Who's Selling Credit Cards From Target (krebsonsecurity.com)
238 points by dkasper on Dec 24, 2013 | 83 comments


This is a good illustration of how hard it can be to stay anonymous online.

With that being said, I don't see how Krebs reaches the conclusion that this guy "probably" knows who stole the Target cards or how they were stolen. They were just posted on his crappy carding forum.

It seems a bit disingenuous to me to plaster this person's dox under this headline; yes, he seems pretty scummy and runs several criminal enterprises but there's no actual evidence in the article linking him to the Target fraud beyond someone else using his forum to hawk their stolen goods.


Krebs doxxes people frequently and it seriously undermines any moral argument he may have, since a good deal of his time has been spent complaining about people doxxing him. There's a fine line between exposing crime and opening someone up to vigilante justice. Send the information to the police, but the public has no need for it.


Who has Krebs doxxed before exactly? This is the first time I'm hearing about this.


It's more a lesson in how you can't take a non-anonymous account and turn it anonymous. If a pseudonym has ever linked to sensitive information, you have to abandon it entirely.


I think if you shine a light in the darkness, the darkness will go away (or find another corner).


I was in line and made a short conversation (short so as to not hold up the line) with the cashier at Target. The elderly lady behind me was pretty worried about the credit card theft, and the cashier knew about it too. It's cool at least that news about this stuff is reaching more people.

In my opinion just get a new card, don't wait for suspicious activity. Check it to see if it was already used. Also, given that the 3 letter pins from the back are not included, I'm not sure if it's going to be very easy to make use of this card data. Having said that, still get a new card if you used it at Target recently.


By 3 letter pin, do you mean the CVC code?

Many merchants require the CVC code to protect themselves against fraud/chargebacks and because they can get lower processing fees, but strictly speaking, it's not necessary to make a transaction (IIRC, the only thing you need is the card number and expiration date).

Notably, Amazon does this for their 1-click checkout. Saving CVC codes is against PCI compliance, so in order to provide that low-friction experience, they simply post the saved card information without it.


"the only thing you need is the card number and expiration date"

If the dollar amount charged is low enough you don't even need the expiration date. You just use the current month.

We frequently have to charge expired customer credit cards (expired by years in many cases) and as long as the dollar amount is low enough (off the top +- $40 [1]) and the card number hasn't been changed the charge will go through. Very convenient instead of having to contact the customer to get a new credit card expiration date. Also helps because that way you don't give the customer a chance to rethink what they are paying for and whether they need it or not.

[1] May be higher but I'm not certain if it's $60 or $100 so I will go with an amount that I know works.


Who are you using as a payment processor? Are you sure they're not running the Account Updater service against your cards on file and automatically updating expired ones for you?


I'm sure. And it's PayPal. No cards are on file. These are literally credit cards that are stored in file folders (quite an air gap, huh?) and they are typed in MANUALLY in the PayPal interface. Nothing is stored with the processor for repeat transactions. This has been going on since the mid 90's and while using other processors as well as even (in another business) at a credit card processing machine where the cards were keyed into that. CVV is not relevant either.


Got it. Thanks for the clarification.


I saw that on Google Play, I did not update the CC when it expired but I was able to buy apps.


The magnetic track data was compromised, which means once the data trickles back through the black market crooks can write the cards back out and use them as card-present. Definitely harder than sitting around ordering things online, but there's no reason to need the CSC to use the data they stole.


Several years ago I received an email offering to sell me 100k stolen credit cards, and it included a sample of 12k cards. They had card number, issuing bank, customer name, expiration date, customer address, and I think phone number. I don't remember if they had the CSC or not.

Some of these were from banks that would let you try to login given a card number and password, and told you on failure if you got the card number wrong or the password wrong, so I was able to do a check using that on some of the cards and found they were legit card numbers for accounts at those banks.

This was on a Friday late afternoon Pacific time.

I called the FBI to see if they were interested. They were not, and suggested that the Secret Service might be more appropriate. The Secret Service was also not interested. I then tried the credit card associations, and most of them told me that this would be an issue for their security department and suggested that I call back Monday morning as the security department had gone home for the weekend. One did give me the email I could forward the mail to.

I had thought someone would be interested in this, at least enough to want to look at the card numbers I had to determine if they came from a known breach or were from something new.


Is this due to the CC processors' fraud detection? They just figure it's the cost of business and most of the time, the merchant ends up footing the bill, right?

Is it possible the CC companies are worried that if the government steps in, it reduces their role in anti-fraud and helps their competitors?


A lot of value of stolen credit cards comes from the reluctance of businesses and law enforcement to go after the users of such stolen cards, as the transactions are "small" - sub-1000$.

Last year, I had four fraudulent transactions appear on my card. I am a very cautious user - Linux on the desktop, separate user and browser profile for e-shopping etc. This was the first time it happened in over 15 years of extensive online card-use.

Two of the transactions were with Netflix to register new streaming accounts. I called up Netflix, and within a couple minutes had a block placed on my card and both the accounts deleted with refunds to my card.

The other two transactions were on frys.com. One was for a laptop and the other, much higher value, for a smartphone. Shockingly enough, while one transaction got security flagged and did not go thru, the laptop one cleared and the laptop had been shipped out before I contacted frys. Frys rep told me on the phone that the information submitted was very clearly and obviously phony - the email address was a string of random letters @gmail.com, name etc everything was fake. Even with the credit card info, the only piece of correct info was the credit card number. No CVV was submitted, no correct billing address, not even the name on the card was correct. Heck, as my credit card is NOT US based, even the country of the card was not correct. Yet Frys shipped it.

I tried to get more information about the fraud but frys refused: they told me point blank that they will not give me information, they will not initiate a police case, and they will not refund my money even though they were clearly at fault for having the transaction go thru.

I, not being based in the US, had few options. I filed an online police report with San Jose police, where Frys is based. I also filed an online report with the FBI online fraud division. Both of them assumed I was filing these reports for insurance/reporting purposes, but told me outright that no investigation would take place.

Later, when my bank provided me with more info about the fraud I found out that frys actually challenged my chargeback and provided the transactions details to my bank. As expected they had no case, but I found out from the details that the laptop had been shipped to an address in Abilene, TX. I immediately registered an online report with the Abilene PD as well.

None of the authorities were interested in following up. Considering how trivial it would have been to at least check up on the address, this seems like a bad lapse.

I believe it creates a moral hazard: In the end, frys was the one that was out a few hundred dollars, and they refuse to prosecute. Police does not act on my complaint. Once it becomes known that a company has such lax policies, it's open season.
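
An added illustration, not part of the thread and not any merchant's actual system: a minimal pre-shipment check over the signals the comment above lists (no CVV, wrong billing address, wrong name, wrong card country, random-looking email address). Field names, weights and thresholds are assumptions, and the sample orders are constructed.

```python
from dataclasses import dataclass

VOWELS = set("aeiouy")
REVIEW_AT = 50    # assumed threshold: hold the order for manual review
DECLINE_AT = 80   # assumed threshold: do not ship


@dataclass
class Order:
    """Constructed order record; every field name here is hypothetical."""
    email: str
    cvv_result: str     # "match" | "no_match" | "not_provided"
    avs_result: str     # billing address check: "match" | "partial" | "no_match"
    name_matches: bool  # cardholder name vs. name on the order
    card_country: str   # issuing country of the card
    ship_country: str
    ip_country: str


def longest_consonant_run(text: str) -> int:
    """Length of the longest run of consecutive consonant letters."""
    best = run = 0
    for ch in text.lower():
        if ch.isalpha() and ch not in VOWELS:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def email_looks_random(email: str) -> bool:
    """Crude heuristic for a 'string of random letters' mailbox name."""
    local = email.split("@", 1)[0]
    return len(local) >= 8 and longest_consonant_run(local) >= 5


def assess(order: Order):
    """Return (decision, score, reasons) for one order."""
    hits = []
    if order.cvv_result == "not_provided":
        hits.append((30, "no CVV submitted"))
    elif order.cvv_result == "no_match":
        hits.append((40, "CVV mismatch"))
    if order.avs_result == "no_match":
        hits.append((30, "billing address mismatch"))
    elif order.avs_result == "partial":
        hits.append((10, "partial billing address match"))
    if not order.name_matches:
        hits.append((15, "cardholder name mismatch"))
    if order.card_country != order.ship_country:
        hits.append((20, "card country differs from shipping country"))
    if order.ip_country != order.card_country:
        hits.append((15, "IP country differs from card country"))
    if email_looks_random(order.email):
        hits.append((10, "random-looking email address"))

    score = sum(points for points, _ in hits)
    if score >= DECLINE_AT:
        decision = "decline"
    elif score >= REVIEW_AT:
        decision = "review"
    else:
        decision = "accept"
    return decision, score, [reason for _, reason in hits]


# Constructed samples. The first mirrors the order described in the comment:
# only the card number was right. "DE" stands in for the unnamed home country.
SUSPECT = Order("qzxkvbtrw@gmail.com", "not_provided", "no_match", False,
                card_country="DE", ship_country="US", ip_country="US")
ROUTINE = Order("jane.doe@example.com", "match", "match", True,
                card_country="US", ship_country="US", ip_country="US")
TRAVELLER = Order("jane.doe@example.com", "match", "match", True,
                  card_country="US", ship_country="US", ip_country="FR")
GIFT_ABROAD = Order("bob1984@example.com", "match", "no_match", True,
                    card_country="US", ship_country="CA", ip_country="US")

if __name__ == "__main__":
    for name, order in [("suspect", SUSPECT), ("routine", ROUTINE),
                        ("traveller", TRAVELLER), ("gift abroad", GIFT_ABROAD)]:
        decision, score, reasons = assess(order)
        print(f"{name:12} {decision:8} score={score:3} {reasons}")
```

A single weak signal, such as a cardholder ordering while abroad, stays below the review threshold; the order from the comment trips every rule at once.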


> ...frys actually challenged my chargeback...

Side note: if you have a fraudulent transaction on your credit card, don't call your credit card company and "dispute" a charge or ask for a "chargeback". Instead, call them and tell them you had a fraudulent transaction.

I had a clearly fraudulent charge on my Amex a few years ago (a Wal-Mart gift card was shipped to somewhere in Central California). I called Amex and asked to dispute the charge. Wal-Mart then provided Amex with the tracking info showing the package was signed for, and so they said that they had rendered the services paid for, and the case was closed in the merchant's favor.

It turns out that "fraud" is the magic word, not "dispute". I called Amex back and got into the fraud process instead, which of course fixed the issue.


Sorry, you are right, of course. Here, I used "chargeback" as a shortcut for saying I asked the bank to not pay out. My bank's dispute form - a simple 1-pager - essentially leaves very little room for confusion in the nature of the dispute in any event. They have some 10-odd descriptions and one is supposed to pick the right, or closest one. I picked "I did not authorize nor was involved in this transaction".

In my country the "terminology" of credit card use isn't as evolved as it is in the US - we don't actually have well defined terms like "chargeback", "dispute" etc.


> Sorry, you are right, of course. Here, I used "chargeback" as a shortcut for saying I asked the bank to not pay out.

Which is what a chargeback is. In many cases if you let them know it was a case of identity theft, a different process is used and you are more likely to get your money back.


Amex is also in general more likely to side with a merchant than Visa/Mastercard, who pretty much never do.


What is this statement based on? I've been both a merchant and consumer, and haven't found this to be true at all.


Experience as a merchant. If we give Amex reasonable evidence that merchandise was received and a chargeback is unwarranted, there is a chance they will find in our favor, whereas Visa/Mastercard take the consumer's side almost unconditionally.

I suspect this is because Amex is better staffed in this area.


A company I worked with had a dispute with a client over charges (fee for services + restocking fee) on her Amex. Amex allowed the client to keep disputing the charge multiple times. If the charge re-appears on her bill she'd file a new dispute.

Amex also directly provision merchant accounts for accepting Amex (separate to normal Visa/MC accounts) so they control both sides of the transaction.


OK, Interesting, I haven't had the same experience, having won a few Visa chargeback attempts from customers that received merchandise as ordered. My experience is primarily B2B though, where there are credit card authorization and tax exempt forms involved. So, it's not like the customer can claim they can't recall ordering something, etc.


Based on what everyone else says, it's probably sample size. The number of people we have who buy something with their own card and then chargeback is pretty small for us (and it's usually in error).


> Experience as a merchant.

This is reasoning by anecdote; your experiences are not a valid sample size with which to draw such general conclusions about the whole field. Look how many are saying the opposite is true, your experience is probably an outlier, not the norm.


What evidence do you provide? We've never once seen Amex side with us on a chargeback despite reams of evidence.


I think you have that backwards. Amex is the most consumer-friendly CC there is. Many retailers won't accept Amex for this reason.


Many retailers don't take Amex because they charge higher fees, not because they are consumer friendly (which they are).

In my experience, Amex is more likely to respond to a merchant presenting evidence that a chargeback is unwarranted. Visa/Mastercard essentially just say "tough luck," except in the case that a consumer has charged back by mistake.


I work at a bank and have extensive experience with this. Visa and Mastercard protect merchants while American Express protects consumers. Neither are absolute of course but these are the biases that each one has.


I find that the opposite is true. AMEX will advocate for the consumer, more so than VISA/MC (though that really depends on the financial institution).


So ten years ago I was fresh out of high school. Not a lot of money and I had accidentally left my debit card at a fast food joint. Fraud services called me later that day to inform me of various odd charges, none of which were mine.

Enraged, I asked for the places and date/time stamps of transactions. I tracked the person's footsteps, some business owners allowed me to see security camera footage.

There she was, in her fast food uniform (the place I had ordered from earlier that day) in 3 different businesses at the exact same time of the debit card time stamps.

I took this information directly to the police, where I was dismissed, saying that my bank would do the investigation and not to worry about it. I went ahead and spoke with the manager of the fast food joint as well. Moral of the story, the police don't do shit.


Try driving 40 mph in a 30 mph zone and see how quickly you are pulled over. It can't be in any area though; it needs to be in a mostly white middle to upper class area.

My theory is that police know that people pulled over in those areas are likely to be the responsible type who would pay for a ticket. And the person who stole and used your credit card is likely the type who would not pay tickets or fines but would end up having to spend time in jail. So, they target those who will pay tickets (a source of revenue) and ignore cases like yours that would result in no revenue.


As a business accepting credit card payments, we attempted to be good citizens at first. We would try to notify the credit card company or the banks when an obviously fraudulent transaction came in and that kind of thing. We even tried calling the police at one point with IP logs and so on.

Nobody gave a shit.

We asked our credit card processor, Stripe, what to do about fraudulent transactions. They told us that they had no way of notifying a bank about that kind of thing and to just refund it.

So now our policy is just to refund fraud and forget about it. It's a position we were forced in to. This means that the person whose credit card was stolen will continue to be abused and there really isn't anything we can do about it.


It seems that everyone has plenty of reason to be irritated with credit card technology except the thieves. Hopefully there will be sufficient incentive to replace credit cards with something more secure in the next 5-10 years.


Same experience (Stripe), also had an increase in orders the days after the Target thing came out.

All very obviously fraudulent, for example user in Indonesia but cards from the US.


"Last year, I had four fraudulent transactions appear on my card. I am a very cautious user - Linux on the desktop, separate user and browser profile for e-shopping etc. This was the first time it happened in over 15 years of extensive online card-use."

As a merchant who frequently gets bogus credit card orders over the net I will confirm that nobody seems to particularly care about being notified that we feel it's highly probable that a credit card has been stolen. In other words there isn't a system in place even where a merchant who notices they have a stolen card being used can say "hey you should freeze this card or at least look into it".


It probably differs from issuer to issuer. In my experience Amex is very on top of it and they have always flagged every transaction I have not made myself, immediately sending push notification and SMS where I can ack/nak an automated transaction prompt. If I nak it they freeze the card and overnight a new one. I suppose they don't really care about handling it manually because that would be prohibitively expensive and they prefer to act on the patterns in an automated way. Would be interesting to see aggregate stats by card issuer of how good they are at detecting it.


Amex really is awesome about this. I was traveling not long ago and called them so they could put a travel flag on. I got to an automated response that their systems were smart enough to know if I was traveling and I no longer needed to call prior.

IME, Amex is much better at flagging than the Mastercard I have.


This is only the tip of the iceberg. I would say the bigger issue and the lower hanging fruit is that we don't use Chip+Pin or Chip+Signature here in the US. Using either tech will go much further than just having police departments investigate after the fact.


That doesn't really help for online transactions. I'm not aware of any 2-factor authentication being used for online credit card transactions anywhere.


Actually, I more often than not have to verify my online purchases. I have to use my bank's online banking card reader with my card and pin code.

It is not the case for all transactions but for most Swedish online transactions this has been the case for the past few years.

It is called something along the lines of 3-D secure/Verified by Visa


I've seen those:

- additional verification code sent by SMS (France), see http://en.wikipedia.org/wiki/3-D_Secure

- bank provided card reader used with the card and pin code (Belgium)


Most online card transactions in the UK use a system called Verified by Visa (or its MasterCard equivalent), which shows you a phrase you previously specified (to prove it is legitimate) then asks you to enter 3 characters of your password.


That is true, I was referring solely to Target where it was physical transactions. There are other solutions that can be implemented for card not present transactions.


> Two of the transactions were with Netflix to register new streaming accounts.

I had Netflix and one day noticed I was billed twice on my credit card for Netflix service, one was OK but the other just appeared on my bill.

I used the online chat to talk to a Netflix rep who seemed unimpressed and not the least bit concerned (no frowny emoticon). I asked how a new charge I didn't authorize could appear on my credit card, she had no idea and just kept repeating the company line their system is unable to credit me, so I said but somehow it can magically take double the money? Nice.

Anyway, no apology, no concern so no Netflix.


In these situations, where it's pretty black and white, writing or emailing a senior executive, such as the EVP of Customer Relations (contact info on company website) typically will get the result you want.


>> I filed an online police report with San Jose police, where Frys is based.

You can forget about police doing anything to catch the criminals. The only good you get out of contacting police of such ID theft cases is that you can use the resulting paperwork to file claim with credit card company. Forget about police doing anything to actually go out to look for the criminals.

IMO, US police departments are firmly stuck in the mode of 'only-criminal-we-go-after-is-someone-with-a-gun-or-drug'.

It's been a while so the sequence of events is a bit fuzzy but basically I was a victim of ID theft a few years ago. A few checking/credit accounts opened using my name. 2 iPhones purchased using my name (not approved by me of course) at an official phone company store (meaning they were captured on security camera in the store). On Credit Report I pulled immediately after I learned what was happening, I saw my actual addresses and the criminals' addresses on the report. Interestingly the criminals were living in a 'dump' 1 year earlier but had since moved into a rental in a brand new condo complex. I mean a brand new, nice condo complex, also in San Jose area. I found out through Google Street View.

Now I had leads on their addresses and VIDEO FOOTAGE (in possession of the phone store in San Jose) of them existed. I was excited as I was headed to police station to file report. Well, what a disappointment. It seemed no one seemed interested in seeing the video footage. They just took my report (took me about 1+ hours in there). I got a generic confirmation letter from my police dept weeks later. I heard nothing from the police in San Jose. Weeks (or months later ?) I got a call from a US Postal Inspection Service investigator. He gave me names of 2 suspects and asked again if I knew them. I did not and am pretty sure they were the criminals. Thus the crime was being investigated by US Postal Inspection Service. So a potentially slam dunk case was being pushed around between 2 local police departments and a Federal agency. And the result was I was actually interviewed on the phone weeks/months after the crimes had occurred.

These pulps committed a crime that potentially cost someone else a few thousand bucks (cost of phone and fee and late fee), not to mention hours I had to spend to clean up the mess. But because the victim and criminals are in separate/distant jurisdictions, the police essentially did not do much on their own. They simply pushed the case off to a federal agency.

Had someone in my police department called San Jose police department to go look at the video footage at a phone store and visit a local address up there, they could've caught the guys in a matter of hours or days.

Interestingly, months later I got a letter from the landlord of the condo rental the criminals had rented. The landlord was demanding unpaid rent. The pulps had rented the complex using my name and when the fraudulent accounts were cut off and their money dried up, they fled without paying rent. The landlord's collector of course searched for my name and found the real 'me'.

The US police seems helpless with these crimes that cross multiple jurisdictions.


Anecdotal counterpoint: when a waiter started skimming cards in a town I used to live in, the county sheriff actually did track them down and arrest them. Charges were filed but I don't remember what happened after that.

Of course, they also tracked down someone who stole a pair of sunglasses out of my car so my experience is likely atypical.


This might be a midwest thing but the police departments around me (Milwaukee, WI suburbs) will chase down something as insignificant as a kid using their friend's parent's credit card to buy a hundred dollars of Xbox points online.


Yep I had a very similar experience


How on earth are the sellers "cashing out" and how are they taking payments?

Why can't the money be followed?

If the NSA is such a powerhouse with billions of dollars of assets to track every electronic communication, why aren't they focusing their entire resources on people like the sellers?

Or is it like the TSA where they just hassle the completely innocent people at the airport for show while the real criminals take other paths.


The NSA does not investigate crimes. It is part of the U.S. national intelligence apparatus, so it focuses on targets and topics of interest to military and diplomatic leaders.

The FBI would be investigating this, and they are probably actively following these transactions right now. But since they are a criminal investigation agency, they will be focused mostly on carefully collecting evidence, so that it can be used in trials to obtain convictions.

So: this exposes a gap in how the U.S. federal government approaches the Internet. The NSA is willing to react in real time to threats, but they don't care about crimes like carding. The FBI cares, but they seek to collect evidence, not react in real time.

The result is that when it comes to real-time reaction to cybercrime, companies are largely on their own. I'm sure Target is spending a good bit of money on cybercrime and cybersecurity consulting firms right now.


How are they "cashing out"? Once upon a time eastern European hackers used to run IRC chats under a .CC domain. They would post a bunch of CC numbers with their info and random forum members would grab and test/empty the cards. If the responsibility for cashing out is distributed, likely the culprits can stay hidden in the crowd of purchasers. However a kid in Eastern Europe did get arrested at a shipping port because he was waiting on a Ferrari he ordered with stolen credit cards.


> If the NSA is such a powerhouse with billions of dollars of assets to track every electronic communication, why aren't they focusing their entire resources on people like the sellers?

Because they didn't invest that kind of money to find the logs in a haystack that are eastern bloc cyber criminals. They are looking for a needle in a haystack dammit. A needle. (and possibly if some of their wives are cheating on them).


"Is your wife cheating on you? Well you have the opportunity to figure out by joining the NSA today!"


They know who the people are, but if the perpetrators' home governments don't want to give them up (article refers to Ukraine) there isn't a lot that can be done. Do we know that they aren't cooperating? No, but you can just look at the forums in question without an invitation so it's not like it would be hard if they wanted to.


It pains me to say this, but most of the time the hackers will ask for payment in bitcoin which makes tracking much harder.


You mean the bitcoin that maintains a public record of every transaction ever made on the network? There are still ways to anonymously cash out (payments to an anonymous account that forwards the funds to a mixing service, for example), but bitcoin is not a silver bullet for getting away with it.


Is it just me or is anyone else surprised that the first screenshot contains a (working) .su URL?

.su was the TLD of the Soviet Union.


Russia still controls the .su tld and allows registering new domains under it.


So, granted the perpetrator can easily be considered to be a scumbag, but is doxxing him really the best way to address this situation? What if this guy ends up lynched by a vindictive mob? What if this information is wrong?


If he gets lynched, then it becomes news, and generates more pageviews. It's good for business. /s


This is a fascinating bit of research. Has anyone posted yet information on how the actual card info was stolen? I read somewhere that the point of sale units were infected, but with no evidence to back that claim up.


Not the details of how it was done - but Bob Cringely has an interesting bit of conjecture on how the attack might have been introduced. It is a bit controversial because it hypothesizes that it was a lack of proper change control processes and possible outsourcing.

http://www.cringely.com/2013/12/20/thoughts-grinch-stole-tar...


That article is pretty worthless. First, he says "clearly the terminals had access to the Internet", and that if they used a private network, it'd not have been a problem. That's just wrong. Let's assume the POS terminals connected via IPSec over a frame relay linkup to several datacenters. A compromise in the processing center could cause an issue. Or, you could attack the POSes and have them record data to some internal site which you can access from another point in the intranet.

Second, his only actual argument is: "Someone probably made an out of process change to Target’s POS system and nobody noticed."

Sure, maybe. Or maybe someone subverted some other security system first. Who knows. Useless conjecture is just that.

Then he goes on about how the NSA should be fixing these issues. Okie dokie.

This is the same guy that doesn't understand how search engines work, and asked Eric Schmidt to manually fix his sister's website ranking in Google. I wouldn't take him as a useful source.


I (half-)heard on the radio a couple of days ago something about the infection being at (or getting into) a processing center for Target, which was why so much was able to be taken. Sorry I don't have more info, I only caught the tail-end of what they were saying (and I haven't looked it up elsewhere).


Target hasn't said, and Target is the only one who knows the "how". I believe the credit card processors were independently able to determine that Target was hacked by buying some of these card numbers and determining their commonality, and then telling Target.


Unfortunately, I was one of the shoppers at Target. It's fascinating how different issuers are dealing with the problem. It seems that many are waiting to reissue the cards, so the consumer can continue to shop during the busy time.


Of course all this hinges on the admission that he was Hel in the first place .... which seems plausible to the amateur but requires more evidence for courts, I suspect. Though the name-clash of that service and the bribery is intriguing.

As to Target, there had to be a group. Somebody funding, someone inside, and then you've distribution networks for what effectively ends up as money laundering. At least that's the way I imagine it :)


I am fascinated how the black market operates. With law enforcement probing every corner, going undercover, I can't imagine myself getting involved in a blackmarket at all. Well, I guess there is always the risk which says high risk yields high return.


Russia and CIS countries don't care about US fraud so won't allow citizens to be extradited. FBI/Secret Service prob know who they are and will just wait until they go on vacation somewhere and kidnap them like they usually do.


>kidnap them like they usually do

Although that would be impressive, I'm sure you know you are full of shit, but other people don't.


Derp dey derp http://rt.com/news/extradite-russian-national-panin-901/

Also Maksim Yastremsky (sp?) who the SS had Turkey work over for his FDE key because when they broke into his hotel room in Dubai they couldn't extract info. That was from the 2007 big TJ Maxx carding heist.


I'm confused, are you implying it's not okay for these criminals to be brought to justice, in accordance with various international laws, when their parent state acts belligerent and refuses to cooperate? These people hurt others for a living. They deserve punishment.


So does the Pentagon but you never see them punished for blowing up a wedding. US does not act within international law; if they did, CIS/Russia wouldn't be complaining about these kidnappings.


"Kidnap" is a highly unconventional way to spell "arrested by local police and extradited."


If that were the case Russia wouldn't have a problem.


What problem are you referring to?


Maybe this?

> Moscow voiced outrage over the arrest of a Russian national in the Dominican Republic and his swift transfer to a US jail without Russia’s consent or knowledge last month.


Ukraine will extradite on a case-by-case basis http://www.crime-research.org/news/15.05.2004/275/


Not just law enforcement, but the credit card companies themselves have a very high incentive to stop the trafficking of these numbers. They won't get you thrown in jail, but they can render all your hard work useless.


I tend to create temporary e-cards for online purchases outside of subscriptions...



