It's a small world, at least to data thieves, but legal authorities are only now working out jurisdictional problems associated with international crimes. As the result of Operation Cardkeeper, the FBI last week announced the arrest of more than 13 data thieves in the United States and in Poland, with additional arrests expected in Romania. As arrests go, this is the tip of a much larger iceberg. In fact, federal investigators were touting this as an opportunity to network with other investigators in other parts of the world. It's a small step, but it sends a loud message that data criminals will be sought and arrested, no matter where they are.
Unlikely trio
The Americans arrested included Dana Carollotta Warren, 29, of Atlanta, Georgia, and Zanadu Lyons, 24, and Frederick Hale, 27, of Columbus, Ohio. According to reports, law enforcement started noticing a pattern among thefts at Richmond, Virginia, banks and began tracing the sources of the stolen debit and credit cards.
 |
With a copied debit card, the thieves were able to cash out a bank account by hitting ATMs and withdrawing the maximum amount until the account was sucked dry.
|
|
The thieves apparently obtained the card numbers through international chat groups, such as CCpowerForums, and were then are capable of burning their own credit cards using machines that convert data into plastic, such as the $200 MSR-206. With a copied debit card, the thieves were then able to cash out a bank account by hitting ATMs and withdrawing the maximum amount until the account was sucked dry. Apparently the three Americans were recruited by Polish thieves who had obtained debit and credit card information through Internet phishing scams.
Misnomer
A quick aside here: An identity can't really be stolen, but personal data such as date of birth, mother's maiden name, or social security number can be used fraudulently. Thus, headlines--and I've used it myself--that say "identity theft" are not entirely accurate; the headlines should instead say "identity fraud," which is not as sexy, perhaps, but far more accurate.
A second misnomer: Mainstream headlines scream "1 million identities stolen from university." That's also not true. The potential exists, but the reality is often not as bad. Many of the stolen laptops in such cases have been recovered with no supporting evidence that the thief ever looked at the files contained within. It doesn't matter whether the personal data files were encrypted, often the thief only wants the hardware to sell for cash. The same is true when large computer databases have been compromised, such as the breach that occurred at the data warehouse ChoicePoint in 2005. According to a spokesperson for Visa USA, "Of all the data compromises, only about 2 percent of the accounts that are compromised are ever used fraudulently."
|
According to Javelin Strategy & Research, only 12 percent of identity fraud was the result of online shopping, while 63 percent could be traced to more traditional retail shopping.
| |
|
Safer online than off
According to Javelin Strategy & Research, only 12 percent of identity fraud was the result of online shopping, while 63 percent could be traced to more traditional retail shopping, such as handing your waiter a credit card, which could be swiped through both a legitimate credit card processing device and a credit card copying device in a back room of the restaurant. About two-thirds of identity fraud today is credit card related. Fortunately, most credit card companies offer zero liability for fraud.
That said, Operation Cardkeeper represents a case where online phishing and even spyware intersect with identity fraud; there's evidence the Polish and Romanian suspects in this case used keystroke-logging software to capture credit card information. Keeping your system clean of computer viruses and spyware, with a side antisphishing technology, goes a long way to keeping your personal data safe. But while the FBI is now able to reach out to agents in other countries and shut down these rings, they're a few years too late. I hope that Operation Cardkeeper, which represents two years of investigation, truly is the beginning of regular headlines reporting more and more arrests for data theft.
Do large public arrests such as Operation Cardkeeper have an effect on cybercriminals? Talk back to me.
