Forgot your password?
typodupeerror
Security Privacy Your Rights Online

An FBI Agent's 3 Years Undercover With Identity Thieves 196

Posted by timothy
from the doing-my-best-nelson-laugh dept.
snydeq writes "InfoWorld offers the inside story of how FBI Supervisory Special Agent J. Keith Mularski, aka Master Splynter, penetrated and took over DarkMarket.ws, the infamous underground carding board hacked by Max Butler and later transformed by Mularski into an FBI sting operation. The three-year tour sent Mularski deeper into the world of online computer fraud than any FBI agent before, resulting in 59 arrests and preventing an estimated $70 million in bank fraud before the FBI pulled the plug on the operation in October."
This discussion has been archived. No new comments can be posted.

An FBI Agent's 3 Years Undercover With Identity Thieves

Comments Filter:
  • Actually (Score:5, Funny)

    by DoofusOfDeath (636671) on Wednesday January 21, 2009 @04:29PM (#26551349)

    InfoWorld offers the inside story of how FBI Supervisory Special Agent J. Keith Mularski, aka Master Splynter, penetrated and took over DarkMarket.ws,

    How on earth are we supposed to believe it's the real Agent Mularski now?

  • by jollyreaper (513215) on Wednesday January 21, 2009 @04:30PM (#26551363)

    Cool hacker name = geek culture reference + creative misspellings/capitalizations

    Sample names:
    Dark JedEYE
    FeloniouS MonK
    POPP3R SMRF
    TERRORByTE
    G\/\/B

    I predict you will hear of these handles in future busts.

  • Fencing (Score:5, Insightful)

    by planckscale (579258) on Wednesday January 21, 2009 @04:44PM (#26551577) Journal
    From an article I read on Wired what seemed to have brought the downfall upon Butler was some of his associates got nabbed for trying to use stolen cards to buy expensive retail items and then fence them on Ebay for cash. Seems to me that old fashioned F**k-ups are the way these guys usually get taken down. Also from the article I read that corrupt retailers and waiters use portable card readers to steal all mag data on the card. How would you protect yourself against that kind of attack?
    • Re:Fencing (Score:4, Insightful)

      by CannonballHead (842625) on Wednesday January 21, 2009 @04:48PM (#26551643)

      Don't ever buy anything, and never eat out?

      • Patience (Score:4, Interesting)

        by copponex (13876) on Wednesday January 21, 2009 @05:22PM (#26552113) Homepage

        Buy things at small retailers unlikely to have complicated security policies or good video surveillance. Use local criminals to do the deal for you, promising a cut if they are successful getting the item out of the store. Keep the purchases under $2,000.00

        Sell those things for cash on the street. Don't sell in the same area that you bought the items. Stick to big cities, as the police have way more to deal with than small-time theft. Once you get a big enough stash, use it to start a cash friendly business or find a way to get it to a trusted party in the third world and do the same thing.

        The object is to not piss one person off to the point where they dedicate themselves to finding you. As long as the victim has the credit card company to turn to for a refund, and the police don't think the fraud is connected, no one will even bother opening up a case number.

        • Re:Patience (Score:5, Insightful)

          by Otter (3800) on Wednesday January 21, 2009 @06:08PM (#26552753) Journal

          Sell those things for cash on the street. Don't sell in the same area that you bought the items. Stick to big cities, as the police have way more to deal with than small-time theft. Once you get a big enough stash, use it to start a cash friendly business or find a way to get it to a trusted party in the third world and do the same thing.

          In other words, crime is more work with less reward than just keeping your day job writing Java middleware.

      • by Grimbleton (1034446) on Wednesday January 21, 2009 @05:27PM (#26552201)

        My girlfriend would NOT approve if I stopped eating out.

        • by Bemopolis (698691) on Wednesday January 21, 2009 @06:50PM (#26553345)
          Does it really take that many calories to reinflate her?
        • by pbhj (607776)

          I see what you did there ... ... better get some curtains.

        • Re:Fencing (Score:4, Interesting)

          by garett_spencley (193892) on Wednesday January 21, 2009 @09:06PM (#26554815) Journal

          I have a serious solution to that problem: learn how to cook. As in, learn how to cook SERIOUSLY GOOD food.

          I can spend more on raw ingredients for a single meal than it would cost to take my wife out to a fancy restaurant (not that I do often, just saying that I can), or I can make something amazing for cheaper. And girls dig guys who can cook! Most geeks should like cooking too because there's tons of science involved and most of us like to tinker and make things. Plus when you're done you've got the most amazing meal that, unless you live in New York or LA, can afford to eat at a fine dining restaurant and are lucky enough to get a reservation, you're not going to get eating out.

          My wife and I never eat out any more. We're in a mid-sized town and every time we eat out it's always disappointing. Over priced and something I could make way better at home.

          I recommend "Zingerman's Guide to Good Eating" as a starting point for anyone looking to get into cooking. It explains how to choose the best ingredients, gives you the history of food's as well, and has some simple recipes too.

