You open your credit card bill and see a bogus charge. Yep, you
were hacked. You're not alone -- but most likely, neither was the
criminal who used your card.
Card fraud is a staggeringly big business: A
Federal Reserve payments study
released in July 2014 found more than 28 million unauthorized
transactions on credit, debit and prepaid cards, totaling $4
billion in fraudulent charges. Behind those numbers are multiple
layers of criminals.
"A lot of people assume that the hacker is the person who steals
the credit card number and uses it -- a single person," says Jeff
Foresman, information security compliance lead with Rook Security
in Indianapolis. "But the concept of some guy sitting in his
basement doing all this is not valid anymore."
Until 2003, most online crimes were isolated vandalism --
"anti-social self-expression using high-tech means," according to a
report from Kaspersky Lab
. By contrast, today's cybercrime is a sophisticated, widespread
business meant to make money illegally, the report says.
While a few rogues still steal information and use it
themselves, most credit card fraudsters are part of a large
Organized crime, much of it based in Eastern Europe and Russia,
helps bankroll the criminals involved, says Loc Nguyen, chief
marketing officer at data security company Feedzai Inc., in San
Mateo, California. An IT specialist working for organized crime
gangs in Eastern Europe can make 10 times what he'd make in a
legitimate job -- or more.
"These are not high school kids -- these are highly organized,
well-funded organizations," says Nguyen. "The business of hacking
has gone from a mischievous activity conducted by hobbyist
developers to an occupation of paid professionals working closely
with organized criminals. Just like any company, they have
specialists, people who write the code, people who run the
equivalent of e-commerce sites and people who buy the card numbers.
They have upper management and an endless supply of workers."
There are multiple ways to get your credit card information and
there are different types of criminals who specialize in each. Once
they have your info, numerous players stand ready to use it for
their profit. The whole industry includes malware writers, several
types of thieves who use card skimmers, operators of websites
selling card data, credit card counterfeiters and end users: people
who buy and shop with stolen credit cards. (To get a taste of life
on the lower rungs of this criminal enterprise, check out "
'A day in the life of a common credit card
Sound complicated? This guide breaks down the eight professions
and their job descriptions.
1. Malware writers
Malware authors write the software code that remotely hacks into
major databanks to get stored credit card numbers, Nguyen says.
Many are young men who are either from Eastern Europe and Russia,
or who have connections to people in those areas, he says. Some
malware writers are part of organized crime rings, others are
freelancers selling code with no idea of who uses it, says Jay
Jacobs, managing principal and co-author of the
2014 Verizon Data Breach Investigations Report
"Someone will create the malware, then they sell it for hackers
to use to steal credit card data," Rook Security's Foresman
The code writers evolve quickly to stay ahead of the good guys.
After the 2008 arrest of master hacker Albert Gonzalez for, among
other things, stealing credit card information from clothing
retailer TJ Maxx, malware writers changed their focus from major
companies to smaller businesses, says Jay Jacobs, managing
principal and co-author of the
2014 Verizon Data
Breach Investigations Report. They began using devices or small
programs known as keystroke loggers to capture information typed
into the systems of small businesses whose point-of-sale terminals
are often open directly to the Internet via third party servers,
Now the focus is back on major retailers and businesses using
programs called RAM scrapers that take payment card information
from the merchant's point-of-sale system while it's still being
processed inside the terminal, Jacobs says.
Because the terminals at large businesses are not directly
connected to the Internet, the criminals must work their way
through the company's system to find a part that is connected to
the Internet so they can get the stolen data out. That can take
time, but the payoff is potentially huge. "Rather than focusing on
10 victims and getting a little data from each, there's a shift
back to multiple weeks targeting a lot of data from one large
victim," Jacobs says.
2. Phishers and spoofers
Some malware coders specialize in creating phishing emails designed
to get you to give up your personal information. Others perform
these duties in addition to writing other kinds of code, Nguyen
These phishing fraudsters may work with or separately from
spoofers -- criminals who create websites that are designed to look
like the real thing but are instead run by criminals seeking your
personal information, Nguyen says.
"They may have hacked into a database to get your email address
," he says. That's why you should be concerned about email hacks
such as the one discovered at Home Depot.
Besides targeting consumers, phishers also often target
nontechnical employees of banks or retailers that handle a lot of
consumer data. The "From" address is spoofed to make it look like
it has come from a trusted insider.
3. Shady clerks and wait staff
The same guy that's serving your food may be dishing out your
credit card number to an organized crime ring. Gangsters sometimes
score credit card information by putting employees of legitimate
businesses on their payroll, Jacobs says. "They'll approach an
employee -- at a restaurant, hotel, retail chain or anywhere that
handles credit cards -- and bribe them" to skim customers' credit
card numbers when they swipe the credit cards, he says. "The
employee is paid by the number of cards they're able to skim."
These employees use small portable skimmers that fit in the palm
of the hand and steal your credit card number as they process your
payment for the legitimate business, he says.
Working the skimmer scam in person is easier at restaurants
where the server takes your card away than at retailers or hotel
chains where the employee has to use the skimmer under the counter
right in front of you, Jacobs says.
Although many of these workers answer to organized criminals,
some work alone, skimming your credit card information for
themselves, Jacobs says.
