Cybercriminals Learning To Filter Out Undercover Cops (krebsonsecurity.com) 63
An anonymous reader writes: Credit card numbers are constantly being stolen, but the people who take them don't usually use them. Instead, they sell them to others who will. Many cards are traded at online forums and markets. Law enforcement investigators know this, and they use these forums to gather intelligence on breaches. But Brian Krebs writes that one of the biggest markets, Rescator, has implemented methods to screen out suspected law enforcement agents. Krebs says of a law enforcement source of his: "The criminals running the fraud shop seized his carding store account and bitcoin balance after the pig alert flashed on my source's screen — effectively stealing hundreds of taxpayer dollars directly from the authorities. .. I found his case fascinating and yet another example of the growing sophistication of large-scale cybercrime operations."
Re: Oink! (Score:1)
My thoughts exactly. They're just stealing from customers under the premise they're a pig.
Maybe there is a customer service number to get your bitcoin back.
Re: (Score:1)
They're fellow criminals, not customers. Some criminals stealing from other criminals. No big deal.
Re: (Score:1)
They are crooks, do false positives matter?
only those who care about innocents worry about false positives.
Re: (Score:2)
Re: (Score:1)
Re: (Score:1, Flamebait)
Ah, I see you support criminals who steal from innocent people. Well done.
Re: (Score:1)
We have here two competing criminal gangs. I can't see how express some joy at seeing one take a hit is the same as a show of support for the other criminal gang.
Isn't it good when any criminal organization takes a knock on the chin?
Re: (Score:2)
Re: (Score:2)
Ah, I see you support criminals who steal from innocent people. Well done.
No, I think he is opposed to the police in this matter.
https://www.aclu.org/issues/cr... [aclu.org]
Stealing wasn't the point (Score:5, Insightful)
Krebs says of a law enforcement source of his: "The criminals running the fraud shop seized his carding store account and bitcoin balance after the pig alert flashed on my source's screen — effectively stealing hundreds of taxpayer dollars directly from the authorities..."
I think it's hilarious that the angle they took was the seizing of the police's resources committed to the transaction system. The point wasn't to steal the police's resources, that was a drop in the bucket compared to the size of the operation. The point was to prevent the suspected law enforcement agency from continuing to play and to preserve the information that might be linked with the account to use that information to help spot other law enforcement accounts.
If anything, the lack of size of the law enforcement operation was probably the initial red flag. Sure, actual criminals will start out small too, but usually an unwillingness to go all-in is a warning flag. Flat out, usually the, "good guys," have limits on their behavior either because they're attempting to do as little harm as possible or being limited in funding since they're not actually running a criminal for-profit enterprise, or a combination thereof.
It'll probably take a turned-insider to break this stuff. That's what it usually takes. Actually find a person involved, use the carrot-and-stick approach to give them reduced charges or some degree of immunity in exchange for breaking the organization from within, and let that person both take the risks associated with data collection and give them time to build up enough information to make further prosecution possible.
Re:Stealing wasn't the point (Score:5, Insightful)
After Snowden sold the US out, it was quietly reported about a large number of people on the US payroll in other countries (and their families) disappearing quietly, and permanently.
It was quietly reported by the very same people who have evidence that 9/11 was in inside job, if I'm not mistaken. Maybe a better quality source of information would be the best way forward, don't you think?
Re: (Score:2)
[Citation]
Re: (Score:2)
Re: (Score:2)
That's ironic. maybe you don't wear a tin-foil hat while sucking dick, but the fact that you remove it to get a better angle for your mouth doesn't really help your AC ass.
Re: (Score:2)
Lucky you, AC! You haven't picked a Slashdot name yet. Might I suggest an appropriate one such as " Captain Douchebag?
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:3)
Oh please! If the government had lost a single agent that they could tie in anyway to the Snowden leak they would have trumpeted that from the mountain tops. As it is they've yet to put forward a single case where his actions resulted in the death or capture of a single person. Which is unsurprising considering they've yet to put forth a single creditable incident that was prevented by the systemic abuses Snowden revealed.
Re: (Score:2)
amateurs (Score:5, Insightful)
When you detect the unwanted customer, don't block them ... sell them randomized fake CC info. Their evil genius is weak sauce.
your faith in cryptographic pixie dust is cute (Score:3)
So there is a sophisticated ecosystem of criminals and undercover cops that exists because credit card transactions are insecure. Make credit card transactions secure using cryptography available in 1980 and it all goes away.
Nearly all cryptography in use in 1980 would be trivially breakable from even a brute-force attack today.
We humans are very poor at building secure systems. We don't really have any theoretical basis for building cryptographic algorithms. The methodology used is basically propose some idea and if enough people look at it and can't compromise it generally after a few years we figure it is good to go. In practice what happens with most public-key systems is that some special cases are discovered where the
"Credit card numbers are constantly being stolen" (Score:4, Interesting)
Re: (Score:2)
Your credit reports contain that information: past addresses, known family members, etc.
(So never use that kind of info as an answer for a secret security question.)
