With the Target data breach, many are wondering how criminals can profit from the use of the stolen credit cards. The card holders themselves will not be responsible for any of the charges, so how is it that criminals are able to make money from stolen credit cards?

I have been involved with several cases where organized crime rings have been unveiled, many of these have had connections to Russian and Eastern European groups. These groups generate a significant profit through stolen property acquired through burglaries, shoplifting, identity theft, credit card skimming and carding. Many underestimate the complexity of some of these networks and the revenue they generate.

The United States is a mecca for carders, simply because of the fact we are one of the last countries to rely on magnetic strip credit cards that are easily cloned and lack the security of newer chip and pin. The reason the U.S. is still using the technology from the 1960’s is a topic for another blog post altogether.

Buying Stolen Credit Cards Online

First the card numbers are sold to brokers who acquire the stolen card numbers in bulk. These are then sold to carders. The price for valid credit cards can be as high as $100 per card depending on the amount of information available with the card, type of card and known limits of the card. Many of these sites offer guarantees on the validity of the cards and will provide a valid replacement if it is blocked. Now that is customer service.

Carding Shop On Dark Net
Valid stolen credit cards for sale on a website in the “deep web”

The Credit to Gift Card Shell Game – Find the Fraud!

One lucrative method of “carding” involves a shell game, where stolen credit cards are used to charge pre-paid cards. These cards are then used to purchase store specific gift cards, such as from Amazon for example.

How credit cards stolen during the Target data breach are turned into profit

Shopping & Reshipping

The carder then uses that gift card to purchase high value goods, usually electronics such as cell phones, computers and game consoles. This process makes it difficult for companies to trace. By the time it is figured out and the cards blocked the criminal is in possession of the purchased goods.
Carding Reshipping

These packages are usually then shipped via a re-shipping scam. Unsuspecting individuals are recruited as Mules (re-shippers) usually through legitimate channels such as Craigslist job listings promising “easy work-from-home jobs” and usually in the United States as it raises fewer red flags.

The re-shipper then assembles multiple packages and ships them usually outside the country, or directly to someone who purchases the goods from an auction site the fraudster has posted the goods to.

Reselling Goods for Profit

The carder may then sell the electronics through legitimate channels such as through eBay, or to avoid risk can sell the goods through a hidden underground “deep web” site. Most people know the “deep web” from the Silk Road, which was recently shut down by the FBI, reappeared and then vanished again.
Stolen Goods Deep Web

The Silk Road was a marketplace for illegal products such as drugs online. However the Silk Road had somewhat of a code of ethics, as certain products were restricted from sale such as pornography, weapons, personal data (stolen credit cards, passwords etc), poisons, or weapons.

There are many hidden services available that do not have such scruples. There are numerous places on the deep web that sell stolen credit cards and goods acquired through carding.

On these hidden illegal websites the goods are usually sold at deep discounts on the black market, usually around 50% of retail and reshipped or sent to a secure drop (vacant house etc) a purchaser has setup for this purpose.

Right now the entire carding underground is busy, as banks scramble to monitor fraudulent activity on the stolen Target cards, the carders need to stay a step ahead and move quickly. Much of the credit card charges have already been made and thieves have already cashed out.

This process of detecting fraud by the banks is furthered hampered simply because of the holiday season and the high volume of transactions that are occurring. It is going to be tough time for fraud analysts this holiday season.


Additional Resources:


picTripwire has compiled an e-book, titled The Executive’s Guide to the Top 20 Critical Security Controls: Key Takeaways and Improvement Opportunities, which is available for download [registration form required].

This publication is designed to assist executives by providing guidance for implementing broad baseline technical controls that are required to ensure a robust network security posture.

The author, a security and compliance architect, examined each of the Controls and has distilled key takeaways and areas of improvement. At the end of each section in the e-book, you’ll find a link to the fully annotated complete text of the Control.

Download your free copy of The Executive’s Guide to the Top 20 Critical Security Controls: Key Takeaways and Improvement Opportunities today.



