They are welcome to my maxxxxxxxxed out over draught.
Crimelords: Stolen credit cards... keep 'em. It's all about banking logins now
Stolen bank login information attracts an even higher price than credit card numbers on underground cybercrime bazaars, and EU logins are worth more than American ones, according to research by McAfee. The Intel-owned security division's Cybercrime Exposed paper highlights trends in the thriving digital underground, including …
-
Tuesday 2nd July 2013 09:03 GMT jacasta
Lazy users, lazy politicians
This whole security scam is 90% enabled by the continued use of never-ABLE-to-be-secure home computer operating systems. 90% of ALL cyber crime could be eradicated by using commercial-grade OS - ie FREE open-source UX systems. That is a fact that has NOTHING to do with the lower use of UX but is due to the INHERENT security in UX. Lazy users can't be bothered so they deserve the problems they get. Lazy politicians are so tech illiterate that they put National Security at risk through their ignorance, indolence and hand-in-the-till kowtowing to US manufactured spyware masquerading as an operating system.
-
Tuesday 2nd July 2013 13:28 GMT weebs
Re: Lazy users, lazy politicians
You think if the tables were flipped, and Unix had a 95% market share that everything would be hunky dory and clouds rain lemonade and muggers give you sweets instead of stabbing you? This has to be one of the most random comments I've seen on El Reg.
You sir, are a buffoon. All the exploits mentioned were cross platform, unless you think that Firefox was coded by Billy Gates himself? Proportionally, the amount of retarded Unix users equal Windows, and you are a shining example of one. Your comments just enabled 100,000 retarded Windows users to get their credit card and bank details stolen. Why would you do such a thing?
-
Tuesday 2nd July 2013 09:03 GMT jacasta
Lazy users,Lazy politicians
This whole security scam is 90% enabled by the continued use of never-ABLE-to-be-secure home computer operating systems. 90% of ALL cyber crime could be eradicated by using commercial-grade OS - ie FREE open-source UX systems. That is a fact that has NOTHING to do with the lower use of UX but is due to the INHERENT security in UX. Lazy users can't be bothered so they deserve the problems they get. Lazy politicians are so tech illiterate that they put National Security at risk through their ignorance, indolence and hand-in-the-till kowtowing to US manufactured spyware masquerading as an operating system.
-
Tuesday 2nd July 2013 09:08 GMT Tom 38
Re: Lazy users,Lazy politicians
"90% of ALL cyber crime could be eradicated by using commercial-grade OS - ie FREE open-source UX systems. That is a fact that has NOTHING to do with the lower use of UX but is due to the INHERENT security in UX."
Open source user experience?
"Lazy users can't be bothered…"
…to put the "NI" in "UNIX"?
-
Tuesday 2nd July 2013 10:05 GMT Velv
Re: Lazy users,Lazy politicians
As soon as UX has a 90% market share it will become viewed as the risky OS. It's the users who are the problem.
Security by obscurity - there's no target for UX at the moment, not enough users to make it worthwhile targeting.
Most of the vulnerabilities come from apps these days, not the OS, and while it could be argued MS is still playing catch up with security, once mainstream coders start writing apps for UX there will be just as many security breaches viewed as being the fault of UX.
-
Tuesday 2nd July 2013 12:08 GMT a_milan
Re: Lazy users,Lazy politicians
Microsoft almost single-handedly created a market for third-grade developers with a Visual toolbox that promotes learning lists of functions by heart (remember MFC? or .Net?) instead of understanding the underlying issues.
Unfortunately, nowadays the majority of commercial software is written by underpaid people who just can't be expected to be concerned with anything but delivering the minimal required functionality with the absolute minimum of effort. Yay IT industry!
-
-
Tuesday 2nd July 2013 13:20 GMT NumptyScrub
Re: Lazy users,Lazy politicians
quote: "90% of ALL cyber crime could be eradicated by using commercial-grade OS - ie FREE open-source UX systems. That is a fact that has NOTHING to do with the lower use of UX but is due to the INHERENT security in UX."
I did like that bit. You obviously missed the part in the article where they place a high value on exploits for browsers, like Firefox, which is available for install in various POSIX-compliant (or mostly POSIX compliant) operating systems.
