Businessweek has an article that describes the motivation behind PCI DSS and other security measures from a different perspective: that of the criminals. The article is a long read, but it thoroughly describes the fraud being committed against those who store, process, and transmit CHD. These organized crime groups target processors and merchants with weak security practices and sell the stolen information online. I have pulled some interesting quotes from the article for your convenience:
An affidavit by a special agent with the Federal Bureau of Investigation states that Golubov held the title of “Godfather” for “an international ring of computer hackers and Internet fraudsters that has…trafficked in millions of stolen credit card numbers and financial information.” …
U.S. Postal Inspection Service senior investigator Gregory S. Crabb, says Golubov and others controlled the numbers, names, and security codes attached to credit cards. “Golubov was known as the go-to guy,” says Crabb.
Interestingly, Golubov was released on his own recognizance after two Ukrainian politicians vouched for him. According to Crabb and “chat from the carding community,” Golubov is back in business.
“The picture that emerges is of organized gangs of young, mostly Eastern European hackers who are growing ever more brazen about doing business on the Web. They meet in underground forums with names like DarkMarket.org and theftservices.com to trade tips and data and coordinate scams that span the globe.”
“Cyberscams are the fastest-growing criminal niche. Scores of banks and e-commerce giants, from JPMorgan Chase & Co. (JPM) to walmart.com (WMT), have been hit, sometimes repeatedly, by hackers and online fraud schemes.”
The 2005 FBI Computer Crime Survey estimates losses to be $67 billion a year – 87% of all respondents had a security incident.
“During the battle with US Secret Service, we !@#&! all those [law enforcement] bastards and now are running a brand new, improved and the biggest carder’ forum you ever seen.” The message brags about its array of stolen goods: U.S. and European credit-card data, “active and wealthy” PayPal (EBAY) accounts, and Social Security numbers. Those who “register today” get a “bonus” choice of “one Citybank account with online access with 3K on board” or “25 credit cards with PINs for online carding.”
The snippet above is taken from an e-mail promoting the launch of a new online credit card trading bazaar, vendorsname.ws.
“Among the most pernicious scams to emerge over the past few years are so-called re-shipping rings. Shtirlitz, ‘King of these’, is being investigated by the U.S. Postal Inspection Service in connection with tens of millions of dollars worth of fraud in which Americans are signed up to serve as unwitting collaborators in converting stolen credit-card data into tangible goods that can be sold for cash. Investigators believe that people like Shtirlitz use stolen credit cards to purchase goods they send to Americans whose homes serve as drop-off points. The Americans send the goods overseas before either the credit card owner or the online merchant catches on. Then the goods are fenced on the black market. BusinessWeek found that re-shipping groups take out advertisements in newspapers and spoof ads from online job sites. “We have a promotional job offer for you!!” beckons one e-mail for a “shipping-receiving position” from UHM Cargo that appeared to come from Monster.com (MNST). It states that “starting salary is $70-$80 per processed shipment. Health and Life benefits after 90 days.”
Re-shipping requires merchant accounts, credit cards, or PayPal accounts. These criminals use online sites like CardingWorld.cc, ccpowerforums.com, theftservices.com, scandinaviancarding.com, cardersmarket.com, darkmarket.org, and darkpay.org. Below is a conversation with Shtirlitz:
“Hi, I need eBay logins with mail access, please icq 271-365-234.” A few hours later, Shtirlitz replied: “I know good vendor. ICQ me: 80-911.” Once equipped, someone could log into those eBay accounts and use them to buy goods with the owner’s money, while emptying the money out of their PayPal account.
Another part of the story describes the danger posed by insiders at credit card companies or other services who are given access to sensitive fraud-prevention code. A company in Russia, operated by Smash, provides code that allows its “clients” to access computers while bypassing the security features of McAfee and Symantec products. Could this Symantec hole be the same as the one posted in the news?
“Smash’s Russia-based company, RAT Systems, openly hawks spyware on the Web at http://www.ratsystems.org. E-mails requesting comment were not returned. On its home page, RAT Systems denies any malicious intent: “In general, we’re against destructive payloads and the spreading of viruses. Coding spyware is not a crime.” But the “terms of service” guarantee that its spyware products will be undetectable by the antivirus software made by security companies such as McAfee Inc. (MFE) and Symantec Corp. (SYMC). One product, called the TAN Systems Security Leak, created for attacking German companies, sells for $834. “It’s like [saying]: ‘Yes, I sell guns to someone who sells crack, but I’m not responsible for them,’” says the Postal Service’s Crabb.”
Smash is also a senior member of IAACA and operates sites in countries that protect his activities:
“International Association for the Advancement of Criminal Activity, which they describe as a loose-knit network of hackers, identity thieves, and financial fraudsters. Smash and another sought-after hacker named Zo0mer jointly operate IAACA’s Web site, http://www.theftservices.com, one of the most popular and virulent data trading sites, according to U.S. officials.”
There is much more detail, and a few other side stories I did not quote above, that are very interesting and provide insight into what we are all trying to prevent. At this time, by my napkin math, over 50% of Americans have had their identity stolen in the past few years. Those perpetrating these attacks are talented and smart. Only with equal effort will we secure sensitive data (CHD, ePHI) and maintain confidence in the online market. This story raises the question: how important is it for these online networks to be monitored broadly? Do the NSA or other law enforcement agencies have any other means of capturing these criminals?
More stories…opinions… please post away. A special thanks to afterlife.wordpress.com for a great review of this article, and some other interesting discussions.