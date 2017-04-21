Hacker News new | comments | show | ask | jobs | submit login
Behind Carder Kingpin Roman Seleznev's Record 27 Year Sentence
63 points by ilamont 243 days ago | 64 comments



I had a merchant account so I could accept credit cards online. This was fine for years, and then I got a persistent carding attack, about one every minute or so. It happened at night, so my desperate calls to the bank to shut off the account went unanswered.

By morning, I had thousands of fake transactions and a whopping bill for it. I refused to pay, because the fraud happened at their end, I did my best to stop it in a timely manner, and their staff didn't answer the phone at night.

I did get the charges stopped, but the merchant bank said in the future I'd be held responsible. They could not offer me any solution that they'd stand behind. So I cancelled my account, and switched to other providers that stood behind their security.


The whole 'pass the risk to the merchant' system is broken by design. Everybody that could do something about it passes the buck and the only part that can't do anything about it is held responsible. Merchant contracts are terrible, especially the on-line variety.


Here is a weird example of where I'm going to be the one saying this sentence is too long, while lots of HN people will be saying this is finally(!) an example of someone who actually deserves a harsh sentence.

Not because Seleznev merits any sympathy. He does not. Moreover, he's part of a class of people who I think deserve the very least amount of empathy in our public policy (people with ability and opportunities who weren't forced by circumstance into crime, but pursued it out of vanity and avarice).

Rather, the problem is that 27 years doesn't accomplish anything that 5 years wouldn't. Presuming that the result of this conviction is that the USG can effectively claw back much of the proceeds of the crimes, then 5 years would presumably have the same retributive and deterrent effects.

Our sentences are too long across the board.


"Presuming that the result of this conviction is that the USG can effectively claw back much of the proceeds of the crimes, then 5 years would presumably have the same retributive and deterrent effects."

I can see a strong argument for same, or close to the same, deterrent effects -- it's a pretty straightforward marginal argument supported in the literature (i.e. the swiftness and sureness of a punishment has more of an influence on deterrence than the severity of the punishment).

But I don't see how you can make that argument for retributive effect. The worse the punishment the stronger the retributive effect. In order for the retributive effect to be about the same for five years and 27 years there'd have to be diminishing marginal disutility to offender for additional years of prison. I don't think that's empirically observed -- prisons use the threat of additional time, along with privileges, as a management tool inside prisons.

Whether or not we as a society should be satisfied with the disutility of five years worth of prison for this particular crime and whether retribitutivism is an appropriate measure of justice to begin with are different questions.


The harm to the government and to financial institutions was acute, but the harm to individuals was (mostly) diffuse. What single victim of Seleznev's would have an argument for suffering beyond (say) 5 years?

It's not actually the case that more punishment = more retribution. The concept of retributive justice is that society should mete out a proportionate punishment, rather than see justice miscarried in either direction, or carried out haphazardly by victims themselves.


Likely there is a political angle here, given that dad is a big-name Russian. I can't see any reasonable explanation why this guy should get 27 years and others get away with much less.

I do want to remind you of all your past comments where you were adamant that people are not sentenced to such lengths and that therefore we should not take any of those long prison threats terms serious.


The sentence probably isn't political. Seleznev really was working at a scale that surpasses that of pretty much anyone else the FBI was tracking for similar crimes. It was a monumentally brazen and damaging operation.


That's twice the average for murder.


No, it's not. The average federal sentence for murder, which takes into account as many cases in which there are mitigating factors as ones where there are aggravating factors, is 20 years.

There are in this particular case no mitigating factors we can see, and several aggravating ones.


http://www.iapsonline.com/sites/default/files/Prison%20Sente...

Has the average time served at 48% of the sentence at 71 months.

140 months is a shade under 12 years.


You're comparing federal to state sentences. Nothing harmonizes the two, and states generally parole inmates, which the federal system does not. That's not an apples-to-apples comparison.


[deleted]


Since it's a federal charge, unless he cuts some kind of deal that moots this whole sentence, he will likely serve most of it. There's no federal parole, only a marginal reduction in time for good behavior.


I'll delete my comment and point people to yours, which is more correct :)


So if he defrauded 100k people we can say that defrauding one person is 1/50k as bad as murder?


Only if you consider prison to only be punishment and that punishment should scale linearly to the 'badness' of the crime


I think it's disingenuous to think that there is no political aspect to the sentencing, not necessarily because he is the son of a Russian politician but rather because Russia refuses to cooperate with attempts to arrest these criminals the US are going to nail those that they can to make a point.


Given the amount of evidence brought against him, it's very hard to have sympathy. He defrauded literally millions of people. He made a fortune doing so.


This guy is a scumbag and a criminal but he defrauded banks and card networks, and those banks and networks attempted to pass that liability onto their customers. It's an important distinction.


It's also been attributed that businesses had to close due to his actions. I believe one group of restaurants in Seattle in particular attributed his attack as the reason they had to close. It's not a crime that only affects banks. The impact hits everyone with further stresses and issues regardless of whom pays back in the long term.


