Dr Karl

Great Moments in Science

home :: Karl's Blog :: The dark side of credit card theft

r1525300_22703226
(Source: David Gould/Getty Images)

comments Comments

The dark side of credit card theft

Tuesday 2nd February 2016 3:58 pm

Cybercriminals have set up highly developed businesses in the shady world of the ‘dark net’. Dr Karl explains how they make money from stolen credit cards.

Last time, I talked about how I was one of the million-or-so Australians who have been the victim of credit card fraud.

A credit card thief usually needs technical skills to acquire the credit card details. A stolen credit card is called a “dump”. But to turn dumps into dosh, you need entirely different skills — in fact, you need organised crime.

Cybercriminals have set up highly developed and well-funded organisations — just like a legitimate company. There are many people involved, with different kinds of expertise.

Some write the malware that allows hacking into supposedly secure data banks, while others do the actual hacking. For example, they might bust their way into a big merchant’s point-of-sale network, and steal the data while it’s still being processed — before it gets sent to the bank.

Some will collect and check the validity of the stolen data — after all, the bank might have cancelled the card. Others will post the cards on so-called “dark” websites. That’s where you find the sellers, and the buyers, of the stolen card details, the dumps.

After them come the card counterfeiters, and finally, the end user of the stolen card. Just like a legitimate business, there are several layers of management, and a ready supply of workers. These organisations have the skills and technology resources that rival those of large legit companies.

Now I mentioned “dark” websites Yes, you can buy credit cards, or, dumps in bulk, on the so-called dark web. You get there via Tor (look it up on Wikipedia).

The dark web is a crazy upside-down back-to-front world.

If you want to do business on the regular web, you need to prove that you are honest. But when you go to a site that sells stolen credit cards, you have to prove the opposite — that you are dishonest.

You have to sign in with a username and password. But how would you get these? You would have to convince two people, who already have bought stolen credit cards or dumps, to email the website moderator to vouch for your criminality and say that (honestly) that you are a complete crook.

It’s along the line of getting two references when you apply for a job – but backwards. Here, you need two damning references — that would otherwise land you in jail.

Once you get inside, it’s upsie-down-town again — the background is black, instead of white (nice shady touch).

Just as with the big legit traders such as eBay and Amazon, this illegal site is rated by its customers. They might write that they bought 50 or 5,000 cards, and that they were a good mix of the basic card, with some gold and platinum cards thrown in. So one set of criminals (the card customers) is rating the honesty of another set of criminals (the card sellers).

There’s even a section for FAQs (frequently asked questions):

“Do you ship in bulk? Yes. If I become a repeat customer, will I get a discount? Yes.”

That sort of thing …

Then, you have click on a box that you agree to the terms and conditions — and that really you are a criminal, and that you are neither a journalist nor a law enforcement officer.

One site selling cards had a rule that if you used CAPS LOCK (what they called “shouting” on email), you would be suspended for a week. Yes, you can buy and sell millions of dollars of stolen credit cards (as well as drugs, flamethrowers, and small tactical nuclear devices). No, you cannot use ALL CAPS.

Once you click ‘OK’, you’re inside. And there they are — thousands of credit card numbers with their three-digit security codes. They don’t want to release too many dumps at once — the crims don’t want to drive the price down too far, because they know of the law of supply and demand).

How do you pay for dumps? Well, definitely not with a credit card — after all, it might be stolen. You use a digital currency, such BitCoin, or WebMoney.

Now when notify your bank that fraudulent purchases have been made on your credit card, you normally don’t have to pay for those items or services. The bank, or the merchant, will carry the cost. Sounds like the perfect victimless crime? No.

You see, ultimately, the bank and the merchant pass the cost back to you, the consumer, by way of higher bank fees and higher service prices.

But, no hard feelings, that’s just business …

tags: | | |

This blog first appeared on Dr Karl's Great Moments in Science

comments0 Comments

Comments

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

Follow Karl on Instagram