Interview with a Debit Card Scammer

Podcast:

We discuss credit card data centers getting hacked; why banks getting hacked doesn't make mainstream media; reissuing bank cards; how much he makes cashing out bank cards; how banks cover money stolen from credit cards; why companies are not cracking down on credit card crimes; how to prevent credit card theft; ATM scams; being "legit" in the criminal world; how he gets cash out gigs; getting PINs and encoding blank credit cards; how much money he can pull in a day; e-gold; his chances of getting caught; the best day to hit the ATMs; encrypting ICQ messages.

Posted on June 5, 2006 at 6:23 AM • 45 Comments

Comments

ChrisJune 5, 2006 7:13 AM

I know it's a bit off topic, but have any of you had to test for NIST SP 800-63 compliance? I made a spreadsheet to help speed me do so:

http://www.chrisnowell.com/downloads/...

However, I'm quite surprised at how generous password policies can be. If the formulae are correct, I wonder why organizations don't allow such long password lifespans.

Can you spot any errors in the formulae? Do you know of any other such tools?

mpJune 5, 2006 9:35 AM

Interesting but that is how I had guessed this worked. I sort of agree with his idea that the banks are liking debit/credit card fraud as it has opened a whole new business model to them however I think he is being rather nieve if he seriously thinks they are not doing something to stop or and are not reporting it. He said he had know idea on how banks deal with certain things so he has no idea if they are reporting this to the government/authorities on not. It could be that they are it is just nothing is being done yet, perhaps some political motive behand it? Who knows.

His two biggest problems are he needs to physically take cash from the ATM. This means it is possible to catch him red handed. Even if they do so by accident. Secondly the guy who takes his cash for e-gold is a problem. Does he always use the same guy? Does the guy know where he got the cash?

One thing is clear though, it is very easy to get away with such crimes. I disagree with him that there is no victim. There is and its the debit card holder. As he admitted the banks balance this out by having higher rates for other items and selling identity protection. This means the consumer is getting over chareged for something or purchasing something they shouldn't need to purchase all because of this guy.

There is also the problem of the money going back to Russia, the money is obviously going back to dangerous people most likely using their cut of it for drugs, weapons and/or people trafficing.

JungsonnJune 5, 2006 9:42 AM

I listened to it, but have some doubts about the authority from the one who talks there, to me it sounds a bit like he is the one who cashing out on the work that russians did when they hacked the creditcard datacenters, as i hear him mumble and stumble on winzip, ICQ, encryption etc... and dressing up with mustache before he hits the ATM's. IMO: Doesn't sounded very convincing to me.

When one talks about multiple withdrawel from about 300 creditcards in one night,it seems the banks do not have the science down to notice such acts. Like behaviourlayers which can detect such things.There are ways like Bayesian probability which can prevent such acts. Or even to implement a kind of random scattering of luminent particles placed on the card itself, to authenticate it at an ATM, so copying the card would be useless with ATM's. Those ATM machines are like tape-decks to me.

I don't understand that the banks do not report these cases to the cops.

In my country(nl) they do. Even for couple of hundred bucks, video/images of persons are shown on national T.V. while they act on the ATM.

James WalkerJune 5, 2006 11:51 AM

Well, the site's been hit alright... "Daily Bandwidth Exceeded"

Anyone got the .mp3 on a mirror?

Grant GouldJune 5, 2006 12:10 PM

The link seems to be down -- "bandwidth exceeded." Anyone know of a mirror anywhere?

meJune 5, 2006 12:19 PM

I think people are mistaken when they think that debit cards are covered totally. Often you will find the case that credit cards are protected against fraud, whereas banks are only liable for a certain amount when taken from a debit card- for instance where I live and such the banks are only liable for $50.

ShawnJune 5, 2006 12:58 PM

@me

I don't believe it's the banks that are liable. If the marketing it to be believed it is VISA, and probably MasterCard, that are guaranteeing the full return of stolen money.