Online credit card fraud is paid for by merchant sellers...not banks or credit card companies. The banks and CC companies make money from the fraud, assuming the charge back fees they levy exceed their internal costs. At least in the US.


This isn't chargeback-type fraud though, also not limited to card-not-present scenarios (the crooks actually print physical "copies" with stolen card info on the magstripe).

If someone buys goods/services with a stolen CC and money between the issuing and acquiring banks exchanges hands, unless there's something very specific there that can shift liability towards the merchant - it's not that easy for the banks to demand the funds from the merchant.


It is for online purchases. The charge back isn't fraud. It is the end user whose card was stolen reporting the purchase made by the fraudster. The bank then takes the money back from the merchant vendor, throws on a chargeback fee, and done...

The only time the bank or cc is left holding the bag is card present.

I'm not guessing either. This is how it works for card not present... vendor merchant bears all the cost.


The "I don't recognize this transaction" and "the goods were not delivered as promised" chargebacks trigger different resolution flows and if the merchant can prove they are following the procedure they agreed to when signing up with the payment processor (especially when requesting a CVV to be provided by the end user and signing up for some sort of fraud detection service) they have a decent chance of fighting against the chargeback.


Sorry that's just not how it works for card not present (all online purchases).

Once the buyer files a chargeback indicating the purchase was fraudulent, there's no practical chance of escaping it.[1] The merchant ends up holding the bag (whatever was shipped lost, whatever was paid lost + chargeback fee), and the bank loses nothing...they, in fact, gain a chargeback fee.

[1]Maybe some tiny chance, in the sole case that the card wasn't actually stolen, and that the buyer was trying to trick everyone. That doesn't happen much, and you would still need compelling evidence. The entity that decides is the end customer's card issuer. They don't care about merchants. They care about customers.


In what sense? The law does not much care how poorly the banks and card networks secured or underwrote their services; it cares mostly about the person who had the intent to defraud and harm people, and then carried that intent to fruition.


I guess the argument is that if they should get the profit margin, they should also own the losses.

I think I agree.

(Doesn't change a thing about this guy's criminal responsibility, of course.)


The letter he wrote to the court was an interesting read(https://www.nytimes.com/interactive/2017/04/21/technology/do...), still don't know what to make of it though.


The article mentions that he's the son of a powerful man and that letter starts saying that he was poor. How's that? Also, where did the millions he stole go?


A legislator from Russia's third largest party likely isn't that powerful, and he definitely would not have been when Roman was a child. Plus, doesn't sound like he was very involved, divorcing his mother and having three other sons in other marriages plus starting a business career.


> The U.S. Justice Department says the laptop found with him when he was arrested contained more than 1.7 million stolen credit card numbers

How it's possible that one of the world's top criminals highly skilled in computer security had these credit card numbers on his own laptop and even unencrypted?


1) OpSec is hard

2) When you get away with something for long enough you get a sense of invulnerability

3) OpSec is hard


Possibly the same way that the Dread Pirate Roberts (Silk Road) was captured - the FBI simply grabbed him before he could turn off his laptop.


Likely as he thought he was in a non extradition country so probably didn't think his arrest was likely.


> In chat messages between Seleznev and an associate from 2008, Seleznev stated that he had obtained protection through the law enforcement contacts in the computer crime squad of the FSB.

What the hell? That is all kinds of messed up.


But sadly not uncommon. If you have a lot of money you can induce people who want or need money to act against their better judgement. It works even better if you have some way of threatening their lifestyle and is standard trade craft for intelligence agencies trying to develop assets.


Cached copy: https://webcache.googleusercontent.com/search?q=cache:7JW-NV...


How does jurisdiction work in a case like this? He presumably never set foot in the US so how does the law claim jurisdiction for the crime? If someone uses telephones to defraud US citizens in a similar way, ie remotely, do the same jurisdiction rules apply? How about selling fraudulent goods in the US shipped in from abroad?


It's based on where the harm occurs; in this case, there's a clear connection to specific locations in the US. The US doesn't have trials in absentia, so the important issue here is mostly extradition, and that boils down "if you're caught in a country that (a) recognizes the crime you're being charged with in its own jurisdiction, (b) has an extradition treaty with the US, and (c) believes based on the US's extradition filings that the US has a legitimate case, you're going to end up standing trial in the US.

This case is a little more complicated in that Interpol appears to have been the controlling authority for extraditing Seleznev from Maldives, but again, the principle is less that of jurisdiction than of the propriety of extradition.


> a group that hacked into restaurants ... and planted malicious software to steal card data from store point-of-sale devices

I've started compartmentalizing my spending a few years ago, using different cards for different purposes. For instance using debit cards for the riskiest locales. On several occasions I asked to lower the credit limit to reduce the risk of underwriting the entirety of losses.

Also, the sentence is harsh. I don't think sentencing a criminal for more years than he deserves just 'to send a message' is called justice. 


  For instance using debit cards for the riskiest locales
Do not do this. Credit can be fought because it is a future debt, debit is much more difficult because the money is already gone.