Also: Pre-register today for a complimentary hardcopy or e-copy of the forthcoming Definitive Guide™ to Attack Surface Analytics. You will also gain access to exclusive, unpublished content as it becomes available.

* Show how security activities are enabling the business

* Balance security risk with business needs

* Continuously improve your extended enterprise security posture


Title image courtesy of ShutterStock

Categories ,

Tags , , , , , , , , , ,

SANS Endpoint Security Maturity Model
  • MAA

    Question: in the above prepaid-to-gift-card scenario, who is left stuck with the losses? Is it the credit card company who provided the pre-paid card (not the stolen one) who ends up out of pocket? I would think that whatever company accepted/processed the stolen card would be left with the loss.

    (My credit card was skimmed a year ago–probably by a waitress–and used in another state to make a duplicate card which bought a bunch of stuff at Wal-Mart for resale–probably just one "spree" before Discover froze the card for unusual activity. In that case, I assume Wal-Mart ended up out of pocket.)

    I'm asking about credit cards–I know debit cards leave the consumer liable to pay off the stolen goods.

  • http://twitter.com/kwestin @kwestin

    I am not quite sure, I am guessing the liability would be shared between the pre-paid credit card issuer and the gift card issuer, but am not sure. This is part of why the the hot potato model of shifting balances across different cards is effective, it makes it difficult to trace and takes time. It would be really interesting to see the full amounts charged by the stolen cards…particularly before Target and card issuers were aware of the charges.

    For debit cards, the card holder is not responsible for any transactions after the card is reported stolen and only $50 for 2 days prior to that and up to $500 two days after, if it is 60 days after the statement then it is the entire amount. Another reason to be vigilante around the monitoring of your accounts.

  • http://twitter.com/broadlycurious @broadlycurious

    Ken, thanks for the outline of what happens after the card information is purloined. In the first part of the piece, however, you, perhaps inadvertently, conflate two distinct kinds of fraud: counterfeit cards and data theft.

    Chip, or EMV compliant, card combat counterfeit and lost/stolen card fraud. They validate that the card is legitimate and in the hands of the owner, but the do not do anything to reduce the theft of card data. Indeed, once the EMV cards is validate, it transmits the payment information to the point of sale (POS) device just as do magstripe cards.

    The Target breach, although we don't yet know the details, had nothing to do with counterfeit card and would not have been prevented if Target were fully EMV compliant and accepting only chip cards.

    In Target's case, the malefactor(s) grabbed the payment information after it was passed from cards to the POS device. And did this on a massive scale.

    Now if the person who received the card information then tried to create plastic cards and use them at physical store locations, this would be a case where EMV would prevent the fraud. But that is unlikely the case, when it is so easy to use the card information online to load a debit card or, better, buy a prepaid card. In which case EMV would again not limit the fraud, since EMV was created before eCommerce and doesn't address online fraud.

    Which is one reason merchants are reluctant to spend the money to become EMV compliant.

  • http://twitter.com/kwestin @kwestin

    I don't see counterfeit cards and data theft as distinct kinds of fraud, but symbiotic. With EMV the transactions would not have been able to record the CVV making the cloning of the cards improbable. The PAN would still be exposed in a breach like we see at Target, but not the full track, so EMV does provide additional protections that magstripe does not and would limit the type of fraud to online transactions. I never said EMV would completely mitigate all risks of a breach like this, but that it makes the U.S. an easier target because we don't.

  • John Doe

    Great article, but you left something out. A new process to receiving the goods via mail has been developed. which hasn't been written about. Anyone that is purchasing the credit cars on Silk Road, or Black Market Reloaded; can purchase the item of their wish online and have it shipped right to a foreclosed house. They look online for foreclosed houses in the area and copy the addresses and have the items shipped there. They pay for the FED EX, UPS, ETC for the tracking so they are able to know exactly when it has been dropped off, With no trace at all to the person who purchased the item.

    – Anonymous

    • http://yourmortgageoryourlife.com Paisano1

      An old tactic that has been employed by drug distributors as well…

Ken Westin

Ken Westin has contributed 157 posts to The State of Security.

View all posts by Ken Westin >