A look into the dark underbelly of data breaches

The process by which large volumes of data are stolen, resold, and ultimately used by criminals to commit fraud, has evolved from the sale of a few pieces of sensitive information, such as credit card numbers and expiration dates, to full blown identity packages containing multiple types of sensitive personal information.

That is but one of the disconcerting details of a Department of Justice-penned report that looks at the rapidly morphing, dark side of stolen personal information set to appear in next month’s issue of the Santa Clara Computer and High Technology Journal.

The article goes on to say the large volumes of stolen data are priced to sell and charges are determined by the degree of difficulty in obtaining the data, according to the paper’s author, DOJ attorney Kimberly Kiefer Peretti. In the first half of 2007, for example, credit card information ranged from $0.50 to $5.00 per card, bank account information ranged from $30.00 to $400.00, and full identity information ranged from $10 to $150.79. Such information is available on illegal Web sites known as carding forums.

Indeed “carding” is at the heart of the issue, which the paper describes as the process by which large volumes of data are stolen, resold, and ultimately used by criminals to commit fraud. In its narrow sense, the term “carding” refers to the unauthorized use of credit and debit card account information to fraudulently purchase goods and services, the article states. The term has evolved in recent years, however, to include an assortment of activities surrounding the theft and fraudulent use of credit and debit card account numbers including computer hacking, phishing, cashing-out stolen account numbers, re-shipping schemes and Internet auction fraud, Peretti states.

The prosecution of such card forums has been ongoing. A few of the more well known include:

·          Shadowcrew: A global organization of thousands of members that was dedicated to promoting and facilitating the electronic theft of personal identifying information, credit card and debit card fraud, and the production and sale of false identification documents. The organization operated and maintained the Internet website www.shadowcrew.com from 2002 until October 2004, when it was taken down by the U.S. Secret Service as the result of an undercover investigation known as “Operation Firewall.”

·          Carderplanet: The Carderplanet organization operated and maintained the website www.carderplanet.com for its criminal activities and was founded in May 2001.47 By August 2004, the site had attracted more than 7,000 members. The site provided its members with a marketplace for millions of stolen accounts. Although most of the postings on the forum were in Russian, and most of Carderplanet members were from Eastern Europe and Russia, the forum had a significant English-speaking component.  Senior members of the organization shut the website down in the summer of 2004 following some arrests of high-ranking members and law enforcement scrutiny.

·          Cardersmarket: The Cardersmarket organization allegedly operated and maintained the website www.cardersmarket.com for its criminal activities and was founded in June 2005. Similar to other carding forums, Cardersmarket was allegedly dedicated to the unlawful acquisition, use and/or sale of unauthorized credit card account information, and other personal identification and financial information. As of September 5, 2007, Cardersmarket allegedly had thousands of members worldwide. In August 2006, the forum’s administrator, known by the nickname “Iceman,” allegedly took over four rival carding forums and thereby increased the Cardersmarket membership to 6,000. The DOJ helped indict Iceman, AKA Max Ray Butler in Sep. 2007 on charges of wire fraud and identity theft related to an online scheme to steal credit card and other identity information. 

The paper goes onto to suggest key ways to continue fighting the carder war.  For one it advocates broadening the notification laws.  Over 36 states have laws that require consumer notification in the event of a security breach. Many of these state laws allow victim entities to delay notification if a law enforcement entity informs the entity that notification may impede a criminal investigation, the paper  notes.

Another key is bolstering the tools prosecutors can use to bang on such criminals.   For example, the Privacy and Cybercrime Enforcement Act of 2007 that amends the federal criminal code relating to computer fraud and unauthorized access to computers to: (1) include computer fraud within the definition of racketeering activity; (2) provide criminal penalties for intentional failures to provide required notices of a security breach involving sensitive personally identifiable information; (3) expand penalties for conspiracies to commit computer fraud and extortion attempts involving threats to access computers without authorization; (4) provide for forfeiture of property used to commit computer fraud; and (5) require restitution for victims of identity theft and computer fraud.  The bill is still in committee.

Finally the paper recommends strengthening sentences for such crimes.  “Hackers and identity thieves receive light sentences in many cases either because of their young age or because the sentencing judge may not view these non-violent crimes as serious. Indeed, a recent identity theft bill passed by the Senate directs the Sentencing Commission to review its guidelines to reflect the intent of Congress that penalties for identity theft-related offenses should be increased.” 

Layer 8 in a box

Check out these other hot stories:

NASA picks “bargain basement” space technology candidates

Airborne laser weapons heating up

The HP pretexting ghost hovers over FTC’s latest settlement 

Icy reception awaits new robots 

Internet-based realtors win monster settlement

FBI: Corporate, mortgage fraudsters actively threaten your financial future

Is the FAA losing battle of flight delay hell? 

Copyright © 2008 IDG Communications, Inc.

The 10 most powerful companies in enterprise networking 2022