Every time I use my credit card online I suffer a momentary
feeling of anxiety, even though I know that
it's still safer than handing my card over to a
waiter. The impersonal nature of the Internet and the
perception that I lose control of my data after I hit "submit"
contribute to this lack of a sense of security.
Also contributing to this paranoid feeling are all the reports of
phishing scams, including IRS and tax-related scams, and of data
breaches at retailers like TJX, where more than 45 million accounts
were exposed.
This all got me to wondering exactly how the data that leaves my credit
card or keyboard ends up as money in the pockets of criminals.
How does the data get stolen from my computer?
There are many ways sensitive data can be pried out of computer users.
In a typical social-engineering phishing attack, a consumer opens an
e-mail that looks like it was sent by the consumer's bank, Amazon,
PayPal, or some other trusted source. With a bogus excuse, such as
suggesting there was a security incident and the user needs to verify
his or her account details, the e-mail prompts the recipient to enter
a username and password via a link to a Web site that looks legitimate
but isn't. The consumer enters the information and continues on, not
knowing that it has just been delivered to criminals.
In other cases, criminals create fake e-commerce Web sites where
consumers provide their credit card information to pay for a product
that will never arrive. Attackers also can turn legitimate Web sites
into traps: a SQL injection or cross-site scripting flaw lets them plant
malicious script in the site's pages, and clickjacking tricks a visitor
into clicking hidden controls on a page he or she trusts. Such attacks,
typically invisible to the consumer, can be used to steal data that a
consumer types in.
Other attacks work by getting spyware onto a victim's computer. For
instance, attackers can send a worm or Trojan as an e-mail attachment
that installs a keystroke logger when the recipient opens it. Attackers
also can write programs that exploit unpatched holes in Windows or in a
browser to download a keylogger onto the machine, often with no action
by the user beyond visiting a booby-trapped page. The keylogger can be
written to send data to a remote server every time the computer user
types a password or Social Security number, for example.
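The link in a phishing message is the usual giveaway: its visible text names the bank, but the URL underneath points somewhere else, or the bank's name is buried as a subdomain of a domain the criminals control. The following Python script is an added example, not code from the original article; it flags both patterns in an HTML message. The sample message, the list of protected brands, and the crude two-label approximation of a registrable domain are assumptions made for the example, and a production mail filter would use the Public Suffix List and a far larger brand list.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical brand list for the example; a real filter would carry many more.
PROTECTED_DOMAINS = {"paypal.com", "amazon.com", "examplebank.com"}

# Constructed sample message, not a real phishing e-mail.
SAMPLE_EMAIL = """<html><body>
<p>We detected a security incident. Please
<a href="http://paypal.com.secure-login.example/verify">verify your account</a>.</p>
<p>Or visit <a href="http://203.0.113.5/pp/login">www.paypal.com</a> directly.</p>
<p>Unrelated: <a href="https://www.amazon.com/orders">Amazon orders</a></p>
</body></html>"""


def registrable_domain(host):
    """Last-two-labels approximation (assumption: .com-style names only).
    Real code should consult the Public Suffix List instead."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def _host_in_text(text):
    """Hostname named by the anchor's visible text, or '' if it names none."""
    try:
        url = text if "://" in text else "http://" + text
        return (urlparse(url).hostname or "").lower()
    except ValueError:
        return ""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in the message body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def suspicious_links(html):
    """Return (href, text, reason) for each anchor that looks like a lure."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        host = (urlparse(href).hostname or "").lower()
        target = registrable_domain(host)
        # Pattern 1: the visible text names one host, the href goes to another.
        shown = _host_in_text(text)
        if "." in shown and registrable_domain(shown) != target:
            findings.append((href, text,
                             "link text shows %s but href goes to %s" % (shown, host)))
            continue
        # Pattern 2: a protected brand appears as a label of some other domain,
        # e.g. paypal.com.secure-login.example.
        labels = host.split(".")
        for brand in PROTECTED_DOMAINS:
            brand_label = brand.split(".")[0]
            if brand_label in labels and target != brand:
                findings.append((href, text,
                                 "%s used as a subdomain of %s" % (brand_label, target)))
                break
    return findings


if __name__ == "__main__":
    for href, text, reason in suspicious_links(SAMPLE_EMAIL):
        print("%-45s %-20s %s" % (href, text, reason))
```

Run against the constructed message, the first two links are flagged and the genuine Amazon link is not; a mail gateway would typically rewrite or quarantine flagged messages rather than merely report them.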
If I don't use my credit or debit card on the Internet, how does
the data get stolen?
Attackers can steal data by planting a skimming device that reads the
magnetic-stripe data when a card is swiped through a payment card reader
at a register, or by fitting a skimmer to an ATM along with a hidden
video camera that records the PIN as the customer enters it. The
magnetic-stripe data includes name, credit card number, and expiration
date, which is enough to encode a working clone of the stripe. It does
not include the three-digit security code printed on the back of the
card, which is why online merchants ask for that code separately.
Attackers can steal far more card data at once by hacking into a
retailer's or payment processor's network. In the TJX incident, experts
believe attackers made their way into the company's system by first
gaining access through a wireless regional hub for the company's store
controllers, which handle the point-of-sale system. Attackers also can
grab unencrypted PINs from bank systems during the authorization process
using specially crafted malware that scrapes the data from the memory of
the bank's computer. Or attackers can trick a misconfigured hardware
security module, the device that decrypts and re-encrypts PINs as they
pass across the various bank networks, into revealing an encryption key
through its own command interface.
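To make concrete what a skimmer captures from the stripe, and what memory-scraping malware looks for, here is an added Python example (not part of the original article) that parses the standard Track 1 and Track 2 layouts of a magnetic stripe and then hunts through a constructed memory buffer for anything laid out like track data, validating each candidate card number with the Luhn check before reporting it with the number masked. The track strings, the buffer contents, and the card number 4111 1111 1111 1111 are constructed test values, not real cards. The article describes malware scraping PINs; this scan looks for track data instead, because track data has a recognizable layout while an encrypted PIN block does not. The same pattern match is what a data-loss-prevention scanner or an incident responder would run over a captured process image to learn whether card data was sitting in the clear.

```python
import re

# Magnetic-stripe layouts (ISO/IEC 7813):
#   Track 1: %B<PAN>^<SURNAME/FIRST>^<YYMM><service code><discretionary data>?
#   Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(r"%B(\d{12,19})\^([^^?]{2,26})\^(\d{2})(\d{2})(\d{3})([^?]*)\?")
TRACK2_RE = re.compile(r";(\d{12,19})=(\d{2})(\d{2})(\d{3})([^?]*)\?")

# Constructed test buffer: junk bytes around one Track 1 and two Track 2
# strings. The second Track 2 PAN has a wrong check digit and must be dropped.
MEMORY_SAMPLE = (
    b"\x00\x17POSapp\xff\xfe"
    b"%B4111111111111111^DOE/JOHN^25121011000000000000000?"
    b"\x00\x00txn=0042\n"
    b";4111111111111111=25121011000000000000?"
    b"\x90\x90"
    b";4111111111111112=25121011000000000000?"
    b"\x00"
)


def luhn_ok(pan):
    """Mod-10 check-digit test that every genuine card number passes."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan):
    """Keep issuer prefix and last four digits, the form PCI DSS allows in logs."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def parse_track1(data):
    """Parse a Track 1 string into its fields, or None if it does not match."""
    m = TRACK1_RE.search(data)
    if not m:
        return None
    pan, name, yy, mm, service, _disc = m.groups()
    surname, _, first = name.partition("/")
    return {"track": 1, "pan": pan,
            "name": (first.strip() + " " + surname.strip()).strip(),
            "expiry": "20%s-%s" % (yy, mm), "service_code": service,
            "luhn_ok": luhn_ok(pan)}


def parse_track2(data):
    """Parse a Track 2 string into its fields, or None if it does not match."""
    m = TRACK2_RE.search(data)
    if not m:
        return None
    pan, yy, mm, service, _disc = m.groups()
    return {"track": 2, "pan": pan, "expiry": "20%s-%s" % (yy, mm),
            "service_code": service, "luhn_ok": luhn_ok(pan)}


def scan_memory(buf):
    """Find track data in a raw byte buffer and return masked records.
    Candidates whose PAN fails Luhn are discarded: they are nearly always
    false positives, which is why the regex alone is not enough."""
    text = buf.decode("latin-1")        # 1:1 byte-to-char, never raises
    hits = []
    for regex, parser in ((TRACK1_RE, parse_track1), (TRACK2_RE, parse_track2)):
        for m in regex.finditer(text):
            rec = parser(m.group(0))
            if rec and rec["luhn_ok"]:
                rec["pan"] = mask_pan(rec["pan"])
                hits.append(rec)
    return hits


if __name__ == "__main__":
    for rec in scan_memory(MEMORY_SAMPLE):
        print(rec)
```

Note what the parser does not find: no PIN and no three-digit printed security code live on the stripe, so a RAM scraper that recovers track data still needs a camera or a separate keypad overlay to drain an ATM.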
What do the criminals do with the data when they get it?
Cybercriminals tend to specialize. The data thieves, also called
"harvesters," sell what they collect to brokers, who either use the data
themselves, hire others to do the legwork of withdrawing the money, or
resell it through private peer-to-peer networks, carder sites, and other
organized underground marketplaces.
Often, the data is sold with a money-back guarantee in the event that
the cards are found to have been reported as stolen or if the data is
incorrect. Brokers have a number of ways of verifying cards. They can
break into an e-commerce Web site and process small transactions on the
card with a payment processor to see if the transactions go through. Or
they can use the card data to make a $1 donation to a charity.
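The $1 donation and the small test purchase leave a recognizable trace on the merchant or processor side: one source running many different cards through tiny transactions in a short time, with a high decline rate because part of the batch has already been cancelled. The Python below is an added detection example, not code from the article. The log format, the field names, the thresholds (five distinct cards, amounts of $5 or less, at least 40 percent declined within ten minutes) and the log lines themselves are constructed for the example; a real gateway's logs and tuning will differ.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authorization log in a made-up gateway format (not a real product).
SAMPLE_LOG = """\
2009-03-02T10:00:01 merchant=shop42 ip=198.51.100.7 card=c1a9 amount=1.00 result=declined
2009-03-02T10:00:09 merchant=shop42 ip=198.51.100.7 card=77e2 amount=1.00 result=declined
2009-03-02T10:00:15 merchant=shop42 ip=198.51.100.7 card=0b3d amount=0.50 result=approved
2009-03-02T10:00:22 merchant=shop42 ip=198.51.100.7 card=9f10 amount=1.00 result=declined
2009-03-02T10:00:30 merchant=shop42 ip=198.51.100.7 card=e4c8 amount=1.00 result=approved
2009-03-02T10:00:41 merchant=shop42 ip=198.51.100.7 card=5a6b amount=1.00 result=declined
2009-03-02T10:00:52 merchant=shop42 ip=198.51.100.7 card=d210 amount=0.50 result=approved
2009-03-02T10:01:03 merchant=shop42 ip=198.51.100.7 card=3c7f amount=1.00 result=declined
2009-03-02T10:02:10 merchant=shop42 ip=203.0.113.40 card=ab12 amount=64.99 result=approved
2009-03-02T10:05:33 merchant=shop42 ip=203.0.113.41 card=ab12 amount=12.00 result=approved
2009-03-02T10:07:48 merchant=shop42 ip=203.0.113.42 card=ff01 amount=149.00 result=declined
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) merchant=(?P<merchant>\S+) ip=(?P<ip>\S+) "
    r"card=(?P<card>\S+) amount=(?P<amount>[\d.]+) result=(?P<result>\w+)$")


def parse_log(text):
    """Turn log lines into event dicts sorted by time; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%S")
        e["amount"] = float(e["amount"])
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def detect_card_testing(events, window=timedelta(minutes=10), min_cards=5,
                        max_amount=5.00, min_decline_ratio=0.4):
    """Flag each (merchant, ip) source that, inside one window, runs at least
    min_cards distinct cards through small transactions with a high decline rate."""
    by_source = defaultdict(list)
    for e in events:
        by_source[(e["merchant"], e["ip"])].append(e)
    alerts = []
    for (merchant, ip), evs in by_source.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:   # slide the window
                start += 1
            win = evs[start:end + 1]
            cards = {e["card"] for e in win}
            all_small = all(e["amount"] <= max_amount for e in win)
            declines = sum(1 for e in win if e["result"] == "declined")
            if len(cards) >= min_cards and all_small and declines / len(win) >= min_decline_ratio:
                # Extend to every later event that still fits the window, report once.
                last = end
                while last + 1 < len(evs) and evs[last + 1]["ts"] - evs[start]["ts"] <= window:
                    last += 1
                span = evs[start:last + 1]
                alerts.append({
                    "merchant": merchant, "ip": ip,
                    "attempts": len(span),
                    "cards": len({e["card"] for e in span}),
                    "declines": sum(1 for e in span if e["result"] == "declined"),
                    "first": span[0]["ts"].isoformat(),
                    "last": span[-1]["ts"].isoformat(),
                })
                break
    return alerts


if __name__ == "__main__":
    for alert in detect_card_testing(parse_log(SAMPLE_LOG)):
        print(alert)
```

The same sliding-window shape, keyed on the card instead of the source, catches the cash-out pattern described next: a run of small withdrawals spread over days so that no single one draws the cardholder's attention.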
Once the data is verified, the criminals can turn it into cash by
either moving the money from the victim's account to an account they
control, wiring themselves the money, creating counterfeit checks, or
even just withdrawing small amounts (under $50) on a regular basis that
may not get noticed by the cardholder.
Many of the criminals are located outside of the data's country of
origin and will need to be able to either transfer funds or make
international purchases without alerting the authorities. To do this,
criminals have elaborate schemes using middlemen, also known as "drops."
For instance, criminals will advertise work-from-home jobs in the U.S.
over the Internet and by e-mail. The criminal takes over the bank or
credit card account whose data was stolen and changes the mailing
address or linked bank account to that of the middleman. The drop is
merely asked to provide a local address or bank account, and when money
or goods arrive, he or she is instructed to forward them to a foreign
address.
The criminals also can make blank plastic cards that are encoded with
the stolen magnetic-stripe data. Often, cards are produced in one
country and shipped back to the country where the account is located.
The cards then can be used by "runners" to make withdrawals from ATMs
if the PIN codes are known.
Criminals have been known to use private databases to get more
complete information on victims, such as address, date of birth, and
even Social Security number. For instance, the
U.S. Postal Service says someone accessed
LexisNexis and Investigative Professionals databases without
authorization and used personally identifiable information from there to
obtain fraudulent credit cards.