Black Market in Stolen Credit Card Data Thrives on Internet
posted by:Jennifer Manning // 06:54 AM // June 21, 2005 // TechLife
From the New York Times
"Want drive fast cars?" asks an advertisement, in broken English, atop the Web site iaaca.com. "Want live in premium hotels? Want own beautiful girls? It's possible with dumps from Zo0mer." A "dump," in the blunt vernacular of a relentlessly flourishing online black market, is a credit card number. And what Zo0mer is peddling is stolen account information - name, billing address, phone - for Gold Visa cards and MasterCards at $100 apiece.
It is not clear whether any data stolen from CardSystems Solutions, the payment processor reported on Friday to have exposed 40 million credit card accounts to possible theft, has entered this black market. But law enforcement officials and security experts say it is a safe bet that the data will eventually be peddled at sites like iaaca.com - its very name a swaggering shorthand for International Association for the Advancement of Criminal Activity.
For despite years of security improvements and tougher, more coordinated law enforcement efforts, the information that criminals siphon - credit card and bank account numbers, and whole buckets of raw consumer information - is boldly hawked on the Internet. The data's value arises from its ready conversion into online purchases, counterfeit card manufacture, or more elaborate identity-theft schemes.
The online trade in credit card and bank account numbers, as well as other raw consumer information, is highly structured. There are buyers and sellers, intermediaries and even service industries. The players come from all over the world, but most of the Web sites where they meet are run from computer servers in the former Soviet Union, making them difficult to police.
Traders quickly earn titles, ratings and reputations for the quality of the goods they deliver - quality that also determines prices. And a wealth of institutional knowledge and shared wisdom is doled out to newcomers seeking entry into the market, like how to move payments and the best time of month to crack an account.
The Federal Trade Commission estimates that roughly 10 million Americans have their personal information pilfered and misused in some way or another every year, costing consumers $5 billion and businesses $48 billion annually.
"There's so much to this," said Jim Melnick, a former Russian affairs analyst for the Defense Intelligence Agency who is now the director of threat development at iDefense, a company in Reston, Va., that tracks cybercrime. "The story that needs to be told is the larger, long-term threat to the American financial industry. It's a cancer. It's not going to kill you now, but slowly, over time."
No one is willing to estimate how many cards and account numbers actually make it to the Internet auction block, but law enforcement agents consistently describe the market as huge. Every day, at sites like iaaca.com and carderportal.org, pseudonymous vendors do business in an arcane slurry of acronyms.
TrackBack URL for this entry:
I have to add (may be it would be interesting for you):
Guard your card online
Beware of “phishing” e-mails. These are made to look as if they’re coming from your bank or credit card issuer and usually urge you to take “immediate action” so that your card isn’t deactivated. The link in the e-mail takes you to a criminal’s Web site, where you’re encouraged to input your credit card account number and other personal financial details. If you get an e-mail purporting to be from your card issuer, use the toll-free number on your card to call and ask what’s up. If you want to apply for credit card online choose tried credit card resource such as http://creditcardspecialist.com Be cautious shopping with unknown Web sites. A quick trip to an evaluation site like Bizrate.com or the Better Business Bureau online could save you money. Also make sure you have multiple ways to contact the merchant, including a phone number, fax number, street address (not just a post office box) and e-mail address. Make sure the transaction is secure. Don’t enter your card number unless the little padlock is showing on the lower part of your browser, and the Web site address starts with “https” rather than just “http.” Don’t let Web sites “store” your cards. The encryption technology used for transactions -- the information zipping back and forth between your computer and the merchant’s -- may well be better than the security used to protect information stored in the merchant’s databases. Besides, a big database of credit card numbers is a juicy target for hackers.
Guard your card offline
This is really basic, but: Don’t forget your card. You might be rushed, or distracted by your kids, or involved in an interesting little chat with the clerk. Whatever. Keep an eye on your card and make sure it goes back in your wallet. I typically leave my wallet on the counter or restaurant table, with my hand on top of it, until the card goes back in. This can be a little awkward sometimes, but it helps remind me not to leave the store without my plastic. The one time I forgot is the time, of course, someone swiped my card. Shield your card. Think how many people these days carry around camera phones -- and think how easy it would be to snap a picture of your card if it were left in plain view. Don’t give your number out to solicitors. This includes telemarketers who contact you by phone to offer you a “great deal” on magazine subscriptions, vacations or any other purchase. Consider carrying fewer cards. Reduce your exposure by limiting the number of cards a thief could potentially steal. Copy what you carry. Every once in a while, empty your wallet onto a copier and zap an image of the front and back of your cards. Keep this info in a secure place (not in your purse or wallet) so you know which issuers to call to report stolen cards.
Posted by: Daniel at December 12, 2006 06:46 AM