How much is your identity worth?

HOW curious. Early this year my bank sent me a replacement credit card. I hadn't asked for one, and the bank did not elaborate except to refer vaguely to "security" issues. [via newscientist]

I still don't know why my card was replaced, but I have a hunch: a massive electronic heist at a New Jersey-based company called Heartland Payment Systems. Heartland acts as a middleman between retailers and credit card companies, and processes about 100 million transactions every month. At some point in March 2008, a group of hackers is believed to have broken through the firm's cyber-defences. They installed software that, for about four months, secretly relayed credit and debit card details to an external computer. It is likely that tens of millions of cards were hacked.

Like many other people, I initially missed the news about Heartland - perhaps because it was announced on the day of Barack Obama's inauguration. But my belated discovery made me wonder what would have happened to my credit card details if they had been stolen. So I called internet security company Team Cymru, based in Burr Ridge, Illinois. A few weeks later, cybercrime experts Steve Santorelli and Levi Gundert introduced me to a sprawling criminal underworld so large and pervasive that no one can control it.

This underworld is surprisingly easy to access. It consists of a network of online chatrooms and web forums where stolen information is openly traded, along with off-the-shelf software tools needed to pull off just about every kind of online scam going. "This is an economy that is worth billions of dollars," says Dean Turner of the security company Symantec in Calgary, Canada. "It's highly organised. Everything that criminals need is available for sale."

It was not always like this. In the early days, criminal hacking required advanced technical skills. But organised crime has moved in and the black market has become a service economy where anybody can buy a career in cybercrime.

As soon as Santorelli and Gundert log me onto a chatroom, messages start to appear.

: I got fresh hacked UK cvv2's

My guides explain. This means that a criminal by the name of "cinch"* is selling stolen British credit card details. "CVV2" means he or she has the full credit card numbers, expiry dates, billing addresses and the three-digit security codes on the back of the cards - all the details you need to make a purchase at most online retailers. These will cost you anything from about 50 cents to $12 depending on the card's credit limit, where it comes from and how many you want to buy.

Gundert says that cinch or an associate probably obtained these details by hacking an online retailer or an intermediary like Heartland. Web retailers routinely employ tough electronic protection, but hackers are frighteningly adept at finding and exploiting holes in their defences. Once hackers are in, they can scoop up credit card details and start selling them. The retailer may never know its defences have been breached.

Symantec estimates that almost a third of all adverts in the underground economy are for credit card information of some type, (see diagram). While I've been talking to Santorelli and Gundert, a new, more sinister message has appeared:

: Uk US Dump Track 1 Track 2

Loopz is selling "dumps" - CVV2s plus all the information encoded in the card's magnetic stripe, known as Track 1, or that stored in the chip that is built into many European cards, which is called Track 2.

Dumps are more valuable. Access to these details allows criminals to print "cloned" credit cards and shop almost anywhere. The card-printing equipment costs $20,000 to $30,000, but is available legally. If that investment is too great, traders can email the details to criminal specialist printers who will run off cards and return them by mail for just a few dollars per card.

I send a message to loopz asking about price and availability. Minutes later I get a reply: he has 10 dumps and wants $15 for each.

That seems ridiculously cheap for details that could potentially be "cashed out" for thousands of dollars. A few months back, loopz might have been asking several times that. But supply and demand shape this market, just like any other, and recently prices have slumped. It is impossible to say why, though the economic slowdown is probably not the cause: credit card fraud, says Turner, is a recession-proof business. Santorelli's guess is that the market has been flooded with information stolen from Heartland.

As in any transaction, however, let the buyer beware. Anyone who took loopz up on the offer would probably have come away empty-handed. Santorelli says that 9 out of 10 traders in the chatroom are "rippers" - con artists who take the money and run. To combat this, many chatroom operators impose a ratings system not unlike the ones you find on eBay or Amazon. Most of the 340 people in the room are, like loopz, unrated, but a few have coloured dots next to their name which indicate that they have shown some level of trustworthiness in their previous transactions: the colour changes from yellow to blue to green to red as the trader's reputation grows. I guess that's what they mean by honour among thieves.

Some chatrooms rate the traders' trustworthiness. I guess that's what they mean by honour among thieves

There are a handful of "reputable" traders in the room, including one called netter who has a blue dot next to his name.

: Selling USA Fulls Cvv2 Info + SSN MMN DOB 8$ Per 1

This marks netter out as an identity thief. "Fulls" is jargon for a collection of information that includes credit card details but also more personal details: SSN for social security number, MMN for mother's maiden name and DOB for date of birth. Criminals can use these details to apply for credit cards, take out loans or set up bank accounts to launder money.

Retail systems like Heartland's do not generally contain personal information, but hackers find it surprisingly easy to dupe people into handing it over. "Netter is almost certainly getting his information by phishing," says Gundert. He's referring to scams that direct users to websites that look almost identical to those operated by major banks. In reality, the sites are run by criminals, who use them to trick people into giving away the kind of information that netter is selling.

