back to article Crimelords: Stolen credit cards... keep 'em. It's all about banking logins now

Stolen bank login information attracts an even higher price than credit card numbers on underground cybercrime bazaars, and EU logins are worth more than American ones, according to research by McAfee. The Intel-owned security division's Cybercrime Exposed paper highlights trends in the thriving digital underground, including …

COMMENTS

This topic is closed for new posts.
Anonymous Coward

They are welcome to my maxxxxxxxxed out over draught.

2
2
Pint

Over draught?

Is that like when the foam on the top of your beer runs down the side of the glass?

13
0
Silver badge

Over drought

No, it's like when the glass has run dry.

0
0
Silver badge
Big Brother

Re: Over drought

Then fill it with a governmental credit card!

0
0

Anyone who keeps money in a bank is a fool. Romans knew how to keep money safe - we're still finding it 2000 years later.

1
2
Silver badge

Is that safe?

Romans knew how to keep money safe - we're still finding it 2000 years later

Safe as in squirrel hiding hazelnut?

3
0
Silver badge
Devil

Re: Is that safe?

They had EXACTLY the same problems as we do today.

1
0

Lazy users, lazy politicians

This whole security scam is 90% enabled by the continued use of never-ABLE-to-be-secure home computer operating systems. 90% of ALL cyber crime could be eradicated by using commercial-grade OS - ie FREE open-source UX systems. That is a fact that has NOTHING to do with the lower use of UX but is due to the INHERENT security in UX. Lazy users can't be bothered so they deserve the problems they get. Lazy politicians are so tech illiterate that they put National Security at risk through their ignorance, indolence and hand-in-the-till kowtowing to US manufactured spyware masquerading as an operating system.

1
29
Silver badge

Re: Lazy users, lazy politicians

If 'jacasta' is an anagram, then it's a freaky, cryptic anagram by someone who enjoys punishment. Ah, .......

0
0

Re: Lazy users, lazy politicians

You think if the tables were flipped, and Unix had a 95% market share that everything would be hunky dory and clouds rain lemonade and muggers give you sweets instead of stabbing you? This has to be one of the most random comments I've seen on El Reg.

You sir, are a buffoon. All the exploits mentioned were cross platform, unless you think that Firefox was coded by Billy Gates himself? Proportionally, the amount of retarded Unix users equal Windows, and you are a shining example of one. Your comments just enabled 100,000 retarded Windows users to get their credit card and bank details stolen. Why would you do such a thing?

1
0
Anonymous Coward

Re: Lazy users, lazy politicians

@Eadon - You know you've been banned, right?

3
0
Anonymous Coward

Re: Lazy users, lazy politicians

Why was he banned? Just generally being a twat, or did he post something particularly offensive?

0
0

Eadon !

http://3.bp.blogspot.com/-zDUkaAn2eAY/UF6Ew9SvbAI/AAAAAAAAAFE/nuuDqy1Pc9A/s320/Bender.+I%27m+Back+Baby!.jpg

0
0
Silver badge
Trollface

Re: Lazy users, lazy politicians

jacasta: five posts at the time of writing, account started on 16th June. When was Eadon nuked by the mods?

0
0

Lazy users,Lazy politicians

This whole security scam is 90% enabled by the continued use of never-ABLE-to-be-secure home computer operating systems. 90% of ALL cyber crime could be eradicated by using commercial-grade OS - ie FREE open-source UX systems. That is a fact that has NOTHING to do with the lower use of UX but is due to the INHERENT security in UX. Lazy users can't be bothered so they deserve the problems they get. Lazy politicians are so tech illiterate that they put National Security at risk through their ignorance, indolence and hand-in-the-till kowtowing to US manufactured spyware masquerading as an operating system.

2
25
Silver badge
Headmaster

Re: Lazy users,Lazy politicians

90% of ALL cyber crime could be eradicated by using commercial-grade OS - ie FREE open-source UX systems. That is a fact that has NOTHING to do with the lower use of UX but is due to the INHERENT security in UX.

Open source user experience?

Lazy users can't be bothered…

…to put the "NI" in "UNIX"?

6
0
Silver badge

Re: Lazy users,Lazy politicians

Random capitals, rabid foaming at the mouth zeal for open source unix systems....

It's hauntingly familiar.

6
2
Bronze badge
Happy

Re: Lazy users,Lazy politicians

It's rare that you get chance to downvote stupid comments twice.

17
0
Silver badge

Re: Lazy users,Lazy politicians

It's rare that you get chance to downvote stupid comments twice.

It's an open source comment and he decided to fork it.

10
0
Silver badge
FAIL

Re: Lazy users,Lazy politicians

As soon as UX has a 90% market share it will become viewed as the risky OS. It's the users who are the problem.

Security by obscurity - there's no target for UX at the moment, not enough users to make it worthwhile targeting.

