My wife’s friend walked in to a grocery store and quickly
realized that she had left her purse in the car. During the minute she was gone
a thief had smashed her window and stolen her purse. She immediately called her
bank and her two credit card companies. Within thirty minutes she had a hold
placed on her accounts, but it wasn’t fast enough. In that time the thief had
withdrawn $1200 from her bank account from a teller at a bank branch and had
charged over $400 on the cards. That is what the small-scale, petty payment
card theft looks like.
Grand scale payment card theft looks like Albert
Gonzalez’s ‘Operation Get Rich or Die Tryin’, a payment card hacking crew that
stole over 90 million payment card numbers from companies including Heartland
Payment Systems, TJ Maxx, 7-Eleven, and Office Max and caused over $200 million
in damages. Gonzalez and crew compromised the ATM card and payment card
processing systems at these companies by exploiting well-known vulnerabilities
in their wireless networks and web applications. Upon arresting Gonzalez,
agents found $1.6 million in his several bank accounts. His goal was $15
million, at which point he planned to buy a yacht and retire.[1]
What does one do with 90 million stolen payment cards? At
one point, after raiding numerous ATMs with stolen debit cards he had
manufactured Gonzales is reported to have complained about having to count over
$300,000 in twenty-dollar bills because his cash counter had broken. It’s not
as if a small crew can handle even a small fraction of that number. What happens with much of the data is the
thieves offer it for sale on the Internet for purchase by ‘carders’, people who
specialize in converting stolen card information in to useable credit and ATM
cards and using the cards to commit fraud.
In 2007, when I first explored the online carder markets
where hackers sell and carders buy stolen data and other related goods and
services, I easily found 17 carder sites, such as carderplanet.com, www.fraudmarket.net,
www.carder.info, and dumpz.biz. In early 2010, only three of those same sites
were still available. Carder sites are still out there, but most have gone
underground due to some high profile federal prosecutions, such as the takedown
of carderplanet.com in 2008. You’ll see in the screenshot below of
FraudMarket.net, that FraudMarket was offering Visa and MasterCard dumps at the
time for $25 each for low volume purchases and for $18.50 each when buying 50
or more. Another site, Dumpz.biz, was selling batches of 700 for $3500 and 900
for $4700.