typical
    participant and of the way they do business.
    A security expert who monitors several of the bazaars said one of the
    most active was run by a Ukrainian 18 or 19 years old who went by the
    name "Script." The operator lives in Odessa. He is among about nine
    members of a clique, whose members call it "the family," and who are
    considered the most powerful and reliable of the middlemen.
    In a recent transcript, the dealer who operates the forum posted in a
    typical note: "I am selling Visa and MC (American cards)." He added,
    "The minimal deal size is 40$."
    He also listed a higher price if the deal included the card's CVV2
    code, a printed security code that appears on credit cards and is
    supposed to prevent fraud. Merchants are not supposed to record the
    code in their databases, but they sometimes do, which means that
    hackers can get access to this higher level of information. On the
    online forum, the seller noted that 100 cards with the CVV2 code cost
    A discussion then ensued involving his former buyers, attesting to the
    seller's reliability. One buyer wrote, "This guy's always slightly
    more expensive, but his stuff is good." Another wrote: "This guy is
    awesome. He always gave me three times the number of cards I paid
    The endorsements are a somewhat surreal reproduction of the rankings
    given to sellers on legitimate e-commerce sites, like the auction site
    eBay, or to authors by readers on Amazon.com. The feel of the site is
    one of pure capitalism, replete with marketing. The seller who
    operates the site sometimes posts online banner advertisements for his
    The sellers usually ask for payment to be made through online
    accounts, like www.WebMoney.ru, where money can be electronically
    deposited, wired, then transferred to a bank account.
    The discussions on the forum have a definite anti-Western bent,
    particularly anti-American. They are critical of American foreign
    policy. Some of the members of the forum also express anti-Semitic
    There is not much social interaction, but it is not unheard of. The
    participants will brag about using their spoils to take vacations, for
    instance, to Bulgaria or Dubai.
    Recently, there was a discussion that nearly 40 members of the group
    would meet in Odessa on May 31, at the first "World Carders"  
    conference, though the organizers appear to have moved the talk to a
    more private setting.
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Tue May 14 2002 - 03:53:49 PDT