Most of the vulnerabilities come from apps these days, not the OS, and while it could be argued MS is still playing catch up with security, once mainstream coders start writing apps for UX there will be just as many security breaches viewed as being the fault of UX.

3
4

Re: Lazy users,Lazy politicians

Microsoft almost single-handedly created market for third-grade developers with Visual toolbox that promotes learning lists of functions by heart (remember MFC? or .Net?) instead of understanding the underlying issues.

Unfortunately nowadays majority of commercial software is written by underpaid people who just can't be expected to be concerned with anything but delivering the minimal required functionality with absolute minimum of effort. Yay IT industry!

2
0
Silver badge
Alert

Re: It's the users who are the problem.

Yeah, but you try telling them that!

0
0
Silver badge
Trollface

Re: Lazy users,Lazy politicians

quote: "90% of ALL cyber crime could be eradicated by using commercial-grade OS - ie FREE open-source UX systems. That is a fact that has NOTHING to do with the lower use of UX but is due to the INHERENT security in UX."

I did like that bit. You obviously missed the part in the article where they place a high value on exploits for browsers, like Firefox, which is available for install in various POSIX-compliant (or mostly POSIX compliant) operating systems.

From the article: "Browser exploits are second only to iOS pwnage tricks, according to figures cited by McAfee, commanding a fee of $60,000 to $150,000 for Firefox or Safari zero-days and perhaps higher for Chrome or Internet Explorer malfeasance."

Possibly 90% of all cybercrime could be eliminated by properly educating users, however that's the only way I can see it happening. Android is built on a "UX" (what does that term even mean by the way?) platform but users will still happily install malware themselves if it promises to be a free version of the latest craze (Angry Birds, gambling apps, that confectionery app I see advertised on the TV). Until users stop infecting themselves, the platform is irrelevant.

1
0

I have always wondered and I hope someone can answer in a non-sarcastic way. If I was to purchase some of these stolen details, with a PIN for example, surely at some point my action will be traceable back to me, right?

Cashpoint - location and time logged, and possible CCTV looking over the cashpoint too

online - location and IP etc plus if I was getting something delivered where would I get it delivered to, so not to be traceable?

Surely if these issues are sorted then that would be less appealing to get the CC data rather than trying to teach millions of people that an email from Nigeria, or your Natw3st.ru statement email is not legit?

0
0
Silver badge
Holmes

"Cashpoint - location and time logged, and possible CCTV looking over the cashpoint too"

Use the busiest one in London's main shopping area and wear a hoodie.

"online - location and IP etc plus if I was getting something delivered where would I get it delivered to, so not to be traceable?"

Use a Wi-Fi hotspot, a stolen laptop and buy downloadable stuff. Or collect-at-venue stuff like airline tickets, theatre tickets etc.

Then make your own card up, and use that for in-store purchases.

0
0

Might be traceable, but the police have to be arsed to do the tracing

Yes, technically you might get caught, but I believe in practice the chances are slim.

I once had a PC from Comet charged to my credit card (I believe they must have got the details from a dodgy employee of a place I legitimately purchased online).

The CC company spotted it before I even saw the statement, and a few days later I received a paper VAT invoice through the post from Comet, listing my address as the billing address and the delivery address somewhere in Coventry.

I passed the info to the CC company, but I never heard any more - I doubt it ever got as far as a police investigation even if they could have just knocked on the door in Coventry for a start.

1
0
Silver badge
Meh

Yes, you're very traceable if you buy this information online. The sellers of this information, on the other hand, will be hiding behind (though not necessarily themselves in) dodgy countries with banking infrastructure that can't or won't trace transactions, and kleptocratic governments who won't intervene. From the point of view of the sellers of this information, they're taking their margin with little risk of being caught, but the low rent buyers are taking all the risk of being caught, because the realisation of the theft/fraud will mostly be in well governed countries with traceability both for the original purchase of information, and for the subsequent illegal transactions. So you in theory buy card details (with no recourse or comeback if you've paid for made up numbers) you try and use them, and you have a good chance of getting caught and prosecuted. Try and trace your purchase, and it'll be channeled through (guessing) Kazakhstan then to Bulgaria to Ukraine or some such.

If you order goods with stolen details, then you are highly traceable, by the IP you order from (assuming you can change the delivery address without arousing suspicion), and probably by the transaction you've undertaken to buy the card details. Your biggest protection is merely the laziness or incompetence of the local police - not something I'd want to rely on as my best chance of staying out of jail. The buyers of this information are like drug mules - the fall guys, the idiots, the weak-minded, lazy people who think that they won't get caught. Some don't get caught, many do. And as we now know, all of our online transactions are being collected and stored, so not being caught today doesn't mean never being caught.

I suspect the answer to this would be to pressure the global payments processors to remove the merchant status and confiscate the balance of suspected criminals - and this could be extended to stamping on the financial knackers of counterfeiters and spammers around the world. There's no obligation for Visa and Mastercard to continue to support worldwide crime, but they choose to overlook the extent to which they process payments for criminals, as far as I can see. But they have a very nice corporate social responsibility programme, so that's OK then.

