law

Illegality practices by the US in the “War on Terror”

From Tony Judt’s “The New World Order” (The New York Review of Books: 14 July 2005):

The unrepublican veneration of our presidential “leader” has made it uniquely difficult for Americans to see their country’s behavior as others see it. The latest report from Amnesty International – which says nothing that the rest of the world doesn’t already know or believe but which has been denied and ridiculed by President Bush – is a case in point. The United States “renders” (i.e., kidnaps and hands over) targeted suspects to third-party states for interrogation and torture beyond the reach of US law and the press. The countries to whom we outsource this task include Egypt, Saudi Arabia, Jordan, Syria (!), Pakistan – and Uzbekistan. Where outsourcing is impractical, we import qualified interrogators from abroad: in September 2002 a visiting Chinese “delegation” was invited to participate in the “interrogation” of ethnic Uighur detainees held at Guantánamo.

At the US’s own interrogation centers and prisons in Iraq, Afghanistan, and Guantánamo Bay, at least twenty-seven “suspects” have been killed in custody. This number does not include extrajudicial, extraterritorial “targeted assassinations”: a practice inaugurated by Benito Mussolini with the murder of the Rosselli brothers in Normandy in 1937, pursued with vigor by Israel, and now adopted by the Bush administration. The Amnesty report lists sixty alleged incarceration and interrogation practices routinely employed at US detention centers, Guantánamo in particular. These include immersion in cold water to simulate drowning, forced shaving of facial and body hair, electric shocks to body parts, humiliation (e.g., being urinated upon), sexual taunting, the mocking of religious belief, suspension from shackles, physical exertion to the point of exhaustion (e.g., rock-carrying), and mock execution.

Any and all of these practices will be familiar to students of Eastern Europe in the Fifties or Latin America in the Seventies and Eighties – including the reported presence of “medical personnel.” But American interrogators have also innovated. One technique has been forcibly to wrap suspects – and their Korans – in Israeli flags: a generous gesture to our only unconditional ally, but calculated to ensure that a new generation of Muslims worldwide will identify the two countries as one and hate them equally.

All of these practices – and many, many others routinely employed at Guantánamo, at Kandahar and Bagram in Afghanistan, at al-Qaim, Abu Ghraib, and elsewhere in Iraq – are in breach of the Geneva Conventions and the UN Convention against Torture, to both of which the US is a signatory


America, a militarized society

From Tony Judt’s “The New World Order” (The New York Review of Books: 14 July 2005):

[Andrew] Bacevich is a graduate of West Point, a Vietnam veteran, and a conservative Catholic who now directs the study of international relations at Boston University. He has thus earned the right to a hearing even in circles typically immune to criticism. What he writes should give them pause. His argument is complex, resting on a close account of changes in the US military since Vietnam, on the militarization of strategic political thinking, and on the role of the military in American culture. But his conclusion is clear. The United States, he writes, is becoming not just a militarized state but a military society: a country where armed power is the measure of national greatness, and war, or planning for war, is the exemplary (and only) common project.

Why does the US Department of Defense currently maintain 725 official US military bases outside the country and 969 at home (not to mention numerous secret bases)? Why does the US spend more on “defense” than all the rest of the world put together? After all, it has no present or likely enemies of the kind who could be intimidated or defeated by “star wars” missile defense or bunker-busting “nukes.” And yet this country is obsessed with war: rumors of war, images of war, “preemptive” war, “preventive” war, “surgical” war, “prophylactic” war, “permanent” war. As President Bush explained at a news conference on April 13, 2004, “This country must go on the offense and stay on the offense.”

Among democracies, only in America do soldiers and other uniformed servicemen figure ubiquitously in political photo ops and popular movies. Only in America do civilians eagerly buy expensive military service vehicles for suburban shopping runs. In a country no longer supreme in most other fields of human endeavor, war and warriors have become the last, enduring symbols of American dominance and the American way of life. “In war, it seemed,” writes Bacevich, “lay America’s true comparative advantage.” …

For Bacevich’s deepest concern lies closer to home. In a militarized society the range of acceptable opinion inevitably shrinks. Opposition to the “commander in chief” is swiftly characterized as lèse-majesté; criticism becomes betrayal. No nation, as Madison wrote in 1795 and Bacevich recalls approvingly, can “preserve its freedom in the midst of continual warfare.”[12] “Full-spectrum dominance” begins as a Pentagon cliché and ends as an executive project.


International Law in the modern world

From Tony Judt’s “The New World Order” (The New York Review of Books: 14 July 2005):

Things go wrong, and not just in Iraq. International law – like the UN itself – was conceived in a world of sovereign states, a world where wars broke out between countries, peace was duly brokered among states, and a major concern of the post–World War II settlement was to guarantee the inviolability of borders and sovereignty. Today’s wars typically happen within states. The distinctions between peace-making and peacekeeping – between intervention, assistance, and coercion – are unclear, as are the rights of the conflicting parties and the circumstances under which foreign agencies may resort to force. In this confusing new world, well-meaning Western diplomats and observers have sometimes proven unable to distinguish between warring states – operating under conventional diplomatic norms – and locally powerful criminal tyrants, such as the leaders of Sudan. Negotiation with the latter all too often amounts to collaboration and even complicity.


Fouche’s daily list for Napoleon

From Central Missouri State University’s “Joseph Fouche”:

Fouché established an organization of policing and intelligence gathering that was decades ahead of its time. Napoleon, frequently on military campaigns, depended on Fouché’s information to maintain control over France and his military effectiveness. Six days a week, every week, Fouché sent secret reports to Napoleon. The information represented an incredible array of topics:

1. Palace gossip.

2. Audience reaction to a new play.

3. Stock market prices.

4. Desertions from the army.

5. Arrests of foreign agents.

6. Results of interrogations.

7. News of crime.

8. Offenses by soldiers.

9. Fires.

10. Rebellion against the Gendarmerie.

11. Intercepted correspondence.

12. Visiting personages.

13. Public reception of news of victories.

14. Shipping news.

15. Indiscretions of Fouché’s enemies.

16. Contractor’s tenders.

17. Agitation against the draft.

18. Suicides.

19. Prison epidemics.

20. Progress of construction.

21. Unemployment figures.

22. Extracts from inter-ministerial correspondence.

23. Persons detained or under special surveillance (Stead, 1983, pp. 41-48).


Japanese nuclear secrets revealed on P2P network

From Mike’s “That’s Not A New Hit Song You Just Downloaded — It’s Japan’s Nuclear Secrets” (techdirt: 23 June 2005):

While IT managers may not see the importance of security software for themselves, you would think they would be a little more careful with things like interns and contractors. Not so, apparently. Over in Japan, a lot of people are not happy after discovering that a lot of classified technical data on nuclear power plants was leaked onto the internet by a contractor using a computer with a file sharing app that was apparently left open to sharing everything on the machine. First off, what kind of nuclear plant contractor is putting a file sharing app on his work laptop? Also, the article notes that the laptop was infested with viruses, but later seems to blame the file sharing app rather than the viruses — so it’s not entirely clear what the viruses have to do with this story. Update: Another article on this story notes that it was the virus that made the material available via the file sharing app. It also notes that the guy was using his personal computer — and somehow this was allowed. It also details the information leaked, including inspection data, photographs and names of inspectors, as well as where they stayed when they did the inspections. No matter what, you have to wonder why the guy was allowed to use his personal computer or to use any computer for this data that hadn’t been checked first for viruses or other vulnerabilities.

From Mike’s “Security Through Begging” (techdirt: 16 March 2006):

Last summer, the surprising news came out that Japanese nuclear secrets leaked out, after a contractor was allowed to connect his personal virus-infested computer to the network at a nuclear power plant. The contractor had a file sharing app on his laptop as well, and suddenly nuclear secrets were available to plenty of kids just trying to download the latest hit single. It’s only taken about nine months for the government to come up with its suggestion on how to prevent future leaks of this nature: begging all Japanese citizens not to use file sharing systems — so that the next time this happens, there won’t be anyone on the network to download such documents.


Why disclosure laws are good

From Bruce Schneier’s “Identity-Theft Disclosure Laws” (Crypto-Gram Newsletter: 15 May 2006):

Disclosure laws force companies to make these security breaches public. This is a good idea for three reasons. One, it is good security practice to notify potential identity theft victims that their personal information has been lost or stolen. Two, statistics on actual data thefts are valuable for research purposes. And three, the potential cost of the notification and the associated bad publicity naturally leads companies to spend more money on protecting personal information — or to refrain from collecting it in the first place.


Why airport security fails constantly

From Bruce Schneier’s “Airport Passenger Screening” (Crypto-Gram Newsletter: 15 April 2006):

It seems like every time someone tests airport security, airport security fails. In tests between November 2001 and February 2002, screeners missed 70 percent of knives, 30 percent of guns, and 60 percent of (fake) bombs. And recently, testers were able to smuggle bomb-making parts through airport security in 21 of 21 attempts. …

The failure to detect bomb-making parts is easier to understand. Break up something into small enough parts, and it’s going to slip past the screeners pretty easily. The explosive material won’t show up on the metal detector, and the associated electronics can look benign when disassembled. This isn’t even a new problem. It’s widely believed that the Chechen women who blew up the two Russian planes in August 2004 probably smuggled their bombs aboard the planes in pieces. …

Airport screeners have a difficult job, primarily because the human brain isn’t naturally adapted to the task. We’re wired for visual pattern matching, and are great at picking out something we know to look for — for example, a lion in a sea of tall grass.

But we’re much less adept at detecting random exceptions in uniform data. Faced with an endless stream of identical objects, the brain quickly concludes that everything is identical and there’s no point in paying attention. By the time the exception comes around, the brain simply doesn’t notice it. This psychological phenomenon isn’t just a problem in airport screening: It’s been identified in inspections of all kinds, and is why casinos move their dealers around so often. The tasks are simply mind-numbing.


L.A. police using drones to spy on citizens

From Zachary Slobig’s “Police launch eye-in-the-sky technology above Los Angeles” (AFP: 17 June 2006):

Police launched the future of law enforcement into the smoggy Los Angeles sky in the form of a drone aircraft, bringing technology most commonly associated with combat zones to urban policing.

The unmanned aerial vehicle, which looks like a child’s remote control toy and weighs about five pounds (2.3 kilograms), is a prototype being tested by the Los Angeles County Sheriff’s Department. …

“This technology could be used to find missing children, search for lost hikers, or survey a fire zone,” said Commander Sid Heal, head of the Technology Exploration Project of the Los Angeles County Sheriff’s Department. “The ideal outcome for us is when this technology becomes instrumental in saving lives.”

The SkySeer would also be a helpful tool to nab burglary suspects on rooftops and to chase down suspects fleeing on foot. The drone comes equipped with low-light and infrared capabilities and can fly at speeds up to 30 miles (48 kilometers) per hour for 70 minutes. …

A small camera capable of tilt and pan operations is fixed to the underside of the drone which sends the video directly to a laptop command station. Once launched, the craft is set to fly autonomously with global positioning system (GPS) coordinates and a fixed flight pattern.

As technology improves, the drone will be outfitted with zoom capabilities. For now, the craft simply flies lower to hone in on its target. …

“The plane is virtually silent and invisible,” said Heal. “It will give us a vertical perspective that we have never had.”

The Los Angeles Sheriff’s Department operates a fleet of 18 helicopters, priced between three and five million dollars each. The SkySeer will cost between 25,000 and 30,000 dollars.


4 ways to eavesdrop on telephone calls

From Bruce Schneier’s “VOIP Encryption” (Crypto-Gram Newsletter: 15 April 2006):

There are basically four ways to eavesdrop on a telephone call.

One, you can listen in on another phone extension. This is the method preferred by siblings everywhere. If you have the right access, it’s the easiest. While it doesn’t work for cell phones, cordless phones are vulnerable to a variant of this attack: A radio receiver set to the right frequency can act as another extension.

Two, you can attach some eavesdropping equipment to the wire with a pair of alligator clips. It takes some expertise, but you can do it anywhere along the phone line’s path — even outside the home. This used to be the way the police eavesdropped on your phone line. These days it’s probably most often used by criminals. This method doesn’t work for cell phones, either.

Three, you can eavesdrop at the telephone switch. Modern phone equipment includes the ability for someone to listen in this way. Currently, this is the preferred police method. It works for both land lines and cell phones. You need the right access, but if you can get it, this is probably the most comfortable way to eavesdrop on a particular person.

Four, you can tap the main trunk lines, eavesdrop on the microwave or satellite phone links, etc. It’s hard to eavesdrop on one particular person this way, but it’s easy to listen in on a large chunk of telephone calls. This is the sort of big-budget surveillance that organizations like the National Security Agency do best. They’ve even been known to use submarines to tap undersea phone cables.


A new way to steal from ATMs: blow ’em up

From Bruce Schneier’s “News” (Crypto-Gram Newsletter: 15 March 2006):

In the Netherlands, criminals are stealing money from ATM machines by blowing them up. First, they drill a hole in an ATM and fill it with some sort of gas. Then, they ignite the gas — from a safe distance — and clean up the money that flies all over the place after the ATM explodes. Sounds crazy, but apparently there has been an increase in this type of attack recently. The banks’ countermeasure is to install air vents so that gas can’t build up inside the ATMs.


A profile of phishers & their jobs

From Lee Gomes’s Phisher Tales: How Webs of Scammers Pull Off Internet Fraud (The Wall Street Journal: 20 June 2005):

The typical phisher, he discovered, isn’t a movie-style villain but a Romanian teenager, albeit one who belongs to a social and economic infrastructure that is both remarkably sophisticated and utterly ragtag.

If, in the early days, phishing scams were one-person operations, they have since become so complicated that, just as with medicine or law, the labor has become specialized.

Phishers with different skills will trade with each other in IRC chat rooms, says Mr. Abad. Some might have access to computers around the world that have been hijacked, and can thus be used in connection with a phishing attack. Others might design realistic “scam pages,” which are the actual emails that phishers send. …

But even if a phisher has a “full,” the real work has yet to begin. The goal of most phishers is to use the information they glean to withdraw money from your bank account. Western Union is one way. Another is making a fake ATM card using a blank credit card and a special magnetic stripe reader/writer, which is easy to purchase online.

A phisher, though, may not have the wherewithal to do either of those. He might, for instance, be stuck in a small town where the Internet is his only connection to the outside world. In that case, he’ll go into an IRC chat room and look for a “casher,” someone who can do the dirty work of actually walking up to an ATM. Cashers, says Mr. Abad, usually take a cut of the proceeds and then wire the rest back to the phisher.

Certain chat rooms are thus full of cashers looking for work. “I cash out,” advertised “CCPower” last week on an IRC channel that had 80 other people logged onto it. “Msg me for deal. 65% your share.”

The average nonphisher might wonder what would prevent a casher from simply taking the money and running. It turns out, says Mr. Abad, that phishers have a reputation-monitoring system much like eBay’s. If you rip someone off, your rating goes down. Not only that, phishers post nasty notices about you on IRC. “Sox and Bagzy are rippers,” warned a message posted last week.

Phishers, not surprisingly, are savvy about their targets. For instance, it wasn’t just a coincidence that Washington Mutual was a phisher favorite. Mr. Abad says it was widely known in the phishing underground that a flaw in the communications between the bank’s ATM machines and its mainframe computers made it especially easy to manufacture fake Washington Mutual ATM cards. The bank fixed the problem a few months ago, Mr. Abad says, and the incidence of Washington Mutual-related phishing quickly plummeted. …

Mr. Abad himself is just 23 years old, but he has spent much of the past 10 years hanging out in IRC chat rooms, encountering all manner of hackers and other colorful characters. One thing that’s different about phishers, he says, is how little they like to gab.

“Real hackers will engage in conversation,” he says. “With phishers, it’s a job.”


Do it yourself phishing kits

From John Leyden’s DIY phishing kits hit the Net (The Register: 19 August 2004):

Do-it-yourself phishing kits are being made available for download free of charge from the Internet, according to anti-virus firm Sophos.

Anyone surfing the Web can now get their hands on these kits, launch their own phishing attack and potentially defraud computer users of the contents of their bank accounts. These DIY kits contain all the graphics, web code and text required to construct bogus websites designed to have the same look-and-feel as legitimate ecommerce sites. They also come with spamming software.


Offshoring danger: identity theft

From Indian call centre ‘fraud’ probe (BBC News: 23 June 2005):

Police are investigating reports that the bank account details of 1,000 UK customers, held by Indian call centres, were sold to an undercover reporter.

The Sun claims one of its journalists bought personal details including passwords, addresses and passport data from a Delhi IT worker for £4.25 each. …

The Sun alleged the computer expert told the reporter he could sell up to 200,000 account details, obtained from fraudulent call centre workers, each month.

Details handed to the reporter had been examined by a security expert who had indicated they were genuine, the paper said.


Evil twin hot spots

From Dan Ilett’s Evil twin could pose Wi-Fi threat (CNET News.com: 21 January 2005):

Researchers at Cranfield University are warning that “evil twin” hot spots, networks set up by hackers to resemble legitimate Wi-Fi hot spots, present the latest security threat to Web users.

Attackers interfere with a connection to the legitimate network by sending a stronger signal from a base station close to the wireless client, turning the fake access point into a so-called evil twin.


Most PCs are rife with malware, & owners don’t know it

From Robert Lemos’s Plague carriers: Most users unaware of PC infections (CNET News.com: 25 October 2004):

A study of home PCs released Monday found that about 80 percent had been infected with spyware almost entirely unbeknownst to their users.

The study, funded by America Online and the National Cyber Security Alliance, found home users mostly unprotected from online threats and largely ignorant of the dangers. AOL and the NCSA sent technicians to 329 homes to inspect computers. …

Nearly three in five users do not know the difference between a firewall and antivirus software. Desktop firewall software regulates which applications on a PC can communicate across the network, while antivirus software detects malicious code that attempts to run on a computer, typically by pattern matching. Two-thirds of users don’t have a firewall installed on their computer, and while 85 percent of PC owners had installed antivirus software, two-thirds of them had not updated the software in the last week. The study found one in five users had an active virus on their machines.


Identity theft method: file false unemployment claims

From Michael Alter’s States fiddle while defrauders steal (CNET News.com: 21 June 2005):

More than 9 million American consumers fall victim to identity theft each year. But the most underpublicized identity theft crime is one in which thieves defraud state governments of payroll taxes by filing fraudulent unemployment claims.

It can be a fairly lucrative scheme, too. File a false unemployment claim and you can receive $400 per week for 26 weeks. Do it for 100 Social Security numbers and you’ve made a quick $1.04 million. It’s tough to make crime pay much better than that.

The victims in this crime–the state work force agencies that tirelessly oversee our unemployment insurance programs and the U.S. Department of Labor–are reluctant to discuss this topic for obvious reasons. …

The slow response of state and federal agencies is quickly threatening the integrity of the unemployment insurance system. It turns out that crime is a very efficient market and word spreads quickly. Got a stolen Social Security number? You can more easily turn it into money by defrauding the government than by defrauding the credit card companies.

The net result of this fraud is that unemployment taxes are going up, and that makes it that much harder for small businesses and big businesses to do business. Even more, higher payroll taxes slow down economic growth because they make it more expensive to hire new employees.


Arrested for directory truncation

From Sol Terra’s [IP] Use the Dots, Go to Jail – that’s the law (Interesting People: 24 October 2005):

Today, Daniel Cuthbert was found guilty.

Daniel Cuthbert saw the devastating images of the Tsunami disaster and decided to donate £30 via the website that was hastily set up to be able to process payments. He is a computer security consultant, regarded in his field as an expert and respected by colleagues and employers alike. He entered his full personal details (home address, number, name and full card details). He did not receive confirmation of payment or a reference and became concerned as he has had issues with fraud on his card on a previous occasion. He then did a couple of very basic penetration tests. If they resulted in the site being insecure as he suspected, he would have contacted the authorities, as he had nothing to gain from doing this for fun and keeping the fact to himself that he suspected the site to be a phishing site and all this money pledged was going to some South American somewhere in South America.

The first test he used was the (dot dot slash, 3 times) ../../../ sequence. The ../ command is called a Directory Traversal which allows you to move up the hierarchy of a file. The triple sequence amounts to a DTA (Directory Traversal Attack), allows you to move three times. It is not a complete attack as that would require a further command, it was merely a light ‘knock on the door’. The other test, which constituted an apostrophe ( ‘ ) was also used. He was then satisfied that the site was safe as he received no error messages in response to his query, then went about his work duties. There were no warnings or dialogue boxes showing that he had accessed an unauthorised area.

20 days later he was arrested at his place of work and had his house searched. In the first part of his interview, he did not readily acknowledge his actions, but in the second half of the interview, he did. He was a little distraught and confused upon arrest, as anyone would be in that situation and did not ask for a solicitor, as he maintained he did nothing wrong. His tests were done in a 2 minute timeframe, then forgotten about.
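How a web server can refuse the ../../../ request described above is shown in the following added example, which is not part of the original post or of the donation site's code. The document root `/srv/www/donate`, the function names and the sample request paths are assumptions constructed for illustration; the check also covers percent-encoded and backslash variants of the same sequence, which goes beyond the single case in the post.

```python
import posixpath
from urllib.parse import unquote

# Assumed document root for illustration; not taken from the post.
WEB_ROOT = "/srv/www/donate"


class TraversalRejected(ValueError):
    """Raised when a requested path would resolve outside the web root."""


def fully_unquote(raw, max_rounds=3):
    """Percent-decode until stable so double-encoded dots (%252e) are exposed."""
    for _ in range(max_rounds):
        decoded = unquote(raw)
        if decoded == raw:
            return decoded
        raw = decoded
    raise TraversalRejected("path still percent-encoded after decoding")


def resolve_request_path(url_path, root=WEB_ROOT):
    """Map a URL path to a file path under root, or raise TraversalRejected.

    The check is lexical (posixpath.normpath), so it behaves the same on any
    OS. A real server should also resolve symlinks (os.path.realpath) before
    opening the file.
    """
    # Treat backslashes as separators: some platforms accept ..\ as well.
    decoded = fully_unquote(url_path).replace("\\", "/")
    if "\x00" in decoded:
        raise TraversalRejected("NUL byte in path")
    # Join beneath the root, then collapse "." and ".." segments.
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    # After normalisation the result must be the root or sit beneath it.
    if candidate != root and not candidate.startswith(root + "/"):
        raise TraversalRejected("escapes web root: %r" % url_path)
    return candidate


def audit(paths, root=WEB_ROOT):
    """Return (path, verdict) pairs; verdict is the resolved file or 'REJECTED'."""
    results = []
    for p in paths:
        try:
            results.append((p, resolve_request_path(p, root)))
        except TraversalRejected:
            results.append((p, "REJECTED"))
    return results


# Constructed sample requests (not real traffic).
SAMPLE_REQUESTS = [
    "/donate.html",                  # ordinary page
    "/img/../donate.html",           # ".." that stays inside the root
    "/../../../",                    # the three-level sequence from the post
    "/%2e%2e/%2e%2e/%2e%2e/",        # same sequence, percent-encoded
    "/%252e%252e/%252e%252e/",       # double-encoded
    "/..%5c..%5c..%5cboot.ini",      # backslash separators
]

if __name__ == "__main__":
    for path, verdict in audit(SAMPLE_REQUESTS):
        print("%-30s -> %s" % (path, verdict))
```

A request that normalises to a location inside the root is served normally; everything else is rejected before any file is opened, and the rejection is the event worth logging.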


Banks have more to fear from internal attacks than external

From electricnews.net’s Internal security attacks affecting banks (The Register: 23 June 2005):

Internal security breaches at the world’s banks are growing faster than external attacks, as institutions invest in technology, instead of employee training.

According to the 2005 Global Security Survey, published by Deloitte Touche Tohmatsu, 35 per cent of respondents said that they had encountered attacks from inside their organisation within the last 12 months, up from 14 per cent in 2004. In contrast, only 26 per cent confirmed external attacks, compared to 23 per cent in 2004.

The report, which surveyed senior security officers from the world’s top 100 financial institutions, found that incidences of phishing and pharming, two online scams which exploit human behaviour, are growing rapidly.


Lawyers playing childish games

From Adam Liptak’s “Lawyers Won’t End Squabble, So Judge Turns to Child’s Play” (The New York Times: 9 June 2006):

Fed up with the inability of two lawyers to agree on a trivial issue in an insurance lawsuit, a federal judge in Florida this week ordered them to “convene at a neutral site” and “engage in one (1) game of ‘rock, paper, scissors’ ” to settle the matter.

… The judge, Gregory A. Presnell of Federal District Court in Orlando, wrote that his innovation was “a new form of alternative dispute resolution.”

The proximate cause of Judge Presnell’s ruling, issued Tuesday, was a motion saying the two lawyers in the case could not agree about where to conduct the deposition of a witness. The choices were the building where they both work, four floors apart, or a court reporter’s office down the street.

… wary that the lawyers would start a new battle over where to conduct the rock-paper-scissors showdown, Judge Presnell gave them a default site: the front steps of the federal courthouse in Tampa.

That will not be necessary, said David J. Pettinato, a lawyer for the plaintiff. He and his adversary have agreed to meet on June 30, Mr. Pettinato said, at “an undisclosed location.”

Mr. Pettinato added that he had been wasting no time since the order came down and had been training with his daughters, who are 5 and 9. They have advised him to open with rock. Mr. Pettinato said he was inclined to agree “because my case is solid as a rock.”

That would be an unusual opening for a lawyer, said Matti Leshem, the co-commissioner of the USA Rock Paper Scissors League, which he described as the governing body of the sport, whose headquarters are in Los Angeles.

“I guarantee you right now,” Mr. Leshem said, “that both lawyers will open with paper. Lawyers open with paper 67 percent of the time, because they deal with so much paper.”

Mr. Leshem offered to officiate the match. “What I don’t want,” he said, “is some rogue element of rock-paper-scissors coming down from the bench. When the law takes rock-paper-scissors into its own hands, mayhem can occur.”

The second lawyer in the case, D. Lee Craig, declined through a spokesman to preview his strategy. Judging from the spokesman’s tone, Mr. Craig did not find the matter especially amusing. …

“Apparently you think it is in your client’s interest to create as much misery and bad feeling as you are able,” Mr. Craig wrote [in a letter to Mr. Pettinato last week]. “In those endeavors, you are most able.”


Credit cards sold in the Underground

From David Kirkpatrick’s “The Net’s not-so-secret economy of crime” (Fortune: 15 May 2006):

Raze Software offers a product called CC2Bank 1.3, available in freeware form – if you like it, please pay for it. …

But CC2Bank’s purpose is the management of stolen credit cards. Release 1.3 enables you to type in any credit card number and learn the type of card, name of the issuing bank, the bank’s phone number and the country where the card was issued, among other info. …

Says Marc Gaffan, a marketer at RSA: “There’s an organized industry out there with defined roles and specialties. There are means of communications, rules of engagement, and even ethics. It’s a whole value chain of facilitating fraud, and only the last steps of the chain are actually dedicated to translating activity into money.”

This ecosystem of support for crime includes services and tools to make theft simpler, harder to detect, and more lucrative. …

… a site called TalkCash.net. It’s a members-only forum, for both verified and non-verified members. To verify a new member, the administrators of the site must do due diligence, for example by requiring the applicant to turn over a few credit card numbers to demonstrate that they work.

It’s an honorable exchange for dishonorable information. “I’m proud to be a vendor here,” writes one seller.

“Have a good carding day and good luck,” writes another seller …

These sleazeballs don’t just deal in card numbers, but also in so-called “CVV” numbers. That’s the Creditcard Validation Value – an extra three- or four-digit number on the front or back of a card that’s supposed to prove the user has physical possession of the card.

On TalkCash.net you can buy CVVs for card numbers you already have, or you can buy card numbers with CVVs included. (That costs more, of course.)

“All CVV are guaranteed: fresh and valid,” writes one dealer, who charges $3 per CVV, or $20 for a card number with CVV and the user’s date of birth. “Meet me at ICQ: 264535650,” he writes, referring to the instant message service (owned by AOL) where he conducts business. …

Gaffan says these credit card numbers and data are almost never obtained by criminals as a result of legitimate online card use. More often the fraudsters get them through offline credit card number thefts in places like restaurants, when computer tapes are stolen or lost, or using “pharming” sites, which mimic a genuine bank site and dupe cardholders into entering precious private information. Another source of credit card data are the very common “phishing” scams, in which an e-mail that looks like it’s from a bank prompts someone to hand over personal data.

Also available on TalkCash is access to hijacked home broadband computers – many of them in the United States – which can be used to host various kinds of criminal exploits, including phishing e-mails and pharming sites.
