Monday, February 17, 2014

Threat Agent Profile: Payment Card Data Thieves and Stolen Card Markets

My wife’s friend walked in to a grocery store and quickly realized that she had left her purse in the car. During the minute she was gone a thief had smashed her window and stolen her purse. She immediately called her bank and her two credit card companies. Within thirty minutes she had a hold placed on her accounts, but it wasn’t fast enough. In that time the thief had withdrawn $1200 from her bank account from a teller at a bank branch and had charged over $400 on the cards. That is what the small-scale, petty payment card theft looks like.

Grand scale payment card theft looks like Albert Gonzalez’s ‘Operation Get Rich or Die Tryin’, a payment card hacking crew that stole over 90 million payment card numbers from companies including Heartland Payment Systems, TJ Maxx, 7-Eleven, and Office Max and caused over $200 million in damages. Gonzalez and crew compromised the ATM card and payment card processing systems at these companies by exploiting well-known vulnerabilities in their wireless networks and web applications. Upon arresting Gonzalez, agents found $1.6 million in his several bank accounts. His goal was $15 million, at which point he planned to buy a yacht and retire.[1]

What does one do with 90 million stolen payment cards? At one point, after raiding numerous ATMs with stolen debit cards he had manufactured Gonzales is reported to have complained about having to count over $300,000 in twenty-dollar bills because his cash counter had broken. It’s not as if a small crew can handle even a small fraction of that number.  What happens with much of the data is the thieves offer it for sale on the Internet for purchase by ‘carders’, people who specialize in converting stolen card information in to useable credit and ATM cards and using the cards to commit fraud.

In 2007, when I first explored the online carder markets where hackers sell and carders buy stolen data and other related goods and services, I easily found 17 carder sites, such as,,, and In early 2010, only three of those same sites were still available. Carder sites are still out there, but most have gone underground due to some high profile federal prosecutions, such as the takedown of in 2008. You’ll see in the screenshot below of, that FraudMarket was offering Visa and MasterCard dumps at the time for $25 each for low volume purchases and for $18.50 each when buying 50 or more. Another site,, was selling batches of 700 for $3500 and 900 for $4700.