Schneier on Security
A blog covering security and security technology.
February 14, 2011
Credit Card Fraud Ring
It amazes me that credit card fraud is so easy that you can run it from prison.
Posted on February 14, 2011 at 6:37 AM
• 32 Comments
I don't know why it'd amaze you. There's no security around credit cards at all; they just have a percentage built into their fraud budget, because it's cheaper than actually going after it.
I think it is the from prison part that amazed him, not that CC fraud happens.
Drat! When I saw the title I was hoping for a ring that reads magnetic cc strips!
Gizmodo recently had a massive redesign and the site is now very difficult to read. Here's a mobile edition of the same article which is easier on the eyes:
The worrying thing is not that even inmates can run such a scheme, it's that people keep using broken technology whenever taking out their credit cards to pay for stuff.
"It amazes me that credit card fraud is so easy that you can run it from prison."
Well all fraud is generally an easy crime compared to many other types.
As fraud is mainly about (mis)handling information it can in theory be carried out from anywhere where you can establish a suitable communications channel.
The hard part with nearly all frauds is realising the proceeds of the crime in an untraceable way and that's the bit where most fraudsters come unstuck.
Also many others really really don't know when it's time to "cut and run" not just with fraud but many other crimes as well.
Yes you can make money out of crime but as many find out that's just the start of the problem, keeping it's the hard part...
My father used to point out to me that if you are bright enough to commit the "perfect crime" you are more than bright enough to earn more money honestly.
thx Yossi Oren,
the mobile version works with noscript too
damn shebangs in URLs :(
It appears the original story is from the NY Daily Times,
What does amaze me is the number of "official newspaper" sites that have "ripped it off" one offender being the UK's Daily Mail...
The only odd thing that comes out of the story is the group escaped detection by re-encoding the mag-stripe on their own legitimate credit cards etc...
Now I don't know about others but this sounds like a massive fail in the US Credit Card system. Maybe the Payments Card Industries (PCI) should put its own house in order for once...
What amazes me is that Bruce reads Gizmodo, and uses it as a source. Even I left after the redesign, but when sharing anything interesting from there, I'd share the original link, not the repost.
@pc "I don't know why it'd amaze you. There's no security around credit cards at all; they just have a percentage built into their fraud budget, because it's cheaper than actually going after it."
I don't know why it would amaze anyone since prisoners have 24 hours a day, seven days a week, for the duration of their sentence, to think of ways to get over on the system. They can be *quite* inventive.
In the QA section at the end of this talk http://forum-network.org/lecture/...
Frank Abagnale comes out very strongly for credit cards and against debit cards. What he fails to mention is the hidden cost of merchant fees. Even if you get a no fee card, pay your bill in full every month, and get 1% cash back, you're STILL paying for the card. We all are.
I don't see a problem with "STILL paying for the card". It's part of the merchant's cost of doing business, and I would certainly expect it to be part of the price I pay.
That's one reason why I prefer to make my in-store purchases with cash, rather than a credit card. I want to give my money to the merchant without the credit card companies skimming off a percentage of it as transaction fees. If you buy with a credit card, the merchant has to pay transaction fees to the credit card company, and is prohibited by agreements with Visa, Mastercard et al. from passing those fees on the consumer. Most people think of credit card purchases as costing "nothing" (i.e. they pay the same price as they would pay with cash) but that is only true for the customer, not for the merchant. It's also usually the merchant who gets shafted when someone defrauds them with a credit card.
@pc "fraud budget"
But buying insurance to reduce your risk _is_ security too isn't it?
@Clive "original story is from the NY Daily Times"
Better coverage too.
@clive "establish a suitable communications channel"
But controlling for that's the real trick isn't it. And a long known vulnerability. Gangsters continue to run their gangs from the inside and order all manner of nastiness from day to day operations to witness intimidation and murder. But this worked through human outside confederates. As long as the incarcerated are allowed to communicate with people, or their lawyers, a channel is open. Mitnick tells a great anecdotal story about a prisoner gaming the call in / public defenders only line to create an outgoing session.