        • So buy her something nice. Oh, wait...
    • Re: (Score:3, Insightful)

      by Anonymous Coward

      Cash

    • Re:Fencing (Score:5, Interesting)

      by AKAImBatman (238306) * <akaimbatman@gmai[ ]om ['l.c' in gap]> on Wednesday January 21, 2009 @05:00PM (#26551825) Homepage Journal

      Also from the article I read that corrupt retailers and waiters use portable card readers to steal all mag data on the card. How would you protect yourself against that kind of attack?

      As long as we use credit cards, you and I can't protect ourselves. However, the credit card companies could. Using public key authentication via smartcard technology would make it easy to verify physical access to a credit card. Yet the only instance I can think of, of anyone trying to roll this out is American Express's Blue card. Even that was mostly ineffective as the smart card circuitry appears to go mostly unused.

      • Reloadable cards. (Score:5, Interesting)

        by khasim (1285) <brandioch.conner@gmail.com> on Wednesday January 21, 2009 @05:28PM (#26552217)

        I'm still wondering why the various banks don't offer reloadable cards for their customers. Why wander around with your ENTIRE credit limit in your wallet?

        And for debit cards, your ENTIRE checking account balance.

        Instead, allow the user to transfer the amount that he thinks he will need to a secondary card. That way, if anything compromises that card, the MOST they can get is whatever he put on that card.

        As for online purchases, how about one-use card numbers? Just go to the bank site, put in how much you want to pay and the bank will give you a one use number for that amount. Then the maximum you lose if the online site is fake is that specific amount. They never get the real numbers to your real accounts.

        • Re: (Score:2, Informative)

          by Anonymous Coward

          Looks like you invented the e-wallet. Don't know about the 'states, but it exists in France (called Moneo) and Belgium (called Proton). It's money stored on your bank card, that you can reload at any terminal using your PIN. Purchases made using this system are quick, as they don't require you to enter the PIN nor sign the recipt upon payment.

          So it's pretty much like cash in that it's for small amounts (up to 125 Euros IIRC), there's no authentication, and if your card is stolen whatever e-money you had loa

          • by wiz_80 (15261)

            In Italy you can get reloadable Visa Electron cards from the post office. Lots of people use these exclusively for online purchases, since even if the card info gets stolen there isn't much that can be done with it.

            Since they can't make money by delivering mail any more, the post office has branched out into banking and mobile telephony, and operates an airline as well.

        • by Zironic (1112127)

          It's relatively trivial and not very expensive to just set up a second account with a second debit card with alot less money on it.

        • Re:Reloadable cards. (Score:4, Informative)

          by tubapro12 (896596) <ubelkatze2004 AT gmail DOT com> on Wednesday January 21, 2009 @06:41PM (#26553225) Journal
          This makes sense to me and I believe there are some services attempt to do stuff like this.

          OTOG (Off the Top of Google):
        • by DamonHD (794830)

          Umm, a company I co-founded (entropay.com) does this, and is not alone.

          Rgds

          Damon

        • by Urza9814 (883915)

          That's essentially what I do already. Why do you need thousands of dollars in your checking account to begin with? Why not just transfer over only what you need? I mean, I can understand doing that a couple years ago, but my bank doesn't even really have physical banks anymore. If you walk into the building they have a few computers open to their website, an ATM, and one teller off to the side to help with things like opening new accounts. That's it. Everything is done online. And they reimburse you for ATM

        • Re:Reloadable cards. (Score:5, Informative)

          by kb9vcr (127764) on Wednesday January 21, 2009 @07:02PM (#26553529)

          For online purchases one-use card numbers already are available.

          Bank of America has them, it's called 'Shopsafe' and it's a free feature if you have a card with them. I've used it for every web purchase now for years and it works great. You set your limit & expiration date, generate a number and your set. Easy and it limits your exposure.

          (MBNA developed shopsafe and then Bank of America got it when they bought them out. Probably other companies have something similar)

          • by Raenex (947668)

            Bank of America has them, it's called 'Shopsafe' and it's a free feature if you have a card with them.

            By the way, it only works on their credit cards, so if you just have a debit card you're out of luck.

      • Re:Fencing (Score:5, Informative)

        by samkass (174571) on Wednesday January 21, 2009 @05:30PM (#26552243) Homepage Journal

        I think you're right here in the US. When I visited London last year, though, it seemed like every single person had chips in their cards. I felt like a Luddite asking the guy to actually swipe the magnetic strip on a card (and him having to try a couple times before it took), then go find a pen, sign it, then find a place to put the paper signature. Us old-fashioned Americans.

        • Re:Fencing (Score:5, Interesting)

          by atamido (1020905) on Wednesday January 21, 2009 @05:38PM (#26552353)

          I had an experience nearly identical to this in London when a shop clerk asking if we had a card with a chip in it to use. The friend I was with didn't even know what he was talking about. I explained things to her, and then told the clerk we didn't, but could wander off and find an ATM to use instead. He dug around some and found a card reader, but it was obvious he hadn't used it in a while.

