Wednesday, May 6, 2015

How Hackers Profit

Today, I am a hacker.

I have breached your system; I have stolen your customer and employee data, your financial account information and your intellectual property.  I have your databases of stored email accounts and a large supply of employee personal data you did not know was stored on your system (iTunes accounts, Facebook logons, software credentials, etc.).

So now, how do I make money?  I mean, that's why I attacked you; I’m a financially motivated hacker.  I didn’t attack you because I’m a spy or I wanted to destroy your network or even to embarrass you for your corporate politics, beliefs or lifestyle.

I attacked you to make money.

The easiest play is to use the credit cards, right?  No, not really; carding is more of an art now, as it requires special know-how to circumvent address verification systems.  In addition, I need "mules" to collect the goods I buy and then reship them.

The credit cards I have stolen, I will sell or trade.  Going rate is about $.06 per card.  Alternatively, I can trade them to other hackers for services, software or exploits.

Next up is banking details.  If I have full access to your bank accounts I can make transfers to accounts I own.  Again, this takes some planning, as I need to make sure the accounts the money will be paid into are not in my real name and that as soon as the money arrives in those accounts, I transfer to a second and third account, thus hiding the trail.  This takes pre-planning and a good network of people to move the money around and extract the cash.

Now to the email address and employee/customer data.  Much of this can be sold to others who are set up to use it for various schemes like phishing to spread malware and botnets. 

I’m going to use it for advertising.  I have a program that will try to access all the email addresses, social media and other online systems by inputting the email addresses and passwords I stole.  Since 85% of people use the same password for everything, this should be very successful.

Once I access their (your employees' and customers') email and social media accounts, I’ll harvest various data sets like financials to commit fraud.  I’ll likely use the access to install ransomware, encrypting the user’s hard drives and demanding payment of about $500 to provide the password to free up the data.  However, I’ll also start impersonating the real account holder.

It’s not really identity theft, as most call it; it’s more like account takeover.

I’ll send out email and posts, comments and tweets as the true owner of the account, encouraging people to go to websites or click on links.  Why?  Because I get paid by advertisers to drive traffic to websites, with a bonus if I can get them to click on ad links (it’s called performance marketing).

The payment ranges from $2 to $200 per sign up.  So I take all the data I have, bounce through VPNs, proxies and Tor to sign your employees up for Teeth Whitening ads, Netflix, Airline Miles, Ringtones, etc.  All of these pay me cash, and the victims have no idea "How those companies got their details!"  On a good day, this will pay me $500-700/day.

Now for the other data, your intellectual property will go to the highest bidder, as there are always people interested in what new products your company has or the real numbers behind your earnings reports.  I will also extort you, offering to return the data if you pay me.  Of course, if you negotiate, it means the data is valuable and I can use that when selling to the bidders on the underground.

The vulnerability I exploited will garner cash and a reputation online when I publish it.
Equally, the software and iTunes credentials can be sold or traded on the underground market, just as accounts on various online games like World of Warcraft have a special marketplace.

So let’s see: because I stole data from you and your company, I (actually, me and the crew I work with) can:

  • Extort you, your company, your employees and your customers
  • Commit fraud against everyone's accounts
  • Sell or publicize your intellectual property
  • Impersonate everyone to drive traffic and sales
  • Sell the program I used to exploit the vulnerability in your system
  • Create a botnet to steal and monetize more data
  • Trade the data for service and build my hacker reputation
  • And if I want to, do some stalking, attack your reputation and/or spread corporate lies.


All this without actually applying myself and reading the data stolen to extrapolate other ways to use it like stock manipulation or M&A activities.

Best thing about all this is you will not try to come after me because you are afraid of the reputational damage.  You might ask the police or FBI or some LE to chase me down but that will take several years and I may not live in a country where they have jurisdiction.
See, when most breaches or attacks occur, everyone talks about the data stolen and the cost to the company to fix the "hole" but no one talks about how I, the hacker, will use the stolen data.

A cyber attack's impact depends on the motivation of the attacker.  

Crime is for money, Espionage is for secrets, Warfare is for destruction and Activism is to embarrass. 

The way the attack occurs (phishing, social engineering, malware installs, etc.) is likely the same, but what is taken and how it will be used is often dramatically different.  So is the response.  Most Incident Response deals with how the bad guys got in and stops there.  But that is only a fraction of the impact.


But then again, I’m the hacker, I encourage you to continue to do the same thing as has been done for the past 15 years when an attack occurs.  Just worry about how I got in and plug that hole.  I’ll find another hole.   

Right now, I’m busy making money off of what I stole.

Friday, January 30, 2015

The Perfect Cyber Security Firm?

What is the perfect cyber security firm? What does it offer?
This was a question asked of me at a recent talk with start-ups and people looking to get into the cyber security market.
My initial response was that "I’m not qualified to answer that" but me being me (you would understand if you ever saw one of my talks) I answered the question.
First, there is no such thing as a cyber-security firm, because that assumes the firm is engaged in protecting "cyber" and after 15+ years I’m not sure what a "cyber" is.
A firm dedicated to the protection of information is a different animal. Such a company has to address several different client requirements to include:
  • Protect the data
  • Don't slow down business
  • Educate the employees
  • React to breaches
  • Find the bad guys
  • Explain how the attack happened
  • Fix it
  • Save the client money
Most companies in the "cyber" security space focus on the "React to breaches" business as cyber breaches are no longer a matter of if but when and how many times. For many this is a great money making model and has been supported by mandatory audits, reporting requirements and legal risks.
However, that approach is limiting and given the number of new security related companies joining the mix, good or bad, the profit margin shrinks. Incident response relies on people/companies not knowing how or not having the tools to respond themselves, which is simply no longer the case.
Other firms sell equipment, software, hardware, or even claim to manage the whole security world for you, but again this is limited. Equipment and intel are only as good as the people using them. Likewise, a managed solution will require in-house actions by the client or it is a pointless service. (Lack of employee action is always blamed on the service provider.) In addition, if you do not understand the business you are selling into, you do not understand which risks on the threat matrix really apply to them or how employees will circumvent your “fix”.
The firms that will survive and expand need to change their focus.
Cyber/Information security needs to focus on information management first. What information do you have, why, who has access and how do you know?
Understanding the business implications of information and the security apparatus is equally if not more important than what type of firewall or IDS/IPS system is in place.
Clients do not often realize these two key elements as the backgrounds and educations of those in charge are narrowed to specific fields such as IT, Sales, Marketing, etc. Security touches all of those and is often a revenue generator for each if management and business principles are applied.
So back to the question: the perfect Information Security firm would address all of the client needs, starting with a business understanding and information management focus, not a "sell my limited solution" pitch.
The firm will offer threat intel that highlights the viable client risks amongst those threats. This information can be offered at low cost, as it is really a relationship builder.
Proactive security assessments that highlight potential issues based on an understanding of the data controlled, the access to it, the monitoring and, most importantly, the business itself are the growing trend. Companies need to know the risks in a language they understand so they can make informed decisions on how to address the risks.
Education or awareness programs go hand in hand with proactive assessments. These programs need to be tailored to the audience and personal in nature. In the "cyber" world, as it is misunderstood by most, personal relevance is the key to building secure practices. You learn to lock your doors because you do not want to be robbed not because your employer told you to!
Incident Response needs to give way to Incident Management. The response is the first 24-48 hours; after that, management starts, and this includes the investigation, remediation, communications (internal and external) and resiliency. Any consultancy firm needs to be able to walk their client through the whole issue and not just air drop in, do some forensics and disappear.
Managed Services is a new and tricky offering because effectiveness requires spending time understanding the clients’ business processes and procedures rather than just applying some generic filters to the monitoring. Clients are looking for a turnkey solution but unless the firm is handling five other companies in the same industry, the solution needs to be bespoke. In addition, managed services rely on a competent internal client resource to act on the information being provided. Clients need to be educated that a managed solution only works if the company is prepared to react to situations.
Remediation and Resilience are the new buzzwords because we all know "cyber" incidents occur and you have to be able to bounce back. Companies need sounding boards to in essence hold their hands and get them back to fighting strength. A firm that can offer their clients that sympathetic ear without gouging them on price will see return business. Offering general consulting contracts where the client can call anytime over the course of the year at a fixed cost per hour is one way to address this.
In my opinion, the perfect "Cyber" Security firm is proactive before the incident, responsive to the incident and reactive, post incident. Above all else, the consultancy business is based on personal relationships where you understand the client, their needs and what they want:
  • Protect the data
  • Don't slow down business
  • Educate the employees
  • React to breaches
  • Find the bad guys
  • Explain how the attack happened
  • Fix it
  • Save them money
Even if they do not.

Wednesday, December 3, 2014

Was Sony the Victim of an Activist Attack?

Last Thursday, Thanksgiving in the US, details of an extremely damaging hack into Sony Pictures began to spread across the web.

The latest reports indicate that Sony's internal communications were knocked offline and all the internal files of Sony were taken and are now readily available on the web. One report states that the data stolen totals in the terabytes.

Putting aside how it happened and why such an attack/exfiltration of data was not seen and stopped, the Sony hack is being reported as unique and a "cyber landscape game changer."

The reason for these claims is that purportedly the hack was state sponsored by the North Koreans. Even more unique is the motivation. The attack is in response to a movie Sony has produced, a comedy about killing the Premier of North Korea. (Again let’s put aside the decision to make such a movie.)

In essence, the North Koreans are upset because a company has decided to poke fun at its leader. Their ire has manifested itself in an attack to steal all the company's secrets and lay them bare to the public for inspection.

As I stated, a number of cyber security pundits are calling this unique and game changing and a new chapter in cyber-attacks. Nevertheless, they are wrong.

For years, I and several others in the information security/cyber world have been pointing out the 4 true cyber threats:

  • Crime- focus is profit
  • Espionage- focus is information theft
  • Warfare- focus is destruction of system
  • Activism- focus is to embarrass or discredit

Of the four, the last, Activism, is the scariest because of the motivation. The attacks are intended to "lay bare" a company's, government's or person's secrets. Once this data is made public, the other cyber underground actors can then use it for their purposes, namely Crime, Espionage and/or Warfare.

The attack on Sony is no different than the attack on JP Morgan or any of the "Ops" launched by Anonymous. The intention is the same. The attackers want the information to force a change and are willing to go public with it to effectuate the change. "To Hell" with all the others hurt by the attack, whose identities and credentials are now in the public domain or whose businesses will go under because the victim can no longer operate as normal. For the attacker, those companies never should have started working with such corrupt businesses, like Sony. Because making a bad comedy about Kim Jong-un, the Megalomaniac Dictator with horrible hair, makes you corrupt.

My point is that the reason for attacks is not always what we assume. The motivation of attackers is equally if not more important than the methodology of the attack. (In the Sony case, I’ll bet it turns out to be a phishing attack where malware was installed by someone with admin access to their computer and from there a version of Shamoon was installed to infect the network. Thanksgiving was the targeted launch date because it would generate the most press and potentially the most damage if the virus ran its course over the 4-day weekend, but that is just a guess.)

Companies need to understand what data they hold and how valuable it is. It’s not always about credit card or financial data.

How many deals, operations, projects have fallen apart because of leaks of information? How many will fall apart because of the Sony hack?

Stop waiting for the attack and take proactive steps to secure your company.

Sony's hack will cost upwards of $400 million by the time it’s done, all totaled. If only they had spent 1% of that on a proactive review.

One parting thought: I asked this before, but I’ll share it again. If you run a business, sit on a board or are in management in any way, you need to be able to answer these ten questions:

  1. Who specifically is responsible for information security within your company and your supply chain?
  2. What company data is the most valuable, who has access to it and why?
  3. Who decides who has access to what information stored within your company?
  4. Can you see what is coming into AND out of your system?
  5. Do you have a cyber-incident response, management, remediation and resiliency plan?
  6. Does your company have a threat awareness program for employees, management and day-to-day operations?
  7. Who is responsible for monitoring social media and the internet for threats and attack information?
  8. When was the last cyber security audit conducted, by whom and where is the report?
  9. Do you do Information Security Due Diligence on your suppliers?
  10. Does anyone in your security team think like a bad guy?

Thursday, October 9, 2014

Every Company Must Be Able to Answer These Questions

I give a number of presentations on cyber security, cyber threats and cyber investigations each year.  And by a "number" I mean 50 in the last 14 months.

No matter the talk, the audience or the venue, the follow-on question is always the same: "What do you recommend we do?"

To that end, below are 9 questions that every company must be able to answer when addressing Cyber Security issues:

Who specifically is responsible for information security within your company?

Who decides who has access to what information within your company?

What company data is the most valuable, who has access to it and what are the threats against it?

Can you see what is coming in AND going out of your system?

When was the last cyber security audit conducted, by whom and where is the report?

Does your company have a threat awareness program for employees, management and day-to-day operations?

Who is responsible for monitoring social media and the internet for threats and attack information?

Do you have a cyber incident response, management, remediation and resiliency plan?

Are you willing to go public to stop a breach?

If you can't answer these questions, you have a problem.

Wednesday, September 3, 2014

Addressing Cyberbullying

Sadly, there has been considerable news about cyber bullying and the devastating impact on its victims.
As a former Director of Security for MySpace, a former FBI agent addressing cybercrime and crimes against children and a former high school teacher, I have spent a great deal of time dealing with bullying, bullies and their victims both on and off the Internet.
The problem of bullying has been around forever and is not limited to one race, culture or geolocation. There are always those who feel the need to beat others down, often in an attempt to build themselves up. Many consider dealing with the put-downs, taunting and jabs (both verbal and physical) as part of growing up, something that just has to be dealt with. Others disagree and feel major penalties should be in place for bullying. But neither side can say definitively what is or is not bullying.
This problem is compounded by the use of social media as the primary source of interaction between kids, teens and young adults. The nuances of face-to-face communication are lost in the online world, nuances that serve as a filter on statements when we communicate in person. Compound that with the fact that online comments are not one to one but one to an infinite number of people, and the belief that the bully has anonymity behind a computer screen, and there is no stopping the mean, hurtful and degrading flow of bullying comments online.
At this point in time there are no laws that effectively address cyber bullying. The Internet and subsequently social media sites are seen as censor free zones where free speech is allowed and encouraged. But this does not mean there are not steps individuals can take to deal with cyber bullying.
  1. Do not put anything online that you would not share with your Grandma. Everything you place online stays there forever and will be used against you if a bully decides to target you.
  2. Limit access to your online world to true friends. There is no reason to befriend every person online. If you don’t know them in the real world, you should not be sharing secrets with them in the virtual world.
  3. Walk away. When a bully starts attacking you online, do not respond, do not get mad, do not retaliate; report them via the online tools and walk away.
  4. Report it. If you are being bullied or you are aware of others being bullied, report it. Every site has a way to report abuse online; in some cases you have to dig for the link, but it will be there. Report them and get their accounts shut down.
  5. Tell a Trusted Adult. 99% of what bullies say is made up. And the 1% that is not, you should embrace, as that is who you are. There is nothing so embarrassing in the world that will cause your life to be over. Talk to a trusted adult; they will help you through it.
For the adults/parents, please do not discount those who report bullying. If they are hurt enough to bring it to your attention, it means it is truly affecting them and they need your support and help. Do not judge the victim; whatever the reason for the bullying, they are victims suffering through what most adults suffered through but at 1000 times the reach.
As for websites, namely social media sites, cyber bullying is real and you must be prepared to address it. It has been reported that Ask.fm will be placing a larger abuse button near postings rather than a button labelled with a “v” symbol. Sites must have an easy and simple way for users to report abuse. And they must know they are reporting abuse by having a button that says ABUSE.
The website’s Abuse department needs to take every reported abuse posting, profile, comment etc. seriously with real penalties for abusive users, such as freezing the account, notification the account was used for cyber bullying and/or blocking that user, deleting the account and any new account they may create based on the IP addresses from which the abusive account was created and logged into from the most
Also, sites need to create a FAQ (Frequently Asked Questions) page for cyber bullying so that when a user conducts a search for bullying, the first result is the website's FAQ with a how-to for addressing the issue and staying safe online, including links to outside resources for addressing the issue.
Most in the Geek community were the targets of bullies as we grew up. And many of us have become successful in our fields in part to stick it to those bullies. Now the geek community is in a position to stop others from suffering through the humiliations we did.

Friday, August 15, 2014

Credit Card Fraud- A How To From 2002

I wrote this in 2002 when I was with the FBI as a primer for other law enforcement agencies to understand how cyber criminals were making money from stolen data.  

What's scary is how in 12 years very little from this has changed!

Hacking for Profit:
Credit Card Fraud
A Beginner's Guide
August 2002 
Revised Intro 2004



Introduction

This paper is intended to detail how financially motivated hacking groups convert stolen data to monetary instruments. The primary premise for this paper is based on Eastern European hacking groups but recently, the “financially motivated” hacker subgroup has expanded to include hackers from the Far and Middle East as well as here in the States. What the individuals are doing with the illicit profits of their activities ranges from childish purchases to funding terrorist attacks, as was detailed in the recent autobiography, “Aku Melawan Teroris” (Me, Fighting the Terrorists) by the Bali nightclub bomber. In the chapter “Hacking, Mengapa Tidak” (Hacking, Why not?), Imam Samudra, a computer scientist, provides a primer to Islamic Extremists on how to learn the trade of credit card fraud and hacking.

To quote BigBoss, from forum.Carderplanet.com, “Carding shouldn’t be something you do for fun; it is something you do to survive.”

Financially motivated hackers consider hacking and carding as their career. The employment opportunities in their home countries, particularly those whose salaries are enough to pay for the lifestyles to which these individuals have become accustomed, are extremely limited. They come from a society where the average pay is $200 per month but Internet connectivity costs $40 per month. Thus, they are willing to spend one fifth of their monthly salary to be online. A $1000 profit is more money than most Eastern European hackers have ever seen at one time.

Though they understand the process of credit cards, most International hackers do not understand the impact of committing credit card fraud. Most come from cash economies and the use of a credit card by regular citizens is extremely uncommon. They feel the attack is directed at a big corporation and not an individual. The ideas of rising interest rates, chargeback fees or economic instability are not concepts they understand, nor are they their concern. Money is the object of their actions. At the time of the first version of this paper in August 2003, many financially motivated hackers could be found chatting in the forums of the web sites carderplanet.com, shadowcrew.com and/or darkprofits.com. These sites are still referenced in this paper because the information provided on the sites is still relevant.

Since that time, many of the referenced sites have been shut down or taken over by script-kiddies and the real profiteers have moved deeper underground. Many have also become allied with organized crime groups or created their own hacking teams. Also at the time of original publication, EFnet and DALnet on IRC initiated a crackdown on channels dedicated to cybercrime. Since that time, the criminals have found loopholes in the crackdown, such as renaming the groups, attaching messages of the day (MOTD) forbidding criminal activity or making the channels private. Many of the channels have also gone native; meaning they are dedicated to a particular language group and all posts to the channel utilize that language and the corresponding slang for carding.

The point being, the groups have not gone away. They still exist and communicate on the Internet by adapting to the rules. Law Enforcement must adapt in kind. By no means is this paper intended to be the end-all authority on this crime. Comments, questions and revisions are always welcome. In addition, this paper is not a how-to; specific aspects of the schemes have been left out in order to ensure those who only use this information will fail in their attempts or more likely get caught trying.


Definitions, Concepts and Statistics

Since the readers of this paper will range from skilled investigators to neophytes, some basic terms and concepts need to be set forth. These are the definitions as they appeared online from the hackers, carders and fraudsters.

Hacker - Individual who gains unauthorized access to computer networks and systems

Carder - Individual who uses stolen data, usually credit cards, to fraudulently purchase items or convert the credit into cash.

Credit card - a monetary instrument, often referred to as plastic, used in place of cash to make purchases. Credit cards are assigned to entities and have specific monetary limits and an interest rate associated with payoff. Since credit cards do not have to be paid off each month, the available limit will fluctuate. Visa or MasterCard does not issue Visa and MasterCard credit cards. They are issued by an issuing bank in conjunction with a use agreement between the bank and Visa or MasterCard. This agreement is for the use of the Visanet or the MasterCard equivalent for verification and authorization of the card.

Charge card - same as a credit card; however, a charge card must be paid off each month or risk an extremely high interest rate or the card being shut down.

Debit Card - Card associated with a bank account and limited by the amount of money in said account, which resembles the credit card by the method of purchase. However, these cards may only be used with the owner's Personalized Identification Number.

Hacker knowledge

Below is the “Beginning Carders Dictionary” as posted online by the Russian hacker, KLYKVA, on forum.carderplanet.com. It is presented in its original form to illustrate the level of knowledge from which these individuals are working.

Bank-emitent (Issuing bank) - bank which has issued the card
Billing address - the card owner address
Drop - innerman. His task is to receive the money or goods and accordingly, give the part of the earnings to you.
Drop/Pick-Up guy/Runner - person or location that is setup to accept packages or to receive the money. He should be paid nicely for this position.
Billing - office, which has agreement with a bank and assumes payments for the cards.
COB - Change of Billing address
Card bill - a Bank emitent card bill.
Bank-aquirer - bank, in which the store opens the account.
Merchant account - bank account for accepting credit cards.
Merchant Bank - bank, through which occur the payments between the buyer and the seller (frequently it is used as synonym “bankequirer”).
Cardholder - owner of the card.
Validity - suitability of card.
White plastic - a piece of pure plastic, where the information is plotted/printed.
CR-80 - rectangular piece of pure white plastic (without the drawing image) the size of a credit card with the magnetic strip.
Transaction - charge to the credit card
POS terminal (Point Of Sale terminal) - reading card device, which stands at commercial point.
PIN-code – (Personal Identification Number) the sequence, which consists of 4-12 numbers, known only to the owner of card. A simple word password for an ATM and so on.
AVS - the card owner address checking. It is used for the confirmation of the card belonging exactly to its holder.
“Globe” - card holographic gluing with the image of two hemispheres (MasterCard).
Pigeon (hen) - card holographic gluing with the image of the flying pigeon (VISA).
Reader - information reading device for the readout from the magnetic strip of card.
Encoder - read/write device for the magnetic track of the card.
Embosser - card symbol extrusion device.
Card printer - card information printing device.
Exp.date - card validity period.
Area code - the first of 3 or 6 digits of the card owner’s phone number.
CVV2, cvv, cvn - 3 or 4 additional numbers, which stand at the end of the number of card.
ePlus - program for checking the cards.
BIN - first 6 numbers of the card number which make it possible to learn what bank issued the card and what type of card (ATM-card, credit, gold, etc.). Synonym of word “Prefix”.
Chargeback - the cardholder’s bank voids the removal of money from its card.
Dump - information, which is written to the magnetic strip of the card, it consists of 1,2 or 3 tracks.
MMN - Mothers Maiden Name (generally the primary account holder’s mother)
Track (road) - a part of the dump with specific information. Every 1st track is the information about the owner of the card.
2nd track - information about the owner of card and about the bank who issued the card, etc. 3rd track - it is possible to say - spare, it is used by stores for the addition of the points and other.
Slip - synonym to the word “cheque” (conformably to card settlings).
Card balance – amount of credit remaining for spending in the card account.
Automated Clearing House (ACH) - a voluntary association of depositors that clears checks and electronic units by the direct exchange of funds between the members of the association.
Continuous Acquisition and Life-cycle Support (CALS) – the integrated system of production support, purchase and operation. This system makes it possible to computerize all data about the design, development, production, servicing and distribution of the product.
Debit Card - a card that is used like a credit card but debits the buyer's account directly at the moment of the purchase of goods or services.
Delivery Versus Payment (DVP) - a settlement system for securities transactions that guarantees delivery will occur only if payment is made, and at the moment of payment.
Direct debit - a method of collecting payments, mainly recurring ones (lease payments, insurance premiums, etc.), in which the debtor authorizes his financial establishment to debit his current account when it receives a payment request from the indicated creditor.
Electronic Fund Transfer (EFT) - a transfer of funds initiated from a terminal, telephone or magnetic medium (tape or diskette) by sending instructions or authorization to a financial establishment to debit or credit an account (see Electronic Fund Transfer/Point of Sale - EFT/POS).
Electronic Fund Transfer/Point of Sale (EFT/POS) - debiting from an electronic terminal in order to transfer funds from a buyer's account in payment of obligations that arose in the course of a transaction at the point of sale.
Integrated Circuit (IC) Card - also known as a chip card. A card equipped with one or several computer microchips or integrated circuits for identification and for storing or processing data, used to authenticate the personal identification number (PIN), authorize purchases, check the account balance and store personal records. In certain cases, the card memory is updated during each use (updated account balance).
Internet - the open worldwide communication infrastructure, which consists of interconnected computer networks and provides access to remote information and information exchange between computers.
International Standardization Organization (ISO) – an international organization that carries out standardization, headquartered in Geneva, Switzerland.
Magnetic Ink Character Recognition (MICR) - a system that provides machine reading of the information printed in magnetic ink in the lower part of the check, including the check number, the department code, the amount and the account number.
RSA - an encryption and authentication technology developed in 1977 at MIT by Rivest, Shamir and Adleman, who subsequently opened their own company, RSA Data Security, Inc., purchased recently by the company Security Dynamics Technologies, Inc.
Real-Time Gross Settlement (RTGS) - a payment method in which funds are transferred for each transaction as the payment instructions are received. It decreases the payment risk.
Smart Card - a card equipped with an integrated circuit and microprocessor, capable of carrying out calculations.
System risk - the risk that the inability of one payment system participant, or of financial market participants as a whole, to fulfil their obligations causes the inability of other participants or financial establishments to fulfil their obligations (including settlement obligations in funds transfer systems) properly. This failure can cause significant liquidity or credit problems and, as a result, can threaten the stability of financial markets (with a subsequent effect on the level of economic activity).
Truncation - a procedure that makes it possible to limit the physical movement of a paper document (in the ideal version) to the bank of first presentation, by replacing it with the electronic transfer of all or part of the information contained in the document (check).
Card Balance - Current used Credit
Avail Credit - Actual credit avail for Spending
Cash Advance Avail - Actual amount avail as Cash for ATM usage.
LE - Law Enforcement, Coppers, Piggies, The Fuzzzzzzzzzzzz
Lappie - Laptop

Communication Methods

As in all endeavours, hackers and carders need a means or several means of communication. Given the international make-up of most hacking groups and the fact of Cybercrime being truly borderless, the communication methods chosen by these groups must be internationally accessible, cost effective and have a high level of anonymity. Listed below are several of the primary communications methods used by hackers and carders:

IRC - Internet Relay Chat, a series of interconnected computer servers on various networks, which enable users to chat in channels and one to one. The channels are also referred to as rooms and are controlled by the user who first established the room.
ICQ - America Online (AOL) owned peer-to-peer chat application. Chat rooms can be established within the ICQ network but entrance is by invitation only.
AIM - AOL Instant Messenger
Forums - Website sponsored bulletin boards where public and private messages can be posted about various topics. Examples: forum.carderplanet.com, eraser.hostmos.ru, www.darkprofits.com and www.carderclan.net
Email - Electronic mail

A Credit Card (VISA) Transaction

There are two parts to every transaction. First, a customer presents a Visa product, usually a card, to a merchant, who needs immediate authorization of the transaction. Second, at the end of the day, the merchant needs to receive the funds for the transaction via its financial institution and ultimately from the customer’s issuer. The specifics will vary depending on transaction type, complexity, technology, and processing services but the typical flow is illustrated here.



How a Purchase is Made

Authorization at the Point of Sale
Maria presents a Visa card (credit or debit) at ABC Stores. ABC uses an electronic terminal or the telephone to request an authorization from its financial institution (DEF Merchant Services).

DEF checks to see if the account is valid and has sufficient funds. It sends an authorization request message, including months before the theft. During the theft portion, the hackers begin to glean specific information, i.e., credit card numbers, from the system as needed. The theft phase can last for years and the hackers usually leave a very small footprint of their activities. The dump stage occurs when the hackers steal everything in a very “noisy” manner. This stage is used to burn all those “script-kiddies” and “lamerz” who are taking advantage of the original hackers’ backdoors. The dump phase usually results in press coverage and the “red-flagging” of all the credit cards in the system at that point in time. The victim company makes security changes and over time lets its guard down. The hackers then attempt to use the old backdoors they created. If they are still in place, the theft stage begins again.

The hacks normally take advantage of known vulnerabilities that have not been patched by the various victims. Most hacks occur against Microsoft Windows platforms and utilize the Msdac exploit, the MSSQL exploit or the IIS exploit. A wealth of information is available about these exploits on the Internet. The truly skilled hackers have developed their own tools and place backdoors on systems, such as installing Telnet and secure shell daemons on high port numbers or creating their own user IDs and passwords after installing a sniffer to steal the root-level passwords. These are the first things System Administrators should look for, as well as changing all root-level passwords via face-to-face meetings with all root-level users. A password change sent via email will be intercepted if a sniffer has been installed on the system. Sometimes the hack is automated using a “bot”, which makes it impossible for the System Administrators of the victimized networks to stop because they are physically not fast enough to fight the bot. The only way to stop the bot is to take the network offline.
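The two checks recommended above (remote-login daemons on unexpected ports and accounts nobody created) can be scripted against a known-good baseline. This is an added example, not part of the original paper; it assumes a Linux host, `ss -H -tlnp` output and `/etc/passwd` content, and the sample data, baseline sets and function names are constructed for illustration.

```python
import re

# Daemons that give an interactive login; the text names Telnet and secure shell.
REMOTE_LOGIN_DAEMONS = {"sshd", "dropbear", "telnetd", "in.telnetd"}

# Constructed sample of `ss -H -tlnp` output from a Linux host (not real data).
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 511 0.0.0.0:443 0.0.0.0:* users:(("nginx",pid=901,fd=6))
LISTEN 0 128 127.0.0.1:5432 0.0.0.0:* users:(("postgres",pid=733,fd=5))
LISTEN 0 128 0.0.0.0:31337 0.0.0.0:* users:(("sshd",pid=4410,fd=3))
LISTEN 0 5 [::]:50023 [::]:* users:(("in.telnetd",pid=4522,fd=0))
"""

# Constructed sample of /etc/passwd content (not real data).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
sysupd:x:0:0::/var/tmp:/bin/sh
backup2:x:1003:1003::/home/backup2:/bin/bash
"""

# Assumed baseline, recorded while the host was known to be clean.
APPROVED_LISTENERS = {(22, "sshd"), (443, "nginx"), (5432, "postgres")}
BASELINE_USERS = {"root", "daemon", "www-data", "alice"}


def parse_listeners(ss_output):
    """Return (port, process) pairs for every listening TCP socket."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        port = fields[3].rpartition(":")[2]  # handles 0.0.0.0:22 and [::]:22
        if not port.isdigit():
            continue
        proc = re.search(r'users:\(\("([^"]+)"', line)
        listeners.append((int(port), proc.group(1) if proc else "unknown"))
    return listeners


def audit_listeners(ss_output, approved):
    """Flag every listener that is not an approved (port, process) pair.

    Process names can be changed by whoever installed the daemon, so any
    listener outside the baseline is reported, not only known login daemons.
    """
    findings = []
    for port, proc in parse_listeners(ss_output):
        if (port, proc) in approved:
            continue
        if proc in REMOTE_LOGIN_DAEMONS:
            where = "high port" if port >= 1024 else "unapproved port"
            findings.append((port, proc, f"remote-login daemon on {where}"))
        else:
            findings.append((port, proc, "listener not in baseline"))
    return findings


def audit_accounts(passwd_text, baseline_users):
    """Flag accounts missing from the baseline and extra UID 0 accounts."""
    findings = {}
    for line in passwd_text.splitlines():
        parts = line.split(":")
        if line.startswith("#") or len(parts) < 7:
            continue
        user, uid = parts[0], parts[2]
        reasons = []
        if user not in baseline_users:
            reasons.append("account not in baseline")
        if uid == "0" and user != "root":
            reasons.append("UID 0 besides root")
        if reasons:
            findings[user] = reasons
    return findings


if __name__ == "__main__":
    for finding in audit_listeners(SAMPLE_SS, APPROVED_LISTENERS):
        print("LISTENER", finding)
    for user, reasons in audit_accounts(SAMPLE_PASSWD, BASELINE_USERS).items():
        print("ACCOUNT ", user, reasons)
```

On a host that may already be compromised, collect the input from trusted tooling or an offline image, since local binaries can be replaced to hide a listener.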

Investigations thus far indicate the following items are being stolen for use in various schemes detailed later in this paper:
Credit card databases
Personal information (name, address, telephone numbers)
Bank accounts
Bank routing numbers
Social Security numbers
Email addresses and passwords
Computer logon names and passwords
ACH transfer records
Merchant accounts
Order histories
Client lists
Partner lists
Company telephone directories
Website Source code
Shipment tracking numbers
Ebay accounts
Escrow accounts
Proprietary Software

Getting Credit Cards

Of all the data sought by hackers, credit card databases are the highest priority. This is because they are the easiest to use. There are nine basic methods to obtain credit card numbers:

Phishing – This is the practice of sending fraudulent e-mails that appear legitimate. The email often appears to be from a bank or financial institution and requests that the recipient update their account information by utilizing the link included in the email. The link takes the recipient to a bogus web page where all the requested information is captured and later transmitted to a site controlled by the criminal for their use in cybercrime. Amongst the information often requested are the recipient’s social security number, credit card number, PIN and CVV2.

Buy – There are literally thousands of “Vendors” on web sites such as Forum.carderplanet.com, darkprofits.net and Shadowcrew.com willing to sell dumps of credit cards at varying rates. If a carder knows how to use cards, expending $200 up front for cards is easily recouped.

Trade – Through the different communication methods discussed above, hackers and carders trade credit cards online. Many cards are offered free of charge. The individual who stole the cards often has used these cards for fraudulent purchases. They are then offered to the community as a whole with the intention of having multiple people use the cards. Law enforcement will therefore have a harder time identifying the original hacker from the various carders.

Generate – There are numerous software packages freely available on the Internet that generate credit card numbers. Many of the programs use a secure algorithm just like the legitimate credit card companies. The problem for the carder with generated cards is that less than 1% of the cards are valid. This means the carder will need access to a means of checking validity and obtaining authorization before trying to commit fraud. A common method would be a merchant account.

Visa and MasterCard do not issue or generate cards; however, they allow banks to issue cards with the respective logos/brands. American Express differs from Visa and MasterCard in this respect. American Express controls all cards and card numbers using their logo. American Express actually generates card numbers in advance, which are stored in an active state awaiting issuance to a customer. If a carder generates one of the stored American Express cards, any merchant receiving the card for payment will receive authorization for the purchase.

Extrapolate – Once a Carder obtains a valid card through any of the different means listed herein, he can extrapolate additional cards based on the valid card number and the expiration date. Various extrapolation programs are freely available on the Internet. These programs utilize the valid card as a base for creating additional cards, particularly the first six digits. Extrapolation increases the likelihood of obtaining valid credit cards to approximately 18-20%. Once again, a method to determine the validity via authorization is required.
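Because generated and extrapolated numbers share a prefix and mostly fail authorization, a processor or merchant can spot the validity checking described above in its own authorization log. This is an added example, not from the original paper; the log fields, thresholds, sample events and function names are assumptions, and cards are identified only by BIN and last four digits.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def find_card_testing(events, window=timedelta(minutes=10),
                      min_cards=8, max_approval_rate=0.25):
    """Flag a source that tries many distinct cards under one BIN in a short
    window while most of the attempts are declined."""
    by_key = defaultdict(list)
    for ev in events:
        by_key[(ev["source"], ev["bin"])].append(ev)

    findings = []
    for (source, bin6), evs in by_key.items():
        evs.sort(key=lambda e: e["ts"])
        recent = deque()   # events inside the sliding window
        worst = None       # widest offending window seen for this key
        for ev in evs:
            recent.append(ev)
            while ev["ts"] - recent[0]["ts"] > window:
                recent.popleft()
            cards = {e["last4"] for e in recent}
            rate = sum(e["approved"] for e in recent) / len(recent)
            if len(cards) >= min_cards and rate <= max_approval_rate:
                if worst is None or len(cards) > worst["distinct_cards"]:
                    worst = {
                        "source": source,
                        "bin": bin6,
                        "attempts": len(recent),
                        "distinct_cards": len(cards),
                        "approval_rate": rate,
                        "window_start": recent[0]["ts"],
                    }
        if worst:
            findings.append(worst)
    return findings


def sample_events():
    """Constructed authorization log; BIN 400000 is a placeholder value."""
    t0 = datetime(2015, 5, 6, 3, 0, 0)
    events = []
    # One client working through numbers under a single BIN: 10 tries, 2 approved.
    for i in range(10):
        events.append({"ts": t0 + timedelta(seconds=30 * i),
                       "source": "203.0.113.7", "bin": "400000",
                       "last4": f"{1000 + 7 * i:04d}", "approved": i in (3, 8)})
    # A busy store whose customers share a local bank's BIN: nearly all approved.
    for i in range(9):
        events.append({"ts": t0 + timedelta(seconds=40 * i),
                       "source": "store-12", "bin": "400000",
                       "last4": f"{2000 + 13 * i:04d}", "approved": i != 4})
    # A shopper retrying one declined card: many attempts, one distinct card.
    for i in range(9):
        events.append({"ts": t0 + timedelta(seconds=20 * i),
                       "source": "198.51.100.20", "bin": "400000",
                       "last4": "4242", "approved": False})
    return events


if __name__ == "__main__":
    for f in find_card_testing(sample_events()):
        print(f"{f['source']} BIN {f['bin']}: {f['distinct_cards']} cards, "
              f"{f['approval_rate']:.0%} approved since {f['window_start']}")
```

The busy store and the single retried card stay below the thresholds, which is why the rule requires both many distinct cards and a low approval rate.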

Fake Shops – It seems every business must now have a presence on the Internet in order to do business. Couple this fact with the public’s belief that web sites are not easy to set up. It is not difficult to understand why many feel that if the company has a nice web site, the company must have money and be a reputable company. Many hackers and carders will use these beliefs to their advantage by setting up fake online shops offering products for sale at cut-rate prices. Good hackers and carders will spend the extra time to post fake recommendations on rating sites to help move their fake shop into the top ten slots on search engines.

When customers place an order at the shop, they will be informed via email that their product will be shipped in 4-6 weeks. While the customer is waiting for their product, the shop owners continue to collect credit card numbers. At this point, there are three possible scenarios:

The first is that the product is simply not shipped and the credit card is never charged. The second is the product is not shipped but the credit card is charged. In the third scenario, the product is shipped and the customer is happy. The details of this scheme will be covered in depth later in the paper but, in all three scenarios it should be noted, the hackers and carders received legitimate credit card numbers with full information.

Intrusions - The method of obtaining credit cards that has received the most press is Intrusion. The hacker simply gains unauthorized access to a system and steals the database. The systems targeted by hackers include the following:
Online shops running shopping cart programs
E-Commerce payment solution sites, which handle online orders for online shops
Credit Card processing companies such as Authorize.net, creditcards.com and CCBill.com
Online monetary exchange sites where a person can purchase monetary units using credit cards
Online Casinos
Pornographic websites (victims often do not notify Law Enforcement of intrusions)
Banks and Financial institutions

Each of these targets will have credit card information stored in some variation. Some will include full information including CVV2 numbers while others will simply store the credit card number and expiration date.

Identity Theft - This method is labor and time intensive but, once the credit card is obtained, the card is valid and often has a high credit limit. Using stolen identities, the carder simply applies for a credit card. How the identities are obtained ranges from simple web searches to buying access to ChoicePoint or LexisNexis to gain data from their databases. This scheme will also be covered more in depth later in this paper.

Social Engineering (SE) - By far the most low-tech method of obtaining information, the hackers and carders will simply try to get the individuals to provide the information. This is done through telephone calls, faxes or email. A very common SE method is the email sent to particular customers stating there is some issue with their account. The customer is asked to log on using the link contained in the email. Once the customer logs on, all the information they input into the web site is collected for use by the hacker. When the individual selects the submit button on the web page, a message stating some computer glitch appears and the customer is asked to select the continue button which will redirect the customer to the legitimate site and the customer re-enters their information. This time, the proper site accepts whichever change the individual makes, and the customer has unknowingly provided the hacker/carder with full account information. This method has been reportedly used for gathering email, PayPal, bank and credit card account information.

The Schemes
Each hacking and carding group tries to develop its own original scheme to make money from the stolen data; however, there are several primary schemes for converting stolen data into cash or product upon which all the others are based. Below, the primary schemes and a few widely used variations are detailed. It is important to note that the variations are only limited by the imagination and knowledge of the subjects.

Sell - The easiest and quickest method to make money from stolen cards is to simply sell them online. The sale of card data is called a “dump” in which the hacker/carder offers the data for trade or sale, often track 1 and 2. The going rate online is approximately $.35-$.50 for credit card numbers and expiration dates. Cards with full subscriber information and CVV2 numbers range in price from $2.00 to $4.50. In addition, cards are sold based on their verified credit line i.e., $100 for a card with an available credit line of $10,000.

Auction Fraud - Also an incredibly easy scheme, auction fraud has been somewhat limited by the establishment of online escrow companies. However, note, fake online auction companies can easily be created as well. In this scheme, the subject simply posts a fake auction item and sells it to the highest bidder. The buyer sends the seller money or a credit card number but never receives the product.

A couple variations of this scheme are as follows:

A. The hacker/carder uses the stolen credit card to make purchases of auction items. This can be done on a person-to-person sale or using an escrow account. If an escrow account is involved, the hacker/carder will either open an escrow account based on the stolen information or will steal an escrow account and use whatever funds are in the account to make purchases. The purchases will be shipped to a drop and picked up later by either the subject or his associate to be re-packaged and shipped elsewhere, usually overseas. The use of a drop and an associate is called a trans-shipper. How trans-shippers are obtained is discussed later.

B. The second variation is more sophisticated and forces the escrow account to serve as a money laundering conduit. The hacker/carder will open several escrow accounts, one based on a bank account controlled by the hacker/carder and the others based on stolen credit card or bank account information. Often times neither account is in the subject’s true name. The real account is used to post numerous online auctions. The auctions take place for a limited period and the hacker wins his own auctions using one of the fraudulent accounts. This fraudulent account is then used to pay the escrow company. The seller informs the escrow company the product has been sent, the buyer states he received the product and instructs the escrow company to release the funds. The funds are transferred to the real escrow account, from which they are immediately withdrawn and transferred to a bank account or withdrawn via an ATM. At no time during the transaction did any product change hands. All the money was transferred via the escrow company; thus, in 30 days, when the cardholders whose cards were used for the fraudulent accounts file chargebacks, the chargeback is sent to the escrow company.

Fraudulent Purchases - This scheme is also simple in that the hacker/carder simply makes a purchase online using the stolen credit card. The difficulty for this scheme is that merchants often will not ship overseas; therefore, the subjects need an address within the U.S. to which to ship the product. For Fraudulent Purchases, the hacker/carders need a drop, a person or location to send the packages to without identifying themselves. Drops can be obtained in various ways...

The most common is to post on a hacker/carder forum the need of a partner and establish a working relationship with whoever answers the postings.

Drops can also be obtained by posting a job offer on Hotjobs.com or Monster.com for an individual to work at home. Individuals will be paid via Western Union to accept and repackage items and send them overseas. A skilled Social Engineer can convince people of the legality of accepting packages in this method and the newly hired employee is unaware they are facilitating a crime. When it comes to paying these employees, the hackers/carders vary as well.

Many will simply not pay their employees and leave them “holding the bag” when complaints are filed. Others choose to pay their employees through Western Union. Still others act as if they are paying the employee by sending them a counterfeit check.

The checks will be drawn for substantially higher amounts than are owed the new employee. When the employee comments regarding the value of the check, the employer states it was an oversight and asks the employee to simply wire the employer the remaining funds after the subtraction of the monies owed the employee plus a bonus for being honest. The employee sends the wire transfer overseas and two to three days later finds out the check is counterfeit. The employee is out not only their salary but also the amount wired overseas.

The third variation is called COB (change of billing). Most credit card companies allow their customers online access to their account. With this online access, the customer can change billing addresses, telephone numbers, passwords and so on. The intriguing aspect is that most people do not activate their online access. When a hacker/carder steals a credit card with full information, they can then go online and change the billing address to match that of one of the drops they control. The COB is extremely useful when the company the items are being purchased from will only ship to the billing address.

If the drop is worried about having the packages shipped to their address, P.O. boxes are used, and an ingenious method is to send the packages to vacant homes. An individual can contact a local real estate agent to determine which homes are for sale and when the occupants plan to move out. During the brief time the house is vacant, the drop can simply pick up the packages from the mailbox of the vacant house.

A final variation involves some sophistication, but it limits the need for an associate. When an item is fraudulently purchased, the hacker/carder has the package shipped to the credit card holder’s real address. A slow shipment method is requested as well as a fax or email of the scanned shipping bar code. When the hacker/carder receives a copy of the shipping bar code, they can utilize a bar code scanner to read the code. They then contact the shipping company, provide the information contained in the bar code and a change of the shipping location. The new cost for the shipment is billed to the defrauded company or can be charged to another stolen credit card.

Merchant Account - One of the more popular schemes is Merchant Account fraud. In this scheme, the hacker steals the credit card database of one company and the merchant account of a second. The carder charges an amount on each card to the merchant account. Once the charges have cleared, approximately one hour later, the carder issues a refund from the merchant account for the total amount charged on the cards to the hacker controlled debit card account overseas.

A “drop” is then used to retrieve the stolen money from the ATM using the hackers’ debit card and the money is forwarded via Western Union, Money Gram or Webmoney to the hacker. Often times the money is bounced through several bank accounts before reaching the hacker/carder or the hacker/carder will forego the use of a drop and pick up the money themselves. The victim is not aware of the charges and the refund until their merchant account is reconciled, usually at the end of the month. When the card members notice the unauthorized charges on their cards, they request the charges be cancelled. This results in a charge back to the merchant for the cost of the charge as well as a fine for bad charges.
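The merchant does not have to wait for month-end reconciliation to see this pattern: a refund to a card that was never charged on the account stands out as soon as it is issued. The check below is an added example, not from the original paper; the ledger layout, card tokens, two-hour lookback and function name are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from decimal import Decimal as D


def find_unmatched_refunds(ledger, lookback=timedelta(hours=2)):
    """Flag refunds that exceed what was previously captured on the same card.

    ledger rows are (timestamp, "sale" | "refund", card_token, amount).
    Each alert also reports how much was charged to *other* cards shortly
    before the refund, which ties a payout back to a burst of charges.
    """
    net_sales = defaultdict(D)   # card token -> captured minus refunded so far
    sales = []                   # (timestamp, card token, amount) of every sale
    alerts = []
    for ts, kind, card, amount in sorted(ledger, key=lambda row: row[0]):
        if kind == "sale":
            net_sales[card] += amount
            sales.append((ts, card, amount))
        elif kind == "refund":
            covered = min(amount, net_sales[card])
            excess = amount - covered
            net_sales[card] -= covered
            if excess > 0:
                recent_other = sum(
                    (a for t, c, a in sales if c != card and ts - t <= lookback),
                    D("0"),
                )
                alerts.append({
                    "time": ts,
                    "card": card,
                    "refund": amount,
                    "excess": excess,
                    "recent_sales_on_other_cards": recent_other,
                })
    return alerts


# Constructed ledger for one merchant account (tokens, not card numbers).
SAMPLE_LEDGER = [
    # Ordinary full refund: same card, same amount.
    (datetime(2015, 5, 6, 9, 0), "sale", "tok_A", D("40.00")),
    (datetime(2015, 5, 6, 9, 30), "refund", "tok_A", D("40.00")),
    # Two partial refunds; the second overshoots the sale by 10.00.
    (datetime(2015, 5, 6, 10, 0), "sale", "tok_E", D("100.00")),
    (datetime(2015, 5, 6, 11, 0), "refund", "tok_E", D("30.00")),
    (datetime(2015, 5, 6, 11, 30), "refund", "tok_E", D("80.00")),
    # Burst of charges on three cards, then one refund of the total
    # to a card that was never charged on this account.
    (datetime(2015, 5, 6, 14, 0), "sale", "tok_B", D("250.00")),
    (datetime(2015, 5, 6, 14, 2), "sale", "tok_C", D("250.00")),
    (datetime(2015, 5, 6, 14, 5), "sale", "tok_D", D("250.00")),
    (datetime(2015, 5, 6, 15, 10), "refund", "tok_Z", D("750.00")),
]


if __name__ == "__main__":
    for alert in find_unmatched_refunds(SAMPLE_LEDGER):
        print(f"{alert['time']} refund {alert['refund']} to {alert['card']}: "
              f"{alert['excess']} not backed by a sale; "
              f"{alert['recent_sales_on_other_cards']} charged to other cards "
              f"in the preceding window")
```

Holding flagged refunds for manual approval blocks the payout step while leaving ordinary same-card refunds untouched.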

Western Union/Money Gram/Egold - This scheme is similar to fraudulent purchases; however, what is purchased is credits, which can be translated into cash or traded for goods. The hacker/carder uses the stolen credit card as collateral for online monetary units such as money orders, Egold dollars or Webmoney dollars. The use of these monetary mediums is expensive in terms of fees and percentages but, since the money is stolen in the first place, hackers/carders do not complain about the charges.
A hacker/carder can use these online dollars to purchase money orders at Western Union and have the money orders forwarded to companies to pay for goods and services. A notable purchase through money orders is the monthly payment for maintenance of websites associated with hacking or carding.

Bank Attacks - Bank account information can be used for opening escrow accounts, online brokerage accounts (i.e., E*trade, Datek or Ameritrade) or initiating wire transfers. Currently, most banks with an online presence do not allow wire transfers online for the regular customer. However, brokerage accounts and corporate accounts issue credit cards and do allow online wire transfer requests. These accounts often have a significant credit limit or bank balance. These are the targets of the truly financially motivated hackers and their organized crime backers. In order to cause a wire transfer to travel overseas, the hackers will have to compromise the SWIFT transfer system. It has been reported online that several hackers have found a way to compromise the system, but no reported cases have been found.

For wire transfers in the United States, the Automated Clearinghouse (ACH) network is used. A hacker who has researched the ACH system could cause an ACH re-route to occur, thus having money deposited into a hacker-controlled bank account, which could be accessed online or through International ATM machines. Most companies allow and encourage the use of direct deposit for paychecks and accounts receivable transactions. These transactions utilize the ACH network. If the company uses an outside payroll company or accounting firm, they very likely use an outside company to handle all ACH transfers. These ACH transfer companies are the targets for hackers. If a hacker can gain access to an ACH processing company, they can change the database to reflect a new bank account for a client. This will cause all transfers normally sent to the victim’s bank account to be re-routed to the new bank account controlled by the hacker/carder. If the new account is a corporate account, the bank has 72 hours to clear the transaction. After 72 hours, any discrepancies are the responsibility of the bank. In essence, a re-route of an ACH transfer for one week could bankrupt a company.

Identity Theft - When a hacker/carder steals personal data from any location, this information can be used to create fake IDs (known as novelty IDs to hackers), credit cards, bank accounts, loans and numerous other fraudulent media. If a hacker obtains a Social Security Number (SSN), they can use that information to apply for credit cards online in the real name of the SSN holder. They can also open bank accounts online at sites such as NetBank.com. These bank accounts will have credit cards or debit cards associated with them, which can be sent via a re-mailer, trans-shipper or U.S. based associate to the hacker/carder’s location. A notable trend has been the use of stolen credit cards to buy access to information sites such as Consumer Info, ChoicePoint or LexisNexis. From these sites, the hackers/carders can identify addresses and telephone numbers for cardholders whose cards were stolen but the full cardholder information was not obtained. These sites and the information provided by them have enabled hackers/carders to commit identity theft at will.

Fake Sites - Similar to the fake store sites detailed above, hackers/carders will create fake auction, escrow and bank sites. As stated above, the three possibilities for these shops are:
the product is not shipped and the card is not charged
the product is not shipped and the card is charged or
the product is shipped and the card is charged.

If the product is not shipped and the card is not charged, the hacker is simply collecting cards to use later. Often times the customer will forget about the purchase or will not worry about the lack of receipt because their card was never charged. If the product is not shipped and the card is charged, the hacker was just stealing the money and will have to re-establish the fake site under a different name after approximately 6 weeks. The customer will often complain in these cases, resulting in a chargeback to the fake site’s merchant account. When the chargeback is not paid, the merchant account will be shut down and the hacker will start afresh.
If the product is sent and the card is charged, then the hackers have coupled their schemes, meaning they are using one of the other schemes to obtain products to then sell on their site. The stolen goods will be shipped to the unsuspecting customer per the deal, but the hacker/carder will now have the customer’s credit card. If the hacker/carder is patient and waits three to six months before making a charge, it will be nearly impossible for the customer to determine from which site the card was stolen. The added bonus is that if the original retailer of the re-sold goods reported the serial numbers of the equipment as stolen, when the new customer tries to register the equipment, it will red flag the customer. By the time the transactions are sorted out, the hackers/carders and their site will be long gone with the money from the sale of stolen merchandise.

Extortion – When all other methods have been exhausted, many of which have been successful, hackers and carders will turn to basic extortion to obtain money. The most common extortion is phrased similar to the following: “Hello, I have found holes in your system, for $2000 dollars I will fix the holes and make sure no other hackers gain access to your system. I would hate to have to tell your customers about your lack of security.” This threat usually comes in the form of an email or fax. If the victim does not respond, a second email and/or fax will be sent stating that if the victim does not pay, the extortionist will be forced to post the stolen information on the Internet. The interesting thing about extortion is that often two or more members of the group responsible for the intrusion and theft will try to extort the same company independently. This results in confusion for the victim and the extortionist.

DDOS – Distributed Denial of Service (DDOS) attacks are not often considered part of profit making, but recent trends show that DDOS attacks are being used in association with extortion. Once hackers have created a BotNet with tainted files/programs (containing a virus/worm payload as well as an IRC client with instructions to call home periodically), viruses, file sharing downloads (warez, mp3s, etc.) or straight hacking, DDOS attacks will be launched, knocking particular sites offline for days at a time. (Those sites on the same network as the targeted site will suffer a loss of service as well, making them collateral damage and future extortion victims.) Victims will often pay extortionists the requested sum rather than suffer the loss of business. Some enterprising individuals, known as botmasters, who have successfully built large botnets, will hire themselves out. They are in essence cyber mercenaries willing to DDOS any and all sites if the price is right.

Collecting the Money
Once all the fraud is committed and the profits have been reaped, the hackers and carders need to convert the money to cash. The most common request is to have the money wired via WesternUnion (WU). For a small percent of the profit, WU clerks in Eastern Europe will look the other way if the recipients’ Id does not match the name of the individual retrieving the cash. If a passphrase is used, there is no need for an Id. Finally, WU transfers can be used to fund ATM cards, which then require no ID’s and no personal contact to obtain the funds. All of the schemes allow the hackers and carders to convert the money into electronic credit that must be sent to a bank account or e-currency repository. These repositories can be as simple as an online bank account such as NetBank and INGDirect or normal bank accounts at banks that have less stringent banking requirements, i.e., off shore banks in Latvia, the Republic of Nauru or Cyprus. The problem with these methods is the paper trail associated with keeping money in a bank. With the advent of e-currency/online escrow accounts, came the advent of e-currency ATM cards, also known as pre-paid credit/debit cards. These cards can be purchased for a small fee and funded using any of the e-currencies currently available including, EVOCash, Egold, LogixPay, eBullion, GoldMoney, Pecunix and NetPay. The cards are in essence pre-paid ATM cards that are funded by sending money to the particular e-currency broker. The cash is then withdrawn at any ATM that accepts the respective ATM cards.

Providers of prepaid debit cards or e-currency ATM cards include SwiftPay, WMcards, Ecount, Wired Plastic, Green Card, Citi Cash Card and Eufora, as well as cards issued by the e-currency companies and hundreds of others. Many enterprising subjects have set themselves up as middlemen for the carders. These individuals set up online businesses that handle the money-laundering and stolen property sales (“consignment shops”) aspects of the schemes for the carders. The sites will offer bank accounts, debit cards and drop addresses to the carders in exchange for a fee. The carders will then have the profits from extortions, PayPal fraud, auction fraud or any of the other schemes deposited into the account or shipped to the address. However, no real bank account will be set up for the carders. The site owner will open one bank account and, using an Excel-type spreadsheet, assign accounts to each of his clients. When money is deposited into the bank account of the site owner, a special denotation will be required indicating into which client account the money is to be deposited. This denotation will mean nothing to the legitimate bank at which the site owner’s account resides. The site owner will deduct his percentage and denote the remaining amount on his spreadsheet as belonging to the specified client. The client can then have this money transferred to a bank account or a pre-paid debit card, or use the money to purchase e-currency. The site owner has created their own bank without the regulations or oversight of a legitimate bank.

Conclusion
An organized use of the schemes detailed above could result in the destabilization of the banks and the credit card industry being victimized. The collapse of several businesses has already been attributed to these schemes, and they were utilized to finance at least one terrorist attack (the Bali bombing). At a minimum, the loss, which exceeds $10 billion a year in fraud and damage to computer networks, can be blamed for the rise of purchase prices to consumers and the rise of interest rates on credit cards.

International financially motivated hackers are talented, educated and willing to do anything for money. They do not fear law enforcement because they think they cannot be caught. They do fear the FBI, but only if they come to the United States. They are overseas; therefore, they are invincible.

However, plans are being made to work with the respective law enforcement agency in each of the countries where hackers and carders have been identified. The intention of these cooperative efforts is to provide law enforcement with the proper training to catch the hackers and carders, to arrange their prosecution either in their home countries or in the U.S. and to obtain copies of their computer hard drives for use against additional targets. This cooperation has already worked in Belarus, England and Canada, and has been requested by Turkey, Ukraine and Russia. Finally, these hackers/carders offer up information regarding hacking and carding freely online. Thus far, all indications are that the schemes are being used by loosely connected groups who join forces for one or two jobs and then part ways.

Given the availability of the information and the changing climate of the world, in the near future, these attacks/schemes will be operated by highly organized groups with various political agendas.


Online chatter has begun regarding “big hits” such as attacking various countries’ central banks, shutting down systems and bilking large corporations for millions of dollars. All indications are that this type of crime will continue unfettered if law enforcement does not increase our knowledge base and cooperate internationally. We will never stop this type of crime; however, by understanding what they are doing and how they are profiting, we may be able to limit the criminals’ effectiveness while dissuading others from trying to hack and card in the first place.