
Confessions of an ID Theft Kingpin, Part II - todsacerdoti
https://krebsonsecurity.com/2020/08/confessions-of-an-id-theft-kingpin-part-ii/
======
psadauskas
> “I don’t know of anyone who has come close to causing more material harm
> than Ngo did to the average American,” O’Neill said.

> Throughout the court proceedings, Ngo sat through story after dreadful story
> of how his work had ruined the financial lives of people harmed by his
> services.

He made it easier for people to steal money from banks and credit card
companies. Its a pretty stupid system that forces the "average American" to be
on the hook for that. We shouldn't even be calling it "Identify Theft", this
is just bank fraud.

[https://www.youtube.com/watch?v=CS9ptA3Ya9E](https://www.youtube.com/watch?v=CS9ptA3Ya9E)

~~~
meowface
What about cases where card-holders don't check their credit statements or
transaction history or have alerts set up? Many may never even notice some of
the fraudulent transactions.

It's true that this is largely bank fraud rather than theft of consumers'
money, but it's still technically both, and in some cases literally both.
Carders justify their actions by saying they're just ripping off huge
corporations, and, yes, it's undoubtedly more ethical than burglarizing
someone's home or something, but it's still major fraud.

~~~
droopyEyelids
Two things can be true at the same time.

The other thing thats true is that the most wealthy corporations on earth have
twisted language and law to make these breaches of their [bank] security the
failing and responsibility of the individuals who trust the bank-- or, often
didn't even have anything to do with the bank (in the case of new lines of
credit being opened in your name at a different institution)

~~~
meowface
I'm certainly no fan of giant banks, but this isn't concerning breaches of
bank security. The fraudsters discussed in the article are generally stealing
people's credit card numbers by installing malware on their devices. Sometimes
it's them putting a skimmer on ATMs, but the bank's security isn't necessarily
to blame for that if they aren't the ones that operate the ATM. Sometimes it's
hacking a company like Target and compromising all of their payment systems;
but Target is really at fault, there.

>to make these breaches of their [bank] security the failing and
responsibility of the individuals who trust the bank

It's really the opposite: the consumer fucks up, by torrenting something and
running Game of Thrones.exe, or whatever, and the bank is 100% on the hook for
the consumer's lack of caution. It's actually quite amazing that anyone who
has their money stolen gets all of their money back if it was stolen using a
credit or debit card. The banks could easily just say "unless you can prove
this was our fault (and it rarely is), you're on your own", but they reimburse
you with no questions asked every time.

This is due to laws, not the banks' own good will, but it's still quite a nice
situation for card-holders, if they realize their card has been used without
their knowledge. (Often it's the bank who detects it and informs them.) That's
why the fraudsters justify the ethics of their actions: the bank takes the
hit, not the card-holder.

~~~
psadauskas
> The fraudsters discussed in the article

Your comment almost directly contradicts the article. This isn't about just
stealing credit cards:

> “Many of them told us the same thing: Buying identities was so much better
> for them than stolen payment card data, because card data could be used once
> or twice before it was no good to them anymore. But identities could be used
> over and over again for years.”

And your part about "The banks could easily just say "unless you can prove
this was our fault (and it rarely is)":

> “But during my case, the federal court received like 13,000 letters from
> victims who complained they lost their houses, jobs, or could no longer
> afford to buy a home or maintain their financial life because of me. That
> made me feel really bad, and I realized I’d been a terrible person.”

That doesn't sound like the banks were very forgiving for those 13,000 people,
and it is 100% not their fault that Experian published on the public internet
enough personal data about them to open new credit cards.

~~~
meowface
Sorry, you're absolutely right, I was mistaken and somehow ended up only
skimming the parts of the article that were more about his personal story (and
I guess overlooked the thread and article title, as well). Maybe partly due to
reading some other previous Krebs posts about carders. Identity theft
definitely is far more damaging to consumers than carding is, and banks and
financial institutions are definitely a lot less forgiving.

People should disregard my above post. I think I just fell into the
unfortunate HN stereotype of getting wrapped up in the comment section instead
of RTFA.

------
driverdan
> But based on the records they did have, the government estimated that Ngo’s
> service enabled approximately $1.1 billion in new account fraud at banks and
> retailers throughout the United States...

Krebs really should have pressed this issue. Law enforcement always inflates
these numbers significantly. They use sentencing guidelines to arrive at
"financial losses" that aren't real.

For those who aren't aware, US Federal Sentencing Guidelines are how federal
courts determine what punishment someone will receive. In many types of crimes
they don't use true loss values because it would be very hard or impossible to
determine. Instead they assign a fixed amount per instance.

For example, a single stolen credit card number may be considered $500 in
fraud, even if the card was never used by the person being sentenced. I don't
know if this is the current amount but it was 15 years ago when I was
sentenced.

If someone has a database of 1000 credit card number they hacked, the court
considers it to be $500,000 worth of fraud.

It makes sense in small cases but in larger ones like this it vastly inflates
the amount of actual fraud.

~~~
caseysoftware
From Part 1 of the article:

> _“He was selling the personal information on more than 200 million Americans
> and allowing anyone to buy it for pennies apiece.”_

If 1% of those is used to commit $500 in credit card fraud that's $1B in hard
losses without considering the cost to those 2M people cleaning up the mess.

It sounds like $1.1B is on the absolute low end.

~~~
driverdan
This is also misleading. He had _access_ to data on 200 million people. He
didn't sell that many records.

------
Nextgrid
It seems like the data brokers did most of the dirty work of collecting,
storing and giving away the data to anyone who asked nicely. This guy managed
to get access to all that sensitive data by just a single instance of social
engineering. The data brokers' executives should be rotting in jail alongside
him on much longer sentences.

~~~
rectang
The data brokers have accumulated towering piles of toxic data, creating a
situation where spillage — and the resulting terrible harm to the innocent —
becomes statistically inevitable.

~~~
phkahler
Some people consider such piles of data a liability.

~~~
Ruthalas
Probably including your parent comment, given that they described them as
piles of toxic waste.

~~~
rectang
"Data is a toxic asset."

— Bruce Schneier

It is an asset, not waste.

------
mgleason_3
Equifax and Experian took our most personal financial information without our
permission, made money from it and completely failed to protect it. These
A-#&@# are the ones who should have gone to jail.

~~~
kyuudou
The big 3 are so wedded to big finance. The credit reporting market needs
serious disruption.

------
PeterStuer
“I don’t know of anyone who has come close to causing more material harm than
Ngo did to the average American,” O’Neill said.

Noit trying to minimize his crime, but since he was reselling data from
_legit_ data brokers, would that not imply the latter are also “causing
material harm to the average American,”?

------
laksdjfkasljdf
best quote (of a quote):

> “We interviewed a number of Ngo’s customers, who were pretty open about why
> they were using his services,” O’Neill said. “Many of them told us the same
> thing: Buying identities was so much better for them than stolen payment
> card data, because card data could be used once or twice before it was no
> good to them anymore. But identities could be used over and over again for
> years.”

<sarcasm>good thing the few companies who had to pay damages to those leaks
covered a few dollars for one or two years of some useless data-protection
scams, who do no good other than having your data pulverized to another
potential data leak</sarcasm>

Can't wait for a time where PGP is part of the k12 curriculum and we can have
a decent solution for all that.

------
miohtama
Outside the US, it is a norm to have government sponsored hard online
verification with two-factor authentication. Examples include Estonian
eResidency, online bank verification in Nordics and infamous Aadhaar in India.

Though this gives government more power, it makes simple online identity
fraud, like tax refund schemes, impossible.

~~~
ClumsyPilot
I am not sure you can call it the norm- it's not that common. However it is
very sensible, and I am not sure why you-are being down voted.

------
BJBBB
“When I was in jail at Beaumont, Texas I talked to one of the correctional
officers there who shared with me a story about her friend who lost her
identity and then lost everything after that,” Ngo recalled. “Her whole life
fell apart. I don’t know if that lady was one of my victims, but that story
made me feel sick. I know now that was I was doing was just evil.”

Earnest question. Other than a sociopath or psychopath, how could an adult
human not know from the beginning that their actions are immoral and
unethical?

~~~
jandrese
Maybe he figured it would be no problem. The credit card company would reverse
the fraudulent transactions and issue a new number and the person would be on
their way.

~~~
ev1
Anecdote: I help run a gaming community (think public large Rust, Ark, etc.
servers); we routinely have players, anywhere from 14-20+ age, try to "help us
out" by donating large amounts with stolen cards, hacked PayPal accounts, and
the like. Almost always the country is BD/PK/BR/VN/ID/LK. We don't have CIS
(RU/UA/...) players, so assume that's excluded from this anecdote.

I'm unsure why, whether it's cultural or socioeconomic or otherwise. They
don't see anything wrong in doing it, and when aggressively questioned
(because we've banned their game accounts from our servers for fraud) the
answer is always "what's wrong I am just trying to help" and "everyone here
does this, no one wants to pay $[50+] for [GTAV/other AAAgame/etc], everyone
buys hacked or keylogged accounts off secondhand market for $2"; some of them
outright just try to offer lists of cards ("dumps?") in exchange for
privileges/virtual titles on the forum/etc because they don't want to go
through the effort of cashing them out. Of course we're like WTF in response.

If you look on r/gaming or other forums, it's super common to have someone
"buy" your hacked account and when you reset it and recover it, you get a
barely-comprehensible angry email asking why you stole the account they
purchased legitimately and paid $1-2 for.

~~~
outworlder
Interesting anecdote.

Some of us may try to claim the moral high ground, but we aren't fully in
control - not until much later in life.

If you are a teen and all your friends do this, you'd be a sucker for paying
the "full" (read: non-stolen) price. Because they don't fully realize what's
involved in getting these 'goods' to them.

From the article:

> “When I was running the service, I didn’t really care because I didn’t know
> my customers and I didn’t know much about what they were doing with it,” Ngo
> said. “But during my case, the federal court received like 13,000 letters
> from victims who complained they lost their houses, jobs, or could no longer
> afford to buy a home or maintain their financial life because of me. That
> made me feel really bad, and I realized I’d been a terrible person.”

He may be a psychopath and faking it. But probably not. When harm happens that
far away from you, it's easy to brush aside.

I'm from one of the countries in your list - won't specify which so as not to
invite flames. Suffice to say that there's a baseline level of corruption
that's tolerated, if not encouraged. Tax evasion, pirated software,
contraband, you name it. The population is really abused by the government
(very high taxes, lots of bureaucracy, terrible public services, corrupt
officials) so I guess that's how some people survive. And then it creeps into
other areas in their lives via network effects. That's one of the reasons I
left.

