
Behind Carder Kingpin Roman Seleznev’s Record 27 Year Sentence - ilamont
https://krebsonsecurity.com/2017/04/the-backstory-behind-carder-kingpin-roman-seleznevs-record-27-year-prison-sentence/
======
WalterBright
I had a merchant account so I could accept credit cards online. This was fine
for years, and then I got a persistent carding attack, about one every minute
or so. It happened at night, so my desperate calls to the bank to shut off the
account went unanswered.

By morning, I had thousands of fake transactions and a whopping bill for it. I
refused to pay, because the fraud happened at their end, I did my best to stop
it in a timely manner, and their staff didn't answer the phone at night.

I did get the charges stopped, but the merchant bank said in the future I'd be
held responsible. They could not offer me any solution that they'd stand
behind. So I cancelled my account, and switched to other providers that stood
behind their security.

~~~
jacquesm
The whole 'pass the risk to the merchant' system is broken by design.
Everybody that _could_ do something about it passes the buck and the only part
that _can't_ do anything about it is held responsible. Merchant contracts are
terrible, especially the on-line variety.

------
tptacek
Here is a weird example of where I'm going to be the one saying this sentence
is too long, while lots of HN people will be saying this is finally(!) an
example of someone who actually deserves a harsh sentence.

Not because Seleznev merits any sympathy. He does not. Moreover, he's part of
a class of people who I think deserve the very least amount of empathy in our
public policy (people with ability and opportunities who weren't forced by
circumstance into crime, but pursued it out of vanity and avarice).

Rather, the problem is that 27 years doesn't accomplish anything that 5 years
wouldn't. Presuming that the result of this conviction is that the USG can
effectively claw back much of the proceeds of the crimes, then 5 years would
presumably have the same retributive and deterrent effects.

Our sentences are too long across the board.

~~~
bradleyjg
"Presuming that the result of this conviction is that the USG can effectively
claw back much of the proceeds of the crimes, then 5 years would presumably
have the same retributive and deterrent effects."

I can see a strong argument for same, or close to the same, deterrent effects
-- it's a pretty straightforward marginal argument supported in the literature
(i.e. the swiftness and sureness of a punishment has more of an influence on
deterrence than the severity of the punishment).

But I don't see how you can make that argument for retributive effect. The
worse the punishment the stronger the retributive effect. In order for the
retributive effect to be about the same for five years and 27 years there'd
have to be diminishing marginal disutility to offender for additional years of
prison. I don't think that's empirically observed -- prisons use the threat of
additional time, along with privileges, as a management tool inside prisons.

Whether or not we as a society should be satisfied with the disutility of five
years worth of prison for this particular crime and whether retributivism is
an appropriate measure of justice to begin with are different questions.

~~~
tptacek
The harm to the government and to financial institutions was acute, but the
harm to individuals was (mostly) diffuse. What single victim of Seleznev's
would have an argument for suffering beyond (say) 5 years?

It's not actually the case that more punishment = more retribution. The
concept of retributive justice is that society should mete out a
_proportionate_ punishment, rather than see justice miscarried in either
direction, or carried out haphazardly by victims themselves.

------
mabbo
Given the amount of evidence brought against him, it's very hard to have
sympathy. He defrauded literally millions of people. He made a fortune doing
so.

~~~
droopyEyelids
This guy is a scumbag and a criminal but he defrauded banks and card networks,
and those banks and networks attempted to pass that liability onto their
customers. It's an important distinction.

~~~
086421357909764
It's also been attributed that businesses had to close due to his actions. I
believe one group of restaurants in Seattle in particular attributed his
attack as the reason they had to close. It's not a crime that only affects
banks. The impact hits everyone with further stresses and issues regardless of
who pays back in the long term.

------
abhirag
The letter he wrote to the court was an interesting read
([https://www.nytimes.com/interactive/2017/04/21/technology/do...](https://www.nytimes.com/interactive/2017/04/21/technology/document-Seleznev-Letter.html)),
still don't know what to make of it though.

~~~
narag
The article mentions that he's the son of a powerful man and that letter
starts saying that he was poor. How's that? Also, where did the millions he
stole go?

~~~
boomboomsubban
A legislator from Russia's third largest party likely isn't that powerful, and
he definitely would not have been when Roman was a child. Plus, doesn't sound
like he was very involved, divorcing his mother and having three other sons in
other marriages plus starting a business career.

------
ungzd
> The U.S. Justice Department says the laptop found with him when he was
> arrested contained more than 1.7 million stolen credit card numbers

How is it possible that one of the world's top criminals highly skilled in
computer security had these credit card numbers on his own laptop and even
unencrypted?