From the article: "Browser exploits are second only to iOS pwnage tricks, according to figures cited by McAfee, commanding a fee of $60,000 to $150,000 for Firefox or Safari zero-days and perhaps higher for Chrome or Internet Explorer malfeasance."
Possibly 90% of all cybercrime could be eliminated by properly educating users, however that's the only way I can see it happening. Android is built on a "UX" (what does that term even mean by the way?) platform but users will still happily install malware themselves if it promises to be a free version of the latest craze (Angry Birds, gambling apps, that confectionery app I see advertised on the TV). Until users stop infecting themselves, the platform is irrelevant.
-
-
Tuesday 2nd July 2013 09:09 GMT Senior Ugli
I have always wondered and I hope someone can answer in a non-sarcastic way. If I was to purchase some of these stolen details, with a PIN for example, surely at some point my action will be traceable back to me, right?
Cashpoint - location and time logged, and possible CCTV looking over the cashpoint too
online - location and IP etc, plus if I was getting something delivered where would I get it delivered to, so not to be traceable?
Surely if these issues are sorted then that would be less appealing to get the CC data rather than trying to teach millions of people that an email from Nigeria, or your Natw3st.ru statement email is not legit?
-
Tuesday 2nd July 2013 09:22 GMT itzman
"Cashpoint - location and time logged, and possible CCTV looking over the cashpoint too"
Use the busiest one in London's main shopping area and wear a hoodie.
"online - location and IP etc, plus if I was getting something delivered where would I get it delivered to, so not to be traceable?"
Use a wifi hotspot, a stolen laptop and buy downloadable stuff. Or collect at venue stuff like airline tickets, theatre tickets etc.
Then make your own card up, and use that for in-store purchases
-
Tuesday 2nd July 2013 09:23 GMT Tom Wood
Might be traceable, but the police have to be arsed to do the tracing
Yes, technically you might get caught, but I believe in practice the chances are slim.
I once had a PC from Comet charged to my credit card (I believe they must have got the details from a dodgy employee of a place I legitimately purchased online).
The CC company spotted it before I even saw the statement, and a few days later I received a paper VAT invoice through the post from Comet, listing my address as the billing address and the delivery address somewhere in Coventry.
I passed the info to the CC company, but I never heard any more - I doubt it ever got as far as a police investigation even if they could have just knocked on the door in Coventry for a start.
-
Tuesday 2nd July 2013 09:37 GMT Anonymous Coward
Yes, you're very traceable if you buy this information online. The sellers of this information, on the other hand, will be hiding behind (though not necessarily themselves in) dodgy countries with banking infrastructure that can't or won't trace transactions, and kleptocratic governments who won't intervene. From the point of view of the sellers of this information, they're taking their margin with little risk of being caught, but the low rent buyers are taking all the risk of being caught, because the realisation of the theft/fraud will mostly be in well governed countries with traceability both for the original purchase of information, and for the subsequent illegal transactions. So you in theory buy card details (with no recourse or come back if you've paid for made up numbers) you try and use them, and you have a good chance of getting caught and prosecuted. Try and trace your purchase, and it'll be channeled through (guessing) Kazakhstan then to Bulgaria to Ukraine or some such.
If you order goods with stolen details, then you are highly traceable, by the IP you order from (assuming you can change the delivery address without arousing suspicion), and probably by the transaction you've undertaken to buy the card details. Your biggest protection is merely the laziness or incompetence of the local police - not something I'd want to rely on as my best chance of staying out of jail. The buyers of this information are like drug mules - the fall guys, the idiots, the weak minded, lazy people who think that they won't get caught. Some don't get caught, many do. And as we now know, all of our online transactions are being collected and stored, so not being caught today doesn't mean never being caught.
I suspect the answer to this would be to pressure the global payments processors to remove the merchant status and confiscate the balance of suspected criminals - and this could be extended to stamping on the financial knackers of counterfeiters and spammers around the world. There's no obligation for Visa and Mastercard to continue to support worldwide crime, but they choose to overlook the extent to which they process payments for criminals, as far as I can see. But they have a very nice corporate social responsibility programme, so that's OK then.
-
Wednesday 3rd July 2013 21:41 GMT Tom 13
@Ledswinger
Generally correct except you've usually got the word order wrong. For example it should be: Many don't get caught, some do.
I've had some direct experience with this running a large convention. One time we caught vandals red-handed tearing down and attempting to steal a sign at the convention. Called the police, turned over the perps and requested to press charges. We were never called for a court date. Elsewhere we had a bunch of people doing security type work trying to prevent shoplifting in the dealers room. We'd catch dozens of people a day. Best we could usually manage was to ban them from the convention (fat chance of actually keeping them out afterward). The dealers generally didn't want to even try to press charges because they'd already learned it was a colossal waste of time. It was all petty ante stuff. Pretty much like most identity theft. Too much work and too many culprits. So instead we factor in the cost of the expected losses in the prices of our goods and services.
That said, I wouldn't be keen on taking the 1 in 10,000 chance of getting caught. Cue Hee-Haw song:
Oh, if it weren't for bad luck I'd have no luck at all.
...
-
-
Tuesday 2nd July 2013 10:07 GMT James Micallef
A lot of the actual work (and risk-taking) is done by 'mules'. Kingpin buys details of 100 cards, then farms out the dirty work of physically withdrawing cash to underlings who retain a small percentage. I guess it would be done through intermediaries / blind drops so the mules don't even know who they're working for.
Even if 20%, 30%, 50%, whatever of the mules get caught, most of it would be after the fact (kingpin already has his* money). Most probably operated in a gang-type environment where the mules wouldn't / couldn't simply take all the money and run.
*her?
-
-
Tuesday 2nd July 2013 12:02 GMT AlexF
Yes, it's very likely possible to track you down unless but this is a cost/benefit trade-off for multiple parties. We'll presume for the moment they've paid for the details in an anonymous fashion (or at least, one beyond the wit of current law enforcement such as bitcoin so they need to get the person after the details are used).
First, if you wipe out someone's account for £300 a time at an ATM then it's frankly not worth the bank doing anything about it in terms of improving security or adding inconvenience to people (e.g. adding RSA-fob like displays on cards, or texting people a code they must enter when they make a withdrawal over £50 etc.).
Also, it's the police who should investigate and pursue these crimes but they are not encouraged or rewarded for doing so. Why should they trawl through CCTV and try doing some real detective work when they can park a car or two on the overpass of a dual carriageway and catch - and solve - tens if not hundreds of crimes a day while bagging the treasury £60+ a pop each time?
If the criminal has taken some basic steps - gloves, a hoody, doing it at night, not speaking when they use the ATM and whacking a sticker over the ATM camera while approaching it from the side, whatever... then the odds of them getting caught are probably remarkably low. Partly because it's not in the bank's interest to chase them down (more expensive to do than fraud costs - which customers ultimately pay for anyway) and the police, frankly, have other priorities such as finding chavvy teenagers who have run away from home for the umpteenth time, breaking up brawls outside nightclubs and giving fines to people going a tad over the legal limit on beautiful spring and summer days.
-
Wednesday 3rd July 2013 08:43 GMT david 12
>traceable back to me
I had an acquaintance who went to jail for cashing stolen cheques. They traced it back to him no problems. He was a druggy and did desperate things like that.
He bought the stolen cheques from a supplier. Even if he gave up his supplier, there was no evidence. Even if he was stupid enough to give evidence in open court, it was his word (a desperate druggy) against the other.
The supplier sold the stolen cheques at a fraction of face value. He wasn't stupid or desperate enough to get caught. The druggies took all the risk. When one went to jail, another took his place.
-
Tuesday 2nd July 2013 13:35 GMT David Ireland
"Such underground platforms are implementing stronger mechanisms to ensure that participants are who they purport to be (or at the very least are not law enforcement officials). Ironically, while the platforms that facilitate the services marketplace for illegal activities are going deeper underground, the trade in zero-day vulnerabilities is more transparent than ever before," Samani and Paget report.
I would have thought criminals would prefer other criminals didn't know who they were, so the above seems implausible, if I'm being generous. The markets are designed so that it doesn't matter if the police can participate, and that you don't know who you are dealing with.