Card data thieves are only part of a chain of credit/debit card cyber fraud – “carding” rings – that were fast to identify the possibilities of the Internet – if they were legal businesses, we’d call them “supply chain innovators” instead of “hackers” and “carders.”
The chain begins with online marketplaces such as Tradekey.com where dealers such as New Russia Tech from – where else – Russia, and Honey Badger Ltd from Kenya openly sell card “skimmers” and PIN pad “overlays” for about $1,500.
Hackers install the devices on ATMs and POS terminals, where they collect PIN and magnetic strip information – before it’s encrypted – from the keypad (no visuals required) and transmit information back to the hackers. For example, New Russia Tech advertises “attach the skimmer and the PIN pad to the ATM and you just sit at home and receive the information trough [sic] SMS-messages.”
Batches of stolen card information – “dumps” – are bought, sold and traded online on forums such as Vandump.biz, PKHackerz.com, and Master-dumps.com for anywhere from about $5 to $25 per card. As in other businesses, higher quality commands higher prices, and quantity buyers and regular customers get discounts. Buyers clone the cards with encoders – also available for sale at Tradekey.com. Cloned cards can be created from hotel key cards and used gift cards, as well as new card stock.
With the fake cards in hand, it’s time to go shopping. But not before putting through a small charge to verify that the card will work – often at a gas station, explains SCPD’s Sgt. Akana, because gas stations don’t usually have cameras on the pumps.
To move the stolen merchandise, fraudsters turn to flea markets, and online markets and auctions. And just like in the offline world, there are e-fences who’ll unload those ill-gotten gains for a price. Fraudulent purchases from Southern California often find their way to Mexico, according to Akana.
In other words, if that Juicy Couture handbag on Craigslist sounds like a steal there’s a good chance it is.