The Great Credit Card Bazaar

How is the stolen data obtained? In a variety of ways, the experts say, including the time-honored tradition of dumpster diving. Then there’s the restaurant waiter who sells your credit card number after swiping it through a handheld terminal. That’s called card skimming, and a waiter or waitress can get $10 to $25 per number.

There is also, of course, the old standby frontal assault, an attack by hackers on shopping cart databases at merchant sites. King at CyberSource said the targets are usually smaller, less sophisticated e-commerce sites.

“In the old days, people robbed stagecoaches and knocked off armored trucks. Now they’re knocking off servers,” Richard Power, editorial director of the Computer Security Institute, an association of computer security professionals, told the New York Times recently.

And on occasion, fraudsters have been known to put up a completely phony Web site and entice people to leave their card numbers and other personal information. King said that at one time there was a spoof site called www.ru.fbi.com where people were enticed to enter personal information in order to get their FBI file. And yes, some people did.

King said there are a number of ways to use stolen credit card numbers quickly, launching an intense attack over a short period of time. The majority of fraudsters use the numbers to acquire merchandise and have it shipped to controlled addresses, he said, adding that in some cases they will pay people in a particular neighborhood to receive merchandise and then drop it off somewhere, then move on to another neighborhood.

Big business in bogus auction accounts

Hijacked eBay accounts also can be found listed for sale on the carder sites. Once a fraudster has control of an account, especially one with lots of positive feedback, he or she can list various items for sale, collect the payments and, of course, abscond with the money. And there’s little the legitimate account owner can do about it.

eBay spokesman Kevin Pursglove said that “from what we’ve seen so far, there have been a relatively small number of users having their accounts taken over.”

He added that eBay has imposed a number of measures to counteract account theft, including a new page that offers advice and instructions for password selection. He said account hijacking efforts became more pronounced early this year, and eBay began to beef up its countermeasures.

It’s hard to say just how much is lost to fraud worldwide, but MasterCard contends that such activity is down.

“The overall fraud levels MasterCard witnessed in 2001 remain at historically low levels compared with the peak in levels in the early 1990s,” said Vincent Deluca, vice president for security and risk at MasterCard International.

He said MasterCard “routinely interfaces with law enforcement agencies and government organizations throughout the world” to deal with criminals and help facilitate investigations and prosecution of hackers and fraudsters.

MasterCard “doesn’t comment on specific incidents of fraud,” a spokeswoman said. However, in a backgrounder document on the subject, MasterCard says that:

“The payments industry faces increased security challenges as payment card counterfeiters and other criminals employ more sophisticated techniques and technologies to defraud financial institutions and their customers.” The document goes on to discuss some of the various security measures MasterCard has initiated, including its Universal Cardholder Authentication Field (UCAF) program and its Secure Payment Application (SPA) technology.

“I’m sure there are laws being broken, but they are really difficult to enforce,” said King at CyberSource. “These are multinational or kids, and the FBI and Secret Service are pretty busy right now. The real priority is terrorism.”

An FBI spokesman told internetnews.com that the agency is indeed aware of the problem.

The FBI is a partner with the National White Collar Crime Center in the operation of the Internet Fraud Complaint Center (IFCC), which began operation in May of 2000.

For law enforcement and regulatory agencies, IFCC offers a central repository for complaints related to Internet fraud. It works to quantify fraud patterns and provides statistical data of current fraud trends.

The IFCC annual report on fraud for last year says that Internet auction fraud was by far the most reported offense, making up 42.8 percent of referred complaints.

The FBI, of course, won’t comment on ongoing investigations.

The Federal Trade Commission enters Internet, telemarketing, identity theft and other fraud-related complaints into Consumer Sentinel, a secure, online database available to hundreds of civil and criminal law enforcement agencies in the United States and abroad.

The U.S. government’s central Web site for information about identity theft is maintained by the FTC.

And even though most of the financial risk is assumed by the merchants and chargebacks are a cost of doing business these days, it’s clear that consumers remain concerned, as witness the rush of people to the Cardcops anti-fraud site last June when they offered to check credit card numbers to see if they had been compromised.

The Secret Service, meanwhile, is setting up electronic crime task forces in Miami, Boston, New York, Chicago and in Texas. Masters said the LA office has about 14 agents working, and “the FBI and LAPD are coming over to be a part of it.”

“There’s no doubt about a highly sophisticated underground market,” said King at CyberSource. “They are constantly collecting and selling credit card information via many different sites.”

Indeed. Just last week the Associated Press reported that Spitfire Ventures, a startup whose novelty items include a talking toilet paper holder, received 140,000 credit card submissions in 90 minutes in a scam aimed at harvesting authorization codes, thus verifying the validity of those account numbers and opening the door for more widespread theft.

All the affected account numbers have been deactivated and investigations have been opened by federal authorities, according to John Rante, president of Online Data Corp., a Chicago-based credit card processor that authorized the bogus transactions.
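
The burst reported above (140,000 submissions in 90 minutes, roughly 26 per second against a small merchant) is the kind of pattern a processor can catch by comparing each merchant's authorization volume with its own baseline. The Python below is an added example, not code from the article or from any processor; the merchant names, baselines, thresholds and traffic are constructed assumptions.

```python
from collections import deque

def find_auth_bursts(events, baseline_per_min, window_s=60, multiplier=20, floor=100):
    """Flag merchants whose authorization volume far exceeds their own baseline.

    events: time-sorted (epoch_seconds, merchant_id) authorization requests.
    baseline_per_min: merchant_id -> normal requests per minute (assumed known).
    Returns {merchant_id: (first_alert_ts, requests_in_window)}.
    """
    windows, alerts = {}, {}
    for ts, merchant in events:
        q = windows.setdefault(merchant, deque())
        q.append(ts)
        while q[0] <= ts - window_s:      # evict requests older than the window
            q.popleft()
        expected = baseline_per_min.get(merchant, 0) * window_s / 60
        limit = max(floor, multiplier * expected)   # floor covers unknown merchants
        if merchant not in alerts and len(q) > limit:
            alerts[merchant] = (ts, len(q))
    return alerts

def constructed_sample():
    """Constructed traffic: a steady large retailer and a small shop hit by a burst."""
    events = []
    for t in range(0, 180):                       # large retailer: 10 requests/s
        events += [(t, "large-retailer")] * 10
    for t in (0, 30, 60, 90):                     # small shop: normal trickle
        events.append((t, "small-novelty-shop"))
    for t in range(120, 180):                     # burst: ~26/s, i.e. 140,000 / 90 min
        events += [(t, "small-novelty-shop")] * 26
    events.sort(key=lambda e: e[0])               # stable sort keeps per-merchant order
    baseline = {"large-retailer": 600, "small-novelty-shop": 2}
    return events, baseline

if __name__ == "__main__":
    events, baseline = constructed_sample()
    for merchant, (ts, n) in find_auth_bursts(events, baseline).items():
        print(f"{merchant}: {n} authorization requests in 60s at t={ts}")
```

The large retailer's higher absolute volume raises no alert because the limit scales with its baseline, while the small shop trips the floor within four seconds of the burst starting.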