Also with CC transactions the consumer is only liable for $50 when it's reported stolen. The CC company is responsible for the rest; though this often falls back to the original vendor who accepted the card.

PhilJune 5, 2006 1:02 PM

I've not listened completely through yet ... but my opinion is that the financial services companies are unethical (at best) and complicit in the fraud (at worst).

The fact that they knowing continue to offer services that can so easily be used to commit fraud *AND* that without their act of "commission" in the process a fraud would have been commmitted can only be interpreted in one way: 1) they want this to happen for the ancillary fees and service revenues that it creates for them AND 2) they know that they are powerful enough in their lobbying to shift the blame/thought somewhere else.

We can only assume that public record information on each and every person (not even citizen) who either has a credit card, bank account, and/or drivers license/insurance policy (health or auto)/automobile registration is already in the public record or some relatively easily accessible semi-private data warehouse. My fiance works in insurance ... claims adjusters have access to this information in order to do their jobs. It's available on web pages -- not necessarily index'able by Google et al ... but one VPN, firewall, or password away.

Given last week's stories about the failure of banks to even use HTTPS ... how many of these data marts are similarly "protected". Not all is an easy assumption.

So, given all of that (VA data stories aside) ... how is it that we can assume that anything is private or that reasonable measures are being taken to protect this information.

I think it completely bogus that there are laws that give me the right to put an alert on my identify at the three big credit clearinghouses. What if it was the law that a bank could only issue credit after a 14-28 day holding period and that I had to physically appear and provide multiple forms of identification. I'd sign up for that in a heartbeat. The idea of easy credit and "customer convenience" are simply code words for "fee-based revenue streams". There are a group of financial services companies whose business is solely based on providing credit to un-credit worthy inviduals and profiting on the exhorbinant fees, fees for paying by phone/electronically, fees to extend your credit line, interest-free escrow to back your "credit", etc.

A rush away from debit/credit and back to cash would probably result in laws quickly being passed that made it criminal to not leave cyber-prints ... why else would you be doing that? You must be a terrorist or something!

Nicholas weaverJune 5, 2006 1:02 PM

However, who is left holding the bag at the end is very different from who's left in the middle until its resolved.

With credit card fraud, it is the credit card company and/or merchants who are left holdnig the bag the whole time.

With debit card fraud, UNTIL it is resolved, it is the account holder left holding the bag.

As a result, I've adopted the following policy.

My debit card is ATM only (NO credit card imprint). I ONLY use it at ATMs belonging to my bank (and I inspect the reader first). If traveling, I'll use it at in-bank ATMs elsewhere. OTHERWISE it is not used for anything.

My credit cards, on the other hand, are used for everything. If a thief breaks the point of sale system and steals the track data, I don't care. Its not MY money that got stolen.

Yeah, I'll take reasonable care (it is a hastle when a CC# is stolen, it happened to me once), but if it gets hacked along with a bunch of others, who cares?

PhilJune 5, 2006 1:02 PM

I've not listened completely through yet ... but my opinion is that the financial services companies are unethical (at best) and complicit in the fraud (at worst).

The fact that they knowing continue to offer services that can so easily be used to commit fraud *AND* that without their act of "commission" in the process a fraud would have been commmitted can only be interpreted in one way: 1) they want this to happen for the ancillary fees and service revenues that it creates for them AND 2) they know that they are powerful enough in their lobbying to shift the blame/thought somewhere else.

We can only assume that public record information on each and every person (not even citizen) who either has a credit card, bank account, and/or drivers license/insurance policy (health or auto)/automobile registration is already in the public record or some relatively easily accessible semi-private data warehouse. My fiance works in insurance ... claims adjusters have access to this information in order to do their jobs. It's available on web pages -- not necessarily index'able by Google et al ... but one VPN, firewall, or password away.

Given last week's stories about the failure of banks to even use HTTPS ... how many of these data marts are similarly "protected". Not all is an easy assumption.

So, given all of that (VA data stories aside) ... how is it that we can assume that anything is private or that reasonable measures are being taken to protect this information.

