Credit card fraud - want to join the party?

Filed Under: Data loss, Featured, Law & order, Security threats, Spam

Usually, when you see those little icons of payment cards put up on a web page, you assume it's a list of the cards you can use when you pay for something on the site:

Sometimes, though, it's a list of cards available to buy.

How does that work?

Let's take a look.

Like me, you probably get a persistent stream of bogus email from phishers, carders, scammers and the like. They're trying to trick you out of your money, your passwords and your digital identity.

That's hardly unexpected. Scamming is, after all, what scammers do.

But sometimes you'll get legitimate emails from the crooks.

OK, perhaps legitimate is the wrong word. What I mean is that they are overtly proposing criminality - not with you as the victim, but as a co-perpetrator:

In short, they sometimes use marketing EDMs (electronic direct mails - spam, in the vernacular) just like regular, legitimate companies.

They want your details not to steal from you, but to sell you things so you can steal from others:

They're happy for you to be anonymous - indeed, it's paradoxically probably slightly safer for them if they don't know who you are. They only really need to care whether you're an undercover cop or a genuine crook.

The terminology speaks largely for itself. Scam pages, bank accounts and credit cards are obvious. The others are common in carder-speak:

CVV Card Verification Value: the digits stamped on the back (or sometimes on the front) of your card that are not encoded on the magnetic strip. These are often used in online transactions to "prove" you have the card in your hand, not just a skimmed copy of the magstripe data.
SSN+DOB Social Security Number (the closest thing to a national ID number you get in the USA) and date of birth.
FULLZ Detailed ("full") database records of personally identifiable information. For any individual, this might include full name, address, telephone number, full bank account details, SSN, DOB, employment details, and more.
DUMPS Copies of the raw data off payment card magnetic strips. Handheld or device-mounted skimmers capture and record dumps directly off the card. Modern malware also sniffs for raw card data in memory. Writing a dump to a blank magstripe creates a clone of the skimmed card.
PLASTICS Blank plastic cards for writing dumps onto. They may be plain, if they don't have to pass human inspection (for example in an ATM). Or they may be counterfeits of cards in circulation, with varying degrees of quality and verisimilitude.

That's really all you need to know. Unless you genuinely intend to become a criminal, keep clear of this stuff. Don't sign up and play around with the Baddies just to see what happens. It's tempting, but not a good idea.

It's hard to keep perfectly anonymous online (whatever the legislators who are baying for yet more internet surveillance regulations might say). And if you aren't as anonymous as you think, you might well end up on the radar screens of both the crooks and the cops.

As Mr Miyagi, of Karate Kid fame, pointed out, "Best way to avoid punch - no be there."

, , , , ,

You might like

5 Responses to Credit card fraud - want to join the party?

  1. Good article. Informative with a lack of moral highground.

  2. MikeP_UK · 1065 days ago

    Agree, good article. But in the EU we use CSC instead of CVV. Also in the UK we don't have a 'social security number, instead we have a National Insurance Number (NI number). We don't have a National ID number, as yet! I believe many mainland European countries do have a national ID scheme.

    • Paul Ducklin · 1065 days ago

      You'll need to extrapolate (is that the right word here?) to non-US regions.

      For SSN read "whatever is the closest thing to an ID number you have in your country". For CVV there are many synonyms - CSC, CVD, CVC and various permutations of "validation", "security", "card" and "code".

  3. This was a very informative piece well done to the writer, and like the writer says avoid at all cost, you don't want to get into trouble because of my curiosity.

  4. Mick A · 1000 days ago

    You should get lots of new readers now - with the headline 'Credit card fraud - want to join the party?' A space to put your email address and a button that says 'Do It!' right underneath... Made me chuckle; brilliant article though Paul - well done.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog