
When Undercover Credit Card Buys Go Bad - kawera
http://krebsonsecurity.com/2015/12/when-undercover-credit-card-buys-go-bad/
======
robotcookies
I propose that a few fake credit card numbers and names be issued to different
companies and that they place them in their records. If there is a breach,
finding those fakes will identify where the breach came from. Each set of
fakes would only be given to a specific company.

This is similar to how dictionaries (before the internet) would post fake
entries to discover if competitors were copying them. Or how (some claim) map
makers would plant fake places to identify similar copying. In the credit card
case though, it wouldn't harm innocent users who may mistakenly think the fake
is real.

~~~
Someone1234
That wouldn't work.

Your assumption is that these retail companies are storing full credit card
information in some large database somewhere; that is not the case at all.
Most large retailers only store the full credit card information for seconds
while they process the transaction; when the transaction is complete it is
discarded.

What the criminals are targeting is the card terminals themselves. Meaning
when you swipe your card, as the transaction is being conducted they take a
copy of the information and re-transmit it to a host somewhere they control
(or to a C&C machine on that network, which they then exfiltrate somehow).

Plus even if you could get your "gotcha" credit cards into the criminal's
hands, the chance of law enforcement buying one back is tiny, since the stolen
batch is mixed with other cards, and only then a small sub-set is sold (since
they verify if the card is still active, and meets other conditions).

My point is, it just won't work with the situation we're dealing with today.
Chip & Pin may help reduce retail card theft as it is harder to reproduce a
physical card to later use, and internet transactions should require the CSC
which a brick and mortar store won't record (even momentarily).

~~~
hobs
Not downvoting, but the number of corporations storing credit card information
would terrify you.

Seen it at former jobs as a DBA, helped to change that at some, and it's among
the top ten list of things to check when I start at a new one.
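The per-company canary scheme robotcookies proposes, combined with the kind of stored-PAN sweep hobs describes, as an added Python example that is not from the thread or the article. The "9999" prefix, the company names and the dump rows are constructed placeholders, not real BINs or card data.

```python
import re
from collections import Counter

def luhn_check_digit(partial: str) -> str:
    """Return the Luhn check digit that makes partial + digit a valid PAN."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:  # these positions get doubled once the check digit is appended
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)

def luhn_valid(pan: str) -> bool:
    return pan.isdigit() and len(pan) >= 13 and luhn_check_digit(pan[:-1]) == pan[-1]

def make_canary(prefix: str, seq: int) -> str:
    """Build a Luhn-valid 16-digit canary so it survives a plausibility filter."""
    body = prefix + f"{seq:0{15 - len(prefix)}d}"
    return body + luhn_check_digit(body)

def issue_canaries(companies, prefix="9999", per_company=3):
    """Give each company its own disjoint set of fake PANs (prefix is a placeholder)."""
    registry = {}
    for idx, company in enumerate(companies, start=1):
        registry[company] = {make_canary(prefix, idx * 1000 + n) for n in range(per_company)}
    return registry

# Candidate PANs: 13-19 digit runs not embedded in longer digit strings.
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")

def find_pans(text: str):
    """DBA-style sweep: return Luhn-valid PAN-looking values found in text."""
    return [m for m in PAN_RE.findall(text) if luhn_valid(m)]

def attribute_dump(dump_text: str, registry):
    """Map canary hits in a leaked dump back to the company that was issued them."""
    lookup = {pan: company for company, pans in registry.items() for pan in pans}
    hits = Counter(lookup[pan] for pan in find_pans(dump_text) if pan in lookup)
    return dict(hits)

if __name__ == "__main__":
    reg = issue_canaries(["acme-retail", "bobs-rentals"])
    leaked = sorted(reg["bobs-rentals"])[0]
    # Constructed dump: one canary, one well-known test PAN, one non-Luhn number.
    dump = f"id,card\n1,{leaked}\n2,4111111111111111\n3,1234567890123456\n"
    print(attribute_dump(dump, reg))  # the canary points at bobs-rentals
```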

~~~
Someone1234
If they got caught doing that, both VISA and Mastercard will essentially ban
them. At least if it is as insecure as you make it sound and they haven't met
PCI DSS.

So instead of storing known gotcha cards in these databases, a likely better
solution would be to discontinue the use of these databases.

Most major retailers don't store credit card numbers. The full information
never leaves the terminal, and is discarded when the transaction is complete.

PS - Thanks for "Not downvoting" but why would you anyway? Nothing I said
contradicts anything you've said. I said large retailers aren't storing CC
information. Are you claiming they do? If so, name names.

~~~
jeffmould
There are plenty of small "mom & pop" sites out there that store full credit
card info, in plain text, in unsecured databases, in blatant disregard of card
company policies. They go with the thinking that it costs too much to implement
security and nothing will ever happen to us. We hear about the big breaches on
the news, but I would bet for every big breach we hear about on the news there
are thousands of smaller breaches that don't get recognized.

For example, about two years ago I had a property management company ask me to
build out a site to handle rent payments for them. They wanted to store and
have access to the full credit card numbers to manually process transactions
for failed or late payments. When I told them they were not allowed to do that
they terminated the contract with me. I know they went on to hire a developer
to build out a site for them and store credit card numbers. While I don't know
if they are still doing it, it did happen for an extensive period of time.

~~~
sbov
I prefer to put consequences in terms of money.

That said, on the flip side, because of things like "Dual Control" the PCI DSS
is physically impossible for some small companies to abide by. In the past we
dealt with credit cards and had a few audits, and they admitted that many of
the points are aimed at companies that don't consist of just two people.

Also, look at it from their POV. In a normal course of business a lot of these
mom and pops probably already are storing credit card information on paper
and/or in word documents. So you're saying the system you build for them is
going to be, in some ways, less useful than their current ad-hoc system.

My mom & pop tax guy emails me my tax return as an encrypted pdf, with the
password being... the last 4 digits of my SSN.

~~~
jeffmould
Oh there is no question if you bring paper records into the mix there are
enormous opportunities. I worked at a mom & pop restaurant for several years.
In the attic of the restaurant were stacks of boxes with credit card receipts
dating back to the mid-80s at least. While the chances of many of these cards
being valid now are significantly reduced, there is always that slight chance.
I have a credit card from the early 90s whose number has not changed (kind
of nice in a way as I can recite the number by memory now).

On the flip side though, to some extent, I would consider these records safer
than a website. At least to gain access to these records you would have to
physically enter the building, climb in the attic, sift through hundreds of
boxes, gather the info you want, and then leave. This would also require you
be in the general location of the building and have knowledge of the records
being there. Hacking a website database from across the globe is a whole lot
easier, so I would say that their existing paper system is more secure to
a degree.

------
sandworm101
Pig notice only on checkout? That doesn't necessarily point to some issue with
his payment method. The checkout server is likely different than the content
server and may be subject to different protections.

Imho they are running the standard 'enemy IP' blocklists used by p2p
filesharers for many years. Where one sees law enforcement using computers, one
filesharers for may years. Where one sees law enforcement using computers, one
must first assume incompetence. In all likelihood he/she was using a machine
at a known cop shop (Windows) without any sort of IP masking.

Some cops are highly trained IT specialists, but many investigators are
actually just senior traffic enforcers who have been promoted into "technology
crime" units. They have training and paper certifications, but lack any deep
knowledge re technology. They make lots of mistakes. Think Flowers by Irene.

~~~
Zikes
You missed an important point: if they wait until checkout then the payment
process will complete and they'll get to walk away with law enforcement's
money.

They have every incentive to wait until the very end to tip their hand.

~~~
pakled_engineer
These fraud shops make you deposit first, then you go shopping, much like how
Silk Road worked, so at any time they could have seized the coins.

For all we know this screen upon checkout is random, and whoever doesn't
complain to get their money back is the cop. Most fraud outfits have major
customers they deal with or cashout teams they offer specific BINs over chat;
the online store is for bottom tier thieves on public sites.

------
probablyfiction
You would think that law enforcement would already be using a VPN or Tor for
stuff like this.

~~~
chiph
I would think they'd block any IP that wasn't from a known VPN or Tor exit as
a noob filter.

~~~
Someone1234
If criminals stopped selling to stupid people, they wouldn't have much of a
market.

Smart crooks don't break the law. Stupid ones do.

Breaking the law isn't cost effective, and I am not talking about morals, I am
saying that the additional overhead involved in covering your tracks and the
potential liabilities (years of $0 or negative dollars income, legal fees)
doesn't make sense.

Only rarely do you get a legitimately intelligent criminal, and that is often
the result of personality issues/emotional problems.

~~~
brwnll
This is nonsense. Without writing an essay here, you are apparently focusing
on the criminals in jail.

There are plenty of very successful and intelligent criminals that have long,
prosperous careers in theft.

Bernie Madoff ran a very successful, very illegal Ponzi scheme until he was
nearly 80.

And that's not even to touch on the internet's ability to let you violate the
laws of countries you aren't physically in against citizens your gov doesn't
care about (eg Russia to US), and therefore greatly reduce the risk of
punishment.

------
ubersync
Why are we still using Credit Cards as payment processing? Why can't we have
something with a "Push" mechanism, instead of the "Pull" with the CCs.

------
mkristian
I went to Rescator mentioned in the article and noticed they are using ICQ for
contact.

Anyone know why? Seems like an odd choice.

~~~
pakled_engineer
Tradition, all the Russian/CIS carders have always used jabber or ICQ mainly
because they aren't worried about being caught and don't care about the
security of their customers either. The bigger fraud outfits like Rescator are
likely politically protected being a nephew to a cabinet minister or son of a
Novosibirsk police captain. If you are a non-connected Russian and try to run
a fraud superstore the US feds can bribe lower level police agencies there to
go make your life hell.

~~~
TinyRick
Your first sentence insinuates that Jabber is insecure. Could you elaborate on
that? Just genuinely curious, since I used jabber/otr for a while to
communicate with friends.

~~~
pakled_engineer
They seldom use OTR. I think infraud (in fraud we trust) still uses a group
server in Azerbaijan to cleartext chat on; none of these guys really care, and some
of the boards still use Cloudflare.

~~~
TinyRick
Thanks for the clarification!

------
ck2
I've never actually heard of successful anti-fraud busts.

Does law enforcement have any achievements or are they wasting time?

They don't even know to use VPN exit points and not use government IP
addresses? Seriously?

~~~
jedberg
They have lots of success, you just don't usually hear about it. Here is one
of the few that actually got press:
[http://www.ecommercebytes.com/C/abblog/blog.pl?/pl/2011/11/1...](http://www.ecommercebytes.com/C/abblog/blog.pl?/pl/2011/11/1320261605.html)

~~~
ck2
That's a really poor example of success.

_The Romanian court handed down [a] suspended sentence_

~~~
jedberg
Because he already spent two years in prison.

