Smart SpendingSmart Spending

Who's stealing your credit card data?

The superhacker who obtains your credit card information in a data breach is many steps removed from the 'mules' who use it to make fraudulent purchases.

By MSN Money Partner Jul 11, 2012 5:04PM

This post comes from Jeanine Skowronski at partner site Bankrate.com.

 

Bankrate.com on MSN MoneyData breaches have become the new normal with big-name companies such as Global Payments -- which services Visa and MasterCard -- and online retailer Zappos disclosing that hackers stole consumer credit card information in 2012.

 

Image: Man surprised (© Spohn Matthieu/PhotoAlto Agency/Jupiterimages)The breaches build on an equally active 2011, a year in which security software company Symantec estimates 232 million identities were exposed.

 

Fortunately, this doesn't mean every affected consumer discovered fraudulent charges on his or her monthly credit card statement. What happens to account numbers following a data breach largely depends on who stole the information.

 

According to Stu Sjouwerman, the CEO of network security firm KnowBe4 LLC in Clearwater, Fla., there are three major types of hackers. Digital delinquents will try to infiltrate big-name data sources such as national retailers or financial institutions for fun and recognition, while "hactivist" groups, such as LulzSec, target similar sources to prove the companies' security systems are severely lacking.

 

"They're trying to make a point," Sjouwerman says.

 

They're not necessarily looking to make money off of compromised consumer data, but there is always a chance it could fall into the wrong hands. However, that's the top priority for the third type of hacker: seasoned criminals who digitally break into company databases to make a living.

 

But, while these masterminds are looking to monetize the massive amounts of data their breaches obtain, they aren't going to rack up big bills with stolen credit card numbers. (Post continues below.)

A complex pyramid

Instead, the original hackers are going to make money by selling account information in bulk to criminal third parties, says Chester Wisniewski, a senior security adviser at United Kingdom-based computer security firm Sophos.

 

After potentially trading hands a few times, "a lot (of card numbers) wind up being sold in Internet forums," Wisniewski says. This allows the network of dealers to maximize profits while minimizing the risks of getting caught, especially since card forums have become increasingly difficult to enter. A "carder" is someone who buys, sells and trades stolen credit card data online.

 

"They're a lot more underground than they used to be because a few big dealers got busted," Wisniewski says, referencing the 2010 conviction of Max Ray Vision, the former computer security consultant who turned superhacker. "Now you need to have multiple people vouch for you to get access."

 

Those who do gain access to these forums will pay different prices for the data, depending on how much information was illegally obtained.

 

"Each piece of information stolen in a breach has a different value," says John Harrison, a group product manager for endpoint threat protection, security technology and response at Symantec, based in Mountain View, Calif.

 

For instance, a 2008 Symantec study on the underground economy found account numbers paired with expiration dates and card verification values -- the security codes on credit cards -- ranging from 50 cents to $12, with packages ranging in size from five accounts to 500 accounts. Cards without these supplemental codes went for about 10 cents apiece.

 

Prices also vary depending on how close a card's expiration date is, whether other personal information on the account holder is available and/or the reputation of the hacker/seller.

 

It's important to note, even at this stage of the game, that the individual who buys the data may not use your credit card information. To add another level of security to their own dirty dealings, local organized crime groups or other career criminals will hire people to make purchases with the stolen data via advertisements on select jobs boards.

 

"These people are essentially mules," Harrison says. In addition to simply purchasing the products, they may be asked to resell high-ticket items on online auction sites. These profits are then wired to the crime group minus whatever percentage the mule has been promised as payment. The role represents the final rung in a long and highly specialized supply chain.

 

What thieves are buying

Once the crime pyramid is complete, the stolen accounts can be used by either the mule or the thief to purchase virtually anything.

 

"It's generally stuff that is easy to sell or has a high resale value," Harrison says. This typically includes electronics, clothing and gift cards, which all net fast cash on the Internet. Some criminals also imprint gift cards with the stolen card numbers so the accounts can be used to buy merchandise at brick-and-mortar stores. "You're not going to ask for identification when a person is using a gift card," Harrison says.