I think it completely bogus that there are laws that give me the right to put an alert on my identify at the three big credit clearinghouses. What if it was the law that a bank could only issue credit after a 14-28 day holding period and that I had to physically appear and provide multiple forms of identification. I'd sign up for that in a heartbeat. The idea of easy credit and "customer convenience" are simply code words for "fee-based revenue streams". There are a group of financial services companies whose business is solely based on providing credit to un-credit worthy inviduals and profiting on the exhorbinant fees, fees for paying by phone/electronically, fees to extend your credit line, interest-free escrow to back your "credit", etc.

A rush away from debit/credit and back to cash would probably result in laws quickly being passed that made it criminal to not leave cyber-prints ... why else would you be doing that? You must be a terrorist or something!

Davi OttenheimerJune 5, 2006 3:55 PM

Bazooka Joe is worried about "fidelity" of an mp3? Yeah, me too and sometimes I really get worried about how AM radio broadcasts of Baseball games are such low fidelity, or why my bicycle seems to go so much slower than my car...sorry, couldn't resist.

Incidentally, I like it when the interviewee says "Routers" news. And it's always good to hear someone say "I'm a pretty big person in the scene". That just screams credibility.

Even better: "It's like if they eradicated cockroaches from the planet it would kill off the whole industry." That's his explanation for why banks don't stop fraud?

This guy obviously isn't the brains of the operation. At the end of the day this just demonstrates that numbers can be stolen, amassed abroad, and then used many years later by mules who follow simple directions for a small fee.

Clearly consumers have a reason to proactively change their numbers/protect their ID when notified of a breach, and a very good reason to support breach disclosure regulations, despite the studies that suggest stolen IDs are not used fraudulently right away.

Anonymous CowardJune 5, 2006 4:03 PM

He went through the trouble of erasing the guy's name with that weird digital noise thing, but he missed one of the times when the interviewee mentions his online handle.

guyfromtheinterviewJune 5, 2006 4:10 PM

in my interview I only guessed that it was the data centers of the banks that were hacked by the Russian I was dealing with, He never told me directly and I never asked him. I got that story from google about the data centers being hacked and asumed it was him. You guys think I am the only one who has doen this however there are hundreds of peolpe doing this maybe thousands. I stopped doing it and thought I would do an interview about it because I stopped. The guy who says there are two ways to catch a someone doing this, 1: there is no way for banks to know were any ATM is going to get hit. and 2: the egold exchanger does not know were the money is from and I dont tell him. to the guy who says I dont sound very convincing about using a fake mustache and using encryption in ICQ and what not: I couldnt touch on that in detail as we didnt have enough time in the interview to go into that. Im in poland rite now I will comment later on but I have to go now.

Bob's Your UncleJune 5, 2006 4:22 PM

Ottenheimer shows his lack of knowledge in the scene. The podcast interviewee is one of the bigger guys in that scene, and while he stumbles around on this podcast, his other podcasts have more clarity and he is more at ease in them.

Banks are clearly at fault for covering up their security problems. According to the FBI and Secret Service, banks are responsible for refusing to allow most LE investigations to take place. The interviewee found this out and wanted to let people know that the reason he and others like him get away with it, is because the banks are covering the losses to the victim, and once they do, the bank then becomes the victim, and does not have to file a report with the police about it. Thus, no victim and no way LE can investigate or open a case on a criminal doing this type of operation.

The banks claim that LE wont do anything, therefore they wont call them. This is often true, most Federal LE agents refuse to open a case against anyone unless the loss threshold is large.

I have seen LE refuse to do anything about a victim losing 200 thousand dollars. They had a chance to save the victim and refused, citing it wasn't worth their time to look into it as the dollar amount was to small.

So, the banks are right as well. They don't want to waste their time calling in LE on some casher who uses pins ripped from some other companies database who refuses to be named (Office Max) and refuses to press charges due to the bad publicity. So, why should the banks take the hit for some company who left the door open?

