The dark underbelly of the Internet can be a lonely place. But the poor souls who venture there don’t have to spend much to find real world comforts. In fact, a person’s identity — including a U.S. bank account, credit card, date of birth and government issued identification number — can be bought for about $10.
This, according to Symantec Corp.’s Internet Security Threat Report, is one of the many identity theft deals available for purchase online. Topping the black market purchase list, however, are credit card numbers for sale. Prices start at about $0.50:
||Range of prices
||Social security numbers
||Compromised Unix shells
Yes, readers, Internet insecurity abounds.
Just last month a computer tape went missing that contained account information for more than 650,000 customers of JCPenney and other major retailers. The tape also included 150,000 Social Security numbers, according to the Better Business Bureau.
There are several steps you can take to insure your privacy and combat identity theft if you suspect your identity has been compromised. But, as a former homeland security reporter, security breaches such as this leave me asking: Where exactly does stolen account information go? Who gets it? When it gets to them, what do they do with it? And how do they get away with it?
Now for an obligatory note of caution: Please, don’t try this at home!
I ventured into the bowels of the Internet to try to figure out where these numbers turn up. First up was Craigslist, a network of local online communities that features free classified listings and forums on various topics.
From Shanghai to Micronesia, my search for illicit identity information sales was off to a bad start. The international Craigslist forums were pretty sparsely populated with only a few get-rich-quick schemes posted on their financial discussion boards.
I got a tip from a friend that Malaysia might be a possible mecca for fraudulent account information after I was forwarded a news release that it had been the site for a huge Interpol bust of credit card counterfeiters last year. In the release, it said that Malaysia was particularly good credit card counterfeiting ground because it was, until recently, the only place in Asia that classified making phony credit cards as document fraud, amounting to a two-week jail sentence as its penalty, rather than a much more serious charge of counterfeiting. Nonetheless, its boards were bare, only offering a couple of amusing non sequiturs such as “Don’t Miss … it’s FREE Money.” Uh-huh. Right.
It wasn’t until I looked at the Craigslist for New York City that I found a virtual smorgasbord of seemingly illicit card offers. But these places weren’t selling account numbers, they were just collecting personal information in exchange for a credit card, though I’d guess not the real sort. Needless to say, I didn’t apply for any credit cards there, but noticed proxy, or remote, Web site addresses that differed from the ones actually displayed in a browser.
Then, I hit a wall. So I read an article from The New York Times with the headline “Black Market in Stolen Credit Card Data Thrives on Internet.” I thought, “thrives?!” Then where the heck was it? Or had so much changed in the last couple of years that it went from thriving to bare-bones existence? Surely not.
The article outlined a couple of slang terms, code words used in 2005 in the black market of credit card forgeries. A “dump” is code for a credit card number, a “cob” is a change of billing address and “drops” are safe havens where goods or services charged to a fake card might be delivered. Then of course there are carders, which are stolen credit card number smugglers, buyers, sellers and users.
I logged onto IRC, which stands for Internet relay chat and is a legacy online chat service. Allegedly, IRC is a safe haven for illicit online activity, because a user doesn’t have to register in order to chat. The IRC chat network is about as anonymous as Internet communications get, and further anonymity on IRC rests in the fact that there are literally hundreds of thousands of chat rooms. In other words, finding where legitimately illegitimate credit card account information sales were happening would be like finding a needle in a haystack.
I performed dozens of searches for “dump” and “cob” and “drop” and “carder” and “cc” (lingo for credit cards) and “cardz,” a term passed onto me by my boss, on innumerable IRC channels. Several chat rooms showed up with the term “carder” and “cc,” and wading through a few of them I finally found one that seemed suspect, having a lot of people in the room saying very little in the public forum with names like “ccpawned.”
Nonetheless, I was a newcomer with an anonymous name. I stared at the main forum for about 20 minutes, and not a word was said. All 70+ users in the channel stayed logged on while I was there, but it was clear to me that I had nothing on the hundreds of law enforcement organizations that had probably thought of this before. I chickened out when I read the logon message, “Users of [room name] are subject to having their computers scanned while chatting.” It sadly took me 20 minutes to notice that message, but I was out of there in two seconds flat.
I make a horrible criminal, and am pretty sure my name is now on at least a couple “persons-of-interest” lists. The thieves who deal in stolen account information, however, are real pros. Luckily, law enforcement agencies are getting smarter. Stay tuned.