Not so very long ago, cash was the standard method of payment around the world. But then the credit card began its unstoppable rise. After all, paying for something on the Internet doesn't require photo ID, or a signature, just the credit card number. And e-commerce sites don't seem to care too much about whether these numbers are on the user's card, or on an illegal website.
Understandably, this has roused the interest of the criminal underground. Last year, Card Systems hit the headlines after the details of 40 million credit cards were stolen via a security loophole in the payment system. If you're on holiday, someone can use a card reader not only to process a transaction, but also to record all your credit card details for later use. The result: a nasty shock when you get home, and find charges have been made to your credit card that you were not responsible for. And you don’t even have to be on holiday in one of the countries where credit card data theft is rife, as the arrest two years ago in Germany of an eight-man group which copied tourists' credit card details in restaurants showed. Finally, spyware, phishing attacks and social engineering can of course also be used to steal data. The opportunities for data theft are numerous, although they vary in terms of complexity.
Normally, the people who steal the data are not the ones to use it. Instead, large numbers of credit card details are bundled together, and sold on for about a dollar a bundle. This sounds like a low price, but the vendor is less at risk than the buyer. Those who buy the data either use lots of cards to make lots of small purchases (in order to minimize the risk of being caught) or use a single card up to its limit. Credit card issuers often display leniency towards victims; however, there's no guarantee that a victim won't have to pay the charges run up on his/her card.
On 4th August 2006, while researching this topic, Kaspersky Lab came across a Russian website which included stolen credit card data. There were approximately 300 sets of data; some had clearly been on the site for a while, but on the day we discovered the site, 60 fresh sets of data were added. Of course, compared to the coup of 40 million numbers last year, this is nothing. On the other hand, the credit card details on this site are being offered free of charge. And ultimately, it doesn’t make any difference to a victim whether his/her data is one entry in 300 or in 40 million.
In order to check the authenticity of the data, we called one of the German victims. On 15th May, the owner of the credit card noticed that about 10 euros had been charged to his card for a purchase which he hadn’t made. On 26th May his credit card details were published on the site, and further purchases were made. He blocked his card, and Mastercard was obliging enough to reimburse him to help him get over the shock.
The victim explained that he did not normally use his credit card to make purchases online. But in May he had gone on holiday to the Czech Republic, where he’d used his card in restaurants and to buy petrol; it was clear from the date of the fraudulent purchases where the data had been stolen.
The format of other credit card details on the website showed that they clearly came from databases. It wasn't only Mastercard customers who were affected, but holders of Visa, American Express and Discovery cards too, including some platinum card holders.
One more interesting fact: a lot of the entries on the website were numbered with a six-digit number. This makes it seem likely that the data on the website was only a small part of a far larger collection which contained more than 100,000 sets of data. A lot of these cards are only valid until 2008, so it's clear that the data is recent.
In the meantime, we informed the authorities in Germany, the USA and Russia. The US office of Kaspersky Lab contacted Visa and Mastercard. As we wrote in our blog, communication with the authorities didn't go as smoothly as we had hoped or imagined it would.
A lot of questions remain unanswered. Where did the data come from? Did the members of the site steal it themselves? Did they really have access to large collections of credit card data? If so, then many more credit card holders were affected without knowing it.
Originally we planned to publish further details shortly after we published our blog. However, the authorities are still investigating, and we don't want to jeopardize the results of their investigation by revealing details prematurely. This article therefore doesn't contain any screenshots.
Interesting as the background to this dubious site may be, credit card customers are probably more interested in learning how they can protect themselves and prevent their data from ending up on similar sites.
The opportunities for abuse are numerous, and the list of steps you should take to protect yourself is equally long:
Even after many years of e-commerce the relationship between credit cards and the Internet is an uneasy one. Whether credit card data is stolen over the Internet or the card details are published on a website is actually of secondary importance - the main issue is that credit card details can be stolen. This isn’t the first such case, and it certainly won’t be the last, at least for the foreseeable future.
After we blogged about this case, we received a lot of emails from victims whose credit cards seemed to have taken on a life of their own. This wasn’t necessarily connected to the site which we found, but rather indicates that there's a lack of clarity about how the data could have been stolen in the first place.
As long as credit card issuers show tolerance towards their clients, and don’t demand payment for fraudulent charges, the losses which the cardholder suffers will be limited. However, these losses will impact on the cost of service, and these costs will therefore finally be borne by customers. Even though stolen cards can be blocked, it's not much consolation for the card holder who knows that his/her home address has been published on a resource visited by criminals. Blocking a card is merely a temporary solution, both for the card holder and for the card issuer.
As stated above, Kaspersky Lab has forwarded all the relevant information to the authorities, so the case is now in their hands. However, it'll take days, if not weeks, before this story is concluded: we'll keep you posted on the developments.