LE says why should they investigate when no one will complain about it?

If you ask me, everyone is responsible except the hapless victim whom everyone seems to forget.

If you want to know what is going on, I suggest you visit sites that are enabling this type of fraud to exist. These sites are easy to find, and even easier to shut down. However, LE says they cant do anything about them, which is another excuse for LE running these sites to get information, so they can go out and bust a few kids later on.

They never get the main players because they claim they cannot touch them. So, they are content to just get the smaller players who fall into those schemes.

Take cardersmarket.com

Here is a site hosted in Ft Lauderdale Florida. Matter of fact, its hosted right out of a guys house. Yet, LE refuses to shutter them. Instead, this site promotes vending of pins and numbers and paypals and ebays and so forth, all the while LE looks on at all the players.

LE claims they cant do anything to a site hosted on US soil. Yet, truth be told, its LE running the site just like they ran Shadowcrew. They build these sites hoping criminals will come to them and start trading. After a few years of victimizing and people from all over getting ripped off, they bust in and close it down and arrest a few token suspects. Then another site is opened up and the story is repeated over and over and over.

That is LE's way of trying to do something. However, LE is just enabling others to find a spot to trade, which in turn makes the data valuable. If you close the sites that trade the info, the data eventually loses its value because there is no buyers.

LE just wants to run crime sites so they can track it all. In order to run a crime site though, one must BE a crime site, therefore LE is involved in running crime sites unbeknowst to the general public.

Banks just make money off it all. The losses are a fly speck on profits. The more they lose, the more they charge people for those losses. The banks are scamming the public, LE is scamming the public and the victims are having to deal with it after its all said and done, while everyone else looks the other way and points their fingers at the other guy, blaming him for the victims woes.

That is the game.


http://www.thegrifters.net

http://www.shadowcrewthebook.com


Yeah, a hapless plug..


akaJune 5, 2006 5:13 PM

I'm a victim of ID theft. Somebody had some how made a copy of my debit card (I never lost my wallet or card), yet they did not have my pin. Without my pin or even my id, they were able to go to Wal-Mart, Toys R Us, Staples and other places and managed to spend nearly $3000 within three hours. None of the places they went to carded them. They just swiped the card, forged a signature and went on their merry way. The bank proceded to do an investigation where they called all the merchants the thieves went to. The bank got the money back from the merchants. It is the merchants (and eventually their customers) that get the short end of the stick.

guyfromtheinterviewJune 5, 2006 7:04 PM

lets get one thing str8 here you were not a victim of ID theft you were a victim of credit card fraud. And those stores do ask for ID the criminal had a fake ID made up in your name, and the criminal most likely got your credit card number in the form of whats called a "dump" actualy he probably didnt need an ID in your name since those stores do not check last 4 digits on the from of the card to match on the reciept or in there register. all the criminal does is encode your card number to any hard plastic card he has and puts any name he wants to it so when a purchase is made it reflects that on the register and the reciept.

So ID theft is when all your info like you DOB, SSN, and full name is used to ubtain goods and services. witch is way worse than just getting your card used.

Davi OttenheimerJune 5, 2006 9:46 PM

"Ottenheimer shows his lack of knowledge in the scene."

Glad I got someone's attention. I was afraid someone might think I knew to much or was part of the cool crowd so I appreciate you putting that to rest with a nice ad hominem.

Seriously though, how do you explain the foundation of this cockroach theory of fraud? I'm still at a loss how the analogy makes any sense at all, and you haven't done anything to dissuade me of the fact that someone who gets a bunch of numbers, follows simple instructions to make cards with them, and then goes to withdraw money from ATMs is anything more than a mule.

"Banks are clearly at fault for covering up their security problems."

A business has to make trade-offs so the issue is always much harder than just trying to argue that there is imperfect security afoot. I'm not defending the banks, but I also don't think a blanket conspiratorial "cover up" theory is very insightful. Maybe if you said that paying off customers who complain is cheaper than paying to upgrade the system controls I could see your point (the bank is making a decision to factor the cost of fraud into their system). However, since the market is regulated, if you add in liability issues, consumer blowback and penalties that banks will face when caught with weak controls...what then?

