Kingpin: How One Hacker Took Over the Billion Dollar Cyber Crime Underground
Denver could buy credit card numbers from a hacker in Moscow, send them to Shanghai to be turned into counterfeit cards, then pick up a fake driver’s license from a forger in Ukraine before hitting the mall.
    Max shared his discovery with Chris, who was fascinated. Chris logged on to the forums and studied the content like a textbook. A lot of things hadn’t changed since he’d dealt in credit card fraud in the 1980s. Other things had changed a lot.
    There was a time when crooks could literally pull credit card numbers from the trash by Dumpster-diving for receipts or the carbon-paper slips left over from retailers’ sliding imprint machines. Now mechanical imprinting was dead, and Visa and MasterCard insisted that receipts not include full credit card account numbers. Even if you got the numbers, that was no longer enough to make counterfeit cards. The credit card companies now added a special code to every magnetic stripe—like a PIN, but unknown even to the cardholder.
    Called a Card Verification Value, or CVV, the code is a number distilled from other data on the stripe—primarily the account number and expiration date—and then encrypted with a secret key known only to the issuing bank. When the magstripe is swiped at the point-of-sale terminal the CVV is sent along with the account number and other data to the issuing bank for verification; if it doesn’t match, the transaction is declined.
    When it was introduced by Visa in 1992, the CVV began driving down fraud costs immediately, from nearly .18 percent of Visa transactions that year to around .15 percent a year later. In the 2000s, the innovation proved a strong bulwark against phishing attacks, in which a spammer spews thousands of falsified e-mails aimed at luring consumers into entering their credit card numbers into a fake bank website. Without the CVV on the magnetic stripe—which consumers didn’t know, and thus couldn’t reveal—those stolen numbers were useless at real-world cash registers. Nobody could walk into a Vegas casino, slap down a card derived from a phishing attack, and get a pile of black chips to carry to the roulette table.
    MasterCard followed Visa’s lead with its own Card Security Code, or CSC. Then in 1998, Visa introduced the CVV2, a different secret code printed on the backs of cards for consumers to use exclusively over the phone or the Web. That further reduced crime losses and completed the Chinese wall between fraud on the Internet and in real life: Accounts stolen from e-commerce sites or in phishing attacks could only be used online or over the phone, while magstripe data could be used in-store but not on the Web, because it didn’t include the printed CVV2.
    By 2002, the security measure had turned raw magstripe data into one of the underground’s most valuable commodities and pushed the point of compromise closer to the consumer.
    Hackers began breaching transaction-processing systems for the data, but the most straightforward way for ordinary crooks to steal the information was to recruit a cash-hungry restaurant employee and equip him with a pocket-sized “skimmer,” a magstripe reader with built-in memory. As small as a cigarette lighter and readily concealed in the apron pocket of a fast-food worker or the suit jacket of an upscale maître d’, a skimmer can hold hundreds of cards in its memory for later retrieval through a USB port. A server needs only a second of privacy to swipe a customer’s card through the device.
    In the late 1990s, thieves began fanning out in big cities across the United States, eyeing waiters, waitresses, and drive-through attendants who might be interested in a little extra cash, typically $10 a swipe. Though it was riskier, gas station managers and retail workers could get in on the action as well by installing tiny skimming circuit boards in pay-at-the-pump readers and point-of-sale terminals. Some of the data would be exploited locally, but much of it was sent to Eastern Europe,