The Great Credit Card Bazaar
Bigger, bolder and more brazen than ever -- that appears to be the current state of the Internet's black market for stolen credit card numbers.
Spread out from one country code to another, this international bazaar for fraudsters is a place where you can find everybody from script kiddies to career criminals and terrorist supporters.
And you can buy everything from stolen credit card accounts (in bulk or one-by-one) to Social Security numbers or birth certificates, passports, diplomas, even hacked auction site accounts. They'll even change the billing address of credit card accounts for you, so you can purchase stuff online and have it shipped to a safe location.
But with much of the activity originating from the former Soviet Union and Southeast Asia, law enforcement agencies face a tough time cracking down on the fraud perpetrators. Still, undercover cybercops are trying.
"We have a couple of undercover operations working," said Don Masters, head of a Secret Service high-tech crime unit in Los Angeles. "We jump into these cases. We look at those that are a threat to the nation's banking and financing infrastructure."
The state of the black market
The sale of illegally obtained credit card account numbers -- and the related data that makes them appear to be genuine -- remains a thorn in the side of overworked law enforcement agencies everywhere as well as smaller online merchants who may not have state-of-the-art security.
And the "carders" -- as they call themselves -- actually operate members-only Web sites with names like carderplanet.com, shadowcrew.com (which offers ID supplies from various vendors as well as links to anonymous Web hosting and domain registration offerings) and CounterfeitLibrary.com. WARNING: Clicking on the above links will lead you to the illicit underworld of the Internet. In no way does JupiterMedia these activities.
CounterfeitLibrary.com, which bills itself as "the expert's guide to anonymity," offers, among other things, various forums where more or less open discussions are held regarding the sale of stolen credit card numbers. Ditto for shadowcrew.com.
"We live this every day," said Jeff King, director of product management for risk management products at CyberSource, the electronic payments and risk management company. "We have people on staff constantly monitoring this kind of activity. It definitely keeps you busy."
And what keeps all the authorities and law-abiding folks especially busy is the shifting overseas locations of the perpetrators. King told internetnews.com that the former Soviet Union "clearly is a hot spot. Fraudsters tend to move around. It's a moving target. There are sophisticated users there, and in Singapore and Indonesia, too. Very sophisticated users. Basically those are the kind of guys we worry about. Not script kiddies."
It didn't take too much drilling down at the CounterfeitLibrary site to discover offers of card numbers for sale. No longer limiting their deal-making process to e-mail and furtive IRC conversations, these carders operate a bulletin board for all to see.
Membership was advertised as "only $4 for 1 month," which lets users read articles with headlines such as:
- Social Security Death Index (SSDI) - SSN numbers of dead people
- Types of Fake IDs - Counterfeit, Altered and Forged ID Cards
- Social Security Number Report - Look up the SSN Database
- ID Hopping for Fun and Profit Part 1 - Requested article on Identity theft
- Identity Hopping Part 2 - Requested article on Identity theft the second part
- Anatomy of a Security ID Card - The tricks used by the professionals to prevent counterfeiting
- How to build a fake College ID - a how-to-make article
- Magnetic Strips for ID cards - all you need to make magnetic stripes is just black electrical tape, scissors, and an iron
In the forums, someone with the screen name of Script, who may or may not be one of the people behind the site, appeared to be offering Visa and MasterCard account numbers with a "guaranteed" $4,000 balance, for $140. Card numbers with spendable amounts of $5,000 to $7,000 were going for $200 and payment could be made by Western Union or any of several other Internet payment services.
Billing addresses and phone numbers on some offerings were said to be changeable "to meet your needs."
English did not appear to be the first language of the purported seller. "I am accept E-gold, wire transfer, Western union.." Accordng to some accounts, Script is a Ukrainian teenager, maybe 18 or 19, living in Odessa.
One newbie inquiring about a fake ID in the forums was told that "Novelty is the word we use here -- not fake."
The Secret Service's Masters explained a lot of the fraudsters are located in various parts of the former Soviet Union, where of course the U.S. law enforcement agency has no jurisdiction. But authorities aren't helpless.
"We have agents that liaison with local police departments in other countries. Some of these countries have neither the equipment nor the training to handle these kinds of cases," Masters said.
He added that hundreds of kids are involved, but there are also serious career criminals out there, as well as terrorist supporters.
Criminals have been known to put up bogus Web sites to get users to voluntarily input credit card information. But just how else is the stolen information obtained? For that and more, see Page 2.How is the stolen data obtained? In a variety of ways, the experts say, including the time-honored tradition of dumpster diving. Then there's the restaurant waiter who sells your credit card number after swiping it through a handheld terminal. That's called card skimming, and a waiter or waitress can get $10 to $25 per number.