Davi OttenheimerJune 5, 2006 9:52 PM

"The losses are a fly speck on profits. The more they lose, the more they charge people for those losses."

Isn't that a contradiction in reasoning? Are they a "fly speck" or are they "more" -- enough to charge people for real "losses".

Davi OttenheimerJune 5, 2006 9:55 PM

"those stores do ask for ID the criminal had a fake ID made up in your name"

Or they could print a CC with a fake name to match the fake ID, even though the PAN is the same as the real card, no?

Bob's Your UncleJune 6, 2006 12:18 AM

"Glad I got someone's attention. I was afraid someone might think I knew to much or was part of the cool crowd"

Being flippant under the circumstances of how people lose money and their identities shows your lack of understanding of the situation. Nay, its shows your lack of actually caring what a victim goes through.

Most of these stories leave the victim out of it. The victim is the lone person out there trampled on by everyone else. No one see's the loss through the victims eyes. They only see it on paper. No one truly knows what a victim feels when first discovering what the debit card interviewee has done to them.

Its not the cashers fault that the banks or stores he gets his numbers from are loose in security. They tell the public that they are secure. I mean here you are at some big box store, and the thought is these people wouldn't store your pin number on their office computer where someone ONLINE can come by and pick right through it with a modicum of skills.

No, you think that you are safe entering that pin data into the POS system. Well truth is, your not. No one is, matter of fact, everyone that does business in this world with cards, numbers, id cards, banks, stores, and all merchants, are all easy targets for these fraudsters.

Matter of fact, if that is your name Ottenheimer, in the space of a few minutes, one from these boards could find you, get your credit report, your ssn number, and everything about you and your life, and that of your neighbors, and their credit profiles and ssn numbers, and drivers license numbers, and easily become you.

Then, all it takes to destroy you and leave you weeping on the sidewalk of poverty is a calculated series of attacks on your good credit. After a few months, boom, your toast. Your mortgage will probably be called in, your credit cards all canceled, your lines of credit put on hold or called in or removed, your car reposessed, your job lost after they find out you visited and downloaed child porn files, and eventually you end up committing suicide over it. Because the road down is easy while the road back up for a victim is very hard.

Putting your real name out on any blog, or any web interface is about as dumb as it can be. And, if anyone wanted to, they could blow you out of the credit water with ease because of it.

I know, you think I jest, but truly I don't. That was the mentality of people on Shadowcrew.

There are many boards out there now which are being run just like that board was ran. Most of these guys are so good at what they do, you would never know what happened, nor why it happened to you. In the case of card cash outs, this is the least of one's worry. Its a rather easy crime on the victim. He usually gets his money back quickly, while the average identity theft victim, goes through YEARS of hell trying to correct the wrongs done to him by the average Shadowcrew member.

As for losses and being a contradiction in reasoning. The banks look at it as nothing compared to the profits they make. And they do tell the public they have to increase rates to cover fraud losses. This is not a contradiction this is a fact.


While the banks make billions of dollars, they refuse to stem the flow of losses by maintaining their own security so that their customers can be safe. They say implementing security is not what the customer wants, the customer wants ease of use. Therefore they use last 4 of your social security number to identify you over the phone.

Why if I knew your social or the last 4, and knew your bank, I could call them up, pretend to be you, and wire out all your money to my private offshore account in Latvia, after changing your passwords, your phone number, and your billing address.

It is that easy. Then, its up to you to prove you didn't take all that money and merch. The bank will say you called. You will say you didn't. Tough world to prove it.

Also, not just anyone can get numbers and cash out for the Russians. Too many guys get numbers, see the money, and rip it off. So, the Russians are very careful in who they do business with. So, it takes major guys like the interviewee to be able to even get a deal to go cash out. Its not some deal where you can just go in and get premium numbers from a premium hack to go out and cash out.

