杏吧原创

How much is your identity worth?

Personal and financial details change hands for just pennies in the online underworld. Delve into the murky depths of cybercrime in our special report
Credit card details change hands for just pennies in the online underworld
Credit card details change hands for just pennies in the online underworld
(Image: Photolibrary.com/Getty )

HOW curious. Early this year my bank sent me a replacement credit card. I hadn鈥檛 asked for one, and the bank did not elaborate except to refer vaguely to 鈥渟ecurity鈥 issues.

I still don鈥檛 know why my card was replaced, but I have a hunch: a massive electronic heist at a New Jersey-based company called Heartland Payment Systems. Heartland acts as a middleman between retailers and credit card companies, and processes about 100 million transactions every month. At some point in March 2008, a group of hackers is believed to have broken through the firm鈥檚 cyber-defences. They installed software that, for about four months, secretly relayed credit and debit card details to an external computer. It is likely that tens of millions of cards were hacked.

Like many other people, I initially missed the news about Heartland 鈥 perhaps because it was announced on the day of Barack Obama鈥檚 inauguration. But my belated discovery made me wonder what would have happened to my credit card details if they had been stolen. So I called internet security company , based in Burr Ridge, Illinois. A few weeks later, cybercrime experts Steve Santorelli and Levi Gundert introduced me to a sprawling criminal underworld so large and pervasive that no one can control it.

This underworld is surprisingly easy to access. It consists of a network of online chatrooms and web forums where stolen information is openly traded, along with off-the-shelf software tools needed to pull off just about every kind of online scam going. 鈥淭his is an economy that is worth billions of dollars,鈥 says Dean Turner of the security company Symantec in Calgary, Canada. 鈥淚t鈥檚 highly organised. Everything that criminals need is available for sale.鈥

It was not always like this. In the early days, criminal hacking required advanced technical skills. But organised crime has moved in and the black market has become a service economy where anybody can buy a career in cybercrime.

As soon as Santorelli and Gundert log me onto a chatroom, messages start to appear.

&#60cinch&#62: I got fresh hacked UK cvv2鈥檚

My guides explain. This means that a criminal by the name of 鈥渃inch鈥* is selling stolen British credit card details. 鈥淐VV2鈥 means he or she has the full credit card numbers, expiry dates, billing addresses and the three-digit security codes on the back of the cards 鈥 all the details you need to make a purchase at most online retailers. These will cost you anything from about 50 cents to $12 depending on the card鈥檚 credit limit, where it comes from and how many you want to buy.

Gundert says that cinch or an associate probably obtained these details by hacking an online retailer or an intermediary like Heartland. Web retailers routinely employ tough electronic protection, but hackers are frighteningly adept at finding and exploiting holes in their defences. Once hackers are in, they can scoop up credit card details and start selling them. The retailer may never know its defences have been breached.

Symantec estimates that almost a third of all adverts in the underground economy are for credit card information of some type, (see diagram). While I鈥檝e been talking to Santorelli and Gundert, a new, more sinister message has appeared:

&#60loopz&#62: Uk US Dump Track 1 Track 2

Loopz is selling 鈥渄umps鈥 鈥 CVV2s plus all the information encoded in the card鈥檚 magnetic stripe, known as Track 1, or that stored in the chip that is built into many European cards, which is called Track 2.

Illicit goods

Dumps are more valuable. Access to these details allows criminals to print 鈥渃loned鈥 credit cards and shop almost anywhere. The card-printing equipment costs $20,000 to $30,000, but is available legally. If that investment is too great, traders can email the details to criminal specialist printers who will run off cards and return them by mail for just a few dollars per card.

I send a message to loopz asking about price and availability. Minutes later I get a reply: he has 10 dumps and wants $15 for each.

