Trading in Stolen Credit Card Data

21 Jun ’05

More news about the CardSystems security breach continues to percolate out.

Equally interesting though is Tom Zeller’s behind the scenes look at the online black market in stolen credit card numbers. This is a very disturbing look at where many stolen credit card numbers end up. Quote:

A user by the nickname Sirota is peddling account information so detailed, and so formatted, that it clearly came from a credit report. He is asking $200 per dump [credit card number] on accounts with available balances above $10,000, with a minimum order of five if the buyer wants accounts associated with a particular bank. “Also, I can provide dumps with online access,” he wrote. “The price of such dumps is 5% of available credit.”

Those buying fresh batches of account numbers may try to make purchases online, having goods delivered to a drop and then fencing them through online auctions.

More sophisticated thieves will seek out a vendor of encoding devices, and others who sell “plastic,” or blank credit cards, and “algos,” algorithms that are needed to properly encode the magnetic strip and produce a usable card. And “cash out” services can be arranged with those offering to take the encoded plastic to a cash machine and make daily withdrawals until the account is depleted. (The cash-out risk commands a premium – often 50 percent or more of the total balance.)

Mark Rasch, the former head of cyberinvestigations for the Justice Department and now the senior vice president of Solutionary, a computer security company, said the numbers taken in the CardSystems breach – at least 200,000 are said to have been in stolen files – are almost certain to end up in one of these trading posts.

Previous post:

Next post: