

I’ll Take 2 MasterCards and a Visa, Please - mads
http://krebsonsecurity.com/2010/09/ill-take-2-mastercards-and-a-visa-please/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:+KrebsOnSecurity+(Krebs+on+Security)
When you’re shopping for stolen credit and debit cards online, there are so many choices these days.
======
joblessjunkie
Wait a minute... there's a website advertising stolen credit cards for $1.50,
and the author is complaining that they tacked on an extra 0.60 fee?

I'm pretty sure this article was written with tongue firmly in cheek, but it's
just so... out there.

I dare the author to make this $2.10 purchase using one of his own valid
credit cards.

~~~
vcadambe
Hmm... I wonder if there is a way to charge the $2.10 to the card that you are
purchasing.

------
jrockway
If I were a bank, I would be buying as many of these as possible and canceling
them before someone else buys them. $1.50? That's the fee on like one
transaction!

~~~
nopassrecover
Amusing response on the thread to this same proposal - "The cynic in me
suspects that the net profit they make from allowing fraudulent transactions
to go ahead exceeds the costs associated with preemptive cancellation,
particularly since they try to make the merchants eat the costs of fraud as
much as possible."

Obviously this is just cynicism. I assume the main reasons are 1) imagine
justifying that to shareholders, 2) it creates a market.

Having said that, the banks could offer a "reward" system for anyone who
manages to report a stolen credit card number.

~~~
9ec4c12949a4f3
How exactly will a bank make money on a fraudulent transaction? I had my
accounts emptied and had the bank give me back everything that was stolen. I
fail to see how thousands of dollars being reimbursed is a profitable model.

~~~
dangrossman
Your mistake is in assuming the bank is who reimburses their account holders
for stolen funds. It's not. Every store your card/account was used at was
forced to return those funds to your bank, even if they already provided the
products or services that were purchased. They also each had to pay a
chargeback fee (usually $15-20).

Say your credit card is stolen, and used to purchase 5 items from 5 stores.
Each of those 5 stores will be forced to return all of the money they charged,
no matter how impossible it might be for them to know the credit card was
stolen. They will also collectively pay $100 in chargeback fees to your bank,
which is likely more than it cost to move the couple pieces of paper it took
to handle the situation and inform the customer.

The bank has now made a profit.

Each store that accepted the stolen credit card has lost:

- The payment they accepted
- The transaction fees paid on the payment they accepted
- The product they shipped, potentially hundreds or thousands of dollars
- The chargeback fee

And if chargebacks ever amount to more than about 1% of any of those stores'
transactions, their processing fees can go up, they can have their cash flow
abruptly cut as a reserve fund is created to hold their future charges for
some time, or they can lose their ability to accept credit cards entirely.

~~~
bananaandapple
That's not true. This clearly depends on the country you are in, the payment
processor you use, and the type of credit card you got. (e.g. with chip or no
chip).

~~~
dalore
Which part isn't true?

Also chip or no chip doesn't matter for online/telephone/mail order purchases
which I would guess would be the only place you can use this stolen credit
card info.

~~~
bananaandapple
That you don't get your money when somebody pays with a stolen card or does a
chargeback.

------
bediger
This is a direct consequence of the global near-real-time credit card payment
authorization system being the Biggest Ball of Mud design you can imagine.
Clearly, at each and every stage of getting to where we are now, people did
the bare minimum of change to add new functions to the system.

The other aspect of the problem is the length of time the NSA sat on public
key encryption. It's within the realm of possibility for credit card companies
to have used public key encryption to at least validate that the human user of
a card number knew something, a PIN or whatever, related to the card number.
The payment authorization system grew up without that math, so it pretty much
depends on everyone (like the call center reps or the programmers of shopping
cart software) keeping the card number and the CID/CVC/CVV secret and off
their disks.

~~~
mayank
What does public key encryption have to do with it? Password or PIN + salt +
hash function like MD5/SHA would be all it takes to securely verify that the
CC holder knew a secret.

------
tsycho
Am I the only one who finds it shocking that it's apparently so cheap and easy
to buy stolen credit cards? Why are the law enforcers (or the banks, or other
appropriate organizations) not going after these "re-sellers", atleast to
find/track the original thieves?

Or am I missing something? Are these cards all (or mostly) deactivated? And so
the buyers are not using them directly, and rather using them as
leads/information to do some other nefarious activity?

~~~
pavel_lishin
> Why are the law enforcers (or the banks, or other appropriate organizations)
> not going after these "re-sellers", at least to find/track the original
> thieves?

Um, who says they're not?

~~~
mvalle
I know someone who works for an insurance company that covers credit card and
identity fraud. They are actively monitoring these sites for their customers'
information. Even though that's a private company, I wouldn't be surprised if
government organisations do the same.

~~~
Hoff
And following LeCarré, I could easily envision some entities searching for and
holding certain of these acquired credit card numbers in reserve, should there
be a need to charge p*rn or some financially questionable charges onto those
account holders they care to call into question.

