Indentifty Theft
A word to the wise from NEW YORK PRIVATE INVESTIGATOR
Tammy Martin, a 37-year-old instructor at the University of Hawaii,
couldn't
believe it.
"This is wild," she said. "You can't live your life in a balloon, you know? But this is just wild."
Her shock was warranted. I had just called her on an unlisted cellphone number and informed her that I had her Social Security number, Visa card number, bank account and personal identification numbers, and eBay account name and password.
If I chose, not only could I drain her bank account and rack up charges on the Visa, but with her Social Security number, I could probably open new credit cards - maybe even a mortgage - long before she discovered a problem. Ultimately, she would likely not be responsible for the charges, but it might take days - or months - to rectify her credit.
Martin was not a victim of identity theft. But the information was in the hands of a self-proclaimed identity thief. I received the information during an interview with someone who goes by the online nickname Bart Maza. He said he is an 18-year-old high school dropout in Russia. In total, he gave me the data of 17 people.
I'd written several articles about identity theft for the Globe, but this was the first time I attempted to directly contact an apparent identity thief. Although I had spoken to many law enforcement officials, private security investigators, victims, and consumer advocates about the issue, I decided to go to the source to truly understand how the identity theft supply chain operates - from the time that the data are stolen to the time that information is used fraudulently.
Over a six-week period, I talked or had online conversations with 17 "carders." These are thieves who obtain credit card numbers to resell or use for profit. A couple even promised to make me a "made guy" in their underground network. I never put the advice into action, but I did learn that becoming an identity thief is frighteningly simple.
None of the apparent identity thieves interviewed would reveal their identities. I took whatever steps I could to verify that the people whom I wrote to actually were identity thieves. I never asked for stolen information, but several thieves became so eager to prove that they were criminals that they sent me stolen data, like that from Bart Maza, or showed me evidence of criminal transactions.
I also couldn't confirm the details of each of their stories, but the general outline of such scam operations was confirmed as plausible by investigators at private security firms Cyota and VeriSign/iDefense and by Larry Johnson, a special agent in charge of the Secret Service's criminal investigative division.
Finding an identity thief is not difficult. I searched for "credit card dumps" on Google - "dump" is slang for the information contained on a credit card's magnetic strip - and found posts on message boards where people purported to sell stolen information.
A self-described 18-year-old college student in Brazil who called himself Tony was my first contact in the stolen credit card market. He said he started his identity theft business about two months ago.
He said his first two weeks of business brought in $1,500. Once he becomes a well-known distributor of the product, he expects that he can make at least twice that much per week.
In a phone interview, he said that he read about credit card scams in a newspaper article, performed a quick Internet search, and found some of the same message boards that I used to contact thieves. He got in touch with thieves through the Internet, bought some of their product, and was reselling stolen credit card dumps before the week was out.
"My parents would be really mad," Tony said. "I do get worried, but I find it's really hard to get caught."
Tony, like all savvy Internet thieves, uses a virtual private network that masks his computer's true Internet Protocol address every time he logs on. An IP address is a unique identifying number assigned to every computer connected to the Internet. Without the network, Tony's computer could easily be tracked by authorities.
Another apparent thief, who uses the name Ast--wave, said he is a 20-year-old Romanian expatriate living in New York City and makes as much as $50,000 a month.
He buys stolen credit card information, encodes it onto forged plastic credit cards to make purchases, and then resells the items on eBay. An eBay spokesman says the online auction house cannot authenticate the origin of goods sold on its site so it doesn't know if some are stolen.
Although Ast--wave declined to give his name, he provided a Bank of America account number and personal identification number that allegedly could be used to log onto a stolen account online. He intended for me to log in myself and verify that it was stolen. Doing so would be illegal, so I didn't try.
How much can someone make? It depends on what part of the supply chain you decide to be on.
A 24-year-old college dropout from the Los Angeles area who is known in the online underground as G152xx says he runs a typical scam operation. He told me that he pays six waiters at four upscale restaurants to steal customers' credit card information when they charge a meal.
