The Net's not-so-secret economy of crime
The people who want to rip you off are very polite with each other when they're buying and selling credit card numbers.
NEW YORK (FORTUNE) - Raze Software offers a product called CC2Bank 1.3, available in freeware form - if you like it, please pay for it. Raze's attractively designed Web site, registered in Belarus, may suggest a shaky command of English -"I shall pleased any estimation in respect of my programs and this page," it reads - but it displays the classic characteristics of web commerce, like visitor statistics, advertising, and links to Web sites of partners.
But CC2Bank's purpose is the management of stolen credit cards. Release 1.3 enables you to type in any credit card number and learn the type of card, name of the issuing bank, the bank's phone number and the country where the card was issued, among other info.
The ad on Raze's site, in Russian, leads to another Belarus address that appears to be a market for stolen products.
The Internet economy, as we journalists like to write, has a lot to do with sharing. And commerce, at sites like eBay, is based largely on trust. But until recently I didn't realize that these same principles govern online dealmaking among criminals.
My naiveté was alleviated with an eye-popping tour of underground Web sites, conducted by two executives from RSA Cyota, an online security firm that works for banks like Barclays (Research) and Washington Mutual (Research). They showed me a variety of sites frequented by people who steal and trade credit card numbers and then use them to steal money.
This infrastructure for online crime is far more multi-layered and sophisticated than I ever imagined.
Says Marc Gaffan, a marketer at RSA: "There's an organized industry out there with defined roles and specialties. There are means of communications, rules of engagement, and even ethics. It's a whole value chain of facilitating fraud, and only the last steps of the chain are actually dedicated to translating activity into money."
This ecosystem of support for crime includes services and tools to make theft simpler, harder to detect, and more lucrative.
Gaffan and his colleague Yohai Einav showed me, for example, a site called TalkCash.net. It's a members-only forum, for both verified and non-verified members. To verify a new member, the administrators of the site must do due diligence, for example by requiring the applicant to turn over a few credit card numbers to demonstrate that they work.
It's an honorable exchange for dishonorable information. "I'm proud to be a vendor here," writes one seller.
'A very nice person'
"Have a good carding day and good luck," writes another seller, who notes "I do replace new cards in case any died." In response, a different poster comments "He delivers fast and he is a very nice person to deal with!" It's as if he was talking about a local florist.
These sleazeballs don't just deal in card numbers, but also in so-called "CVV" numbers. That's the Creditcard Validation Value - an extra three- or four-digit number on the front or back of a card that's supposed to prove the user has physical possession of the card.
On TalkCash.net you can buy CVVs for card numbers you already have, or you can buy card numbers with CVVs included. (That costs more, of course.)
"All CVV are guaranteed: fresh and valid," writes one dealer, who charges $3 per CVV, or $20 for a card number with CVV and the user's date of birth. "Meet me at ICQ: 264535650," he writes, referring to the instant message service (owned by AOL) where he conducts business.
Other discussants on the TalkCash forums politely request login IDs and passwords for accounts at HSBC and National Bank of Canada.
Gaffan says these credit card numbers and data are almost never obtained by criminals as a result of legitimate online card use. More often the fraudsters get them through offline credit card number thefts in places like restaurants, when computer tapes are stolen or lost, or using "pharming" sites, which mimic a genuine bank site and dupe cardholders into entering precious private information. Another source of credit card data are the very common "phishing" scams, in which an e-mail that looks like it's from a bank prompts someone to hand over personal data.
Also available on TalkCash is access to hijacked home broadband computers - many of them in the United States - which can be used to host various kinds of criminal exploits, including phishing e-mails and pharming sites.
RSA's Einav says there are about a dozen marketplace sites like TalkCash in operation at any given time. Unfortunately, he and Gaffan suggest it's unlikely this nefarious activity will end anytime soon (though of course that's good for their business).
"When the FBI shuts down a site they just move to another site," says Einav, "The URL changes but the community stays intact."
RSA doesn't even bother trying to shut down such sites, because by monitoring them it can help banks protect themselves. Says Einav: "If you see abnormal demand for accounts from a specific bank, you can assume an exploit is underway."
That's when it goes into action. RSA Cyota claims to have shut down 10,000 phishing and other schemes since Cyota was formed in 1999. (RSA Security bought Cyota last December.) The company maintains a blacklist of sites, which partners use to warn customers.
Microsoft's (Research) new Internet Explorer 7 browser, for example, uses the blacklist data to warn users that a site they have requested is likely to be fraudulent. RSA also works with ISPs to get them to shut down fraudulent sites.
Don't visit any of these sites. Tapping into them could lead to unpleasant consequences. I only looked at them via the safety of RSA's computers.
But it's worth knowing this ecosystem exists, if only as a cautionary reminder of how woefully unprotected our financial systems remain in the age of the Internet.
Fast Forward is a weekly column by David Kirkpatrick of FORTUNE magazine. E-mail questions and comments to firstname.lastname@example.org. Read this column online.