Credit cards sold in the Underground

From David Kirkpatrick’s “The Net’s not-so-secret economy of crime” (Fortune: 15 May 2006):

Raze Software offers a product called CC2Bank 1.3, available in freeware form – if you like it, please pay for it. …

But CC2Bank’s purpose is the management of stolen credit cards. Release 1.3 enables you to type in any credit card number and learn the type of card, name of the issuing bank, the bank’s phone number and the country where the card was issued, among other info. …

Says Marc Gaffan, a marketer at RSA: “There’s an organized industry out there with defined roles and specialties. There are means of communications, rules of engagement, and even ethics. It’s a whole value chain of facilitating fraud, and only the last steps of the chain are actually dedicated to translating activity into money.”

This ecosystem of support for crime includes services and tools to make theft simpler, harder to detect, and more lucrative. …

… a site called TalkCash.net. It’s a members-only forum, for both verified and non-verified members. To verify a new member, the administrators of the site must do due diligence, for example by requiring the applicant to turn over a few credit card numbers to demonstrate that they work.

It’s an honorable exchange for dishonorable information. “I’m proud to be a vendor here,” writes one seller.

“Have a good carding day and good luck,” writes another seller …

These sleazeballs don’t just deal in card numbers, but also in so-called “CVV” numbers. That’s the Creditcard Validation Value – an extra three- or four-digit number on the front or back of a card that’s supposed to prove the user has physical possession of the card.

On TalkCash.net you can buy CVVs for card numbers you already have, or you can buy card numbers with CVVs included. (That costs more, of course.)

“All CVV are guaranteed: fresh and valid,” writes one dealer, who charges $3 per CVV, or $20 for a card number with CVV and the user’s date of birth. “Meet me at ICQ: 264535650,” he writes, referring to the instant message service (owned by AOL) where he conducts business. …

Gaffan says these credit card numbers and data are almost never obtained by criminals as a result of legitimate online card use. More often the fraudsters get them through offline credit card number thefts in places like restaurants, when computer tapes are stolen or lost, or using “pharming” sites, which mimic a genuine bank site and dupe cardholders into entering precious private information. Another source of credit card data are the very common “phishing” scams, in which an e-mail that looks like it’s from a bank prompts someone to hand over personal data.

Also available on TalkCash is access to hijacked home broadband computers – many of them in the United States – which can be used to host various kinds of criminal exploits, including phishing e-mails and pharming sites.