Do not, do not, do not use your debit/check/atm card at riskier places.


I agree with this, with a caveat. Some banks will allow you to create a 'prefunded' debit card, where you add funds to it and those are the only funds it has available. It has no overdraft, it has no ability to acquire any funds other than those allocated. Those cards are quite useful for risky places because you can use them and then burn them after you're back in safety. (just withdraw the final balance and destroy the card)

Oddly, the first experience I had with fraudulent card withdrawals was when the cards were compromised in the self checkout line of the Sunnyvale Safeway store. The self checkout stations had internal skimmers installed at some point.


Interesting, never heard of this option. The bank I use provides a switch in their online banking UI to instantly enable/disable cards. I find it useful.


To be fair, I haven't had a single case of fraudulent withdrawals happen to me. But I'm curious why would a credit card transaction be more protected? It's the same purchase 'in obligation', isn't it? My checking account balance is way smaller compared to much larger credit card limits, so there is less risk in absolute terms.


Because most credit cards and debit cards follow different regulatory protections.

Credit Card: FRB Regulation Z Debit Card: FRB Regulation E

From a Fraud Prevention perspective, the companies are incentivized to take measures to prevent suspicious transactions from happening to begin with. With debit cards, there is a $500 liability that can be shifted to the consumer*, so less "pressure" to develop more stringent controls.

Lastly, this calls for different customer experiences when you dispute Fraud (http://www.creditcards.com/credit-card-news/4-keys-zero-liab...).


A checking account is money that the bank owes you. A credit card balance is money that you owe the bank. The bank cares a lot more about getting its money back than it does about getting your money back.


Depends on your country. For example, in Canada we have a new Interac Flash (tap card debit) system which has 0 liability for buyers or sellers.


Unless it uses chip-and-pin.


> For instance using debit cards for the riskiest locales

That seems counter-intuitive to me. If there's going to be a fraudulent charge on my account, I'd rather it be a temporary charge that can be resolved instead of actually taking money from my checking account until the bank decides to refund the fraud. I almost never use my debit card for this exact reason and use credit cards for everything possible.


Yeah, GP is wrong, I think that's common knowledge.


The Chief Justice of the Canadian Supreme Court agrees with you regarding the "sending a message" sentiment. But the other eight justices disagreed. Personally I think it's unsupportable too.

For example the first guy to commit that crime gets the full "sending a message" sentence but the following violators just get the standard "proportional justice" sentence? Not sure King Solomon would go for that.


>the sentence is harsh.

EDIT: inaccurate -- see 'tptacek below

Sentences in the United States have a de jure length which is longer than the de facto length. Usually a 27-year convict will be eligible for parole after about 9 years. I didn't see anything in the article about denying parole (which is very rare). Considering the number of people Selezny harmed and the fact that he continued to do so after he knew that there were warrants for his arrest, I think that a decade in prison is a reasonable sanction.

Also, the extended sentence is not so much "to send a message" as it is in response to his evasion of the authorities. That message was sent a long time ago.


There is no parole in the federal system. 27 years will mean almost 27 years (maybe something closer to 23 if everything breaks Seleznev's way in prison).


Looks like Skilling got 10 years off the 24 year sentence and will be out of jail this year. It's not a parole but it's close.

http://www.reuters.com/article/us-enron-skilling-idUSBRE95K1...


By striking a deal with prosecutors and the court, not by availing himself of some process available to federal convicts generally.

It could indeed be that Seleznev will serve drastically less time by making a deal to (e.g.) rat out co-conspirators.


HE was illegally kidnapped from a country to be brought to the US. Anyone thinks Russia can't do the same live in lalaland.


Sure. 2 points; I subjectively view this crine as much less admirable than a simple bank robbery or Ross ulbricht (less the alleged murder attempts) as this causes individuals direct harm. This is subjective, I think others may agree that identity theft is pretty malicious.

Also, yes Russia could kidnap you if you committed enough crimes for them to dub you worth tracking, capturing, negotiating a diplomatic extradition and then trying in court. Its not likely many "regular" people will be carted away from a Bahamian Vaca.


Still waiting for one wall st exec to be charged for their roles in the crash ...


If you take this argument to its logical conclusion, we should never convict anybody of any crimes ever.


Not necessarily - wanting even justice to be dispensed isn't the same thing as saying if one person gets away with it everyone should.

It's quite a bit meta to the article, but relevant in that both defrauded money from the general public, made a fortune from it, but Seleznev is paying while the others are not. It's a little strange to focus just on Seleznev when we have people who make it a practice to skim money and don't get in trouble for it when they do cost the US public billions.


can't speak for you but for me the logical conclusion would be bringing them to justice.


How? Gut feel? The laws we have today are inadequate to bringing cases, and we have a Constitutional prohibition on ex post facto laws.


Dunno how, IANAL. But I trust that the US government, or the establishment in general, can make anyone's life miserable if there is a political will.

Also, have the laws been amended to deal with similar offenses in the future?


not sure why he's getting downvoted. even the tip of the iceberg that is known to us warrants all sorts of prosecution.