~~~
alasdair_
Possibly the same way that the Dread Pirate Roberts (Silk Road) was captured -
the FBI simply grabbed him before he could turn off his laptop.

~~~
celticninja
Likely as he thought he was in a non-extradition country so probably didn't
think his arrest was likely.

------
conistonwater
> _In chat messages between Seleznev and an associate from 2008, Seleznev
> stated that he had obtained protection through the law enforcement contacts
> in the computer crime squad of the FSB._

What the hell? That is all kinds of messed up.

~~~
ChuckMcM
But sadly not uncommon. If you have a lot of money you can induce people who
want or need money to act against their better judgement. It works even better
if you have some way of threatening their lifestyle and is standard
tradecraft for intelligence agencies trying to develop assets.

------
pcl
Cached copy:
[https://webcache.googleusercontent.com/search?q=cache:7JW-NV...](https://webcache.googleusercontent.com/search?q=cache:7JW-NVLXRAsJ:https://krebsonsecurity.com/2017/04/the-backstory-behind-carder-kingpin-roman-seleznevs-record-27-year-prison-sentence/+&cd=2&hl=en&ct=clnk&gl=us)

------
sunstone
How does jurisdiction work in a case like this? He presumably never set foot
in the US so how does the law claim jurisdiction for the crime? If someone
uses telephones to defraud US citizens in a similar way, ie remotely, do the
same jurisdiction rules apply? How about selling fraudulent goods in the US
shipped in from abroad?

~~~
tptacek
It's based on where the harm occurs; in this case, there's a clear connection
to specific locations in the US. The US doesn't have trials in absentia, so
the important issue here is mostly extradition, and that boils down to "if you're
caught in a country that (a) recognizes the crime you're being charged with in
its own jurisdiction, (b) has an extradition treaty with the US, and (c)
believes based on the US's extradition filings that the US has a legitimate
case, you're going to end up standing trial in the US."

This case is a little more complicated in that Interpol appears to have been
the controlling authority for extraditing Seleznev from Maldives, but again,
the principle is less that of jurisdiction than of the propriety of
extradition.

------
rodionos
> a group that hacked into restaurants ... and planted malicious software to
> steal card data from store point-of-sale devices

I started compartmentalizing my spending a few years ago, using different
cards for different purposes. For instance using debit cards for the riskiest
locales. On several occasions I asked to lower the credit limit to reduce the
risk of underwriting the entirety of losses.

Also, the sentence is harsh. I don't think sentencing a criminal for more
years than he deserves just 'to send a message' is called justice.

~~~
mmanfrin

> For instance using debit cards for the riskiest locales

Do not do this. Credit can be fought because it is a _future_ debt, debit is
much more difficult because _the money is already gone_.

Do not, do not, do not use your debit/check/atm card at riskier places.

~~~
rodionos
To be fair, I haven't had a single case of fraudulent withdrawals happen to
me. But I'm curious why would a credit card transaction be more protected?
It's the same purchase 'in obligation', isn't it? My checking account balance
is way smaller compared to much larger credit card limits, so there is less
risk in absolute terms.

~~~
treyfitty
Because most credit cards and debit cards follow different regulatory
protections.

Credit Card: FRB Regulation Z

Debit Card: FRB Regulation E

From a Fraud Prevention perspective, the companies are incentivized to take
measures to prevent suspicious transactions from happening to begin with. With
debit cards, there is a $500 liability that can be shifted to the consumer*,
so less "pressure" to develop more stringent controls.

Lastly, this calls for different customer experiences when you dispute Fraud
([http://www.creditcards.com/credit-card-news/4-keys-zero-liab...](http://www.creditcards.com/credit-card-news/4-keys-zero-liability-policies-debit-credit-1282.php)).

------
tomsaj
He was illegally kidnapped from a country to be brought to the US. Anyone who
thinks Russia can't do the same lives in lalaland.

~~~
wand3r
Sure. 2 points; I subjectively view this crime as much less admirable than a
simple bank robbery or Ross Ulbricht (less the alleged murder attempts) as
this causes individuals direct harm. This is subjective, I think others may
agree that identity theft is pretty malicious.

Also, yes Russia could kidnap you if you committed enough crimes for them to
dub you worth tracking, capturing, negotiating a diplomatic extradition and
then trying in court. It's not likely many "regular" people will be carted away
from a Bahamian Vaca.

------
rajacombinator
Still waiting for one wall st exec to be charged for their roles in the crash
...

~~~
Analemma_
If you take this argument to its logical conclusion, we should never convict
anybody of any crimes ever.

~~~
igivanov
can't speak for you but for me the logical conclusion would be bringing them
to justice.

~~~
tptacek
How? Gut feel? The laws we have today are inadequate to bringing cases, and we
have a Constitutional prohibition on _ex post facto_ laws.

~~~
igivanov
Dunno how, IANAL. But I trust that the US government, or the establishment in
general, can make anyone's life miserable if there is a political will.

Also, have the laws been amended to deal with similar offenses in the future?

