How 'carders' trade your stolen personal info
An executive whose company monitors the criminal underground tells how a person's "full" set of personal data can be sold via shady online forums for a mere $20.
Debit cards and PINs are hot subjects on the criminal underground forums these days, Tom Rusin said on a recent visit to CNET. Rusin is president of North American operations at Affinion Group, a company that monitors the criminal underground for several thousand banking institutions by lurking in carder chat rooms.
"Carders" are the people who buy, sell, and trade online the credit card data stolen from phishing sites or from large data breaches at retail stores. Affinion is one of the largest identity protection companies in the world, with offices in more than a dozen countries. Over the years, it has provided a wealth of information to the U.S. Secret Service and the FBI. A few weeks ago, Affinion identified .Mac users who found themselves victims of a phishing scam.
While scrolling through posts in an online underground criminal forum on his laptop, Rosin explained that since "every American keeps some money in their savings account," unlike when stealing credit cards, debit cards grant thieves immediate access to cash. Next in demand are usernames and passwords because "most people use the same password on the sites they visit."
Carders once used to peddle their wares on forums as "novs" for novelties, as though they were only providing fake accounts or fake personal details for fun. What Rusin showed me on his laptop were bold, even boastful, claims. For example, today they're not just selling card information online.
Threaded among the expected offers in the forum were those for proxy servers and bullet-proof servers (i.e. servers that are unlikely to ever be shut down, located in parts of the world where the law often doesn't reach). These are used in conjunction with phishing kits (packages that help you create your own fake Bank of America page), which are also for sale.
Getting to this level of access hasn't been easy, Rusin said. Carders are tremendously paranoid. Often, just to gain access to the forums, you have to demonstrate your chops by providing up to five active credit card account numbers. It's the equivalent of gang or mafia initiation.
Rusin says Affinion has been establishing its carder credentials since 1998 or so. The company maintains several credit cards, accounts that they use to test their own software as well as that of others in spotting customer's data among the carder forums. For example, they once fed an Affinion credit card account to a carder, then watched at the bank's end of things.
There is a predictable pattern. Often, the purchasing individual will first run a $1 transaction through to a charity--say, the American Red Cross. Once that transaction is authenticated, a flood of illegal purchases cascade in until the card account is shut down.
That's an example of what's known in the business as an "account takeover," the most common use of personal information, in which thieves start using your active account without your knowledge. The effect is immediate, and the losses can be large.
The next most common use, according to Rusin, is new-account creation. This is a slower process, and it often involves establishing utility accounts. Here, the goal is to actually become someone else so that if it ever gets to court, a jury would have a tough time determining the difference between your transactions and another's.
New-account creation requires that a carder have a Social Security number, birth date, and mother's maiden name, at least. Rusin explained that a "full" profile will contain a name, address, SSN, date of birth, and driver's license number. Scrolling through the forum, he fingered one of the entries on the screen and said, "this guy's selling U.S. fulls for $20."
Rusin says that once a criminal has your Social Security number, it's possible to find the rest of that personal information from various sources via Google. "Typically, they're garnished from phishes but also from hacks. It's everything I need to become you. So your identity in the underground is worth about 20 bucks."
Terrorists, not just organized criminals, are interested in stealing and using your credit card history. That's one of the surprising trends identified by Rusin and documented in a Department of Justice white paper (PDF) that cites the increasing involvement of terrorist networks, starting as far back as the 2002 bombing in Bali.
In 2007, FaceTime Communications' Chris Boyd and Wayne Porter gave a standing room-only talk at the RSA Conference in San Francisco on a botnet they'd traced back to the Q8 Army sites.
Unfortunately, personal information is going to flow, admits Rusin. He cites high-profile data breaches such as the ones affecting ChoicePoint and the parent company of TJ Maxx.
Rusin, whose company also sells ID protection services, likens the process of ID monitoring to having a smoke detector: "You should have a smoke detector in your house." So the goal isn't necessarily to stop ID fraud, but rather to manage it.
In addition to having antivirus software and a firewall to protect our digital information on our desktops, it looks as if we now need ID protection for our real-world information as well.
You can hear more of my interview with Tom Rusin in this week's Security Bites podcast.