Puritan virtue (Score:3)
But I guess credit cards are becoming more commonplace (damned as I see someone buying lousy cup of coffee for $1.25
Yeah, so? You should be able to make small purchases with them, because the real costs to provide the service are 1) reliably communicate an almost vanishingly small amount of data over a vast network that is mostly used for streaming video, 2) production of the cards themselves.
Why should you have to carry cash around and make change and carry that any more if you don't want to? Because some people don't get finances and will overspend, therefore all uses of credit cards are irresponsible?
Re: (Score:2)
Stored value cards are better for that use case. No loan so no need for a credit check, you just load them up front with cash and then spend. No need to handle loss of the card like credit cards do for fraud prevention; it's essentially the same as losing cash.
Such cards are also somewhat anonymous, in that the card ID isn't tied to an individual and cards can easily be shared or traded.
Re: (Score:1)
Re: (Score:2)
Credit card fraud is an easy problem to solve, one simple solution. Gather biometrics of the purchaser at point of sale or product receipt (for online sales). Fraudulent purchase and they have given themselves away and even if they use a gullible mule, that mule will turn them in. So easiest way to gather biometric data, require a finger print on a seal able adhesive material along with a photo, that is kept and turned in at end of shift and stored (you gain the print and skin cells and an image of the per
Re: (Score:3)
I live in northern Europe. I never carry cash around. Stores and coffee shops don't want to handle cash. They want me to pay by card. And I want to pay by card, using chip and PIN, because that is safer for me than carrying around cash.
I can't even pay for the bus in my town using cash. There was one attempted robbery of a bus driver, and all buses went cashless overnight.
Credit card for small purchases (Score:2)
damned as I see someone buying lousy cup of coffee for $1.25 with their credit card
I think this insinuates that people are using credit for small things because they lack funds, but there's plenty of other good reasons for this. I don't carry a lot of cash, particularly small change. I'm Canadian so mine might vary from yours a bit:
a) In Canada, small change ($0.5, $0.10, $0.25, $1.00, $2.00) comes in the form of coins. These are heavy, bulky, and frankly most wallets don't even have a coin purse in them an
Great Article....uh... (Score:3)
....exactly what countermeasures beyond them mentioning they used to use IP range blacklists, exactly?
Where are the details?
This is like some old story about a guy he used to know who did some thing one time...
Re: (Score:3)
Perhaps they have blacklisted some Bitcoin based upon its previous seizure by law enforcement.
Immature Terminology (Score:5, Interesting)
I'm serious by the way, this isn't an attempt to be funny. Appending the cyber- prefix automatically sets them apart and I think that's a bad thing. They're thieves, and we already have plenty of words for those.
Re:Immature Terminology (Score:5, Insightful)
Okay, I know this is off topic and I apologize, but can we agree that its time to stop calling them "Cybercriminals"?
These people are called cybercriminals to provide information about what kind of criminals they are; it doesn't mean they are to be looked at as privileged or special; You don't call a serial killer just a "criminal"; These people who deal in batches of stolen credit card or social security numbers for mortgage or Tax Refund fraud are much worse than common criminals, just like you refer to criminals who are serial killers differently than you refer to muggers or jaywalkers. A thief probably only robs from a few people, cybercriminals are "Mass Thieves", and the penalties should be more severe --- they are criminals that use what the average person would consider technically sophisticated methods or tools involving the abuse of technology as a fundamental aspect in the commission of their crimes.....
They are not thieves in the traditional sense, other than their intention is essentially to get money they have not earned, E.g. those selling copies of other peoples' credit card numbers, And their chance at a profit is supported by another criminal's expectation of using those numbers to defraud banks out of $$$, but some of these criminals are also referred to as frausters and identity thieves.
Re: (Score:2)
Re: (Score:2)
Cyber drug dealers.
Re: (Score:2)
Someone who, for example sells illegal drugs online rather than by phone, is a drug dealer
It's not cybercrime for some guy to be selling illegal drugs online. The guy already broke the law in the real world, and the actual exchange will definitely occur in the real world (If he he/she is indeed selling), the online / website type platform is just a communication channel.
That's like suggesting that if he used a telephone to make the deal, that it would be a phone crime.
It's not (But there really a
cyber (Score:1)
Unfortunately, this is just horrible. It doesn't even help the little guy who cannot himself check through the forums and have to wait for second-third hand information to stop this nonsense.
civil forfeiture? lol (Score:1)
civil forfeiture? lol
or should this have another name?
and ironically this presents the same problems for the 'legitimate' clientele who now have to be worried about being falsely 'forfeited'.
LOL, pwn3d!! (Score:2)
Essentially this boils down to the police lack the skills and sophistication of the people they're trying to stop, and in the process they're getting their asses handed to them and losing the money they have as bait.
You have to admire the audacity, but you can't go around thinking law enforcement has the right skillset to fight these people on their own turf.
In an ever on-going arms race, the bad guys are more numerous, likely have more resources and time, and are quite motivated.
I mean, it's not like in th