In Fast Walking Wasco says "God, I love it here, in this joint, you know that, ? ... , there's no place like it in the whole damn world. There's nothing you can't do in here, if you got the balls. It's as simple as that, you just believe in yourself. Follow your star. It'll lead you right to opportunity..." Prison doesn't stop business.
Modern day contraband is the cellphone. I've seen one overseas prison's RFI asking for signal jamming of the whole range of wireless data transmission methods from wi-fi to satphone.
Odd that this went on for 3 years. I understood that prison phones, 'cept for lawyer privilege calls, were all tapped and monitored. If universal wire-tapping of a known population is ineffective at identifying criminal activity how can USG make the claim that broadly based warrantless wiretapping is effective in identifying unknown villains?
Reading the original piece (and that was a circus since Gawker Media hasn't been displaying in my Firefox for a while until I adjusted an exception rule in AdBlock Plus!), I see only a mention that the ringleader coached a relative over the phone.
I see no evidence that they actually did anything illegal on the prison phone system - the "coaching" referred to might have been in some sort of verbal code. I suspect most of the information was passed during prison visits or in some coded way from gifts sent in and material sent out via the mail. While all of that is inspected, it wouldn't be that hard to evade the prison censor. Anything done during visits would be impossible to detect.
So in that respect it's no surprise this could be done as virtually everything was done by confederates on the outside. That's SOP for prisoners.
These are Americans of course - from a British prison you can mastermind stealing a plane load of gold and escaping through the sewers in a fleet of British cars.
Yes, you pay for the card even if you pay full bill every month - in the merchant's payment processing fees. But you pay the same price for your goods even if you pay in cash - the merchant just gets a little bit richer (possibly not much; cash convoy services and/or bank cash deposit services cost him, too). You may sometimes get a slight discount when you propose to pay in cash, but are you going to do it every time you buy at your grocer's?
Actually it is a win-win situation. Merchant gets a sale now, not the next day, when the client comes back with cash - or never if the client changes her mind. Client gets her shiny new goods now and doesn't have to worry if she has enough cash in her purse. Banks get their share. Everybody's happy! Well, maybe the client not so much after all, when the bill arrives :-)
Other reasons for not using a credit card (fraud risk, traceability, shopaholism, etc.) aside, paying in cash does not give you any financial gain over using a credit card a "smart" way - and often the other way round.
"and is prohibited by agreements with Visa, Mastercard et al. from passing those fees on the consumer"
If only. In the UK travel companies routinely pass on a credit card "fee" that is several times the actual cost
A friend recently had her purse stolen and within one HOUR thieves had racked up $1,000 worth of charges...at local GROCERY stores. No word yet on if they bought out the whole meat-section at one store, or stamped duplicate cards and hit multiple stores individually.
Another friend insists that signing her card "Check My ID" helps prevent fraud...yet I can't recall the last time a cashier actually looked at the back of my card for a signature, much less even touched my card since most places have me swipe (or wave RFID) it myself.
The credit card companies may be doing us a favor with their lack of security. Carjackings have been on the rise since many older vehicles (desirable for parts) now have anti-theft devices. There will always be thieves, but if credit cards are enhanced with smartcards or other uncopyable electronic validation, there could be a similar trend when they are forced to steal the card.
Given this, it is possible that there would be a higher societal cost if the credit card companies improved their security.
Is there such a thing as 'societal security' or 'sociological security', that looks at the cost/benefit of private security practices on society as a whole?
Apple products stolen? No sympathy for the company, feel bad for the victims though. The credit card companies will just pass along the 'difference' to their other customers, write some insurance forms, get reimbursed by Joe Taxpayer... Just the cost of doing business, I think credit cards should be overhauled and made into something new.