That seems ridiculously cheap for details that could potentially be 鈥渃ashed out鈥 for thousands of dollars. A few months back, loopz might have been asking several times that. But supply and demand shape this market, just like any other, and recently prices have slumped. It is impossible to say why, though the economic slowdown is probably not the cause: credit card fraud, says Turner, is a recession-proof business. Santorelli鈥檚 guess is that the market has been flooded with information stolen from Heartland.

As in any transaction, however, let the buyer beware. Anyone who took loopz up on the offer would probably have come away empty-handed. Santorelli says that 9 out of 10 traders in the chatroom are 鈥渞ippers鈥 鈥 con artists who take the money and run. To combat this, many chatroom operators impose a ratings system not unlike the ones you find on eBay or Amazon. Most of the 340 people in the room are, like loopz, unrated, but a few have coloured dots next to their name which indicate that they have shown some level of trustworthiness in their previous transactions: the colour changes from yellow to blue to green to red as the trader鈥檚 reputation grows. I guess that鈥檚 what they mean by honour among thieves.

鈥淪ome chatrooms rate the traders鈥 trustworthiness. I guess that鈥檚 what they mean by honour among thieves鈥

There are a handful of 鈥渞eputable鈥 traders in the room, including one called netter who has a blue dot next to his name.

&#60netter&#62: Selling USA Fulls Cvv2 Info + SSN MMN DOB 8$ Per 1

This marks netter out as an identity thief. 鈥淔ulls鈥 is jargon for a collection of information that includes credit card details but also more personal details: SSN for social security number, MMN for mother鈥檚 maiden name and DOB for date of birth. Criminals can use these details to apply for credit cards, take out loans or set up bank accounts to launder money.

Retail systems like Heartland鈥檚 do not generally contain personal information, but hackers find it surprisingly easy to dupe people into handing it over. 鈥淣etter is almost certainly getting his information by phishing,鈥 says Gundert. He鈥檚 referring to scams that direct users to websites that look almost identical to those operated by major banks. In reality, the sites are run by criminals, who use them to trick people into giving away the kind of information that netter is selling.

Phishing sounds like a complex operation, and five years ago it was. But like e-commerce in general the black economy has matured. Now a relatively unskilled criminal can buy everything they need to go phishing. I saw several adverts for off-the-shelf phishing kits, and others for hacked access to internet servers, which phishers need to host their fake websites. Still others were hawking scanners 鈥 software that roams the internet looking for holes in servers鈥 defences. I could also have bought hacked email logins, which can be used to squat on the web space that comes free with most internet accounts but which few people use.

Phishing is not the only way to steal logins. Hackers can also covertly install 鈥渒eylogger鈥 software, perhaps by attaching it to an email that appears to come from a friend. Once installed, the keylogger monitors every keystroke a user makes and relays details to a remote computer known as a dropzone.

Last year, Thorsten Holz at the University of Mannheim in Germany . He and colleagues tracked down 240 dropzones and took a peek inside 70 of them. They found usernames and passwords for around 5700 eBay accounts, login details for over 10,000 bank accounts and 5700 credit card numbers. Holz estimates that this information was worth $16 million.

So if just 70 dropzones open the way to such a large sum of money, how much is the entire black economy worth? Since criminals do not file company reports, it is hard to be precise. In , Vern Paxson of the International Computer Science Institute at the University of California, Berkeley, monitored chatroom trading over a seven-month period in 2006. He saw over 13 million messages sent under 100,000 different names. Every day, more than 400 credit card numbers were posted, and hacked access to bank accounts containing millions of dollars offered. Almost 4000 valid social security numbers were posted in total. All in all, Paxson observed trades worth $93 million.

The underground economy is almost certainly much larger than that now. A year-long in 2007 and 2008 identified credit card details, bank accounts and other stolen information worth $276 million on just a small sample of underground chatrooms.

Not surprisingly, individual criminals can make a fortune. For example, the US government is currently trying to take possession of $1,650,000 in cash, a condominium in Miami and a BMW owned by hacker Albert 鈥淐umbaJohnny鈥 Gonzalez, who was along with 10 alleged accomplices from the US, China, Belarus, Ukraine and Estonia.

