Friday, July 28, 2006

The Face of Another Threat

Kim Zetter wrote a great piece for Wired called Confessions of a Cybermule. It's the story of a criminal who converted stolen credit card numbers into actual cards, then withdrew money at ATMs. In the words of the article:

They are the mules of electronic fraud, filling a vital role at the intersection of the virtual and the real: converting stolen account information into cold, hard cash.

That's a central challenge for digital criminals. The criminal, who in the story uses the nick John Dillinger, started out converting credit cards into cash this way:

Dillinger got several stolen credit-card numbers and spent two months traveling California with a partner, buying high-end laptops and reselling them. He'd never had disposable income, and got a rush from entering a store with a credit card stamped with someone else's account and walking out with expensive products.

Later Dillinger created fake cards for use at ATMs:

[A] spammer collected hundreds of account numbers, then distributed them to Dillinger and other "cashers" who encoded them onto blank plastic cards with an MSR206 and fanned out to hit ATMs. In two days, Dillinger says he collected $20,000 using the counterfeit cards and stolen PINs.

He wired the money, minus his take, to the Russian via Western Union. The operation lasted only a couple of weeks, though, before Western Union started blocking the money transfers.


This guy was a small fish:

U.S. Postal Inspector Greg Crabb confirmed that Dillinger was involved in cashing, though he and other investigators Wired News spoke with consider him relatively small-time compared to other cashers who made hundreds of thousands of dollars. This could explain why authorities didn't arrest Dillinger in 2004 when the Secret Service nabbed dozens of carders and identity thieves in a yearlong sting operation that targeted Shadowcrew and other carding sites.

This is why addressing the threat is important:

Dillinger said weeks before he was arrested that he was tired of cashing. "It's hard. It's scary," he said. "I don't want to get arrested. You go to ATMs, your picture's being took. You always have to look over your shoulder. Even when you're done with it, for the rest of your life pretty much you've got to look over your shoulder."

If law enforcement had more resources to identify, arrest, and prosecute these threats, we'd have less cybercrime.

3 comments:

Anonymous said...

Yeah...and if end users had a clue how to use and protect their computer and personal information...the target base would be much smaller.

Anonymous said...

If law enforcement had more resources to identify, arrest, and prosecute these threats, we'd have less cybercrime.

It really begs the question, "Which came first, the chicken or the egg?"

This has nothing to do with prosecuting criminals and everything to do with proactive threat elimination. If someone breaks into your house and steals your jewelry, do you simply shut and lock the door the same way you did before, knowing it is entirely unfit for protection?

The burden of repair should be on those who manufacture the systems by which the abuse occurs. This type of garbage is only taxing the rest of us who have identified it as a poor means of financial control and eliminated it from our routines. Unfortunately, law enforcement must tie up valuable resources due to laziness on the part of banks and financial institutions instead of putting it in areas where it is greatly needed.

Richard Bejtlich said...

Negligence can be an issue. However, the criminal is always at fault.