G152xx says he then resells the information for between $6 and $20, depending on the credit card type, and gives the waiters a 40 percent cut. He charges $6 for stolen Visa Classic and MasterCard accounts. More lucrative American Express or Discover accounts are $20, since they typically have higher limits.
Officials at American Express and other credit card companies have said they are aware of identity thieves, and they have systems to monitor identity theft rings and software that alerts them of unusual activity.
The final purchaser of the credit card numbers makes the most money but bears the most risk, encoding the data onto a blank credit card and using it at stores that give cash back until the limit is reached or the card is reported as stolen.
To make sure that he or she isn't caught redhanded when the card is reported, the thief periodically tests it anonymously at a place like a self-serve gas station. If the card does not work at the gas station, the thief knows to discard it and move on to the next credit card.
G152xx told me that he runs his ring like any other successful small company and sometimes runs marketing gimmicks to draw customers. In addition to posting on message boards to promote himself as a source of stolen information, for $600 per month he purchased a banner advertisement - much like the online advertisements that appear on other websites - from a message board frequented by thieves. The banner asks "Why pay for anything?" followed by his contact information, which I used to reach him.
During one of many interviews with G152xx, he explained why he breaks the law. "The cash! and that ATM feeling - money counting," he wrote.
Back when G152xx "cashed out" stolen bank accounts and bought goods with stolen credit cards, he says he made about $10,000 to $15,000 per week. Now that he's just selling the information to other criminals, he says his take has dropped to a few thousand dollars per week, depending on customer traffic.
To get a business started that would use information stolen by G152xx's ring, criminals from the network that I tapped into said I would need to buy two things: a machine to encode the magnetic strips on the back of credit cards and a virtual private network to protect my computer's identity.
Although identity theft can occur in a number of ways, G152xx's information would be used to create fake plastic credit cards that could be used in stores.
My own research on eBay showed that about $500 could buy a machine needed to encode credit cards with stolen information. Another $50 would go to subscribe to a virtual private network, much like the one described by Tony, to shield my computer's identi . A final $300 might be spent on the data itself and could buy a small lot of 15 American Express accounts from G152xx.
My informants said that my chances of getting caught would be slim to none, although law enforcement officials say the criminals can be caught.
Experienced thieves like G152xx and Bart Maza use multiple virtual private networks, much like the one used by Tony, to decrease the likelihood of being located. Even if government agents managed to compromise the first network, they would need to compromise several others before reaching my computer.
And if I were particularly bold, I could not only empty the accounts of targets provided by Maza, but I could use the information to open new lines of credit under the target's name.
"His balance may be like $15,000. So, you just take everything from him," G152xx said. "It makes you feel powerful."
Maza's persistence in proving that he was an identity thief put me in an awkward position. After giving me personal information belonging to 17 people, I began contacting them to verify - and warn them that they could be potential victims of theft. They were located in six different countries, and many did not speak English. I warned 10 of them.
Most were grateful to be warned but as can be expected, some were deeply suspicious.
When I asked the daughter of an Illinois resident to tell her mother that I had her financial information, she politely took down my information and hung up the phone. A couple minutes later, I got a call from her local police department. It took some time, but I did convince the officer that I was a reporter and wouldn't use the information illegally.
Others on the list channeled shock into anger.
"I'm going to fry him," said Joseph Berning, a 45-year old living in Cincinnati and another potential victim on my list. When I informed him that the thief said he was in Russia, he calmed down. An officer from his local police department called me to verify my identity.
Although Maza declined to give the source of his data, some of the people on the list, including Tammy Martin and Berning, remembered receiving an e-mail that looked like it came from the online payment system PayPal. The e-mail asked to verify their information, and they responded to it. Martin and Berning were likely victims of "phishing" - spam purporting to come from banks or services such as PayPal that dupe customers into divulging financial information.
"I have other data," Maza promised. I asked him not to send any more.
--------------------------------------------------------------------------------
(c) 2005 The Boston Globe
R
Tammy Martin, a 37-year-old instructor at the University of Hawaii,
couldn't
believe it.