I found it unsettling to watch people like this doing business in the chatrooms. The fact that the conversation was public didn鈥檛 stop me feeling that I was eavesdropping: it was as if I was overhearing a gang discussing plans for a bank robbery. But there is a crucial difference. In the real world, I could call the police and identify the plotters. Tracking down the people hiding behind usernames like netter and cinch is close to impossible.

The first layer of anonymity is provided by the servers running the chatrooms, which are programmed to mask the identity of traders. I asked the server to supply information on loopz. Here鈥檚 what came back:

&#60 &#62: loopz@xxxxxxx-6C3F616C.adsl-static.isp.belgacom.be

Even to an expert eye, this means little except that the chatroom server is set up to hide the trader鈥檚 identity. The last parts suggest that that loopz may be connected via Belgacom, a Brussels-based internet service provider, but there is no guarantee of that, as there are numerous ways for hackers to obscure the route they use to connect. Some rent time on legitimate servers and send their messages from them rather than their home computers. Others use bots 鈥 illegal software installed covertly on other computers 鈥 to relay messages for them. Either method makes it very difficult for law enforcement officers to identify the location of the sender.

Tracking down the chatroom servers is equally difficult. I ran a standard search, known as a 鈥渨hois query鈥, to establish the internet address of the chatroom. It revealed only that the operators have an appreciation of irony: they had registered the server under the name and address of the New York State Division of Criminal Justice Services.

Law enforcement experts, such as the cyber-security team run by the FBI, have more sophisticated methods for locating chatroom servers, but the trail often leads to countries such as China or Russia, where foreign agencies can find it time-consuming to collaborate with the police. Security experts say better international cooperation is producing results, such as last year鈥檚 arrest of two prominent Turkish hackers. There will always be some governments, however, that will not work with authorities in the west, where most victims of cybercrime live.

With no technological fix, law enforcement has to rely on old-fashioned detective techniques, such as sting operations and the use of informants. The police can also work up the trading chain by catching criminals using stolen credit cards in stores and then tracing the traders who supplied the forged plastic.

All these techniques have played a part in the big police successes of recent years, including the September 2007 arrest of Max 鈥淚ceman鈥 Butler, a trader from San Francisco who is alleged to have run a site known as Cardersmarket and to have personally sold tens of thousands of credit card numbers. A month earlier, a US Secret Service investigation culminated in the arrest of 11 people in what federal officials said was the biggest ever identity-theft and hacking bust.

Victories like that are causes for celebration, and not just for card issuers and retailers. If somebody hacks your credit card, they pick up the bill. But both ultimately pass the cost onto consumers. So in the end, we all pay for the ill-gotten gains of cinch and netter.

The cost would be smaller if we all took steps to defend ourselves (see 鈥淏eat the cybercrooks鈥). But with so much money to be made, the threat is not going to go away. 鈥淭here is never going to be a silver bullet,鈥 says Santorelli. 鈥淲e can make it harder for these criminals, but we鈥檒l never stop them.鈥

* The names of all traders have been changed, and some of the messages edited for clarity

Beat the cybercrooks

Online crime is not going to go away, but there is no reason to be a sitting target. Here鈥檚 how you can stay one step ahead of the fraudsters:

  • Use hard-to-guess passwords, not ones with obvious personal links, such as your birthday or the name of your street. Good passwords include a combination of upper and lower-case letters, numbers and other characters.
  • Change your passwords often.
  • Use an up-to-date browser, operating system and antivirus software. Turn your computer鈥檚 firewall on and, if you are using Windows, set up your computer to automatically download new security patches from Microsoft.
  • Never download email attachments from people you do not know or trust. Avoid attachments that you were not expecting, even if they are from a known source.
Topics: Computer crime