 

Thieves also are known to target retailers that have generous return policies as an alternate way of monetizing stolen accounts.

 

But cautious consumers shouldn't only be on the lookout for unfamiliar bulk buys. "The first thing thieves will do is make a small purchase online or at a convenience store to determine if the card is valid," Harrison says. These charges, which could be for something as small as a single music download or a pack of gum, may appear intermittently between larger purchases because fraudsters will continually check the status of the account to avoid getting caught red-handed.

 

What if your card is compromised?

If you discover your account was stolen in a data breach, you should immediately call your issuer and replace the card. You also should change usernames and passwords for all of your online accounts to prevent thieves from obtaining additional access now that you're on their radar, Harrison says.

 

If a Social Security number has been obtained alongside credit card information, "you do need to put a fraud alert on your credit report," Wisniewski says. You also may want to sign up for some type of credit monitoring since your identity may be shopped around alongside your credit card numbers.

 

Of course, the best line of defense is to minimize the chances of your card falling into the wrong hands. Wisniewski suggests limiting the number of credit cards you use to purchase items online. You also might want to look into services such as Google Checkout, PayPal and Checkout by Amazon, which eliminate the need to share credit card numbers with every single seller you patronize online.

If you use one particular payment method, it might be good to "freshen" the data associated with that card.

 

"Once a year, I ask for a new credit card number," Sjouwerman says, regardless of whether the account's been involved in a publicized breach. "I tell them my card's been lost and I need a new one."

 

More on Bankrate.com and MSN Money:

11Comments
Jul 12, 2012 7:07AM
avatar

We have one credit card that is used only for online purchases, so we can monitor it more easily.  Despite trying to be very careful about whom we shopped with, the card got hacked.  Fortunately the issuing bank is very good and spotted the fraudulent activity quickly, contacted us, and killed the card.  Other than doing a little paperwork and returning some fraudulent items we have had to do little to clear this up, and have not had to pay for any of it.  So far our other accounts have been clean, but we did change user IDs and passwords as the article suggests, and we check them frequently.  To replace the hacked card we are getting a card that has a $500 limit so our exposure will be much smaller.   Since we do need to buy online, and we suspect that credit cards will continue  to get hacked, we try to limit our risk with a low limit card and frequent account monitoring.

Jul 12, 2012 4:43AM
avatar
The biggest problem is that. bottom line. banks don't care. We had our data stolen and a crook in Alabama was using it.  We found the first charge, alerted the card company. Canceled the card. The crook used it several more times, all with the US Mint to purchase proof sets. We contacted the mint. They gave us the shipping address and all purchaser information. We contacted the police out there.  They did not care (we're talking almost $10,000 in coins here!) The card company kept honoring the charges. We finally had them change the number and close the account.  The crook called them - and they gave him the new number! Plus he changed the billing address, phone, etc., even though the bank knew the card data was stolen by someone in Alabama - we gave them all that information!

Took months to fix this. They just kept honoring the canceled card, and changed the billing address to the idiot in Alabama. We'd call. He'd call. We'd call. He'd call. The **** credit card company kept changing the card information! He used three different addresses. So our credit report now has four different home addresses in the past year! Took about 40 points of the credit score.

The bank wound up eating the $10,000 and the crook got away scott free.

Jul 12, 2012 1:31AM
avatar

Someone tried to buy stuff from a hacked account but the joke was on them. My spouse had already maxed out the card. Of course If a thief did it i might have got my money back.

