Carders, Dumps, and Identity Theft

Albert Gonzalez and his gang of criminal hackers, were responsible for data breaches in retailers and payment processors with some estimates saying they breached over 230 million records combined.

Gonzalez, considered a proficient criminal hacker, provided “Dumps” which is credit card data he stole from the breaches and supported the supply of “Carders”. “Carders” are the people who buy, sell, and trade online the credit card data stolen from phishing sites or from large data breaches at retail stores. Here is a video providing an example of what an online IRC forum looks like where data is bought and sold

Gonzalez who pleaded guilty to his crimes will be serving the next 15 years in jail. The techniques he and his gang used were a combination of fraud schemes that have led to a significant increase in counterfeit fraud.

Some of their tactics may have included:

Wardriving; seeking out wireless networks to crack, then installing spyware

Phishing; spoofed emails prompting the user to enter account information

Phexting or smishing; spoofed text messages prompting the user to enter account information

Key logging; using hardware or software to spy on the users PCs

ATM skimming; affixing hardware to the face of ATMs and gas pumps skimming card data

Another more advanced technique they used was called a “SQL injection”. SQL is abbreviation of Structured Query Language.  Pronounced ”Ess Que El” or ”Sequel” depending on who you ask.

According to Wikipedia, a “SQL injection is a code injection technique that exploits a security vulnerability occurring in the database layer of an application.”

In other words, a SQL injection is a virus or bug that effects an application that is not properly coded or secured. There are many different configurations of various software used to build and run a website. An example would be the common Wordpress blog platform that many use and that has been found to be vulnerable. This is just one of hundreds of applications that can be hacked in this way.

IBM Internet Security Systems discovered 50% more web pages infected in the last quarter of 2008 than in the entire year of 2007.

In 2005, a now defunct 3rd party payment processor called CardSystems suffered a SQL injection, compromising a reported 40 million credit cards.

While Gonzalez has gone down, Carders are still very active. The Register reports Carder forum drops offline after hack attack. A Pakistan-based carder site has dropped off the net, after white hat hackers broke into the forum and posted details of the hack on a full disclosure mailing list.

Pakbugs.com provided a forum for ne’er do wells to discuss hacking tactics and trade malware, bank logins details and stolen credit card credentials. However this activity was interrupted after login details for the forum and email addresses were posted online following a break-in by the good guys. The white hats published a list of the Carders usernames and email addresses here.

There are:

• 213 million card holders; 1.2 billion cards in US
• 1.5 billion payment cards are in circulation
• 656 breaches reported data breaches in 2008
• 47% more fraud in 2008 than 2007
• 22 $billion fraud losses in 2008
• Cloned Cards are up by 22%

There doesn’t seem to be a shortage of opportunity for Carders to keep up at their current pace. When a Carder hacks your credit card info that’s called “account takeover”. When they open up a new credit card account that is “new account fraud” or “application fraud”.

1. Protecting yourself from account takeover is relatively easy. Simply pay attention to your statements every month and refute unauthorized charges immediately. I check my charges online once every two weeks. If I’m traveling extensively, especially out of the country, I let the credit card company know ahead of time, so they won’t shut down my card while I’m on the road.

2. Protecting yourself from new account fraud requires more effort. You can attempt to protect your own identity, by getting yourself a credit freeze, or setting up your own fraud alerts. There are pros and cons to each.

3. Invest in Identity Protection and Prevention. Because when all else fails you’ll have someone watching your back.

Robert Siciliano Identity Theft Speaker discussing credit card and debit card fraud on CNBC