May 13, 2002

The New York Times

Credit Card Theft Thrives Online as Global Market

By Matt Richtel

Tens of thousands of stolen credit-card numbers are being offered for sale each week on the Internet in a handful of thriving, membership-only cyberbazaars, operated largely by residents of the former Soviet Union, who have become central players in credit-card and identity theft.

The marketplaces - where credit card prices fluctuate with supply and demand in a sort of black stock market - offer a window into a crime that costs the financial system $1 billion or more a year. They also show how readily personal information is being stolen and traded in the computer age.

But the same Internet technology that has enabled the theft and sale of credit cards also provides a veritable transcript of the criminal activity, and a real-time peephole into the attitudes, ethic - and sometimes honor - among the thieves. The chat forums indicate as well that several dozen of the top participants recently have discussed gathering at a credit-card reseller's conference in Odessa, Ukraine, at the end of this month.

"It's straight out of Capitalism 101 - it's become a big industry," said one high-technology executive who surreptitiously monitors the Internet card markets, and who noted that the market price of credit cards fluctuates daily based on supply - which, he said, is copious. "There appears to be an endless supply of cards out there," he said.

In recent days, the cost of a single credit card has been between 40 cents and $5 depending on the level of authenticating information provided. But the credit-card numbers typically are offered in bulk, costing, for example, $100 for 250 cards, to $1,000 for 5,000 cards, with the sellers offering guarantees that the credit-card numbers are valid.

Security experts say the buyers of the card numbers in these forums are all over the world, but often come from the former Soviet Union, Eastern Europe and Asia, specifically Malaysia. The buyers use the numbers in a variety of frauds, including making purchases over the Internet, having them fenced in the West, or even extracting cash advances directly from the credit-card accounts.

Security experts say the people living in the former Soviet Union - often in Russia and Ukraine - who are operating the marketplaces are typically buying the card numbers from so-called black-hat computer hackers. These hackers obtain the card numbers by breaking into computer systems of online merchants and getting access to thousands of credit-card records at a time.

"This is highlighting a tremendous lack of security," said Richard Power, editorial director of the Computer Security Institute, an association of computer security professionals that recently published a report with the Federal Bureau of Investigation on computer crime. "In the old days, people robbed stagecoaches and knocked off armored trucks. Now they're knocking off servers."

The ultimate cost of this is hard to estimate, according to financial analysts, though they say it is a fraction of the total size of the credit-card industry. A recent survey from Celent Communications, a market research firm, found that credit-card payment fraud will cost online merchants a minimum of $1 billion a year, which is not insignificant, though it pales in comparison to the more than $900 billion that Visa alone processes annually.

The cost to individual businesses, however, can be dramatic. In January 2000, an extortionist based in Russia demanded $100,000 from an Internet music retailer, CD Universe, by posting credit-card numbers stolen from the company's database to a Web site, which was subsequently shut down by the F.B.I. Last year, people close to Flooz.com, a bankrupt purveyor of certificates used for online purchases, said one reason the company failed was that it had unknowingly sold $300,000 of its currency to credit-card thieves in Russia and the Philippines.

Generally speaking, the Celent report found that the fraud rate on the Internet is 0.25 percent for Visa and MasterCard transactions, significantly higher than the 0.08 percent for Visa and 0.09 percent for MasterCard in the offline world. The typical consumer is generally protected from these costs, since consumers are not held liable for most fraudulent charges, but credit-card interest rates can rise because of crime, and consumers may have to deal with the aggravation of removing charges they did not make.

Mr. Power, from the Computer Security Institute, said: "You don't want to be an alarmist and say, `The sky is falling, and Visa is going to crumble.' But the financial losses involved in this kind of theft are underestimated, underreported and underacknowledged," estimating the worldwide cost is in the "double-digit billions."

"There's a lot more hemorrhaging going on than some people believe," he said.

The Internet sites of the online marketplaces are mostly known only to their participants - though that number can run as high as 2,000 registered users. The site operators change their online addresses frequently to prevent monitoring by law enforcement. In the past, credit-card traffickers did business in private chat rooms on the Internet Relay Chat, a communication network, and now they also use the World Wide Web, where it is easy to start and shut down sites to avoid detection.

But there are security professionals who surreptitiously listen in, tracking the supply of card numbers and prices.

John Shaughnessy, senior vice president for risk management and fraud control at Visa USA, said the company was aware of online marketplaces and sought to monitor them, when it could find them. He said it appeared that many of the buyers and sellers of cards were in Asian countries and the former Soviet Union. Some people familiar with the trend have also said that stolen credit cards were being purchased by people in Saudi Arabia and Dubai, United Arab Emirates.

Mr. Shaughnessy said Visa had worked closely with the F.B.I. on these issues. Officials at the F.B.I. did not return calls for comment.

Even though the activities of the marketplace can be monitored, this does not mean participants can be easily caught, since they do not use their real names or give their whereabouts, and they make their payments through secure money transfers over the Internet that are not easily traced. But the Web sites offer a profile of the typical participant and of the way they do business.

A security expert who monitors several of the bazaars said one of the most active was run by a Ukrainian 18 or 19 years old who went by the name "Script." The operator lives in Odessa. He is among about nine members of a clique, whose members call it "the family," and who are considered the most powerful and reliable of the middlemen.

In a recent transcript, the dealer who operates the forum posted in a typical note: "I am selling Visa and MC (American cards)." He added, "The minimal deal size is 40$."

He also listed a higher price if the deal included the card's CVV2 code, a printed security code that appears on credit cards and is supposed to prevent fraud. Merchants are not supposed to record the code in their databases, but they sometimes do, which means that hackers can get access to this higher level of information. On the online forum, the seller noted that 100 cards with the CVV2 code cost $300.

A discussion then ensued involving his former buyers, attesting to the seller's reliability. One buyer wrote, "This guy's always slightly more expensive, but his stuff is good." Another wrote: "This guy is awesome. He always gave me three times the number of cards I paid for."

The endorsements are a somewhat surreal reproduction of the rankings given to sellers on legitimate e-commerce sites, like the auction site eBay, or to authors by readers on Amazon.com. The feel of the site is one of pure capitalism, replete with marketing. The seller who operates the site sometimes posts online banner advertisements for his service.

The sellers usually ask for payment to be made through online accounts, like www.WebMoney.ru, where money can be electronically deposited, wired, then transferred to a bank account.

The discussions on the forum have a definite anti-Western bent, particularly anti-American. They are critical of American foreign policy. Some of the members of the forum also express anti-Semitic views.

There is not much social interaction, but it is not unheard of. The participants will brag about using their spoils to take vacations, for instance, to Bulgaria or Dubai.

Recently, there was a discussion that nearly 40 members of the group would meet in Odessa on May 31, at the first "World Carders" conference, though the organizers appear to have moved the talk to a more private setting.
Privacy Policy | Customer Service | Jobs | FAQs | Feedback | Terms of Use | Contact Us

Copyright © 2000-2002 Verifia™ Inc. All rights reserved. The Verifia name and the Verifia design are trademarks of Verifia Inc., a private company. Any other organizations using the Verifia name and/or design are in violation of trademark laws. All other trademarks are properties of their respective owners.