
Peek Inside a Professional Carding Shop - acdanger
http://krebsonsecurity.com/2014/06/peek-inside-a-professional-carding-shop/
======
ambiate
With the fruitless/mindless attacks from the comments, I can see the crowd is
still about the same. Lots of low hanging fruit with a few guys getting rich
(like most schemes).

It is funny how this business has not changed since 1998. The communication
channels changed, but the ideas and market are still the same. My first
introduction to this was with the Windows RPC remote exploit vulnerabilities.
I set up some honeypots to determine what the botnets were up to (most were
manual B/C class scans at that time, the good old days before decentralized
command). I ended up following the trail of controllers up to a random efnet
IRC chatroom and finally to a more private area. That's where they sold/traded
data from the botnets. This was prior to the 'rent a botnet to DDoS' era.

Back then, credit cards without CVV2s (from Windows IIS Servers exploited with
that long string bug leaking out plain text documents) were worth about 50
cents a piece. CVV2 brought it up to around $2-3 for US, $4-6 for UK/CA.
Address information was around $15. It seems the market has deflated a lot,
the credit cards are probably from targeted companies rather than scripted
botnets looking for vulnerable boxes, and the data can just be bought from a
website rather than having to get a third party to moderate the exchange.

Once again, the comments reminded me the most of that community. Someone
mentioned about entering CC info on a CC theft site. There used to be an RTF
document exploit where you could execute something or another from them, the
dump sellers would infect their dump files (RTF docs) and steal the client's
data. These communities are cutthroat.

------
drcode
I wonder why someone would trust "McDumpals" with their payment information to
subscribe and purchase items, given that it is a site dedicated to stealing
payment information?

(Just kidding, I know it's obviously because they aren't using a broken,
insecure payment mechanism for transactions, like our credit card system.)

~~~
squeaky-clean
Because they're using bitcoins, you don't have to give them your payment
information. They gave you their address, and you send the money over.

I feel like that's the point you were making with that last sentence, but I
missed the sarcasm until typing all the above out.

~~~
newaccountfool
Bitcoins, WebMoney, WesternUnion, Liberty Reserve, although most of them have
been phased out for BTC.

------
darksim905
How does Krebs get into these sites? How many alternative names does he have?
Does he spend months gaining people's trust to get into these sites? It amazes
me, he does such a great job for the community. Does he take donations? I want
to give back for all the stuff I've learned from him.

~~~
nikcub
10% of users on these sites are actual crooks. 40% are wannabe crooks who
heard about it on the news and think carding is both easy and will make
them millions. The other 50% are people working for security companies, banks,
retailers, law enforcement etc. pretending to be crooks so they blend in.

Krebs gets invited in, vouched for, and shown new forums by that last group.

~~~
dobbsbob
Competition also gives him this info to bring heat to their rivals in the
game. One forum used a unique marker that appeared to be a benign msg count
number so they could identify Krebs from screenshots he puts on his site and
ban his account but he figured out what the marker was, cropped it out and was
back with a new account.

------
seanccox
Well if this isn't the most timely post I've ever found. I just had the
details from my debit card stolen on Sunday and the attached account
completely drained. It's so cool to be reading about how part of this process
works.

~~~
dublinben
Sorry to hear that. In the future, I suggest not using your debit card online
or anywhere else it could get stolen. As you've seen, you have much less
protection than with a credit card.

I even have two completely separate checking accounts, at two different banks.
One is only used at ATMs, and the other is only used to pay my CC bill.
Neither are ever used online or at any physical merchant.

~~~
arecurrence
Are you saying they won't be able to easily recover their money? I thought
there were guarantees behind this.

~~~
awda
Debit card fraud recovery is only backed by guarantees from the bank, if they
choose to guarantee that.

Credit card fraud recovery is mandated by the federal government.

~~~
oasisbob
Consumer liability limits are mandated for both. See regulation E for more
details.