Misleading headline anyway. The prisoners never had any Apple goods, nor did they buy or sell anything. The guy running it from prison was just giving orders so everyone on the outside could do the dirty work. People asked how the ring was busted - The prison either intercepted an outgoing message or someone finked on him. And when you're dealing with 25 accomplices, eventually someone is going to slip up and spill the beans. Now it's just a matter of rolling on each other to get a better deal than the guy on top of him. This is why a good rule in criminal behavior is to never trust anyone - No honor among thieves, but that goes for legitimate business also.
"Another friend insists that signing her card "Check My ID" helps prevent fraud..."
Many places don't bother to even *look* at the card if it's under $25, much less check the signature.
Still, here's a funny article about whether people even bother to check the signatures.
"Actually it is a win-win situation."
My issue is that credit companies have very effectively hijacked the development of cashless systems. Paying via a plastic card needn't cost 5%. 1) require a 2nd form of authentication (PIN). Not perfect, they can be skimmed and social engineered, but it would reduce fraud. 2) don't give out cards based on only DoB and SSN.
The worst part about it is the very devious 'cash back'. As an individual, it is in my best interest to use my 1% back credit card for everything, even though that costs merchants more than if I use a debit card. In fact when gas prices spiked in the US in 2008, gas station owners were getting pinched because the card fees ate up an ever increasing portion of the sale, but their commission from the oil company remained fixed per gallon.
I have been in some stores that charge 25 cents to use a debit card, because they can, but nothing to use a credit card, because they're not allowed to. Ends up costing them more in fees.
I'll grant, it's ingenious, but it's hurting the consuming public.
Many places don't even bother to get a signature, let alone look at the card, if it's under $25 or $50.
@moo: "... I prefer to make my in-store purchases with cash, rather than a credit card. I want to give my money to the merchant without the credit card companies skimming off a percentage of it as transaction fees...."
Cash payments are not cost-free to merchants. They have to expend labor counting the cash and making change, checking for counterfeit bills (and losing the money if they miss one), moving cash from registers to safes and then from safes to banks, and recording the cash deposits. Also, banks charge businesses for depositing bills and coins. Merchants with heavy cash flows have to increase physical security (safes, cash chutes, secure counting rooms, security cameras and monitoring rooms, etc.) and may need to add security personnel to guard against robbery from without and within. When you figure total costs for most merchants in the USA, the ranking of payment types by cost (least to most) is debit card, credit card, cash, and personal check.
In some businesses (such as bars, restaurants, hair cutting salons, etc.) employees who receive cash payments can fail to record the transaction (or record it as a lesser value) and pocket the cash. For these businesses, cash is the most costly method of payment.
Interesting. I guess it doesn't help the merchant much to pay by cash, after all. I'd still rather not give the fees to the blood-sucking credit card companies, though.
I prefer to pay by credit card, because I get to earn interest on "spent" money for an average of 40 days (half a month plus the 25 day grace period).
The issue that irks me most about credit card companies is that they don't invest enough in security to reduce the high levels of fraud (which the merchants and therefore the consumers pay for in the end).
Rikers is a dark place; see, for example:
The Lords of Rikers
The juvenile unit of the New York City jail is a survival-of-the-fittest finishing school for the roughest kids in New York.
And an upcoming case alleges the guards run the show.
Not sure why it is a surprise that the guards run the show; the real surprise is how they do it, using inmate muscle.
Wait, so what exactly is surprising here? Gang leaders, drug lords, mob kingpins... they don't seem to have much trouble conducting their business from prison. Why should CC fraudsters be any different? See Charles Manson + cell phone for a recent example.
It's also against the merchant agreement for the store to ask for ID when making a credit card purchase. This requires some sort of comment as to why this might be, but I don't have one... With all the fraud, one might think that credit card companies would force stores to check ID.
RSX - I'm in the MSP business. Merchants are supposed to authenticate the card by matching the customer's signature with the signature on the card.
Reasons IDs are against the rules:
Fake IDs are historically easy to make and asking for ID may make someone pay in cash instead.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.