        • Re:Fencing (Score:4, Insightful)

          by pjt33 (739471) on Wednesday January 21, 2009 @06:41PM (#26553233)

          The problem with that system is that it protects the banks and not the customers. Before you could contest the signature: now all they have is a PIN, and there's no way of proving who typed it in. It would be better to use chip, PIN and signature, but people will usually choose convenience over security.

          • Re:Fencing (Score:4, Informative)

            by dotancohen (1015143) on Thursday January 22, 2009 @03:46AM (#26557299) Homepage

            The problem with that system is that it protects the banks and not the customers. Before you could contest the signature: now all they have is a PIN, and there's no way of proving who typed it in. It would be better to use chip, PIN and signature, but people will usually choose convenience over security.

            I had to contest a cash withdrawl recently, and because the PIN was entered correctly the bank concluded that it was an authorized purchase and would not be covered. They treat the 4-digit PIN just as they treat a signature.

        • Australia is migrating to swipe and pin for credit cards right now. But then our merchant payment systems have allowed swipe and pin for paying with a savings account for a long time, so I don't think the limitations were for technical reasons.
      • by SuperG (83071)

        Actually, Visa USA was big into trying to roll out smart cards as well. I used to work for a start-up company that had a loyalty application to be used on the smart card, though we never got out of the pilot phase (for Target most notably). Visa USA's big push was because of the increased security, and hoped that loyalty would be the killer app to get it out in the marketplace.

      • Re:Fencing (Score:4, Interesting)

        by halcyon1234 (834388) <halcyon1234@hotmail.com> on Wednesday January 21, 2009 @07:40PM (#26553975) Journal

        It's coming to North America, but slowly. Mainly because it will be expensive, and only serves to protect the consumer.

        Contrast that with the UK banks that have implemented the "chip and pin", where the courts ruled that due to the PIN, they aren't responsible for theft. The banks practically orgasamed all over themselves to get it going.

        It still doesn't offer complete protection. You can take the UK card to Germany, where merchants have not implemented the PIN. Or you can still shop inside the UK; just damage the chip. The card will fallback into "swipe and sign" mode that is used for cards without a PIN (such as those visiting from America).

        Or, even with the chip and pin, all one needs to do is some shoulder surfing. Everyone covers their PIN at an ATM. In other situations, people aren't used to doing that (restaurant, etc). Once you've identified a PIN, pick the person's pocket.

        Or buy things online.

        Or steal a lot of cards, and attempt to brute-force the PIN.

        Or there's an interesting relay attack:

        Consider the following scenario: You go for lunch in a small restaurant in London, and pay using your chipcard at the end of the meal. What you don't know is that the waiter at the restaurant is corrupt. You ask for the bill, and the waiter goes off to fetch a handheld Chip and PIN machine that he brings over to you. Meanwhile, on the other side of town, his accomplice is loitering in a jeweller's store. The waiter sends an SMS message to his accomplice, who goes up to make a purchase. Just as you insert your card into the waiter's terminal, the accomplice puts a fake card into the jeweller's terminal. The waiter's sabotaged reader simply forwards all the traffic from your card wirelessly to the card in the reader at the jewellers, and pretends to ask you to pay for lunch. You enter the PIN, thinking you're paying for lunch, but in fact you're buying the crooks a diamond!

        - "Chip and Spin", http://www.chipandspin.co.uk/ [chipandspin.co.uk]

        • The real flaw with chip and pin is that we've known it was possible to extract keys from these things with targeted damage for about the last 15 years to my memory. I remember hearing about cracking "smartcards" in Science News sometime in middle school.
    • by thewils (463314)

      I read that corrupt retailers and waiters use portable card readers to steal all mag data on the card. How would you protect yourself against that kind of attack?

      Er, pay with cash?

    • by Ihmhi (1206036)

      Pay cash?

      Either that, or carry around a pocket EMP and set it off every time the waitress comes by.

    • by BountyX (1227176)
      Load up a prepaid visa gift card with cash. Refill when done. Chepaer than using credit card too.
  • It's like being an undercover mob boss. Except you don't get to: Bang models on their way to the street, Drown rats or wear a cool ring.

    Here is my question: Now that Darkmarket is all busted and closed, will this cop just enjoy a 2nd honeymoon before starting again with a new alias and hitting on a different set of crooks.

    Hell, if he plays his cards right he could enter the private sector and make millions off the MPAA and RIAA.
    • by betterunixthanunix (980855) on Wednesday January 21, 2009 @05:14PM (#26552017)
      He probably wants a new assignment that involves less time at a computer. Did you RTFA? He was spending 18 hours a day on his computer, and was online every day of the week. His relationship with his wife was strained because he had to be available on his computer as often as possible to avoid suspicion and to keep his credibility up. He had to report his vacations to the people he was trying to bust weeks ahead of time, to keep up that reputation. To me, that sounds like the sort of assignment that you only participate in once, if only to keep your heart healthy.
  • Just goes to show you cannot trust anyone you meet online. They may not be who they claim to be.

APL is a write-only language. I can write programs in APL, but I can't read any of them. -- Roy Keir

Working...