An FBI Agent's 3 Years Undercover With Identity Thieves

snydeq writes "InfoWorld offers the inside story of how FBI Supervisory Special Agent J. Keith Mularski, aka Master Splynter, penetrated and took over DarkMarket.ws, the infamous underground carding board hacked by Max Butler and later transformed by Mularski into an FBI sting operation. The three-year tour sent Mularski deeper into the world of online computer fraud than any FBI agent before, resulting in 59 arrests and preventing an estimated $70 million in bank fraud before the FBI pulled the plug on the operation in October."

Re:Yeah, well...

[Volante3192]

You mean like at http://www.fbi.gov/quickfacts.htm [fbi.gov] ?

The FBI's jurisdiction is essentially being the nation's police force as opposed to your local city force. You can't say "ignore these sections of the state, county or city code" to a local police force just like you can't tell the FBI to ignore the U.S. Code.

Re:Yeah, well...

[morgan_greywolf]

The FBI does have certain, specific areas of jurisdiction. Ever read the FBI website? They say with specificity [fbi.gov] what their areas of jurisdiction and current criminal priorities are.

Re:This is SOOO cool.

[betterunixthanunix]

He probably wants a new assignment that involves less time at a computer. Did you RTFA? He was spending 18 hours a day on his computer, and was online every day of the week. His relationship with his wife was strained because he had to be available on his computer as often as possible to avoid suspicion and to keep his credibility up. He had to report his vacations to the people he was trying to bust weeks ahead of time, to keep up that reputation. To me, that sounds like the sort of assignment that you only participate in once, if only to keep your heart healthy.

Re:Fencing

[samkass]

I think you're right here in the US. When I visited London last year, though, it seemed like every single person had chips in their cards. I felt like a Luddite asking the guy to actually swipe the magnetic strip on a card (and him having to try a couple times before it took), then go find a pen, sign it, then find a place to put the paper signature. Us old-fashioned Americans.

Re:Fencing

[Anonymous Coward]

Easiest defence is to put a sticker over the 3-digit CVS number on the back of your card.

One of the most effective ways to pull off a card-not-present fraud is to get the card number and expiry date from the receipt. Some terminals *** out part of the number on the receipt, but a lot don't (especially in Chip-enabled locations such as Europe). The fraudster doesn't need to double swipe anything - just memorize the CVS when they 'check your signature', and then copy down the card number/expiry off the merchant's copy once you've left.

Re:Reloadable cards.

[Anonymous Coward]

Looks like you invented the e-wallet. Don't know about the 'states, but it exists in France (called Moneo) and Belgium (called Proton). It's money stored on your bank card, that you can reload at any terminal using your PIN. Purchases made using this system are quick, as they don't require you to enter the PIN nor sign the recipt upon payment.

So it's pretty much like cash in that it's for small amounts (up to 125 Euros IIRC), there's no authentication, and if your card is stolen whatever e-money you had loaded on the chip is lost forever (whereas your bank will obviously still cover for purchases made using the regular "debit card" function, under certain circumstances).

Re:Fencing

[Cramer]

According to Visa and Mastercard policies, it is illegal for the terminal to record the number -- either in print or memory. If you see anyone still printing the card number on your receipt, report them immediately. Once the transaction is processed, they have a transaction ID and authorization code and no longer need the card number.

I'd recommend writing the verification number down somewhere else and removing it from the card.

Re:Reloadable cards.

[tubapro12]

This makes sense to me and I believe there are some services attempt to do stuff like this.

OTOG (Off the Top of Google):

• Citi Card Virtual Account Numbers [citicards.com]
• AmEx disposable credit cards [cnet.com]
• PayPal Virtual Credit Card Payment [techcrunch.com]

Re:Reloadable cards.

[kb9vcr]

For online purchases one-use card numbers already are available.

Bank of America has them, it's called 'Shopsafe' and it's a free feature if you have a card with them. I've used it for every web purchase now for years and it works great. You set your limit & expiration date, generate a number and your set. Easy and it limits your exposure.

(MBNA developed shopsafe and then Bank of America got it when they bought them out. Probably other companies have something similar)

Re:rarely asked for my ID

[Achromatic1978]

Because the merchant agreement specifically states that they are not to use the "Ask For ID" thing as a credit card processing mechanism. In fact they can have their merchant account revoked if sufficient complaints are received about requesting ID for CC transactions and not others (though I know in your case you're asking for it).

TECHNICALLY, under YOUR agreement with Mastercard, Visa, or Amex, NOT signing your card with your signature is a breach of your cardholder agreement. In fact (though granted, in practice rarely), Visa requires merchants who come across an unsigned / ASK FOR ID card are supposed to not finish the transaction until the card is signed. If you refuse to sign, at least up until recently, the last time I looked at a merchant contract, they're meant to retain your card (uh oh, you do remember the clause in your cardholder agreement that states that the card remains the property of the issuer, not you, right?).

Not good advice.

Re:Fencing

[Anonymous Coward]

) Tons of places won't accept 50's or 100's anymore.

If someone refuses to accept cash in order to settle a debt, then they release you from that debt obligation. (provided you are paying in full)

Read your money, it's on there in plain English.

This doesn't usually work at retail stores, since they can just refuse to conduct business with you at all, but can be good for some fun at the gas station if they don't make you pre-pay.

Just remember, it's only required when settling a DEBT.

As for safety, I keep several bank accounts. One is used just for online purchases, and is a pre-paid credit card which I have to load up ahead of time. Another is for paying bills, and unless you are on the approved vendor list you simply can't get an auth for a transaction on it.

If you think having your identity stolen is just a "hassle", then you've never had someone run all over the internet trying to buy kiddie porn with your credit card. Even after you get the financial side sorted out, you'll spend years trying to find all the law enforcement databases that list you as a sex offender and get removed.

Re:Fencing

[dotancohen]

The problem with that system is that it protects the banks and not the customers. Before you could contest the signature: now all they have is a PIN, and there's no way of proving who typed it in. It would be better to use chip, PIN and signature, but people will usually choose convenience over security.

I had to contest a cash withdrawl recently, and because the PIN was entered correctly the bank concluded that it was an authorized purchase and would not be covered. They treat the 4-digit PIN just as they treat a signature.