2
0
Silver badge

A lot of the actual work (and risk-taking) is done by 'mules'. Kingpin buys details of 100 cards, then farms out the dirty work of physically withdrawing cash to underlings who retain a small percentage. I guess it would be done through intermediaries / blind drops so the mules don't even know who they're working for.

Even if 20%, 30%, 50%, whatever of the mules get caught, most of it would be after the fact (kingpin already has his* money). Most probably operated in a gang-type environment where the mules wouldn't / couldn't simply take all the money and run.

*her?

0
0
Anonymous Coward

Launder it through Bitcoins?

0
1

Yes, it's very likely possible to track you down unless but this is a cost/benefit trade-off for multiple parties. We'll presume for the moment they've paid for the details in an anonymous fashion (or at least, one beyond the wit of current law enforcement such as bitcoin so they need to get the person after the details are used).

First, if you wipe out someone's account for £300 a time at an ATM then it's frankly not worth the bank doing anything about it in terms of improving security or adding inconvenience to people (e.g. adding RSA-fob like displays on cards, or texting people a code they must enter when they make a withdrawal over £50 etc.).

Also, it's the police who should investigate and pursue these crimes but they are not encouraged or rewarded for doing so. Why should they trawl through CCTV and try doing some real detective work when they can park a car or two on the overpass of a dual carriageway and catch - and solve - tens if not hundreds of crimes a day while bagging the treasury £60+ a pop each time?

If the criminal has taken some basic steps - gloves, a hoody, doing it at night, not speaking when they use the ATM and whacking a sticker over the ATM camera while approaching it from the side, whatever... then the odds of them getting caught are probably remarkably low. Partly because it's not in the bank's interest to chase them down (more expensive to do than fraud costs - which customers ultimately pay for anyway) and the police, frankly, have other priorities such as finding chavvy teenagers who have run away from home for the umpteenth time, breaking up brawls outside nightclubs and giving fines to people going a tad over the legal limit on beautiful spring and summer days.

0
1
Bronze badge

>traceable back to me

I had an acquaintance who went to jail for cashing stolen cheques. They traced it back to him no problems. He was a druggy and did desperate things like that.

He bought the stolen cheques from a supplier. Even if he gave up his supplier, there was no evidence. Even if he was stupid enough to give evidence in open court, it was his word (a desperate druggy) against the other.

The supplier sold the stolen cheques at a fraction of face value. He wasn't stupid or desperate enough to get caught. The druggies took all the risk. When one went to jail, another took his place.

0
0
Silver badge

@Ledswinger

Generally correct except you've usually got the word order wrong. For example it should be: Many don't get caught, some do.

I've had some direct experience with this running a large convention. One time we caught vandals red-handed tearing down and attempting to steal a sign at the convention. Called the police, turned over the perps and requested to press charges. We were never called for a court date. Elsewhere we had a bunch of people doing security type work trying to prevent shoplifting in the dealers room. We'd catch dozens of people a day. Best we could usually manage was to ban them from the convention (fat chance of actually keeping them out afterward). The dealers generally didn't want to even try to press charges because they'd already learned it was a colossal waste of time. It was all petty ante stuff. Pretty much like most identity theft. Too much work and too many culprits. So instead we factor in the cost of the expected losses in the prices of our goods and services.

That said, I wouldn't be keen on taking the 1 in 10,000 chance of getting caught. Cue Hee-Haw song:

Oh, if it weren't for bad luck I'd have no luck at all.

...

0
0
Anonymous Coward

Isn't this sort of thing more-or-less what two-factor is for?

A certain worldwide local bank uses it. And it's handy because even if the user is thick enough to respond to a phish, it's only valid for about a minute.

I know some other bank uses a USB card reader, that sounds all sorts of wrong.

0
0
Bronze badge

No Ones' Left Behind

...where a crooks is also offering to sell a PIN number.

Sorry. It just hurt to much to leave alone. Interesting story in need of some good editing....

1
0
Anonymous Coward

Re: No Ones' Left Behind

too ?

1
0
Anonymous Coward

Re: No Ones' Left Behind

Ones' ?

0
0

Re: No Ones' Left Behind

Ones' ?

0
0
Anonymous Coward

Apple and Adobe exploits ..

How are these credit cards and PINs harvested?

Who is going to save us from all these Apple Adobe exploits?

0
0

"Such underground platforms are implementing stronger mechanisms to ensure that participants are who they purport to be (or at the very least are not law enforcement officials). Ironically, while the platforms that facilitate the services marketplace for illegal activities are going deeper underground, the trade in zero-day vulnerabilities is more transparent than ever before," Samani and Paget report.

I would have thought criminals would prefer other criminals didn't know who they were, so the above seems implausible, if I'm being generous. The markets are designed so that it doesn't matter if the police can participate, and that you don't know who you are dealing with.

0
0