
Romanian Skimmer Gang in Mexico Outed by KrebsOnSecurity Stole $1.2B - feross
https://krebsonsecurity.com/2020/06/romanian-skimmer-gang-in-mexico-outed-by-krebsonsecurity-stole-1-2-billion/
======
gundmc
I remember watching a talk Brian gave where he touched on the meatspace
implications of his reporting. Private security, threats of violence, doxxing.

This is the kind of stuff that people kill over. I'm really glad he's doing
the work he does, I don't know if I'd be brave enough to if I were in that
position.

~~~
acruns
Brian has already been through swatting, had a hacker send heroin and police
to his home. I believe there was another article where he was warned by the
FBI to take precautions as there was a threat against his life (I might be
confusing him with someone else... it's been a while since I worked in
infosec).

[https://krebsonsecurity.com/2017/02/men-who-sent-swat-team-h...](https://krebsonsecurity.com/2017/02/men-who-sent-swat-team-heroin-to-my-home-sentenced/)

~~~
Thorrez
Some lady in a mask went to his house and cut down a tree in his front
yard[1].

He's been sent flower arrangements mourning the "death" of his wife[2].

His site is also the benchmark against which every DDOS system is tested.

[1] [http://www.hackerfactor.com/blog/index.php?/archives/596-Lif...](http://www.hackerfactor.com/blog/index.php?/archives/596-Life-of-Brian.html)

[2] [https://krebsonsecurity.com/2015/10/hacker-who-sent-me-heroi...](https://krebsonsecurity.com/2015/10/hacker-who-sent-me-heroin-faces-charges-in-u-s/)

------
credit_guy
The $1.2B doesn't sound right. It's probably an overestimate by a factor of
100 or 1000.

Let's see:

"Investigators say each skimmer captured on average 1,000 cards per month,
siphoning about $200 from individual victim accounts. This allowed the crime
gang to steal approximately $20 million monthly."

To begin with: $200 x 1000 = $200,000 not $20 million.

But wait, maybe they use a card for more than a month, maybe they buy
$200/month for several months. That's very unlikely. All credit card companies
have very sophisticated fraud detection algorithms, and probably most people
on HN can recount instances when they received a text or email from their card
company about some suspicious activity. Fraudulent activity on a card to go
undetected for multiple purchases, going over a period of months, that's
virtually impossible.

Second: how does this square with the official statistics? The FTC publishes
an annual report about consumer losses due to various types of fraud (such as
credit card, identity theft, phishing, etc). The grand total for all types of
such fraud was $1.9B for 2019 [1]. This counts everything, not only card
skimming. Now, one can say this happened in Mexico, not in the US, but then
the numbers look even more suspicious.

Third: the way this scam works is that the skimmers collect card information
then pass that along. They sell lists of such cards on the black market. Some
other people buy such cards and try to make fraudulent purchases. Some of the
purchases will be rejected, but some will go through. The original skimmers
are not involved in this part of the crime, and have no idea how much stuff
was eventually bought with the cards they "sourced". So when they sell the
lists on the black market, they won't get anywhere near $200 per card. I have
never seen any numbers, but it wouldn't surprise me if they can't get more
than $2-$5 per card.

All in all, it's likely that these guys pocketed at most a six-digit amount,
and created total losses of the order of millions of dollars, but nothing
within shooting distance of $1B.

[1] [https://www.ftc.gov/system/files/documents/reports/consumer-...](https://www.ftc.gov/system/files/documents/reports/consumer-sentinel-network-data-book-2019/consumer_sentinel_network_data_book_2019.pdf)

~~~
bagacrap
$200k monthly for _each_ skimmer device, of which there were 100 across
various tourist destinations around Mexico.

------
mindfulhack
Brain wave: CIA agents (etc.) must have methods like this to gain cash from
ATMs all around the world to survive and get by (etc.), with the assistance of
NSA 0-days.

Makes sense. I'd do that if I were the intelligence community.

~~~
Google234
Why not just use a credit card?

~~~
Markoff
anonymity

~~~
Google234
Option 1) rob a bank to get money. Option 2) use credit card with fake name
like a normal person.

------
ReticentVole
This is why we need strong border control (including walls) and deportations
in the USA:

"the group... built a human smuggling ring that helped members of the crime
gang cross into the U.S. and ply their skimming trade against ATMs in the
United States."

~~~
NicoJuicy
There are currently non-immigrants who are skimming way more for him and his
buddies.

If you don't think "the wall" includes some bribes and being constructed
at a premium, then you aren't paying attention.

