01 June 2011

How Your Card Details Are Sold On Line

From the Wall Street Journal:

We have mentioned him before, but credit where it is most certainly due, Kevin Poulsen’s Threat Level blog is a real treasure trove for those wanting to understand the hacker community.

As the author of the excellent Kingpin, and himself a reformed hacker, Mr. Poulsen has a chilling transcript in his latest blogpost showing the incredibly casual way in which stolen credit cards are traded on line.

The seller in this deal is Max Butler, the subject of the book. A white hat hacker gone bad, Butler at this time was still finding his legs as a stolen credit card vendor, using the handle “Generous.”

He’d recently cracked the point-of-sale system at a pizza restaurant in Vancouver, Washington, and he was looking for someone to buy the credit card “dumps” (magnetic stripe data, including account numbers) that he was stealing from customers. (Note that dumps are more valuable than the credit card numbers involved in the Sony breach, which would likely sell for less than 50 cents each.)

The buyer here is Brett “Gollumfun” Johnson, a veteran fraudster who was, unbeknown to Butler, working as a Secret Service informant from the agency’s Columbia, South Carolina field office. That, of course, is why we have logs of what would normally be a very private conversation.

The shocking casualness of the conversation (these are cards belonging to ordinary people that are being hawked) shows how mundane this trade has become. It is Butler who is offering to sell fresh cards.

Butler: customers used these approval in past week (though i get these every day i’m backlogged going from oldest->new)

Johnson: thats goddamn impressive

Butler: haven’t been approved to vend anywhere so haven’t made prices, i figure whatever is fair, something below market rate and i’ll be very happy just try i guess and pay what you think is fair – i can give you another batch that includes the nicer cards too

Johnson: Thats a deal.

Butler: oh, these are ones the cardholder swiped on .. june 2nd (in case it matters)

Johnson: It will take a few days to run these, but Im sure our mutual friend has told you im good for the money–heh

Later on Butler passes on tips on how to avoid detection:

Butler: i have heard keep all classics under 1k/800 per swipe dont try to get big electronics etc.. seems that credit/debit doesn’t matter as much as type

Johnson: good deal. that is my experience as well

Butler: so for example i’ve heard platinum debits are rocking in most cases even though debit



Wall Street Journal 6 May 2011

http://blogs.wsj.com/tech-europe/2011/05/06/how-your-card-details-are-sold-on-line/
