Last Thursday, U.S. federal prosecutors charged five Eastern European men with, among other things, stealing more than 160 million credit card numbers, which resulted in more than $300 million in losses. The scheme, we were told, was the largest ever prosecuted in the United States. Over a period of several years, the criminals managed to hack into the systems of several big retailers, banks and payment processors in the U.S. and elsewhere.
But to me, the most interesting part of the indictment was the one that listed the rates at which the criminals were selling the stolen credit card data. It turns out that U.S. credit cards were by far the cheapest, with Canadian cards selling at a 50 percent premium and European ones being five times as expensive. At first I couldn’t make any sense of it and the reporting wasn’t much help. For example, Reuters told us that European cards were “more expensive because they have computer chips that make them more secure”. But how does that make any difference? We’ve known for a long time that criminals had come up with a low-tech solution to the higher European security issue — they simply take the stolen European cards to the U.S., where an older and less secure technology allows them to process fraudulent transactions much more easily. And that old and less secure technology should also allow them to monetize stolen U.S. cards just as easily. Well, this morning The Washington Post’s Andrea Peterson finally sheds light on the matter. It turns out that the weak link in the system was not the older U.S. credit card technology, but the European payment processing system.
How Credit Card Data Were Stolen and Sold
First let’s take a quick look at how the scheme was operating. It would begin with the criminals hacking into the computer networks of several of the largest payment processing companies, retailers and financial institutions in the world — the targets included NASDAQ, 7-Eleven, JCP, Hannaford, Heartland, JetBlue, Dow Jones, Euronet, Visa Jordan, Global Payment and Diners Singapore — and stealing batches of sensitive personal information. Stolen data included user names and passwords, means of identification, credit and debit card numbers and other cardholder information. The prosecutors’ “conservative” estimate is that the conspirators were thus able to acquire more than 160 million card numbers. For those of you interested in the technical details, the indictment offers specifics on precisely how the hacking was done.
Once they acquired the data — referred to as “dumps” — the criminals sold the dumps through online forums or directly to individuals and organizations. And here is where it gets interesting. The criminals would charge approximately $10 for each stolen American credit card number and associated data, about $50 for each European credit card account and about $15 for each Canadian one. Naturally, discounted pricing was offered to repeat customers and for bulk purchases. To close the cycle, the end users would encode each dump onto the magnetic stripe of a blank plastic card and proceed to use it either for withdrawing money from ATMs or for making purchases at retailers. In all, the victims — credit card companies, banks and consumers — suffered hundreds of millions in losses, including more than $300 million reported by just three of the corporate victims.
Why European Cards Cost More and Are Used in the U.S.
Understandably, many commentators were intrigued by the huge discrepancy between the price tags of North American and European stolen cards, but, as far as I can tell, The Washington Post’s Andrea Peterson is the only one who managed to offer a convincing explanation. Here it is:
Merchants in Europe use chip-and-PIN security measures on credit cards. The chip contains all the same sort of information in the magnetic strips on U.S. cards, and after you swipe it you must also enter a PIN to complete the transaction like you would with a debit card. U.S. merchants aren’t set up for the advanced security features on European cards. So when European cards are used in the United States, they fall back to the old-fashioned magnetic strips used here.
But some European banks and credit card providers have a delay in processing transactions over weekends. So, fraudsters could clone European cards and go on weekend spending sprees, capitalizing on the delay while the transactions make it across the pond and through fraud analytics processing. The result: a wave of credit card fraud by American criminals targeting European victims.
Now, one would think that suffering substantial losses for years on end would have convinced the European payment processors to stop shutting down on weekends, but evidently that is not the case. Furthermore, one would expect the appropriate European authorities to apply some pressure on the processors to mend their ways, but said authorities are instead focused on cutting down interchange fees, which will almost certainly lead to higher bank fees for consumers.
We’ve known for a long time that most of Europe’s credit card fraud is actually committed in the U.S. Back in January of 2012, Douglas King from the Atlanta Fed told us that the British and French experiences offered convincing proof that adoption of the smart-chip EMV technology, which is now the norm in Europe, reduces domestic fraud levels. However, the data also showed that, following a switch to EMV in a given country, criminals shift their attention to non-chip transactions (for example, e-commerce) or move away from countries where EMV has been implemented and focus their efforts on countries that are still reliant on the magnetic stripe technology (i.e. the U.S.). What we did not know was just how much help the criminals were getting from European payment processors. Now, thanks to Peterson, we do.
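The pattern described above (a chip-issued card read by magnetic stripe outside its issuing country, while issuer-side analytics lag over the weekend) can be checked at authorization time instead of after the delay. The sketch below is an added example, not taken from the indictment or from any processor's system; the record fields, the card tokens and the velocity limits are assumptions, and the sample transactions are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAGSTRIPE_MODES = {"02", "90"}  # ISO 8583 POS entry modes for a stripe read

def is_chip_card(service_code):
    # A first service-code digit of 2 or 6 means the card was issued with a chip.
    return service_code[:1] in ("2", "6")

def decide(txns, window=timedelta(hours=24), weekday_limit=3, weekend_limit=1):
    """Return {txn id: "approve" | "hold"} for a batch of authorizations."""
    recent = defaultdict(deque)  # card token -> times of recent foreign stripe reads
    decisions = {}
    for t in sorted(txns, key=lambda t: t["time"]):
        fallback = (is_chip_card(t["service_code"])
                    and t["entry_mode"] in MAGSTRIPE_MODES
                    and t["merchant_country"] != t["issuer_country"])
        if not fallback:
            decisions[t["id"]] = "approve"
            continue
        q = recent[t["card"]]
        while q and t["time"] - q[0] > window:
            q.popleft()  # forget reads that fell out of the sliding window
        q.append(t["time"])
        # Assumed policy: a tighter limit on Saturday and Sunday, when the
        # issuer's own fraud analytics may not see the transaction for days.
        limit = weekend_limit if t["time"].weekday() >= 5 else weekday_limit
        decisions[t["id"]] = "approve" if len(q) <= limit else "hold"
    return decisions

def txn(id_, card, issuer, merchant, service_code, entry_mode, when):
    # Hypothetical record layout used only by this example.
    return {"id": id_, "card": card, "issuer_country": issuer,
            "merchant_country": merchant, "service_code": service_code,
            "entry_mode": entry_mode, "time": datetime.fromisoformat(when)}

# Constructed sample authorizations (not real data).
SAMPLE = [
    txn(1, "tok_A", "FR", "US", "201", "90", "2013-07-27T10:00"),  # Saturday
    txn(2, "tok_A", "FR", "US", "201", "90", "2013-07-27T10:40"),
    txn(3, "tok_A", "FR", "US", "201", "90", "2013-07-27T11:15"),
    txn(4, "tok_B", "US", "US", "101", "90", "2013-07-27T10:05"),  # stripe-only card at home
    txn(5, "tok_C", "GB", "GB", "201", "05", "2013-07-27T12:00"),  # chip read at home
    txn(6, "tok_D", "DE", "US", "201", "90", "2013-07-24T09:00"),  # Wednesday
    txn(7, "tok_D", "DE", "US", "201", "90", "2013-07-24T15:00"),
]

if __name__ == "__main__":
    for txn_id, verdict in decide(SAMPLE).items():
        print(txn_id, verdict)
```

A single foreign swipe is approved so that a travelling cardholder is not blocked; only repeated stripe reads of a chip card inside the window are held.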
Image credit: Flickr / barsen.