------
callmeed
My card was skimmed at a gas station a few months back. What impressed me was
the speed with which it was used. The charges started maybe 2 hours after
visiting the gas station in Los Angeles. But I live 3 hours North of LA.

How are people capturing the numbers, transferring them, and (I assume)
creating fake cards to use in-store so fast?

~~~
newaccountfool
GSM skimmers are used, meaning the criminals get the details through a device
on the skimmer that sends the details via text message.

------
croggle
Good timing. Someone skimmed my credit card and took $1600 AUD out of two cash
machines in $800 batches.

I've never used this card in an ATM so it must be from a store that swiped my
card.

Here's my question though, how did the fraudster know my pin number to be
able to use the cloned credit card in an ATM?

~~~
consideranon
It's common to have cameras mounted to record you typing your PIN along with
skimming your card. It's good practice to cover the pad with your other hand.

~~~
croggle
I have never put this card in an ATM. It must have been skimmed from a swipe
machine in a restaurant.

I still don't know how they got my pin. I can't imagine anyone looking at my
pin in a restaurant. It seems like such a hard and non-scalable way to do this
kind of thing.

~~~
praptak
I think that a pinpad is not that hard to hack. OTOH whenever I read about
skimmers getting caught, they seem to use really low tech methods - keen eye,
perhaps aided with a mirror or a small camera.

~~~
croggle
All the keypads I've used in stores have been physically removable and I
always cover. I'm guessing the key pad was also tampered with.

------
Scoundreller
How did the "Professional Carding Shop" infringe on McDonald's Inc's
Trademarks? Can I buy credit card numbers at their fast food restaurants?

Did people think they could buy Big Mac Hamburgers online with bitcoins and
get delivery over email?

------
boobsbr
How is this kind of information stolen? Only on ATMs with card reader and
keyboard covers?

~~~
dublinben
Most of the card dumps discussed in this article come from compromised
merchants (retail stores, restaurants, etc.) not ATMs. They are credit card
numbers after all, not debit cards.

~~~
aquadrop
Looks like a good decision would be to have a dedicated card for physical stores,
restaurants etc. and to disable internet transactions for that card.

~~~
newaccountfool
The criminals don't use the Dumps online, they use them in-store. They use a
PVC printer to print the bank logo and design on the card, they press the
details onto the card and then they UV light the card and add silver foil to
the raised letters. That means they have a fully working blank card, they then
put the track data onto the card and go spend in the shops. If it's a high
priced card, such as Platinum or business they will make a fake ID to go
with it.

~~~
aquadrop
That's easier to counter when you will be returning your money from bank,
since you physically will be in another place. And of course you should always
see your card when paying in restaurant, store etc, so nobody can copy it.

~~~
thefreeman
Maybe it is different in the US than in other countries, but every restaurant
I have ever been in the waitress has taken the credit card away inside of the
check and come back with a receipt to sign.

Even so, just because you can see your card doesn't mean someone cannot copy
it. They could even have a modified device that automatically logs all cards
while also performing transactions. In such a scenario you would see nothing
out of the ordinary.

~~~
walshemj
er no that's a common way to clone cards which is why restaurants in the UK
have hand held readers they bring to the table.

Though I normally pay cash in restaurants I don't trust absolutely.

~~~
newaccountfool
Even with handheld POS machines, those can still be modified to contain
skimming equipment, everything has been done. It's crazy. If everyone went back
to cash it would save us all a lot of hassle.

------
espennilsen
And this is why I only got some spending money on my debit card. The question
isn't when you get skimmed, it's when.

~~~
jacquesm
Chip + pin debit cards are reasonably safe. Credit cards are much less safe,
essentially every time you enter your details there is one more party in on
the secret.

I try to use my CC online as little as possible and in the real world only
when I have the card in view at all times and the pin verification terminal is
under my control while I enter the pin, and crucially, contains the card (so I
won't use it if the terminal is in one spot and the card in another).

I never use swipe.

~~~
melvinmt
You must be European.

------
lectrick
Fuck everything about these people.

