another example of the Credit Card industry's deceptive advertising targeting children
Another Hoax story from NYT
Card sharps after your bank details
June 29, 2005
Cyber-savvy gangs are after your banking details, costing business more than $50 billion a year and shaking the world's financial system. Tom Zeller reports.
"Want drive fast cars?" asks an advertisement, in broken English, atop the website iaaca.com. "Want live in premium hotels? Want own beautiful girls? It's possible with dumps from Zo0mer." A "dump", in the blunt vernacular of a flourishing online black market, is a credit card number. And what Zo0mer is peddling is stolen account information - name, billing address, phone - for gold Visa cards and MasterCards, at $US100 apiece.
It is not clear whether data stolen from CardSystems Solutions, the payment processor reported in recent weeks to have exposed 40 million credit card accounts to possible theft, has entered this black market. But police and security experts say it is a safe bet the data will eventually be peddled at sites such as iaaca.com - its name shorthand for International Association for the Advancement of Criminal Activity.
Despite years of security improvements and tougher, more co-ordinated policing, the information that criminals siphon - credit card and bank account numbers, and raw consumer information - is boldly hawked on the internet. The data is used for online purchases, producing counterfeit cards, or in elaborate identity theft schemes.
The online trade in credit card and bank account numbers, and other consumer information, is highly structured. There are buyers and sellers, intermediaries and service industries. The players come from all over the world, but most of the websites on which they meet are run from computer servers in former Soviet countries, making them difficult to police.
Traders quickly earn titles, ratings and reputations for the quality of their goods. That quality also determines prices. A wealth of institutional knowledge and shared wisdom is doled out to newcomers to the market - such as how to move payments and the best time to crack an account.
The US's Federal Trade Commission estimates that about 10 million Americans have their personal information pilfered and misused every year, costing consumers $US5 billion ($6.47 billion) and businesses $US48 billion.
"There's so much to this," says Jim Melnick, a former Russian affairs analyst for the Defence Intelligence Agency who is now the director of threat development at iDefense, a company that tracks cyber crime. "The story that needs to be told is the larger, long-term threat to the … financial industry. It's a cancer. It's not going to kill you now, but slowly, over time."
No one knows how many cards and account numbers make it to the internet auction block, but investigators describe the market as huge. Every day, at sites such as iaaca.com and carderportal.org, pseudonymous vendors do business in an arcane slurry of acronyms.
"Cobs", or changes of billings, are a hot commodity. Typically, a peddler of cobs is offering fresh bank or credit card accounts, along with the ability to change the billing address through a pilfered PIN. In other cases, a vendor selling cobs is offering to change billing addresses as a service. Sometimes the address is changed to a safe "drop", which might be an empty flat or some other scouted delivery point.
Lengthy tutorials posted at online "carding" forums indicate that the cob art form is highly developed. A criminal will wait until the day a victim receives a billing statement. "That way you have a full 30 days" before the victim is likely to look at his account again, explained one tutorial collected by the FBI.
A user called "mindtrip" had cobs for sale recently. "I'm selling cobs from at this time only banks Discover and American Express t'ill further notice," he wrote in brusque English. "The cobs come with full info including MMN [mother's maiden name]." Discover Card cobs with any balance were on special: $US50. American Express, a more exclusive and potentially more lucrative account, commanded $US85.
Alongside advertisements for cobs are pitches from malicious-code writers, who sell their services to the con artists, known as phishers, who contract with spammers to send out millions of increasingly sophisticated phoney emails designed to lure victims into revealing account information.
A successful phishing operation might bring in thousands of fresh account numbers, along with other identifying details: names, addresses, phone numbers, passwords, PINs, and mothers' maiden names. The richer the detail (and the higher the account balance), the better the asking price.
A user nicknamed Sirota is peddling account information so detailed, and so formatted, that it clearly came from a credit report. He is asking $US200 per dump on accounts with balances above $US10,000, with a minimum order of five if the buyer wants accounts associated with a particular bank.
Every day brings more. "These things have a short shelf life," says Dan Larkin, from the FBI's Internet Crime Complaint Centre. "The criminal value of a compromised credit card is very short-term, so there's a constant need to keep backfilling their resources."
Those buying fresh batches of account numbers may try to make purchases online, having goods delivered to a drop and then fencing them through online auctions.
More sophisticated thieves will seek vendors of encoding devices, and others who sell "plastic" (blank credit cards) and "algos" (algorithms needed to properly encode the magnetic strip and produce a usable card). And "cash-out" services can be arranged with those offering to take the encoded plastic to a cash machine and make withdrawals until the account is depleted. The cash-out risk commands a premium - often 50 per cent or more of the total balance.
