With the fruitless/mindless attacks from the comments, I can see the crowd is still about the same. Lots of low hanging fruit with a few guys getting rich (like most schemes).
It is funny how this business has not changed since 1998. The communication channels changed, but the ideas and market are still the same. My first introduction to this was with the Windows RPC remote exploit vulnerabilities. I set up some honeypots to determine what the botnets were up to (most were manual B/C class scans at that time, the good old days before decentralized command). I ended up following the trail of controllers up to a random EFnet IRC chatroom and finally to a more private area. That's where they sold/traded data from the botnets. This was prior to the 'rent a botnet to DDoS' era.
Back then, credit cards without CVV2s (from Windows IIS Servers exploited with that long string bug leaking out plain text documents) were worth about 50 cents a piece. CVV2 brought it up to around $2-3 for US, $4-6 for UK/CA. Address information was around $15. It seems the market has deflated a lot, the credit cards are probably from targeted companies rather than scripted botnets looking for vulnerable boxes, and the data can just be bought from a website rather than having to get a third party to moderate the exchange.
Once again, the comments reminded me the most of that community. Someone mentioned entering CC info on a CC theft site. There used to be an RTF document exploit where you could execute something or another from them; the dump sellers would infect their dump files (RTF docs) and steal the client's data. These communities are cutthroat.
I wonder why someone would trust "McDumpals" with their payment information to subscribe and purchase items, given that it is a site dedicated to stealing payment information?
(Just kidding, I know it's obviously because they aren't using a broken, insecure payment mechanism for transactions, like our credit card system.)
How does Krebs get into these sites? How many alternative names does he have? Does he spend months gaining people's trust to get into these sites? It amazes me, he does such a great job for the community. Does he take donations? I want to give back for all the stuff I've learned from him.
10% of users on these sites are actual crooks. 40% are wannabe crooks who heard about it on the news and think carding is both easy and will make them millions. The other 50% are people working for security companies, banks, retailers, law enforcement etc. pretending to be crooks so they blend in.
Krebs gets invited in, vouched for, and shown new forums by that last group.
Competition also gives him this info to bring heat to their rivals in the game. One forum used a unique marker that appeared to be a benign msg count number so they could identify Krebs from screenshots he puts on his site and ban his account, but he figured out what the marker was, cropped it out and was back with a new account.
Well if this isn't the most timely post I've ever found. I just had the details from my debit card stolen on Sunday and the attached account completely drained. It's so cool to be reading about how part of this process works.
Sorry to hear that. In the future, I suggest not using your debit card online or anywhere else it could get stolen. As you've seen, you have much less protection than with a credit card.
I even have two completely separate checking accounts, at two different banks. One is only used at ATMs, and the other is only used to pay my CC bill. Neither are ever used online or at any physical merchant.
ATMs aren't safe either. The ATM at my local Chase branch got skimmed and $8,500 taken from my account.
The branch manager showed me photos of the skimmer gear and the police report. It was made to look like part of the ATM housing. She said over 200 customers were ripped off in one weekend.
Even though they knew it was their own machine that was compromised, it still took almost a month and many hours of phone calls and letter-writing to get my money back.
I've taken to never carrying the debit card attached to my primary checking account, the one that I receive paychecks in and pay most bills from. I opened a separate account to carry the debit/ATM card from, and periodically transfer extra money into that. I figure that limits the potential damage and hassle in case the card is ever lost or stolen. Even with that, I never use that card anywhere but the ATM.
I suppose you have to be a bit more careful about these things with how easy the internet makes it to steal cards and sell the info to somebody else who can exploit the stolen card info with less risk.
The primary difference is in the case of fraud on a debit card, you don't have access to the stolen funds until your financial institution issues a provisional credit. (They have a short statutory time frame to do this.)
At most. If you dispute fraudulent charges in time, you're not liable for anything. I've even had my CC bank actively call me to discuss fraudulent charges, and that my card would be replaced by the next day.