4. Skimmer installers
Another brand of criminals mounts hidden skimming equipment
anywhere credit cards are swiped. Good targets are unmonitored
payment locations, such as gas pumps, vending machines and train
ticket kiosks, Jacobs says.
These skimmer installers vary widely in skill and
sophistication. Like the shady employee with a skimmer, some
operate as part of organized crime gangs and others operate
They may leave a skimmer in one location for a few days, gather
a few hundred credit card numbers and then stop collecting data
before they get caught. "The longer the skimmers are on there, the
more likely they are to get noticed," Foresman says.
Yesterday's old-style skimmer installers were often caught when
they came back to retrieve the equipment and stolen data. New
technology creates wider buffers. Today's more sophisticated
installers use skimmers connected via Bluetooth so they can
download stolen data from the safety of the parking lot, the
Verizon report says.
Tech savvy fraudsters can also buy skimmers with built-in SIM
cards enabling remote configuration, remote data uploading and even
tamper alerts that, if triggered, will cache the data and send it
Sometimes these skimmers also are paired with cameras or
keystroke loggers to capture additional information including your
PIN, ZIP code and the
[%Link?type=article&id=3663&text="'card validation code"%]
(also called CVV2 or CVC2) that is written but not embossed on your
credit card, Foreman says.
5. Fake technicians
This con artist looks and acts like a company technician. But
beneath the designed-to-fool persona you'll find a fraudster out to
tamper with a legitimate company's credit card processing
The scenario plays out with someone walking into a store with an
authentic-looking work order to replace the old credit card
terminal, Foresman says. But this tech guy has no connection to the
real processing provider. The new terminal installation comes with
an extra feature: a computer chip that copies credit card numbers
and sends it out to another online server.
These setups allow fraudsters to get all the magnetic stripe
information and PIN numbers from swpied cards, Foresman says. "If I
can capture the entire track that's on the magnetic strip on the
back, I can make a new card or overwrite an existing card," he
6. Counterfeit credit card manufacturers
These modern day counterfeiters don't make $20 bills. Instead, they
buy stolen credit card numbers and make fake credit cards. All
that's needed are imprint machines, a magnetic card writer and,
sometimes, credit card stock -- all of which are for sale legally,
"With less than $1,000 invested, you can have your credit card
maker," he says. "The equipment itself isn't illegal."
Sometimes, criminals don't even need new card stock. Instead,
they can take the magnetic stripe data from the stolen cards and
overwrite it onto existing credit cards or even onto hotel key
cards, Nguyen says.
That's one reason merchants may ask to see your credit card for
a transaction. They want to compare the last four numbers embossed
or printed on the front of the card with the last four digits of
the account number that the magnetic stripe sends to their system
to make sure it matches, he says.
7. Data sales websites
The credit card numbers that don't end up on fake cards often end
up on websites offering credit card numbers for sale. Operators of
these sites offer thousands of credit card numbers and associated
information for sale.
"You can go online and buy 1,000 Visa platinum cards," Foresman
Also for sale are card expiration dates, card validation codes,
ZIP codes and PINs, Foresman says. The prices vary from $2 for a
single unchecked credit card number to more than $100 for a
complete data sets called
"It's just like eBay," Nguyen says. "You go on, put in your
search criteria, where you want the card. Do you want MasterCard or
Visa? Do you want the PIN and the address? The more valuable the
information, the more the fraudsters are willing to pay for
Unattended gas stations and vending machines are more than great
places to obtain credit card numbers -- they're also good places to
test hot cards and card numbers, he says. If a small purchase goes
through, the card is verified.
8. Shoppers, mules
At the end of the chain are crooks who buy the fake credit cards or
fraudulently obtained card numbers and shop with them, typically
for items that then can be resold. They buy big-ticket items at
electronics stores such as Apple or major retailers such as Home
Depot, Nguyen says.
Grocery stores -- because they sell gifts cards that can easily
be resold -- are another big target. "They want to use cards and
get cash out of the system," he says. "They buy $500 or $1,000
worth of gift cards and go and resell them."
Spending habits differ by the mode of purchase. Thieves who use
the cards in face-to-face transactions tend to spend about $450 in
the course of a week, often at supermarkets and home-supply
warehouses, according to data compiled by Feedzai.
Those shopping online tend to spend about $900 over five days.
They target electronics sellers and discounters, according to
Feedzai data. To avoid detection, they have the items shipped
somewhere other than their home address, Nguyen says.
Though the latter would seem to be more efficient, it's all a
matter of taste if you're a criminal. In-person crooks prefer not
to have to deal with e-commerce hassles such as fake shipping
addresses or proxy servers. "To each their own," says Nguyen. "The
opportunity, or 'market,' for fraud is so big that there's room for
all kinds of talents, just like honest professions."
Sometimes, "mules" are hired to do the shopping -- often unaware
that they're part of a scam. These end-of-the-line criminals are
the ones who tend to get caught, Nguyen says. "They get arrested,
make the news, and then are replaced with other people," he
4 ways crooks cash in on your personal and
Don't be fooled by these 6 data breach myths
'Spam Nation' author Brian Krebs sheds light on
card data black market