Traders build reputations by earning the right to advertise, and then augment their status by receiving published kudos from other members. No one is permitted to post product or service offers at most of these websites without first having their wares vetted by site administrators, or by those selected as trusted "reviewers".
At iaaca.com, for example, those who want to sell cobs or cob services "will be required to provide 10 change of addresses, to be distributed to two reviewers", who "will test this service by either phone or internet". New vendors of credit card numbers "will be required to furnish 20 valid dumps (five classics, five business, five platinums, five corporate; 50 per cent Visa, 50 per cent MasterCard)", say the administrators. "The testers will determine the quality, in a percentage of valid numbers."
Once the wares are vetted, a vendor might then pay a fee to peddle them on a site's message boards. Banner ads can also be purchased.
Contacts among deal makers almost always move off the boards and onto ICQ, the instant-messaging program of choice among cyberthieves because of its easy anonymity (no names, no registration, no email required). Payments often change hands in relative anonymity (and with little regulation) by e-gold, an electronic currency that purports to be backed by gold bullion and issued by e-gold Ltd, a company incorporated in the Caribbean.
Transactions might also be made in WMZs, electronic monetary units equivalent to American dollars and issued by WebMoney Transfer, a company based in Moscow.
Mark Rasch, the former head of cyber investigations for the US Justice Department and now the senior vice-president of Solutionary, a computer security company, says the numbers taken in the CardSystems breach - at least 200,000 are said to have been in stolen files - will probably end up in one of these trading posts.
CardSystems represented a vital hub through which millions of account numbers passed. ChoicePoint, a data aggregator, was another goldmine. It announced in February that thousands of records had been downloaded from its databases by thieves posing as legitimate clients (no hacking required).
"It used to be you'd get a few numbers from a few merchants and aggregate them yourself - a few numbers from a lot of people," Rasch says. "But at some point they said, 'Wait a minute, there are other people who aggregate this stuff.' "
And, he points out, it is nearly impossible to stop. For all the information that police and security experts can glean from sites such as iaaca.com, "there are whole marketplaces of bulletin-board systems and chats that are invisible".
Still, law enforcement has made inroads. In October, the US Justice Department and the Secret Service announced the internationally co-ordinated arrest of 28 people in eight US states and several countries, including Sweden, Britain, Poland, Belarus and Bulgaria. The Justice Department says that among them are the ringleaders of Shadowcrew.com, the largest English-language web bazaar, trading in everything from stolen credit card, debit card and bank account numbers to counterfeit drivers' licences, passports and social security cards.
The investigation, called Operation Firewall, broke up a 4000-member underground that, according to the Justice Department, bought and sold nearly 2 million credit-card numbers in two years and caused more than $US4 million in losses to merchants, banks and individuals.
But eight months later, the traders have adapted and resumed business. They are a bit more skittish, says John Watters, the chief executive of iDefense. Operation Firewall did take out some of the "low-hanging fruit", but that has caused the pricing models to become more refined, and the characters in this black-market economy to become more sophisticated.
He says there is also a small but growing market for the type of raw consumer information that has been pilfered from ChoicePoint, LexisNexis and other general-data aggregators.
"We've observed people paying for identities," Watters says, describing web forms where criminals can tick off the fields they have to sell or want to buy: address, date of birth, social security number, driver's licence number, mother's maiden name.
And as the traders slip deeper underground - or onto servers in regions with lax laws, overburdened or uninterested law enforcement, and no real working relationship with American authorities - the odds of pulling off another Operation Firewall get worse. "It's getting harder for us to do our job," he says.
Asked at a symposium on cyber crime recently if law enforcement was losing the battle against cyber criminals, Brian Nagel, assistant director for investigations at the Secret Service, said no, according to published reports.
But another panel member, Jody Westby, the managing director of security and privacy practice at PricewaterhouseCoopers, disagreed, insisting that based on US Federal Trade Commission statistics on identity and credit card theft, only about 5 per cent of cyber criminals are caught.
Westby later offered an assessment no less bleak. "We're not making an impact. The criminals are too hard to track and trace, too hard to prosecute, and the information they steal is too easy to use."
At one Russian-language site, a user called Lexus celebrates the CardSystems breach, saying that "judgement day has come for the bourgeoisie". Another, Zer0, suggests on the site that the hacked numbers might represent new opportunities in the underground. "It is a good occasion for us," Zer0 says. "Happy hunting."
The New York Times