This is true. The bank told me that _any_ debit card, if you report fraud within 2 business days, should have zero liability. I have never found a reference for that information.
Someone spent $2,000 at Comcast and Neiman Marcus on my card in one night. I reported it the following day and it was reversed and I was given a new card the same day.
I would love more information from a banker on how the fraud disputes are won. Sometimes the merchant pays, sometimes the bank pays, sometimes it is split in percentages. I know it has to do with how the merchant processed the payment or if a PIN was used for the transaction.
The merchant is always the loser unless the fraud was so high the merchant goes bankrupt (this happens) at which point the payment processor is on the hook.
Thing is, I'm in Turkey, where you can't actually use debit cards for online transactions. It was my Turkish lira account, the only one attached to the card and the one that was running low anyhow, because it was the end of the month and I hadn't bothered exchanging foreign currency for lira recently. There was no way to access the other accounts via the card at an ATM.
A conversation with a banker revealed that the common trick here is for thieves to attach cameras to ATMs to grab details, and then build mimic cards to drain accounts. The bank was pretty cooperative in processing my claim, and said they should have the money back to me in about 45-180 days. So, that's kinda lucky.
I'm going to be extra observant at ATMs from now on though.
Alternatively you can just keep two bank accounts, one for online transactions. You're not liable for overdraft fees or anything if your details were stolen.
What you do gotta look out for is forgetting to add money in, but if you get a bank that is good about not allowing overdrafts to occur you can mitigate overdraft fees.
Anyway, yeah you might be safer with a credit card, but then you have a credit card.
My card was skimmed at a gas station a few months back. What impressed me was the speed with which it was used. The charges started maybe 2 hours after visiting the gas station in Los Angeles. But I live 3 hours North of LA.
How are people capturing the numbers, transferring them, and (I assume) creating fake cards to use in-store so fast?
Install Bluetooth-enabled skimmers. Get runners to drive around and go near hit machines, from where the data is pushed over mobile. Or maybe, the skimmers have an embedded mobile chip that pushes the data as soon as it's skimmed.
It's common to have cameras mounted to record you typing your PIN along with skimming your card. It's good practice to cover the pad with your other hand.
I have never put this card in an ATM. It must have been skimmed from a swipe machine in a restaurant.
I still don't know how they got my PIN. I can't imagine anyone looking at my PIN in a restaurant. It seems like such a hard and non-scalable way to do this kind of thing.
I think that a PIN pad is not that hard to hack. OTOH whenever I read about skimmers getting caught, they seem to use really low tech methods - keen eye, perhaps aided with a mirror or a small camera.
Most of the card dumps discussed in this article come from compromised merchants (retail stores, restaurants, etc.) not ATMs. They are credit card numbers after all, not debit cards.
The criminals don't use the dumps online, they use them in-store. They use a PVC printer to print the bank logo and design on the card, they press the details onto the card and then they UV light the card and add silver foil to the raised letters. That means they have a fully working blank card, they then put the track data onto the card and go spend in the shops. If it's a high priced card, such as Platinum or business, they will make a fake ID to go with it.
That's easier to counter when you will be returning your money from bank, since you physically will be in another place. And of course you should always see your card when paying in restaurant, store etc, so nobody can copy it.
Maybe it is different in the US than in other countries, but every restaurant I have ever been in the waitress has taken the credit card away inside of the check and come back with a receipt to sign.
Even so, just because you can see your card doesn't mean someone cannot copy it. They could even have a modified device that automatically logs all cards while also performing transactions. In such a scenario you would see nothing out of the ordinary.
Even with handheld POS machines, those can still be modified to contain skimming equipment, everything has been done. It's crazy. If everyone went back to cash it would save us all a lot of hassle.
Chip + PIN debit cards are reasonably safe. Credit cards are much less safe, essentially every time you enter your details there is one more party in on the secret.
I try to use my CC online as little as possible and in the real world only when I have the card in view at all times and the PIN verification terminal is under my control while I enter the PIN, and crucially, contains the card (so I won't use it if the terminal is in one spot and the card in another).