How to Dupe a Credit Card Hacker

Create an online forum where hackers can freely discuss how to fraudulently obtain, buy and sell credit card information, identify the participants, investigate their actions and take them down. That’s the rough outline of a successful two-year long undercover FBI operation, which has just resulted in the arrests of 24 cybercriminals in 13 countries, the Bureau is telling us. It’s a big success and the FBI deserves a lot of credit for being able to beat the hackers at their own game.

This is the second successful global operation against credit card hackers of which we have learned in as many months and each of them has lasted for two years. Other than the successful conclusion and the time duration, however, the two operations have shared few similarities. In fact, the strategies executed in each one of them have been diametrically opposed to one another. While the first one, as you may recall, involved the patient monitoring and ultimate closure of 36 websites selling stolen credit card information, in the more recently announced operation the authorities themselves had set up such a website to be used as bait. Both strategies were well-implemented and they worked. Now let’s take a closer look at the latter one.

How Criminals Steal Credit Card Information and what They Use It For

The FBI is using the term “carding” to describe what the hackers they took down were involved in. Here is how they define it:

“Carding” refers to various criminal activities associated with stealing personal identification information and financial information belonging to other individuals — including the account information associated with credit cards, bank cards, debit cards, or other access devices — and using that information to obtain money, goods, or services without the victims’ authorization or consent.?á For example, a criminal might gain unauthorized access to (or “hack”) a database maintained on a computer server and steal credit card numbers and other personal information stored in that database.

Once stolen, the data can be used by the criminal to make online purchases or to produce counterfeit cards that can then be used in swiped transactions at brick-and-mortar stores. Alternatively, the information can be sold to other criminals who can then put it to use in the same fashion as described above.

But there is more. Hackers are setting up web forums to help one another:

Carders use carding forums to, among other things: exchange information related to carding, such as information concerning hacking methods or computer-security vulnerabilities that could be used to obtain personal identification information: and to buy and sell goods and services related to carding, for example, stolen credit or debit card account numbers, hardware for creating counterfeit credit or debit cards, or goods bought with compromised credit card or debit card accounts.

Access to such forums is, as one may expect, greatly restricted. A new member can join in if an established member vouches for him or, somewhat surprisingly to me, if he pays for his membership. However, rather than trying to break into such forums, two years ago the FBI had decided to create one. It’s a fascinating story.

How to Dupe a Cybercriminal

Here is the FBI’s own account of what it did:

In June 2010, the FBI established an undercover carding forum, called “Carder Profit” (the “UC Site”), enabling users to discuss various topics related to carding and to communicate offers to buy, sell, and exchange goods and services related to carding, among other things.
…
The UC Site was configured to allow the FBI to monitor and to record the discussion threads posted to the site, as well as private messages sent through the site between registered users. The UC Site also allowed the FBI to record the Internet protocol (“IP”) addresses of users’ computers when they accessed the site.
…
New users registering with the UC Site were required to provide a valid e-mail address as part of the registration process. The e-mail addresses entered by registered members of the site were collected by the FBI.

And it worked. The FBI was indeed able to identify and arrest 24 hackers in 13 countries and you can read detailed accounts of the types of activities these criminals were up to on FBI’s site. The Bureau says that during the operation it had notified 47 companies, government entities, and educational institutions about breaches of their networks, which has prevented losses of more than $205 million.

The Takeaway

So this is a big success and the FBI has every reason to be proud of its achievement. However, we should also keep it in perspective. The FBI says that it had identified “over 411,000 compromised credit and debit cards”. That is great news, but in only one incident earlier this year, the breach of payment processor Global Payments’ systems resulted in the compromise of about 1.5 million card accounts. Moreover, between 2005 and the second quarter of 2010, 2,221 data breaches were made public, according to Richard J. Sullivan, an economist with the Kansas City Fed. Furthermore, the same paper tells us that just in 2006 the total fraud losses on debit and credit card transactions in the U.S. amounted to more than $3.7 billion. So the fight is not over and there is much more work to be done.

Image credit: Wycieczka.pl.