A Michigan State University criminologist dug into the seamy underbelly of online credit card theft and uncovered a surprisingly sophisticated network of crooks that is unique in the cybercrime domain.
The thieves, Thomas Holt found, run an online marketplace for stolen credit data similar to eBay or Amazon where reputations drive sales. Thieves sell data and money laundering services, advertised via web forums, and send and receive payments electronically or through an intermediary. They even provide feedback on transactions to help weed out sellers who cannot be trusted to deliver the illegal goods.
Holt's study, funded by the National Institute of Justice, is published in the research journal Global Crime.
"These aren't just 15-year-olds stealing credit card info online and using it to buy pornography," said Holt, associate professor of criminal justice. "These are thieves who come to trust one another. There's a layer of sophistication here that can't be understated, that's very different than what we think about with other forms of crime."
First, credit card information is stolen from an individual or group. Tactics can include hacking into the database of a bank, retailer or other service provider; sending emails to consumers masquerading as a bank to acquire sensitive details such as usernames and passwords (called phishing); and skimming. Examples of skimming include attaching a hard-to-spot device on an ATM machine or a crooked waiter who wears an electronic belt that can capture a card's details.
The thief then advertises his haul in an online forum, with details such as card type, country of origin and asking price. Holt said a Visa Classic card, for example, might go for $5 to $20 per card, with a price discount for buying large amounts of data.
The winning buyer finalizes the deal online and sends the money through an electronic payment service. If the seller isn't known or trusted, a middleman, called a guarantor, is used to assure the data is good before payment is sent – minus a fee.
For the buyers, there is any number of illicit service providers to then help them make purchases in a way that doesn't raise suspicion or to pull money directly from the accounts – minus a fee.
All of this is done in a rather democratic fashion – unlike, say, the hierarchical structure of the mafia, said Holt, who monitored two English-language and two Russian-language forums for the study.
Some policymakers have called for flooding the online forums with bogus comments in an attempt to build mistrust and bring them down. But Holt said this strategy won't necessarily work for organized forums with managers who can monitor and remove comments as in the forums he sampled.
A better strategy, he said, might be for law enforcement authorities to infiltrate the sophisticated networks with a long-term undercover operation. It's a challenge, but one that might be more effective than other strategies called for by researchers.
Explore further: Business booming for cyber criminals: security firm