You’d have to be living under a cyber-rock to avoid the headlines about credit card data breaches from the last two years. While we’re especially sensitive to these events right now, it’s not a new trend. Credit card data has been a consistent target for cyber criminals for years and years.
You may remember the infamous TJX breach from 2005, an incident that one could claim gave significant media attention to the developing PCI Data Security Standard. Even through a period of relatively few headlines on the topic (2007-2012), criminals were busy pilfering more than 160M records worth of card data from major retailers. We may all be thinking of Target as the genesis of the credit card theft trend, but it’s really just one point in a much longer timeline.
Researchers and journalists have spent a lot of virtual ink on analyzing the methods of attack, the vectors for initial compromise, the methods of avoiding detection and the developing point of sale malware being utilized, but relatively little attention seems to have yet been paid to the economy behind these crimes.
People steal credit card data to make money, so I thought it would be interesting to examine how that process generally works. This is really an attempt to assemble a general picture from the plethora of specific examples that are out there. Journalists like to tell a good story, and good stories are usually specific. Let’s start with a basic picture of the credit card data economy:
One of the best known is Rescator, which has been covered by Bloomberg here. There’s a lot of detail in here about how card dumps are evaluated, what makes them worth more or less, etc., but selling stolen card data is only the start of the monetization process. What about the buyers? What do they do with this data they bought?
Know Your Customer
I looked for but didn’t find a good overview of why people buy credit card data and what they do with it. I did find a plethora of individual stories about how an enterprising criminal might turn stolen data into something of more immediate value. The challenge is that each of these scams has generally been closed off by the time they’re actually reported in the media. For the purposes of illustration, here are a few of the examples.
Counterfeit Cards

We might call this the most classic scam. Assuming you have sufficient data, it’s simply used to manufacture counterfeit credit cards. These cards are then used to purchase actual goods from a physical store. The goods might be the end goal, or they might simply be items that can be easily resold for cash. The whole EMV standard, aka chip-and-pin, aka chip-and-signature, is intended to prevent just this type of activity by making it much, much harder to create a counterfeit card that works.
Gift Cards/Travel Cards
The credit card data is essentially perishable, so criminals smartly aim to transfer that money to a format with more storage life. Gift cards, and even travel cards, can provide a means to make that money last. These might be used to buy goods that can be fenced, or simply resold for cash. After all, the pool of potential buyers for gift cards is bigger than for the stolen card data.
Reshipping

It’s quite possible that a criminal might have enough data to perform a card-not-present transaction but not to actually manufacture a counterfeit card. In that case, they have some logistical challenges to overcome, and that’s where reshipping scams come into play. Reshipping is a method of getting goods shipped to one location, then collected and reshipped to their real destination, allowing the criminal to resell the goods for cash.
Money Laundering Through Auction Sites
In this example, the criminal cuts out all the hassle of reshipping and just collects the cash. It works by posting ads on an auction site for goods you don’t have. When someone buys those goods, you order them from another site with the stolen card data, using your buyer’s address as the shipping address. You collect the cash and the buyers get the goods.
As I said, these are examples of the many scams that someone might run in order to turn stolen card data into cash. I thought it might be interesting to try to categorize these as a means of understanding what additional scams might be possible, or more specifically, as a means of threat modeling the possibilities.
The ingredients in a credit card monetization scam always involve a transaction, some goods and a merchant. Each of these can take one of a small number of forms:

Transaction
- Card Present
- Card Not Present

Goods
- Physical Goods
- Transferable Goods
- Fake Goods

Merchant
- Legitimate Merchant
- Illegitimate Merchant
I won’t outline all the possible combinations here, but you can use these primitives to construct possible monetization scams and to examine how you might disrupt them. Each of the primitives provides an opportunity for disrupting the credit card data economy. As noted above, the EMV standards take aim at securing card present transactions.
Roles and Responsibilities
If you’re reading this, there’s a pretty good chance you actually work in information security. Each of us has a role in protecting this data, either directly or indirectly, through the disruption of the criminal economy. Even if you’re an average consumer, you can be vigilant about what goods you purchase in order to make the gift card scams less effective.
As a vendor in the cybersecurity space, I will continue to do this kind of research and drive Tripwire to build products that help our customers protect credit card data.
If you work for a retailer, take a close look at how you manage your point-of-sale systems. I’m not talking about just the payment devices themselves but the system as a whole. The rise in point-of-sale malware, including most recently AbaddonPoS and Cherry Picker, isn’t likely to stop until it’s no longer successful, and the supply chain for point-of-sale systems is next on the list for attack.
If you work in the supply chain for credit card transactions, at a bank, issuer, acquirer or processor, then you’re well aware of the risks and are already deeply familiar with the requirements imposed by the PCI Data Security Standard. Don’t rest on compliance; take the next step to ensure that you have maximum visibility into your transaction environment.
If you work in any other company that handles credit card data, start by understanding the scope of data you actually handle. Do you outsource the entire payment process? Even if you do, it’s likely your name will be in the headline if that provider is breached. Have you evaluated your outsourcer’s security? Does it do more than comply with PCI? If you accept, store, process or transmit cardholder data yourself, is it secure?
And no matter where you fit in the transaction process, examine where you fit in the monetization process. Ask yourself how a criminal with stolen card data might use your organization to turn those bits and bytes into dead presidents.
After all, we can make an impact from both the supply and demand side of this economic equation.