"This is wild," she said. "You can't live your life in a balloon, you know? But this is just wild."
Her shock was warranted. I had just called her on an unlisted cellphone number and informed her that I had her Social Security number, Visa card number, bank account and personal identification numbers, and eBay account name and password.
If I chose, not only could I drain her bank account and rack up charges on the Visa, but with her Social Security number, I could probably open new credit cards - maybe even a mortgage - long before she discovered a problem. Ultimately, she would likely not be responsible for the charges, but it might take days - or months - to rectify her credit.
Martin was not a victim of identity theft. But the information was in the hands of a self-proclaimed identity thief. I received the information during an interview with someone who goes by the online nickname Bart Maza. He said he is an 18-year-old high school dropout in Russia. In total, he gave me the data of 17 people.
I'd written several articles about identity theft for the Globe, but this was the first time I attempted to directly contact an apparent identity thief. Although I had spoken to many law enforcement officials, private security investigators, victims, and consumer advocates about the issue, I decided to go to the source to truly understand how the identity theft supply chain operates - from the time that the data are stolen to the time that information is used fraudulently.
Over a six-week period, I talked or had online conversations with 17 "carders." These are thieves who obtain credit card numbers to resell or use for profit. A couple even promised to make me a "made guy" in their underground network. I never put the advice into action, but I did learn that becoming an identity thief is frighteningly simple.
None of the apparent identity thieves interviewed would reveal their identities. I took whatever steps I could to verify that the people whom I wrote to actually were identity thieves. I never asked for stolen information, but several thieves became so eager to prove that they were criminals that they sent me stolen data, like that from Bart Maza, or showed me evidence of criminal transactions.
I also couldn't confirm the details of each of their stories, but the general outline of such scam operations was confirmed as plausible by investigators at private security firms Cyota and VeriSign/iDefense and by Larry Johnson, a special agent in charge of the Secret Service's criminal investigative division.
Finding an identity thief is not difficult. I searched for "credit card dumps" on Google - "dump" is slang for the information contained on a credit card's magnetic strip - and found posts on message boards where people purported to sell stolen information.
A self-described 18-year-old college student in Brazil who called himself Tony was my first contact in the stolen credit card market. He said he started his identity theft business about two months ago.
He said his first two weeks of business brought in $1,500. Once he becomes a well-known distributor of the product, he expects that he can make at least twice that much per week.
In a phone interview, he said that he read about credit card scams in a newspaper article, performed a quick Internet search, and found some of the same message boards that I used to contact thieves. He got in touch with thieves through the Internet, bought some of their product, and was reselling stolen credit card dumps before the week was out.
"My parents would be really mad," Tony said. "I do get worried, but I find it's really hard to get caught."
Tony, like all savvy Internet thieves, uses a virtual private network that masks his computer's true Internet Protocol address every time he logs on. An IP address is a unique identifying number assigned to every computer connected to the Internet. Without the network, Tony's computer could easily be tracked by authorities.
Another apparent thief, who uses the name Ast--wave, said he is a 20-year-old Romanian expatriate living in New York City and makes as much as $50,000 a month.
He buys stolen credit card information, encodes it onto forged plastic credit cards to make purchases, and then resells the items on eBay. An eBay spokesman says the online auction house cannot authenticate the origin of goods sold on its site so it doesn't know if some are stolen.
Although Ast--wave declined to give his name, he provided a Bank of America account number and personal identification number that allegedly could be used to log onto a stolen account online. He intended for me to log in myself and verify that it was stolen. Doing so would be illegal, so I didn't try.
How much can someone make? It depends on what part of the supply chain you decide to be on.
A 24-year-old college dropout from the Los Angeles area who is known in the online underground as G152xx says he runs a typical scam operation. He told me that he pays six waiters at four upscale restaurants to steal customers' credit card information when they charge a meal.