More than likely, n00bs come in and get numbers that have been cashed out already 4 or 5 times, and are assigned to continue to try and cash out. The hope is that it will cover the pro's trail by the n00b getting busted for the op.

Sometimes its just to clean the very last dollar out of the card or debit holders account.

As for printing fake id's for instore, yes, that is done all the time. However there are a huge amount of stores that don't even check ID's. Plus, its easy to make track 1 data, which is the name portion, in any name you want. So, if you have some handy cards lying about with other names on them, its easy to just change the track 1 data to say what you want on it with any name you want. There is no authorization on track 1 and track 2 data matching up. Banks think its just a waste of time to authenticate both.


As for Shadowcrew members who raked in HUNDREDS OF MILLIONS OF DOLLARS according to the US Attorney's office in New Jersey, most are getting off with probation and house arrest, as Kevin O'Dowd, the prosecuter in the case, DROPPED ALL THE CHARGES except for conspiracy, which is the lowest charge there is. Leaving most to plead out and get nothing in time. His idea was to send a message to fraudsters worldwide, and that message was LOUD AND CLEAR!!!!

You can make that money and get away with it. Especially if you have O'Dowd prosecuting you.

He sent the best possible message the government could send to fraudsters.

CRIME DOES PAY!!!! And today, it pays very well.

Just look at the numbers and see what the Shadowcrew case got the fraudsters. Millions, no, HUNDREDS OF MILLIONS of dollars, and only house arrest and probation and dropped charges for a quick plea deal to the low charge of conspiracy.


Great Message..


Just great.

DavidJune 6, 2006 12:20 AM

I agree with Jungsonn. The guy sounds like he has done a lot of reading but never actually done anything. You can hear him making up details that he didn't think he'd get asked about. If I were this guy's boss, I would be making a note not to assume that his project is as far along as he says it is.

Bazooka JoeJune 6, 2006 3:27 AM

This is Bazooka Joe from the Small World podcast and I just wanted to let you know the website is back up.

I have a one-size-fits-all package for my site and usually it's not a problem. Unfortunately, Monday morning the Small World podcast was mentioned not only on Bruce Schneier's blog but on Spamroll and Boing Boing to boot. My poor website simply collapsed under the visits and downloads. Actually, if more people are listening that's a problem I welcome.

A couple quick notes...

1. I can't vouch for the credibility of my guest. I'm not part of his community but El Mariachi, a previous guest on the Small World, holds him in high regard. El Mariachi has a lot of pull in his circles so I trust my interviewee was, in his own words, "legit."

I do know that my guest was a bit nervous during the interview so that might explain why he doesn't sound very convincing. And as Jungsonn mentioned towards the top of this page, my interviewee didn't hack the hacked the credit card data centers. I got the impression he was just one man among many working on this operation

2. I agree with mp that the cardholder is indeed the victim. If the bank is going to cover the lost then that money is going to have to come from somewhere and the obvious source is going to be increased rates to cardholders.

I suppose I could have grilled him over that but that's not what my show is about. There are enough television shows, radio programs and articles that do what I call "attack pieces." While those are entertaining I don't think they really add to discourse and the world can be an ugly enough place as it is and I don't want to add to it an iota. I'm just hear to bear witness and ask questions.

Several listeners did raise similar questions at my website and you can read the comments and exchanges if you care to at http://smallworldpodcast.com/?p=391

3. If you enjoyed the show you might be interested in previous Shadow Crew segments (http://smallworldpodcast.com/?cat=5). In the past the interviews have focused on the above mentioned El Mariachi as well as digital security expert and commentator, Richard M. Smith.

Please be aware that the theme of the Small World is that I interview people from all walks of life from all over the planet. I do the show as a labor of love and not as a paying gig. As such, I do everything on a shoestring budget and can only approach each interview from a layperson's perspective.

Speaking of which, Wednesday's show features an interview with Michael Lahey who directed the documentary Making Waves, which is about independent and pirate radio stations. Different topic, granted, but I think you might enjoy it.