Jul 12, 2012 12:34AM
avatar
Its getting hot and heavy. Left my card inside while buying fuel because supposedly the outside receptacles were 'broken'. Within a few days I was compromised and 48 hours after the event I had my provider on the phone, and we traced purchases on my card to Cambridge, England.  For whatever reason the thieves aborted, and I suffered not a cent loss. 80 in December and still learning. 
Jul 11, 2012 11:16PM
avatar

CC users have to keep a close relationship with their CC issuers.  Telling them if a transaction might've put the account on a risky position, in danger of being abused and to change the acct. number 

Ask the issuer of the card to contact you when purchases are over a certain amount or if purchases are not typical. These are only several defenses we can use to protect our card, I know that nowadays we  don't have to pay for fraudulent purchases but it takes a long time to clear one of those...better not to let them happen

Jul 11, 2012 11:49PM
avatar

cacique,

Global Payments is not an issuer.  They don't issue credit cards to consumers.  They process the transactions when a purchase is made, that is they move the funds from the cardholder's account to the merchant's account.  That's where the breech took place.  The issuer had nothing to do with this breech. 

Jul 11, 2012 11:52PM
avatar

I posted my comment before I meant to.  I was not criticizing your comment. Your point is a good one and well taken.

Jul 12, 2012 7:19AM
avatar
CARETAKERS FOR ELDERLY ON HOSPICE A GREAT Target bankersvtell mr it is rampant as many ofbthses people die beforebthey can stop fraud and the estate is obliviousntomit   i survived my hospice goy better my 830 py credit rating detroyrd credit card compsnys some of thrum  cover such fraud some don't either way its months   of   trouble ruined credit ratings forgerysbon an on not a lll organized criminals many just home care low income mostly  non american born immigrants and drug addicted cans looking fornfree drugs and all else they can get 


itbis obsence and a reflection of our health care system outsourseing  to the bone picking so-called caretakers
Jul 12, 2012 7:10AM
avatar
ORDER PLACED ON LINE PHONE REP CALLED TO GET CREDIT CARD INFO YA THINK CALIFORNIA AND ARIZONa have probs with green card immigrants think twice they are rampANT WISE AND SLICK THEY NO OUR SYSTEM CON THIERVWAY INTONA COMPANYNLIKE BESTBBUY AND WORK CUSTOMERS WHO ARE FORTHRIGHTIN ASKING FOR HELP BECAUSE OF ILLNESS  STROKES CANCER ETC NEVER GIVE CARD INFO OVER PHONE ESPECIALLY TO ANYONE WITH AN ACCENT   BEST BUY HAS CAUSED ME MUCH PAIN
WITH NO SUPERVISOR HELP ON LINE RUDE GREEN CARD EMPLOYEES I WILL NEVER SHOP THERE THIS KIND OF UNSUPERVISED EMPLOYEES ARE A MAJOR CAUSE OF CRDIT CARD FRAUD
Jul 12, 2012 8:10AM
avatar
I used to worry about ID theft.  But then, I also used to try to make money and pay taxes.  Now, I've embraced the Obama lifestyle and quit trying.  Work as little as possible.  Pay no taxes.  Collect unemployment, food stamps, welfare.  Now free healthcare!!

Life is GREAT!  I only have a Visa debit card and lousy credit - I never worry about ID theft.

Give up, people.  The crooks and deadbeats have won.  Like all addicts, America has to hit rock bottom before things will improve.  I'm doing my part.  After the civil war, I'll try again.

Report
Please help us to maintain a healthy and vibrant community by reporting any illegal or inappropriate behavior. If you believe a message violates theCode of Conductplease use this form to notify the moderators. They will investigate your report and take appropriate action. If necessary, they report all illegal activity to the proper authorities.
Categories
100 character limit
Are you sure you want to delete this comment?

DATA PROVIDERS

Copyright © 2014 Microsoft. All rights reserved.

Fundamental company data and historical chart data provided by Morningstar Inc. Real-time index quotes and delayed quotes supplied by Morningstar Inc. Quotes delayed by up to 15 minutes, except where indicated otherwise. Fund summary, fund performance and dividend data provided by Morningstar Inc. Analyst recommendations provided by Zacks Investment Research. StockScouter data provided by Verus Analytics. IPO data provided by Hoover's Inc. Index membership data provided by Morningstar Inc.

ABOUT SMART SPENDING

Smart Spending brings you the best money-saving tips from MSN Money and the rest of the Web. Join the conversation on Facebook and follow us on Twitter.

VIDEO ON MSN MONEY

TOOLS

More