There is also, of course, the old standby frontal assault, an attack by hackers on shopping card data bases at merchant sites. King at CyberSource said the targets are usually smaller, less sophisticated e-commerce sites.
"In the old days, people robbed stagecoaches and knocked off armored trucks. Now they're knocking off servers," Richard Power, editorial director of the Computer Security Institute, an association of computer security professionals, told the New York Times recently.
And on occasion, fraudsters have been known to put up a completely phony Web site and entice people to leave their card numbers and other personal information. King said that at one time there was a spoof site called www.ru.fbi.com where people were enticed to enter personal information in order to get their FBI file. And yes, some people did.
King said there are a number of ways to use stolen credit card numbers quickly, launching an intense attack over a short period of time. The majority of fraudsters use the numbers to acquire merchandise and have it shipped to controlled addresses, he said, adding that in some cases they will pay people in a particular neighborhood to receive merchandise and then drop it off somewhere, then move on to another neighborhood.
Big business in bogus auction accounts
Hijacked eBay accounts also can be found listed for sale on the carder sites. Once a fraudster has control of an account, especially one with lots of positive feedback, he or she can list various items for sale, collect the payments and, of course, abscond with the money. And there's little the legitimate account owner can do about it.
eBay spokesman Kevin Pursglove said that "from what we've seen so far, there have been a relatively small number of users having their accounts taken over."
He added that eBay has imposed a number of measures to counteract account theft, including a new page that offers advice and instructions for password selection. He said account hijacking efforts became more pronounced early this year, and eBay began to beef up its countermeasures.
It's hard to say just how much is lost to fraud worldwide, but MasterCard contends that such activity is down.
"The overall fraud levels MasterCard witnessed in 2001 remain at historically low levels compared with the peak in levels in the early 1990s," said Vincent Deluca, vice president for security and risk at MasterCard International.
He said MasterCard "routinely interfaces with law enforcement agencies and government organizations throughout the world" to deal with criminals and help facilitate investigations and prosecution of hackers and fraudsters.
MasterCard "doesn't comment on specific incidents of fraud," a spokeswoman said. However, in a backgrounder document on the subject, MasterCard says that:
"The payments industry faces increased security challenges as payment card counterfeiters and other criminals employ more sophisticated techniques and technologies to defraud financial institutions and their customers." The document goes on to discuss some of the various security measures MasterCard has initiated, including its Universal Cardholder Authentication Field (UCAF) program and its Secure Payment Application (SPA) technology.
"I'm sure there are laws being broken, but they are really difficult to enforce," said King at CyberSource. "These are multinational or kids, and the FBI and Secret Service are pretty busy right now. The real priority is terrorism."
An FBI spokesman told internetnews.com that the agency is indeed aware of the problem.
For law enforcement and regulatory agencies, IFCC offers a central repository for complaints related to Internet fraud. It works to quantify fraud patterns and provides statistical data of current fraud trends.
The IFCC annual report on fraud for last year says that Internet auction fraud was by far the most reported offense, making up 42.8 percent of referred complaints.
The FBI, of course, won't comment on ongoing investigations.
The Federal Trade Commission enters Internet, telemarketing, identity theft and other fraud-related complaints into Consumer Sentinel, a secure, online database available to hundreds of civil and criminal law enforcement agencies in the United States and abroad.
The U.S. government's central Web site for information about identity theft is maintained by the FTC.
And even though most of the financial risk is assumed by the merchants and chargebacks are a cost of doing business these days, it's clear that consumers remain concerned, as witness the rush of people to the Cardcops anti-fraud site last June when they offered to check credit card numbers to see if they had been compromised.
The Secret Service, meanwhile, is setting up electronic crime task forces in Miami, Boston, New York, Chicago and in Texas. Masters said the LA office has about 14 agents working, and "the FBI and LAPD are coming over to be a part of it."
"There's no doubt about a highly sophisticated underground market," said King at CyberSource. "They are constantly collecting and selling credt card information via many different sites."
Indeed. Just last week the Associated Press reported that Spitfire Ventures, a startup whose novelty items include a talking toilet paper holder, received 140,000 credit card submissions in 90 minutes in a scam aimed at harvesting authorization codes, thus verifying the validity of those account numbers and opening the door for more widespread theft.
All the affected account numbers have been deactivated and investigations have been opened by federal authorities, according to John Rante, president of Online Data Corp., a Chicago-based credit card processor that authorized the bogus transactions.