G152xx says he then resells the information for between $6 and $20, depending on the credit card type, and gives the waiters a 40 percent cut. He charges $6 for stolen Visa Classic and MasterCard accounts. More lucrative American Express or Discover accounts are $20, since they typically have higher limits.
Officials at American Express and other credit card companies have said they are aware of identity thieves, and they have systems to monitor identity theft rings and software that alerts them of unusual activity.
The final purchaser of the credit card numbers makes the most money but bears the most risk, encoding the data onto a blank credit card and using it at stores that give cash back until the limit is reached or the card is reported as stolen.
To make sure that he or she isn't caught redhanded when the card is reported, the thief periodically tests it anonymously at a place like a self-serve gas station. If the card does not work at the gas station, the thief knows to discard it and move on to the next credit card.
G152xx told me that he runs his ring like any other successful small company and sometimes runs marketing gimmicks to draw customers. In addition to posting on message boards to promote himself as a source of stolen information, for $600 per month he purchased a banner advertisement - much like the online advertisements that appear on other websites - from a message board frequented by thieves. The banner asks "Why pay for anything?" followed by his contact information, which I used to reach him.
During one of many interviews with G152xx, he explained why he breaks the law. "The cash! and that ATM feeling - money counting," he wrote.
Back when G152xx "cashed out" stolen bank accounts and bought goods with stolen credit cards, he says he made about $10,000 to $15,000 per week. Now that he's just selling the information to other criminals, he says his take has dropped to a few thousand dollars per week, depending on customer traffic.
To get a business started that would use information stolen by G152xx's ring, criminals from the network that I tapped into said I would need to buy two things: a machine to encode the magnetic strips on the back of credit cards and a virtual private network to protect my computer's identity.
Although identity theft can occur in a number of ways, G152xx's information would be used to create fake plastic credit cards that could be used in stores.
My own research on eBay showed that about $500 could buy a machine needed to encode credit cards with stolen information. Another $50 would go to subscribe to a virtual private network, much like the one described by Tony, to shield my computer's identi . A final $300 might be spent on the data itself and could buy a small lot of 15 American Express accounts from G152xx.
My informants said that my chances of getting caught would be slim to none, although law enforcement officials say the criminals can be caught.
Experienced thieves like G152xx and Bart Maza use multiple virtual private networks, much like the one used by Tony, to decrease the likelihood of being located. Even if government agents managed to compromise the first network, they would need to compromise several others before reaching my computer.
And if I were particularly bold, I could not only empty the accounts of targets provided by Maza, but I could use the information to open new lines of credit under the target's name.
"His balance may be like $15,000. So, you just take everything from him," G152xx said. "It makes you feel powerful."
Maza's persistence in proving that he was an identity thief put me in an awkward position. After giving me personal information belonging to 17 people, I began contacting them to verify - and warn them that they could be potential victims of theft. They were located in six different countries, and many did not speak English. I warned 10 of them.
Most were grateful to be warned but as can be expected, some were deeply suspicious.
When I asked the daughter of an Illinois resident to tell her mother that I had her financial information, she politely took down my information and hung up the phone. A couple minutes later, I got a call from her local police department. It took some time, but I did convince the officer that I was a reporter and wouldn't use the information illegally.
Others on the list channeled shock into anger.
"I'm going to fry him," said Joseph Berning, a 45-year old living in Cincinnati and another potential victim on my list. When I informed him that the thief said he was in Russia, he calmed down. An officer from his local police department called me to verify my identity.
Although Maza declined to give the source of his data, some of the people on the list, including Tammy Martin and Berning, remembered receiving an e-mail that looked like it came from the online payment system PayPal. The e-mail asked to verify their information, and they responded to it. Martin and Berning were likely victims of "phishing" - spam purporting to come from banks or services such as PayPal that dupe customers into divulging financial information.
"I have other data," Maza promised. I asked him not to send any more.
--------------------------------------------------------------------------------
(c) 2005 The Boston Globe
R
posted by Trailblazer Investigations Inc Trailblazer Investigations Florida | Saturday, October 01, 2005
0 Comments:
Post a Comment
<< Home