Protect Your Assets by Neal B. Custer: The credit-card scam business

NEAL B. CUSTER, president of Reveal Digital Forensics & Security, a subsidiary of Custer Agency Inc. Adjunct professor at Boise State University. June 18, 2013


A website that describes how to steal using “instore carding.”

Shopping has never been as fast or as efficient as it is today. In a store, simply scan your products through the self checkout machine, swipe your credit card, type in your PIN and walk out with your new purchase. Online shopping is equally simple - all a person needs to do is enter a bit of personal information, type out a credit card number and card security code, and click the "buy" button. The slowest part in the whole transaction is waiting for the item to arrive.

The speed and relative anonymity of credit card transactions, especially over the Internet, make them a prime target for thieves. Information security experts have focused on educating consumers about identity theft for over a decade, but some Internet users still perceive it as a boogeyman.

This attitude is understandable; after all, many people know that stealing credit card information is a common goal for cybercriminals, but few actually know how the information is used once it gets into the hands of the bad guy. By learning more about what the criminals actually do with the stolen info, consumers can get a better idea of how to protect themselves.

This type of fraud, called "carding" by the individuals actively engaged in it, is widespread and organized. Carding is a two-stage process. First, the actual credit card information is stolen by hackers, called "vendors" in the carding community. The vendors then sell that information online to the actual users of the cards (appropriately called "carders") through underground forums or chat rooms. The rates can vary depending on the type of card, the authorized credit limit, and the victim's personal location, but on average the data for a single stolen card sells for around $3 to $5. This might seem absurdly low considering the potential credit limit on these cards, but the vendors are more interested in a low-risk, stable reward. They often sell their stolen credit card information - called "dumpz" when referring to raw magnetic card data and "fullz" when referring to account number, expiration date and security code - in bulk, making them a decent profit with little risk of getting caught for actually exploiting the cards themselves.

The key difference is that physical "dumpz" can only be used to make phony physical cards, while Internet-based "fullz" can only be used to make fraudulent purchases online. The buyers of stolen credit card information - the actual "carders" in the scheme - face the highest risk of being caught but also the potential for high reward.

So how do the vendors get their "dumpz" and "fullz"?

There are two distinct forms of credit card theft: physical and Internet-based. Physical carding involves the vendor installing a device called a "skimmer" at a compromised point-of-sale terminal or ATM. The skimmer copies the actual magnetic data stored on a credit card, and sometimes the PIN in the case of a debit card. When the user swipes the card, the skimmer stores the data in memory until the vendor retrieves it later or accesses the skimmer over WiFi in the case of the most sophisticated models.

Internet credit card theft, on the other hand, relies on the vendor surreptitiously infecting the victim's computer with a keylogger or other spyware and simply waiting for them to make a purchase online. Everything the victims type into their favorite online retailers gets transmitted back to the vendor, and is stored along with hundreds of other cards from compromised computers.

Once a carder buys a batch of "dumpz" from a vendor, they proceed to rewrite this magnetic strip data onto a blank card with a magnetic strip reader/writer, and place the relevant information onto the blank card with an embossing machine. They create a fake ID with the appropriate name, dress nicely to avoid suspicion, and then take a trip to the local mall. The carders will attempt a small purchase - perhaps a cup of coffee - to test if the fake card works, and if it does, they will proceed to purchase a number of small electronic items, keeping the individual transaction costs down but accumulating a large inventory from many stores. Later, the carder lists the unopened items on eBay or Craigslist at a low price and makes a quick sale. Furthermore, if a purchased dump for a debit card includes the PIN, the carder will likely attempt to make a direct withdrawal from a secluded third-party ATM. In either situation, the carder now has usable cash unlinked to the stolen card, and they will likely use some of their profits to buy more dumpz from vendors, and continue the process indefinitely.

On the other hand, carders who use Internet-based "fullz" can't write the data directly to a fake card, but arguably have a scheme that is just as effective without the risk of showing their face. They begin by registering a phony email in the name of the victim, and proceed to buy online gift cards from large retailers like Amazon for an alias they have created. They will then use the gift cards from a separate IP address to buy easily-resellable products, list them on eBay or Craigslist, and end up with laundered funds.

To both vendors and carders, the profit potential is huge in carding schemes, and consumers need to know that this is a thriving illegal industry. They need to constantly be aware of what websites they use their cards on, where they swipe, and whether their computer is clean. Likewise, businesses owe it to their customers to provide a safe shopping environment, and thus they should monitor their employees and their point-of-sale equipment for suspicious activity.

•••

neal@custeragency.com. Written in collaboration with information-security expert Dylan Evans, Reveal's vice president of operations.
