Stolen-card crime sites use "cop detection" algorithms to flag purchases


#1

[Read the post]


#2

Imagine if the cop tried to appeal and found out what it was like being on the other side of that unimpeachable algorithm fence for once…


#3

So if I go to one of these “carding sites” and buy a stolen card, how do I pay for it? With my credit card? That would seem to be a leap of faith.


#4

Well, who would expect the police to take the trouble of applying some real sophistication to their investigation here? We’re only talking about massive grand larceny in the near-billions, causing serious financial disruption to several million law-abiding citizens…not the heinous activities of vile teenagers downloading music on the sly.

Gotta set some priorities, ya know.


#5

Having no experience in it myself, I’d imagine that Bitcoin would probably be a more popular form of currency used for these types of transactions.


#6

Btc, webmoney (but only if you are in certain countries), and a few others. Back in the good old days it was egold :)


#7

I would think a burner card would work - either a stolen card with a low limit, or even a prepaid debit card.


#8

Some cards – I am told; I’ve yet to actually find one that offers this – allow you to generate a temporary credit card number that’s linked to your primary account. I imagine you can also set a transaction limit for the new number.


#9

Sure… Until the credit card processor that these guys use sees what business they’re in, and boots them.


#10

I doubt they accept credit cards at all. Otherwise, one quick buyer could buy out their entire stock using the cards from the first purchase.


#11

Wait - they are trying to bust large criminal sites that steal CC info from average people and resell them?

Why are we upset over this?

I guess none of you ever had a fraudulent charge before…


#12

Who is upset? The only comment I can see in this topic as being somewhat “upset” is @Nell_Anvoid, who seems to be upset that the government is devoting more resources to small-time stuff, rather than making stuff like this more sophisticated so that they could catch these guys.


#13

I guess I misread the tone of the original post…

Also the government is pretty far behind on the curve of technology. Read the Wired article on bringing down the Dread Pirate Roberts. They relied more on old time “befriend and ensnare” tactics and not some fancy hacking scheme.


#14

I reckon the two commenters on the Krebs article postulating that the machine the cop was using had traces of law enforcement right through it are onto something.


#15

They don’t accept burners. At least not three months or so ago. And real burners are getting hard to get.

Cryptocoin of your choice, use a big mixer, then extract to a currency with dubious financial controls.

Does anyone ever want a tour around some of these places? (I wonder if I could do that without getting in trouble. Also, never trust Brian :D)


#16

Well, yeah. It isn’t too terribly hard to figure out which buyers have an agenda. And if they have an agenda they aren’t your friend.

Here are a couple freebies:

  • Buying cards only with high balances
  • Buying cards only in a specific area code
  • Tracking the btc wallet address
  • Tracking dirty Tor peers (a ton of Tor peers are owned by LEO)

#17

These all make sense except for the high balance card one… Can you elaborate, please?

(part of my confusion is that I’m not clear on whether the card balances are known – and made known to the potential buyer – when a card is being offered for sale)


#18

It is a common blind spot for security researchers and LEO. It will take a moment to explain.

So you get a trove of CC numbers. It is easy to determine the limit and balance by a number of means (I will not discuss tools unless you meet me at Defcon :D). Just trust me that it isn’t rocket science. So a few things happen.

  1. The card is priced at a percentage of what you can monetize.
  2. LEO generally pursues cases in a somewhat ‘impact’ or ‘value’ order. So the higher the value of the investigation, the more tempting.
  3. High value transactions are easier for LEO to track (not entirely true, but true enough), and harder to actually monetize (for reasons).

So if you get a new customer with only high value cards in their cart, they are either idiots or LEO. Or both :)

It is the equivalent of wearing a fur coat and diamond rings to a jewelry heist.


#19

And most of the rest are probably owned by governments.


#20

I suppose buying only particular types of cards is a tell, as well as buying massive numbers. Those needing to use the cards would likely only need a handful, whereas investigators would need as many as possible.