Symantec says it has noticed an increase in the use of stolen credit cards to make charitable contributions as a way to check out whether card numbers are legitimate before the thieves attempt to sell them or make large purchases with them.
If the cards prove usable, the criminals can use them without worrying that they will be declined and draw the attention of law enforcement, Symantec says.
The thieves donate only a small amount to the charities so as not to raise suspicion among credit card security teams that look for transactions falling outside the normal pattern for individual card holders, the company says.
Symantec speculates that behavior monitors within credit card companies are less likely to contact customers to verify the legitimacy of a small charitable transaction than they would be for an extravagant expense.
Because legitimate charitable transactions are not everyday occurrences for individuals, they likely wouldn’t raise any flags, especially if they are for relatively modest amounts.
By sitting in on Internet chat rooms where credit card numbers are traded, Symantec tuned into this trend, says Zulfikar Ramzan, a senior principal researcher for the company. U.S. cards sell for $1 to $6 each and U.K. cards sell for $2 to $12, he says.
Before the charity contributions, the criminals would make small transactions, often to Web sites where they knew security checks are lax, he says.
Testing that a card is active is so important that thieves have set up a specific Internet relay chat command to handle it. A thief types in a card number and the script automatically makes a small transaction, Ramzan says.
He says thieves also have scripts that use the credit card numbers to tap into the user’s name, Social Security number and the upper limit on the card. “It’s pretty chilling to see someone’s Social Security number and credit card number fly by,” he says.
Bank investigators will likely become attuned to the charity donations and try to react to them, but that is a tricky game, says Ramzan. The banks don’t want to overreact and start blocking or verifying legitimate donations. “If they detect too much stuff that’s not fraudulent they may cause more trouble than they can handle,” he says.
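The detection trade-off Ramzan describes is easier to see from the charity's or acquirer's side than from the issuer's: one card making one small donation looks normal, but one donation page receiving many tiny payments from many distinct cards within a few minutes does not. The following is an added example, not Symantec's or Network World's code, and uses constructed transaction records (tokenized card references, amounts and timestamps invented for the illustration); the merchant names, field names and thresholds are assumptions. It flags a merchant only when the count of distinct cards making sub-threshold payments inside a sliding time window exceeds a limit, so isolated small donations from real donors are left alone.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def _t(hhmm):
    # Helper: build a constructed timestamp on a fixed day (sample data only)
    return datetime(2008, 1, 1, int(hhmm[:2]), int(hhmm[2:]))


# Constructed sample transactions, not real data. "card" is a tokenized
# reference to a card, never a card number.
SAMPLE_TRANSACTIONS = [
    # Burst of tiny payments from many distinct cards to one charity within minutes
    {"merchant": "charity-A", "card": "tok-1001", "amount": 1.00, "time": _t("0901")},
    {"merchant": "charity-A", "card": "tok-1002", "amount": 2.00, "time": _t("0901")},
    {"merchant": "charity-A", "card": "tok-1003", "amount": 1.50, "time": _t("0902")},
    {"merchant": "charity-A", "card": "tok-1004", "amount": 1.00, "time": _t("0903")},
    {"merchant": "charity-A", "card": "tok-1005", "amount": 3.00, "time": _t("0904")},
    {"merchant": "charity-A", "card": "tok-1006", "amount": 1.00, "time": _t("0905")},
    # Same charity, an ordinary donation later in the day
    {"merchant": "charity-A", "card": "tok-2001", "amount": 50.00, "time": _t("1430")},
    # Another charity with a few ordinary donations spread across the day
    {"merchant": "charity-B", "card": "tok-3001", "amount": 25.00, "time": _t("0800")},
    {"merchant": "charity-B", "card": "tok-3002", "amount": 2.00, "time": _t("1200")},
    {"merchant": "charity-B", "card": "tok-3003", "amount": 1.00, "time": _t("1800")},
    # A shop with two small purchases close together (below the card-count limit)
    {"merchant": "shop-C", "card": "tok-4001", "amount": 2.50, "time": _t("1000")},
    {"merchant": "shop-C", "card": "tok-4002", "amount": 3.00, "time": _t("1001")},
]


def find_card_testing_bursts(transactions, window=timedelta(minutes=10),
                             max_amount=5.00, min_distinct_cards=5):
    """Return {merchant: peak_distinct_cards} for merchants that received
    small payments (<= max_amount) from at least min_distinct_cards distinct
    cards inside any single sliding window of length `window`.

    The per-card view (one small donation) is deliberately ignored: that is
    exactly the signal the issuer-side monitors described above let through.
    """
    small_by_merchant = defaultdict(list)
    for tx in transactions:
        if tx["amount"] <= max_amount:
            small_by_merchant[tx["merchant"]].append(tx)

    alerts = {}
    for merchant, txs in small_by_merchant.items():
        txs.sort(key=lambda tx: tx["time"])
        start = 0
        peak = 0
        # Two-pointer sliding window over the merchant's small payments
        for end, tx in enumerate(txs):
            while tx["time"] - txs[start]["time"] > window:
                start += 1
            distinct = len({t["card"] for t in txs[start:end + 1]})
            peak = max(peak, distinct)
        if peak >= min_distinct_cards:
            alerts[merchant] = peak
    return alerts


if __name__ == "__main__":
    for merchant, count in find_card_testing_bursts(SAMPLE_TRANSACTIONS).items():
        print(f"possible card testing at {merchant}: "
              f"{count} distinct cards, small amounts, within 10 minutes")
```

The thresholds are the whole game here, which is Ramzan's point: a legitimate year-end appeal or a disaster fundraiser also produces many small donations in a short period, so a rule like this is a triage signal for the merchant and its payment processor, not grounds to decline automatically. Lowering `min_distinct_cards` to 2 in the sample catches the shop's two small purchases as well, which is the kind of over-reaction the article warns about.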
“I guess one thing to note here is that at least some of the stolen money is going to a good cause,” says Symantec blogger Yazan Gable.
Read more about security in Network World's Security section.