Stay stuned!

Bob's Your UncleJune 6, 2006 4:45 AM

I want to say that Bazooka Joe has one of the finer programs on the air today. I have been both a guest on his show as well as a frequent listener. He has without a doubt one of the better voices out there for doing interviews and his style of interviewing is fantastic.

He is a great guy and deserves all the accolades one could give him.

I want to thank him for producing shows like he has on such a shoestring for the listening public, because every show I have heard is without a doubt a great show to listen to.


Thanks bazooka for another great smallworld podcast...

JungsonnJune 6, 2006 7:28 AM

@Bob

I'm curious who you are...

Besides from that, overall it sounds like a cowboy score to me, hitting 300 ATM's in a night.

PeteJune 6, 2006 8:22 AM

The way that different parties are involved in banking fraud is an interesting aspect of this interview that hasn't been picked up in the mainstream press yet. RSA Security's blog recently featured two articles that discussed this element of banking fraud ...
Part 1 - http://www.rsasecurity.com/blog/entry.asp?id=1088
and Part 2 - http://www.rsasecurity.com/blog/entry.asp?...

The RSA articles were focused on phishing, but the key point is the same: electronic fraud (cards or online banking) has become a significant operation, and is made up of a series of loosely-coupled markets that deal in tradeable goods. Some people do the harvesting of CC data or online banking logon details; others buy this info for the cashout part.

I do find it odd that the press is generally so obsessed about online banking fraud, when CC fraud is costing dramatically more. [And of course the mainstream press - and some of the security industry - seem to call *all* of this identity fraud.]

I don't have direct experience with the US banking industry, but in my part of the world the banks end up wearing the liability for debit card fraud, and are taking on more of the credit card fraud liability over time. The banks don't like bad publicity of course, which means that they tend to pay out quickly on fraud cases so that customers don't get upset and sue. And of course as the bottom line costs go up the banks end up spending money on better transaction monitoring etc. to manage the fraud.

It's hard to manage the economics of fraud to cut down the overall levels; since the fraud losses are spread over so many banks they are each able to afford a certain amount of loss. This means that there are a substantial number of people who end up being victims of this fraud, since it is not currently cost-effective for the banks to cut out this type of fraud.

Fraud losses are like lending write-offs; they'v'e always been part of banking. The only thing that's new is the leverage - our Eastern Bloc friends have never had such good access to the Western financial markets!

RossJune 6, 2006 9:21 AM

Interesting interview. Right at the moment there's an epidemic of ATM fraud in Britain too, and the introduction of smartcards has not really helped to contain it. There are several relevant posts on our blog at

http://www.lightbluetouchpaper.org/category/...

Old-timers may recall that Citibank got a gagging order against us in the High Court in London back in 2003 to stop us saying any more about vulnerabilities in their systems:

http://cryptome.org/citi-ban.htm

Didn't do them much good, did it?


JungsonnJune 6, 2006 9:47 AM

Phew!.. i guess many found the way to Bruce on this one.

I provided about 900 download slots by now, i have made a torrent of it, because 900 slots more and i'm down also :)

The Smallworld podcast torrent: http://www.mininova.org/tor/332293

Anyone want to seed this file with me?

GavinJune 6, 2006 10:22 AM

Interesting comment at the end regarding using 'socks and proxies and stuff like that to protect my identity'

Sounds like a potential TOR client !

Davi OttenheimerJune 6, 2006 11:04 AM

"Being flippant under the circumstances of how people lose money and their identities shows your lack of understanding of the situation. Nay, its shows your lack of actually caring what a victim goes through."

I really don't see how these ad hominems do any good for your position. Do you really think someone who claims to be in the business of fraudulently taking money from people's accounts cares more about their victims than someone who doesn't take their money? That seems rather backwards to me, like saying I show more concern about your health if I poison you. Bizarre logic and perhaps an insight into how some of the criminals can live with themselves, believing that they are doing good by stealing someone else's money.