Phishing sounds like a complex operation, and five years ago it was. But like e-commerce in general the black economy has matured. Now a relatively unskilled criminal can buy everything they need to go phishing. I saw several adverts for off-the-shelf phishing kits, and others for hacked access to internet servers, which phishers need to host their fake websites. Still others were hawking scanners - software that roams the internet looking for holes in servers' defences. I could also have bought hacked email logins, which can be used to squat on the web space that comes free with most internet accounts but which few people use.

Phishing is not the only way to steal logins. Hackers can also covertly install "keylogger" software, perhaps by attaching it to an email that appears to come from a friend. Once installed, the keylogger monitors every keystroke a user makes and relays details to a remote computer known as a dropzone.

Last year, Thorsten Holz at the University of Mannheim in Germany took a close look at keylogging. He and colleagues tracked down 240 dropzones and took a peek inside 70 of them. They found usernames and passwords for around 5700 eBay accounts, login details for over 10,000 bank accounts and 5700 credit card numbers. Holz estimates that this information was worth $16 million.

So if just 70 dropzones open the way to such a large sum of money, how much is the entire black economy worth? Since criminals do not file company reports, it is hard to be precise. In one of only a handful of independent studies, Vern Paxson of the International Computer Science Institute at the University of California, Berkeley, monitored chatroom trading over a seven-month period in 2006. He saw over 13 million messages sent under 100,000 different names. Every day, more than 400 credit card numbers were posted, and hacked access to bank accounts containing millions of dollars offered. Almost 4000 valid social security numbers were posted in total. All in all, Paxson observed trades worth $93 million.

The underground economy is almost certainly much larger than that now. A year-long monitoring exercise run by Symantec in 2007 and 2008 identified credit card details, bank accounts and other stolen information worth $276 million on just a small sample of underground chatrooms.

Not surprisingly, individual criminals can make a fortune. For example, the US government is currently trying to take possession of $1,650,000 in cash, a condominium in Miami and a BMW owned by hacker Albert "CumbaJohnny" Gonzalez, who was charged last August along with 10 alleged accomplices from the US, China, Belarus, Ukraine and Estonia.

I found it unsettling to watch people like this doing business in the chatrooms. The fact that the conversation was public didn't stop me feeling that I was eavesdropping: it was as if I was overhearing a gang discussing plans for a bank robbery. But there is a crucial difference. In the real world, I could call the police and identify the plotters. Tracking down the people hiding behind usernames like netter and cinch is close to impossible.

The first layer of anonymity is provided by the servers running the chatrooms, which are programmed to mask the identity of traders. I asked the server to supply information on loopz. Here's what came back:

< >:

Even to an expert eye, this means little except that the chatroom server is set up to hide the trader's identity. The last parts suggest that that loopz may be connected via Belgacom, a Brussels-based internet service provider, but there is no guarantee of that, as there are numerous ways for hackers to obscure the route they use to connect. Some rent time on legitimate servers and send their messages from them rather than their home computers. Others use bots - illegal software installed covertly on other computers - to relay messages for them. Either method makes it very difficult for law enforcement officers to identify the location of the sender.

Tracking down the chatroom servers is equally difficult. I ran a standard search, known as a "whois query", to establish the internet address of the chatroom. It revealed only that the operators have an appreciation of irony: they had registered the server under the name and address of the New York State Division of Criminal Justice Services.

Law enforcement experts, such as the cyber-security team run by the FBI, have more sophisticated methods for locating chatroom servers, but the trail often leads to countries such as China or Russia, where foreign agencies can find it time-consuming to collaborate with the police. Security experts say better international cooperation is producing results, such as last year's arrest of two prominent Turkish hackers. There will always be some governments, however, that will not work with authorities in the west, where most victims of cybercrime live.

With no technological fix, law enforcement has to rely on old-fashioned detective techniques, such as sting operations and the use of informants. The police can also work up the trading chain by catching criminals using stolen credit cards in stores and then tracing the traders who supplied the forged plastic.

All these techniques have played a part in the big police successes of recent years, including the September 2007 arrest of Max "Iceman" Butler, a trader from San Francisco who is alleged to have run a site known as Cardersmarket and to have personally sold tens of thousands of credit card numbers. A month earlier, a US Secret Service investigation culminated in the arrest of 11 people in what federal officials said was the biggest ever identity-theft and hacking bust.

Victories like that are causes for celebration, and not just for card issuers and retailers. If somebody hacks your credit card, they pick up the bill. But both ultimately pass the cost onto consumers. So in the end, we all pay for the ill-gotten gains of cinch and netter.

The cost would be smaller if we all took steps to defend ourselves (see "Beat the cybercrooks"). But with so much money to be made, the threat is not going to go away. "There is never going to be a silver bullet," says Santorelli. "We can make it harder for these criminals, but we'll never stop them."

* The names of all traders have been changed, and some of the messages edited for clarity

Did you like this post? Leave your comments below!
Found this Post interesting? Receive new posts via RSS (What is RSS?) or Subscribe to CR by Email

More Post From The Web