"Putting your real name out on any blog, or any web interface is about as dumb as it can be."

Wow, no need to attack Bruce like that. I think he's a really smart guy and I appreciate the fact that he put his real name on his blog and website. I can certainly think of dumber things in the world, and the Darwin award certainly has a fair number of examples far dumber than using your real name to represent yourself.

@ Pete

I think you're right on the money, so to speak.

Bazooka JoeJune 6, 2006 5:29 PM

Thanks for providing mirrors to the interview. The Small World website was reactivated at a little after midnight and went back down within four hours due to the traffic from Bruce's blog, Boing Boing, Digg, etc. Time for a new ISP, I think.

This interview was part of a segment I do from time to time called Shadow Crew (the name was inspired by that nefarious board). The theme of the segment was examining the dark underbelly of the digital world we're living in.

The show came to a halt due to time constraints and obligations between myself and my co-host, El Mariachi. I'd like to do more Shadow Crew segments so please let me know if there are any white hat/black hats out there who would be interested in participating.

T. DogJune 7, 2006 3:26 PM

Is there any other source for this podcast...none of the 'mirrors' above
seem to work. For the one @ feedburner, I'm getting : The requested URL /mp3/smallworld051906.mp3 was not found on this server.

Would sure like to listen to it....wondering why it's hosted at such a low-bandwidth & limited site?

guyfromtheinterviewJune 10, 2006 4:31 PM

Wow this interview has really gone places i really didnt want it to. However I am very surprized at all the responces it has gotten. Some of you mite be delighted to know that I cashed out Ann Coulter's account, I noticed this and I wonderd who this was and I googled her and found out that she isnt very well liked.

thank you all for your comments.

Peace
gfti

guyfromtheinterviewJune 10, 2006 4:39 PM

if anyone would like to contact me you can do so at.

guyfromtheinterview2@Safe-mail.net

ask me anything you want and I will answer if I am able too.

Bazooka JoeJuly 12, 2006 7:31 PM

I just wanted to let you know that since my interview with Dillinger he's since been arrested. You might be interested in today's Small World. I talked to El Mariachi about crume and punishment and the fate of Dillinger.

AshleaJuly 16, 2006 2:22 PM

how bad does your credit become after having a car reposessed? will it hinder someone from taking out school loans?

ROFLMAODecember 27, 2006 11:04 PM

I think it is hilarious that David Thomas, AKA 'El Mariachi', AKA 'Bob's Your Uncle' is sitting in jail right this moment for fraud. He did all that podcast crap to boost his inner-little-boy ego while he was scamming his ass of behind the scenes. He used fantasy hype on the thinnest level and had thousands listening to his self-indulged BS. Good riddance to another wart of hypocrisy.

ROFLMAOJune 3, 2009 10:26 PM

I'm still laughing at Thomas, AKA "El Mariachi", and especially at Steven Lance Roberts, AKA "John Dillinger". Apparently these two bone heads thought they could scam, get caught scamming, then turn snitch, setup all their friends, putting many of them in jail, then GO BACK TO SCAMMING, all behind their FBI agent handlers back (an especially bone-headed Special Agent Butler).

I've posted a few followups at "pcianswers.com" under the name Robert to some of "El Mariachis" most egregious transgressions of truth (or as close to truth as he'll ever come).

What I'd like to see if the FBI own up to and admit they got taken in by a scammer, who played both sides of the law while "working" for them.

Then I'd like to see all the supposed "reporters" do some actual fact-checking before they take a story handed to them by a lunatic scammer and run with it like it was fact.

MSeptember 1, 2010 12:27 AM

Can someone explain how one of the individuals arrested in "Operation Cardkeeper", Steven Lance Roberts, aka "John Dillinger" - who was sentenced to 94 months in February 2007 is already due to be released in November 2010?

Or should the explanation be self-evident - that he's a snitch...

These guys can pull scams worth hundreds of thousands of dollars, ruin people's lives, then get a slap on the wrist - what kind of message is this sending?

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..